freebsd-skq/sys/netpfil/ipfw/nat64
ae 285cf94245 Reimplement how net.inet.ip.fw.dyn_keep_states works.
Turning on this feature allows keeping dynamic states when the parent
rule is deleted. But it works only when the default rule is
"allow from any to any".

Now when a rule with a dynamic opcode is going to be deleted, and
net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference
the named objects corresponding to this rule, and also reference the rule.
And when ipfw_dyn_lookup_state() finds a state for a deleted parent rule,
it will return the pointer to the deleted rule, which is still valid.
This implementation doesn't support O_LIMIT_PARENT rules.

The refcnt field was added to struct ip_fw to keep a reference; also a
next pointer was added to be able to iterate rules and not damage the content
when deleted rules are chained.

Named objects are referenced only when states are going to be deleted, to
be able to reuse the kidx of named objects when new parent rules are
installed.

The ipfw_dyn_get_count() function was modified and now it also looks into
dynamic states and constructs maps of existing named objects. This is
needed to correctly export orphaned states to userland.

ipfw_free_rule() was changed to be global, since now a dynamic state can
free a rule when it has expired and the reference counter becomes 1.

The external actions subsystem was also modified, since external actions can be
deregistered and instances can be destroyed. In these cases deleted rules
that are referenced by orphaned states must be modified to prevent access
to freed memory. The ipfw_dyn_reset_eaction() and ipfw_reset_eaction_instance()
functions were added for these purposes.

Obtained from:	Yandex LLC
MFC after:	2 months
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D17532
2018-12-04 16:01:25 +00:00
ip_fw_nat64.c Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option. And add ability 2018-10-21 16:29:12 +00:00
ip_fw_nat64.h Bring in some last changes in NAT64 implementation: 2018-05-09 11:59:24 +00:00
nat64_translate.c Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option. And add ability 2018-10-21 16:29:12 +00:00
nat64_translate.h Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option. And add ability 2018-10-21 16:29:12 +00:00
nat64lsn_control.c Reimplement how net.inet.ip.fw.dyn_keep_states works. 2018-12-04 16:01:25 +00:00
nat64lsn.c Call inet_ntop() only when its result is needed. 2018-10-21 16:37:53 +00:00
nat64lsn.h Bring in some last changes in NAT64 implementation: 2018-05-09 11:59:24 +00:00
nat64stl_control.c Reimplement how net.inet.ip.fw.dyn_keep_states works. 2018-12-04 16:01:25 +00:00
nat64stl.c Bring in some last changes in NAT64 implementation: 2018-05-09 11:59:24 +00:00
nat64stl.h Bring in some last changes in NAT64 implementation: 2018-05-09 11:59:24 +00:00