/*-
 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: projects/ipfw/sys/netpfil/ipfw/ip_fw_private.h 267467 2014-06-14 10:58:39Z melifaro $
 */
#ifndef _IPFW2_TABLE_H
#define _IPFW2_TABLE_H
/*
 * Internal constants and data structures used by ipfw tables,
 * not meant to be exported outside the kernel.
 */
#ifdef _KERNEL
struct table_algo;	/* forward declaration; the full definition follows later in this header */
/*
 * Per-chain state of the table subsystem, reached through
 * CHAIN_TO_TCFG(chain): the algorithm registry, the per-type default
 * algorithms, and the named-object hashes for tables and values.
 */
struct tables_config {
	struct namedobj_instance *namehash;	/* named-object hash of tables (presumably keyed by table name — confirm) */
	struct namedobj_instance *valhash;	/* named-object hash of table values — confirm against callers */
	uint32_t val_size;		/* NOTE(review): the commit history describes a shared value array; presumably its size — confirm */
	uint32_t algo_count;		/* presumably number of algo[] slots in use */
	struct table_algo *algo[256];	/* algorithm registry, fixed at 256 slots; anything that indexes it by an idx must bound-check first */
	struct table_algo *def_algo[IPFW_TABLE_MAXTYPE + 1];	/* default algorithm per table type (see TA_FLAG_DEFAULT) */
	TAILQ_HEAD(op_state_l,op_state) state_list;	/* pending operation states; presumably used by the modify/rollback notifier described in the commit history — confirm */
};
/* The chain stores its table config untyped (presumably void *); cast it back. */
#define	CHAIN_TO_TCFG(chain)	((struct tables_config *)(chain)->tblcfg)
/*
 * Per-table runtime state.  Every algorithm callback declared below
 * receives it as "struct table_info *ti"; the lookup member is what the
 * packet path calls.  Which callback populates state/xstate/data is
 * not visible here — presumably ta_init and ta_change_ti; confirm.
 */
struct table_info {
	table_lookup_t *lookup;	/* Lookup function */
	void *state;		/* Lookup radix/other structure */
	void *xstate;		/* eXtended state */
	u_long data;		/* Hints for given func */
};
/* Internal structures for handling sockopt data */
/*
 * Table identifier as carried in a sockopt request: which table
 * (set + index), its declared type, and the trailing TLV block with
 * additional parameters.  Because this describes user-supplied data,
 * the parser must validate tlen (it is signed) and that the TLVs fit
 * before walking tlvs — confirm the sockopt handler does so.
 */
struct tid_info {
	uint32_t set;		/* table set */
	uint16_t uidx;		/* table index */
	uint8_t type;		/* table type */
	uint8_t atype;		/* NOTE(review): undocumented in the original; confirm meaning */
	void *tlvs;		/* Pointer to first TLV */
	int tlen;		/* Total TLV size block */
};
struct table_value;	/* forward declaration; not defined in this part of the header */
/*
 * One table entry as exchanged between the table core and the
 * algorithm callbacks (the "struct tentry_info *tei" argument below):
 * the key (paddr/masklen/subtype), the value, and the TEI_FLAGS_*
 * request/result bits.
 */
struct tentry_info {
	void *paddr;		/* key data; presumably an address for addr tables, other key kinds per table type — confirm */
	struct table_value *pvalue;	/* resolved value record, if any — confirm who sets it */
	void *ptv;		/* Temporary field to hold obj */
	uint8_t masklen;	/* mask length */
	uint8_t subtype;	/* NOTE(review): undocumented; presumably refines the key kind in paddr — confirm */
	uint16_t flags;		/* record flags: TEI_FLAGS_* bits (all ten defined bits fit in 16) */
	uint32_t value;		/* value index */
};
/*
 * Bits for struct tentry_info.flags.  Judging by the comments, UPDATE,
 * COMPAT and DONTADD are set by the requester, while the remaining bits
 * are reported back to describe what happened to the entry.
 */
#define	TEI_FLAGS_UPDATE	0x0001	/* Add or update rec if exists */
#define	TEI_FLAGS_UPDATED	0x0002	/* Entry has been updated */
#define	TEI_FLAGS_COMPAT	0x0004	/* Called from old ABI */
#define	TEI_FLAGS_DONTADD	0x0008	/* Do not create new rec */
#define	TEI_FLAGS_ADDED		0x0010	/* Entry was added */
#define	TEI_FLAGS_DELETED	0x0020	/* Entry was deleted */
#define	TEI_FLAGS_LIMIT		0x0040	/* Limit was hit */
#define	TEI_FLAGS_ERROR		0x0080	/* Unknown request error */
#define	TEI_FLAGS_NOTFOUND	0x0100	/* Entry was not found */
#define	TEI_FLAGS_EXISTS	0x0200	/* Entry already exists */
/*
 * Algorithm callback signatures.  A table algorithm fills a
 * struct table_algo (below) with functions of these types; the core
 * hands each one the per-table "struct table_info *ti" and, for entry
 * operations, a "struct tentry_info *tei" describing the key and value.
 *
 * ta_init: create the algorithm instance for one table and return it
 * through *ta_state.  @data is the algorithm option string (the commit
 * history on this page says options are passed as text, so treat it as
 * user-supplied and parse it with bounds); @tflags carries the per-type
 * table flags.  The int result is presumably 0 on success and an errno
 * value otherwise — confirm against an existing algorithm.
 */
typedef int ta_init(struct ip_fw_chain *ch, void **ta_state,
    struct table_info *ti, char *data, uint8_t tflags);

/* ta_destroy: tear down the instance created by ta_init. */
typedef void ta_destroy(void *ta_state, struct table_info *ti);

/*
 * ta_prepare_add / ta_prepare_del: per-entry preparation before the
 * matching ta_add / ta_del.  @ta_buf is an algorithm scratch area
 * (presumably ta_buf_size bytes, see struct table_algo) so that
 * allocation and validation can happen here and only the insertion
 * itself runs under the lock — confirm the locking contract in the caller.
 */
typedef int ta_prepare_add(struct ip_fw_chain *ch, struct tentry_info *tei,
    void *ta_buf);
typedef int ta_prepare_del(struct ip_fw_chain *ch, struct tentry_info *tei,
    void *ta_buf);

/*
 * ta_add / ta_del: insert or remove the entry described by @tei using
 * what ta_prepare_* left in @ta_buf.  @pnum is an output counter,
 * presumably the number of entries actually added or deleted — confirm.
 * The outcome is presumably also reported in tei->flags (TEI_FLAGS_*).
 */
typedef int ta_add(void *ta_state, struct table_info *ti,
    struct tentry_info *tei, void *ta_buf, uint32_t *pnum);
typedef int ta_del(void *ta_state, struct table_info *ti,
    struct tentry_info *tei, void *ta_buf, uint32_t *pnum);

/*
 * ta_flush_entry: release whatever ta_prepare_add / ta_prepare_del left
 * in @ta_buf once the operation has completed or been abandoned.
 */
typedef void ta_flush_entry(struct ip_fw_chain *ch, struct tentry_info *tei,
    void *ta_buf);
/*
 * Table resize / modification protocol.  The commit history on this
 * page describes it as: ask the algorithm whether its structure must
 * change, prepare the replacement with the lock dropped, and swap it in
 * after re-acquiring the lock, rolling back and restarting if the table
 * changed meanwhile.  The staging below is inferred from the names and
 * the @pflags word threaded through every stage — confirm against the
 * table core before relying on it.
 *
 * ta_need_modify: report whether @count entries can be accommodated and
 *   fill *pflags with algorithm-private hints for the later stages.
 * ta_prepare_mod: build the replacement structure into @ta_buf.
 * ta_fill_mod: populate the replacement from the live state.
 * ta_modify: switch the table to the replacement (the commit history
 *   calls this an atomic swap); receives the flags by value.
 * ta_flush_mod: free whatever remains in @ta_buf afterwards.
 */
typedef int ta_need_modify(void *ta_state, struct table_info *ti,
    uint32_t count, uint64_t *pflags);
typedef int ta_prepare_mod(void *ta_buf, uint64_t *pflags);
typedef int ta_fill_mod(void *ta_state, struct table_info *ti,
    void *ta_buf, uint64_t *pflags);
typedef void ta_modify(void *ta_state, struct table_info *ti,
    void *ta_buf, uint64_t pflags);
typedef void ta_flush_mod(void *ta_buf);

/*
 * ta_change_ti: tell the algorithm that the table_info it holds has been
 * replaced, so any cached pointers must be refreshed — inferred from the
 * name; confirm.
 */
typedef void ta_change_ti(void *ta_state, struct table_info *ti);

/*
 * ta_print_config: render the algorithm configuration as text into
 * @buf.  Implementations must stay within @bufsize and NUL-terminate
 * (snprintf-style); the result is presumably the "algorithm:" line of
 * "table info".
 */
typedef void ta_print_config(void *ta_state, struct table_info *ti, char *buf,
    size_t bufsize);
/*
 * Iteration: ta_foreach walks every entry of the instance and calls @f
 * with the internal node and the caller's @arg.  Whether a non-zero
 * return from @f stops the walk is not visible here — confirm.
 */
typedef int ta_foreach_f(void *node, void *arg);
typedef void ta_foreach(void *ta_state, struct table_info *ti, ta_foreach_f *f,
    void *arg);

/*
 * ta_dump_tentry: export one internal entry @e (presumably the same node
 * a ta_foreach_f callback sees) into the userland-visible ipfw_obj_tentry.
 */
typedef int ta_dump_tentry(void *ta_state, struct table_info *ti, void *e,
    ipfw_obj_tentry *tent);

/*
 * ta_find_tentry: look up the key described in @tent and complete the
 * record; the commit history says the tentry is handed straight to the
 * algorithm to simplify ipfw_find_table_entry().
 */
typedef int ta_find_tentry(void *ta_state, struct table_info *ti,
    ipfw_obj_tentry *tent);

/*
 * ta_dump_tinfo: fill the per-algorithm statistics block (ipfw_ta_tinfo),
 * presumably what "table detail" prints as the algorithm info lines.
 */
typedef void ta_dump_tinfo(void *ta_state, struct table_info *ti,
    ipfw_ta_tinfo *tinfo);

/*
 * ta_get_count: current number of entries for algorithms that keep their
 * own counter (presumably advertised with TA_FLAG_EXTCOUNTER — confirm).
 */
typedef uint32_t ta_get_count(void *ta_state, struct table_info *ti);
/*
 * Descriptor of a table algorithm as registered with
 * ipfw_add_table_algo().  The ta_* members form the callback table the
 * core invokes; each signature is documented at its typedef above.
 * Whether any callback may be left NULL is not visible here — confirm
 * before adding a new algorithm.
 */
struct table_algo {
	char name[16];		/* algorithm name, presumably NUL-terminated; 16 bytes including the terminator, so registration must bound-copy */
	uint32_t idx;		/* slot in tables_config.algo[] — presumably assigned by ipfw_add_table_algo(); confirm */
	uint32_t type;		/* table type served; presumably the index into tables_config.def_algo[] — confirm */
	uint32_t refcnt;	/* presumably number of tables using this algorithm */
	uint32_t flags;		/* TA_FLAG_* bits (defined below) */
	uint32_t vlimit;	/* NOTE(review): undocumented in the original; confirm semantics (value limit?) */
	size_t ta_buf_size;	/* size of the scratch buffer passed as ta_buf to the callbacks — presumably; confirm */
	ta_init *init;			/* instance creation */
	ta_destroy *destroy;		/* instance teardown */
	ta_prepare_add *prepare_add;	/* entry operations: prepare, apply, release */
	ta_prepare_del *prepare_del;
	ta_add *add;
	ta_del *del;
	ta_flush_entry *flush_entry;
	ta_find_tentry *find_tentry;	/* single-entry lookup for userland requests */
	ta_need_modify *need_modify;	/* resize / modification protocol */
	ta_prepare_mod *prepare_mod;
	ta_fill_mod *fill_mod;
	ta_modify *modify;
	ta_flush_mod *flush_mod;
	ta_change_ti *change_ti;	/* table_info relocation notice */
	ta_foreach *foreach;		/* iteration and export */
	ta_dump_tentry *dump_tentry;
	ta_print_config *print_config;	/* textual configuration */
	ta_dump_tinfo *dump_tinfo;	/* per-algorithm statistics */
	ta_get_count *get_count;	/* entry counter */
};
/* Bits for struct table_algo.flags. */
#define	TA_FLAG_DEFAULT		0x01	/* Algo is default for given type */
#define	TA_FLAG_READONLY	0x02	/* Algo does not support modifications */
#define	TA_FLAG_EXTCOUNTER	0x04	/* Algo has external counter available */
/*
 * Algorithm registry.  ipfw_add_table_algo() registers @ta with the
 * chain's tables_config and returns the assigned slot through @idx;
 * @size is presumably sizeof(*ta), used as an ABI sanity check — confirm.
 * The int result is presumably 0 on success and an errno value otherwise.
 * ipfw_del_table_algo() unregisters the slot given by @idx.
 */
int ipfw_add_table_algo(struct ip_fw_chain *ch, struct table_algo *ta,
    size_t size, int *idx);
void ipfw_del_table_algo(struct ip_fw_chain *ch, int idx);
* Add new "flow" table type to support N=1..5-tuple lookups
* Add "flow:hash" algorithm
Kernel changes:
* Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
* Add IPFW_TABLE_FLOW table type
* Add "struct tflow_entry" as storage for 6-tuple flows
* Add "flow:hash" algorithm. Basically it is auto-growing chained hash table.
Additionally, we store mask of fields we need to compare in each instance/
* Increase ipfw_obj_tentry size by adding struct tflow_entry
* Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
* Increase algoname length: 32 -> 64 (algo options passed there as string)
* Assume every table type can be customized by flags, use u8 to store "tflags" field.
* Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
* Fix bug in cidr:chash resize procedure.
Userland changes:
* add "flow table(NAME)" syntax to support n-tuple checking tables.
* make fill_flags() separate function to ease working with _s_x arrays
* change "table info" output to reflect longer "type" fields
Syntax:
ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]
Examples:
0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
0:02 [2] zfscurr0# ipfw table fl2 info
+++ table(fl2), set(0) +++
kindex: 0, type: flow:src-ip,proto,dst-port
valtype: number, references: 0
algorithm: flow:hash
items: 0, size: 280
0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
0:02 [2] zfscurr0# ipfw table fl2 list
+++ table(fl2), set(0) +++
2a02:6b8::333,6,443 45000
10.0.0.92,6,80 22000
0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
0:03 [2] zfscurr0# ipfw show
00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
65535 617 59416 allow ip from any to any
0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
Trying 78.46.89.105...
..
0:04 [2] zfscurr0# ipfw show
00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
65535 682 66733 allow ip from any to any
/*
 * Per-chain lifecycle of the table-algorithm machinery: init() is paired
 * with destroy() on the same @chain.
 */
void ipfw_table_algo_init(struct ip_fw_chain *chain);
void ipfw_table_algo_destroy(struct ip_fw_chain *chain);
/*
 * Direct ipfw_ctl handlers.
 *
 * ipfw_ctl is the socket-option entry point, so @op3 and @sd carry
 * caller-supplied (userland) data.  Every length, index and name read out
 * of them is untrusted and has to be validated by the handler before use;
 * nothing here may rely on the sizes it is handed.  All of these are
 * expected to return 0 on success or an errno value -- confirm against
 * the implementations, the convention is not visible in this header.
 */
int ipfw_list_tables(struct ip_fw_chain *ch, struct sockopt_data *sd);
int ipfw_dump_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
int ipfw_describe_table(struct ip_fw_chain *ch, struct sockopt_data *sd);
/* Single-key lookup; the requested entry is passed to the algo callback. */
int ipfw_find_table_entry(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
int ipfw_create_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
int ipfw_modify_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
/* Add/delete of table entries (the op3 opcode selects which). */
int ipfw_manage_table_ent(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
int ipfw_flush_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
int ipfw_list_table_algo(struct ip_fw_chain *ch, struct sockopt_data *sd);
/* Atomic exchange of two tables' contents. */
int ipfw_swap_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
/*
 * Exported to support legacy opcodes.
 *
 * @ti identifies the table; @tei presumably points to an array of @count
 * entries to add or delete and @flags modifies how the operation is
 * carried out (flag values are defined elsewhere).  flush_table() removes
 * every entry of @ti.  Return value: 0 / errno, as far as can be told
 * from the other int handlers in this header.
 */
int add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
    struct tentry_info *tei, uint8_t flags, uint32_t count);
int del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
    struct tentry_info *tei, uint8_t flags, uint32_t count);
int flush_table(struct ip_fw_chain *ch, struct tid_info *ti);
Add support for multi-field values inside ipfw tables.
This is the last major change in given branch.
Kernel changes:
* Use 64-bytes structures to hold multi-value variables.
* Use shared array to hold values from all tables (assume
each table algo is capable of holding 32-byte variables).
* Add some placeholders to support per-table value arrays in future.
* Use simple eventhandler-style API to ease the process of adding new
table items. Currently table addition may require multiple UH drops/
acquires, which is quite tricky due to atomic table modification/swap
support, shared array resize, etc. Deal with it by calling special
notifier capable of rolling back state before actually performing
swap/resize operations. Original operation then restarts itself after
acquiring UH lock.
* Bump all objhash users default values to at least 64
* Fix custom hashing inside objhash.
Userland changes:
* Add support for dumping shared value array via "vlist" internal cmd.
* Some small print/fill_flags fixes to support u32 values.
* valtype is now bitmask of
<skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>.
New values can hold distinct values for each of these types.
* Provide special "legacy" type which assumes all values are the same.
* More helpers/docs following..
Some examples:
3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
3:41 [1] zfscurr0# ipfw table mimimi info
+++ table(mimimi), set(0) +++
kindex: 2, type: addr
references: 0, valtype: skipto,limit,ipv4,ipv6
algorithm: addr:radix
items: 0, size: 296
3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
3:42 [1] zfscurr0# ipfw table mimimi list
+++ table(mimimi), set(0) +++
10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1
/*
 * Legacy value conversion.
 *
 * Old-style tables carry a single 32-bit value; the "legacy" valtype
 * assumes every field of the multi-field struct table_value holds that
 * same value.  import fills @v from @value, export collapses @v back to
 * the single number.
 */
void ipfw_import_table_value_legacy(uint32_t value, struct table_value *v);
uint32_t ipfw_export_table_value_legacy(struct table_value *v);
/* ipfw_table_value.c functions */
/*
 * Shared value-array management.
 *
 * Values of all tables live in one shared array.  Adding entries may have
 * to grow that array, which requires dropping the UH lock; a tableop_state
 * therefore records enough about the in-flight operation for it to be
 * rolled back and restarted if the table was swapped or the array resized
 * in the meantime.
 */
/* ipfw_ctl handler: dumps the shared value array ("vlist" in userland). */
int ipfw_list_table_values(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
    struct sockopt_data *sd);
struct table_config;
struct tableop_state;
void ipfw_table_value_init(struct ip_fw_chain *ch);
void ipfw_table_value_destroy(struct ip_fw_chain *ch);
/*
 * Presumably reserves value slots for the entries described by @ts; may
 * need to resize the shared array (and thus drop/reacquire UH).
 */
int ipfw_link_table_values(struct ip_fw_chain *ch, struct tableop_state *ts);
/*
 * Completes the value handling for @count @tei entries of @tc; with
 * @rollback != 0 it undoes instead of commits (inferred from the
 * parameter name -- confirm against the implementation).
 */
void ipfw_finalize_table_values(struct ip_fw_chain *ch, struct table_config *tc,
    struct tentry_info *tei, uint32_t count, int rollback);
/* v1 userland <-> kernel representation of a table value. */
void ipfw_import_table_value_v1(ipfw_table_value *iv);
void ipfw_export_table_value_v1(struct table_value *v, ipfw_table_value *iv);
/*
 * Releases the value references held by the entries of @tc; @ta/@astate/@ti
 * are what is needed to walk the table's algorithm state.
 */
void ipfw_unref_table_values(struct ip_fw_chain *ch, struct table_config *tc,
    struct table_algo *ta, void *astate, struct table_info *ti);
/*
 * Rule <-> table linkage.
 *
 * Purpose inferred from names and parameters, to be confirmed against
 * the implementation: the rewrite helpers translate the table indices
 * inside a rule between the userland form (uidx, checked via @ci at rule
 * load) and the kernel form (kidx); ipfw_mark_table_kidx() records in
 * @bmask which tables @rule references; ipfw_export_table_ntlv() emits the
 * name TLV for table @kidx into @sd; ipfw_unref_rule_tables() releases the
 * references a rule holds when the rule is removed.
 */
int ipfw_rewrite_table_uidx(struct ip_fw_chain *chain,
    struct rule_check_info *ci);
int ipfw_rewrite_table_kidx(struct ip_fw_chain *chain,
    struct ip_fw_rule0 *rule);
int ipfw_mark_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule,
    uint32_t *bmask);
int ipfw_export_table_ntlv(struct ip_fw_chain *ch, uint16_t kidx,
    struct sockopt_data *sd);
void ipfw_unref_rule_tables(struct ip_fw_chain *chain, struct ip_fw *rule);
/* utility functions */
/*
 * ipfw_check_table_name() validates a table name as received from
 * userland (names arrive unverified through the ipfw_ctl path; every
 * caller that stores or compares a name should go through this first).
 * @name is not const-qualified, so whether the buffer is modified is not
 * visible here -- confirm before passing read-only storage.
 */
int ipfw_check_table_name(char *name);
/* Move/swap the tables of a rule set; @rt selects the range, @mv presumably
 * distinguishes a move from a swap. */
int ipfw_move_tables_sets(struct ip_fw_chain *ch, ipfw_range_tlv *rt,
    uint32_t new_set);
void ipfw_swap_tables_sets(struct ip_fw_chain *ch, uint32_t old_set,
    uint32_t new_set, int mv);
/* Calls @f with @arg for each entry of table @kidx. */
int ipfw_foreach_table_tentry(struct ip_fw_chain *ch, uint16_t kidx,
    ta_foreach_f f, void *arg);
Add support for multi-field values inside ipfw tables.
This is the last major change in given branch.
Kernel changes:
* Use 64-bytes structures to hold multi-value variables.
* Use shared array to hold values from all tables (assume
each table algo is capable of holding 32-byte variables).
* Add some placeholders to support per-table value arrays in future.
* Use simple eventhandler-style API to ease the process of adding new
table items. Currently table addition may require multiple UH drops/
acquires, which is quite tricky due to atomic table modification/swap
support, shared array resize, etc. Deal with it by calling special
notifier capable of rolling back state before actually performing
swap/resize operations. Original operation then restarts itself after
acquiring UH lock.
* Bump all objhash users default values to at least 64
* Fix custom hashing inside objhash.
Userland changes:
* Add support for dumping shared value array via "vlist" internal cmd.
* Some small print/fill_flags fixes to support u32 values.
* valtype is now bitmask of
<skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>.
New values can hold distinct values for each of these types.
* Provide special "legacy" type which assumes all values are the same.
* More helpers/docs following..
Some examples:
3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
3:41 [1] zfscurr0# ipfw table mimimi info
+++ table(mimimi), set(0) +++
kindex: 2, type: addr
references: 0, valtype: skipto,limit,ipv4,ipv6
algorithm: addr:radix
items: 0, size: 296
3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
3:42 [1] zfscurr0# ipfw table mimimi list
+++ table(mimimi), set(0) +++
10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1
/* internal functions */
/* Reference counting on a table_config. */
void tc_ref(struct table_config *tc);
void tc_unref(struct table_config *tc);

/*
 * Generic rollback hook.
 *
 * An operation that has to drop the UH lock mid-way registers an op_state;
 * if the table state changes underneath it (swap, shared value-array
 * resize), the registered callback is invoked with (@object, @state) to
 * undo what the operation had prepared, and the operation restarts once
 * it re-acquires the lock.
 */
struct op_state;
typedef void (op_rollback_f)(void *object, struct op_state *state);
/* Base record of a rollback-able operation; embedded by tableop_state. */
struct op_state {
	TAILQ_ENTRY(op_state) next;	/* chain link (list owned by the ip_fw_chain, presumably) */
	op_rollback_f *func;		/* callback that undoes the operation */
};
/*
 * State of one in-flight table entry add/delete.
 *
 * Kept registered (see add_toperation_state()) for as long as the
 * operation may have to drop the UH lock, so that a concurrent table swap
 * or shared value-array resize can roll it back and make it restart.
 */
struct tableop_state {
	struct op_state opstate;	/* generic rollback linkage; first member, so an
					 * op_state pointer presumably casts back to this */
	struct ip_fw_chain *ch;		/* chain the operation runs on */
	struct table_config *tc;	/* table being modified */
	struct table_algo *ta;		/* algorithm of @tc */
	struct tentry_info *tei;	/* entries being added/deleted */
	uint32_t count;			/* number of @tei entries */
	uint32_t vmask;			/* value-field mask (valtype bits), presumably */
	int vshared;			/* non-zero: values live in the shared array
					 * (per-table arrays are a future placeholder) */
	int modified;			/* set when rolled back: state changed, restart */
};
/*
 * Registration of a tableop_state with the chain.  add/del bracket the
 * window in which the operation may be rolled back;
 * rollback_toperation_state() is the notifier that walks the registered
 * states and invokes their callbacks with @object (presumably the table
 * or value array that is about to change).
 */
void add_toperation_state(struct ip_fw_chain *ch, struct tableop_state *ts);
void del_toperation_state(struct ip_fw_chain *ch, struct tableop_state *ts);
void rollback_toperation_state(struct ip_fw_chain *ch, void *object);
/* Legacy interfaces */
/*
 * Old-style table queries kept for pre-ip_fw3 userland.  @ti names the
 * table; the count functions return the entry count through @cnt.
 * ipfw_dump_table_legacy() fills the caller-provided @tbl, so the write
 * has to stay within whatever size the caller declared in it -- the
 * bound is not visible in this header, check it in the implementation.
 */
int ipfw_count_table(struct ip_fw_chain *ch, struct tid_info *ti,
    uint32_t *cnt);
int ipfw_count_xtable(struct ip_fw_chain *ch, struct tid_info *ti,
    uint32_t *cnt);
int ipfw_dump_table_legacy(struct ip_fw_chain *ch, struct tid_info *ti,
    ipfw_table *tbl);
#endif /* _KERNEL */
#endif /* _IPFW2_TABLE_H */