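--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -17,17 +17,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/netinet/ip_fw2.c 153163 2005-12-06 10:45:49Z glebius $
+ * $FreeBSD: head/sys/netinet/ip_fw2.c 153374 2005-12-13 12:16:03Z glebius $
  */
 
 #define DEB(x)
 #define DDB(x) x
 
 /*
  * Implement IP packet firewall (new version)
  */
@@ -2378,19 +2378,19 @@
  (IP_FW_DIVERT_OUTPUT_FLAG | IP_FW_DIVERT_LOOPBACK_FLAG);
  m_tag_delete(m, mtag);
  }
 
  /*
  * Now scan the rules, and parse microinstructions for each rule.
  */
  for (; f; f = f->next) {
- int l, cmdlen;
  ipfw_insn *cmd;
- int skip_or; /* skip rest of OR block */
+ uint32_t tablearg = 0;
+ int l, cmdlen, skip_or; /* skip rest of OR block */
 
 again:
  if (set_disable & (1 << f->set) )
  continue;
 
  skip_or = 0;
  for (l = f->cmd_len, cmd = f->cmd ; l > 0 ;
  l -= cmdlen, cmd += cmdlen) {
@@ -2543,16 +2543,18 @@
 
  match = lookup_table(chain, cmd->arg1, a,
  &v);
  if (!match)
  break;
  if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
  match =
  ((ipfw_insn_u32 *)cmd)->d[0] == v;
+ else
+ tablearg = v;
  }
  break;
 
  case O_IP_SRC_MASK:
  case O_IP_DST_MASK:
  if (is_ipv4) {
  uint32_t a =
  (cmd->opcode == O_IP_DST_MASK) ?
@@ -2994,17 +2996,20 @@
 
  case O_ACCEPT:
  retval = 0; /* accept */
  goto done;
 
  case O_PIPE:
  case O_QUEUE:
  args->rule = f; /* report matching rule */
- args->cookie = cmd->arg1;
+ if (cmd->arg1 == IP_FW_TABLEARG)
+ args->cookie = tablearg;
+ else
+ args->cookie = cmd->arg1;
  retval = IP_FW_DUMMYNET;
  goto done;
 
  case O_DIVERT:
  case O_TEE: {
  struct divert_tag *dt;
 
  if (args->eh) /* not on layer 2 */
@@ -3015,17 +3020,20 @@
  if (mtag == NULL) {
  /* XXX statistic */
  /* drop packet */
  IPFW_RUNLOCK(chain);
  return (IP_FW_DENY);
  }
  dt = (struct divert_tag *)(mtag+1);
  dt->cookie = f->rulenum;
- dt->info = cmd->arg1;
+ if (cmd->arg1 == IP_FW_TABLEARG)
+ dt->info = tablearg;
+ else
+ dt->info = cmd->arg1;
  m_tag_prepend(m, mtag);
  retval = (cmd->opcode == O_DIVERT) ?
  IP_FW_DIVERT : IP_FW_TEE;
  goto done;
  }
 
  case O_COUNT:
  case O_SKIPTO:
@@ -3080,17 +3088,20 @@
  args->next_hop =
  &((ipfw_insn_sa *)cmd)->sa;
  retval = IP_FW_PASS;
  goto done;
 
  case O_NETGRAPH:
  case O_NGTEE:
  args->rule = f; /* report matching rule */
- args->cookie = cmd->arg1;
+ if (cmd->arg1 == IP_FW_TABLEARG)
+ args->cookie = tablearg;
+ else
+ args->cookie = cmd->arg1;
  retval = (cmd->opcode == O_NETGRAPH) ?
  IP_FW_NETGRAPH : IP_FW_NGTEE;
  goto done;
 
  default:
  panic("-- unknown opcode %d\n", cmd->opcode);
  } /* end of switch() on opcodes */
 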
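Review bot: `tablearg` is consumed unconditionally in the O_PIPE/O_QUEUE, O_DIVERT/O_TEE and O_NETGRAPH/O_NGTEE branches whenever `cmd->arg1 == IP_FW_TABLEARG`, but it is only assigned in the table-lookup branch when the instruction carries no value to compare (`else tablearg = v;`), so a rule that reaches one of these actions without such a lookup silently passes 0 as the pipe, divert port or netgraph cookie instead of failing. The initializer also sits above the `again:` label, so any `goto again` in the hidden lines would re-enter the rule scan with the previous rule's value; adding `tablearg = 0;` next to `skip_or = 0;` makes the per-rule reset explicit. The rule-validation code and the start and end of the enclosing function are outside the visible lines, so it is worth confirming that a `tablearg` action without a preceding lookup is rejected when the rule is installed. It is also worth checking that `args->cookie` and `dt->info` are wide enough for the 32-bit table value, since a narrower field would truncate it without any diagnostic. A comment on the declaration such as `/* value of the last matching table lookup in this rule, 0 if none */` would document the contract.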