svn commit: r326086 - head/sys/netpfil/ipfw
Andrey V. Elsukov
ae at FreeBSD.org
Wed Nov 22 05:49:22 UTC 2017
Author: ae
Date: Wed Nov 22 05:49:21 2017
New Revision: 326086
URL: https://svnweb.freebsd.org/changeset/base/326086
Log:
Add ipfw_add_protected_rule() function that creates a rule numbered 65535
in the reserved set 31. Use this function to create the default rule.
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC
Modified:
head/sys/netpfil/ipfw/ip_fw2.c
head/sys/netpfil/ipfw/ip_fw_private.h
head/sys/netpfil/ipfw/ip_fw_sockopt.c
Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c Wed Nov 22 05:27:18 2017 (r326085)
+++ head/sys/netpfil/ipfw/ip_fw2.c Wed Nov 22 05:49:21 2017 (r326086)
@@ -2842,11 +2842,6 @@ vnet_ipfw_init(const void *unused)
ipfw_init_srv(chain);
ipfw_init_counters();
- /* insert the default rule and create the initial map */
- chain->n_rules = 1;
- chain->map = malloc(sizeof(struct ip_fw *), M_IPFW, M_WAITOK | M_ZERO);
- rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
-
/* Set initial number of tables */
V_fw_tables_max = default_fw_tables;
error = ipfw_init_tables(chain, first);
@@ -2857,19 +2852,16 @@ vnet_ipfw_init(const void *unused)
return (ENOSPC);
}
+ IPFW_LOCK_INIT(chain);
+
/* fill and insert the default rule */
- rule->act_ofs = 0;
- rule->rulenum = IPFW_DEFAULT_RULE;
+ rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
rule->cmd_len = 1;
- rule->set = RESVD_SET;
rule->cmd[0].len = 1;
rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;
- chain->default_rule = chain->map[0] = rule;
- chain->id = rule->id = 1;
- /* Pre-calculate rules length for legacy dump format */
- chain->static_len = sizeof(struct ip_fw_rule0);
+ chain->default_rule = rule;
+ ipfw_add_protected_rule(chain, rule, 0);
- IPFW_LOCK_INIT(chain);
ipfw_dyn_init(chain);
ipfw_eaction_init(chain, first);
#ifdef LINEAR_SKIPTO
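Review bot: The return value of `ipfw_add_protected_rule(chain, rule, 0)` is dropped on the new line after `chain->default_rule = rule;`, even though the function reports ENOMEM and this same routine already bails out with `return (ENOSPC);` a few lines above when table setup fails. If the map allocation ever failed here, the chain would be left with `default_rule` pointing at a rule that is in no map and `n_rules` still zero, which is exactly the state the rest of ipfw assumes cannot happen. Presumably with `locked == 0` get_map() allocates with M_WAITOK and cannot return NULL, so this is theoretical, but that deserves either a check — `error = ipfw_add_protected_rule(chain, rule, 0); if (error != 0) return (error);` with the rule released through whatever destructor matches ipfw_alloc_rule() — or a one-line comment stating why the result is safe to ignore. The body of vnet_ipfw_init() starts before and ends after this hunk, so the full cleanup path is not visible here.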
Modified: head/sys/netpfil/ipfw/ip_fw_private.h
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_private.h Wed Nov 22 05:27:18 2017 (r326085)
+++ head/sys/netpfil/ipfw/ip_fw_private.h Wed Nov 22 05:49:21 2017 (r326086)
@@ -625,6 +625,8 @@ void ipfw_destroy_skipto_cache(struct ip_fw_chain *cha
int ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id);
int ipfw_ctl3(struct sockopt *sopt);
int ipfw_chk(struct ip_fw_args *args);
+int ipfw_add_protected_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
+ int locked);
void ipfw_reap_add(struct ip_fw_chain *chain, struct ip_fw **head,
struct ip_fw *rule);
void ipfw_reap_rules(struct ip_fw *head);
Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Nov 22 05:27:18 2017 (r326085)
+++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Nov 22 05:49:21 2017 (r326086)
@@ -790,6 +790,30 @@ commit_rules(struct ip_fw_chain *chain, struct rule_ch
return (0);
}
+int
+ipfw_add_protected_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
+ int locked)
+{
+ struct ip_fw **map;
+
+ map = get_map(chain, 1, locked);
+ if (map == NULL)
+ return (ENOMEM);
+ if (chain->n_rules > 0)
+ bcopy(chain->map, map,
+ chain->n_rules * sizeof(struct ip_fw *));
+ map[chain->n_rules] = rule;
+ rule->rulenum = IPFW_DEFAULT_RULE;
+ rule->set = RESVD_SET;
+ rule->id = chain->id + 1;
+ /* We add rule in the end of chain, no need to update skipto cache */
+ map = swap_map(chain, map, chain->n_rules + 1);
+ chain->static_len += RULEUSIZE0(rule);
+ IPFW_UH_WUNLOCK(chain);
+ free(map, M_IPFW);
+ return (0);
+}
+
/*
* Adds @rule to the list of rules to reap
*/
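Review bot: The lock contract of ipfw_add_protected_rule() is asymmetric and undocumented: the success path always ends with `IPFW_UH_WUNLOCK(chain);` regardless of `locked`, while the `map == NULL` path returns ENOMEM without touching the lock, so a caller that passes `locked != 0` has its UH write lock released on success but (presumably, get_map() is not visible here) keeps it on failure. That is workable, since the only visible caller passes 0, but it is the kind of thing the next caller gets wrong, so the function should carry a header comment such as `/* Append @rule to the end of the chain as IPFW_DEFAULT_RULE in RESVD_SET. With @locked == 0 the UH write lock is taken here; on success it is always released. Returns ENOMEM if the new map cannot be allocated, leaving lock state untouched. */`. It would also help to note next to `rule->id = chain->id + 1;` that this relies on swap_map() incrementing chain->id, since the old explicit `chain->id = rule->id = 1` in vnet_ipfw_init() is gone and nothing in this function advances the chain id itself.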