| author | Andre Oppermann <andre@FreeBSD.org> | 2004-09-22 19:23:39 +0000 |
|---|---|---|
| committer | Andre Oppermann <andre@FreeBSD.org> | 2004-09-22 19:23:39 +0000 |
| commit | 906924251e1dbc55317f31aede7ef99b04f3c13c (patch) | |
| tree | c3dc8a71371554086d1720cc40410588ee05fc5f /sys/netinet | |
| parent | 88c2867de09889bb1adfacc613644e442735357a (diff) | |
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_fastfwd.c | 15 | ||||
| -rw-r--r-- | sys/netinet/ip_fw_pfil.c | 6 | ||||
| -rw-r--r-- | sys/netinet/ip_input.c | 26 | ||||
| -rw-r--r-- | sys/netinet/ip_output.c | 25 | ||||
| -rw-r--r-- | sys/netinet/ip_var.h | 4 |
5 files changed, 28 insertions, 48 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c index c6ce544f543f..8d78c0e3fb95 100644 --- a/sys/netinet/ip_fastfwd.c +++ b/sys/netinet/ip_fastfwd.c @@ -77,7 +77,6 @@ #include "opt_ipfw.h" #include "opt_ipstealth.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/systm.h> @@ -353,10 +352,13 @@ ip_fastforward(struct mbuf *m) ip->ip_off = ntohs(ip->ip_off); odest.s_addr = dest.s_addr = ip->ip_dst.s_addr; -#ifdef PFIL_HOOKS + /* * Run through list of ipfilter hooks for input packets */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passin; + if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) || m == NULL) return 1; @@ -388,8 +390,8 @@ ip_fastforward(struct mbuf *m) goto forwardlocal; } #endif /* IPFIREWALL_FORWARD */ -#endif /* PFIL_HOOKS */ +passin: /* * Step 4: decrement TTL and look up route */ @@ -429,10 +431,12 @@ ip_fastforward(struct mbuf *m) * Step 5: outgoing firewall packet processing */ -#ifdef PFIL_HOOKS /* * Run through list of hooks for output packets. */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passout; + if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT) || m == NULL) { goto consumed; } @@ -478,7 +482,6 @@ forwardlocal: if (fwd_tag) { if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) dest.s_addr = ((struct sockaddr_in *)(fwd_tag+1))->sin_addr.s_addr; - //bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m_tag_delete(m, fwd_tag); } #endif /* IPFIREWALL_FORWARD */ @@ -487,8 +490,8 @@ forwardlocal: return 1; /* icmp unreach already sent */ ifp = ro.ro_rt->rt_ifp; } -#endif /* PFIL_HOOKS */ +passout: /* * Step 6: send off the packet */ diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c index bace1c8633d5..69e0188dec13 100644 --- a/sys/netinet/ip_fw_pfil.c +++ b/sys/netinet/ip_fw_pfil.c 
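Review bot: The new `if (inet_pfil_hook.ph_busy_count == -1) goto passin;` in the `@@ -353` hunk reads the hook head's busy count without taking any pfil lock, so a packet already in flight while the first hook is being attached can be forwarded without ever reaching `pfil_run_hooks()`; the same unlocked test appears in the `@@ -429` hunk of this file, in ip_input.c (`@@ -432`) and in ip_output.c (`@@ -662`). If that window is an accepted trade-off it should be recorded at the first site, e.g. `/* Unlocked read: a hook attached after this test does not see this packet. */`, and the meaning of -1 (presumably "no hook attached", which only net/pfil.c can confirm) should be given a name instead of being spelled as a literal at four sites — a small predicate in net/pfil.h such as `static inline int pfil_hooked(struct pfil_head *ph)` would keep them consistent and make a later change of the sentinel a one-line edit. The two ip_fastfwd.c sites also lack the `/* Jump over all PFIL processing if hooks are not active. */` comment that the ip_input.c and ip_output.c sites carry. ip_fastforward()'s body begins and ends outside these hunks.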
@@ -30,15 +30,11 @@ #include "opt_ipfw.h" #include "opt_ipdn.h" #include "opt_ipdivert.h" -#include "opt_pfil_hooks.h" #include "opt_inet.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */ -#if !defined(PFIL_HOOKS) -#error IPFIREWALL requires PFIL_HOOKS. -#endif -#endif +#endif /* KLD_MODULE */ #include <sys/param.h> #include <sys/systm.h> diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 98e1185555db..c4d9ec0e6fb3 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -35,7 +35,6 @@ #include "opt_ipstealth.h" #include "opt_ipsec.h" #include "opt_mac.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/systm.h> @@ -156,9 +155,8 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW, #ifdef DIAGNOSTIC static int ipprintfs = 0; #endif -#ifdef PFIL_HOOKS + struct pfil_head inet_pfil_hook; -#endif static struct ifqueue ipintrq; static int ipqmaxlen = IFQ_MAXLEN; @@ -264,13 +262,12 @@ ip_init() pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) ip_protox[pr->pr_protocol] = pr - inetsw; -#ifdef PFIL_HOOKS + /* Initialize packet filter hooks. */ inet_pfil_hook.ph_type = PFIL_TYPE_AF; inet_pfil_hook.ph_af = AF_INET; if ((i = pfil_head_register(&inet_pfil_hook)) != 0) printf("%s: WARNING: unable to register pfil hook, " "error %d\n", __func__, i); -#endif /* PFIL_HOOKS */ IPQ_LOCK_INIT(); for (i = 0; i < IPREASS_NHASH; i++) @@ -298,9 +295,7 @@ ip_input(struct mbuf *m) int checkif, hlen = 0; u_short sum; int dchg = 0; /* dest changed after fw */ -#ifdef PFIL_HOOKS struct in_addr odst; /* original dst address */ -#endif #ifdef FAST_IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; 
@@ -414,17 +409,16 @@ tooshort: * Bypass packet filtering for packets from a tunnel (gif). */ if (ipsec_getnhist(m)) - goto pass; + goto passin; #endif #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) /* * Bypass packet filtering for packets from a tunnel (gif). */ if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) - goto pass; + goto passin; #endif -#ifdef PFIL_HOOKS /* * Run through list of hooks for input packets. * @@ -432,6 +426,11 @@ tooshort: * by NAT rewriting). When this happens, tell * ip_forward to do the right thing. */ + + /* Jump over all PFIL processing if hooks are not active. */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passin; + odst = ip->ip_dst; if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) != 0) @@ -450,12 +449,7 @@ tooshort: dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); #endif /* IPFIREWALL_FORWARD */ -#endif /* PFIL_HOOKS */ - -#if (defined(FAST_IPSEC) || defined(IPSEC)) && !defined(IPSEC_FILTERGIF) -pass: -#endif - +passin: /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 7057764791d6..be73008a071d 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -33,7 +33,6 @@ #include "opt_ipfw.h" #include "opt_ipsec.h" #include "opt_mac.h" -#include "opt_pfil_hooks.h" #include "opt_mbuf_stress_test.h" #include <sys/param.h> @@ -49,6 +48,7 @@ #include <net/if.h> #include <net/netisr.h> +#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -58,10 +58,6 @@ #include <netinet/in_var.h> #include <netinet/ip_var.h> -#ifdef PFIL_HOOKS -#include <net/pfil.h> -#endif - #include <machine/in_cksum.h> static MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options"); 
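Review bot: In the `@@ -432` hunk the added bypass (`/* Jump over all PFIL processing if hooks are not active. */`, the `ph_busy_count` test and `goto passin;`) is inserted between the end of the comment block that explains the hook run (`* ip_forward to do the right thing. */`) and the `odst = ip->ip_dst;` statement that comment introduces, so the explanation is now separated from the code it describes. Moving the three added lines above the `/* Run through list of hooks for input packets.` comment (which starts in the `@@ -414` hunk) keeps that comment adjacent to `odst = ...` and `pfil_run_hooks()`, as the ip_output.c `@@ -662` hunk already does. Since `odst` is assigned only inside the region the jump skips, nothing reached via `passin:` may read it; that holds for the visible lines but should be confirmed against the remainder of ip_input(), which lies outside these hunks.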
@@ -132,9 +128,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, struct in_ifaddr *ia = NULL; int isbroadcast, sw_csum; struct route iproute; -#ifdef PFIL_HOOKS struct in_addr odst; -#endif #ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; #endif @@ -187,9 +181,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, } dst = (struct sockaddr_in *)&ro->ro_dst; -#ifdef PFIL_HOOKS again: -#endif /* * If there is a cached route, * check that it is to the same destination @@ -662,10 +654,11 @@ skip_ipsec: spd_done: #endif /* FAST_IPSEC */ -#ifdef PFIL_HOOKS - /* - * Run through list of hooks for output packets. - */ + /* Jump over all PFIL processing if hooks are not active. */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passout; + + /* Run through list of hooks for output packets. */ odst.s_addr = ip->ip_dst.s_addr; error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT); if (error != 0 || m == NULL) @@ -726,11 +719,7 @@ spd_done: } #endif -#endif /* PFIL_HOOKS */ - -#if 0 -pass: -#endif +passout: /* 127/8 must not appear on wire - RFC1122. */ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index f557225eb42f..46bd596f2895 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -192,9 +192,7 @@ extern int (*ip_rsvp_vif)(struct socket *, struct sockopt *); extern void (*ip_rsvp_force_done)(struct socket *); extern void (*rsvp_input_p)(struct mbuf *m, int off); -#ifdef PFIL_HOOKS -extern struct pfil_head inet_pfil_hook; -#endif +extern struct pfil_head inet_pfil_hook; /* packet filter hooks */ void in_delayed_cksum(struct mbuf *m); |
