socsvn commit: r269437 - soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw
dpl at FreeBSD.org
dpl at FreeBSD.org
Thu Jun 12 10:21:08 UTC 2014
Author: dpl
Date: Thu Jun 12 10:21:07 2014
New Revision: 269437
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269437
Log:
Finished isolating the rules.
Modified:
soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Thu Jun 12 09:59:11 2014 (r269436)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Thu Jun 12 10:21:07 2014 (r269437)
@@ -1388,76 +1388,7 @@
case O_IP_SRC_LOOKUP:
case O_2_LOOKUP:
- if (is_ipv4) {
- uint32_t key =
- (cmd->opcode == O_IP_DST_LOOKUP) ?
- dst_ip.s_addr : src_ip.s_addr;
- uint32_t v = 0;
-
- if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) {
- /* generic lookup. The key must be
- * in 32bit big-endian format.
- */
- v = ((ipfw_insn_u32 *)cmd)->d[1];
- if (v == 0)
- key = dst_ip.s_addr;
- else if (v == 1)
- key = src_ip.s_addr;
- else if (v == 6) /* dscp */
- key = (ip->ip_tos >> 2) & 0x3f;
- else if (offset != 0)
- break;
- else if (proto != IPPROTO_TCP &&
- proto != IPPROTO_UDP)
- break;
- else if (v == 2)
- key = htonl(dst_port);
- else if (v == 3)
- key = htonl(src_port);
-#ifndef USERSPACE
- else if (v == 4 || v == 5) {
- check_uidgid(
- (ipfw_insn_u32 *)cmd,
- args, &ucred_lookup,
-#ifdef __FreeBSD__
- &ucred_cache);
- if (v == 4 /* O_UID */)
- key = ucred_cache->cr_uid;
- else if (v == 5 /* O_JAIL */)
- key = ucred_cache->cr_prison->pr_id;
-#else /* !__FreeBSD__ */
- (void *)&ucred_cache);
- if (v ==4 /* O_UID */)
- key = ucred_cache.uid;
- else if (v == 5 /* O_JAIL */)
- key = ucred_cache.xid;
-#endif /* !__FreeBSD__ */
- key = htonl(key);
- } else
-#endif /* !USERSPACE */
- break;
- }
- match = ipfw_lookup_table(chain,
- cmd->arg1, key, &v);
- if (!match)
- break;
- if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
- match =
- ((ipfw_insn_u32 *)cmd)->d[0] == v;
- else
- tablearg = v;
- } else if (is_ipv6) {
- uint32_t v = 0;
- void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ?
- &args->f_id.dst_ip6: &args->f_id.src_ip6;
- match = ipfw_lookup_table_extended(chain,
- cmd->arg1, pkey, &v,
- IPFW_TABLE_CIDR);
- if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
- match = ((ipfw_insn_u32 *)cmd)->d[0] == v;
- if (match)
- tablearg = v;
- }
+ rule_2_lookup(&match, cmd, cmdlen, is_ipv4, is_ipv6, ip, dst_ip, src_ip, dst_port, src_port, offset, proto, ucred_lookup, ucred_cache, chain);
break;
case O_IP_SRC_MASK:
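Review bot: The added `rule_2_lookup(...)` call has no way to hand back `tablearg`. The removed block assigned `tablearg = v` in both the IPv4 and IPv6 branches, but neither this call nor the helper's prototype in ip_rules.h carries a `uint32_t *tablearg`, so later opcodes that consume the table value would see a stale one. `args` is also missing from the argument list, although the helper body passes `args` to `check_uidgid()` and the removed IPv6 branch read `args->f_id`. `ucred_lookup` goes in by value, so the helper's `&ucred_lookup` updates a copy and the caller's credential-lookup state never changes. I would add `struct ip_fw_args *args, uint32_t *tablearg, int *ucred_lookup` to the prototype and pass `args, &tablearg, &ucred_lookup` here; the enclosing switch starts and ends outside the hunk.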
@@ -1689,7 +1620,7 @@
case O_PROBE_STATE:
case O_CHECK_STATE:
- rule_check_state(&match);
+ rule_check_state(&match, &dyn_dir, q, args, proto, ulp, pktlen, f, f_pos, chain, cmd, cmdlen, &l);
break;
case O_ACCEPT:
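Review bot: `f_pos` and `cmdlen` are passed bare in the new `rule_check_state(...)` call, while the prototype in ip_rules.h declares `int *f_pos` and `int *cmdlen`. If they are plain `int` locals here (the same `cmdlen` is handed to `rule_2_lookup` as an `int`), this should read `&f_pos` and `&cmdlen`. The same kind of mismatch shows in the `rule_2_lookup` call in the first hunk: the removed code used `dst_ip.s_addr` and `src_ip.s_addr`, but the helper takes `struct in_addr *`, so that call needs `&dst_ip, &src_ip`. `f` and `cmd` are passed by value, so any reassignment the helper makes after a dynamic-rule hit would not reach this loop; confirm against the helper body, which is only partly visible in this diff.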
@@ -1725,17 +1656,7 @@
/* FALLTHROUGH */
#ifdef INET6
case O_UNREACH6:
- if (hlen > 0 && is_ipv6 &&
- ((offset & IP6F_OFF_MASK) == 0) &&
- (proto != IPPROTO_ICMPV6 ||
- (is_icmp6_query(icmp6_type) == 1)) &&
- !(m->m_flags & (M_BCAST|M_MCAST)) &&
- !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) {
- send_reject6(
- args, cmd->arg1, hlen,
- (struct ip6_hdr *)ip);
- m = args->m;
- }
+ rule_unreach6(hlen, is_ipv4, offset, proto, icmp6_type, m, args, cmd, ip);
/* FALLTHROUGH */
#endif
case O_DENY:
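Review bot: The new `rule_unreach6(...)` call passes `is_ipv4` where the removed condition tested `is_ipv6`. Unless the helper's second parameter really is the IPv4 flag (its prototype is not in this diff), the ICMPv6 reject would be sent for the wrong address family and skipped for IPv6 packets, so this most likely should be `is_ipv6`. The removed block also reloaded `m = args->m;` after `send_reject6()`, and `m` is now passed by value, so this function keeps its previous mbuf pointer while falling through to `O_DENY`. Pass `&m` to the helper, or re-read `m = args->m;` right after the call.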
Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Thu Jun 12 09:59:11 2014 (r269436)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Thu Jun 12 10:21:07 2014 (r269437)
@@ -42,7 +42,6 @@
inline void
rule_recv(int *match, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_chain *chain, uint32_t *tablearg)
{
- //XXX What about embedding this function into code?
*match = iface_match(m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, chain, tablearg);
}
@@ -142,9 +141,8 @@
}
-// XXX Finish this function.
inline void
-rule_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, ucred_cache, struct ip_fw_chain *chain)
+rule_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, void *ucred_cache, struct ip_fw_chain *chain)
{
if (is_ipv4) {
uint32_t key =
@@ -178,13 +176,13 @@
(ipfw_insn_u32 *)cmd,
args, &ucred_lookup,
#ifdef __FreeBSD__
- &ucred_cache);
+ (struct bsd_ucred *)ucred_cache);
if (v == 4 /* O_UID */)
key = ucred_cache->cr_uid;
else if (v == 5 /* O_JAIL */)
key = ucred_cache->cr_prison->pr_id;
#else /* !__FreeBSD__ */
- (void *)&ucred_cache);
+ ucred_cache);
if (v ==4 /* O_UID */)
key = ucred_cache.uid;
else if (v == 5 /* O_JAIL */)
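Review bot: With `ucred_cache` declared `void *` in the new prototype (previous hunk), the unchanged lines `key = ucred_cache->cr_uid;` and `key = ucred_cache.uid;` access members through a void pointer and cannot compile. The `__FreeBSD__` branch used to pass `&ucred_cache`, the address of the caller's credential pointer, so `check_uidgid()` could fill the cache; passing `(struct bsd_ucred *)ucred_cache` by value loses that. The `bsd_ucred` cast also looks like it belongs to the non-FreeBSD branch, where the fields are `uid` and `xid`. A typed parameter under the same `#ifdef` would be safer, presumably `struct ucred **ucred_cache` on FreeBSD and `struct bsd_ucred *ucred_cache` otherwise, with the uses written as `(*ucred_cache)->cr_uid` and `ucred_cache->uid`. The function body starts and ends outside this hunk.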
@@ -819,10 +817,8 @@
*match = 1;
}
-/* XXX typeof dyn_dir? */
-/* XXX typeof q? */
inline void
-rule_check_state(int *match, dyn_dir, q, struct ip_fw_args *args, uint8_t proto, void *ulp, int pktlen, struct ip_fw *f, int *f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, int *l)
+rule_check_state(int *match, int *dyn_dir, ipfw_dyn_rule *q, struct ip_fw_args *args, uint8_t proto, void *ulp, int pktlen, struct ip_fw *f, int *f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, int *l)
{
/*
* dynamic rules are checked at the first
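Review bot: `q` is declared `ipfw_dyn_rule *q`, so the assignment `q = ipfw_lookup_dyn_rule(...)` in the next hunk only changes the helper's local copy. The caller's `q` never sees the dynamic rule that was found, yet `rule_forward_ip` and `rule_forward_ip6` take the same pointer as a parameter. Declaring it `ipfw_dyn_rule **q` and writing `(*q = ipfw_lookup_dyn_rule(&args->f_id, dyn_dir, ...)) != NULL` would keep the behaviour the inline code had. `dyn_dir` was converted to a pointer consistently in that hunk; the function body continues outside both hunks.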
@@ -833,9 +829,9 @@
* KEEP_STATE (because PROBE_STATE needs
* to be run first).
*/
- if (dyn_dir == MATCH_UNKNOWN &&
+ if (*dyn_dir == MATCH_UNKNOWN &&
(q = ipfw_lookup_dyn_rule(&args->f_id,
- &dyn_dir, proto == IPPROTO_TCP ?
+ dyn_dir, proto == IPPROTO_TCP ?
TCP(ulp) : NULL))
!= NULL) {
/*
@@ -1080,9 +1076,8 @@
*done = 1; /* exit outer loop */
}
-/* XXX typeof q?? */
inline void
-rule_forward_ip(struct ip_fw_args *args, q, int dyn_dir, ipfw_insn *cmd, struct sockaddr_in *sa, int *retval, int *l, int *done)
+rule_forward_ip(struct ip_fw_args *args, ipfw_dyn_rule *q, int dyn_dir, ipfw_insn *cmd, struct sockaddr_in *sa, int *retval, int *l, int *done)
{
if (args->eh) /* not valid on layer2 pkts */
return;
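Review bot: The helpers in this header are defined as plain `inline void`, here and at `rule_recv`, `rule_2_lookup`, `rule_check_state`, `rule_forward_ip6` and `rule_setfib`. Under C99 inline semantics that provides no external definition, so a call the compiler declines to inline can fail at link time, and under GNU89 semantics every file including the header emits its own external definition. `static inline void` is the usual form for functions defined in a header and would be worth applying while these signatures are being touched. The body of `rule_forward_ip` continues outside the hunk.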
@@ -1107,7 +1102,7 @@
#ifdef INET6
inline void
-rule_forward_ip6(struct ip_fw_args *args, q, struct ip_fw *f, ipfw_insn *cmd, int *retval, int *l, int *done)
+rule_forward_ip6(struct ip_fw_args *args, ipfw_dyn_rule *q, struct ip_fw *f, ipfw_insn *cmd, int *retval, int *l, int *done)
{
if (args->eh) /* not valid on layer2 pkts */
return;
@@ -1137,9 +1132,8 @@
*done = 1; /* exit outer loop */
}
-/* XXX typeof rt_numfibs? */
inline void
-rule_setfib(struct ip_fw *f, int pktlen, ipfw_insn *cmd, rt_numfibs, struct mbuf *m, struct ip_fw_args *args, int *l)
+rule_setfib(struct ip_fw *f, int pktlen, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_args *args, int *l)
{
uint32_t fib;