ip_fw2.c (153163) ip_fw2.c (153374)
1/*-
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden (view full) ---

17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
1/*-
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden (view full) ---

17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
25 * $FreeBSD: head/sys/netinet/ip_fw2.c 153163 2005-12-06 10:45:49Z glebius $
25 * $FreeBSD: head/sys/netinet/ip_fw2.c 153374 2005-12-13 12:16:03Z glebius $
26 */
27
28#define DEB(x)
29#define DDB(x) x
30
31/*
32 * Implement IP packet firewall (new version)
33 */

--- 2344 unchanged lines hidden (view full) ---

2378 (IP_FW_DIVERT_OUTPUT_FLAG | IP_FW_DIVERT_LOOPBACK_FLAG);
2379 m_tag_delete(m, mtag);
2380 }
2381
2382 /*
2383 * Now scan the rules, and parse microinstructions for each rule.
2384 */
2385 for (; f; f = f->next) {
26 */
27
28#define DEB(x)
29#define DDB(x) x
30
31/*
32 * Implement IP packet firewall (new version)
33 */

--- 2344 unchanged lines hidden (view full) ---

2378 (IP_FW_DIVERT_OUTPUT_FLAG | IP_FW_DIVERT_LOOPBACK_FLAG);
2379 m_tag_delete(m, mtag);
2380 }
2381
2382 /*
2383 * Now scan the rules, and parse microinstructions for each rule.
2384 */
2385 for (; f; f = f->next) {
2386 int l, cmdlen;
2387 ipfw_insn *cmd;
2386 ipfw_insn *cmd;
2388 int skip_or; /* skip rest of OR block */
2387 uint32_t tablearg = 0;
2388 int l, cmdlen, skip_or; /* skip rest of OR block */
2389
2390again:
2391 if (set_disable & (1 << f->set) )
2392 continue;
2393
2394 skip_or = 0;
2395 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ;
2396 l -= cmdlen, cmd += cmdlen) {

--- 146 unchanged lines hidden (view full) ---

2543
2544 match = lookup_table(chain, cmd->arg1, a,
2545 &v);
2546 if (!match)
2547 break;
2548 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
2549 match =
2550 ((ipfw_insn_u32 *)cmd)->d[0] == v;
2389
2390again:
2391 if (set_disable & (1 << f->set) )
2392 continue;
2393
2394 skip_or = 0;
2395 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ;
2396 l -= cmdlen, cmd += cmdlen) {

--- 146 unchanged lines hidden (view full) ---

2543
2544 match = lookup_table(chain, cmd->arg1, a,
2545 &v);
2546 if (!match)
2547 break;
2548 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
2549 match =
2550 ((ipfw_insn_u32 *)cmd)->d[0] == v;
2551 else
2552 tablearg = v;
2551 }
2552 break;
2553
2554 case O_IP_SRC_MASK:
2555 case O_IP_DST_MASK:
2556 if (is_ipv4) {
2557 uint32_t a =
2558 (cmd->opcode == O_IP_DST_MASK) ?

--- 435 unchanged lines hidden (view full) ---

2994
2995 case O_ACCEPT:
2996 retval = 0; /* accept */
2997 goto done;
2998
2999 case O_PIPE:
3000 case O_QUEUE:
3001 args->rule = f; /* report matching rule */
2553 }
2554 break;
2555
2556 case O_IP_SRC_MASK:
2557 case O_IP_DST_MASK:
2558 if (is_ipv4) {
2559 uint32_t a =
2560 (cmd->opcode == O_IP_DST_MASK) ?

--- 435 unchanged lines hidden (view full) ---

2996
2997 case O_ACCEPT:
2998 retval = 0; /* accept */
2999 goto done;
3000
3001 case O_PIPE:
3002 case O_QUEUE:
3003 args->rule = f; /* report matching rule */
3002 args->cookie = cmd->arg1;
3004 if (cmd->arg1 == IP_FW_TABLEARG)
3005 args->cookie = tablearg;
3006 else
3007 args->cookie = cmd->arg1;
3003 retval = IP_FW_DUMMYNET;
3004 goto done;
3005
3006 case O_DIVERT:
3007 case O_TEE: {
3008 struct divert_tag *dt;
3009
3010 if (args->eh) /* not on layer 2 */

--- 4 unchanged lines hidden (view full) ---

3015 if (mtag == NULL) {
3016 /* XXX statistic */
3017 /* drop packet */
3018 IPFW_RUNLOCK(chain);
3019 return (IP_FW_DENY);
3020 }
3021 dt = (struct divert_tag *)(mtag+1);
3022 dt->cookie = f->rulenum;
3008 retval = IP_FW_DUMMYNET;
3009 goto done;
3010
3011 case O_DIVERT:
3012 case O_TEE: {
3013 struct divert_tag *dt;
3014
3015 if (args->eh) /* not on layer 2 */

--- 4 unchanged lines hidden (view full) ---

3020 if (mtag == NULL) {
3021 /* XXX statistic */
3022 /* drop packet */
3023 IPFW_RUNLOCK(chain);
3024 return (IP_FW_DENY);
3025 }
3026 dt = (struct divert_tag *)(mtag+1);
3027 dt->cookie = f->rulenum;
3023 dt->info = cmd->arg1;
3028 if (cmd->arg1 == IP_FW_TABLEARG)
3029 dt->info = tablearg;
3030 else
3031 dt->info = cmd->arg1;
3024 m_tag_prepend(m, mtag);
3025 retval = (cmd->opcode == O_DIVERT) ?
3026 IP_FW_DIVERT : IP_FW_TEE;
3027 goto done;
3028 }
3029
3030 case O_COUNT:
3031 case O_SKIPTO:

--- 48 unchanged lines hidden (view full) ---

3080 args->next_hop =
3081 &((ipfw_insn_sa *)cmd)->sa;
3082 retval = IP_FW_PASS;
3083 goto done;
3084
3085 case O_NETGRAPH:
3086 case O_NGTEE:
3087 args->rule = f; /* report matching rule */
3032 m_tag_prepend(m, mtag);
3033 retval = (cmd->opcode == O_DIVERT) ?
3034 IP_FW_DIVERT : IP_FW_TEE;
3035 goto done;
3036 }
3037
3038 case O_COUNT:
3039 case O_SKIPTO:

--- 48 unchanged lines hidden (view full) ---

3088 args->next_hop =
3089 &((ipfw_insn_sa *)cmd)->sa;
3090 retval = IP_FW_PASS;
3091 goto done;
3092
3093 case O_NETGRAPH:
3094 case O_NGTEE:
3095 args->rule = f; /* report matching rule */
3088 args->cookie = cmd->arg1;
3096 if (cmd->arg1 == IP_FW_TABLEARG)
3097 args->cookie = tablearg;
3098 else
3099 args->cookie = cmd->arg1;
3089 retval = (cmd->opcode == O_NETGRAPH) ?
3090 IP_FW_NETGRAPH : IP_FW_NGTEE;
3091 goto done;
3092
3093 default:
3094 panic("-- unknown opcode %d\n", cmd->opcode);
3095 } /* end of switch() on opcodes */
3096

--- 1138 unchanged lines hidden ---
3100 retval = (cmd->opcode == O_NETGRAPH) ?
3101 IP_FW_NETGRAPH : IP_FW_NGTEE;
3102 goto done;
3103
3104 default:
3105 panic("-- unknown opcode %d\n", cmd->opcode);
3106 } /* end of switch() on opcodes */
3107

--- 1138 unchanged lines hidden ---
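Review bot: `tablearg` is set to 0 only by its initializer at the top of the per-rule loop body, above the `again:` label, so a jump back to `again` does not reset it. The jump itself is in the hidden lines (presumably the skipto path); if it exists, a value stored by one rule's table lookup would still be there when the next rule's `O_PIPE`/`O_QUEUE`, `O_DIVERT`/`O_TEE` or `O_NETGRAPH`/`O_NGTEE` action reads it. Resetting it beside the existing per-rule reset, `skip_or = 0; tablearg = 0;`, would tie the value to the rule being evaluated. Separately, a rule whose action carries `IP_FW_TABLEARG` but never reaches the `else tablearg = v;` branch hands 0 to dummynet, divert or netgraph as the pipe number, port or cookie. Whether rule installation rejects such rules is not visible here, so a comment at the declaration such as `/* 0 unless a table lookup in this rule matched */` would record that default.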