From owner-freebsd-bugs@freebsd.org Mon May 15 21:25:30 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 219316] Wildcard matching of ipfw flow tables
Date: Mon, 15 May 2017 21:25:31 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: lutz@donnerhacke.de
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 May 2017 21:25:31 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

--- Comment #3 from lutz@donnerhacke.de ---
In order to process the new ipfw configuration-opcode, the kernel backend needs
to be changed, too.

This backend patch does not define any functionality besides parsing the
options and checking if an optional algorithm specific function is available.
Otherwise the call returns ENOTSUP.

Index: sys/netinet/ip_fw.h
===================================================================
--- sys/netinet/ip_fw.h	(revision 314807)
+++ sys/netinet/ip_fw.h	(working copy)
@@ -110,6 +110,7 @@
 #define	IP_FW_DUMP_SOPTCODES	116	/* Dump available sopts/versions */
 #define	IP_FW_DUMP_SRVOBJECTS	117	/* Dump existing named objects */
+#define	IP_FW_TABLE_XSETMASK	118	/* set a generic input mask */
 
 /*
  * The kernel representation of ipfw rules is made of a list of
  * 'instructions' (for all practical purposes equivalent to BPF
Index: sys/netpfil/ipfw/ip_fw_table.c
===================================================================
--- sys/netpfil/ipfw/ip_fw_table.c	(revision 314807)
+++ sys/netpfil/ipfw/ip_fw_table.c	(working copy)
@@ -1143,6 +1143,78 @@
 }
 
 /*
+ * Set a generic input mask for a table
+ * Data layout (v0)(current):
+ * Request: [ ipfw_obj_header ipfw_obj_tentry ]
+ * Reply: [ ipfw_obj_header ipfw_obj_tentry ]
+ *
+ * Returns 0 on success
+ */
+static int
+set_table_mask(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
+    struct sockopt_data *sd)
+{
+	ipfw_obj_tentry *tent;
+	ipfw_obj_header *oh;
+	struct tid_info ti;
+	struct table_config *tc;
+	struct table_algo *ta;
+	struct table_info *kti;
+	struct namedobj_instance *ni;
+	int error;
+	size_t sz;
+
+	/* Check minimum header size */
+	sz = sizeof(*oh) + sizeof(*tent);
+	if (sd->valsize != sz)
+		return (EINVAL);
+
+	oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
+	tent = (ipfw_obj_tentry *)(oh + 1);
+
+	/* Basic length checks for TLVs */
+	if (oh->ntlv.head.length != sizeof(oh->ntlv))
+		return (EINVAL);
+
+	objheader_to_ti(oh, &ti);
+	ti.type = oh->ntlv.type;
+	ti.uidx = tent->idx;
+
+	IPFW_UH_WLOCK(ch);
+	ni = CHAIN_TO_NI(ch);
+
+	/*
+	 * Find existing table and check its type .
+	 */
+	ta = NULL;
+	if ((tc = find_table(ni, &ti)) == NULL) {
+		IPFW_UH_WUNLOCK(ch);
+		return (ESRCH);
+	}
+
+	/* check table type */
+	if (tc->no.subtype != ti.type) {
+		IPFW_UH_WUNLOCK(ch);
+		return (EINVAL);
+	}
+
+	kti = KIDX_TO_TI(ch, tc->no.kidx);
+	ta = tc->ta;
+
+	if (ta->set_mask == NULL) {
+		IPFW_UH_WUNLOCK(ch);
+		return (ENOTSUP);
+	}
+
+	IPFW_WLOCK(ch);
+	error = ta->set_mask(tc->astate, kti, tent);
+	IPFW_WUNLOCK(ch);
+	IPFW_UH_WUNLOCK(ch);
+
+	return (error);
+}
+
+/*
  * Flushes all entries or destroys given table.
  * Data layout (v0)(current):
  * Request: [ ipfw_obj_header ]
@@ -3258,6 +3330,7 @@
 	{ IP_FW_TABLE_XSWAP,	0,	HDIR_SET,	swap_table },
 	{ IP_FW_TABLES_ALIST,	0,	HDIR_GET,	list_table_algo },
 	{ IP_FW_TABLE_XGETSIZE,	0,	HDIR_GET,	get_table_size },
+	{ IP_FW_TABLE_XSETMASK,	0,	HDIR_SET,	set_table_mask },
 };
 
 static int
Index: sys/netpfil/ipfw/ip_fw_table.h
===================================================================
--- sys/netpfil/ipfw/ip_fw_table.h	(revision 314807)
+++ sys/netpfil/ipfw/ip_fw_table.h	(working copy)
@@ -108,6 +108,8 @@
     ipfw_obj_tentry *tent);
 typedef int ta_find_tentry(void *ta_state, struct table_info *ti,
     ipfw_obj_tentry *tent);
+typedef int ta_set_mask(void *ta_state, struct table_info *ti,
+    ipfw_obj_tentry *tent);
 typedef void ta_dump_tinfo(void *ta_state, struct table_info *ti,
     ipfw_ta_tinfo *tinfo);
 typedef uint32_t ta_get_count(void *ta_state, struct table_info *ti);
@@ -139,6 +141,7 @@
 	ta_print_config	*print_config;
 	ta_dump_tinfo	*dump_tinfo;
 	ta_get_count	*get_count;
+	ta_set_mask	*set_mask;
 };
 #define	TA_FLAG_DEFAULT		0x01	/* Algo is default for given type */
 #define	TA_FLAG_READONLY	0x02	/* Algo does not support modifications*/

-- 
You are receiving this mail because:
You are the assignee for the bug.
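Review bot: in the ip_fw.h hunk (@@ -110,6 +110,7 @@), the comment on IP_FW_TABLE_XSETMASK says only "set a generic input mask" and does not say which table types or algorithms honour it or that unsupporting algorithms answer ENOTSUP; the neighbouring opcode comments also start with a capital. Suggest something like `/* Set a generic input mask (ENOTSUP if algo lacks it) */` so the user-visible contract is readable from the header.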
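Review bot: in the set_table_mask hunk of ip_fw_table.c (@@ -1143,6 +1143,78 @@), the userland-supplied ipfw_obj_tentry is passed straight to ta->set_mask with no validation beyond the total buffer size: tent->head.length is never compared with sizeof(*tent), and tent->subtype is not checked against the table's key type, so every set_mask implementation has to repeat those checks itself. Suggest adding next to the existing ntlv check: `if (tent->head.length != sizeof(*tent)) return (EINVAL);` and a subtype comparison once the expected value-type rule is decided. Two smaller points in the same hunk: the block comment documents a "Reply: [ ipfw_obj_header ipfw_obj_tentry ]", but the function writes nothing into sd and is registered HDIR_SET in the handler table, so either drop the Reply line or state that the request buffer is returned unmodified; and `ta = NULL;` before find_table() is dead (ta is only assigned again from tc->ta and not read in between), while "check its type ." has a stray space before the period.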
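Review bot: the two ip_fw_table.h hunks (@@ -108,6 +108,8 @@ and @@ -139,6 +141,7 @@) add the ta_set_mask typedef and the set_mask member without documenting the callback's contract: which fields of the ipfw_obj_tentry carry the mask, that the caller invokes it with both IPFW_UH_WLOCK and IPFW_WLOCK held (as the ip_fw_table.c hunk does), and that a NULL pointer means "not supported" and is turned into ENOTSUP. Appending the member at the end of struct table_algo keeps existing algorithm definitions compiling with set_mask implicitly NULL, which is the behaviour the comment in the bug relies on; a one-line comment on the field (`/* optional; NULL -> ENOTSUP */`) would make that explicit for future algorithm authors.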