socsvn commit: r269437 - soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw

dpl at FreeBSD.org dpl at FreeBSD.org
Thu Jun 12 10:21:08 UTC 2014


Author: dpl
Date: Thu Jun 12 10:21:07 2014
New Revision: 269437
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269437

Log:
  Finished isolating the rules.
  

Modified:
  soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
  soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h

Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c	Thu Jun 12 09:59:11 2014	(r269436)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c	Thu Jun 12 10:21:07 2014	(r269437)
@@ -1388,76 +1388,7 @@
 
 			case O_IP_SRC_LOOKUP:
 			case O_2_LOOKUP:
-				if (is_ipv4) {
-				    uint32_t key =
-					(cmd->opcode == O_IP_DST_LOOKUP) ?
-					    dst_ip.s_addr : src_ip.s_addr;
-				    uint32_t v = 0;
-
-				    if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) {
-					/* generic lookup. The key must be
-					 * in 32bit big-endian format.
-					 */
-					v = ((ipfw_insn_u32 *)cmd)->d[1];
-					if (v == 0)
-					    key = dst_ip.s_addr;
-					else if (v == 1)
-					    key = src_ip.s_addr;
-					else if (v == 6) /* dscp */
-					    key = (ip->ip_tos >> 2) & 0x3f;
-					else if (offset != 0)
-					    break;
-					else if (proto != IPPROTO_TCP &&
-						proto != IPPROTO_UDP)
-					    break;
-					else if (v == 2)
-					    key = htonl(dst_port);
-					else if (v == 3)
-					    key = htonl(src_port);
-#ifndef USERSPACE
-					else if (v == 4 || v == 5) {
-					    check_uidgid(
-						(ipfw_insn_u32 *)cmd,
-						args, &ucred_lookup,
-#ifdef __FreeBSD__
-						&ucred_cache);
-					    if (v == 4 /* O_UID */)
-						key = ucred_cache->cr_uid;
-					    else if (v == 5 /* O_JAIL */)
-						key = ucred_cache->cr_prison->pr_id;
-#else /* !__FreeBSD__ */
-						(void *)&ucred_cache);
-					    if (v ==4 /* O_UID */)
-						key = ucred_cache.uid;
-					    else if (v == 5 /* O_JAIL */)
-						key = ucred_cache.xid;
-#endif /* !__FreeBSD__ */
-					    key = htonl(key);
-					} else
-#endif /* !USERSPACE */
-					    break;
-				    }
-				    match = ipfw_lookup_table(chain,
-					cmd->arg1, key, &v);
-				    if (!match)
-					break;
-				    if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
-					match =
-					    ((ipfw_insn_u32 *)cmd)->d[0] == v;
-				    else
-					tablearg = v;
-				} else if (is_ipv6) {
-					uint32_t v = 0;
-					void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ?
-						&args->f_id.dst_ip6: &args->f_id.src_ip6;
-					match = ipfw_lookup_table_extended(chain,
-							cmd->arg1, pkey, &v,
-							IPFW_TABLE_CIDR);
-					if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
-						match = ((ipfw_insn_u32 *)cmd)->d[0] == v;
-					if (match)
-						tablearg = v;
-				}
+				rule_2_lookup(&match, cmd, cmdlen, is_ipv4, is_ipv6, ip, dst_ip, src_ip, dst_port, src_port, offset, proto, ucred_lookup, ucred_cache, chain);
 				break;
 
 			case O_IP_SRC_MASK:
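Review bot: The `rule_2_lookup(&match, ...)` call has no way to hand the table value back. The removed inline code ended with `tablearg = v`, but neither this call nor the helper signature in ip_rules.h carries a `tablearg` pointer, so later opcodes in the same firewall rule that consume tablearg would see a stale value. The call also passes `dst_ip` and `src_ip`, which the removed lines used as struct values (`dst_ip.s_addr`), while the helper declares `struct in_addr *dst_ip, struct in_addr *src_ip`; and `args` is not passed although the helper body hands it to `check_uidgid()`. I would add `struct ip_fw_args *args` and `uint32_t *tablearg` to the helper and call it with `&dst_ip, &src_ip, ..., args, &tablearg`. The removed block also used `break` to leave the case without a match; most of the helper body is outside this diff, so confirm those exits became `return`.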
@@ -1689,7 +1620,7 @@
 
 			case O_PROBE_STATE:
 			case O_CHECK_STATE:
-				rule_check_state(&match);
+				rule_check_state(&match, &dyn_dir, q, args, proto, ulp, pktlen, f, f_pos, chain, cmd, cmdlen, &l);
 				break;
 
 			case O_ACCEPT:
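Review bot: `f_pos` and `cmdlen` are passed as plain values here, but `rule_check_state` in ip_rules.h declares `int *f_pos` and `int *cmdlen`. `cmdlen` is compared as an integer in the lookup case earlier in this file (and `f_pos` is presumably an int as well), so the call should pass `&f_pos` and `&cmdlen`, in line with the `&match`, `&dyn_dir` and `&l` arguments. As written the helper would treat small integers as addresses when it updates the rule position after a dynamic-state hit, which in this packet path means a wild write rather than a clean failure. The case body continues outside the hunk.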
@@ -1725,17 +1656,7 @@
 				/* FALLTHROUGH */
 #ifdef INET6
 			case O_UNREACH6:
-				if (hlen > 0 && is_ipv6 &&
-				    ((offset & IP6F_OFF_MASK) == 0) &&
-				    (proto != IPPROTO_ICMPV6 ||
-				     (is_icmp6_query(icmp6_type) == 1)) &&
-				    !(m->m_flags & (M_BCAST|M_MCAST)) &&
-				    !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) {
-					send_reject6(
-					    args, cmd->arg1, hlen,
-					    (struct ip6_hdr *)ip);
-					m = args->m;
-				}
+				rule_unreach6(hlen, is_ipv4, offset, proto, icmp6_type, m, args, cmd, ip);
 				/* FALLTHROUGH */
 #endif
 			case O_DENY:
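Review bot: The second argument is `is_ipv4`, whereas the removed condition tested `is_ipv6`. If `rule_unreach6` keeps that test (its body is not part of this diff), the reject would be generated for the wrong address family, so pass `is_ipv6`. The removed block also refreshed the local mbuf pointer with `m = args->m;` after `send_reject6()`. With `m` passed by value the caller keeps the old pointer, and any later use of `m` after the fall-through into `O_DENY` works on a possibly stale mbuf. Either take `struct mbuf **m` in the helper or keep `m = args->m;` right after the call.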

Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h	Thu Jun 12 09:59:11 2014	(r269436)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h	Thu Jun 12 10:21:07 2014	(r269437)
@@ -42,7 +42,6 @@
 inline void
 rule_recv(int *match, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_chain *chain, uint32_t *tablearg)
 {
-	//XXX What about embedding this function into code?
 	*match = iface_match(m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, chain, tablearg);
 }
 
@@ -142,9 +141,8 @@
 }
 
 
-// XXX Finish this function.
 inline void
-rule_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, ucred_cache, struct ip_fw_chain *chain)
+rule_2_lookup(int *match, ipfw_insn *cmd, int cmdlen, int is_ipv4, int is_ipv6, struct ip *ip, struct in_addr *dst_ip, struct in_addr *src_ip, uint16_t dst_port, uint16_t src_port, u_short offset, uint8_t proto, int ucred_lookup, void *ucred_cache, struct ip_fw_chain *chain)
 {
 	if (is_ipv4) {
 	    uint32_t key =
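Review bot: `rule_2_lookup` and the other helpers in this header are declared `inline void` without `static`. Under C99 inline semantics that provides no external definition, so any call the compiler decides not to inline fails at link time, and under gnu89 semantics every file that includes the header emits a duplicate global symbol. `static inline void` avoids both. The same applies to `rule_recv`, `rule_check_state`, `rule_forward_ip`, `rule_forward_ip6` and `rule_setfib` in the neighbouring hunks. The function body continues past the end of this hunk.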
@@ -178,13 +176,13 @@
 			(ipfw_insn_u32 *)cmd,
 			args, &ucred_lookup,
 #ifdef __FreeBSD__
-			&ucred_cache);
+			(struct bsd_ucred *)ucred_cache);
 		    if (v == 4 /* O_UID */)
 			key = ucred_cache->cr_uid;
 		    else if (v == 5 /* O_JAIL */)
 			key = ucred_cache->cr_prison->pr_id;
 #else /* !__FreeBSD__ */
-			(void *)&ucred_cache);
+			ucred_cache);
 		    if (v ==4 /* O_UID */)
 			key = ucred_cache.uid;
 		    else if (v == 5 /* O_JAIL */)
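Review bot: `ucred_cache` is now a `void *` parameter, yet the unchanged lines still dereference it as `ucred_cache->cr_uid` and `ucred_cache.uid`, neither of which is valid on a `void *`. In the `__FreeBSD__` branch the cast names `struct bsd_ucred`, the type whose `.uid`/`.xid` members are used in the other branch, and it passes the pointer itself where the inline code passed `&ucred_cache`, so `check_uidgid()` receives one level of indirection less than before. `&ucred_lookup` now points at the helper's by-value copy, so the caller never learns that a credential lookup happened; if the caller releases the cached credential based on that state (not visible here), this path could leak it or repeat the lookup for every opcode. Typing the parameters per platform, for example `struct ucred **ucred_cache` on FreeBSD and `struct bsd_ucred *ucred_cache` elsewhere, plus `int *ucred_lookup`, keeps the uid/jail match reading the credential the caller owns. The enclosing function starts and ends outside this hunk.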
@@ -819,10 +817,8 @@
 	*match = 1;
 }
 
-/* XXX typeof dyn_dir? */
-/* XXX typeof q? */
 inline void
-rule_check_state(int *match, dyn_dir, q, struct ip_fw_args *args, uint8_t proto, void *ulp, int pktlen, struct ip_fw *f, int *f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, int *l)
+rule_check_state(int *match, int *dyn_dir, ipfw_dyn_rule *q, struct ip_fw_args *args, uint8_t proto, void *ulp, int pktlen, struct ip_fw *f, int *f_pos, struct ip_fw_chain *chain, ipfw_insn *cmd, int *cmdlen, int *l)
 {
 	/*
 	 * dynamic rules are checked at the first
@@ -833,9 +829,9 @@
 	 * KEEP_STATE (because PROBE_STATE needs
 	 * to be run first).
 	 */
-	if (dyn_dir == MATCH_UNKNOWN &&
+	if (*dyn_dir == MATCH_UNKNOWN &&
 	    (q = ipfw_lookup_dyn_rule(&args->f_id,
-	     &dyn_dir, proto == IPPROTO_TCP ?
+	     dyn_dir, proto == IPPROTO_TCP ?
 		TCP(ulp) : NULL))
 		!= NULL) {
 		/*
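Review bot: `q` is assigned from `ipfw_lookup_dyn_rule()` here, but the signature in the previous hunk takes `ipfw_dyn_rule *q` by value, so the dynamic rule found for O_CHECK_STATE never reaches the caller. `rule_forward_ip` and `rule_forward_ip6` are given the caller's `q`, so they would presumably see whatever it held before the state check. Take `ipfw_dyn_rule **q` and assign `*q = ipfw_lookup_dyn_rule(...)`. The same question applies to `struct ip_fw *f` if the body, which continues outside this hunk, switches to the matched rule.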
@@ -1080,9 +1076,8 @@
 	*done = 1;	/* exit outer loop */
 }
 
-/* XXX typeof q?? */
 inline void
-rule_forward_ip(struct ip_fw_args *args, q, int dyn_dir, ipfw_insn *cmd, struct sockaddr_in *sa, int *retval, int *l, int *done)
+rule_forward_ip(struct ip_fw_args *args, ipfw_dyn_rule *q, int dyn_dir, ipfw_insn *cmd, struct sockaddr_in *sa, int *retval, int *l, int *done)
 {
 	if (args->eh)	/* not valid on layer2 pkts */
 		return;
@@ -1107,7 +1102,7 @@
 
 #ifdef INET6
 inline void
-rule_forward_ip6(struct ip_fw_args *args, q, struct ip_fw *f, ipfw_insn *cmd, int *retval, int *l, int *done)
+rule_forward_ip6(struct ip_fw_args *args, ipfw_dyn_rule *q, struct ip_fw *f, ipfw_insn *cmd, int *retval, int *l, int *done)
 {
 	if (args->eh)	/* not valid on layer2 pkts */
 		return;
@@ -1137,9 +1132,8 @@
 	*done = 1;       /* exit outer loop */
 }
 
-/* XXX typeof rt_numfibs? */
 inline void
-rule_setfib(struct ip_fw *f, int pktlen, ipfw_insn *cmd, rt_numfibs, struct mbuf *m, struct ip_fw_args *args, int *l)
+rule_setfib(struct ip_fw *f, int pktlen, ipfw_insn *cmd, struct mbuf *m, struct ip_fw_args *args, int *l)
 {
 	uint32_t fib;
 

