Date:      Mon, 1 Jul 2019 10:15:52 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r349575 - stable/11/sbin/ipfw
Message-ID:  <201907011015.x61AFq0A059406@repo.freebsd.org>

Author: ae
Date: Mon Jul  1 10:15:52 2019
New Revision: 349575
URL: https://svnweb.freebsd.org/changeset/base/349575

Log:
  MFC r348235:
    Add `missing` and `or-flush` options to "ipfw table <NAME> create"
    command to simplify firewall reloading.
  
    The `missing` option suppresses the EEXIST error code, but does check that
    the existing table has the same parameters as the new one. The `or-flush`
    option implies the `missing` option and additionally flushes the table if
    it already exists.
  
    Submitted by:	lev
    Differential Revision:	https://reviews.freebsd.org/D18339
  
  MFC r348301:
    Remove unused token that was added in r348235.

Modified:
  stable/11/sbin/ipfw/ipfw.8
  stable/11/sbin/ipfw/ipfw2.h
  stable/11/sbin/ipfw/tables.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/ipfw/ipfw.8
==============================================================================
--- stable/11/sbin/ipfw/ipfw.8	Mon Jul  1 10:09:19 2019	(r349574)
+++ stable/11/sbin/ipfw/ipfw.8	Mon Jul  1 10:15:52 2019	(r349575)
@@ -2144,7 +2144,7 @@ The following creation options are supported:
 .Bl -tag -width indent
 .It Ar create-options : Ar create-option | create-options
 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
-.Cm limit Ar number | Cm locked
+.Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
 .It Cm type
 Table key type.
 .It Cm valtype
@@ -2155,6 +2155,13 @@ Table algorithm to use (see below).
 Maximum number of items that may be inserted into table.
 .It Cm locked
 Restrict any table modifications.
+.It Cm missing
+Do not fail if table already exists and has exactly same options as new one.
+.It Cm or-flush
+Flush existing table with same name instead of returning error.
+Implies
+.Cm missing
+so existing table must be compatible with new one.
 .El
 .Pp
 Some of these options may be modified later via

Modified: stable/11/sbin/ipfw/ipfw2.h
==============================================================================
--- stable/11/sbin/ipfw/ipfw2.h	Mon Jul  1 10:09:19 2019	(r349574)
+++ stable/11/sbin/ipfw/ipfw2.h	Mon Jul  1 10:15:52 2019	(r349575)
@@ -265,6 +265,8 @@ enum tokens {
 	TOK_UNLOCK,
 	TOK_VLIST,
 	TOK_OLIST,
+	TOK_MISSING,
+	TOK_ORFLUSH,
 
 	/* NAT64 tokens */
 	TOK_NAT64STL,

Modified: stable/11/sbin/ipfw/tables.c
==============================================================================
--- stable/11/sbin/ipfw/tables.c	Mon Jul  1 10:09:19 2019	(r349574)
+++ stable/11/sbin/ipfw/tables.c	Mon Jul  1 10:15:52 2019	(r349575)
@@ -327,6 +327,8 @@ static struct _s_x tablenewcmds[] = {
       { "algo",		TOK_ALGO },
       { "limit",	TOK_LIMIT },
       { "locked",	TOK_LOCK },
+      { "missing",	TOK_MISSING },
+      { "or-flush",	TOK_ORFLUSH },
       { NULL, 0 }
 };
 
@@ -389,19 +391,19 @@ table_print_type(char *tbuf, size_t size, uint8_t type
  * Creates new table
  *
  * ipfw table NAME create [ type { addr | iface | number | flow } ]
- *     [ algo algoname ]
+ *     [ algo algoname ] [missing] [or-flush]
  */
 static void
 table_create(ipfw_obj_header *oh, int ac, char *av[])
 {
-	ipfw_xtable_info xi;
-	int error, tcmd, val;
+	ipfw_xtable_info xi, xie;
+	int error, missing, orflush, tcmd, val;
 	uint32_t fset, fclear;
 	char *e, *p;
 	char tbuf[128];
 
+	missing = orflush = 0;
 	memset(&xi, 0, sizeof(xi));
-
 	while (ac > 0) {
 		tcmd = get_token(tablenewcmds, *av, "option");
 		ac--; av++;
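Review bot: `xie` is declared next to `xi` on the new line `ipfw_xtable_info xi, xie;` but, unlike `xi`, is never zeroed before the function later compares it field by field against `xi` (that compare is further down in table_create, outside this hunk). Whether that matters depends on table_get_info writing every field on success, which cannot be confirmed from this hunk; adding `memset(&xie, 0, sizeof(xie));` beside the existing `memset(&xi, 0, sizeof(xi));` removes the question and keeps the two structs handled the same way. The header comment now reads `[ algo algoname ] [missing] [or-flush]`, which still omits the `valtype`, `limit` and `locked` options the parser accepts; listing them would keep the comment in step with tablenewcmds. table_create's body continues past this hunk.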
@@ -457,6 +459,12 @@ table_create(ipfw_obj_header *oh, int ac, char *av[])
 		case TOK_LOCK:
 			xi.flags |= IPFW_TGFLAGS_LOCKED;
 			break;
+		case TOK_ORFLUSH:
+			orflush = 1;
+			/* FALLTHROUGH */
+		case TOK_MISSING:
+			missing = 1;
+			break;
 		}
 	}
 
@@ -466,8 +474,28 @@ table_create(ipfw_obj_header *oh, int ac, char *av[])
 	if (xi.vmask == 0)
 		xi.vmask = IPFW_VTYPE_LEGACY;
 
-	if ((error = table_do_create(oh, &xi)) != 0)
+	error = table_do_create(oh, &xi);
+
+	if (error == 0)
+		return;
+
+	if (errno != EEXIST || missing == 0)
 		err(EX_OSERR, "Table creation failed");
+
+	/* Check that existing table is the same we are trying to create */
+	if (table_get_info(oh, &xie) != 0)
+		err(EX_OSERR, "Existing table check failed");
+
+	if (xi.limit != xie.limit || xi.type != xie.type ||
+	    xi.tflags != xie.tflags || xi.vmask != xie.vmask || (
+	    xi.algoname[0] != '\0' && strcmp(xi.algoname,
+	    xie.algoname) != 0) || xi.flags != xie.flags)
+		errx(EX_DATAERR, "The existing table is not compatible "
+		    "with one you are creating.");
+
+	/* Flush existing table if instructed to do so */
+	if (orflush != 0 && table_flush(oh) != 0)
+		err(EX_OSERR, "Table flush on creation failed");
 }
 
 /*
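Review bot: The compatibility check treats an omitted option inconsistently: `algo` is only compared when `xi.algoname[0] != '\0'`, but an omitted `limit` leaves `xi.limit` at 0 from the earlier memset and is then compared strictly with `xie.limit`, so `create missing` against an existing table that has a limit fails unless the caller repeats the limit. If a zero limit means "unspecified" here, the guard `(xi.limit != 0 && xi.limit != xie.limit)` would make it behave like `algo`; if zero means "unlimited", the strict compare is right and the asymmetry deserves a comment, e.g. `/* limit 0 is a real value (unlimited), so it is compared unlike algoname */`. The `errno != EEXIST` test also relies on table_do_create returning with errno still set from the failing call; that function is outside this hunk, so this is an assumption to confirm. Lastly, the condition on the new lines breaks after an opening `(` at the end of a line, which is hard to read; keeping the `(xi.algoname[0] != '\0' && strcmp(...) != 0)` clause on its own line helps. table_create's declarations and option loop are in earlier hunks.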


