Improve "reserved keywords" hack:

we can't easily predict (in current parsing model) if the keyword is ipfw(8) reserved keyword or port name. Checking proto database via getprotobyname() consumes a lot of CPU and leads to tens of seconds for parsing large ruleset. Use list of reserved keywords and check them as pre-requisite before doing getprotobyname(). Obtained from: Yandex LLC
svn path=/head/; revision=272607
2014-10-06 11:00:47 +00:00 · 2014-10-06 11:00:47 +00:00 · 9bb47e7068 · 2020-12-20 02:59:44 +00:00
commit 9bb47e7068
parent 88971a900d
1 changed files with 25 additions and 4 deletions
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@ -2904,13 +2904,34 @@ add_dstip(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
 	return cmd;
 }

+static struct _s_x f_reserved_keywords[] = {
+	{ "altq",	TOK_OR },
+	{ "//",		TOK_OR },
+	{ "diverted",	TOK_OR },
+	{ "dst-port",	TOK_OR },
+	{ "src-port",	TOK_OR },
+	{ "established",	TOK_OR },
+	{ "keep-state",	TOK_OR },
+	{ "frag",	TOK_OR },
+	{ "icmptypes",	TOK_OR },
+	{ "in",		TOK_OR },
+	{ "out",	TOK_OR },
+	{ "ip6",	TOK_OR },
+	{ "any",	TOK_OR },
+	{ "to",		TOK_OR },
+	{ "via",	TOK_OR },
+	{ "{",		TOK_OR },
+	{ NULL, 0 }	/* terminator */
+};
+
 static ipfw_insn *
 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode, int cblen)
 {
-	/* XXX "any" is trapped before. Perhaps "to" */
-	if (_substrcmp(av, "any") == 0) {
-		return NULL;
-	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto, cblen)) {
+
+	if (match_token(f_reserved_keywords, av) != -1)
+		return (NULL);
+
+	if (fill_newports((ipfw_insn_u16 *)cmd, av, proto, cblen)) {
 		/* XXX todo: check that we have a protocol with ports */
 		cmd->opcode = opcode;
 		return cmd;