PERFORCE change 165563 for review
Tatsiana Elavaya
tsel at FreeBSD.org
Fri Jul 3 09:21:40 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=165563
Change 165563 by tsel at tsel_mz on 2009/07/03 09:20:46
Cleanup. Remove debugging
Affected files ...
.. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw.8#3 edit
.. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#9 edit
.. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/main.c#4 edit
.. //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw.h#5 edit
.. //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw2.c#6 edit
Differences ...
==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw.8#3 (text+ko) ====
@@ -440,6 +440,7 @@
.Bd -ragged -offset indent
.Bk -words
.Op Ar rule_number
+.Op Cm alias Ar rule_alias
.Op Cm set Ar set_number
.Op Cm prob Ar match_probability
.Ar action
@@ -521,6 +522,14 @@
If this is not possible (e.g.\& because we would go beyond the
maximum allowed rule number), the number of the last
non-default value is used instead.
+.It Cm alias Ar rule_alias
+Each rule can have optional alias name.
+.Ar rule_alias
+can be used where
+.Ar rule_number
+is expected (like
+.Em delete , show , skipto , zero
+commands.)
.It Cm set Ar set_number
Each rule is associated with a
.Ar set_number
@@ -2580,11 +2589,6 @@
Enables the firewall.
Setting this variable to 0 lets you run your machine without
firewall even if compiled in.
-.It Va net.inet.ip.fw.optimization_enable : No 1
-Enables the rule processing optimization.
-Optimization should also be enabled for a ruleset by
-.Nm ipfw optimimize
-command.
.It Va net.inet6.ip6.fw.enable : No 1
provides the same functionality as above for the IPv6 case.
.It Va net.inet.ip.fw.one_pass : No 1
==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#9 (text+ko) ====
@@ -1199,7 +1199,8 @@
PRINT_UINT_ARG("setfib ", cmd->arg1);
break;
- case O_ALIAS: /* O_ALIAS is printed first */
+ case O_ALIAS:
+ /* O_ALIAS is printed first */
break;
case O_REASS:
@@ -1620,11 +1621,13 @@
case O_OPTIMIZE:
if (co.verbose) {
+ ipfw_insn_u16 *optimize_cmd = (ipfw_insn_u16 *) cmd;
int i, cnt = (F_LEN(cmd) - 1) * 2;
+
printf(" [optimize");
for (i = 0; i < cnt; i++)
- if (((ipfw_insn_u16*)cmd)->ports[i])
- printf(" %d", ((ipfw_insn_u16*)cmd)->ports[i]);
+ if (optimize_cmd->ports[i])
+ printf(" %d", optimize_cmd->ports[i]);
printf("]");
}
break;
@@ -1848,11 +1851,11 @@
#define NEXT(r) ((struct ip_fw *)((char *)r + RULESIZE(r)))
char *lim;
+ void *data = NULL;
int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width;
int exitval = EX_OK;
int lac;
char **lav;
- void *data;
u_long rnum, last;
char *endptr;
int seen = 0;
@@ -2138,7 +2141,7 @@
}
if (F_LEN(a) == 1)
return 1;
- if (memcmp(a, b, (F_LEN(a) - 1)* 4) == 0)
+ if (memcmp(a, b, (F_LEN(a) - 1) * 4) == 0)
return 1;
return 0;
}
@@ -2176,7 +2179,6 @@
void
insn_match_remove(struct insn_match *m)
{
- // printf("remove match: cmd = %d, rule = %d\n", m->cmd->opcode, m->match_rule->rule->rulenum);
LIST_REMOVE(m, rule_entries);
LIST_REMOVE(m, match_entries);
free(m);
@@ -2207,11 +2209,6 @@
max_r = rulenum;
}
a[i]->rank = ((a[i]->match_count & 0x7fff) << 16) - (max_r - min_r);
- /*
- printf("rank %d: match_count: %d, dist: %d\n",
- LIST_FIRST(&a[i]->match_head)->cmd->opcode,
- a[i]->match_count, max_r - min_r);
- */
}
return a[1]->rank - a[0]->rank;
@@ -2246,9 +2243,6 @@
continue;
}
g->label = (group_count++) + 1;
- printf("sorted: %d; opcode %d; match_count %d; rank %d\n",
- g->label, LIST_FIRST(&g->match_head)->cmd->opcode,
- g->match_count, g->rank);
}
return group_count;
}
@@ -2332,6 +2326,9 @@
insn_match_group_sort(&groups, insn_match_group_cmp);
group_count = optimization_filter_groups(&groups);
+
+ if (group_count == 0)
+ return;
optimization_setup(0, 0);
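Review bot: The added `if (group_count == 0) return;` exits before `optimization_setup(0, 0)` runs, so a run that finds no groups now leaves whatever optimization state the kernel already holds. Before this change the same case reached `optimization_setup(0, 0)` and was never re-enabled, because of the `if (group_count)` guard that the last ipfw2.c hunk removes. If rules can still carry O_OPTIMIZE labels from an earlier run (not visible here), they would keep being matched against a ruleset that has since changed; `if (group_count == 0) { optimization_setup(0, 0); return; }` keeps the old fail-closed behaviour. The function starts and ends outside the hunk, so also confirm the early return does not skip freeing the group and match lists.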
@@ -2361,23 +2358,13 @@
optimize_cmd->o.opcode = O_OPTIMIZE;
optimize_cmd->o.arg1 = 0;
- /*
- printf("rule %d; before sort: ", rules[i]->rulenum);
- LIST_FOREACH(m, &match_rules[i].rule_head, rule_entries) {
- printf("optimize %d:%d; ", m->cmd->opcode, m->group->rank);
- }
- printf("\n");
- */
insn_match_rule_cmd_sort(&match_rules[i].rule_head, insn_match_rule_cmd_cmp);
- //printf("rule %d; after sort: ", rules[i]->rulenum);
LIST_FOREACH(m, &match_rules[i].rule_head, rule_entries) {
- //printf("optimize %d:%d; ", m->cmd->opcode, m->group->rank);
optimize_cmd->ports[optimize_cnt] = m->group->label;
if (optimize_cnt % 2 == 0)
optimize_cmd->ports[optimize_cnt + 1] = 0;
optimize_cnt++;
}
- //printf("\n");
optimize_cmd->o.len = F_INSN_SIZE(ipfw_insn) + (optimize_cnt + 1) / 2;
cmd += optimize_cmd->o.len;
@@ -2407,9 +2394,6 @@
rcmd += F_LEN(rcmd);
}
- printf("before optimization: ");
- show_ipfw(rules[i], 0, 0);
-
l = orule->rulenum & 0xffff;
if (do_cmd(IP_FW_DEL, &l, sizeof(l)))
errx(EX_DATAERR, "rule %u: setsockopt(IP_FW_DEL)", orule->rulenum);
@@ -2417,12 +2401,12 @@
l = RULESIZE(orule);
if (do_cmd(IP_FW_ADD, orule, (uintptr_t)&l))
errx(EX_DATAERR, "rule %u: setsockopt(IP_FW_ADD)", orule->rulenum);
+
if (co.verbose)
show_ipfw(orule, 0, 0);
}
- if (group_count)
- optimization_setup(1, group_count);
+ optimization_setup(1, group_count);
}
static int
==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/main.c#4 (text+ko) ====
@@ -50,6 +50,7 @@
"set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n"
"table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n"
"table all {flush | list}\n"
+"optimize\n"
"\n"
"RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
"ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
==== //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw.h#5 (text+ko) ====
@@ -180,7 +180,7 @@
O_FIB, /* arg1=FIB desired fib number */
O_ALIAS,
- O_OPTIMIZE, /* u32 position in bitset */
+ O_OPTIMIZE, /* list of labels */
O_LAST_OPCODE /* not an opcode! */
};
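Review bot: The new comment `/* list of labels */` does not say how the labels are stored, while the neighbouring entries name the field they use (`arg1=...`). Going by the ipfw2.c side of this change, the instruction is an `ipfw_insn_u16` whose `ports[]` carry 16-bit group labels with 0 marking an unused slot, so `/* u16 ports[]: group labels, 0 = unused slot */` would record the layout the kernel has to validate. `O_ALIAS` on the line above has no comment at all.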
==== //depot/projects/soc2009/tsel_ipfw/sys/netinet/ip_fw2.c#6 (text+ko) ====
@@ -367,7 +367,7 @@
return 0;
for (i = 0; i < OPTIMIZATION_POOLS; i++) {
- bufs[i] = malloc(OPTIMIZATION_BUF_MAX, M_IPFW, M_WAITOK | M_ZERO);
+ bufs[i] = malloc(sz, M_IPFW, M_WAITOK | M_ZERO);
}
IPFW_WLOCK(&V_layer3_chain);
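Review bot: `malloc(sz, M_IPFW, M_WAITOK | M_ZERO)` now takes its size from `sz`, and nothing visible in this hunk bounds that value. If `sz` is derived from the userland optimization request, reject it before the loop when it is zero or larger than `OPTIMIZATION_BUF_MAX`, e.g. `if (sz == 0 || sz > OPTIMIZATION_BUF_MAX) return (EINVAL);`, because an M_WAITOK allocation of an arbitrary size sleeps instead of failing. The label range check later in this file reads `V_optimization_buf_sz`, so that variable has to be updated to the same `sz` under `IPFW_WLOCK` together with the buffer swap. The function begins and ends outside the hunk, so a check may already exist above.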
@@ -991,6 +991,7 @@
action = "Reass";
break;
case O_ALIAS:
+ ((ipfw_insn_alias *)cmd)->alias[IPFW_ALIAS_NAME_SIZE - 1] = '\0';
snprintf(SNPARGS(action2, 0), "Alias %s",
((ipfw_insn_alias *)cmd)->alias);
break;
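Review bot: The added store `((ipfw_insn_alias *)cmd)->alias[IPFW_ALIAS_NAME_SIZE - 1] = '\0';` writes into the installed rule from the logging path, which probably runs for every logged packet and may hold the chain only read-locked. Terminate the name once, where the rule is accepted from userland, and check there that `F_LEN(cmd)` covers a full `ipfw_insn_alias` so the store cannot land past the instruction. The log path can then stay read-only by bounding the format instead: `snprintf(SNPARGS(action2, 0), "Alias %.*s", IPFW_ALIAS_NAME_SIZE - 1, ((ipfw_insn_alias *)cmd)->alias);`. The enclosing switch starts and ends outside the hunk.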
@@ -2743,19 +2744,19 @@
optimiz_ind++;
if (GET_OPTIMIZ_LABEL(label)) {
optimiz_match = label;
+#ifdef IPFW_OPTIMIZE_DEBUG
printf("ipfw: rule %d: optimized %d %d\n", f->rulenum, cmd->opcode, optimiz_match);
-#ifndef IPFW_OPTIMIZE_DEBUG
+ optimiz_match_neg = 0;
+#else
continue;
-#else
- optimiz_match_neg = 0;
#endif
- } if (GET_NEG_OPTIMIZ_LABEL(label)) {
+ } else if (GET_NEG_OPTIMIZ_LABEL(label)) {
optimiz_match = label;
+#ifdef IPFW_OPTIMIZE_DEBUG
printf("ipfw: rule %d: negative optimized %d %d\n", f->rulenum, cmd->opcode, optimiz_match);
-#ifndef IPFW_OPTIMIZE_DEBUG
+ optimiz_match_neg = 1;
+#else
goto next_rule;
-#else
- optimiz_match_neg = 1;
#endif
} else {
@@ -3320,13 +3321,17 @@
for (int i = 0; i < (F_LEN(cmd) - 1) * 2; i++)
if (optimiz_cmd->ports[i] > V_optimization_buf_sz * 8 / 2) {
+#ifdef IPFW_OPTIMIZE_DEBUG
printf("ipfw: invalid O_OPTIMIZE instruction. ignoring");
+#endif
optimiz_cmd = NULL;
continue;
}
if (optimiz_match) {
+#ifdef IPFW_OPTIMIZE_DEBUG
printf("ipfw: unexpected O_OPTIMIZE instruction. ignoring");
+#endif
continue;
}
continue;
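Review bot: In the range check, `optimiz_cmd = NULL; continue;` sits inside the brace-less `for (int i ...)` loop, so `continue` advances `i` instead of leaving the instruction, and the next iteration reads `optimiz_cmd->ports[i]` through a NULL pointer. An O_OPTIMIZE instruction with an out-of-range label anywhere but the last slot would therefore fault the kernel; the statement should be `break;`, with the loop body braced so the scope is visible. With the printf now compiled out by default the rejection is also silent, and both messages lack a trailing `\n`. If this is the per-packet path, the range check belongs where the rule is validated on insertion so a bad instruction is refused rather than ignored; the surrounding function is outside the hunk.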
@@ -3648,7 +3653,9 @@
SET_OPTIMIZ_LABEL(optimiz_match);
else
SET_NEG_OPTIMIZ_LABEL(optimiz_match);
+#ifdef IPFW_OPTIMIZE_DEBUG
printf("ipfw: rule %d: set %soptimize match %d %d\n", f->rulenum, match ? "" : "negative ", cmd->opcode, optimiz_match);
+#endif
}
optimiz_match = 0;
}