From owner-p4-projects@FreeBSD.ORG Fri Jul 3 09:21:40 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id AE1B91065673; Fri, 3 Jul 2009 09:21:39 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 63794106564A for ; Fri, 3 Jul 2009 09:21:39 +0000 (UTC) (envelope-from tsel@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 50FCF8FC13 for ; Fri, 3 Jul 2009 09:21:39 +0000 (UTC) (envelope-from tsel@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n639Lc1Z054375 for ; Fri, 3 Jul 2009 09:21:38 GMT (envelope-from tsel@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n639LcYE054373 for perforce@freebsd.org; Fri, 3 Jul 2009 09:21:38 GMT (envelope-from tsel@FreeBSD.org) Date: Fri, 3 Jul 2009 09:21:38 GMT Message-Id: <200907030921.n639LcYE054373@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to tsel@FreeBSD.org using -f 
From: Tatsiana Elavaya To: Perforce Change Reviews Cc: Subject: PERFORCE change 165563 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jul 2009 09:21:40 -0000 http://perforce.freebsd.org/chv.cgi?CH=165563 Change 165563 by tsel@tsel_mz on 2009/07/03 09:20:46 Cleanup. Remove debugging Affected files ... .. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw.8#3 edit .. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#9 edit .. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/main.c#4 edit .. //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw.h#5 edit .. //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw2.c#6 edit Differences ... ==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw.8#3 (text+ko) ==== @@ -440,6 +440,7 @@ .Bd -ragged -offset indent .Bk -words .Op Ar rule_number +.Op Cm alias Ar rule_alias .Op Cm set Ar set_number .Op Cm prob Ar match_probability .Ar action @@ -521,6 +522,14 @@ If this is not possible (e.g.\& because we would go beyond the maximum allowed rule number), the number of the last non-default value is used instead. +.It Cm alias Ar rule_alias +Each rule can have optional alias name. +.Ar rule_alias +can be used where +.Ar rule_number +is expected (like +.Em delete , show , skipto , zero +commands.) .It Cm set Ar set_number Each rule is associated with a .Ar set_number 
@@ -2580,11 +2589,6 @@ Enables the firewall. Setting this variable to 0 lets you run your machine without firewall even if compiled in. -.It Va net.inet.ip.fw.optimization_enable : No 1 -Enables the rule processing optimization. -Optimization should also be enabled for a ruleset by -.Nm ipfw optimimize -command. .It Va net.inet6.ip6.fw.enable : No 1 provides the same functionality as above for the IPv6 case. .It Va net.inet.ip.fw.one_pass : No 1 ==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#9 (text+ko) ==== @@ -1199,7 +1199,8 @@ PRINT_UINT_ARG("setfib ", cmd->arg1); break; - case O_ALIAS: /* O_ALIAS is printed first */ + case O_ALIAS: + /* O_ALIAS is printed first */ break; case O_REASS: @@ -1620,11 +1621,13 @@ case O_OPTIMIZE: if (co.verbose) { + ipfw_insn_u16 *optimize_cmd = (ipfw_insn_u16 *) cmd; int i, cnt = (F_LEN(cmd) - 1) * 2; + printf(" [optimize"); for (i = 0; i < cnt; i++) - if (((ipfw_insn_u16*)cmd)->ports[i]) - printf(" %d", ((ipfw_insn_u16*)cmd)->ports[i]); + if (optimize_cmd->ports[i]) + printf(" %d", optimize_cmd->ports[i]); printf("]"); } break; @@ -1848,11 +1851,11 @@ #define NEXT(r) ((struct ip_fw *)((char *)r + RULESIZE(r))) char *lim; + void *data = NULL; int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width; int exitval = EX_OK; int lac; char **lav; - void *data; u_long rnum, last; char *endptr; int seen = 0; @@ -2138,7 +2141,7 @@ } if (F_LEN(a) == 1) return 1; - if (memcmp(a, b, (F_LEN(a) - 1)* 4) == 0) + if (memcmp(a, b, (F_LEN(a) - 1) * 4) == 0) return 1; return 0; } @@ -2176,7 +2179,6 @@ void insn_match_remove(struct insn_match *m) { - // printf("remove match: cmd = %d, rule = %d\n", m->cmd->opcode, m->match_rule->rule->rulenum); LIST_REMOVE(m, rule_entries); LIST_REMOVE(m, match_entries); free(m); 
@@ -2207,11 +2209,6 @@ max_r = rulenum; } a[i]->rank = ((a[i]->match_count & 0x7fff) << 16) - (max_r - min_r); - /* - printf("rank %d: match_count: %d, dist: %d\n", - LIST_FIRST(&a[i]->match_head)->cmd->opcode, - a[i]->match_count, max_r - min_r); - */ } return a[1]->rank - a[0]->rank; @@ -2246,9 +2243,6 @@ continue; } g->label = (group_count++) + 1; - printf("sorted: %d; opcode %d; match_count %d; rank %d\n", - g->label, LIST_FIRST(&g->match_head)->cmd->opcode, - g->match_count, g->rank); } return group_count; } @@ -2332,6 +2326,9 @@ insn_match_group_sort(&groups, insn_match_group_cmp); group_count = optimization_filter_groups(&groups); + + if (group_count == 0) + return; optimization_setup(0, 0); @@ -2361,23 +2358,13 @@ optimize_cmd->o.opcode = O_OPTIMIZE; optimize_cmd->o.arg1 = 0; - /* - printf("rule %d; before sort: ", rules[i]->rulenum); - LIST_FOREACH(m, &match_rules[i].rule_head, rule_entries) { - printf("optimize %d:%d; ", m->cmd->opcode, m->group->rank); - } - printf("\n"); - */ insn_match_rule_cmd_sort(&match_rules[i].rule_head, insn_match_rule_cmd_cmp); - //printf("rule %d; after sort: ", rules[i]->rulenum); LIST_FOREACH(m, &match_rules[i].rule_head, rule_entries) { - //printf("optimize %d:%d; ", m->cmd->opcode, m->group->rank); optimize_cmd->ports[optimize_cnt] = m->group->label; if (optimize_cnt % 2 == 0) optimize_cmd->ports[optimize_cnt + 1] = 0; optimize_cnt++; } - //printf("\n"); optimize_cmd->o.len = F_INSN_SIZE(ipfw_insn) + (optimize_cnt + 1) / 2; cmd += optimize_cmd->o.len; @@ -2407,9 +2394,6 @@ rcmd += F_LEN(rcmd); } - printf("before optimization: "); - show_ipfw(rules[i], 0, 0); - l = orule->rulenum & 0xffff; if (do_cmd(IP_FW_DEL, &l, sizeof(l))) errx(EX_DATAERR, "rule %u: setsockopt(IP_FW_DEL)", orule->rulenum); 
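Review bot: In the `@@ -2332` hunk of sbin/ipfw/ipfw2.c, the new `if (group_count == 0) return;` leaves the function before either `optimization_setup()` call, so any optimization state left in the kernel by an earlier run stays in effect when the current ruleset yields no groups. If `optimization_setup(0, 0)` is the disable request, as its arguments suggest, the safer form is `if (group_count == 0) { optimization_setup(0, 0); return; }`. The early return also bypasses whatever cleanup the function performs at its end. The function's start and end are outside the hunk, so confirm that nothing allocated before this point (for example `groups`) needs freeing.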
@@ -2417,12 +2401,12 @@ l = RULESIZE(orule); if (do_cmd(IP_FW_ADD, orule, (uintptr_t)&l)) errx(EX_DATAERR, "rule %u: setsockopt(IP_FW_ADD)", orule->rulenum); + if (co.verbose) show_ipfw(orule, 0, 0); } - if (group_count) - optimization_setup(1, group_count); + optimization_setup(1, group_count); } static int ==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/main.c#4 (text+ko) ==== @@ -50,6 +50,7 @@ "set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n" "table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n" "table all {flush | list}\n" +"optimize\n" "\n" "RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n" "ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n" ==== //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw.h#5 (text+ko) ==== @@ -180,7 +180,7 @@ O_FIB, /* arg1=FIB desired fib number */ O_ALIAS, - O_OPTIMIZE, /* u32 position in bitset */ + O_OPTIMIZE, /* list of labels */ O_LAST_OPCODE /* not an opcode! */ }; ==== //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw2.c#6 (text+ko) ==== @@ -367,7 +367,7 @@ return 0; for (i = 0; i < OPTIMIZATION_POOLS; i++) { - bufs[i] = malloc(OPTIMIZATION_BUF_MAX, M_IPFW, M_WAITOK | M_ZERO); + bufs[i] = malloc(sz, M_IPFW, M_WAITOK | M_ZERO); } IPFW_WLOCK(&V_layer3_chain); @@ -991,6 +991,7 @@ action = "Reass"; break; case O_ALIAS: + ((ipfw_insn_alias *)cmd)->alias[IPFW_ALIAS_NAME_SIZE - 1] = '\0'; snprintf(SNPARGS(action2, 0), "Alias %s", ((ipfw_insn_alias *)cmd)->alias); break; 
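Review bot: In the `@@ -2417` hunk of sbin/ipfw/ipfw2.c, each rewritten rule is installed with `do_cmd(IP_FW_ADD, ...)` only after the original was removed with `IP_FW_DEL` (visible at the end of the previous hunk), and a failed add ends in `errx()`. The running ruleset is then missing that rule: permanently if the add fails, and for a short window on every rule otherwise, during which packets it would have matched fall through to later rules. One option is to build the rewritten rules in a disabled set and exchange the sets once all adds have succeeded. At minimum a comment such as `/* NOTE: the rule is absent from the ruleset between IP_FW_DEL and IP_FW_ADD */` should record the gap. The enclosing loop starts outside the hunk.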
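Review bot: In the `@@ -367` hunk of sys/netinet/ip_fw2.c, `malloc(sz, M_IPFW, M_WAITOK | M_ZERO)` now sizes every pool buffer from `sz` instead of the fixed `OPTIMIZATION_BUF_MAX`, and no range check on `sz` is visible in the hunk. If `sz` derives from the group count that userland passes in the setup request, it should be rejected before the loop when it exceeds the old maximum, for example `if (sz > OPTIMIZATION_BUF_MAX) return (EINVAL);`. The label check in the `@@ -3320` hunk compares against `V_optimization_buf_sz`, so that variable has to change together with the buffers under the write lock taken just below. The function starts outside the hunk, so the check may already exist there.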
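Review bot: In the `@@ -991` hunk of sys/netinet/ip_fw2.c, the added `alias[IPFW_ALIAS_NAME_SIZE - 1] = '\0'` stores into the rule's instruction from the logging path, and the store is only in bounds if the instruction's length really covers the whole `ipfw_insn_alias`. Validating the `O_ALIAS` length and NUL termination once, when the rule is accepted from userland, would keep the log path read-only. The read itself can be bounded without a store: `snprintf(SNPARGS(action2, 0), "Alias %.*s", (int)IPFW_ALIAS_NAME_SIZE, ((ipfw_insn_alias *)cmd)->alias);`. Whether the rule-validation code already checks `O_ALIAS` is not visible in this diff.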
@@ -2743,19 +2744,19 @@ optimiz_ind++; if (GET_OPTIMIZ_LABEL(label)) { optimiz_match = label; +#ifdef IPFW_OPTIMIZE_DEBUG printf("ipfw: rule %d: optimized %d %d\n", f->rulenum, cmd->opcode, optimiz_match); -#ifndef IPFW_OPTIMIZE_DEBUG + optimiz_match_neg = 0; +#else continue; -#else - optimiz_match_neg = 0; #endif - } if (GET_NEG_OPTIMIZ_LABEL(label)) { + } else if (GET_NEG_OPTIMIZ_LABEL(label)) { optimiz_match = label; +#ifdef IPFW_OPTIMIZE_DEBUG printf("ipfw: rule %d: negative optimized %d %d\n", f->rulenum, cmd->opcode, optimiz_match); -#ifndef IPFW_OPTIMIZE_DEBUG + optimiz_match_neg = 1; +#else goto next_rule; -#else - optimiz_match_neg = 1; #endif } else { @@ -3320,13 +3321,17 @@ for (int i = 0; i < (F_LEN(cmd) - 1) * 2; i++) if (optimiz_cmd->ports[i] > V_optimization_buf_sz * 8 / 2) { +#ifdef IPFW_OPTIMIZE_DEBUG printf("ipfw: invalid O_OPTIMIZE instruction. ignoring"); +#endif optimiz_cmd = NULL; continue; } if (optimiz_match) { +#ifdef IPFW_OPTIMIZE_DEBUG printf("ipfw: unexpected O_OPTIMIZE instruction. ignoring"); +#endif continue; } continue; @@ -3648,7 +3653,9 @@ SET_OPTIMIZ_LABEL(optimiz_match); else SET_NEG_OPTIMIZ_LABEL(optimiz_match); +#ifdef IPFW_OPTIMIZE_DEBUG printf("ipfw: rule %d: set %soptimize match %d %d\n", f->rulenum, match ? "" : "negative ", cmd->opcode, optimiz_match); +#endif } optimiz_match = 0; }
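Review bot: In the `@@ -2743` hunk of sys/netinet/ip_fw2.c, defining `IPFW_OPTIMIZE_DEBUG` changes control flow and not only logging: the debug build sets `optimiz_match_neg` and falls through, while the normal build takes `continue` or `goto next_rule`. A kernel built for debugging therefore evaluates rules along a different path from the one deployed, and prints once per labelled instruction per packet. Consider making the `printf` the only conditional statement, or state the intent in a comment such as `/* debug build: re-evaluate the instruction to cross-check the cached result */` if that is what the fall-through is for. Separately, `optimiz_ind++` has no visible bound against the label count of the `O_OPTIMIZE` instruction; the surrounding loop is outside the hunk, so confirm it there.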
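Review bot: In the `@@ -3320` hunk of sys/netinet/ip_fw2.c, the `continue` inside the brace-less `for` body continues that `for` loop, not the enclosing instruction loop, so after `optimiz_cmd = NULL;` the next iteration evaluates `optimiz_cmd->ports[i]` through a null pointer. An `O_OPTIMIZE` instruction with an out-of-range label in any slot but the last would fault the kernel here; the inner statement should be `break;`. The bound also uses `>`, so a label equal to `V_optimization_buf_sz * 8 / 2` passes; whether that is one past the last valid label depends on the `SET_OPTIMIZ_LABEL` macros, which are not shown. With the message now compiled out by default, a rejected instruction leaves no trace, so a rate-limited log or a counter would help operators notice it. The enclosing `case` starts outside the hunk.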