Date: Wed, 1 Oct 2008 00:00:33 GMT From: Julian Elischer <julian@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 150734 for review Message-ID: <200810010000.m9100Xxh007419@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=150734
Change 150734 by julian@julian_trafmon1 on 2008/09/30 23:59:56
slight mismerges and ommisions
Affected files ...
.. //depot/projects/vimage/src/sys/netinet/ip_fw.h#18 edit
.. //depot/projects/vimage/src/sys/netinet/ip_fw2.c#47 edit
Differences ...
==== //depot/projects/vimage/src/sys/netinet/ip_fw.h#18 (text+ko) ====
@@ -564,6 +564,34 @@
 */
 #ifdef _KERNEL
+/*
+ * Data structure to cache our ucred related
+ * information. This structure only gets used if
+ * the user specified UID/GID based constraints in
+ * a firewall rule.
+ */
+struct ip_fw_ugid {
+ gid_t fw_groups[NGROUPS];
+ int fw_ngroups;
+ uid_t fw_uid;
+ int fw_prid;
+};
+
+#define IPFW_TABLES_MAX 128
+struct ip_fw_chain {
+ struct ip_fw *rules; /* list of rules */
+ struct ip_fw *reap; /* list of rules to reap */
+ LIST_HEAD(, cfg_nat) nat; /* list of nat entries */
+ struct radix_node_head *tables[IPFW_TABLES_MAX];
+ struct rwlock rwmtx;
+};
+
+struct table_entry {
+ struct radix_node rn[2];
+ struct sockaddr_in addr, mask;
+ u_int32_t value;
+};
+
 /* Return values from ipfw_chk() */
 enum {
 IP_FW_PASS = 0,
@@ -648,14 +676,6 @@
 extern ip_fw_chk_t *ip_fw_chk_ptr;
 #define IPFW_LOADED (ip_fw_chk_ptr != NULL)
-struct ip_fw_chain {
- struct ip_fw *rules; /* list of rules */
- struct ip_fw *reap; /* list of rules to reap */
- LIST_HEAD(, cfg_nat) nat; /* list of nat entries */
- struct radix_node_head *tables[IPFW_TABLES_MAX];
- struct rwlock rwmtx;
-};
-
 #ifdef IPFW_INTERNAL
 #define IPFW_LOCK_INIT(_chain) \
@@ -714,6 +734,7 @@
 u_int64_t _norule_counter;
 struct callout _ipfw_timeout;
 eventhandler_tag _ifaddr_event_tag;
+ struct ip_fw_ugid _fw_ugid_cache;
 };
 #endif
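Review bot: `#define IPFW_TABLES_MAX 128` is added in the -564 hunk while the paired removal hunk at -648 deletes only `struct ip_fw_chain`, so the header's earlier definition of IPFW_TABLES_MAX is presumably still in place and this is a second, identical definition; the preprocessor accepts that silently, but it is the kind of mismerge this change is meant to remove. Keep one definition, and if userland ipfw(8) reads the constant through this header, keep it outside `#ifdef _KERNEL` rather than here. `struct ip_fw_ugid` also deserves a line stating the bound its filler must respect, since nothing else ties the two fields together: `/* fw_ngroups <= NGROUPS; only fw_groups[0..fw_ngroups) are valid */`.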
@@ -753,7 +774,9 @@
 #define V_dyn_max VNET_IPFW(dyn_max)
 #define V_norule_counter VNET_IPFW(norule_counter)
 #define V_ipfw_timeout VNET_IPFW(ipfw_timeout)
+#define V_ipfw_timeout VNET_IPFW(ipfw_timeout)
 #define V_ifaddr_event_tag VNET_IPFW(ifaddr_event_tag)
+#define V_fw_ugid_cache VNET_IPFW(fw_ugid_cache)
 #endif /* _KERNEL */
 #endif /* _IPFW2_H */
==== //depot/projects/vimage/src/sys/netinet/ip_fw2.c#47 (text+ko) ====
@@ -74,7 +74,6 @@
 #define IPFW_INTERNAL /* Access to protected data structures in ip_fw.h. */
-#include <netinet/vinet.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
@@ -94,6 +93,7 @@
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
 #include <netinet/sctp.h>
+#include <netinet/vinet.h>
 #include <netgraph/ng_ipfw.h>
 #include <altq/if_altq.h>
@@ -2162,7 +2162,7 @@
 * these types of constraints, as well as decrease contention
 * on pcb related locks.
 */
-#if 0
+#ifndef VIMAGE
 struct ip_fw_ugid fw_ugid_cache; /* XXX Marko revisit this */
 #endif
 int ugid_lookup = 0;
@@ -2623,7 +2623,8 @@
 (ipfw_insn_u32 *)cmd,
 proto, oif,
 dst_ip, dst_port,
- src_ip, src_port, &fw_ugid_cache,
+ src_ip, src_port,
+ &V_fw_ugid_cache,
 &ugid_lookup, args->inp);
 break;
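Review bot: The added `+#define V_ipfw_timeout VNET_IPFW(ipfw_timeout)` repeats the context line immediately above it, so the macro is now defined twice in the -753 hunk; an identical redefinition draws no diagnostic from the preprocessor, which is why the build does not notice, but it is exactly the sort of mismerge the change description sets out to clean up. Drop the duplicated line and keep only `+#define V_fw_ugid_cache VNET_IPFW(fw_ugid_cache)`.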
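Review bot: Passing `&V_fw_ugid_cache` in the -2623 hunk turns the uid/gid credential cache into a per-vnet global shared by every ipfw_chk() running in that vnet, while `ugid_lookup`, the flag saying the cache holds this packet's credentials, stays a stack local in the same call; the -2162 hunk keeps the per-call `fw_ugid_cache` only for `#ifndef VIMAGE`. Unless something outside these hunks serializes ipfw_chk() per vnet, which a reader-side hold of the chain's rwlock would not, two packets classified in parallel can each read the other's uid, gid or jail id, and a uid/gid/jail rule then matches or misses on another socket's credentials. The cache is per-packet state and belongs on the stack in both builds: make the declaration in the -2162 hunk unconditional, pass `&fw_ugid_cache` here, and drop `_fw_ugid_cache` from the vnet structure. ipfw_chk() begins and ends outside the hunk.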