Add ipfw_add_protected_rule() function that creates a rule with number 65535

in the reserved set 31. Use this function to create the default rule.

Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC
This commit is contained in:
ae 2017-11-22 05:49:21 +00:00
parent 203c5f3815
commit 4cd3b30b2f
3 changed files with 31 additions and 13 deletions


@ -2842,11 +2842,6 @@ vnet_ipfw_init(const void *unused)
ipfw_init_srv(chain);
ipfw_init_counters();
/* insert the default rule and create the initial map */
chain->n_rules = 1;
chain->map = malloc(sizeof(struct ip_fw *), M_IPFW, M_WAITOK | M_ZERO);
rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
/* Set initial number of tables */
V_fw_tables_max = default_fw_tables;
error = ipfw_init_tables(chain, first);
@ -2857,19 +2852,16 @@ vnet_ipfw_init(const void *unused)
return (ENOSPC);
}
IPFW_LOCK_INIT(chain);
/* fill and insert the default rule */
rule->act_ofs = 0;
rule->rulenum = IPFW_DEFAULT_RULE;
rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
rule->cmd_len = 1;
rule->set = RESVD_SET;
rule->cmd[0].len = 1;
rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;
chain->default_rule = chain->map[0] = rule;
chain->id = rule->id = 1;
/* Pre-calculate rules length for legacy dump format */
chain->static_len = sizeof(struct ip_fw_rule0);
chain->default_rule = rule;
ipfw_add_protected_rule(chain, rule, 0);
IPFW_LOCK_INIT(chain);
ipfw_dyn_init(chain);
ipfw_eaction_init(chain, first);
#ifdef LINEAR_SKIPTO
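Review bot: The lock initialization is printed after the call `ipfw_add_protected_rule(chain, rule, 0);`, and with locked == 0 that function acquires the UH lock itself (via get_map()) and unconditionally calls IPFW_UH_WUNLOCK(chain) before returning, so if the trailing `IPFW_LOCK_INIT(chain);` is the new-side placement (the +/- markers are lost on this page) the chain locks are used before they are initialized; keep `IPFW_LOCK_INIT(chain);` ahead of the "fill and insert the default rule" comment as the old code had it. A second point: the first hunk removes the `rule = ipfw_alloc_rule(...)` assignment that used to precede ipfw_init_tables(), so the error path ending in `return (ENOSPC);` — which lies outside the hunk — must not free or dereference `rule` unless it is initialized to NULL at its declaration; worth confirming. vnet_ipfw_init() begins and ends outside these hunks.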


@ -625,6 +625,8 @@ void ipfw_destroy_skipto_cache(struct ip_fw_chain *chain);
int ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id);
int ipfw_ctl3(struct sockopt *sopt);
int ipfw_chk(struct ip_fw_args *args);
int ipfw_add_protected_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
int locked);
void ipfw_reap_add(struct ip_fw_chain *chain, struct ip_fw **head,
struct ip_fw *rule);
void ipfw_reap_rules(struct ip_fw *head);


@ -790,6 +790,30 @@ commit_rules(struct ip_fw_chain *chain, struct rule_check_info *rci, int count)
return (0);
}
int
ipfw_add_protected_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
int locked)
{
struct ip_fw **map;
map = get_map(chain, 1, locked);
if (map == NULL)
return (ENOMEM);
if (chain->n_rules > 0)
bcopy(chain->map, map,
chain->n_rules * sizeof(struct ip_fw *));
map[chain->n_rules] = rule;
rule->rulenum = IPFW_DEFAULT_RULE;
rule->set = RESVD_SET;
rule->id = chain->id + 1;
/* We add rule in the end of chain, no need to update skipto cache */
map = swap_map(chain, map, chain->n_rules + 1);
chain->static_len += RULEUSIZE0(rule);
IPFW_UH_WUNLOCK(chain);
free(map, M_IPFW);
return (0);
}
/*
* Adds @rule to the list of rules to reap
*/
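Review bot: The locking contract of ipfw_add_protected_rule() is undocumented and is easy to get wrong: `IPFW_UH_WUNLOCK(chain);` runs unconditionally before the final return, so a caller passing `locked != 0` gives up its UH lock on success, while on the `return (ENOMEM);` path the lock state depends on what get_map() does, which is outside the hunk. Add a header comment above the definition, e.g. `/* Appends @rule as rule IPFW_DEFAULT_RULE in RESVD_SET. Takes the UH lock unless @locked is set; returns with the UH lock released on success. */`, and state the ENOMEM lock state once get_map()'s behavior is confirmed. The line `rule->id = chain->id + 1;` presumably relies on swap_map() bumping chain->id; a one-line comment saying so would save the next reader a lookup.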