Date: Thu, 12 Jun 2014 10:21:07 GMT From: dpl@FreeBSD.org To: svn-soc-all@FreeBSD.org Subject: socsvn commit: r269437 - soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw Message-ID: <201406121021.s5CAL7NB053332@socsvn.freebsd.org>
Author: dpl Date: Thu Jun 12 10:21:07 2014 New Revision: 269437 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269437 Log: Finished isolating the rules. Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Thu Jun 12 09:59:11 2014 (r269436)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Thu Jun 12 10:21:07 2014 (r269437)
@@ -1388,76 +1388,7 @@
 case O_IP_SRC_LOOKUP:
 case O_2_LOOKUP:
- if (is_ipv4) {
- uint32_t key =
- (cmd->opcode == O_IP_DST_LOOKUP) ?
- dst_ip.s_addr : src_ip.s_addr;
- uint32_t v = 0;
-
- if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) {
- /* generic lookup. The key must be
- * in 32bit big-endian format.
- */
- v = ((ipfw_insn_u32 *)cmd)->d[1];
- if (v == 0)
- key = dst_ip.s_addr;
- else if (v == 1)
- key = src_ip.s_addr;
- else if (v == 6) /* dscp */
- key = (ip->ip_tos >> 2) & 0x3f;
- else if (offset != 0)
- break;
- else if (proto != IPPROTO_TCP &&
- proto != IPPROTO_UDP)
- break;
- else if (v == 2)
- key = htonl(dst_port);
- else if (v == 3)
- key = htonl(src_port);
-#ifndef USERSPACE
- else if (v == 4 || v == 5) {
- check_uidgid(
- (ipfw_insn_u32 *)cmd,
- args, &ucred_lookup,
-#ifdef __FreeBSD__
- &ucred_cache);
- if (v == 4 /* O_UID */)
- key = ucred_cache->cr_uid;
- else if (v == 5 /* O_JAIL */)
- key = ucred_cache->cr_prison->pr_id;
-#else /* !__FreeBSD__ */
- (void *)&ucred_cache);
- if (v ==4 /* O_UID */)
- key = ucred_cache.uid;
- else if (v == 5 /* O_JAIL */)
- key = ucred_cache.xid;
-#endif /* !__FreeBSD__ */
- key = htonl(key);
- } else
-#endif /* !USERSPACE */
- break;
- }
- match = ipfw_lookup_table(chain,
- cmd->arg1, key, &v);
- if (!match)
- break;
- if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
- match =
- ((ipfw_insn_u32 *)cmd)->d[0] == v;
- else
- tablearg = v;
- } else if (is_ipv6) {
- uint32_t v = 0;
- void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ?
- &args->f_id.dst_ip6: &args->f_id.src_ip6;
- match = ipfw_lookup_table_extended(chain,
- cmd->arg1, pkey, &v,
- IPFW_TABLE_CIDR);
- if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
- match = ((ipfw_insn_u32 *)cmd)->d[0] == v;
- if (match)
- tablearg = v;
- }
+ rule_2_lookup(&match, cmd, cmdlen, is_ipv4, is_ipv6, ip, dst_ip, src_ip, dst_port, src_port, offset, proto, ucred_lookup, ucred_cache, chain);
 break;
 case O_IP_SRC_MASK:
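Review bot: The new `rule_2_lookup(...)` call passes neither `tablearg` nor `args`, although the inline code it replaces assigned `tablearg = v` on a table hit and read `args->f_id` for the IPv6 key. The helper's signature in ip_rules.h (hunk -142) declares neither parameter while its body in hunk -178 still names `args`, so as written the lookup either fails to build or matches without publishing the table value that later tablearg-based actions would read. I would extend the signature with `struct ip_fw_args *args, uint32_t *tablearg` and pass `args, &tablearg` here. The call also hands over `dst_ip` and `src_ip` as values where the signature declares `struct in_addr *`; the removed code used `dst_ip.s_addr`, so one side needs to change. The enclosing switch starts and ends outside this hunk.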
@@ -1689,7 +1620,7 @@
 case O_PROBE_STATE:
 case O_CHECK_STATE:
- rule_check_state(&match);
+ rule_check_state(&match, &dyn_dir, q, args, proto, ulp, pktlen, f, f_pos, chain, cmd, cmdlen, &l);
 break;
 case O_ACCEPT:
@@ -1725,17 +1656,7 @@
 /* FALLTHROUGH */
 #ifdef INET6
 case O_UNREACH6:
- if (hlen > 0 && is_ipv6 &&
- ((offset & IP6F_OFF_MASK) == 0) &&
- (proto != IPPROTO_ICMPV6 ||
- (is_icmp6_query(icmp6_type) == 1)) &&
- !(m->m_flags & (M_BCAST|M_MCAST)) &&
- !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) {
- send_reject6(
- args, cmd->arg1, hlen,
- (struct ip6_hdr *)ip);
- m = args->m;
- }
+ rule_unreach6(hlen, is_ipv4, offset, proto, icmp6_type, m, args, cmd, ip);
 /* FALLTHROUGH */
 #endif
 case O_DENY:
Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Thu Jun 12 09:59:11 2014 (r269436)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Thu Jun 12 10:21:07 2014 (r269437)
@@ -42,7 +42,6 @@
 inline void
 rule_recv(int *match, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_chain *chain, uint32_t *tablearg)
 {
- //XXX What about embedding this function into code?
 *match = iface_match(m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, chain, tablearg);
 }
@@ -142,9 +141,8 @@
 }
-// XXX Finish this function.
 inline void
-rule_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, ucred_cache, struct ip_fw_chain *chain)
+rule_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, void *ucred_cache, struct ip_fw_chain *chain)
 {
 if (is_ipv4) {
 uint32_t key =
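Review bot: In the O_CHECK_STATE call, `q`, `f`, `cmd` and `cmdlen` are passed by value, so nothing the helper learns from the dynamic-rule lookup reaches the caller. The helper body in ip_rules.h (hunk -833) assigns `q = ipfw_lookup_dyn_rule(...)` to its own copy, and the signature in hunk -819 declares `int *cmdlen` while this call passes the same `cmdlen` that the rule_2_lookup call passes as a plain `int`. If the helper is meant to move the caller onto the matched rule (its full body is not in this diff, so this is presumed), the state check silently stops having that effect. Taking `ipfw_dyn_rule **q`, `struct ip_fw **f`, `ipfw_insn **cmd` and calling with `&q, &f, &cmd, &cmdlen` would keep it.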
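Review bot: The O_UNREACH6 call passes `is_ipv4` where the removed condition tested `is_ipv6`, which looks like an inverted guard. Depending on how rule_unreach6 uses that argument (its body is not in this diff), the ICMPv6 reject is either never sent for IPv6 packets or attempted on IPv4 ones. The removed block also refreshed the local with `m = args->m;` after send_reject6(); with `m` passed by value the caller keeps its old mbuf pointer on the fall-through into O_DENY. Suggested call: `rule_unreach6(hlen, is_ipv6, offset, proto, icmp6_type, &m, args, cmd, ip);` with the helper taking `struct mbuf **m`.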
@@ -178,13 +176,13 @@
 (ipfw_insn_u32 *)cmd,
 args, &ucred_lookup,
 #ifdef __FreeBSD__
- &ucred_cache);
+ (struct bsd_ucred *)ucred_cache);
 if (v == 4 /* O_UID */)
 key = ucred_cache->cr_uid;
 else if (v == 5 /* O_JAIL */)
 key = ucred_cache->cr_prison->pr_id;
 #else /* !__FreeBSD__ */
- (void *)&ucred_cache);
+ ucred_cache);
 if (v ==4 /* O_UID */)
 key = ucred_cache.uid;
 else if (v == 5 /* O_JAIL */)
@@ -819,10 +817,8 @@
 *match = 1;
 }
-/* XXX typeof dyn_dir? */
-/* XXX typeof q? */
 inline void
-rule_check_state(int *match, dyn_dir, q, struct ip_fw_args *args, uint8_t proto, void *ulp, int pktlen, struct ip_fw *f, int *f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, int *l)
+rule_check_state(int *match, int *dyn_dir, ipfw_dyn_rule *q, struct ip_fw_args *args, uint8_t proto, void *ulp, int pktlen, struct ip_fw *f, int *f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, int *l)
 {
 /*
 * dynamic rules are checked at the first
@@ -833,9 +829,9 @@
 * KEEP_STATE (because PROBE_STATE needs
 * to be run first).
 */
- if (dyn_dir == MATCH_UNKNOWN &&
+ if (*dyn_dir == MATCH_UNKNOWN &&
 (q = ipfw_lookup_dyn_rule(&args->f_id,
- &dyn_dir, proto == IPPROTO_TCP ?
+ dyn_dir, proto == IPPROTO_TCP ?
 TCP(ulp) : NULL)) != NULL) {
 /*
@@ -1080,9 +1076,8 @@
 *done = 1; /* exit outer loop */
 }
-/* XXX typeof q?? */
 inline void
-rule_forward_ip(struct ip_fw_args *args, q, int dyn_dir, ipfw_insn *cmd, struct sockaddr_in *sa, int *retval, int *l, int *done)
+rule_forward_ip(struct ip_fw_args *args, ipfw_dyn_rule *q, int dyn_dir, ipfw_insn *cmd, struct sockaddr_in *sa, int *retval, int *l, int *done)
 {
 if (args->eh) /* not valid on layer2 pkts */
 return;
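Review bot: Under `#ifdef __FreeBSD__` the cache argument is now cast to `struct bsd_ucred *`, but the unchanged lines right below still read `ucred_cache->cr_uid` and `ucred_cache->cr_prison->pr_id`, and the `#else` branch reads `ucred_cache.uid`. With the parameter declared `void *ucred_cache` (hunk -142) neither access is valid. The removed inline code in ip_fw2.c passed `&ucred_cache` in both branches, so check_uidgid() worked on the caller's cache; here the helper holds only a copy of the pointer, and `&ucred_lookup` is the address of a by-value `int`, so the lookup result is presumably not kept for later rules. Because these values become the key for uid and jail table matching, I would give the helper the caller's own per-platform cache type by pointer and `int *ucred_lookup` instead of `void *`. The function body starts and ends outside this hunk.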
@@ -1107,7 +1102,7 @@
 #ifdef INET6
 inline void
-rule_forward_ip6(struct ip_fw_args *args, q, struct ip_fw *f, ipfw_insn *cmd, int *retval, int *l, int *done)
+rule_forward_ip6(struct ip_fw_args *args, ipfw_dyn_rule *q, struct ip_fw *f, ipfw_insn *cmd, int *retval, int *l, int *done)
 {
 if (args->eh) /* not valid on layer2 pkts */
 return;
@@ -1137,9 +1132,8 @@
 *done = 1; /* exit outer loop */
 }
-/* XXX typeof rt_numfibs? */
 inline void
-rule_setfib(struct ip_fw *f, int pktlen, ipfw_insn *cmd, rt_numfibs, struct mbuf *m, struct ip_fw_args *args, int *l)
+rule_setfib(struct ip_fw *f, int pktlen, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_args *args, int *l)
 {
 uint32_t fib;
