Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 15 Dec 2009 21:24:12 +0000 (UTC)
From:      Luigi Rizzo <luigi@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r200590 - in head/sys: conf netinet/ipfw
Message-ID:  <200912152124.nBFLOCPm075761@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: luigi
Date: Tue Dec 15 21:24:12 2009
New Revision: 200590
URL: http://svn.freebsd.org/changeset/base/200590

Log:
  more splitting of ip_fw2.c, now extract the 'table' routines
  and the sockopt routines (the upper half of the kernel).
  
  Whoever is the author of the 'table' code (Ruslan/glebius/oleg ?)
  please change the attribution in ip_fw_table.c. I have copied
  the copyright line from ip_fw2.c but it carries my name and I have
  neither written nor designed the feature so I don't deserve
  the credit.
  
  MFC after:	1 month

Added:
  head/sys/netinet/ipfw/ip_fw_sockopt.c   (contents, props changed)
  head/sys/netinet/ipfw/ip_fw_table.c   (contents, props changed)
Modified:
  head/sys/conf/files
  head/sys/netinet/ipfw/ip_fw2.c
  head/sys/netinet/ipfw/ip_fw_private.h

Modified: head/sys/conf/files
==============================================================================
--- head/sys/conf/files	Tue Dec 15 21:02:29 2009	(r200589)
+++ head/sys/conf/files	Tue Dec 15 21:24:12 2009	(r200590)
@@ -2430,6 +2430,8 @@ netinet/ipfw/ip_fw2.c		optional inet ipf
 netinet/ipfw/ip_fw_dynamic.c	optional inet ipfirewall
 netinet/ipfw/ip_fw_log.c	optional inet ipfirewall
 netinet/ipfw/ip_fw_pfil.c	optional inet ipfirewall
+netinet/ipfw/ip_fw_sockopt.c	optional inet ipfirewall
+netinet/ipfw/ip_fw_table.c	optional inet ipfirewall
 netinet/ipfw/ip_fw_nat.c	optional inet ipfirewall_nat
 netinet/ip_icmp.c		optional inet
 netinet/ip_input.c		optional inet

Modified: head/sys/netinet/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw2.c	Tue Dec 15 21:02:29 2009	(r200589)
+++ head/sys/netinet/ipfw/ip_fw2.c	Tue Dec 15 21:24:12 2009	(r200590)
@@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/ucred.h>
 #include <net/ethernet.h> /* for ETHERTYPE_IP */
 #include <net/if.h>
-#include <net/radix.h>
 #include <net/route.h>
 #include <net/pf_mtag.h>
 #include <net/vnet.h>
@@ -112,7 +111,7 @@ static VNET_DEFINE(int, ipfw_vnet_ready)
  * and CANNOT be disabled.
  * Rules in set RESVD_SET can only be deleted explicitly.
  */
-static VNET_DEFINE(u_int32_t, set_disable);
+VNET_DEFINE(u_int32_t, set_disable);
 VNET_DEFINE(int, fw_verbose);
 
 #define	V_set_disable			VNET(set_disable)
@@ -132,8 +131,6 @@ struct ip_fw *ip_fw_default_rule;
 VNET_DEFINE(struct ip_fw_chain, layer3_chain);
 
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
-MALLOC_DEFINE(M_IPFW_TBL, "ipfw_tbl", "IpFw tables");
-#define IPFW_NAT_LOADED (ipfw_nat_ptr != NULL)
 ipfw_nat_t *ipfw_nat_ptr = NULL;
 struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
 ipfw_nat_cfg_t *ipfw_nat_cfg_ptr;
@@ -152,10 +149,6 @@ static VNET_DEFINE(int, autoinc_step);
 static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
 #define	V_fw_deny_unknown_exthdrs	VNET(fw_deny_unknown_exthdrs)
 
-static VNET_DEFINE(u_int32_t, static_count);	/* # of static rules */
-static VNET_DEFINE(u_int32_t, static_len);	/* bytes of static rules */
-#define	V_static_count			VNET(static_count)
-#define	V_static_len			VNET(static_len)
 extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
 
 #ifdef SYSCTL_NODE
@@ -197,9 +190,6 @@ SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_A
     "Deny packets with unknown IPv6 Extension Headers");
 #endif /* INET6 */
 
-SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count,
-    CTLFLAG_RD, &VNET_NAME(static_count), 0,
-    "Number of static rules");
 #endif /* SYSCTL_NODE */
 
 
@@ -693,193 +683,6 @@ lookup_next_rule(struct ip_fw *me, u_int
 }
 
 static int
-add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
-    uint8_t mlen, uint32_t value)
-{
-	struct radix_node_head *rnh;
-	struct table_entry *ent;
-	struct radix_node *rn;
-
-	if (tbl >= IPFW_TABLES_MAX)
-		return (EINVAL);
-	rnh = ch->tables[tbl];
-	ent = malloc(sizeof(*ent), M_IPFW_TBL, M_NOWAIT | M_ZERO);
-	if (ent == NULL)
-		return (ENOMEM);
-	ent->value = value;
-	ent->addr.sin_len = ent->mask.sin_len = 8;
-	ent->mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0);
-	ent->addr.sin_addr.s_addr = addr & ent->mask.sin_addr.s_addr;
-	IPFW_WLOCK(ch);
-	rn = rnh->rnh_addaddr(&ent->addr, &ent->mask, rnh, (void *)ent);
-	if (rn == NULL) {
-		IPFW_WUNLOCK(ch);
-		free(ent, M_IPFW_TBL);
-		return (EEXIST);
-	}
-	IPFW_WUNLOCK(ch);
-	return (0);
-}
-
-static int
-del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
-    uint8_t mlen)
-{
-	struct radix_node_head *rnh;
-	struct table_entry *ent;
-	struct sockaddr_in sa, mask;
-
-	if (tbl >= IPFW_TABLES_MAX)
-		return (EINVAL);
-	rnh = ch->tables[tbl];
-	sa.sin_len = mask.sin_len = 8;
-	mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0);
-	sa.sin_addr.s_addr = addr & mask.sin_addr.s_addr;
-	IPFW_WLOCK(ch);
-	ent = (struct table_entry *)rnh->rnh_deladdr(&sa, &mask, rnh);
-	if (ent == NULL) {
-		IPFW_WUNLOCK(ch);
-		return (ESRCH);
-	}
-	IPFW_WUNLOCK(ch);
-	free(ent, M_IPFW_TBL);
-	return (0);
-}
-
-static int
-flush_table_entry(struct radix_node *rn, void *arg)
-{
-	struct radix_node_head * const rnh = arg;
-	struct table_entry *ent;
-
-	ent = (struct table_entry *)
-	    rnh->rnh_deladdr(rn->rn_key, rn->rn_mask, rnh);
-	if (ent != NULL)
-		free(ent, M_IPFW_TBL);
-	return (0);
-}
-
-static int
-flush_table(struct ip_fw_chain *ch, uint16_t tbl)
-{
-	struct radix_node_head *rnh;
-
-	IPFW_WLOCK_ASSERT(ch);
-
-	if (tbl >= IPFW_TABLES_MAX)
-		return (EINVAL);
-	rnh = ch->tables[tbl];
-	KASSERT(rnh != NULL, ("NULL IPFW table"));
-	rnh->rnh_walktree(rnh, flush_table_entry, rnh);
-	return (0);
-}
-
-static void
-flush_tables(struct ip_fw_chain *ch)
-{
-	uint16_t tbl;
-
-	IPFW_WLOCK_ASSERT(ch);
-
-	for (tbl = 0; tbl < IPFW_TABLES_MAX; tbl++)
-		flush_table(ch, tbl);
-}
-
-static int
-init_tables(struct ip_fw_chain *ch)
-{ 
-	int i;
-	uint16_t j;
-
-	for (i = 0; i < IPFW_TABLES_MAX; i++) {
-		if (!rn_inithead((void **)&ch->tables[i], 32)) {
-			for (j = 0; j < i; j++) {
-				(void) flush_table(ch, j);
-			}
-			return (ENOMEM);
-		}
-	}
-	return (0);
-}
-
-static int
-lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
-    uint32_t *val)
-{
-	struct radix_node_head *rnh;
-	struct table_entry *ent;
-	struct sockaddr_in sa;
-
-	if (tbl >= IPFW_TABLES_MAX)
-		return (0);
-	rnh = ch->tables[tbl];
-	sa.sin_len = 8;
-	sa.sin_addr.s_addr = addr;
-	ent = (struct table_entry *)(rnh->rnh_lookup(&sa, NULL, rnh));
-	if (ent != NULL) {
-		*val = ent->value;
-		return (1);
-	}
-	return (0);
-}
-
-static int
-count_table_entry(struct radix_node *rn, void *arg)
-{
-	u_int32_t * const cnt = arg;
-
-	(*cnt)++;
-	return (0);
-}
-
-static int
-count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt)
-{
-	struct radix_node_head *rnh;
-
-	if (tbl >= IPFW_TABLES_MAX)
-		return (EINVAL);
-	rnh = ch->tables[tbl];
-	*cnt = 0;
-	rnh->rnh_walktree(rnh, count_table_entry, cnt);
-	return (0);
-}
-
-static int
-dump_table_entry(struct radix_node *rn, void *arg)
-{
-	struct table_entry * const n = (struct table_entry *)rn;
-	ipfw_table * const tbl = arg;
-	ipfw_table_entry *ent;
-
-	if (tbl->cnt == tbl->size)
-		return (1);
-	ent = &tbl->ent[tbl->cnt];
-	ent->tbl = tbl->tbl;
-	if (in_nullhost(n->mask.sin_addr))
-		ent->masklen = 0;
-	else
-		ent->masklen = 33 - ffs(ntohl(n->mask.sin_addr.s_addr));
-	ent->addr = n->addr.sin_addr.s_addr;
-	ent->value = n->value;
-	tbl->cnt++;
-	return (0);
-}
-
-static int
-dump_table(struct ip_fw_chain *ch, ipfw_table *tbl)
-{
-	struct radix_node_head *rnh;
-
-	if (tbl->tbl >= IPFW_TABLES_MAX)
-		return (EINVAL);
-	rnh = ch->tables[tbl->tbl];
-	tbl->cnt = 0;
-	rnh->rnh_walktree(rnh, dump_table_entry, tbl);
-	return (0);
-}
-
-static int
 check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
     struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip,
     u_int16_t src_port, struct ucred **uc, int *ugid_lookupp,
@@ -1636,7 +1439,7 @@ do {									\
 					} else
 					    break;
 				    }
-				    match = lookup_table(chain, cmd->arg1, a,
+				    match = ipfw_lookup_table(chain, cmd->arg1, a,
 					&v);
 				    if (!match)
 					break;
@@ -2448,1010 +2251,6 @@ pullup_failed:
 	return (IP_FW_DENY);
 }
 
-/*
- * When a rule is added/deleted, clear the next_rule pointers in all rules.
- * These will be reconstructed on the fly as packets are matched.
- */
-static void
-flush_rule_ptrs(struct ip_fw_chain *chain)
-{
-	struct ip_fw *rule;
-
-	IPFW_WLOCK_ASSERT(chain);
-
-	chain->id++;
-
-	for (rule = chain->rules; rule; rule = rule->next)
-		rule->next_rule = NULL;
-}
-
-/*
- * Add a new rule to the list. Copy the rule into a malloc'ed area, then
- * possibly create a rule number and add the rule to the list.
- * Update the rule_number in the input struct so the caller knows it as well.
- */
-static int
-add_rule(struct ip_fw_chain *chain, struct ip_fw *input_rule)
-{
-	struct ip_fw *rule, *f, *prev;
-	int l = RULESIZE(input_rule);
-
-	if (chain->rules == NULL && input_rule->rulenum != IPFW_DEFAULT_RULE)
-		return (EINVAL);
-
-	rule = malloc(l, M_IPFW, M_NOWAIT | M_ZERO);
-	if (rule == NULL)
-		return (ENOSPC);
-
-	bcopy(input_rule, rule, l);
-
-	rule->next = NULL;
-	rule->next_rule = NULL;
-
-	rule->pcnt = 0;
-	rule->bcnt = 0;
-	rule->timestamp = 0;
-
-	IPFW_WLOCK(chain);
-
-	if (chain->rules == NULL) {	/* default rule */
-		chain->rules = rule;
-		rule->id = ++chain->id;
-		goto done;
-        }
-
-	/*
-	 * If rulenum is 0, find highest numbered rule before the
-	 * default rule, and add autoinc_step
-	 */
-	if (V_autoinc_step < 1)
-		V_autoinc_step = 1;
-	else if (V_autoinc_step > 1000)
-		V_autoinc_step = 1000;
-	if (rule->rulenum == 0) {
-		/*
-		 * locate the highest numbered rule before default
-		 */
-		for (f = chain->rules; f; f = f->next) {
-			if (f->rulenum == IPFW_DEFAULT_RULE)
-				break;
-			rule->rulenum = f->rulenum;
-		}
-		if (rule->rulenum < IPFW_DEFAULT_RULE - V_autoinc_step)
-			rule->rulenum += V_autoinc_step;
-		input_rule->rulenum = rule->rulenum;
-	}
-
-	/*
-	 * Now insert the new rule in the right place in the sorted list.
-	 */
-	for (prev = NULL, f = chain->rules; f; prev = f, f = f->next) {
-		if (f->rulenum > rule->rulenum) { /* found the location */
-			if (prev) {
-				rule->next = f;
-				prev->next = rule;
-			} else { /* head insert */
-				rule->next = chain->rules;
-				chain->rules = rule;
-			}
-			break;
-		}
-	}
-	flush_rule_ptrs(chain);
-	/* chain->id incremented inside flush_rule_ptrs() */
-	rule->id = chain->id;
-done:
-	V_static_count++;
-	V_static_len += l;
-	IPFW_WUNLOCK(chain);
-	DEB(printf("ipfw: installed rule %d, static count now %d\n",
-		rule->rulenum, V_static_count);)
-	return (0);
-}
-
-/**
- * Remove a static rule (including derived * dynamic rules)
- * and place it on the ``reap list'' for later reclamation.
- * The caller is in charge of clearing rule pointers to avoid
- * dangling pointers.
- * @return a pointer to the next entry.
- * Arguments are not checked, so they better be correct.
- */
-static struct ip_fw *
-remove_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
-    struct ip_fw *prev)
-{
-	struct ip_fw *n;
-	int l = RULESIZE(rule);
-
-	IPFW_WLOCK_ASSERT(chain);
-
-	n = rule->next;
-	remove_dyn_children(rule);
-	if (prev == NULL)
-		chain->rules = n;
-	else
-		prev->next = n;
-	V_static_count--;
-	V_static_len -= l;
-
-	rule->next = chain->reap;
-	chain->reap = rule;
-
-	return n;
-}
-
-/*
- * Reclaim storage associated with a list of rules.  This is
- * typically the list created using remove_rule.
- * A NULL pointer on input is handled correctly.
- */
-static void
-reap_rules(struct ip_fw *head)
-{
-	struct ip_fw *rule;
-
-	while ((rule = head) != NULL) {
-		head = head->next;
-		free(rule, M_IPFW);
-	}
-}
-
-/*
- * Remove all rules from a chain (except rules in set RESVD_SET
- * unless kill_default = 1).  The caller is responsible for
- * reclaiming storage for the rules left in chain->reap.
- */
-static void
-free_chain(struct ip_fw_chain *chain, int kill_default)
-{
-	struct ip_fw *prev, *rule;
-
-	IPFW_WLOCK_ASSERT(chain);
-
-	chain->reap = NULL;
-	flush_rule_ptrs(chain); /* more efficient to do outside the loop */
-	for (prev = NULL, rule = chain->rules; rule ; )
-		if (kill_default || rule->set != RESVD_SET)
-			rule = remove_rule(chain, rule, prev);
-		else {
-			prev = rule;
-			rule = rule->next;
-		}
-}
-
-/**
- * Remove all rules with given number, and also do set manipulation.
- * Assumes chain != NULL && *chain != NULL.
- *
- * The argument is an u_int32_t. The low 16 bit are the rule or set number,
- * the next 8 bits are the new set, the top 8 bits are the command:
- *
- *	0	delete rules with given number
- *	1	delete rules with given set number
- *	2	move rules with given number to new set
- *	3	move rules with given set number to new set
- *	4	swap sets with given numbers
- *	5	delete rules with given number and with given set number
- */
-static int
-del_entry(struct ip_fw_chain *chain, u_int32_t arg)
-{
-	struct ip_fw *prev = NULL, *rule;
-	u_int16_t rulenum;	/* rule or old_set */
-	u_int8_t cmd, new_set;
-
-	rulenum = arg & 0xffff;
-	cmd = (arg >> 24) & 0xff;
-	new_set = (arg >> 16) & 0xff;
-
-	if (cmd > 5 || new_set > RESVD_SET)
-		return EINVAL;
-	if (cmd == 0 || cmd == 2 || cmd == 5) {
-		if (rulenum >= IPFW_DEFAULT_RULE)
-			return EINVAL;
-	} else {
-		if (rulenum > RESVD_SET)	/* old_set */
-			return EINVAL;
-	}
-
-	IPFW_WLOCK(chain);
-	rule = chain->rules;	/* common starting point */
-	chain->reap = NULL;	/* prepare for deletions */
-	switch (cmd) {
-	case 0:	/* delete rules with given number */
-		/*
-		 * locate first rule to delete
-		 */
-		for (; rule->rulenum < rulenum; prev = rule, rule = rule->next)
-			;
-		if (rule->rulenum != rulenum) {
-			IPFW_WUNLOCK(chain);
-			return EINVAL;
-		}
-
-		/*
-		 * flush pointers outside the loop, then delete all matching
-		 * rules. prev remains the same throughout the cycle.
-		 */
-		flush_rule_ptrs(chain);
-		while (rule->rulenum == rulenum)
-			rule = remove_rule(chain, rule, prev);
-		break;
-
-	case 1:	/* delete all rules with given set number */
-		flush_rule_ptrs(chain);
-		while (rule->rulenum < IPFW_DEFAULT_RULE) {
-			if (rule->set == rulenum)
-				rule = remove_rule(chain, rule, prev);
-			else {
-				prev = rule;
-				rule = rule->next;
-			}
-		}
-		break;
-
-	case 2:	/* move rules with given number to new set */
-		for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
-			if (rule->rulenum == rulenum)
-				rule->set = new_set;
-		break;
-
-	case 3: /* move rules with given set number to new set */
-		for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
-			if (rule->set == rulenum)
-				rule->set = new_set;
-		break;
-
-	case 4: /* swap two sets */
-		for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
-			if (rule->set == rulenum)
-				rule->set = new_set;
-			else if (rule->set == new_set)
-				rule->set = rulenum;
-		break;
-
-	case 5: /* delete rules with given number and with given set number.
-		 * rulenum - given rule number;
-		 * new_set - given set number.
-		 */
-		for (; rule->rulenum < rulenum; prev = rule, rule = rule->next)
-			;
-		if (rule->rulenum != rulenum) {
-			IPFW_WUNLOCK(chain);
-			return (EINVAL);
-		}
-		flush_rule_ptrs(chain);
-		while (rule->rulenum == rulenum) {
-			if (rule->set == new_set)
-				rule = remove_rule(chain, rule, prev);
-			else {
-				prev = rule;
-				rule = rule->next;
-			}
-		}
-	}
-	/*
-	 * Look for rules to reclaim.  We grab the list before
-	 * releasing the lock then reclaim them w/o the lock to
-	 * avoid a LOR with dummynet.
-	 */
-	rule = chain->reap;
-	IPFW_WUNLOCK(chain);
-	reap_rules(rule);
-	return 0;
-}
-
-/*
- * Clear counters for a specific rule.
- * The enclosing "table" is assumed locked.
- */
-static void
-clear_counters(struct ip_fw *rule, int log_only)
-{
-	ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule);
-
-	if (log_only == 0) {
-		rule->bcnt = rule->pcnt = 0;
-		rule->timestamp = 0;
-	}
-	if (l->o.opcode == O_LOG)
-		l->log_left = l->max_log;
-}
-
-/**
- * Reset some or all counters on firewall rules.
- * The argument `arg' is an u_int32_t. The low 16 bit are the rule number,
- * the next 8 bits are the set number, the top 8 bits are the command:
- *	0	work with rules from all set's;
- *	1	work with rules only from specified set.
- * Specified rule number is zero if we want to clear all entries.
- * log_only is 1 if we only want to reset logs, zero otherwise.
- */
-static int
-zero_entry(struct ip_fw_chain *chain, u_int32_t arg, int log_only)
-{
-	struct ip_fw *rule;
-	char *msg;
-
-	uint16_t rulenum = arg & 0xffff;
-	uint8_t set = (arg >> 16) & 0xff;
-	uint8_t cmd = (arg >> 24) & 0xff;
-
-	if (cmd > 1)
-		return (EINVAL);
-	if (cmd == 1 && set > RESVD_SET)
-		return (EINVAL);
-
-	IPFW_WLOCK(chain);
-	if (rulenum == 0) {
-		V_norule_counter = 0;
-		for (rule = chain->rules; rule; rule = rule->next) {
-			/* Skip rules from another set. */
-			if (cmd == 1 && rule->set != set)
-				continue;
-			clear_counters(rule, log_only);
-		}
-		msg = log_only ? "All logging counts reset" :
-		    "Accounting cleared";
-	} else {
-		int cleared = 0;
-		/*
-		 * We can have multiple rules with the same number, so we
-		 * need to clear them all.
-		 */
-		for (rule = chain->rules; rule; rule = rule->next)
-			if (rule->rulenum == rulenum) {
-				while (rule && rule->rulenum == rulenum) {
-					if (cmd == 0 || rule->set == set)
-						clear_counters(rule, log_only);
-					rule = rule->next;
-				}
-				cleared = 1;
-				break;
-			}
-		if (!cleared) {	/* we did not find any matching rules */
-			IPFW_WUNLOCK(chain);
-			return (EINVAL);
-		}
-		msg = log_only ? "logging count reset" : "cleared";
-	}
-	IPFW_WUNLOCK(chain);
-
-	if (V_fw_verbose) {
-		int lev = LOG_SECURITY | LOG_NOTICE;
-
-		if (rulenum)
-			log(lev, "ipfw: Entry %d %s.\n", rulenum, msg);
-		else
-			log(lev, "ipfw: %s.\n", msg);
-	}
-	return (0);
-}
-
-/*
- * Check validity of the structure before insert.
- * Fortunately rules are simple, so this mostly need to check rule sizes.
- */
-static int
-check_ipfw_struct(struct ip_fw *rule, int size)
-{
-	int l, cmdlen = 0;
-	int have_action=0;
-	ipfw_insn *cmd;
-
-	if (size < sizeof(*rule)) {
-		printf("ipfw: rule too short\n");
-		return (EINVAL);
-	}
-	/* first, check for valid size */
-	l = RULESIZE(rule);
-	if (l != size) {
-		printf("ipfw: size mismatch (have %d want %d)\n", size, l);
-		return (EINVAL);
-	}
-	if (rule->act_ofs >= rule->cmd_len) {
-		printf("ipfw: bogus action offset (%u > %u)\n",
-		    rule->act_ofs, rule->cmd_len - 1);
-		return (EINVAL);
-	}
-	/*
-	 * Now go for the individual checks. Very simple ones, basically only
-	 * instruction sizes.
-	 */
-	for (l = rule->cmd_len, cmd = rule->cmd ;
-			l > 0 ; l -= cmdlen, cmd += cmdlen) {
-		cmdlen = F_LEN(cmd);
-		if (cmdlen > l) {
-			printf("ipfw: opcode %d size truncated\n",
-			    cmd->opcode);
-			return EINVAL;
-		}
-		DEB(printf("ipfw: opcode %d\n", cmd->opcode);)
-		switch (cmd->opcode) {
-		case O_PROBE_STATE:
-		case O_KEEP_STATE:
-		case O_PROTO:
-		case O_IP_SRC_ME:
-		case O_IP_DST_ME:
-		case O_LAYER2:
-		case O_IN:
-		case O_FRAG:
-		case O_DIVERTED:
-		case O_IPOPT:
-		case O_IPTOS:
-		case O_IPPRECEDENCE:
-		case O_IPVER:
-		case O_TCPWIN:
-		case O_TCPFLAGS:
-		case O_TCPOPTS:
-		case O_ESTAB:
-		case O_VERREVPATH:
-		case O_VERSRCREACH:
-		case O_ANTISPOOF:
-		case O_IPSEC:
-#ifdef INET6
-		case O_IP6_SRC_ME:
-		case O_IP6_DST_ME:
-		case O_EXT_HDR:
-		case O_IP6:
-#endif
-		case O_IP4:
-		case O_TAG:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn))
-				goto bad_size;
-			break;
-
-		case O_FIB:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn))
-				goto bad_size;
-			if (cmd->arg1 >= rt_numfibs) {
-				printf("ipfw: invalid fib number %d\n",
-					cmd->arg1);
-				return EINVAL;
-			}
-			break;
-
-		case O_SETFIB:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn))
-				goto bad_size;
-			if (cmd->arg1 >= rt_numfibs) {
-				printf("ipfw: invalid fib number %d\n",
-					cmd->arg1);
-				return EINVAL;
-			}
-			goto check_action;
-
-		case O_UID:
-		case O_GID:
-		case O_JAIL:
-		case O_IP_SRC:
-		case O_IP_DST:
-		case O_TCPSEQ:
-		case O_TCPACK:
-		case O_PROB:
-		case O_ICMPTYPE:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
-				goto bad_size;
-			break;
-
-		case O_LIMIT:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
-				goto bad_size;
-			break;
-
-		case O_LOG:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_log))
-				goto bad_size;
-
-			((ipfw_insn_log *)cmd)->log_left =
-			    ((ipfw_insn_log *)cmd)->max_log;
-
-			break;
-
-		case O_IP_SRC_MASK:
-		case O_IP_DST_MASK:
-			/* only odd command lengths */
-			if ( !(cmdlen & 1) || cmdlen > 31)
-				goto bad_size;
-			break;
-
-		case O_IP_SRC_SET:
-		case O_IP_DST_SET:
-			if (cmd->arg1 == 0 || cmd->arg1 > 256) {
-				printf("ipfw: invalid set size %d\n",
-					cmd->arg1);
-				return EINVAL;
-			}
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
-			    (cmd->arg1+31)/32 )
-				goto bad_size;
-			break;
-
-		case O_IP_SRC_LOOKUP:
-		case O_IP_DST_LOOKUP:
-			if (cmd->arg1 >= IPFW_TABLES_MAX) {
-				printf("ipfw: invalid table number %d\n",
-				    cmd->arg1);
-				return (EINVAL);
-			}
-			if (cmdlen != F_INSN_SIZE(ipfw_insn) &&
-			    cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1 &&
-			    cmdlen != F_INSN_SIZE(ipfw_insn_u32))
-				goto bad_size;
-			break;
-
-		case O_MACADDR2:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_mac))
-				goto bad_size;
-			break;
-
-		case O_NOP:
-		case O_IPID:
-		case O_IPTTL:
-		case O_IPLEN:
-		case O_TCPDATALEN:
-		case O_TAGGED:
-			if (cmdlen < 1 || cmdlen > 31)
-				goto bad_size;
-			break;
-
-		case O_MAC_TYPE:
-		case O_IP_SRCPORT:
-		case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */
-			if (cmdlen < 2 || cmdlen > 31)
-				goto bad_size;
-			break;
-
-		case O_RECV:
-		case O_XMIT:
-		case O_VIA:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_if))
-				goto bad_size;
-			break;
-
-		case O_ALTQ:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_altq))
-				goto bad_size;
-			break;
-
-		case O_PIPE:
-		case O_QUEUE:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn))
-				goto bad_size;
-			goto check_action;
-
-		case O_FORWARD_IP:
-#ifdef	IPFIREWALL_FORWARD
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
-				goto bad_size;
-			goto check_action;
-#else
-			return EINVAL;
-#endif
-
-		case O_DIVERT:
-		case O_TEE:
-			if (ip_divert_ptr == NULL)
-				return EINVAL;
-			else
-				goto check_size;
-		case O_NETGRAPH:
-		case O_NGTEE:
-			if (!NG_IPFW_LOADED)
-				return EINVAL;
-			else
-				goto check_size;
-		case O_NAT:
-			if (!IPFW_NAT_LOADED)
-				return EINVAL;
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_nat))
- 				goto bad_size;		
- 			goto check_action;
-		case O_FORWARD_MAC: /* XXX not implemented yet */
-		case O_CHECK_STATE:
-		case O_COUNT:
-		case O_ACCEPT:
-		case O_DENY:
-		case O_REJECT:
-#ifdef INET6
-		case O_UNREACH6:
-#endif
-		case O_SKIPTO:
-		case O_REASS:
-check_size:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn))
-				goto bad_size;
-check_action:
-			if (have_action) {
-				printf("ipfw: opcode %d, multiple actions"
-					" not allowed\n",
-					cmd->opcode);
-				return EINVAL;
-			}
-			have_action = 1;
-			if (l != cmdlen) {
-				printf("ipfw: opcode %d, action must be"
-					" last opcode\n",
-					cmd->opcode);
-				return EINVAL;
-			}
-			break;
-#ifdef INET6
-		case O_IP6_SRC:
-		case O_IP6_DST:
-			if (cmdlen != F_INSN_SIZE(struct in6_addr) +
-			    F_INSN_SIZE(ipfw_insn))
-				goto bad_size;
-			break;
-
-		case O_FLOW6ID:
-			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
-			    ((ipfw_insn_u32 *)cmd)->o.arg1)
-				goto bad_size;
-			break;
-
-		case O_IP6_SRC_MASK:
-		case O_IP6_DST_MASK:
-			if ( !(cmdlen & 1) || cmdlen > 127)
-				goto bad_size;
-			break;
-		case O_ICMP6TYPE:
-			if( cmdlen != F_INSN_SIZE( ipfw_insn_icmp6 ) )
-				goto bad_size;
-			break;
-#endif
-
-		default:
-			switch (cmd->opcode) {
-#ifndef INET6
-			case O_IP6_SRC_ME:
-			case O_IP6_DST_ME:
-			case O_EXT_HDR:
-			case O_IP6:
-			case O_UNREACH6:
-			case O_IP6_SRC:
-			case O_IP6_DST:
-			case O_FLOW6ID:
-			case O_IP6_SRC_MASK:
-			case O_IP6_DST_MASK:
-			case O_ICMP6TYPE:
-				printf("ipfw: no IPv6 support in kernel\n");
-				return EPROTONOSUPPORT;
-#endif
-			default:
-				printf("ipfw: opcode %d, unknown opcode\n",
-					cmd->opcode);
-				return EINVAL;
-			}
-		}
-	}
-	if (have_action == 0) {
-		printf("ipfw: missing action\n");
-		return EINVAL;
-	}
-	return 0;
-
-bad_size:
-	printf("ipfw: opcode %d size %d wrong\n",
-		cmd->opcode, cmdlen);
-	return EINVAL;
-}
-
-/*
- * Copy the static and dynamic rules to the supplied buffer
- * and return the amount of space actually used.
- */
-static size_t
-ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space)
-{
-	char *bp = buf;
-	char *ep = bp + space;
-	struct ip_fw *rule;
-	int i;
-	time_t	boot_seconds;
-
-        boot_seconds = boottime.tv_sec;
-	/* XXX this can take a long time and locking will block packet flow */
-	IPFW_RLOCK(chain);
-	for (rule = chain->rules; rule ; rule = rule->next) {
-		/*
-		 * Verify the entry fits in the buffer in case the
-		 * rules changed between calculating buffer space and
-		 * now.  This would be better done using a generation
-		 * number but should suffice for now.
-		 */
-		i = RULESIZE(rule);
-		if (bp + i <= ep) {
-			bcopy(rule, bp, i);
-			/*
-			 * XXX HACK. Store the disable mask in the "next"
-			 * pointer in a wild attempt to keep the ABI the same.
-			 * Why do we do this on EVERY rule?
-			 */
-			bcopy(&V_set_disable,
-			    &(((struct ip_fw *)bp)->next_rule),
-			    sizeof(V_set_disable));
-			if (((struct ip_fw *)bp)->timestamp)
-				((struct ip_fw *)bp)->timestamp += boot_seconds;
-			bp += i;
-		}
-	}
-	IPFW_RUNLOCK(chain);
-	ipfw_get_dynamic(&bp, ep);
-	return (bp - (char *)buf);
-}

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200912152124.nBFLOCPm075761>