From owner-svn-src-projects@FreeBSD.ORG Fri Jul 4 07:02:12 2014 Return-Path: Delivered-To: svn-src-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 328FD570; Fri, 4 Jul 2014 07:02:12 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1356726D7; Fri, 4 Jul 2014 07:02:12 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s6472Bdl071671; Fri, 4 Jul 2014 07:02:11 GMT (envelope-from melifaro@svn.freebsd.org) Received: (from melifaro@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s6472BTI071668; Fri, 4 Jul 2014 07:02:11 GMT (envelope-from melifaro@svn.freebsd.org) Message-Id: <201407040702.s6472BTI071668@svn.freebsd.org> 
From: "Alexander V. Chernikov" Date: Fri, 4 Jul 2014 07:02:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r268245 - projects/ipfw/sys/netpfil/ipfw X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Jul 2014 07:02:12 -0000 Author: melifaro Date: Fri Jul 4 07:02:11 2014 New Revision: 268245 URL: http://svnweb.freebsd.org/changeset/base/268245 Log: * Issue warning while requesting ruleset with new tables via legacy binary. Convert each unresolved table as table 65535 (which cannot be used normally). * Perform s/^ipfw_// for add_table_entry, del_table_entry and flush_table since these are internal functions exported to keep legacy interface. * Remove macro TABLE_SET. Operations with tables can be done in any set, the only thing net.inet.ip.fw.tables_sets affects is the set in which tables are looked up while binding them to the rule. Modified: projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h Modified: projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c ============================================================================== --- projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c Fri Jul 4 06:05:39 2014 (r268244) +++ projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c Fri Jul 4 07:02:11 2014 (r268245) @@ -974,9 +974,11 @@ ipfw_getrules(struct ip_fw_chain *chain, char *bp = buf; char *ep = bp + space; struct ip_fw *rule, *dst; - int error, i, l; + int error, i, l, warnflag; time_t boot_seconds; + warnflag = 0; + boot_seconds = boottime.tv_sec; for (i = 0; i < chain->n_rules; i++) { rule = chain->map[i]; 
@@ -1032,11 +1034,19 @@ ipfw_getrules(struct ip_fw_chain *chain, bp += l; if (error != 0) { + if (error == 2) { + /* Non-fatal table rewrite error. */ + warnflag = 1; + continue; + } printf("Stop on rule %d. Fail to convert table\n", rule->rulenum); break; } } + if (warnflag != 0) + printf("ipfw: process %s is using legacy interfaces," + " consider rebuilding\n", ""); ipfw_get_dynamic(chain, &bp, ep); /* protected by the dynamic lock */ return (bp - (char *)buf); } @@ -1740,8 +1750,8 @@ ipfw_ctl(struct sockopt *sopt) ti.type = IPFW_TABLE_CIDR; error = (opt == IP_FW_TABLE_ADD) ? - ipfw_add_table_entry(chain, &ti, &tei) : - ipfw_del_table_entry(chain, &ti, &tei); + add_table_entry(chain, &ti, &tei) : + del_table_entry(chain, &ti, &tei); } break; @@ -1757,7 +1767,7 @@ ipfw_ctl(struct sockopt *sopt) break; memset(&ti, 0, sizeof(ti)); ti.uidx = tbl; - error = ipfw_flush_table(chain, &ti); + error = flush_table(chain, &ti); } break; Modified: projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c ============================================================================== --- projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c Fri Jul 4 06:05:39 2014 (r268244) +++ projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c Fri Jul 4 07:02:11 2014 (r268245) @@ -115,7 +115,6 @@ static int ipfw_modify_table_v1(struct i struct sockopt_data *sd); static int destroy_table(struct ip_fw_chain *ch, struct tid_info *ti); -static int flush_table(struct ip_fw_chain *ch, struct tid_info *ti); static struct table_algo *find_table_algo(struct tables_config *tableconf, struct tid_info *ti, char *name); @@ -127,7 +126,7 @@ static struct table_algo *find_table_alg int -ipfw_add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, +add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, struct tentry_info *tei) { struct table_config *tc, *tc_new; 
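Review bot: The warning added at the end of ipfw_getrules passes `""` for its `%s`, so it will always print `process  is using legacy interfaces` with an empty name; either fill the placeholder with the caller's identity (e.g. `curproc->p_comm`, if that is what was intended) or drop the `%s` and the empty argument. The message also goes out through a bare `printf()` on every legacy ruleset fetch that hits a non-compat table; if unprivileged callers can reach this getsockopt path, a rate limit such as `ppsratecheck()` (or `log(LOG_WARNING, ...)`) keeps a looping client from flooding the console. The `error == 2` test just above encodes the "compat table seen" result of ipfw_rewrite_table_kidx as a magic number; a named constant shared with that function would make the contract explicit and survive the next renumbering. The `error == 2` case also still increments `bp` by `l` before `continue`, so the rule copy is emitted with the rewritten opcode — worth a one-line comment saying so.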
@@ -250,7 +249,7 @@ done: } int -ipfw_del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, +del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, struct tentry_info *tei) { struct table_config *tc; @@ -362,8 +361,8 @@ ipfw_modify_table_v0(struct ip_fw_chain ti.type = xent->type; error = (op3->opcode == IP_FW_TABLE_XADD) ? - ipfw_add_table_entry(ch, &ti, &tei) : - ipfw_del_table_entry(ch, &ti, &tei); + add_table_entry(ch, &ti, &tei) : + del_table_entry(ch, &ti, &tei); return (error); } @@ -422,8 +421,8 @@ ipfw_modify_table_v1(struct ip_fw_chain ti.tlen = oh->ntlv.head.length; error = (oh->opheader.opcode == IP_FW_TABLE_XADD) ? - ipfw_add_table_entry(ch, &ti, &tei) : - ipfw_del_table_entry(ch, &ti, &tei); + add_table_entry(ch, &ti, &tei) : + del_table_entry(ch, &ti, &tei); return (error); } @@ -442,9 +441,9 @@ ipfw_flush_table(struct ip_fw_chain *ch, oh = (struct _ipfw_obj_header *)op3; objheader_to_ti(oh, &ti); - if (opt == IP_FW_TABLE_XDESTROY) + if (op3->opcode == IP_FW_TABLE_XDESTROY) error = destroy_table(ch, &ti); - else if (opt == IP_FW_TABLE_XFLUSH) + else if (op3->opcode == IP_FW_TABLE_XFLUSH) error = flush_table(ch, &ti); else return (ENOTSUP); @@ -459,7 +458,7 @@ ipfw_flush_table(struct ip_fw_chain *ch, * * Returns 0 on success */ -static int +int flush_table(struct ip_fw_chain *ch, struct tid_info *ti) { struct namedobj_instance *ni; @@ -1000,8 +999,6 @@ ipfw_create_table(struct ip_fw_chain *ch } objheader_to_ti(oh, &ti); - /* Create table in set 0 by default */ - ti->set = TABLE_SET(ti->set); ti.type = i->type; ni = CHAIN_TO_NI(ch); 
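Review bot: In the ipfw_create_table hunk, dropping `ti.set = TABLE_SET(ti.set)` means the set filled in by `objheader_to_ti()` now comes straight from the user-supplied sockopt header into `CHAIN_TO_NI(ch)` without the clamp the macro provided; unless objheader_to_ti already range-checks the set, add `if (ti.set >= IPFW_MAX_SETS) return (EINVAL);` before the create (ipfw_create_table's body continues outside the hunk). This is the same `ti.set` that the ip_fw_table.c lookup hunk further down resolves as `(V_fw_tables_sets != 0) ? ci->krule->set : 0`, so with sets disabled a table created in a nonzero set is never found by rule binding — that matches the log message's intent, but a comment at the create site saying "set is honoured on create regardless of V_fw_tables_sets" would save the next reader the cross-reference. The `opt` → `op3->opcode` fix in the ipfw_flush_table hunk looks right; `opt` does not appear anywhere in the visible function.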
@@ -1739,18 +1736,16 @@ bind_table_rule(struct ip_fw_chain *ch, int ipfw_rewrite_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule) { - int cmdlen, l; + int cmdlen, error, l; ipfw_insn *cmd; - uint32_t set; - uint16_t kidx; + uint16_t kidx, uidx; uint8_t type; struct named_object *no; struct namedobj_instance *ni; ni = CHAIN_TO_NI(chain); + error = 0; - set = TABLE_SET(rule->set); - l = rule->cmd_len; cmd = rule->cmd; cmdlen = 0; @@ -1763,13 +1758,22 @@ ipfw_rewrite_table_kidx(struct ip_fw_cha if ((no = ipfw_objhash_lookup_kidx(ni, kidx)) == NULL) return (1); - if (no->compat == 0) - return (2); + uidx = no->uidx; + if (no->compat == 0) { + + /* + * We are called via legacy opcode. + * Save error and show table as fake number + * not to make ipfw(8) hang. + */ + uidx = 65535; + error = 2; + } - update_table_opcode(cmd, no->uidx); + update_table_opcode(cmd, uidx); } - return (0); + return (error); } /* @@ -1853,7 +1857,12 @@ ipfw_rewrite_table_uidx(struct ip_fw_cha ftype = 0; memset(&ti, 0, sizeof(ti)); - ti.set = TABLE_SET(ci->krule->set); + + /* + * Use default set for looking up tables (old way) or + * use set rule is assigned to (new way). + */ + ti.set = (V_fw_tables_sets != 0) ? ci->krule->set : 0; if (ci->ctlv != NULL) { ti.tlvs = (void *)(ci->ctlv + 1); ti.tlen = ci->ctlv->head.length - sizeof(ipfw_obj_ctlv); @@ -2039,14 +2048,11 @@ ipfw_unbind_table_rule(struct ip_fw_chai ipfw_insn *cmd; struct namedobj_instance *ni; struct named_object *no; - uint32_t set; uint16_t kidx; uint8_t type; ni = CHAIN_TO_NI(chain); - set = TABLE_SET(rule->set); - l = rule->cmd_len; cmd = rule->cmd; cmdlen = 0; Modified: projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h ============================================================================== --- projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h Fri Jul 4 06:05:39 2014 (r268244) +++ projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h Fri Jul 4 07:02:11 2014 (r268245) 
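Review bot: `uidx = 65535;` and `error = 2;` in ipfw_rewrite_table_kidx are bare magic values that ip_fw_sockopt.c has to match byte-for-byte, and 65535 is the sentinel the log describes as "cannot be used normally"; give both a name in ip_fw_table.h (a `#define` for the placeholder table index and one for the "compat table rewritten" return code) and use them at both sites. Because `update_table_opcode(cmd, uidx)` writes the sentinel into the rule's opcode in place, the caller must be passing a copy of the rule rather than the live `chain->map[i]` entry — the hunk does not show which, so please confirm, since persisting 65535 into the active ruleset would silently break the rule. The function's return contract has changed (0 = ok, 1 = unknown kidx, 2 = placeholder substituted) and its header comment, which sits above the hunk, should say so; the `return (1)` in the same loop could also be folded into the new `error` variable for consistency. Minor: the blank line directly after `if (no->compat == 0) {` is against style(9).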
@@ -116,13 +116,15 @@ int ipfw_create_table(struct ip_fw_chain struct sockopt_data *sd); int ipfw_modify_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3, struct sockopt_data *sd); -int ipfw_add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, +/* Exported to support legacy opcodes */ +int add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, struct tentry_info *tei); -int ipfw_del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, +int del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti, struct tentry_info *tei); +int flush_table(struct ip_fw_chain *ch, struct tid_info *ti); -int ipfw_destroy_table(struct ip_fw_chain *ch, struct tid_info *ti); -int ipfw_flush_table(struct ip_fw_chain *ch, struct tid_info *ti); +int ipfw_flush_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3, + struct sockopt_data *sd); int ipfw_rewrite_table_uidx(struct ip_fw_chain *chain, struct rule_check_info *ci); int ipfw_rewrite_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule);
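Review bot: `add_table_entry`, `del_table_entry` and `flush_table` become global kernel symbols without the `ipfw_` prefix every other declaration in this header carries; unprefixed globals in a loadable module can collide with other modules at link time and are hard to grep for, so a prefixed form (e.g. `ipfw_table_add_entry`, or an `ipfw_`-prefixed `_compat` variant) would preserve the convention without losing the "internal, legacy-only" distinction the rename is meant to express. The new `/* Exported to support legacy opcodes */` comment should at least state that these are for ip_fw_sockopt.c only and not part of the module's public API. Having `flush_table(ch, ti)` and `ipfw_flush_table(ch, op3, sd)` coexist with different signatures also invites misuse; a short comment on each distinguishing "operates on a resolved tid_info" from "parses an opheader" would help.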