Date: Sun, 29 Jun 2008 23:46:49 GMT From: Julian Elischer <julian@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 144319 for review Message-ID: <200806292346.m5TNknh9035902@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=144319
Change 144319 by julian@julian_trafmon1 on 2008/06/29 23:46:11
attempt to integrate the changed version
Affected files ...
.. //depot/projects/vimage-commit3/src/sys/netinet/ip_fw.h#3 integrate
Differences ...
==== //depot/projects/vimage-commit3/src/sys/netinet/ip_fw.h#3 (text+ko) ====
@@ -28,6 +28,9 @@
 #ifndef _IPFW2_H
 #define _IPFW2_H
 
+#include <sys/rwlock.h>
+#include <net/radix.h>
+
 /*
  * The kernel representation of ipfw rules is made of a list of
  * 'instructions' (for all practical purposes equivalent to BPF
@@ -549,7 +552,40 @@
  * Main firewall chains definitions and global var's definitions.
  */
 #ifdef _KERNEL
+#ifdef NOTYET /* still in ip_fw2.c */
+
+/*
+ * Data structure to cache our ucred related
+ * information. This structure only gets used if
+ * the user specified UID/GID based constraints in
+ * a firewall rule.
+ */
+struct ip_fw_ugid {
+ gid_t fw_groups[NGROUPS];
+ int fw_ngroups;
+ uid_t fw_uid;
+ int fw_prid;
+};
+#endif
+
 
+
+#define IPFW_TABLES_MAX 128
+struct ip_fw_chain {
+ struct ip_fw *rules; /* list of rules */
+ struct ip_fw *reap; /* list of rules to reap */
+ LIST_HEAD(, cfg_nat) nat; /* list of nat entries */
+ struct radix_node_head *tables[IPFW_TABLES_MAX];
+ struct rwlock rwmtx;
+};
+#ifdef NOTYET /* still in ip_fw2.c */
+struct table_entry {
+ struct radix_node rn[2];
+ struct sockaddr_in addr, mask;
+ u_int32_t value;
+};
+#endif
+
 /* Return values from ipfw_chk() */
 enum {
  IP_FW_PASS = 0,
@@ -616,14 +652,18 @@
 
 int ipfw_init(void);
 void ipfw_destroy(void);
+void ipfw_nat_destroy(void);
 
 typedef int ip_fw_ctl_t(struct sockopt *);
 extern ip_fw_ctl_t *ip_fw_ctl_ptr;
+
+#ifndef VIMAGE
 extern int fw_one_pass;
 extern int fw_enable;
 #ifdef INET6
 extern int fw6_enable;
 #endif
+#endif
 
 /* For kernel ipfw_ether and ipfw_bridge. */
 typedef int ip_fw_chk_t(struct ip_fw_args *args);
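Review bot: Moving `struct ip_fw_chain` from the `IPFW_INTERNAL` section into the `_KERNEL` section (second hunk, with the matching removal in the fourth) means its `LIST_HEAD(, cfg_nat) nat` member must now resolve in every kernel file that includes ip_fw.h, but the includes added in the first hunk cover only `struct rwlock` and `struct radix_node_head`. Unless ip_fw.h already pulls in `<sys/queue.h>` above line 28 (not visible here), add `#include <sys/queue.h>` next to the new `<sys/rwlock.h>` line. The two `#ifdef NOTYET` blocks reference `NGROUPS` and `struct sockaddr_in`, which likewise have no include in this header; they are inert until NOTYET is defined, so a comment such as `/* needs <sys/param.h> and <netinet/in.h> before enabling */` on the first `#ifdef NOTYET` would spare the next reader a compile failure. Exposing the chain layout, embedded lock included, to all kernel consumers rather than only ipfw's own files is presumably intended for the `_layer3_chain` member of `struct vnet_ipfw` in the last hunk; a one-line comment above the struct saying so would make the widening deliberate rather than accidental.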
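Review bot: The new `#ifndef VIMAGE` guard in the third hunk keeps the `#ifdef INET6` conditional around `extern int fw6_enable`, while `struct vnet_ipfw` in the last hunk declares `int _fw6_enable;` unconditionally, so the two views of the same knob diverge depending on the build; either drop the INET6 conditional here or mirror it in the struct. `void ipfw_nat_destroy(void);` is added with no indication of which source file provides it, unlike the surrounding declarations that are grouped by origin; a short comment naming the defining file next to the declaration would help.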
@@ -632,14 +672,6 @@
 
 #ifdef IPFW_INTERNAL
 
-#define IPFW_TABLES_MAX 128
-struct ip_fw_chain {
- struct ip_fw *rules; /* list of rules */
- struct ip_fw *reap; /* list of rules to reap */
- LIST_HEAD(, cfg_nat) nat; /* list of nat entries */
- struct radix_node_head *tables[IPFW_TABLES_MAX];
- struct rwlock rwmtx;
-};
 #define IPFW_LOCK_INIT(_chain) \
  rw_init(&(_chain)->rwmtx, "IPFW static rules")
 #define IPFW_LOCK_DESTROY(_chain) rw_destroy(&(_chain)->rwmtx)
@@ -663,10 +695,52 @@
 #endif
 
 /*
+ * Stack virtualization support.
+ */
+#ifdef VIMAGE
+struct vnet_ipfw {
+ int _fw_one_pass;
+ int _fw_enable;
+ int _fw6_enable;
+
+ u_int32_t _set_disable;
+ int _fw_deny_unknown_exthdrs;
+ int _fw_verbose;
+ int _verbose_limit;
+ int _fw_debug;
+ int _autoinc_step;
+
+ ipfw_dyn_rule **_ipfw_dyn_v;
+ struct ip_fw_chain _layer3_chain;
+ u_int32_t _dyn_buckets;
+ u_int32_t _curr_dyn_buckets;
+
+ u_int32_t _dyn_ack_lifetime;
+ u_int32_t _dyn_syn_lifetime;
+ u_int32_t _dyn_fin_lifetime;
+ u_int32_t _dyn_rst_lifetime;
+ u_int32_t _dyn_udp_lifetime;
+ u_int32_t _dyn_short_lifetime;
+ u_int32_t _dyn_keepalive_interval;
+ u_int32_t _dyn_keepalive_period;
+ u_int32_t _dyn_keepalive;
+ u_int32_t _static_count;
+ u_int32_t _static_len;
+ u_int32_t _dyn_count;
+ u_int32_t _dyn_max;
+
+ u_int64_t _norule_counter;
+
+ struct callout _ipfw_timeout;
+};
+#endif
+
+/*
  * Symbol translation macros
  */
-#define INIT_VNET_IPFW(vnet) int vnet_ipfw;
+#define INIT_VNET_IPFW(vnet) \
+ INIT_FROM_VNET(vnet, VNET_MOD_IPFW, struct vnet_ipfw, vnet_ipfw)
 #define VNET_IPFW(sym) VSYM(vnet_ipfw, sym)