socsvn commit: r269358 - soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw
dpl at FreeBSD.org
dpl at FreeBSD.org
Tue Jun 10 14:34:23 UTC 2014
Author: dpl
Date: Tue Jun 10 14:34:22 2014
New Revision: 269358
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269358
Log:
Changed the file type to have everything in the same compilation unit. Also, isolated some extra rules.
Modified:
soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Tue Jun 10 13:57:15 2014 (r269357)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Tue Jun 10 14:34:22 2014 (r269358)
@@ -1570,45 +1570,16 @@
rule_estab(&match, proto, offset, ulp);
break;
- case O_ALTQ: {
- struct pf_mtag *at;
- struct m_tag *mtag;
- ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
-
- /*
- * ALTQ uses mbuf tags from another
- * packet filtering system - pf(4).
- * We allocate a tag in its format
- * and fill it in, pretending to be pf(4).
- */
- match = 1;
- at = pf_find_mtag(m);
- if (at != NULL && at->qid != 0)
- break;
- mtag = m_tag_get(PACKET_TAG_PF,
- sizeof(struct pf_mtag), M_NOWAIT | M_ZERO);
- if (mtag == NULL) {
- /*
- * Let the packet fall back to the
- * default ALTQ.
- */
- break;
- }
- m_tag_prepend(m, mtag);
- at = (struct pf_mtag *)(mtag + 1);
- at->qid = altq->qid;
- at->hdr = ip;
+ case O_ALTQ:
+ rule_altq(&match, cmd, m);
break;
- }
case O_LOG:
- ipfw_log(f, hlen, args, m,
- oif, offset | ip6f_mf, tablearg, ip);
- match = 1;
+ rule_log(&match, f, hlen, args, m, oif, offset, ip6f_mf, tablearg, ip)
break;
case O_PROB:
- match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
+ rule_prob(&match, cmd);
break;
case O_VERREVPATH:
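Review bot: The new `rule_log(...)` call in the O_LOG case has no terminating semicolon, so the `break;` after it will not parse; it should read `rule_log(&match, f, hlen, args, m, oif, offset, ip6f_mf, tablearg, ip);`. The O_ALTQ case now passes only `&match, cmd, m` to rule_altq, but the removed inline code set `at->hdr = ip`, and the helper added in ip_rules.h still references `ip` without receiving it. Add `ip` to both the call and the helper's signature so the pf tag keeps its header pointer. The enclosing switch starts and ends outside this hunk.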
Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Tue Jun 10 13:57:15 2014 (r269357)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Tue Jun 10 14:34:22 2014 (r269358)
@@ -1,96 +1,736 @@
/*
- * The header containing the functions corresponding to each rule.
- * XXX - Still have to add the type to the args.
+ * Actions executed per-rule.
+ * We'll have to include some of the included files at ip_fw2.c
*/
-inline void rule_nop(int *match);
-inline void rule_forward_mac(int opcode);
-inline void rule_jail(u_short offset, uint8_t proto, ipfw_insn ipfw_insn *cmd,
- struct ip_fw_args *args, int ucred_lookup, void *ucred_cache)
+inline void
+rule_nop(int *match)
+{
+ *match = 1;
+}
+
+inline void
+rule_forward_mac(int opcode)
+{
+ printf("ipfw: opcode %d unimplemented\n",
+ opcode);
+
+}
+
+inline void
+rule_jail(u_short offset, uint8_t proto, ipfw_insn ipfw_insn_u32 *cmd, struct ip_fw_args *args, int ucred_lookup, void *ucred_cache)
+{
+ /*
+ * We only check offset == 0 && proto != 0,
+ * as this ensures that we have a
+ * packet with the ports info.
+ */
+ if (offset != 0)
+ break;
+ if (proto == IPPROTO_TCP ||
+ proto == IPPROTO_UDP)
+ *match = check_uidgid(
+ (ipfw_insn_u32 *)cmd,
+ args, &ucred_lookup,
+#ifdef __FreeBSD__
+ &(struct bsd_ucred *)ucred_cache);
+#else
+ (void *)&(struct ucred *)ucred_cache);
+#endif
+}
+
+inline void
+rule_recv(int *match, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_chain *chain, uint32_t *tablearg)
+{
+ //XXX What about embedding this function into code?
+ *match = iface_match(m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, chain, tablearg);
+}
+
+inline void
+rule_xmit(int *match, struct ifnet *oif, ipfw_insn *cmd, struct ip_fw_chain *chain, uint32_t *tablearg)
+{
+ *match = iface_match(oif, (ipfw_insn_if *)cmd, chain, tablearg);
+}
+
+inline void
+rule_via(int *match, struct ifnet *oif, struct mbuf *m, ipfw_insn *cmd, struct ip_fw_chain *chain, uint32_t *tablearg)
+{
+ *match = iface_match(oif ? oif : m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, chain, tablearg);
+}
+
+inline void
+rule_macaddr(int *match, struct ip_fw_args *args, ipfw_insn *cmd)
+{
+ if (args->eh != NULL) { /* have MAC header */
+ u_int32_t *want = (u_int32_t *)
+ ((ipfw_insn_mac *)cmd)->addr;
+ u_int32_t *mask = (u_int32_t *)
+ ((ipfw_insn_mac *)cmd)->mask;
+ u_int32_t *hdr = (u_int32_t *)args->eh;
+
+ *match =
+ ( want[0] == (hdr[0] & mask[0]) &&
+ want[1] == (hdr[1] & mask[1]) &&
+ want[2] == (hdr[2] & mask[2]) );
+ }
+
+}
+
+inline void
+rule_mac_type(int *match, struct ip_fw_args *args, ipfw_insn *cmd, int cmdlen, uint16_t etype);
+{
+ if (args->eh != NULL) {
+ u_int16_t *p =
+ ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = cmdlen - 1; !match && i>0;
+ i--, p += 2)
+ *match = (etype >= p[0] &&
+ etype <= p[1]);
+ }
+
+}
+
+inline void
+rule_frag(int *match, u_short offset)
+{
+ *match = (offset != 0);
+}
+
+inline void
+rule_in(int *match, struct ifnet *oif)
+{
+ /* "out" is "not in" */
+ *match = (oif == NULL);
+}
+
+inline void
+rule_layertwo(int *match, struct ip_fw_args * args)
+{
+ *match = (args->eh != NULL);
+}
+
+inline void
+rule_diverted(int *match, struct ip_fw_args * args)
+{
+ /* For diverted packets, args->rule.info
+ * contains the divert port (in host format)
+ * reason and direction.
+ */
+ uint32_t i = args->rule.info;
+ *match = (i&IPFW_IS_MASK) == IPFW_IS_DIVERT &&
+ cmd->arg1 & ((i & IPFW_INFO_IN) ? 1 : 2);
+}
+
+inline void
+rule_proto(int *match, uint8_t proto, ipfs_insn *cmd)
+{
+ /*
+ * We do not allow an arg of 0 so the
+ * check of "proto" only suffices.
+ */
+ *match = (proto == cmd->arg1);
+}
+
+inline void
+rule_ip_src(int *match, int is_ipv4, ipfs_insn *cmd, struct in_addr *src_ip)
+{
+ *match = is_ipv4 &&
+ (((ipfw_insn_ip *)cmd)->addr.s_addr ==
+ src_ip->s_addr);
+}
+
+
+// XXX Finish this function.
+inline void
+rule_ip_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, ucred_cache, struct ip_fw_chain *chain)
+{
+ if (is_ipv4) {
+ uint32_t key =
+ (cmd->opcode == O_IP_DST_LOOKUP) ?
+ dst_ip.s_addr : src_ip.s_addr;
+ uint32_t v = 0;
+
+ if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) {
+ /* generic lookup. The key must be
+ * in 32bit big-endian format.
+ */
+ v = ((ipfw_insn_u32 *)cmd)->d[1];
+ if (v == 0)
+ key = dst_ip.s_addr;
+ else if (v == 1)
+ key = src_ip.s_addr;
+ else if (v == 6) /* dscp */
+ key = (ip->ip_tos >> 2) & 0x3f;
+ else if (offset != 0)
+ break;
+ else if (proto != IPPROTO_TCP &&
+ proto != IPPROTO_UDP)
+ break;
+ else if (v == 2)
+ key = htonl(dst_port);
+ else if (v == 3)
+ key = htonl(src_port);
+#ifndef USERSPACE
+ else if (v == 4 || v == 5) {
+ check_uidgid(
+ (ipfw_insn_u32 *)cmd,
+ args, &ucred_lookup,
+#ifdef __FreeBSD__
+ &ucred_cache);
+ if (v == 4 /* O_UID */)
+ key = ucred_cache->cr_uid;
+ else if (v == 5 /* O_JAIL */)
+ key = ucred_cache->cr_prison->pr_id;
+#else /* !__FreeBSD__ */
+ (void *)&ucred_cache);
+ if (v ==4 /* O_UID */)
+ key = ucred_cache.uid;
+ else if (v == 5 /* O_JAIL */)
+ key = ucred_cache.xid;
+#endif /* !__FreeBSD__ */
+ key = htonl(key);
+ } else
+#endif /* !USERSPACE */
+ break;
+ }
+ *match = ipfw_lookup_table(chain,
+ cmd->arg1, key, &v);
+ if (!(*match))
+ break;
+ if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
+ *match =
+ ((ipfw_insn_u32 *)cmd)->d[0] == v;
+ else
+ tablearg = v;
+ } else if (is_ipv6) {
+ uint32_t v = 0;
+ void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ?
+ &args->f_id.dst_ip6: &args->f_id.src_ip6;
+ *match = ipfw_lookup_table_extended(chain,
+ cmd->arg1, pkey, &v,
+ IPFW_TABLE_CIDR);
+ if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
+ *match = ((ipfw_insn_u32 *)cmd)->d[0] == v;
+ if (*match)
+ tablearg = v;
+ }
+}
+
+
+//XXX Speak with mentor about passing both dst_ip and src_ip.
+inline void
+rule_ip_dst_mask(int *match, int is_ipv4, ipfw_insn *cmd, int cmdlen, struct in_addr *dst_ip, struct in_addr *src_ip)
+{
+ if (is_ipv4) {
+ uint32_t a =
+ (cmd->opcode == O_IP_DST_MASK) ?
+ dst_ip.s_addr : src_ip.s_addr;
+ uint32_t *p = ((ipfw_insn_u32 *)cmd)->d;
+ int i = cmdlen-1;
+
+ for (; !match && i>0; i-= 2, p+= 2)
+ *match = (p[0] == (a & p[1]));
+ }
+}
+
+inline void
+rule_ip_src_me(int *match, struct in_addr *src_ip, struct ip_fw_args *args)
+{
+ if (is_ipv4) {
+ struct ifnet *tif;
+
+ INADDR_TO_IFP(src_ip, tif);
+ *match = (tif != NULL);
+ return;
+ }
+ /* The next behavior has been also added to the next action */
+ *match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6);
+}
+
+inline void
+rule_ip6_src_me(int *match, int is_ipv6, struct ip_fw_args *args)
+{
+ *match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6);
+}
+
+inline void
+rule_ip_src_set(int *match, int is_ipv4, ipfw_insn *cmd, struct ip_fw_args *args)
+{
+ if (is_ipv4) {
+ u_int32_t *d = (u_int32_t *)(cmd+1);
+ u_int32_t addr =
+ cmd->opcode == O_IP_DST_SET ?
+ args->f_id.dst_ip :
+ args->f_id.src_ip;
+
+ if (addr < d[0])
+ break;
+ addr -= d[0]; /* subtract base */
+ *match = (addr < cmd->arg1) &&
+ ( d[ 1 + (addr>>5)] &
+ (1<<(addr & 0x1f)) );
+ }
+}
+
+inline void
+rule_ip_dst(int *match, is_ipv4, ipfw_insn *cmd, struct in_addr *dst_ip)
+{
+ *match = is_ipv4 &&
+ (((ipfw_insn_ip *)cmd)->addr.s_addr ==
+ dst_ip->s_addr);
+}
+
+inline void
+rule_ip_dst_me(int *match, is_ipv4, is_ipv6, struct in_addr *dst_ip, dst_ip6)
+{
+ if (is_ipv4) {
+ struct ifnet *tif;
+
+ INADDR_TO_IFP(dst_ip, tif);
+ *match = (tif != NULL);
+ return;
+ }
+ *match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6);
+}
+
+inline void
+rule_ip6_dst_me(int *match, struct ip_fw_args *args)
+{
+ *match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6);
+}
+
+inline void
+rule_ip_dstport(int *match, uint8_t proto, u_short offset, ipfw_insn *cmd, int cmdlen)
+{
+ /*
+ * offset == 0 && proto != 0 is enough
+ * to guarantee that we have a
+ * packet with port info.
+ */
+ if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP)
+ && offset == 0) {
+ u_int16_t x =
+ (cmd->opcode == O_IP_SRCPORT) ?
+ src_port : dst_port ;
+ u_int16_t *p =
+ ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = cmdlen - 1; !match && i>0;
+ i--, p += 2)
+ *match = (x>=p[0] && x<=p[1]);
+ }
+}
+
+inline void
+rule_icmptype(int *match, u_short offset, uint8_t proto, void *ulp, ipfw_insn *cmd )
+{
+ *match = (offset == 0 && proto==IPPROTO_ICMP &&
+ icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) );
+}
+
+inline void
+rule_ipopt(int *match, int is_ipv4, struct ip *ip, ipfw_insn *cmd)
+{
+ *match = (is_ipv4 &&
+ ipopts_match(ip, cmd) );
+
+}
+
+inline void
+rule_ipver(int *match, int is_ipv4, ipfw_insn *cmd, struct ip *ip)
+{
+ match = (is_ipv4 &&
+ cmd->arg1 == ip->ip_v);
+}
+
+inline void
+rule_ipttl(int *match, int is_ipv4 ipfw_insn *cmd, int cmdlen, struct ip *ip, uint16_t iplen)
+{
+ if (is_ipv4) { /* only for IP packets */
+ uint16_t x;
+ uint16_t *p;
+ int i;
+
+ if (cmd->opcode == O_IPLEN)
+ x = iplen;
+ else if (cmd->opcode == O_IPTTL)
+ x = ip->ip_ttl;
+ else /* must be IPID */
+ x = ntohs(ip->ip_id);
+ if (cmdlen == 1) {
+ *match = (cmd->arg1 == x);
+ return;
+ }
+ /* otherwise we have ranges */
+ p = ((ipfw_insn_u16 *)cmd)->ports;
+ i = cmdlen - 1;
+ for (; !match && i>0; i--, p += 2)
+ *match = (x >= p[0] && x <= p[1]);
+ }
+}
+
+inline void
+rule_ipprecedence(int *match, int is_ipv4, ipfw_insn *cmd, struct ip *ip)
+{
+ *match = (is_ipv4 &&
+ (cmd->arg1 == (ip->ip_tos & 0xe0)) );
+}
+
+inline void
+rule_iptos(int *match, int is_ipv4 ipfw_insn *cmd, struct ip *ip)
+{
+ *match = (is_ipv4 &&
+ flags_match(cmd, ip->ip_tos));
+}
+
+inline void
+rule_dscp(int *match, int is_ipv4, int is_ipv6, ipfw_insn *cmd, struct ip *ip)
+{
+ uint32_t *p;
+ uint16_t x;
+
+ p = ((ipfw_insn_u32 *)cmd)->d;
+
+ if (is_ipv4)
+ x = ip->ip_tos >> 2;
+ else if (is_ipv6) {
+ uint8_t *v;
+ v = &((struct ip6_hdr *)ip)->ip6_vfc;
+ x = (*v & 0x0F) << 2;
+ v++;
+ x |= *v >> 6;
+ } else
+ break;
+
+ /* DSCP bitmask is stored as low_u32 high_u32 */
+ if (x > 32)
+ *match = *(p + 1) & (1 << (x - 32));
+ else
+ *match = *p & (1 << x);
+}
+
+inline void
+rule_tcpdatalen(int *match, uint8_t proto, u_short offset, void *ulp, uint16_t iplen int *cmdlen, ipfw_insn *cmd)
+{
+ if (proto == IPPROTO_TCP && offset == 0) {
+ struct tcphdr *tcp;
+ uint16_t x;
+ uint16_t *p;
+ int i;
+
+ tcp = TCP(ulp);
+ x = iplen -
+ ((ip->ip_hl + tcp->th_off) << 2);
+ if (cmdlen == 1) {
+ match = (cmd->arg1 == x);
+ return;
+ }
+ /* otherwise we have ranges */
+ p = ((ipfw_insn_u16 *)cmd)->ports;
+ i = cmdlen - 1;
+ for (; !match && i>0; i--, p += 2)
+ *match = (x >= p[0] && x <= p[1]);
+ }
+}
+
+inline void
+rule_tcpflags(int *match, uint8_t proto, u_short offset, ipfw_insn *cmd, void *ulp)
+{
+ *match = (proto == IPPROTO_TCP && offset == 0 &&
+ flags_match(cmd, TCP(ulp)->th_flags));
+}
+
+inline void
+rule_tcpopts(int *match, hlen, void *ulp, uint8_t proto, u_short offset, ipfw_insn *cmd);
+{
+ PULLUP_LEN(hlen, ulp, (TCP(ulp)->th_off << 2));
+ *match = (proto == IPPROTO_TCP && offset == 0 &&
+ tcpopts_match(TCP(ulp), cmd));
+}
+
+inline void
+rule_tcpseq(int *match, uint8_t proto, u_short offset, ipfw_insn *cmd, void *ulp)
+{
+ match = (proto == IPPROTO_TCP && offset == 0 &&
+ ((ipfw_insn_u32 *)cmd)->d[0] ==
+ TCP(ulp)->th_seq);
+}
+
+inline void
+rule_tcpack(int *match, uint8_t proto, u_short offset, ipfw_insn *cmd, void *ulp)
+{
+ *match = (proto == IPPROTO_TCP && offset == 0 &&
+ ((ipfw_insn_u32 *)cmd)->d[0] ==
+ TCP(void *ulp)->th_ack);
+}
+
+inline void
+rule_tcpwin(int *match, uint8_t proto, u_short offset, ipfw_insn *cmd, void *ulp)
+{
+ if (proto == IPPROTO_TCP && offset == 0) {
+ uint16_t x;
+ uint16_t *p;
+ int i;
+
+ x = ntohs(TCP(ulp)->th_win);
+ if (cmdlen == 1) {
+ *match = (cmd->arg1 == x);
+ return;
+ }
+ /* Otherwise we have ranges. */
+ p = ((ipfw_insn_u16 *)cmd)->ports;
+ i = cmdlen - 1;
+ for (; !(*match) && i > 0; i--, p += 2)
+ *match = (x >= p[0] && x <= p[1]);
+ }
+}
+
+inline void
+rule_estab(int *match, uint8_t proto, u_short offset, void *ulp)
+{
+ /* reject packets which have SYN only */
+ /* XXX should i also check for TH_ACK ? */
+ *match = (proto == IPPROTO_TCP && offset == 0 &&
+ (TCP(ulp)->th_flags &
+ (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
+}
+
+inline void
+rule_altq(int *match, ipfw_insn *cmd, struct mbuf *m)
+{
+ struct pf_mtag *at;
+ struct m_tag *mtag;
+ ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
+
+ /*
+ * ALTQ uses mbuf tags from another
+ * packet filtering system - pf(4).
+ * We allocate a tag in its format
+ * and fill it in, pretending to be pf(4).
+ */
+ *match = 1;
+ at = pf_find_mtag(m);
+ if (at != NULL && at->qid != 0)
+ break;
+ mtag = m_tag_get(PACKET_TAG_PF,
+ sizeof(struct pf_mtag), M_NOWAIT | M_ZERO);
+ if (mtag == NULL) {
+ /*
+ * Let the packet fall back to the
+ * default ALTQ.
+ */
+ return;
+ }
+ m_tag_prepend(m, mtag);
+ at = (struct pf_mtag *)(mtag + 1);
+ at->qid = altq->qid;
+ at->hdr = ip;
+}
+
+inline void
+rule_log(int *match, struct ip_fw *f, hlen, struct ip_fw_args *args, struct mbuf *m, struct ifnet *oif, u_short offset, u_short ip6f_mf, uint32_t tablearg, struct ip *ip)
+{
+ ipfw_log(f, hlen, args, m,
+ oif, offset | ip6f_mf, tablearg, ip);
+ *match = 1;
+}
+
+inline void
+rule_prob(int *match, ipfw_insn *cmd)
+{
+ *match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
+ return;
+}
+
+inline void
+rule_verrevpath(int *match, struct ifnet *oif, struct mbuf *m, int is_ipv6 struct ip_fw_args *args, struct in_addr *src_ip)
+{
+}
+
+inline void
+rule_versrcreach(int *match, int is_ipv6 struct ip_fw_args *args, struct in_addr *src_ip)
+{
+}
+
+inline void
+rule_antispoof(int *match, struct ifnet *oif, hlen, int is_ipv4 struct in_addr *src_ip, int is_ipv6 struct ip_fw_args *args, m)
+{
+}
+
+inline void
+rule_ip4(int *match, is_ipv4)
+{
+}
+
+inline void
+rule_tag(int *match, ipfw_insn *cmd, struct mbuf *m, tag, )
+{
+}
+
+inline void
+rule_fib(int *match, struct ip_fw_args *args, ipfw_insn *cmd)
+{
+}
+
+inline void
+rule_tagged(int *match, ipfw_insn *cmd, int *cmdlen, struct mbuf *m, ipfw, tag)
+{
+}
-inline void rule_recv(int *match, struct mbuf *m, ipfw_insn *cmd, struct ip_fw_chain *chain, uint32_t *tablearg);
-inline void rule_xmit(int *match, struct ifnet *oif, ipfw_insn *cmd, struct ip_fw_chain *chain, uint32_t *tablearg);
-inline void rule_via(int *match, struct ifnet *oif, rcvif, ipfw_insn *cmd, struct ip_fw_chain *chain, uint32_t *tablearg);
-inline void rule_macaddr(int *match, struct ip_fw_args *args, ipfw_insn *cmd);
-inline void rule_mac_type(int *match, eh, ports, int *cmdlen, etype));
-inline void rule_frag(int *match, offset);
-inline void rule_in(int *match, struct ifnet *oif);
-inline void rule_layertwo(int *match, eh);
-inline void rule_diverted(int *match, info);
-inline void rule_proto(int *match, proto, arg1);
-inline void rule_ip_src(int *match, is_ipv4, addr1, addr2);
-inline void rule_ip_2_lookup(int *match, ipfw_insn *cmd, int *cmdlen, is_ipv4, is_ipv6, ip, dst_ip,
- src_ip, dst_port, src_port, offset, proto, ucred_lookup, ucred_cache, key, struct ip_fw_chain *chain);
-inline void rule_ip_dst_mask(int *match, is_ipv4, ipfw_insn *cmd, dst_ip);
-inline void rule_ip_src_me(int *match, src_ip, struct ip_fw_args *args);
-inline void rule_ip_src_set(int *match, is_ipv4, ipfw_insn *cmd, struct ip_fw_args *args);
-inline void rule_ip_dst(int *match, is_ipv4, ipfw_insn *cmd, addr1, addr2);
-inline void rule_ip_dst_me(int *match, is_ipv4, is_ipv6, dst_ip, dst_ip6);
-inline void rule_ip_dstport(int *match, proto, opcode, ports, int *cmdlen);
-inline void rule_icmptype(int *match, offset, proto,ulp, ipfw_insn *cmd );
-inline void rule_ipopt(int *match, is_ipv4, ip, ipfw_insn *cmd);
-inline void rule_ipver(int *match, is_ipv4, arg1, ip_v);
-inline void rule_ipttl(int *match, is_ipv4, opcode, iplen, ip_ttl, ip_id, int *cmdlen, ports);
-inline void rule_ipprecedence(int *match, is_ipv4, arg1, ip_tos);
-inline void rule_iptos(int *match, is_ipv4, ipfw_insn *cmd, ip_tos)
-inline void rule_dscp(d, is_ipv4, ip_tos, is_ipv6, ip6_vfc);
-inline void rule_tcpdatalen(int *match, proto, offset, ulp, iplen, int *cmdlen, arg1, ports);
-inline void rule_tcpflags(int *match, proto, offset, ipfw_insn *cmd, th_flags);
-inline void rule_tcpopts(int *match, hlen, ulp, th_off, proto, offset, ipfw_insn *cmd);
-inline void rule_tcpseq(int *match, proto, offset, ipfw_insn *cmd, ulp);
-inline void rule_tcpack(int *match, proto, offset, ipfw_insn *cmd, ulp);
-inline void rule_tcpwin(int *match, proto, offset, ipfw_insn *cmd, ulp);
-inline void rule_estab(int *match, proto, offset, ulp);
-inline void rule_altq(int *match, ipfw_insn *cmd, struct mbuf *m, tag /*PACKET_TAG_PF*/, size_t size, num);
-inline void rule_log(int *match, f, hlen, struct ip_fw_args *args, struct mbuf *m, struct ifnet *oif, offset, ip6f_mf, uint32_t *tablearg, ip);
-inline void rule_prob(int *match, ipfw_insn *cmd);
-inline void rule_verrevpath(int *match, struct ifnet *oif, struct mbuf *m, is_ipv6, struct ip_fw_args *args, src_ip);
-inline void rule_versrcreach(int *match, is_ipv6, struct ip_fw_args *args, src_ip);
-inline void rule_antispoof(int *match, struct ifnet *oif, hlen, is_ipv4, src_ip, is_ipv6, struct ip_fw_args *args, m);
-inline void rule_ip4(int *match, is_ipv4);
-inline void rule_tag(int *match, ipfw_insn *cmd, struct mbuf *m, tag, );
-inline void rule_fib(int *match, struct ip_fw_args *args, ipfw_insn *cmd);
-inline void rule_tagged(int *match, ipfw_insn *cmd, int *cmdlen, struct mbuf *m, ipfw, tag);
#ifdef INET6
-inline void rule_icmp6type(int *match, offset, proto, icmp6_type, ipfw_insn *cmd);
-inline void rule_ip6_src(int *match, is_ipv6, src_ip6, addr6);
-inline void rule_ip6_dst(int *match, is_ipv6, dst_ip6, addr6);
-inline void rule_ip6_dst_mask(int *match, struct ip_fw_args *args, ipfw_insn *cmd, int *cmdlen, is_ipv6, dst_ip6, addr6);
-inline void rule_ip6_dst(int *match, is_ipv6, flow_id6, ipfw_insn *cmd);
-inline void rule_is_ipv6(int *match, is_ipv6, ext_hd, ipfw_insn *cmd);
-inline void rule_ip6(int *match, is_ipv6);
+inline void
+rule_icmp6type(int *match, u_short offset, uint8_t proto, void *void *ulp, ipfw_insn *cmd)
+{
+ *match = is_ipv6 && offset == 0 &&
+ proto==IPPROTO_ICMPV6 &&
+ icmp6type_match(
+ ICMP6(void *ulp)->icmp6_type,
+ (ipfw_insn_u32 *)cmd);
+}
+
+inline void
+rule_ip6_src(int *match, int is_ipv6 struct in_addr *src_ip6, addr6)
+{
+}
+
+inline void
+rule_ip6_dst(int *match, int is_ipv6 dst_ip6, addr6)
+{
+}
+
+inline void
+rule_ip6_dst_mask(int *match, struct ip_fw_args *args, ipfw_insn *cmd, int *cmdlen, int is_ipv6 dst_ip6, addr6)
+{
+}
+
+inline void
+rule_ip6_dst(int *match, int is_ipv6 flow_id6, ipfw_insn *cmd)
+{
+}
+
+inline void
+rule_is_ipv6(int *match, int is_ipv6 ext_hd, ipfw_insn *cmd)
+{
+}
+
+inline void
+rule_ip6(int *match, is_ipv6)
+{
+}
+
#endif
#ifdef IPSEC
-inline void rule_ipsec(int *match, m);
+inline void
+rule_ipsec(int *match, m)
+{
+}
+
endif
-#ifndef USERSPACE /* not supported in userspace */
-inline void rule_sockarg(int *match, is_ipv6, proto, struct ip_fw_args *args, tcbinfo, udbinfo, inp, scr_ip, src_port, dst_ip, dst_port, uint32_t *tablearg);
+#ifndef USERSPACE
+inline void
+rule_sockarg(int *match, int is_ipv6 uint8_t proto, struct ip_fw_args *args, tcbinfo, udbinfo, inp, scr_ip, uint16_t src_port, struct in_addr *dst_ip, uint16_t dst_port, uint32_t *tablearg)
+{
+}
#endif /* !USERSPACE */
/*
* The second round of actions.
*/
-inline void rule_keep_state(int *match, f, ipfw_insn *cmd, struct ip_fw_args *args, uint32_t *tablearg, retval, l, done);
-inline void rule_check_state(int *match, dyn_dir, q, struct ip_fw_args *args, proto, ulp, pktlen, f, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, l);
-inline void rule_accept(retval, l, done);
-inline void rule_queue(args, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, retval, l, done);
-inline void rule_tee(args, l, done, retval, ipfw_insn *cmd, struct ip_fw_args *args, f_pos, struct ip_fw_chain *chain);
-inline void rule_count(l, f, pktlen);
-inline void rule_skipto(int *match, f, f_pos, pktlen, struct ip_fw_chain *chain, ipfw_insn *cmd, uint32_t *tablearg, f, l, ipfw_insn *cmd, int *cmdlen, skip_or);
-inline void rule_callreturn(ipfw_insn *cmd, int *cmdlen, struct mbuf *m, l, f, pktlen, uint32_t *tablearg, jmpto, f_pos, struct ip_fw_chain *chain, skip_or);
-inline void rule_reject(hlen, is_ipv4, offset, proto, ulp, struct mbuf *m, dst_ip, struct ip_fw_args *args, ipfw_insn *cmd, iplen, ip);
-inline void rule_deny(l, done, retval);
-inline void rule_forward_ip(args, q, dyn_dir, ipfw_insn *cmd, sa, retval, l, done);
-inline void rule_ngtee(args, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, V_fw_one_pass, retval, l, done);
-inline void rule_setfib(f, pktlen, ipfw_insn *cmd, rt_numfibs, struct mbuf *m, struct ip_fw_args *args, l);
-inline void rule_setdscp(ipfw_insn *cmd, l, is_ipv4, a, is_ipv6, f, pktlen);
-inline void rule_nat(l, done, retval, struct ip_fw_args *args, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, struct ip_fw_chain *chain);
-inlinue void rule_reass(f, pktlen, l, ip_off, ip, struct ip_fw_args *args, struct mbuf *m, retval, done);
+inline void
+rule_keep_state(int *match, f, ipfw_insn *cmd, struct ip_fw_args *args, uint32_t *tablearg, retval, l, done)
+{
+}
+
+inline void
+rule_check_state(int *match, dyn_dir, q, struct ip_fw_args *args, uint8_t proto, void *void *ulp, pktlen, f, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, l)
+{
+}
+
+inline void
+rule_accept(retval, l, done)
+{
+}
+
+inline void
+rule_queue(args, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, retval, l, done)
+{
+}
+
+inline void
+rule_tee(args, l, done, retval, ipfw_insn *cmd, struct ip_fw_args *args, f_pos, struct ip_fw_chain *chain)
+{
+}
+
+inline void
+rule_count(l, f, pktlen)
+{
+}
+
+inline void
+rule_skipto(int *match, f, f_pos, pktlen, struct ip_fw_chain *chain, ipfw_insn *cmd, uint32_t *tablearg, l, ipfw_insn *cmd, int *cmdlen, skip_or)
+{
+}
+
+inline void
+rule_callreturn(ipfw_insn *cmd, int *cmdlen, struct mbuf *m, l, f, pktlen, uint32_t *tablearg, jmpto, f_pos, struct ip_fw_chain *chain, skip_or)
+{
+}
+
+inline void
+rule_reject(hlen, int is_ipv4 u_short offset, uint8_t proto, void *void *ulp, struct mbuf *m, struct in_addr *dst_ip, struct ip_fw_args *args, ipfw_insn *cmd, uint16_t iplen struct ip *ip)
+{
+}
+
+inline void
+rule_deny(l, done, retval)
+{
+}
+
+inline void
+rule_forward_ip(args, q, dyn_dir, ipfw_insn *cmd, sa, retval, l, done)
+{
+}
+
+inline void
+rule_ngtee(args, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, V_fw_one_pass, retval, l, done)
+{
+}
+
+inline void
+rule_setfib(f, pktlen, ipfw_insn *cmd, rt_numfibs, struct mbuf *m, struct ip_fw_args *args, l)
+{
+}
+
+inline void
+rule_setdscp(ipfw_insn *cmd, l, int is_ipv4 a, int is_ipv6 f, pktlen)
+{
+}
+
+inline void
+rule_nat(l, done, retval, struct ip_fw_args *args, f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, struct ip_fw_chain *chain)
+{
+}
+
+inlinue void rule_reass(f, pktlen, l, ip_off, struct ip *ip, struct ip_fw_args *args, struct mbuf *m, retval, done)
+{
+}
+
#ifdef INET6
-inline void rule_unreach6(hlen, is_ipv4, offset, proto, icmp6_type, struct mbuf *m, struct ip_fw_args *args, ipfw_insn *cmd, ip);
-inline void rule_forward_ip6(args, q, f, dun_dir, ipfw_insn *cmd, struct ip_fw_args *args, retval, l, done);
-#endif
+inline void
+rule_unreach6(hlen, int is_ipv4 u_short offset, uint8_t proto, icmp6_type, struct mbuf *m, struct ip_fw_args *args, ipfw_insn *cmd, struct ip *ip)
+{
+}
+
+inline void
+rule_forward_ip6(args, q, f, dun_dir, ipfw_insn *cmd, struct ip_fw_args *args, retval, l, done)
+{
+}
+
+#endif /* INET6 */
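Review bot: The range loops in rule_mac_type, rule_ip_dst_mask, rule_ip_dstport, rule_ipttl and rule_tcpdatalen still test `!match`, but `match` is now an `int *`, so for any valid pointer the condition is false, the loop body never runs, and `*match` stays as the caller set it. rule_tcpwin already uses the correct form, `for (; !(*match) && i > 0; i--, p += 2)`, and the other five should follow it. The same conversion slip appears in rule_ipver, rule_tcpdatalen (the `cmdlen == 1` branch) and rule_tcpseq, which write `match = (...)` to the local pointer instead of `*match = (...)`, so the caller never sees the result. In a packet filter both slips silently change which rules fire, so each helper should be checked against the inline case it replaces before ip_fw2.c switches over. The bare `break` statements carried over from the switch (rule_jail, rule_ip_2_lookup, rule_ip_src_set, rule_dscp, rule_altq) have no enclosing loop or switch here and need to become `return`.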