Message-Id: <201907011015.x61AFq0A059406@repo.freebsd.org>
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Mon, 1 Jul 2019 10:15:52 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r349575 - stable/11/sbin/ipfw

Author: ae
Date: Mon Jul 1 10:15:52 2019
New Revision: 349575
URL: https://svnweb.freebsd.org/changeset/base/349575

Log:
  MFC r348235:
    Add `missing` and `or-flush` options to "ipfw table create" command
    to simplify firewall reloading.

    The `missing` option suppresses the EEXIST error code, but does check
    that the existing table has the same parameters as the new one.
    The `or-flush` option implies the `missing` option and additionally
    flushes the table if it already exists.

    Submitted by:	lev
    Differential Revision:	https://reviews.freebsd.org/D18339

  MFC r348301:
    Remove unused token that was added in r348235.
Modified: stable/11/sbin/ipfw/ipfw.8 stable/11/sbin/ipfw/ipfw2.h stable/11/sbin/ipfw/tables.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sbin/ipfw/ipfw.8 ============================================================================== --- stable/11/sbin/ipfw/ipfw.8 Mon Jul 1 10:09:19 2019 (r349574) +++ stable/11/sbin/ipfw/ipfw.8 Mon Jul 1 10:15:52 2019 (r349575) @@ -2144,7 +2144,7 @@ The following creation options are supported: .Bl -tag -width indent .It Ar create-options : Ar create-option | create-options .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc | -.Cm limit Ar number | Cm locked +.Cm limit Ar number | Cm locked | Cm missing | Cm or-flush .It Cm type Table key type. .It Cm valtype @@ -2155,6 +2155,13 @@ Table algorithm to use (see below). Maximum number of items that may be inserted into table. .It Cm locked Restrict any table modifications. +.It Cm missing +Do not fail if table already exists and has exactly same options as new one. +.It Cm or-flush +Flush existing table with same name instead of returning error. +Implies +.Cm missing +so existing table must be compatible with new one. .El .Pp Some of these options may be modified later via Modified: stable/11/sbin/ipfw/ipfw2.h ============================================================================== --- stable/11/sbin/ipfw/ipfw2.h Mon Jul 1 10:09:19 2019 (r349574) +++ stable/11/sbin/ipfw/ipfw2.h Mon Jul 1 10:15:52 2019 (r349575) @@ -265,6 +265,8 @@ enum tokens { TOK_UNLOCK, TOK_VLIST, TOK_OLIST, + TOK_MISSING, + TOK_ORFLUSH, /* NAT64 tokens */ TOK_NAT64STL, Modified: stable/11/sbin/ipfw/tables.c ============================================================================== --- stable/11/sbin/ipfw/tables.c Mon Jul 1 10:09:19 2019 (r349574) +++ stable/11/sbin/ipfw/tables.c Mon Jul 1 10:15:52 2019 (r349575) 
@@ -327,6 +327,8 @@ static struct _s_x tablenewcmds[] = { { "algo", TOK_ALGO }, { "limit", TOK_LIMIT }, { "locked", TOK_LOCK }, + { "missing", TOK_MISSING }, + { "or-flush", TOK_ORFLUSH }, { NULL, 0 } }; @@ -389,19 +391,19 @@ table_print_type(char *tbuf, size_t size, uint8_t type * Creates new table * * ipfw table NAME create [ type { addr | iface | number | flow } ] - * [ algo algoname ] + * [ algo algoname ] [missing] [or-flush] */ static void table_create(ipfw_obj_header *oh, int ac, char *av[]) { - ipfw_xtable_info xi; - int error, tcmd, val; + ipfw_xtable_info xi, xie; + int error, missing, orflush, tcmd, val; uint32_t fset, fclear; char *e, *p; char tbuf[128]; + missing = orflush = 0; memset(&xi, 0, sizeof(xi)); - while (ac > 0) { tcmd = get_token(tablenewcmds, *av, "option"); ac--; av++; @@ -457,6 +459,12 @@ table_create(ipfw_obj_header *oh, int ac, char *av[]) case TOK_LOCK: xi.flags |= IPFW_TGFLAGS_LOCKED; break; + case TOK_ORFLUSH: + orflush = 1; + /* FALLTHROUGH */ + case TOK_MISSING: + missing = 1; + break; } } @@ -466,8 +474,28 @@ table_create(ipfw_obj_header *oh, int ac, char *av[]) if (xi.vmask == 0) xi.vmask = IPFW_VTYPE_LEGACY; - if ((error = table_do_create(oh, &xi)) != 0) + error = table_do_create(oh, &xi); + + if (error == 0) + return; + + if (errno != EEXIST || missing == 0) err(EX_OSERR, "Table creation failed"); + + /* Check that existing table is the same we are trying to create */ + if (table_get_info(oh, &xie) != 0) + err(EX_OSERR, "Existing table check failed"); + + if (xi.limit != xie.limit || xi.type != xie.type || + xi.tflags != xie.tflags || xi.vmask != xie.vmask || ( + xi.algoname[0] != '\0' && strcmp(xi.algoname, + xie.algoname) != 0) || xi.flags != xie.flags) + errx(EX_DATAERR, "The existing table is not compatible " + "with one you are creating."); + + /* Flush existing table if instructed to do so */ + if (orflush != 0 && table_flush(oh) != 0) + err(EX_OSERR, "Table flush on creation failed"); } /*
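Review bot: the second ipfw.8 hunk documents `missing` and `or-flush` without saying what happens when the existing table's options differ, and the `or-flush` text does not spell out that the table's entries are gone until the caller adds new ones. Suggest "Do not fail if the table already exists and has exactly the same options as the new one; otherwise the command fails." for `missing`, and for `or-flush` a sentence noting that any rule referencing the table sees it empty between the flush and the reload of its entries, which matters for a firewall reload script that relies on the table for allow or deny decisions.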
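Review bot: in the last tables.c hunk the `missing` path decides on `errno != EEXIST` after `table_do_create()` returned non-zero, while the value stored in `error` is only compared against 0; if `table_do_create()` can return a failure without leaving the matching code in errno, the EEXIST test is unreliable, so either test `error == EEXIST` or add a comment stating that errno is the contract. The compatibility check compares the whole `xi.flags != xie.flags` word; if the kernel can report flag bits in `xie.flags` that no create option sets, a compatible table would be rejected, so masking both sides with the bits the parser can set (here `IPFW_TGFLAGS_LOCKED`) before comparing is safer. There is also a small window between the EEXIST failure and `table_get_info()`/`table_flush()` in which another ipfw invocation could replace the table; acceptable for an admin tool, but worth a comment. The `errx` message should read "with the one you are creating".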
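Review bot: in the table_create() comment hunk the new `[missing] [or-flush]` uses different bracket spacing from the existing `[ algo algoname ]`; make it `[ missing ] [ or-flush ]` for consistency. The same hunk also deletes the blank line between `memset(&xi, 0, sizeof(xi));` and the `while` loop, an unrelated whitespace change.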