Various cosmetic cleanup of the files:

- move global variables around to reduce the scope and make them
  static if possible;
- add an ipfw_ prefix to all public functions to prevent conflicts
  (the same should be done for variables);
- try to pack variable declaration in an uniform way across files;
- clarify some comments;
- remove some misspelling of names (#define V_foo VNET(bar)) that
  slipped in due to cut&paste
- remove duplicate static variables in different files;

MFC after:	1 month
This commit is contained in:
luigi 2009-12-16 10:48:40 +00:00
parent fbf6bc755d
commit 3805c8f0d8
9 changed files with 184 additions and 144 deletions

View File

@ -2364,3 +2364,4 @@ static moduledata_t dummynet_mod = {
DECLARE_MODULE(dummynet, dummynet_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
MODULE_DEPEND(dummynet, ipfw, 2, 2, 2);
MODULE_VERSION(dummynet, 1);
/* end of file */

View File

@ -26,11 +26,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#define DEB(x)
#define DDB(x) x
/*
* Implement IP packet firewall (new version)
* The FreeBSD IP packet firewall, main file
*/
#if !defined(KLD_MODULE)
@ -101,21 +98,17 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#endif
/*
* static variables followed by global ones.
* All ipfw global variables are here.
*/
/* ipfw_vnet_ready controls when we are open for business */
static VNET_DEFINE(int, ipfw_vnet_ready) = 0;
#define V_ipfw_vnet_ready VNET(ipfw_vnet_ready)
/*
* set_disable contains one bit per set value (0..31).
* If the bit is set, all rules with the corresponding set
* are disabled. Set RESVD_SET(31) is reserved for the default rule
* and rules that are not deleted by the flush command,
* and CANNOT be disabled.
* Rules in set RESVD_SET can only be deleted explicitly.
*/
VNET_DEFINE(u_int32_t, set_disable);
VNET_DEFINE(int, fw_verbose);
#define V_set_disable VNET(set_disable)
#define V_verbose_limit VNET(verbose_limit)
static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
#define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs)
#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
static int default_to_accept = 1;
@ -123,14 +116,30 @@ static int default_to_accept = 1;
static int default_to_accept;
#endif
struct ip_fw *ip_fw_default_rule;
VNET_DEFINE(int, autoinc_step);
/*
* list of rules for layer 3
* Each rule belongs to one of 32 different sets (0..31).
* The variable set_disable contains one bit per set.
* If the bit is set, all rules in the corresponding set
* are disabled. Set RESVD_SET(31) is reserved for the default rule
* and rules that are not deleted by the flush command,
* and CANNOT be disabled.
* Rules in set RESVD_SET can only be deleted individually.
*/
VNET_DEFINE(u_int32_t, set_disable);
#define V_set_disable VNET(set_disable)
VNET_DEFINE(int, fw_verbose);
//#define V_verbose_limit VNET(verbose_limit)
/* counter for ipfw_log(NULL...) */
VNET_DEFINE(u_int64_t, norule_counter);
VNET_DEFINE(int, verbose_limit);
/* layer3_chain contains the list of rules for layer 3 */
VNET_DEFINE(struct ip_fw_chain, layer3_chain);
MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
ipfw_nat_t *ipfw_nat_ptr = NULL;
struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
ipfw_nat_cfg_t *ipfw_nat_cfg_ptr;
@ -138,30 +147,16 @@ ipfw_nat_cfg_t *ipfw_nat_del_ptr;
ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
struct table_entry {
struct radix_node rn[2];
struct sockaddr_in addr, mask;
u_int32_t value;
};
static VNET_DEFINE(int, autoinc_step);
#define V_autoinc_step VNET(autoinc_step)
static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
#define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs)
extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
#ifdef SYSCTL_NODE
SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
ipfw_chg_hook, "I", "Enable ipfw");
SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step,
CTLFLAG_RW, &VNET_NAME(autoinc_step), 0,
"Rule number auto-increment step");
SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0,
"Only do a single pass through ipfw when using dummynet(4)");
SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step,
CTLFLAG_RW, &VNET_NAME(autoinc_step), 0,
"Rule number auto-increment step");
SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose,
CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0,
"Log matches to ipfw rules");
@ -182,9 +177,6 @@ TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept);
#ifdef INET6
SYSCTL_DECL(_net_inet6_ip6);
SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
ipfw_chg_hook, "I", "Enable ipfw+6");
SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs,
CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0,
"Deny packets with unknown IPv6 Extension Headers");
@ -194,6 +186,7 @@ SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs,
/*
* Some macros used in the various matching options.
* L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
* Other macros just cast void * into the appropriate type
*/
@ -379,19 +372,20 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd)
*
* The 'verrevpath' option checks that the interface that an IP packet
* arrives on is the same interface that traffic destined for the
* packet's source address would be routed out of. The 'versrcreach'
* option just checks that the source address is reachable via any route
* (except default) in the routing table. These two are a measure to block
* forged packets. This is also commonly known as "anti-spoofing" or Unicast
* Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
* packet's source address would be routed out of.
* The 'versrcreach' option just checks that the source address is
* reachable via any route (except default) in the routing table.
* These two are a measure to block forged packets. This is also
* commonly known as "anti-spoofing" or Unicast Reverse Path
* Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
* is purposely reminiscent of the Cisco IOS command,
*
* ip verify unicast reverse-path
* ip verify unicast source reachable-via any
*
* which implements the same functionality. But note that syntax is
* misleading. The check may be performed on all IP packets whether unicast,
* multicast, or broadcast.
* which implements the same functionality. But note that the syntax
* is misleading, and the check may be performed on all IP packets
* whether unicast, multicast, or broadcast.
*/
static int
verify_path(struct in_addr src, struct ifnet *ifp, u_int fib)
@ -536,6 +530,7 @@ verify_path6(struct in6_addr *src, struct ifnet *ifp)
return 1;
}
static int
is_icmp6_query(int icmp6_type)
{
@ -562,7 +557,7 @@ send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6)
if ((tcp->th_flags & TH_RST) == 0) {
struct mbuf *m0;
m0 = send_pkt(args->m, &(args->f_id),
m0 = ipfw_send_pkt(args->m, &(args->f_id),
ntohl(tcp->th_seq), ntohl(tcp->th_ack),
tcp->th_flags | TH_RST);
if (m0 != NULL)
@ -622,7 +617,7 @@ send_reject(struct ip_fw_args *args, int code, int ip_len, struct ip *ip)
L3HDR(struct tcphdr, mtod(args->m, struct ip *));
if ( (tcp->th_flags & TH_RST) == 0) {
struct mbuf *m;
m = send_pkt(args->m, &(args->f_id),
m = ipfw_send_pkt(args->m, &(args->f_id),
ntohl(tcp->th_seq), ntohl(tcp->th_ack),
tcp->th_flags | TH_RST);
if (m != NULL)
@ -635,18 +630,18 @@ send_reject(struct ip_fw_args *args, int code, int ip_len, struct ip *ip)
}
/**
*
* Given an ip_fw *, lookup_next_rule will return a pointer
* to the next rule, which can be either the jump
* target (for skipto instructions) or the next one in the list (in
* all other cases including a missing jump target).
* The result is also written in the "next_rule" field of the rule.
* Backward jumps are not allowed, so start looking from the next
* rule...
* Backward jumps are not allowed, so we start the search from the
* rule following the current one.
*
* This never returns NULL -- in case we do not have an exact match,
* the next rule is returned. When the ruleset is changed,
* pointers are flushed so we are always correct.
* The function never returns NULL: if the requested rule is not
* present, it returns the next rule in the chain.
* As a side effect, the rule pointer is also set so next time
* the jump will not require a scan of the list.
*/
static struct ip_fw *
@ -676,12 +671,22 @@ lookup_next_rule(struct ip_fw *me, u_int32_t tablearg)
}
}
}
if (rule == NULL) /* failure or not a skipto */
if (rule == NULL) /* failure or not a skipto */
rule = me->next;
me->next_rule = rule;
return rule;
}
/*
* Support for uid/gid/jail lookup. These tests are expensive
* (because we may need to look into the list of active sockets)
* so we cache the results. ugid_lookupp is 0 if we have not
* yet done a lookup, 1 if we succeeded, and -1 if we tried
* and failed. The function always returns the match value.
* We could actually spare the variable and use *uc, setting
* it to '(void *)check_uidgid if we have no info, NULL if
* we tried and failed, or any other value if successful.
*/
static int
check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip,
@ -740,10 +745,8 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
INP_INFO_RUNLOCK(pi);
if (*ugid_lookupp == 0) {
/*
* If the lookup did not yield any results, there
* is no sense in coming back and trying again. So
* we can set lookup to -1 and ensure that we wont
* bother the pcb system again.
* We tried and failed, set the variable to -1
* so we will not try again on this packet.
*/
*ugid_lookupp = -1;
return (0);
@ -768,10 +771,10 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
*
* args->m (in/out) The packet; we set to NULL when/if we nuke it.
* Starts with the IP header.
* args->eh (in) Mac header if present, or NULL for layer3 packet.
* args->eh (in) Mac header if present, NULL for layer3 packet.
* args->L3offset Number of bytes bypassed if we came from L2.
* e.g. often sizeof(eh) ** NOTYET **
* args->oif Outgoing interface, or NULL if packet is incoming.
* args->oif Outgoing interface, NULL if packet is incoming.
* The incoming interface is in the mbuf. (in)
* args->divert_rule (in/out)
* Skip up to the first rule past this rule number;
@ -797,7 +800,7 @@ ipfw_chk(struct ip_fw_args *args)
{
/*
* Local variables holding state during the processing of a packet:
* Local variables holding state while processing a packet:
*
* IMPORTANT NOTE: to speed up the processing of rules, there
* are some assumption on the values of the variables, which
@ -932,15 +935,15 @@ ipfw_chk(struct ip_fw_args *args)
* pointer might become stale after other pullups (but we never use it
* this way).
*/
#define PULLUP_TO(_len, p, T) \
do { \
int x = (_len) + sizeof(T); \
if ((m)->m_len < x) { \
args->m = m = m_pullup(m, x); \
if (m == NULL) \
goto pullup_failed; \
} \
p = (mtod(m, char *) + (_len)); \
#define PULLUP_TO(_len, p, T) \
do { \
int x = (_len) + sizeof(T); \
if ((m)->m_len < x) { \
args->m = m = m_pullup(m, x); \
if (m == NULL) \
goto pullup_failed; \
} \
p = (mtod(m, char *) + (_len)); \
} while (0)
/*
@ -1199,7 +1202,7 @@ do { \
if (f != NULL)
f = f->next_rule;
else
f = ip_fw_default_rule;
f = V_layer3_chain.default_rule;
} else
f = args->rule->next_rule;
@ -1905,7 +1908,7 @@ do { \
*/
case O_LIMIT:
case O_KEEP_STATE:
if (install_state(f,
if (ipfw_install_state(f,
(ipfw_insn_limit *)cmd, args, tablearg)) {
/* error or limit violation */
retval = IP_FW_DENY;
@ -1927,7 +1930,7 @@ do { \
* to be run first).
*/
if (dyn_dir == MATCH_UNKNOWN &&
(q = lookup_dyn_rule(&args->f_id,
(q = ipfw_lookup_dyn_rule(&args->f_id,
&dyn_dir, proto == IPPROTO_TCP ?
TCP(ulp) : NULL))
!= NULL) {
@ -2251,7 +2254,11 @@ pullup_failed:
return (IP_FW_DENY);
}
/****************
/*
* Module and VNET glue
*/
/*
* Stuff that must be initialised only on boot or module load
*/
static int
@ -2306,7 +2313,7 @@ ipfw_init(void)
return (error);
}
/**********************
/*
* Called for the removal of the last instance only on module unload.
*/
static void
@ -2317,7 +2324,7 @@ ipfw_destroy(void)
printf("IP firewall unloaded\n");
}
/****************
/*
* Stuff that must be initialized for every instance
* (including the first of course).
*/
@ -2345,7 +2352,6 @@ vnet_ipfw_init(const void *unused)
V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
V_fw_deny_unknown_exthdrs = 1;
V_layer3_chain.rules = NULL;
@ -2368,7 +2374,7 @@ vnet_ipfw_init(const void *unused)
return (error);
}
ip_fw_default_rule = V_layer3_chain.rules;
V_layer3_chain.default_rule = V_layer3_chain.rules;
ipfw_dyn_init();
@ -2391,20 +2397,11 @@ vnet_ipfw_init(const void *unused)
*/
V_ip_fw_ctl_ptr = ipfw_ctl;
V_ip_fw_chk_ptr = ipfw_chk;
if (V_fw_enable && ipfw_hook() != 0) {
error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
printf("ipfw_hook() error\n");
}
#ifdef INET6
if (V_fw6_enable && ipfw6_hook() != 0) {
error = ENOENT;
printf("ipfw6_hook() error\n");
}
#endif
error = ipfw_attach_hooks();
return (error);
}
/***********************
/*
* Called for the removal of each instance.
*/
static int
@ -2514,4 +2511,4 @@ SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER,
ipfw_destroy, NULL);
VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER,
vnet_ipfw_uninit, NULL);
/* end of file */

View File

@ -114,6 +114,10 @@ __FBSDID("$FreeBSD$");
* obey the 'randomized match', and we do not do multiple
* passes through the firewall. XXX check the latter!!!
*/
/*
* Static variables followed by global ones
*/
static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v);
static VNET_DEFINE(u_int32_t, dyn_buckets);
static VNET_DEFINE(u_int32_t, curr_dyn_buckets);
@ -374,7 +378,7 @@ next:
}
void
remove_dyn_children(struct ip_fw *rule)
ipfw_remove_dyn_children(struct ip_fw *rule)
{
IPFW_DYN_LOCK();
remove_dyn_rule(rule, NULL /* force removal */);
@ -382,9 +386,9 @@ remove_dyn_children(struct ip_fw *rule)
}
/**
* lookup a dynamic rule.
* lookup a dynamic rule, locked version
*/
ipfw_dyn_rule *
static ipfw_dyn_rule *
lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
struct tcphdr *tcp)
{
@ -528,7 +532,7 @@ done:
}
ipfw_dyn_rule *
lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
struct tcphdr *tcp)
{
ipfw_dyn_rule *q;
@ -699,7 +703,7 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
* session limitations are enforced.
*/
int
install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
struct ip_fw_args *args, uint32_t tablearg)
{
static int last_log;
@ -877,7 +881,7 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
* so that MAC can label the reply appropriately.
*/
struct mbuf *
send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
ipfw_send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
u_int32_t ack, int flags)
{
struct mbuf *m;
@ -1065,9 +1069,9 @@ ipfw_tick(void * vnetx)
if (TIME_LEQ(q->expire, time_uptime))
continue; /* too late, rule expired */
m = send_pkt(NULL, &(q->id), q->ack_rev - 1,
m = ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1,
q->ack_fwd, TH_SYN);
mnext = send_pkt(NULL, &(q->id), q->ack_fwd - 1,
mnext = ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1,
q->ack_rev, 0);
switch (q->id.addr_type) {
@ -1222,3 +1226,4 @@ ipfw_get_dynamic(char **pbp, const char *ep)
bzero(&last->next, sizeof(last));
*pbp = bp;
}
/* end of file */

View File

@ -85,10 +85,6 @@ __FBSDID("$FreeBSD$");
#define ICMP(p) ((struct icmphdr *)(p))
#define ICMP6(p) ((struct icmp6_hdr *)(p))
/* counter for ipfw_log(NULL...) */
VNET_DEFINE(u_int64_t, norule_counter);
VNET_DEFINE(int, verbose_limit);
#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
#define SNP(buf) buf, sizeof(buf)
@ -369,3 +365,4 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args,
"ipfw: limit %d reached on entry %d\n",
limit_reached, f ? f->rulenum : -1);
}
/* end of file */

View File

@ -671,3 +671,4 @@ DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY
MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1);
MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2);
MODULE_VERSION(ipfw_nat, 1);
/* end of file */

View File

@ -68,9 +68,12 @@ __FBSDID("$FreeBSD$");
#include <machine/in_cksum.h>
VNET_DEFINE(int, fw_enable) = 1;
static VNET_DEFINE(int, fw_enable) = 1;
#define V_fw_enable VNET(fw_enable)
#ifdef INET6
VNET_DEFINE(int, fw6_enable) = 1;
static VNET_DEFINE(int, fw6_enable) = 1;
#define V_fw6_enable VNET(fw6_enable)
#endif
int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
@ -86,6 +89,19 @@ static int ipfw_divert(struct mbuf **, int, int);
#define DIV_DIR_IN 1
#define DIV_DIR_OUT 0
#ifdef SYSCTL_NODE
SYSCTL_DECL(_net_inet_ip_fw);
SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
ipfw_chg_hook, "I", "Enable ipfw");
#ifdef INET6
SYSCTL_DECL(_net_inet6_ip6_fw);
SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
ipfw_chg_hook, "I", "Enable ipfw+6");
#endif /* INET6 */
#endif /* SYSCTL_NODE */
int
ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
struct inpcb *inp)
@ -443,7 +459,7 @@ nodivert:
return 1;
}
int
static int
ipfw_hook(void)
{
struct pfil_head *pfh_inet;
@ -478,7 +494,7 @@ ipfw_unhook(void)
}
#ifdef INET6
int
static int
ipfw6_hook(void)
{
struct pfil_head *pfh_inet6;
@ -513,6 +529,24 @@ ipfw6_unhook(void)
}
#endif /* INET6 */
int
ipfw_attach_hooks(void)
{
int error = 0;
if (V_fw_enable && ipfw_hook() != 0) {
error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
printf("ipfw_hook() error\n");
}
#ifdef INET6
if (V_fw6_enable && ipfw6_hook() != 0) {
error = ENOENT;
printf("ipfw6_hook() error\n");
}
#endif
return error;
}
int
ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
{
@ -566,4 +600,4 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
return (0);
}
/* end of file */

View File

@ -99,12 +99,12 @@ MALLOC_DECLARE(M_IPFW);
/* Firewall hooks */
int ipfw_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp);
int ipfw_check_out(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp);
int ipfw_check_in(void *, struct mbuf **, struct ifnet *,
int, struct inpcb *inp);
int ipfw_check_out(void *, struct mbuf **, struct ifnet *,
int, struct inpcb *inp);
int ipfw_hook(void);
int ipfw6_hook(void);
int ipfw_attach_hooks(void);
int ipfw_unhook(void);
int ipfw6_unhook(void);
#ifdef NOTYET
@ -138,15 +138,13 @@ enum { /* result for matching dynamic rules */
void ipfw_dyn_unlock(void);
struct tcphdr;
struct mbuf *send_pkt(struct mbuf *, struct ipfw_flow_id *,
struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *,
u_int32_t, u_int32_t, int);
int install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
int ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
struct ip_fw_args *args, uint32_t tablearg);
ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
struct tcphdr *tcp);
ipfw_dyn_rule * lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
struct tcphdr *tcp);
void remove_dyn_children(struct ip_fw *rule);
ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt,
int *match_direction, struct tcphdr *tcp);
void ipfw_remove_dyn_children(struct ip_fw *rule);
void ipfw_get_dynamic(char **bp, const char *ep);
void ipfw_dyn_attach(void); /* uma_zcreate .... */
@ -157,25 +155,24 @@ int ipfw_dyn_len(void);
/* common variables */
VNET_DECLARE(int, fw_one_pass);
VNET_DECLARE(int, fw_enable);
VNET_DECLARE(int, fw_verbose);
VNET_DECLARE(struct ip_fw_chain, layer3_chain);
VNET_DECLARE(u_int32_t, set_disable);
#define V_fw_one_pass VNET(fw_one_pass)
#define V_fw_enable VNET(fw_enable)
#define V_fw_verbose VNET(fw_enable)
VNET_DECLARE(int, fw_verbose);
#define V_fw_verbose VNET(fw_verbose)
VNET_DECLARE(struct ip_fw_chain, layer3_chain);
#define V_layer3_chain VNET(layer3_chain)
VNET_DECLARE(u_int32_t, set_disable);
#define V_set_disable VNET(set_disable)
#ifdef INET6
VNET_DECLARE(int, fw6_enable);
#define V_fw6_enable VNET(fw6_enable)
#endif
VNET_DECLARE(int, autoinc_step);
#define V_autoinc_step VNET(autoinc_step)
struct ip_fw_chain {
struct ip_fw *rules; /* list of rules */
struct ip_fw *reap; /* list of rules to reap */
struct ip_fw *default_rule;
LIST_HEAD(nat_list, cfg_nat) nat; /* list of nat entries */
struct radix_node_head *tables[IPFW_TABLES_MAX];
struct rwlock rwmtx;
@ -236,6 +233,5 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
#endif /* _KERNEL */
#endif /* _IPFW2_PRIVATE_H */

View File

@ -30,7 +30,8 @@ __FBSDID("$FreeBSD$");
#define DDB(x) x
/*
* Sockopt support for ipfw
* Sockopt support for ipfw. The routines here implement
* the upper half of the ipfw code.
*/
#if !defined(KLD_MODULE)
@ -72,8 +73,11 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#endif
static VNET_DEFINE(int, autoinc_step);
#define V_autoinc_step VNET(autoinc_step)
MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
/*
* static variables followed by global ones
*/
static VNET_DEFINE(u_int32_t, static_count); /* # of static rules */
static VNET_DEFINE(u_int32_t, static_len); /* bytes of static rules */
@ -210,7 +214,7 @@ remove_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
IPFW_WLOCK_ASSERT(chain);
n = rule->next;
remove_dyn_children(rule);
ipfw_remove_dyn_children(rule);
if (prev == NULL)
chain->rules = n;
else
@ -474,7 +478,7 @@ zero_entry(struct ip_fw_chain *chain, u_int32_t arg, int log_only)
/*
* Check validity of the structure before insert.
* Fortunately rules are simple, so this mostly need to check rule sizes.
* Rules are simple, so this mostly need to check rule sizes.
*/
static int
check_ipfw_struct(struct ip_fw *rule, int size)
@ -821,7 +825,7 @@ ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space)
}
}
IPFW_RUNLOCK(chain);
ipfw_get_dynamic(&bp, ep);
ipfw_get_dynamic(&bp, ep); /* protected by the dynamic lock */
return (bp - (char *)buf);
}
@ -1094,3 +1098,4 @@ ipfw_ctl(struct sockopt *sopt)
return (error);
#undef RULE_MAXSIZE
}
/* end of file */

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
* Copyright (c) 2002 .........
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -26,11 +26,14 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#define DEB(x)
#define DDB(x) x
/*
* Sockopt support for ipfw
* Lookup table support for ipfw
*
* Lookup tables are implemented (at the moment) using the radix
* tree used for routing tables. Tables store key-value entries, where
* keys are network prefixes (addr/masklen), and values are integers.
* As a degenerate case we can interpret keys as 32-bit integers
* (with a /32 mask).
*/
#if !defined(KLD_MODULE)
@ -259,3 +262,4 @@ ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl)
rnh->rnh_walktree(rnh, dump_table_entry, tbl);
return (0);
}
/* end of file */