svn commit: r200601 - head/sys/netinet/ipfw

Luigi Rizzo luigi at FreeBSD.org
Wed Dec 16 02:48:41 PST 2009


Author: luigi
Date: Wed Dec 16 10:48:40 2009
New Revision: 200601
URL: http://svn.freebsd.org/changeset/base/200601

Log:
  Various cosmetic cleanup of the files:
  - move global variables around to reduce the scope and make them
    static if possible;
  - add an ipfw_ prefix to all public functions to prevent conflicts
    (the same should be done for variables);
  - try to pack variable declarations in a uniform way across files;
  - clarify some comments;
  - remove some misspelling of names (#define V_foo VNET(bar)) that
    slipped in due to cut&paste
  - remove duplicate static variables in different files;
  
  MFC after:	1 month

Modified:
  head/sys/netinet/ipfw/ip_dummynet.c
  head/sys/netinet/ipfw/ip_fw2.c
  head/sys/netinet/ipfw/ip_fw_dynamic.c
  head/sys/netinet/ipfw/ip_fw_log.c
  head/sys/netinet/ipfw/ip_fw_nat.c
  head/sys/netinet/ipfw/ip_fw_pfil.c
  head/sys/netinet/ipfw/ip_fw_private.h
  head/sys/netinet/ipfw/ip_fw_sockopt.c
  head/sys/netinet/ipfw/ip_fw_table.c

Modified: head/sys/netinet/ipfw/ip_dummynet.c
==============================================================================
--- head/sys/netinet/ipfw/ip_dummynet.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_dummynet.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -2364,3 +2364,4 @@ static moduledata_t dummynet_mod = {
 DECLARE_MODULE(dummynet, dummynet_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
 MODULE_DEPEND(dummynet, ipfw, 2, 2, 2);
 MODULE_VERSION(dummynet, 1);
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw2.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw2.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -26,11 +26,8 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#define        DEB(x)
-#define        DDB(x) x
-
 /*
- * Implement IP packet firewall (new version)
+ * The FreeBSD IP packet firewall, main file
  */
 
 #if !defined(KLD_MODULE)
@@ -101,21 +98,17 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_framework.h>
 #endif
 
-static VNET_DEFINE(int, ipfw_vnet_ready) = 0;
-#define	V_ipfw_vnet_ready	VNET(ipfw_vnet_ready)
 /*
- * set_disable contains one bit per set value (0..31).
- * If the bit is set, all rules with the corresponding set
- * are disabled. Set RESVD_SET(31) is reserved for the default rule
- * and rules that are not deleted by the flush command,
- * and CANNOT be disabled.
- * Rules in set RESVD_SET can only be deleted explicitly.
+ * static variables followed by global ones.
+ * All ipfw global variables are here.
  */
-VNET_DEFINE(u_int32_t, set_disable);
-VNET_DEFINE(int, fw_verbose);
 
-#define	V_set_disable			VNET(set_disable)
-#define	V_verbose_limit			VNET(verbose_limit)
+/* ipfw_vnet_ready controls when we are open for business */
+static VNET_DEFINE(int, ipfw_vnet_ready) = 0;
+#define	V_ipfw_vnet_ready	VNET(ipfw_vnet_ready)
+
+static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
+#define	V_fw_deny_unknown_exthdrs	VNET(fw_deny_unknown_exthdrs)
 
 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
 static int default_to_accept = 1;
@@ -123,14 +116,30 @@ static int default_to_accept = 1;
 static int default_to_accept;
 #endif
 
-struct ip_fw *ip_fw_default_rule;
+VNET_DEFINE(int, autoinc_step);
 
 /*
- * list of rules for layer 3
+ * Each rule belongs to one of 32 different sets (0..31).
+ * The variable set_disable contains one bit per set.
+ * If the bit is set, all rules in the corresponding set
+ * are disabled. Set RESVD_SET(31) is reserved for the default rule
+ * and rules that are not deleted by the flush command,
+ * and CANNOT be disabled.
+ * Rules in set RESVD_SET can only be deleted individually.
  */
+VNET_DEFINE(u_int32_t, set_disable);
+#define	V_set_disable			VNET(set_disable)
+
+VNET_DEFINE(int, fw_verbose);
+//#define	V_verbose_limit			VNET(verbose_limit)
+/* counter for ipfw_log(NULL...) */
+VNET_DEFINE(u_int64_t, norule_counter);
+VNET_DEFINE(int, verbose_limit);
+
+
+/* layer3_chain contains the list of rules for layer 3 */
 VNET_DEFINE(struct ip_fw_chain, layer3_chain);
 
-MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 ipfw_nat_t *ipfw_nat_ptr = NULL;
 struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
 ipfw_nat_cfg_t *ipfw_nat_cfg_ptr;
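Review bot: The line `//#define	V_verbose_limit			VNET(verbose_limit)` leaves commented-out code behind, and does so with a `//` comment in a file that otherwise uses `/* */` blocks. If the macro is not needed in this file any more, delete the line rather than commenting it out. Since `norule_counter` and `verbose_limit` are now defined here but (per the ip_fw_log.c hunk) consumed elsewhere, their VNET_DECLARE and `V_` macros presumably belong in ip_fw_private.h next to the other common variables; I cannot see from this hunk whether they are already declared there.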
@@ -138,30 +147,16 @@ ipfw_nat_cfg_t *ipfw_nat_del_ptr;
 ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
 ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
 
-struct table_entry {
-	struct radix_node	rn[2];
-	struct sockaddr_in	addr, mask;
-	u_int32_t		value;
-};
-
-static VNET_DEFINE(int, autoinc_step);
-#define	V_autoinc_step			VNET(autoinc_step)
-static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
-#define	V_fw_deny_unknown_exthdrs	VNET(fw_deny_unknown_exthdrs)
-
 extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
 
 #ifdef SYSCTL_NODE
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
-    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
-    ipfw_chg_hook, "I", "Enable ipfw");
-SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step,
-    CTLFLAG_RW, &VNET_NAME(autoinc_step), 0,
-    "Rule number auto-increment step");
 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
     CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0,
     "Only do a single pass through ipfw when using dummynet(4)");
+SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step,
+    CTLFLAG_RW, &VNET_NAME(autoinc_step), 0,
+    "Rule number auto-increment step");
 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose,
     CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0,
     "Log matches to ipfw rules");
@@ -182,9 +177,6 @@ TUNABLE_INT("net.inet.ip.fw.default_to_a
 #ifdef INET6
 SYSCTL_DECL(_net_inet6_ip6);
 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
-    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
-    ipfw_chg_hook, "I", "Enable ipfw+6");
 SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs,
     CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0,
     "Deny packets with unknown IPv6 Extension Headers");
@@ -194,6 +186,7 @@ SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_A
 
 
 /*
+ * Some macros used in the various matching options.
  * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
  * Other macros just cast void * into the appropriate type
  */
@@ -379,19 +372,20 @@ iface_match(struct ifnet *ifp, ipfw_insn
  * 
  * The 'verrevpath' option checks that the interface that an IP packet
  * arrives on is the same interface that traffic destined for the
- * packet's source address would be routed out of.  The 'versrcreach'
- * option just checks that the source address is reachable via any route
- * (except default) in the routing table.  These two are a measure to block
- * forged packets.  This is also commonly known as "anti-spoofing" or Unicast
- * Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
+ * packet's source address would be routed out of.
+ * The 'versrcreach' option just checks that the source address is
+ * reachable via any route (except default) in the routing table.
+ * These two are a measure to block forged packets. This is also
+ * commonly known as "anti-spoofing" or Unicast Reverse Path
+ * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
  * is purposely reminiscent of the Cisco IOS command,
  *
  *   ip verify unicast reverse-path
  *   ip verify unicast source reachable-via any
  *
- * which implements the same functionality. But note that syntax is
- * misleading. The check may be performed on all IP packets whether unicast,
- * multicast, or broadcast.
+ * which implements the same functionality. But note that the syntax
+ * is misleading, and the check may be performed on all IP packets
+ * whether unicast, multicast, or broadcast.
  */
 static int
 verify_path(struct in_addr src, struct ifnet *ifp, u_int fib)
@@ -536,6 +530,7 @@ verify_path6(struct in6_addr *src, struc
 	return 1;
 
 }
+
 static int
 is_icmp6_query(int icmp6_type)
 {
@@ -562,7 +557,7 @@ send_reject6(struct ip_fw_args *args, in
 
 		if ((tcp->th_flags & TH_RST) == 0) {
 			struct mbuf *m0;
-			m0 = send_pkt(args->m, &(args->f_id),
+			m0 = ipfw_send_pkt(args->m, &(args->f_id),
 			    ntohl(tcp->th_seq), ntohl(tcp->th_ack),
 			    tcp->th_flags | TH_RST);
 			if (m0 != NULL)
@@ -622,7 +617,7 @@ send_reject(struct ip_fw_args *args, int
 		    L3HDR(struct tcphdr, mtod(args->m, struct ip *));
 		if ( (tcp->th_flags & TH_RST) == 0) {
 			struct mbuf *m;
-			m = send_pkt(args->m, &(args->f_id),
+			m = ipfw_send_pkt(args->m, &(args->f_id),
 				ntohl(tcp->th_seq), ntohl(tcp->th_ack),
 				tcp->th_flags | TH_RST);
 			if (m != NULL)
@@ -635,18 +630,18 @@ send_reject(struct ip_fw_args *args, int
 }
 
 /**
- *
  * Given an ip_fw *, lookup_next_rule will return a pointer
  * to the next rule, which can be either the jump
  * target (for skipto instructions) or the next one in the list (in
  * all other cases including a missing jump target).
  * The result is also written in the "next_rule" field of the rule.
- * Backward jumps are not allowed, so start looking from the next
- * rule...
+ * Backward jumps are not allowed, so we start the search from the
+ * rule following the current one.
  *
- * This never returns NULL -- in case we do not have an exact match,
- * the next rule is returned. When the ruleset is changed,
- * pointers are flushed so we are always correct.
+ * The function never returns NULL: if the requested rule is not
+ * present, it returns the next rule in the chain.
+ * As a side effect, the rule pointer is also set so next time
+ * the jump will not require a scan of the list.
  */
 
 static struct ip_fw *
@@ -676,12 +671,22 @@ lookup_next_rule(struct ip_fw *me, u_int
 			}
 		}
 	}
-	if (rule == NULL)			/* failure or not a skipto */
+	if (rule == NULL)	/* failure or not a skipto */
 		rule = me->next;
 	me->next_rule = rule;
 	return rule;
 }
 
+/*
+ * Support for uid/gid/jail lookup. These tests are expensive
+ * (because we may need to look into the list of active sockets)
+ * so we cache the results. ugid_lookupp is 0 if we have not
+ * yet done a lookup, 1 if we succeeded, and -1 if we tried
+ * and failed. The function always returns the match value.
+ * We could actually spare the variable and use *uc, setting
+ * it to '(void *)check_uidgid if we have no info, NULL if
+ * we tried and failed, or any other value if successful.
+ */
 static int
 check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
     struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip,
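Review bot: The new header comment on check_uidgid has a stray apostrophe in `it to '(void *)check_uidgid if we have no info`; it should read `it to (void *)check_uidgid if we have no info`. The comment otherwise documents the 0/1/-1 protocol of ugid_lookupp clearly. The body of check_uidgid continues past the end of this hunk.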
@@ -740,10 +745,8 @@ check_uidgid(ipfw_insn_u32 *insn, int pr
 		INP_INFO_RUNLOCK(pi);
 		if (*ugid_lookupp == 0) {
 			/*
-			 * If the lookup did not yield any results, there
-			 * is no sense in coming back and trying again. So
-			 * we can set lookup to -1 and ensure that we wont
-			 * bother the pcb system again.
+			 * We tried and failed, set the variable to -1
+			 * so we will not try again on this packet.
 			 */
 			*ugid_lookupp = -1;
 			return (0);
@@ -768,10 +771,10 @@ check_uidgid(ipfw_insn_u32 *insn, int pr
  *
  *	args->m	(in/out) The packet; we set to NULL when/if we nuke it.
  *		Starts with the IP header.
- *	args->eh (in)	Mac header if present, or NULL for layer3 packet.
+ *	args->eh (in)	Mac header if present, NULL for layer3 packet.
  *	args->L3offset	Number of bytes bypassed if we came from L2.
  *			e.g. often sizeof(eh)  ** NOTYET **
- *	args->oif	Outgoing interface, or NULL if packet is incoming.
+ *	args->oif	Outgoing interface, NULL if packet is incoming.
  *		The incoming interface is in the mbuf. (in)
  *	args->divert_rule (in/out)
  *		Skip up to the first rule past this rule number;
@@ -797,7 +800,7 @@ ipfw_chk(struct ip_fw_args *args)
 {
 
 	/*
-	 * Local variables holding state during the processing of a packet:
+	 * Local variables holding state while processing a packet:
 	 *
 	 * IMPORTANT NOTE: to speed up the processing of rules, there
 	 * are some assumption on the values of the variables, which
@@ -932,15 +935,15 @@ ipfw_chk(struct ip_fw_args *args)
  * pointer might become stale after other pullups (but we never use it
  * this way).
  */
-#define PULLUP_TO(_len, p, T)						\
-do {									\
-	int x = (_len) + sizeof(T);					\
-	if ((m)->m_len < x) {						\
-		args->m = m = m_pullup(m, x);				\
-		if (m == NULL)						\
-			goto pullup_failed;				\
-	}								\
-	p = (mtod(m, char *) + (_len));					\
+#define PULLUP_TO(_len, p, T)					\
+do {								\
+	int x = (_len) + sizeof(T);				\
+	if ((m)->m_len < x) {					\
+		args->m = m = m_pullup(m, x);			\
+		if (m == NULL)					\
+			goto pullup_failed;			\
+	}							\
+	p = (mtod(m, char *) + (_len));				\
 } while (0)
 
 	/*
@@ -1199,7 +1202,7 @@ do {									\
 			if (f != NULL)
 				f = f->next_rule;
 			else
-				f = ip_fw_default_rule;
+				f = V_layer3_chain.default_rule;
 		} else 
 			f = args->rule->next_rule;
 
@@ -1905,7 +1908,7 @@ do {									\
 			 */
 			case O_LIMIT:
 			case O_KEEP_STATE:
-				if (install_state(f,
+				if (ipfw_install_state(f,
 				    (ipfw_insn_limit *)cmd, args, tablearg)) {
 					/* error or limit violation */
 					retval = IP_FW_DENY;
@@ -1927,7 +1930,7 @@ do {									\
 				 * to be run first).
 				 */
 				if (dyn_dir == MATCH_UNKNOWN &&
-				    (q = lookup_dyn_rule(&args->f_id,
+				    (q = ipfw_lookup_dyn_rule(&args->f_id,
 				     &dyn_dir, proto == IPPROTO_TCP ?
 					TCP(ulp) : NULL))
 					!= NULL) {
@@ -2251,7 +2254,11 @@ pullup_failed:
 	return (IP_FW_DENY);
 }
 
-/****************
+/*
+ * Module and VNET glue
+ */
+
+/*
  * Stuff that must be initialised only on boot or module load
  */
 static int
@@ -2306,7 +2313,7 @@ ipfw_init(void)
 	return (error);
 }
 
-/**********************
+/*
  * Called for the removal of the last instance only on module unload.
  */
 static void
@@ -2317,7 +2324,7 @@ ipfw_destroy(void)
 	printf("IP firewall unloaded\n");
 }
 
-/****************
+/*
  * Stuff that must be initialized for every instance
  * (including the first of course).
  */
@@ -2345,7 +2352,6 @@ vnet_ipfw_init(const void *unused)
 
 	V_autoinc_step = 100;	/* bounded to 1..1000 in add_rule() */
 
-
 	V_fw_deny_unknown_exthdrs = 1;
 
 	V_layer3_chain.rules = NULL;
@@ -2368,7 +2374,7 @@ vnet_ipfw_init(const void *unused)
 		return (error);
 	}
 
-	ip_fw_default_rule = V_layer3_chain.rules;
+	V_layer3_chain.default_rule = V_layer3_chain.rules;
 
 	ipfw_dyn_init();
 
@@ -2391,20 +2397,11 @@ vnet_ipfw_init(const void *unused)
 	 */
 	V_ip_fw_ctl_ptr = ipfw_ctl;
 	V_ip_fw_chk_ptr = ipfw_chk;
-	if (V_fw_enable && ipfw_hook() != 0) {
-		error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
-		printf("ipfw_hook() error\n");
-	}
-#ifdef INET6
-	if (V_fw6_enable && ipfw6_hook() != 0) {
-		error = ENOENT;
-		printf("ipfw6_hook() error\n");
-	}
-#endif
+	error = ipfw_attach_hooks();
 	return (error);
 }
 
-/***********************
+/*
  * Called for the removal of each instance.
  */
 static int
@@ -2514,4 +2511,4 @@ SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIRE
 	    ipfw_destroy, NULL);
 VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER,
 	    vnet_ipfw_uninit, NULL);
-
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw_dynamic.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_dynamic.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_dynamic.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -114,6 +114,10 @@ __FBSDID("$FreeBSD$");
  * obey the 'randomized match', and we do not do multiple
  * passes through the firewall. XXX check the latter!!!
  */
+
+/*
+ * Static variables followed by global ones
+ */
 static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v);
 static VNET_DEFINE(u_int32_t, dyn_buckets);
 static VNET_DEFINE(u_int32_t, curr_dyn_buckets);
@@ -374,7 +378,7 @@ next:
 }
 
 void
-remove_dyn_children(struct ip_fw *rule)
+ipfw_remove_dyn_children(struct ip_fw *rule)
 {
 	IPFW_DYN_LOCK();
 	remove_dyn_rule(rule, NULL /* force removal */);
@@ -382,9 +386,9 @@ remove_dyn_children(struct ip_fw *rule)
 }
 
 /**
- * lookup a dynamic rule.
+ * lookup a dynamic rule, locked version
  */
-ipfw_dyn_rule *
+static ipfw_dyn_rule *
 lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
     struct tcphdr *tcp)
 {
@@ -528,7 +532,7 @@ done:
 }
 
 ipfw_dyn_rule *
-lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
+ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
     struct tcphdr *tcp)
 {
 	ipfw_dyn_rule *q;
@@ -699,7 +703,7 @@ lookup_dyn_parent(struct ipfw_flow_id *p
  * session limitations are enforced.
  */
 int
-install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
+ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
     struct ip_fw_args *args, uint32_t tablearg)
 {
 	static int last_log;
@@ -877,7 +881,7 @@ install_state(struct ip_fw *rule, ipfw_i
  * so that MAC can label the reply appropriately.
  */
 struct mbuf *
-send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
+ipfw_send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
     u_int32_t ack, int flags)
 {
 	struct mbuf *m;
@@ -1065,9 +1069,9 @@ ipfw_tick(void * vnetx) 
 			if (TIME_LEQ(q->expire, time_uptime))
 				continue;	/* too late, rule expired */
 
-			m = send_pkt(NULL, &(q->id), q->ack_rev - 1,
+			m = ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1,
 				q->ack_fwd, TH_SYN);
-			mnext = send_pkt(NULL, &(q->id), q->ack_fwd - 1,
+			mnext = ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1,
 				q->ack_rev, 0);
 
 			switch (q->id.addr_type) {
@@ -1222,3 +1226,4 @@ ipfw_get_dynamic(char **pbp, const char 
 		bzero(&last->next, sizeof(last));
 	*pbp = bp;
 }
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw_log.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_log.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_log.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -85,10 +85,6 @@ __FBSDID("$FreeBSD$");
 #define	ICMP(p)		((struct icmphdr *)(p))
 #define	ICMP6(p)	((struct icmp6_hdr *)(p))
 
-/* counter for ipfw_log(NULL...) */
-VNET_DEFINE(u_int64_t, norule_counter);
-VNET_DEFINE(int, verbose_limit);
-
 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
 #define SNP(buf) buf, sizeof(buf)
 
@@ -369,3 +365,4 @@ ipfw_log(struct ip_fw *f, u_int hlen, st
 		    "ipfw: limit %d reached on entry %d\n",
 		    limit_reached, f ? f->rulenum : -1);
 }
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw_nat.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_nat.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_nat.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -671,3 +671,4 @@ DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, S
 MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1);
 MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2);
 MODULE_VERSION(ipfw_nat, 1);
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_pfil.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_pfil.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -68,9 +68,12 @@ __FBSDID("$FreeBSD$");
 
 #include <machine/in_cksum.h>
 
-VNET_DEFINE(int, fw_enable) = 1;
+static VNET_DEFINE(int, fw_enable) = 1;
+#define V_fw_enable	VNET(fw_enable)
+
 #ifdef INET6
-VNET_DEFINE(int, fw6_enable) = 1;
+static VNET_DEFINE(int, fw6_enable) = 1;
+#define V_fw6_enable	VNET(fw6_enable)
 #endif
 
 int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
@@ -86,6 +89,19 @@ static int	ipfw_divert(struct mbuf **, i
 #define	DIV_DIR_IN	1
 #define	DIV_DIR_OUT	0
 
+#ifdef SYSCTL_NODE
+SYSCTL_DECL(_net_inet_ip_fw);
+SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
+    ipfw_chg_hook, "I", "Enable ipfw");
+#ifdef INET6
+SYSCTL_DECL(_net_inet6_ip6_fw);
+SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
+    ipfw_chg_hook, "I", "Enable ipfw+6");
+#endif /* INET6 */
+#endif /* SYSCTL_NODE */
+
 int
 ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
     struct inpcb *inp)
@@ -443,7 +459,7 @@ nodivert:
 	return 1;
 }
 
-int
+static int
 ipfw_hook(void)
 {
 	struct pfil_head *pfh_inet;
@@ -478,7 +494,7 @@ ipfw_unhook(void)
 }
 
 #ifdef INET6
-int
+static int
 ipfw6_hook(void)
 {
 	struct pfil_head *pfh_inet6;
@@ -514,6 +530,24 @@ ipfw6_unhook(void)
 #endif /* INET6 */
 
 int
+ipfw_attach_hooks(void)
+{
+	int error = 0;
+
+        if (V_fw_enable && ipfw_hook() != 0) {
+                error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
+                printf("ipfw_hook() error\n");
+        }
+#ifdef INET6
+        if (V_fw6_enable && ipfw6_hook() != 0) {
+                error = ENOENT;
+                printf("ipfw6_hook() error\n");
+        }
+#endif
+	return error;
+}
+
+int
 ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
 {
 	int enable;
@@ -566,4 +600,4 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
 
 	return (0);
 }
-
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw_private.h
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_private.h	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_private.h	Wed Dec 16 10:48:40 2009	(r200601)
@@ -99,12 +99,12 @@ MALLOC_DECLARE(M_IPFW);
 
 /* Firewall hooks */
 
-int ipfw_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp);
-int ipfw_check_out(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp);
+int ipfw_check_in(void *, struct mbuf **, struct ifnet *,
+	int, struct inpcb *inp);
+int ipfw_check_out(void *, struct mbuf **, struct ifnet *,
+	int, struct inpcb *inp);
 
-
-int ipfw_hook(void);
-int ipfw6_hook(void);
+int ipfw_attach_hooks(void);
 int ipfw_unhook(void);
 int ipfw6_unhook(void);
 #ifdef NOTYET
@@ -138,15 +138,13 @@ enum { /* result for matching dynamic ru
 void ipfw_dyn_unlock(void);
 
 struct tcphdr;
-struct mbuf *send_pkt(struct mbuf *, struct ipfw_flow_id *,
+struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *,
     u_int32_t, u_int32_t, int);
-int install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
+int ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
     struct ip_fw_args *args, uint32_t tablearg);
-ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
-    struct tcphdr *tcp);
-ipfw_dyn_rule * lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
-    struct tcphdr *tcp);
-void remove_dyn_children(struct ip_fw *rule);
+ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt,
+	int *match_direction, struct tcphdr *tcp);
+void ipfw_remove_dyn_children(struct ip_fw *rule);
 void ipfw_get_dynamic(char **bp, const char *ep);
 
 void ipfw_dyn_attach(void);	/* uma_zcreate .... */
@@ -157,25 +155,24 @@ int ipfw_dyn_len(void);
 
 /* common variables */
 VNET_DECLARE(int, fw_one_pass);
-VNET_DECLARE(int, fw_enable);
+#define	V_fw_one_pass		VNET(fw_one_pass)
+
 VNET_DECLARE(int, fw_verbose);
-VNET_DECLARE(struct ip_fw_chain, layer3_chain);
-VNET_DECLARE(u_int32_t, set_disable);
+#define	V_fw_verbose		VNET(fw_verbose)
 
-#define	V_fw_one_pass		VNET(fw_one_pass)
-#define	V_fw_enable		VNET(fw_enable)
-#define	V_fw_verbose		VNET(fw_enable)
+VNET_DECLARE(struct ip_fw_chain, layer3_chain);
 #define	V_layer3_chain		VNET(layer3_chain)
+
+VNET_DECLARE(u_int32_t, set_disable);
 #define	V_set_disable		VNET(set_disable)
 
-#ifdef INET6
-VNET_DECLARE(int, fw6_enable);
-#define	V_fw6_enable		VNET(fw6_enable)
-#endif
+VNET_DECLARE(int, autoinc_step);
+#define V_autoinc_step		VNET(autoinc_step)
 
 struct ip_fw_chain {
 	struct ip_fw	*rules;		/* list of rules */
 	struct ip_fw	*reap;		/* list of rules to reap */
+	struct ip_fw	*default_rule;
 	LIST_HEAD(nat_list, cfg_nat) nat;       /* list of nat entries */
 	struct radix_node_head *tables[IPFW_TABLES_MAX];
 	struct rwlock	rwmtx;
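Review bot: The new field `struct ip_fw	*default_rule;` in struct ip_fw_chain is the only member without a trailing comment while its neighbours document their role; suggest `struct ip_fw	*default_rule;	/* default rule, set by vnet_ipfw_init() */`, which matches the assignment made in the ip_fw2.c hunk. In the same hunk `#define V_autoinc_step		VNET(autoinc_step)` uses a space after `#define` where every neighbouring macro uses a tab; make it `#define	V_autoinc_step		VNET(autoinc_step)` for consistency.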
@@ -236,6 +233,5 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr;
 extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
 extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
 
-
 #endif /* _KERNEL */
 #endif /* _IPFW2_PRIVATE_H */

Modified: head/sys/netinet/ipfw/ip_fw_sockopt.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_sockopt.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_sockopt.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -30,7 +30,8 @@ __FBSDID("$FreeBSD$");
 #define        DDB(x) x
 
 /*
- * Sockopt support for ipfw
+ * Sockopt support for ipfw. The routines here implement
+ * the upper half of the ipfw code.
  */
 
 #if !defined(KLD_MODULE)
@@ -72,8 +73,11 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_framework.h>
 #endif
 
-static VNET_DEFINE(int, autoinc_step);
-#define	V_autoinc_step			VNET(autoinc_step)
+MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
+
+/*
+ * static variables followed by global ones
+ */
 
 static VNET_DEFINE(u_int32_t, static_count);	/* # of static rules */
 static VNET_DEFINE(u_int32_t, static_len);	/* bytes of static rules */
@@ -210,7 +214,7 @@ remove_rule(struct ip_fw_chain *chain, s
 	IPFW_WLOCK_ASSERT(chain);
 
 	n = rule->next;
-	remove_dyn_children(rule);
+	ipfw_remove_dyn_children(rule);
 	if (prev == NULL)
 		chain->rules = n;
 	else
@@ -474,7 +478,7 @@ zero_entry(struct ip_fw_chain *chain, u_
 
 /*
  * Check validity of the structure before insert.
- * Fortunately rules are simple, so this mostly need to check rule sizes.
+ * Rules are simple, so this mostly need to check rule sizes.
  */
 static int
 check_ipfw_struct(struct ip_fw *rule, int size)
@@ -821,7 +825,7 @@ ipfw_getrules(struct ip_fw_chain *chain,
 		}
 	}
 	IPFW_RUNLOCK(chain);
-	ipfw_get_dynamic(&bp, ep);
+	ipfw_get_dynamic(&bp, ep); /* protected by the dynamic lock */
 	return (bp - (char *)buf);
 }
 
@@ -1094,3 +1098,4 @@ ipfw_ctl(struct sockopt *sopt)
 	return (error);
 #undef RULE_MAXSIZE
 }
+/* end of file */

Modified: head/sys/netinet/ipfw/ip_fw_table.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_table.c	Wed Dec 16 04:19:23 2009	(r200600)
+++ head/sys/netinet/ipfw/ip_fw_table.c	Wed Dec 16 10:48:40 2009	(r200601)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
+ * Copyright (c) 2002 .........
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
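Review bot: The copyright holder in the license header is replaced by a placeholder, `Copyright (c) 2002 .........`, so the BSD license text no longer names who holds the copyright. A placeholder of this kind should not be committed; restore the previous holder line or put in the intended attribution before this lands. If the change was deliberate, the log message should say so, since it currently describes only cosmetic cleanup.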
@@ -26,11 +26,14 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#define        DEB(x)
-#define        DDB(x) x
-
 /*
- * Sockopt support for ipfw
+ * Lookup table support for ipfw
+ *
+ * Lookup tables are implemented (at the moment) using the radix
+ * tree used for routing tables. Tables store key-value entries, where
+ * keys are network prefixes (addr/masklen), and values are integers.
+ * As a degenerate case we can interpret keys as 32-bit integers
+ * (with a /32 mask).
  */
 
 #if !defined(KLD_MODULE)
@@ -259,3 +262,4 @@ ipfw_dump_table(struct ip_fw_chain *ch, 
 	rnh->rnh_walktree(rnh, dump_table_entry, tbl);
 	return (0);
 }
+/* end of file */

