OS-7667 Cdiff usr/src/uts/common/inet/ipf/solaris.c

Print this page

OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>


*** 4,14 ****
   * See the IPFILTER.LICENCE file for details on licencing.
   *
   * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
   * Use is subject to license terms.
   *
!  * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
   */
  
  /*
   * ipfilter kernel module mutexes and locking:
   *
--- 4,14 ----
   * See the IPFILTER.LICENCE file for details on licencing.
   *
   * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
   * Use is subject to license terms.
   *
!  * Copyright 2019 Joyent, Inc.
   */
  
  /*
   * ipfilter kernel module mutexes and locking:
   *
*** 114,124 ****
  static  void    ipf_stack_destroy __P((const netid_t, void *));
  static  void    ipf_stack_shutdown __P((const netid_t, void *));
  static  int     ipf_property_g_update __P((dev_info_t *));
  static  char    *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
                                      IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
!                                     IPLOOKUP_NAME, NULL };
  extern void     *ipf_state;     /* DDI state */
  extern vmem_t   *ipf_minor;     /* minor number arena */
  
  static struct cb_ops ipf_cb_ops = {
          iplopen,
--- 114,124 ----
  static  void    ipf_stack_destroy __P((const netid_t, void *));
  static  void    ipf_stack_shutdown __P((const netid_t, void *));
  static  int     ipf_property_g_update __P((dev_info_t *));
  static  char    *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
                                      IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
!                                     IPLOOKUP_NAME, IPFEV_NAME, NULL };
  extern void     *ipf_state;     /* DDI state */
  extern vmem_t   *ipf_minor;     /* minor number arena */
  
  static struct cb_ops ipf_cb_ops = {
          iplopen,
*** 739,748 ****
--- 739,751 ----
                                  goto attach_failed;
                  }
  
                  ipf_dev_info = dip;
  
+                 if (ipf_cfw_ring_resize(IPF_CFW_RING_ALLOCATE) != 0)
+                         goto attach_failed;
+ 
                  ipfncb = net_instance_alloc(NETINFO_VERSION);
                  if (ipfncb == NULL)
                          goto attach_failed;
  
                  ipfncb->nin_name = "ipf";
*** 766,775 ****
--- 769,779 ----
          default:
                  break;
          }
  
  attach_failed:
+         (void) ipf_cfw_ring_resize(IPF_CFW_RING_DESTROY);
          ddi_remove_minor_node(dip, NULL);
          ddi_prop_remove_all(dip);
          ddi_soft_state_fini(&ipf_state);
          return (DDI_FAILURE);
  }
*** 793,802 ****
--- 797,807 ----
                   * Undo what we did in ipf_attach, freeing resources
                   * and removing things we installed.  The system
                   * framework guarantees we are not active with this devinfo
                   * node in any other entry points at this time.
                   */
+                 (void) ipf_cfw_ring_resize(IPF_CFW_RING_DESTROY);
                  ddi_prop_remove_all(dip);
                  i = ddi_get_instance(dip);
                  ddi_remove_minor_node(dip, NULL);
                  if (i > 0) {
                          cmn_err(CE_CONT, "IP Filter: still attached (%d)\n", i);