diff --git a/sys/netinet/ipfw/ip_dummynet.c b/sys/netinet/ipfw/ip_dummynet.c index 285089682f00..6f8dc4d331b3 100644 --- a/sys/netinet/ipfw/ip_dummynet.c +++ b/sys/netinet/ipfw/ip_dummynet.c @@ -2364,3 +2364,4 @@ static moduledata_t dummynet_mod = { DECLARE_MODULE(dummynet, dummynet_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); MODULE_DEPEND(dummynet, ipfw, 2, 2, 2); MODULE_VERSION(dummynet, 1); +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index 207202dc7183..1b743ba01647 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -26,11 +26,8 @@ #include __FBSDID("$FreeBSD$"); -#define DEB(x) -#define DDB(x) x - /* - * Implement IP packet firewall (new version) + * The FreeBSD IP packet firewall, main file */ #if !defined(KLD_MODULE) @@ -101,21 +98,17 @@ __FBSDID("$FreeBSD$"); #include #endif +/* + * static variables followed by global ones. + * All ipfw global variables are here. + */ + +/* ipfw_vnet_ready controls when we are open for business */ static VNET_DEFINE(int, ipfw_vnet_ready) = 0; #define V_ipfw_vnet_ready VNET(ipfw_vnet_ready) -/* - * set_disable contains one bit per set value (0..31). - * If the bit is set, all rules with the corresponding set - * are disabled. Set RESVD_SET(31) is reserved for the default rule - * and rules that are not deleted by the flush command, - * and CANNOT be disabled. - * Rules in set RESVD_SET can only be deleted explicitly. - */ -VNET_DEFINE(u_int32_t, set_disable); -VNET_DEFINE(int, fw_verbose); -#define V_set_disable VNET(set_disable) -#define V_verbose_limit VNET(verbose_limit) +static VNET_DEFINE(int, fw_deny_unknown_exthdrs); +#define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs) #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT static int default_to_accept = 1; 
@@ -123,14 +116,30 @@ static int default_to_accept = 1; static int default_to_accept; #endif -struct ip_fw *ip_fw_default_rule; +VNET_DEFINE(int, autoinc_step); /* - * list of rules for layer 3 + * Each rule belongs to one of 32 different sets (0..31). + * The variable set_disable contains one bit per set. + * If the bit is set, all rules in the corresponding set + * are disabled. Set RESVD_SET(31) is reserved for the default rule + * and rules that are not deleted by the flush command, + * and CANNOT be disabled. + * Rules in set RESVD_SET can only be deleted individually. */ +VNET_DEFINE(u_int32_t, set_disable); +#define V_set_disable VNET(set_disable) + +VNET_DEFINE(int, fw_verbose); +//#define V_verbose_limit VNET(verbose_limit) +/* counter for ipfw_log(NULL...) */ +VNET_DEFINE(u_int64_t, norule_counter); +VNET_DEFINE(int, verbose_limit); + + +/* layer3_chain contains the list of rules for layer 3 */ VNET_DEFINE(struct ip_fw_chain, layer3_chain); -MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); ipfw_nat_t *ipfw_nat_ptr = NULL; struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; 
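Review bot: The added line `//#define V_verbose_limit VNET(verbose_limit)` is commented-out code left between live declarations, right above the new `VNET_DEFINE(int, verbose_limit);` it would accompany. Either the accessor is needed here, in which case it should be a real `#define V_verbose_limit VNET(verbose_limit)`, or it is provided elsewhere and the line should be deleted outright rather than parked behind `//`, which style(9) does not use in kernel sources. If it was dropped on purpose because another file now defines the accessor, a plain `/* V_verbose_limit is provided by the users of verbose_limit */` comment says so without leaving dead code behind.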
@@ -138,30 +147,16 @@ ipfw_nat_cfg_t *ipfw_nat_del_ptr; ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; -struct table_entry { - struct radix_node rn[2]; - struct sockaddr_in addr, mask; - u_int32_t value; -}; - -static VNET_DEFINE(int, autoinc_step); -#define V_autoinc_step VNET(autoinc_step) -static VNET_DEFINE(int, fw_deny_unknown_exthdrs); -#define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs) - extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, - ipfw_chg_hook, "I", "Enable ipfw"); -SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, - CTLFLAG_RW, &VNET_NAME(autoinc_step), 0, - "Rule number auto-increment step"); SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass, CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0, "Only do a single pass through ipfw when using dummynet(4)"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, + CTLFLAG_RW, &VNET_NAME(autoinc_step), 0, + "Rule number auto-increment step"); SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0, "Log matches to ipfw rules"); @@ -182,9 +177,6 @@ TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept); #ifdef INET6 SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0, - ipfw_chg_hook, "I", "Enable ipfw+6"); SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0, "Deny packets with unknown IPv6 Extension Headers"); 
@@ -194,6 +186,7 @@ SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, /* + * Some macros used in the various matching options. * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T * Other macros just cast void * into the appropriate type */ @@ -379,19 +372,20 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd) * * The 'verrevpath' option checks that the interface that an IP packet * arrives on is the same interface that traffic destined for the - * packet's source address would be routed out of. The 'versrcreach' - * option just checks that the source address is reachable via any route - * (except default) in the routing table. These two are a measure to block - * forged packets. This is also commonly known as "anti-spoofing" or Unicast - * Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs + * packet's source address would be routed out of. + * The 'versrcreach' option just checks that the source address is + * reachable via any route (except default) in the routing table. + * These two are a measure to block forged packets. This is also + * commonly known as "anti-spoofing" or Unicast Reverse Path + * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs * is purposely reminiscent of the Cisco IOS command, * * ip verify unicast reverse-path * ip verify unicast source reachable-via any * - * which implements the same functionality. But note that syntax is - * misleading. The check may be performed on all IP packets whether unicast, - * multicast, or broadcast. + * which implements the same functionality. But note that the syntax + * is misleading, and the check may be performed on all IP packets + * whether unicast, multicast, or broadcast. */ static int verify_path(struct in_addr src, struct ifnet *ifp, u_int fib) @@ -536,6 +530,7 @@ verify_path6(struct in6_addr *src, struct ifnet *ifp) return 1; } + static int is_icmp6_query(int icmp6_type) { 
@@ -562,7 +557,7 @@ send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6) if ((tcp->th_flags & TH_RST) == 0) { struct mbuf *m0; - m0 = send_pkt(args->m, &(args->f_id), + m0 = ipfw_send_pkt(args->m, &(args->f_id), ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); if (m0 != NULL) @@ -622,7 +617,7 @@ send_reject(struct ip_fw_args *args, int code, int ip_len, struct ip *ip) L3HDR(struct tcphdr, mtod(args->m, struct ip *)); if ( (tcp->th_flags & TH_RST) == 0) { struct mbuf *m; - m = send_pkt(args->m, &(args->f_id), + m = ipfw_send_pkt(args->m, &(args->f_id), ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); if (m != NULL) @@ -635,18 +630,18 @@ send_reject(struct ip_fw_args *args, int code, int ip_len, struct ip *ip) } /** - * * Given an ip_fw *, lookup_next_rule will return a pointer * to the next rule, which can be either the jump * target (for skipto instructions) or the next one in the list (in * all other cases including a missing jump target). * The result is also written in the "next_rule" field of the rule. - * Backward jumps are not allowed, so start looking from the next - * rule... + * Backward jumps are not allowed, so we start the search from the + * rule following the current one. * - * This never returns NULL -- in case we do not have an exact match, - * the next rule is returned. When the ruleset is changed, - * pointers are flushed so we are always correct. + * The function never returns NULL: if the requested rule is not + * present, it returns the next rule in the chain. + * As a side effect, the rule pointer is also set so next time + * the jump will not require a scan of the list. */ static struct ip_fw * 
@@ -676,12 +671,22 @@ lookup_next_rule(struct ip_fw *me, u_int32_t tablearg) } } } - if (rule == NULL) /* failure or not a skipto */ + if (rule == NULL) /* failure or not a skipto */ rule = me->next; me->next_rule = rule; return rule; } +/* + * Support for uid/gid/jail lookup. These tests are expensive + * (because we may need to look into the list of active sockets) + * so we cache the results. ugid_lookupp is 0 if we have not + * yet done a lookup, 1 if we succeeded, and -1 if we tried + * and failed. The function always returns the match value. + * We could actually spare the variable and use *uc, setting + * it to '(void *)check_uidgid if we have no info, NULL if + * we tried and failed, or any other value if successful. + */ static int check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip, @@ -740,10 +745,8 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, INP_INFO_RUNLOCK(pi); if (*ugid_lookupp == 0) { /* - * If the lookup did not yield any results, there - * is no sense in coming back and trying again. So - * we can set lookup to -1 and ensure that we wont - * bother the pcb system again. + * We tried and failed, set the variable to -1 + * so we will not try again on this packet. */ *ugid_lookupp = -1; return (0); 
@@ -768,10 +771,10 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, * * args->m (in/out) The packet; we set to NULL when/if we nuke it. * Starts with the IP header. - * args->eh (in) Mac header if present, or NULL for layer3 packet. + * args->eh (in) Mac header if present, NULL for layer3 packet. * args->L3offset Number of bytes bypassed if we came from L2. * e.g. often sizeof(eh) ** NOTYET ** - * args->oif Outgoing interface, or NULL if packet is incoming. + * args->oif Outgoing interface, NULL if packet is incoming. * The incoming interface is in the mbuf. (in) * args->divert_rule (in/out) * Skip up to the first rule past this rule number; @@ -797,7 +800,7 @@ ipfw_chk(struct ip_fw_args *args) { /* - * Local variables holding state during the processing of a packet: + * Local variables holding state while processing a packet: * * IMPORTANT NOTE: to speed up the processing of rules, there * are some assumption on the values of the variables, which @@ -932,15 +935,15 @@ ipfw_chk(struct ip_fw_args *args) * pointer might become stale after other pullups (but we never use it * this way). */ -#define PULLUP_TO(_len, p, T) \ -do { \ - int x = (_len) + sizeof(T); \ - if ((m)->m_len < x) { \ - args->m = m = m_pullup(m, x); \ - if (m == NULL) \ - goto pullup_failed; \ - } \ - p = (mtod(m, char *) + (_len)); \ +#define PULLUP_TO(_len, p, T) \ +do { \ + int x = (_len) + sizeof(T); \ + if ((m)->m_len < x) { \ + args->m = m = m_pullup(m, x); \ + if (m == NULL) \ + goto pullup_failed; \ + } \ + p = (mtod(m, char *) + (_len)); \ } while (0) /* @@ -1199,7 +1202,7 @@ do { \ if (f != NULL) f = f->next_rule; else - f = ip_fw_default_rule; + f = V_layer3_chain.default_rule; } else f = args->rule->next_rule; @@ -1905,7 +1908,7 @@ do { \ */ case O_LIMIT: case O_KEEP_STATE: - if (install_state(f, + if (ipfw_install_state(f, (ipfw_insn_limit *)cmd, args, tablearg)) { /* error or limit violation */ retval = IP_FW_DENY; 
@@ -1927,7 +1930,7 @@ do { \ * to be run first). */ if (dyn_dir == MATCH_UNKNOWN && - (q = lookup_dyn_rule(&args->f_id, + (q = ipfw_lookup_dyn_rule(&args->f_id, &dyn_dir, proto == IPPROTO_TCP ? TCP(ulp) : NULL)) != NULL) { @@ -2251,7 +2254,11 @@ do { \ return (IP_FW_DENY); } -/**************** +/* + * Module and VNET glue + */ + +/* * Stuff that must be initialised only on boot or module load */ static int @@ -2306,7 +2313,7 @@ ipfw_init(void) return (error); } -/********************** +/* * Called for the removal of the last instance only on module unload. */ static void @@ -2317,7 +2324,7 @@ ipfw_destroy(void) printf("IP firewall unloaded\n"); } -/**************** +/* * Stuff that must be initialized for every instance * (including the first of course). */ @@ -2345,7 +2352,6 @@ vnet_ipfw_init(const void *unused) V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ - V_fw_deny_unknown_exthdrs = 1; V_layer3_chain.rules = NULL; @@ -2368,7 +2374,7 @@ vnet_ipfw_init(const void *unused) return (error); } - ip_fw_default_rule = V_layer3_chain.rules; + V_layer3_chain.default_rule = V_layer3_chain.rules; ipfw_dyn_init(); @@ -2391,20 +2397,11 @@ vnet_ipfw_init(const void *unused) */ V_ip_fw_ctl_ptr = ipfw_ctl; V_ip_fw_chk_ptr = ipfw_chk; - if (V_fw_enable && ipfw_hook() != 0) { - error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ - printf("ipfw_hook() error\n"); - } -#ifdef INET6 - if (V_fw6_enable && ipfw6_hook() != 0) { - error = ENOENT; - printf("ipfw6_hook() error\n"); - } -#endif + error = ipfw_attach_hooks(); return (error); } -/*********************** +/* * Called for the removal of each instance. */ static int @@ -2514,4 +2511,4 @@ SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER, ipfw_destroy, NULL); VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER, vnet_ipfw_uninit, NULL); - +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_dynamic.c b/sys/netinet/ipfw/ip_fw_dynamic.c index 8982d662ede8..3d4b643f312e 100644 
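Review bot: Removing `V_fw_deny_unknown_exthdrs = 1;` from vnet_ipfw_init silently flips the default of net.inet6.ip6.fw.deny_unknown_exthdrs from deny to accept, because the variable is now defined in ip_fw2.c as `static VNET_DEFINE(int, fw_deny_unknown_exthdrs);` with no initializer and therefore starts at zero. Unless relaxing the default is intended, restore it at the definition, `static VNET_DEFINE(int, fw_deny_unknown_exthdrs) = 1;`, or keep the assignment in vnet_ipfw_init. If the change is deliberate, the sysctl description and the commit message should say so, since it changes which IPv6 packets the firewall lets through out of the box. vnet_ipfw_init begins and ends outside this hunk.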
--- a/sys/netinet/ipfw/ip_fw_dynamic.c +++ b/sys/netinet/ipfw/ip_fw_dynamic.c @@ -114,6 +114,10 @@ __FBSDID("$FreeBSD$"); * obey the 'randomized match', and we do not do multiple * passes through the firewall. XXX check the latter!!! */ + +/* + * Static variables followed by global ones + */ static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v); static VNET_DEFINE(u_int32_t, dyn_buckets); static VNET_DEFINE(u_int32_t, curr_dyn_buckets); @@ -374,7 +378,7 @@ remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me) } void -remove_dyn_children(struct ip_fw *rule) +ipfw_remove_dyn_children(struct ip_fw *rule) { IPFW_DYN_LOCK(); remove_dyn_rule(rule, NULL /* force removal */); @@ -382,9 +386,9 @@ remove_dyn_children(struct ip_fw *rule) } /** - * lookup a dynamic rule. + * lookup a dynamic rule, locked version */ -ipfw_dyn_rule * +static ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, struct tcphdr *tcp) { @@ -528,7 +532,7 @@ lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, } ipfw_dyn_rule * -lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction, +ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction, struct tcphdr *tcp) { ipfw_dyn_rule *q; @@ -699,7 +703,7 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule) * session limitations are enforced. */ int -install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, +ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg) { static int last_log; @@ -877,7 +881,7 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, * so that MAC can label the reply appropriately. */ struct mbuf * -send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, +ipfw_send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags) { struct mbuf *m; 
@@ -1065,9 +1069,9 @@ ipfw_tick(void * vnetx) if (TIME_LEQ(q->expire, time_uptime)) continue; /* too late, rule expired */ - m = send_pkt(NULL, &(q->id), q->ack_rev - 1, + m = ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN); - mnext = send_pkt(NULL, &(q->id), q->ack_fwd - 1, + mnext = ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1, q->ack_rev, 0); switch (q->id.addr_type) { @@ -1222,3 +1226,4 @@ ipfw_get_dynamic(char **pbp, const char *ep) bzero(&last->next, sizeof(last)); *pbp = bp; } +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_log.c b/sys/netinet/ipfw/ip_fw_log.c index dcb782dda5a7..5e566fd678dd 100644 --- a/sys/netinet/ipfw/ip_fw_log.c +++ b/sys/netinet/ipfw/ip_fw_log.c @@ -85,10 +85,6 @@ __FBSDID("$FreeBSD$"); #define ICMP(p) ((struct icmphdr *)(p)) #define ICMP6(p) ((struct icmp6_hdr *)(p)) -/* counter for ipfw_log(NULL...) */ -VNET_DEFINE(u_int64_t, norule_counter); -VNET_DEFINE(int, verbose_limit); - #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 #define SNP(buf) buf, sizeof(buf) @@ -369,3 +365,4 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, "ipfw: limit %d reached on entry %d\n", limit_reached, f ? f->rulenum : -1); } +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_nat.c b/sys/netinet/ipfw/ip_fw_nat.c index 4ed4327501a9..2cdfa5c479c2 100644 --- a/sys/netinet/ipfw/ip_fw_nat.c +++ b/sys/netinet/ipfw/ip_fw_nat.c @@ -671,3 +671,4 @@ DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1); MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2); MODULE_VERSION(ipfw_nat, 1); +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_pfil.c b/sys/netinet/ipfw/ip_fw_pfil.c index e99b45561de0..e1dcf16d5583 100644 --- a/sys/netinet/ipfw/ip_fw_pfil.c +++ b/sys/netinet/ipfw/ip_fw_pfil.c 
@@ -68,9 +68,12 @@ __FBSDID("$FreeBSD$"); #include -VNET_DEFINE(int, fw_enable) = 1; +static VNET_DEFINE(int, fw_enable) = 1; +#define V_fw_enable VNET(fw_enable) + #ifdef INET6 -VNET_DEFINE(int, fw6_enable) = 1; +static VNET_DEFINE(int, fw6_enable) = 1; +#define V_fw6_enable VNET(fw6_enable) #endif int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); @@ -86,6 +89,19 @@ static int ipfw_divert(struct mbuf **, int, int); #define DIV_DIR_IN 1 #define DIV_DIR_OUT 0 +#ifdef SYSCTL_NODE +SYSCTL_DECL(_net_inet_ip_fw); +SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, + ipfw_chg_hook, "I", "Enable ipfw"); +#ifdef INET6 +SYSCTL_DECL(_net_inet6_ip6_fw); +SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0, + ipfw_chg_hook, "I", "Enable ipfw+6"); +#endif /* INET6 */ +#endif /* SYSCTL_NODE */ + int ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, struct inpcb *inp) @@ -443,7 +459,7 @@ ipfw_divert(struct mbuf **m, int incoming, int tee) return 1; } -int +static int ipfw_hook(void) { struct pfil_head *pfh_inet; @@ -478,7 +494,7 @@ ipfw_unhook(void) } #ifdef INET6 -int +static int ipfw6_hook(void) { struct pfil_head *pfh_inet6; @@ -513,6 +529,24 @@ ipfw6_unhook(void) } #endif /* INET6 */ +int +ipfw_attach_hooks(void) +{ + int error = 0; + + if (V_fw_enable && ipfw_hook() != 0) { + error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ + printf("ipfw_hook() error\n"); + } +#ifdef INET6 + if (V_fw6_enable && ipfw6_hook() != 0) { + error = ENOENT; + printf("ipfw6_hook() error\n"); + } +#endif + return error; +} + int ipfw_chg_hook(SYSCTL_HANDLER_ARGS) { @@ -566,4 +600,4 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS) return (0); } - +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_private.h b/sys/netinet/ipfw/ip_fw_private.h index c2048c2e8dc4..8253d8dd5a97 100644 --- a/sys/netinet/ipfw/ip_fw_private.h 
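Review bot: In the new ipfw_attach_hooks, a failure of ipfw6_hook() after ipfw_hook() succeeded returns ENOENT while the IPv4 pfil hook stays registered, and vnet_ipfw_init appears to just propagate that error, so a half-attached instance can be left behind. This mirrors the inline code the commit moved here, so it is not a regression, but now that the logic has a function of its own this is the place to either call ipfw_unhook() on the IPv6 failure path or document that partial attachment is tolerated. The carried-over comment `/* see ip_fw_pfil.c::ipfw_hook() */` now refers to the file it sits in; `/* see ipfw_hook() */` is enough. Finally `return error;` should be `return (error);`, matching `return (0);` in ipfw_chg_hook below.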
+++ b/sys/netinet/ipfw/ip_fw_private.h @@ -99,12 +99,12 @@ MALLOC_DECLARE(M_IPFW); /* Firewall hooks */ -int ipfw_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); -int ipfw_check_out(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); +int ipfw_check_in(void *, struct mbuf **, struct ifnet *, + int, struct inpcb *inp); +int ipfw_check_out(void *, struct mbuf **, struct ifnet *, + int, struct inpcb *inp); - -int ipfw_hook(void); -int ipfw6_hook(void); +int ipfw_attach_hooks(void); int ipfw_unhook(void); int ipfw6_unhook(void); #ifdef NOTYET @@ -138,15 +138,13 @@ enum { /* result for matching dynamic rules */ void ipfw_dyn_unlock(void); struct tcphdr; -struct mbuf *send_pkt(struct mbuf *, struct ipfw_flow_id *, +struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, u_int32_t, u_int32_t, int); -int install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, +int ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg); -ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, - struct tcphdr *tcp); -ipfw_dyn_rule * lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction, - struct tcphdr *tcp); -void remove_dyn_children(struct ip_fw *rule); +ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, + int *match_direction, struct tcphdr *tcp); +void ipfw_remove_dyn_children(struct ip_fw *rule); void ipfw_get_dynamic(char **bp, const char *ep); void ipfw_dyn_attach(void); /* uma_zcreate .... */ 
@@ -157,25 +155,24 @@ int ipfw_dyn_len(void); /* common variables */ VNET_DECLARE(int, fw_one_pass); -VNET_DECLARE(int, fw_enable); -VNET_DECLARE(int, fw_verbose); -VNET_DECLARE(struct ip_fw_chain, layer3_chain); -VNET_DECLARE(u_int32_t, set_disable); - #define V_fw_one_pass VNET(fw_one_pass) -#define V_fw_enable VNET(fw_enable) -#define V_fw_verbose VNET(fw_enable) + +VNET_DECLARE(int, fw_verbose); +#define V_fw_verbose VNET(fw_verbose) + +VNET_DECLARE(struct ip_fw_chain, layer3_chain); #define V_layer3_chain VNET(layer3_chain) + +VNET_DECLARE(u_int32_t, set_disable); #define V_set_disable VNET(set_disable) -#ifdef INET6 -VNET_DECLARE(int, fw6_enable); -#define V_fw6_enable VNET(fw6_enable) -#endif +VNET_DECLARE(int, autoinc_step); +#define V_autoinc_step VNET(autoinc_step) struct ip_fw_chain { struct ip_fw *rules; /* list of rules */ struct ip_fw *reap; /* list of rules to reap */ + struct ip_fw *default_rule; LIST_HEAD(nat_list, cfg_nat) nat; /* list of nat entries */ struct radix_node_head *tables[IPFW_TABLES_MAX]; struct rwlock rwmtx; @@ -236,6 +233,5 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr; extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; - #endif /* _KERNEL */ #endif /* _IPFW2_PRIVATE_H */ diff --git a/sys/netinet/ipfw/ip_fw_sockopt.c b/sys/netinet/ipfw/ip_fw_sockopt.c index 5c8fc2f1623b..c64936dfa040 100644 --- a/sys/netinet/ipfw/ip_fw_sockopt.c +++ b/sys/netinet/ipfw/ip_fw_sockopt.c @@ -30,7 +30,8 @@ __FBSDID("$FreeBSD$"); #define DDB(x) x /* - * Sockopt support for ipfw + * Sockopt support for ipfw. The routines here implement + * the upper half of the ipfw code. */ #if !defined(KLD_MODULE) 
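Review bot: The new member `struct ip_fw *default_rule;` in struct ip_fw_chain is the only field in the struct without a trailing comment, while its neighbours (`rules`, `reap`, `nat`) each have one. From the ip_fw2.c hunks it is assigned once in vnet_ipfw_init from `V_layer3_chain.rules` and read in ipfw_chk when there is no matching rule, so `struct ip_fw *default_rule; /* default rule, set in vnet_ipfw_init() */` would keep the header self-describing.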
@@ -72,8 +73,11 @@ __FBSDID("$FreeBSD$"); #include #endif -static VNET_DEFINE(int, autoinc_step); -#define V_autoinc_step VNET(autoinc_step) +MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); + +/* + * static variables followed by global ones + */ static VNET_DEFINE(u_int32_t, static_count); /* # of static rules */ static VNET_DEFINE(u_int32_t, static_len); /* bytes of static rules */ @@ -210,7 +214,7 @@ remove_rule(struct ip_fw_chain *chain, struct ip_fw *rule, IPFW_WLOCK_ASSERT(chain); n = rule->next; - remove_dyn_children(rule); + ipfw_remove_dyn_children(rule); if (prev == NULL) chain->rules = n; else @@ -474,7 +478,7 @@ zero_entry(struct ip_fw_chain *chain, u_int32_t arg, int log_only) /* * Check validity of the structure before insert. - * Fortunately rules are simple, so this mostly need to check rule sizes. + * Rules are simple, so this mostly need to check rule sizes. */ static int check_ipfw_struct(struct ip_fw *rule, int size) @@ -821,7 +825,7 @@ ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space) } } IPFW_RUNLOCK(chain); - ipfw_get_dynamic(&bp, ep); + ipfw_get_dynamic(&bp, ep); /* protected by the dynamic lock */ return (bp - (char *)buf); } @@ -1094,3 +1098,4 @@ ipfw_ctl(struct sockopt *sopt) return (error); #undef RULE_MAXSIZE } +/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_table.c b/sys/netinet/ipfw/ip_fw_table.c index 694d712f46f0..e01a44538ddc 100644 --- a/sys/netinet/ipfw/ip_fw_table.c +++ b/sys/netinet/ipfw/ip_fw_table.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa + * Copyright (c) 2002 ......... * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
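Review bot: The copyright line of ip_fw_table.c is changed to `* Copyright (c) 2002 .........`, replacing the holder's name with a run of dots; that removes the attribution the BSD license text below requires to be retained and looks like a placeholder that slipped into the commit. Restore the original line, `* Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa`, or, if the new file genuinely has a different author, name that author explicitly. Every other hunk of this file is comment-only, so this is the one line in it that needs attention before merge.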
@@ -26,11 +26,14 @@ #include __FBSDID("$FreeBSD$"); -#define DEB(x) -#define DDB(x) x - /* - * Sockopt support for ipfw + * Lookup table support for ipfw + * + * Lookup tables are implemented (at the moment) using the radix + * tree used for routing tables. Tables store key-value entries, where + * keys are network prefixes (addr/masklen), and values are integers. + * As a degenerate case we can interpret keys as 32-bit integers + * (with a /32 mask). */ #if !defined(KLD_MODULE) @@ -259,3 +262,4 @@ ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl) rnh->rnh_walktree(rnh, dump_table_entry, tbl); return (0); } +/* end of file */