svn commit: r272607 - head/sbin/ipfw

Alexander V. Chernikov melifaro at FreeBSD.org
Mon Oct 6 11:00:48 UTC 2014


Author: melifaro
Date: Mon Oct  6 11:00:47 2014
New Revision: 272607
URL: https://svnweb.freebsd.org/changeset/base/272607

Log:
  Improve "reserved keywords" hack:
  
  we can't easily predict (in the current parsing model)
  whether the keyword is an ipfw(8) reserved keyword or a port name.
  Checking the proto database via getprotobyname() consumes a lot of
  CPU and leads to tens of seconds when parsing a large ruleset.
  Use a list of reserved keywords and check it as a prerequisite
  before doing getprotobyname().
  
  Obtained from:	Yandex LLC

Modified:
  head/sbin/ipfw/ipfw2.c

Modified: head/sbin/ipfw/ipfw2.c
==============================================================================
--- head/sbin/ipfw/ipfw2.c	Mon Oct  6 10:58:54 2014	(r272606)
+++ head/sbin/ipfw/ipfw2.c	Mon Oct  6 11:00:47 2014	(r272607)
@@ -2904,13 +2904,34 @@ add_dstip(ipfw_insn *cmd, char *av, int 
 	return cmd;
 }
 
+static struct _s_x f_reserved_keywords[] = {
+	{ "altq",	TOK_OR },
+	{ "//",		TOK_OR },
+	{ "diverted",	TOK_OR },
+	{ "dst-port",	TOK_OR },
+	{ "src-port",	TOK_OR },
+	{ "established",	TOK_OR },
+	{ "keep-state",	TOK_OR },
+	{ "frag",	TOK_OR },
+	{ "icmptypes",	TOK_OR },
+	{ "in",		TOK_OR },
+	{ "out",	TOK_OR },
+	{ "ip6",	TOK_OR },
+	{ "any",	TOK_OR },
+	{ "to",		TOK_OR },
+	{ "via",	TOK_OR },
+	{ "{",		TOK_OR },
+	{ NULL, 0 }	/* terminator */
+};
+
 static ipfw_insn *
 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode, int cblen)
 {
-	/* XXX "any" is trapped before. Perhaps "to" */
-	if (_substrcmp(av, "any") == 0) {
-		return NULL;
-	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto, cblen)) {
+
+	if (match_token(f_reserved_keywords, av) != -1)
+		return (NULL);
+
+	if (fill_newports((ipfw_insn_u16 *)cmd, av, proto, cblen)) {
 		/* XXX todo: check that we have a protocol with ports */
 		cmd->opcode = opcode;
 		return cmd;
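Review bot: `f_reserved_keywords` stores `TOK_OR` in every entry although `add_ports()` only tests `match_token(...) != -1`, so the value is a placeholder and the table is really a hand-maintained list of words that must never be tried as port names; nothing in the hunk says so. A comment above the table such as `/* Words that must not be resolved as port names; the token value is unused. Keep in sync with the rule option keywords. */` would make that explicit, because a keyword missing from the list still falls through to `fill_newports()` and, presumably, the name lookup, where a same-named database entry would turn an intended option into a port match and change what the rule filters. The removed check used `_substrcmp(av, "any")`; if `match_token()` compares whole strings (its body is not in the hunk), abbreviated spellings of `any` that were stopped here before now reach `fill_newports()`, which is worth confirming. The body of `add_ports()` continues past the end of the hunk.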

