ip_fw_private.h (261117) | ip_fw_private.h (272840) |
1/*- 2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. --- 8 unchanged lines hidden (view full) --- 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 * | 1/*- 2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. --- 8 unchanged lines hidden (view full) --- 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 * |
25 * $FreeBSD: head/sys/netpfil/ipfw/ip_fw_private.h 261117 2014-01-24 09:13:30Z melifaro $ | 25 * $FreeBSD: head/sys/netpfil/ipfw/ip_fw_private.h 272840 2014-10-09 19:32:35Z melifaro $ |
26 */ 27 28#ifndef _IPFW2_PRIVATE_H 29#define _IPFW2_PRIVATE_H 30 31/* 32 * Internal constants and data structures used by ipfw components 33 * and not meant to be exported outside the kernel. --- 113 unchanged lines hidden (view full) --- 147/* attach (arg = 1) or detach (arg = 0) hooks */ 148int ipfw_attach_hooks(int); 149#ifdef NOTYET 150void ipfw_nat_destroy(void); 151#endif 152 153/* In ip_fw_log.c */ 154struct ip; | 26 */ 27 28#ifndef _IPFW2_PRIVATE_H 29#define _IPFW2_PRIVATE_H 30 31/* 32 * Internal constants and data structures used by ipfw components 33 * and not meant to be exported outside the kernel. --- 113 unchanged lines hidden (view full) --- 147/* attach (arg = 1) or detach (arg = 0) hooks */ 148int ipfw_attach_hooks(int); 149#ifdef NOTYET 150void ipfw_nat_destroy(void); 151#endif 152 153/* In ip_fw_log.c */ 154struct ip; |
155struct ip_fw_chain; |
|
155void ipfw_log_bpf(int); | 156void ipfw_log_bpf(int); |
156void ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, 157 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, 158 struct ip *ip); | 157void ipfw_log(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen, 158 struct ip_fw_args *args, struct mbuf *m, struct ifnet *oif, 159 u_short offset, uint32_t tablearg, struct ip *ip); |
159VNET_DECLARE(u_int64_t, norule_counter); 160#define V_norule_counter VNET(norule_counter) 161VNET_DECLARE(int, verbose_limit); 162#define V_verbose_limit VNET(verbose_limit) 163 164/* In ip_fw_dynamic.c */ 165 166enum { /* result for matching dynamic rules */ --- 4 unchanged lines hidden (view full) --- 171}; 172 173/* 174 * The lock for dynamic rules is only used once outside the file, 175 * and only to release the result of lookup_dyn_rule(). 176 * Eventually we may implement it with a callback on the function. 177 */ 178struct ip_fw_chain; | 160VNET_DECLARE(u_int64_t, norule_counter); 161#define V_norule_counter VNET(norule_counter) 162VNET_DECLARE(int, verbose_limit); 163#define V_verbose_limit VNET(verbose_limit) 164 165/* In ip_fw_dynamic.c */ 166 167enum { /* result for matching dynamic rules */ --- 4 unchanged lines hidden (view full) --- 172}; 173 174/* 175 * The lock for dynamic rules is only used once outside the file, 176 * and only to release the result of lookup_dyn_rule(). 177 * Eventually we may implement it with a callback on the function. 178 */ 179struct ip_fw_chain; |
179void ipfw_expire_dyn_rules(struct ip_fw_chain *, struct ip_fw *, int); | 180struct sockopt_data; 181int ipfw_is_dyn_rule(struct ip_fw *rule); 182void ipfw_expire_dyn_rules(struct ip_fw_chain *, ipfw_range_tlv *); |
180void ipfw_dyn_unlock(ipfw_dyn_rule *q); 181 182struct tcphdr; 183struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, 184 u_int32_t, u_int32_t, int); | 183void ipfw_dyn_unlock(ipfw_dyn_rule *q); 184 185struct tcphdr; 186struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, 187 u_int32_t, u_int32_t, int); |
185int ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, 186 struct ip_fw_args *args, uint32_t tablearg); | 188int ipfw_install_state(struct ip_fw_chain *chain, struct ip_fw *rule, 189 ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg); |
187ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, 188 int *match_direction, struct tcphdr *tcp); 189void ipfw_remove_dyn_children(struct ip_fw *rule); 190void ipfw_get_dynamic(struct ip_fw_chain *chain, char **bp, const char *ep); | 190ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, 191 int *match_direction, struct tcphdr *tcp); 192void ipfw_remove_dyn_children(struct ip_fw *rule); 193void ipfw_get_dynamic(struct ip_fw_chain *chain, char **bp, const char *ep); |
194int ipfw_dump_states(struct ip_fw_chain *chain, struct sockopt_data *sd); |
|
191 192void ipfw_dyn_init(struct ip_fw_chain *); /* per-vnet initialization */ 193void ipfw_dyn_uninit(int); /* per-vnet deinitialization */ 194int ipfw_dyn_len(void); | 195 196void ipfw_dyn_init(struct ip_fw_chain *); /* per-vnet initialization */ 197void ipfw_dyn_uninit(int); /* per-vnet deinitialization */ 198int ipfw_dyn_len(void); |
199int ipfw_dyn_get_count(void); |
|
195 196/* common variables */ 197VNET_DECLARE(int, fw_one_pass); 198#define V_fw_one_pass VNET(fw_one_pass) 199 200VNET_DECLARE(int, fw_verbose); 201#define V_fw_verbose VNET(fw_verbose) 202 203VNET_DECLARE(struct ip_fw_chain, layer3_chain); 204#define V_layer3_chain VNET(layer3_chain) 205 | 200 201/* common variables */ 202VNET_DECLARE(int, fw_one_pass); 203#define V_fw_one_pass VNET(fw_one_pass) 204 205VNET_DECLARE(int, fw_verbose); 206#define V_fw_verbose VNET(fw_verbose) 207 208VNET_DECLARE(struct ip_fw_chain, layer3_chain); 209#define V_layer3_chain VNET(layer3_chain) 210 |
211VNET_DECLARE(int, ipfw_vnet_ready); 212#define V_ipfw_vnet_ready VNET(ipfw_vnet_ready) 213 |
|
206VNET_DECLARE(u_int32_t, set_disable); 207#define V_set_disable VNET(set_disable) 208 209VNET_DECLARE(int, autoinc_step); 210#define V_autoinc_step VNET(autoinc_step) 211 212VNET_DECLARE(unsigned int, fw_tables_max); 213#define V_fw_tables_max VNET(fw_tables_max) 214 | 214VNET_DECLARE(u_int32_t, set_disable); 215#define V_set_disable VNET(set_disable) 216 217VNET_DECLARE(int, autoinc_step); 218#define V_autoinc_step VNET(autoinc_step) 219 220VNET_DECLARE(unsigned int, fw_tables_max); 221#define V_fw_tables_max VNET(fw_tables_max) 222 |
223VNET_DECLARE(unsigned int, fw_tables_sets); 224#define V_fw_tables_sets VNET(fw_tables_sets) 225 226struct tables_config; 227 228#ifdef _KERNEL 229typedef struct ip_fw_cntr { 230 uint64_t pcnt; /* Packet counter */ 231 uint64_t bcnt; /* Byte counter */ 232 uint64_t timestamp; /* tv_sec of last match */ 233} ip_fw_cntr; 234 235/* 236 * Here we have the structure representing an ipfw rule. 237 * 238 * It starts with a general area 239 * followed by an array of one or more instructions, which the code 240 * accesses as an array of 32-bit values. 241 * 242 * Given a rule pointer r: 243 * 244 * r->cmd is the start of the first instruction. 245 * ACTION_PTR(r) is the start of the first action (things to do 246 * once a rule matched). 247 */ 248 249struct ip_fw { 250 uint16_t act_ofs; /* offset of action in 32-bit units */ 251 uint16_t cmd_len; /* # of 32-bit words in cmd */ 252 uint16_t rulenum; /* rule number */ 253 uint8_t set; /* rule set (0..31) */ 254 uint8_t flags; /* currently unused */ 255 counter_u64_t cntr; /* Pointer to rule counters */ 256 uint32_t timestamp; /* tv_sec of last match */ 257 uint32_t id; /* rule id */ 258 uint32_t cached_id; /* used by jump_fast */ 259 uint32_t cached_pos; /* used by jump_fast */ 260 261 ipfw_insn cmd[1]; /* storage for commands */ 262}; 263 264#endif 265 |
|
215struct ip_fw_chain { 216 struct ip_fw **map; /* array of rule ptrs to ease lookup */ 217 uint32_t id; /* ruleset id */ 218 int n_rules; /* number of static rules */ 219 LIST_HEAD(nat_list, cfg_nat) nat; /* list of nat entries */ | 266struct ip_fw_chain { 267 struct ip_fw **map; /* array of rule ptrs to ease lookup */ 268 uint32_t id; /* ruleset id */ 269 int n_rules; /* number of static rules */ 270 LIST_HEAD(nat_list, cfg_nat) nat; /* list of nat entries */ |
220 struct radix_node_head **tables; /* IPv4 tables */ 221 struct radix_node_head **xtables; /* extended tables */ 222 uint8_t *tabletype; /* Array of table types */ | 271 void *tablestate; /* runtime table info */ 272 void *valuestate; /* runtime table value info */ 273 int *idxmap; /* skipto array of rules */ |
223#if defined( __linux__ ) || defined( _WIN32 ) 224 spinlock_t rwmtx; 225#else | 274#if defined( __linux__ ) || defined( _WIN32 ) 275 spinlock_t rwmtx; 276#else |
226 struct rwlock rwmtx; | 277 struct rmlock rwmtx; |
227#endif | 278#endif |
228 int static_len; /* total len of static rules */ | 279 int static_len; /* total len of static rules (v0) */ |
229 uint32_t gencnt; /* NAT generation count */ | 280 uint32_t gencnt; /* NAT generation count */ |
230 struct ip_fw *reap; /* list of rules to reap */ | |
231 struct ip_fw *default_rule; | 281 struct ip_fw *default_rule; |
282 struct tables_config *tblcfg; /* tables module data */ 283 void *ifcfg; /* interface module data */ 284 int *idxmap_back; /* standby skipto array of rules */ |
|
232#if defined( __linux__ ) || defined( _WIN32 ) 233 spinlock_t uh_lock; 234#else 235 struct rwlock uh_lock; /* lock for upper half */ 236#endif 237}; 238 | 285#if defined( __linux__ ) || defined( _WIN32 ) 286 spinlock_t uh_lock; 287#else 288 struct rwlock uh_lock; /* lock for upper half */ 289#endif 290}; 291 |
292/* 64-byte structure representing multi-field table value */ 293struct table_value { 294 uint32_t tag; /* O_TAG/O_TAGGED */ 295 uint32_t pipe; /* O_PIPE/O_QUEUE */ 296 uint16_t divert; /* O_DIVERT/O_TEE */ 297 uint16_t skipto; /* skipto, CALLRET */ 298 uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */ 299 uint32_t fib; /* O_SETFIB */ 300 uint32_t nat; /* O_NAT */ 301 uint32_t nh4; 302 uint8_t dscp; 303 uint8_t spare0[3]; 304 /* -- 32 bytes -- */ 305 struct in6_addr nh6; 306 uint32_t limit; /* O_LIMIT */ 307 uint32_t spare1; 308 uint64_t refcnt; /* Number of references */ 309}; 310 311struct namedobj_instance; 312 313struct named_object { 314 TAILQ_ENTRY(named_object) nn_next; /* namehash */ 315 TAILQ_ENTRY(named_object) nv_next; /* valuehash */ 316 char *name; /* object name */ 317 uint8_t type; /* object type */ 318 uint8_t compat; /* Object name is number */ 319 uint16_t kidx; /* object kernel index */ 320 uint16_t uidx; /* userland idx for compat records */ 321 uint32_t set; /* set object belongs to */ 322 uint32_t refcnt; /* number of references */ 323}; 324TAILQ_HEAD(namedobjects_head, named_object); 325 |
|
239struct sockopt; /* used by tcp_var.h */ | 326struct sockopt; /* used by tcp_var.h */ |
327struct sockopt_data { 328 caddr_t kbuf; /* allocated buffer */ 329 size_t ksize; /* given buffer size */ 330 size_t koff; /* data already used */ 331 size_t kavail; /* number of bytes available */ 332 size_t ktotal; /* total bytes pushed */ 333 struct sockopt *sopt; /* socket data */ 334 caddr_t sopt_val; /* sopt user buffer */ 335 size_t valsize; /* original data size */ 336}; |
|
240 | 337 |
338struct ipfw_ifc; 339 340typedef void (ipfw_ifc_cb)(struct ip_fw_chain *ch, void *cbdata, 341 uint16_t ifindex); 342 343struct ipfw_iface { 344 struct named_object no; 345 char ifname[64]; 346 int resolved; 347 uint16_t ifindex; 348 uint16_t spare; 349 uint64_t gencnt; 350 TAILQ_HEAD(, ipfw_ifc) consumers; 351}; 352 353struct ipfw_ifc { 354 TAILQ_ENTRY(ipfw_ifc) next; 355 struct ipfw_iface *iface; 356 ipfw_ifc_cb *cb; 357 void *cbdata; 358}; 359 |
|
241/* Macro for working with various counters */ | 360/* Macro for working with various counters */ |
361#ifdef USERSPACE |
|
242#define IPFW_INC_RULE_COUNTER(_cntr, _bytes) do { \ 243 (_cntr)->pcnt++; \ 244 (_cntr)->bcnt += _bytes; \ 245 (_cntr)->timestamp = time_uptime; \ 246 } while (0) 247 248#define IPFW_INC_DYN_COUNTER(_cntr, _bytes) do { \ 249 (_cntr)->pcnt++; \ --- 5 unchanged lines hidden (view full) --- 255 (_cntr)->bcnt = 0; \ 256 (_cntr)->timestamp = 0; \ 257 } while (0) 258 259#define IPFW_ZERO_DYN_COUNTER(_cntr) do { \ 260 (_cntr)->pcnt = 0; \ 261 (_cntr)->bcnt = 0; \ 262 } while (0) | 362#define IPFW_INC_RULE_COUNTER(_cntr, _bytes) do { \ 363 (_cntr)->pcnt++; \ 364 (_cntr)->bcnt += _bytes; \ 365 (_cntr)->timestamp = time_uptime; \ 366 } while (0) 367 368#define IPFW_INC_DYN_COUNTER(_cntr, _bytes) do { \ 369 (_cntr)->pcnt++; \ --- 5 unchanged lines hidden (view full) --- 375 (_cntr)->bcnt = 0; \ 376 (_cntr)->timestamp = 0; \ 377 } while (0) 378 379#define IPFW_ZERO_DYN_COUNTER(_cntr) do { \ 380 (_cntr)->pcnt = 0; \ 381 (_cntr)->bcnt = 0; \ 382 } while (0) |
383#else 384#define IPFW_INC_RULE_COUNTER(_cntr, _bytes) do { \ 385 counter_u64_add((_cntr)->cntr, 1); \ 386 counter_u64_add((_cntr)->cntr + 1, _bytes); \ 387 if ((_cntr)->timestamp != time_uptime) \ 388 (_cntr)->timestamp = time_uptime; \ 389 } while (0) |
|
263 | 390 |
264#define IP_FW_ARG_TABLEARG(a) (((a) == IP_FW_TABLEARG) ? tablearg : (a)) | 391#define IPFW_INC_DYN_COUNTER(_cntr, _bytes) do { \ 392 (_cntr)->pcnt++; \ 393 (_cntr)->bcnt += _bytes; \ 394 } while (0) 395 396#define IPFW_ZERO_RULE_COUNTER(_cntr) do { \ 397 counter_u64_zero((_cntr)->cntr); \ 398 counter_u64_zero((_cntr)->cntr + 1); \ 399 (_cntr)->timestamp = 0; \ 400 } while (0) 401 402#define IPFW_ZERO_DYN_COUNTER(_cntr) do { \ 403 (_cntr)->pcnt = 0; \ 404 (_cntr)->bcnt = 0; \ 405 } while (0) 406#endif 407 408#define TARG_VAL(ch, k, f) ((struct table_value *)((ch)->valuestate))[k].f 409#define IP_FW_ARG_TABLEARG(ch, a, f) \ 410 (((a) == IP_FW_TARG) ? TARG_VAL(ch, tablearg, f) : (a)) |
265/* 266 * The lock is heavily used by ip_fw2.c (the main file) and ip_fw_nat.c 267 * so the variable and the macros must be here. 268 */ 269 | 411/* 412 * The lock is heavily used by ip_fw2.c (the main file) and ip_fw_nat.c 413 * so the variable and the macros must be here. 414 */ 415 |
416#if defined( __linux__ ) || defined( _WIN32 ) |
|
270#define IPFW_LOCK_INIT(_chain) do { \ 271 rw_init(&(_chain)->rwmtx, "IPFW static rules"); \ 272 rw_init(&(_chain)->uh_lock, "IPFW UH lock"); \ 273 } while (0) 274 275#define IPFW_LOCK_DESTROY(_chain) do { \ 276 rw_destroy(&(_chain)->rwmtx); \ 277 rw_destroy(&(_chain)->uh_lock); \ 278 } while (0) 279 280#define IPFW_RLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_RLOCKED) 281#define IPFW_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_WLOCKED) 282 | 417#define IPFW_LOCK_INIT(_chain) do { \ 418 rw_init(&(_chain)->rwmtx, "IPFW static rules"); \ 419 rw_init(&(_chain)->uh_lock, "IPFW UH lock"); \ 420 } while (0) 421 422#define IPFW_LOCK_DESTROY(_chain) do { \ 423 rw_destroy(&(_chain)->rwmtx); \ 424 rw_destroy(&(_chain)->uh_lock); \ 425 } while (0) 426 427#define IPFW_RLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_RLOCKED) 428#define IPFW_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_WLOCKED) 429 |
430#define IPFW_RLOCK_TRACKER |
|
283#define IPFW_RLOCK(p) rw_rlock(&(p)->rwmtx) 284#define IPFW_RUNLOCK(p) rw_runlock(&(p)->rwmtx) 285#define IPFW_WLOCK(p) rw_wlock(&(p)->rwmtx) 286#define IPFW_WUNLOCK(p) rw_wunlock(&(p)->rwmtx) 287#define IPFW_PF_RLOCK(p) IPFW_RLOCK(p) 288#define IPFW_PF_RUNLOCK(p) IPFW_RUNLOCK(p) | 431#define IPFW_RLOCK(p) rw_rlock(&(p)->rwmtx) 432#define IPFW_RUNLOCK(p) rw_runlock(&(p)->rwmtx) 433#define IPFW_WLOCK(p) rw_wlock(&(p)->rwmtx) 434#define IPFW_WUNLOCK(p) rw_wunlock(&(p)->rwmtx) 435#define IPFW_PF_RLOCK(p) IPFW_RLOCK(p) 436#define IPFW_PF_RUNLOCK(p) IPFW_RUNLOCK(p) |
437#else /* FreeBSD */ 438#define IPFW_LOCK_INIT(_chain) do { \ 439 rm_init(&(_chain)->rwmtx, "IPFW static rules"); \ 440 rw_init(&(_chain)->uh_lock, "IPFW UH lock"); \ 441 } while (0) |
|
289 | 442 |
443#define IPFW_LOCK_DESTROY(_chain) do { \ 444 rm_destroy(&(_chain)->rwmtx); \ 445 rw_destroy(&(_chain)->uh_lock); \ 446 } while (0) 447 448#define IPFW_RLOCK_ASSERT(_chain) rm_assert(&(_chain)->rwmtx, RA_RLOCKED) 449#define IPFW_WLOCK_ASSERT(_chain) rm_assert(&(_chain)->rwmtx, RA_WLOCKED) 450 451#define IPFW_RLOCK_TRACKER struct rm_priotracker _tracker 452#define IPFW_RLOCK(p) rm_rlock(&(p)->rwmtx, &_tracker) 453#define IPFW_RUNLOCK(p) rm_runlock(&(p)->rwmtx, &_tracker) 454#define IPFW_WLOCK(p) rm_wlock(&(p)->rwmtx) 455#define IPFW_WUNLOCK(p) rm_wunlock(&(p)->rwmtx) 456#define IPFW_PF_RLOCK(p) IPFW_RLOCK(p) 457#define IPFW_PF_RUNLOCK(p) IPFW_RUNLOCK(p) 458#endif 459 |
|
290#define IPFW_UH_RLOCK_ASSERT(_chain) rw_assert(&(_chain)->uh_lock, RA_RLOCKED) 291#define IPFW_UH_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->uh_lock, RA_WLOCKED) 292 293#define IPFW_UH_RLOCK(p) rw_rlock(&(p)->uh_lock) 294#define IPFW_UH_RUNLOCK(p) rw_runlock(&(p)->uh_lock) 295#define IPFW_UH_WLOCK(p) rw_wlock(&(p)->uh_lock) 296#define IPFW_UH_WUNLOCK(p) rw_wunlock(&(p)->uh_lock) 297 | 460#define IPFW_UH_RLOCK_ASSERT(_chain) rw_assert(&(_chain)->uh_lock, RA_RLOCKED) 461#define IPFW_UH_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->uh_lock, RA_WLOCKED) 462 463#define IPFW_UH_RLOCK(p) rw_rlock(&(p)->uh_lock) 464#define IPFW_UH_RUNLOCK(p) rw_runlock(&(p)->uh_lock) 465#define IPFW_UH_WLOCK(p) rw_wlock(&(p)->uh_lock) 466#define IPFW_UH_WUNLOCK(p) rw_wunlock(&(p)->uh_lock) 467 |
468struct obj_idx { 469 uint16_t uidx; /* internal index supplied by userland */ 470 uint16_t kidx; /* kernel object index */ 471 uint16_t off; /* tlv offset from rule end in 4-byte words */ 472 uint8_t spare; 473 uint8_t type; /* object type within its category */ 474}; 475 476struct rule_check_info { 477 uint16_t flags; /* rule-specific check flags */ 478 uint16_t table_opcodes; /* count of opcodes referencing table */ 479 uint16_t urule_numoff; /* offset of rulenum in bytes */ 480 uint8_t version; /* rule version */ 481 uint8_t spare; 482 ipfw_obj_ctlv *ctlv; /* name TLV containter */ 483 struct ip_fw *krule; /* resulting rule pointer */ 484 caddr_t urule; /* original rule pointer */ 485 struct obj_idx obuf[8]; /* table references storage */ 486}; 487 488/* Legacy interface support */ 489/* 490 * FreeBSD 8 export rule format 491 */ 492struct ip_fw_rule0 { 493 struct ip_fw *x_next; /* linked list of rules */ 494 struct ip_fw *next_rule; /* ptr to next [skipto] rule */ 495 /* 'next_rule' is used to pass up 'set_disable' status */ 496 497 uint16_t act_ofs; /* offset of action in 32-bit units */ 498 uint16_t cmd_len; /* # of 32-bit words in cmd */ 499 uint16_t rulenum; /* rule number */ 500 uint8_t set; /* rule set (0..31) */ 501 uint8_t _pad; /* padding */ 502 uint32_t id; /* rule id */ 503 504 /* These fields are present in all rules. */ 505 uint64_t pcnt; /* Packet counter */ 506 uint64_t bcnt; /* Byte counter */ 507 uint32_t timestamp; /* tv_sec of last match */ 508 509 ipfw_insn cmd[1]; /* storage for commands */ 510}; 511 512struct ip_fw_bcounter0 { 513 uint64_t pcnt; /* Packet counter */ 514 uint64_t bcnt; /* Byte counter */ 515 uint32_t timestamp; /* tv_sec of last match */ 516}; 517 518/* Kernel rule length */ 519/* 520 * RULE _K_ SIZE _V_ -> 521 * get kernel size from userland rool version _V_. 
522 * RULE _U_ SIZE _V_ -> 523 * get user size version _V_ from kernel rule 524 * RULESIZE _V_ -> 525 * get user size rule length 526 */ 527/* FreeBSD8 <> current kernel format */ 528#define RULEUSIZE0(r) (sizeof(struct ip_fw_rule0) + (r)->cmd_len * 4 - 4) 529#define RULEKSIZE0(r) roundup2((sizeof(struct ip_fw) + (r)->cmd_len*4 - 4), 8) 530/* FreeBSD11 <> current kernel format */ 531#define RULEUSIZE1(r) (roundup2(sizeof(struct ip_fw_rule) + \ 532 (r)->cmd_len * 4 - 4, 8)) 533#define RULEKSIZE1(r) roundup2((sizeof(struct ip_fw) + (r)->cmd_len*4 - 4), 8) 534 535 536/* In ip_fw_iface.c */ 537int ipfw_iface_init(void); 538void ipfw_iface_destroy(void); 539void vnet_ipfw_iface_destroy(struct ip_fw_chain *ch); 540int ipfw_iface_ref(struct ip_fw_chain *ch, char *name, 541 struct ipfw_ifc *ic); 542void ipfw_iface_unref(struct ip_fw_chain *ch, struct ipfw_ifc *ic); 543void ipfw_iface_add_notify(struct ip_fw_chain *ch, struct ipfw_ifc *ic); 544void ipfw_iface_del_notify(struct ip_fw_chain *ch, struct ipfw_ifc *ic); 545 |
|
298/* In ip_fw_sockopt.c */ | 546/* In ip_fw_sockopt.c */ |
547void ipfw_init_skipto_cache(struct ip_fw_chain *chain); 548void ipfw_destroy_skipto_cache(struct ip_fw_chain *chain); |
|
299int ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id); | 549int ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id); |
300int ipfw_add_rule(struct ip_fw_chain *chain, struct ip_fw *input_rule); 301int ipfw_ctl(struct sockopt *sopt); | 550int ipfw_ctl3(struct sockopt *sopt); |
302int ipfw_chk(struct ip_fw_args *args); | 551int ipfw_chk(struct ip_fw_args *args); |
552void ipfw_reap_add(struct ip_fw_chain *chain, struct ip_fw **head, 553 struct ip_fw *rule); |
|
303void ipfw_reap_rules(struct ip_fw *head); | 554void ipfw_reap_rules(struct ip_fw *head); |
555void ipfw_init_counters(void); 556void ipfw_destroy_counters(void); 557struct ip_fw *ipfw_alloc_rule(struct ip_fw_chain *chain, size_t rulesize); 558int ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt); |
|
304 | 559 |
560typedef int (sopt_handler_f)(struct ip_fw_chain *ch, 561 ip_fw3_opheader *op3, struct sockopt_data *sd); 562struct ipfw_sopt_handler { 563 uint16_t opcode; 564 uint8_t version; 565 uint8_t dir; 566 sopt_handler_f *handler; 567 uint64_t refcnt; 568}; 569#define HDIR_SET 0x01 /* Handler is used to set some data */ 570#define HDIR_GET 0x02 /* Handler is used to retrieve data */ 571#define HDIR_BOTH HDIR_GET|HDIR_SET 572 573void ipfw_init_sopt_handler(void); 574void ipfw_destroy_sopt_handler(void); 575void ipfw_add_sopt_handler(struct ipfw_sopt_handler *sh, size_t count); 576int ipfw_del_sopt_handler(struct ipfw_sopt_handler *sh, size_t count); 577caddr_t ipfw_get_sopt_space(struct sockopt_data *sd, size_t needed); 578caddr_t ipfw_get_sopt_header(struct sockopt_data *sd, size_t needed); 579#define IPFW_ADD_SOPT_HANDLER(f, c) do { \ 580 if ((f) != 0) \ 581 ipfw_add_sopt_handler(c, \ 582 sizeof(c) / sizeof(c[0])); \ 583 } while(0) 584#define IPFW_DEL_SOPT_HANDLER(l, c) do { \ 585 if ((l) != 0) \ 586 ipfw_del_sopt_handler(c, \ 587 sizeof(c) / sizeof(c[0])); \ 588 } while(0) 589 590typedef void (objhash_cb_t)(struct namedobj_instance *ni, struct named_object *, 591 void *arg); 592typedef uint32_t (objhash_hash_f)(struct namedobj_instance *ni, void *key, 593 uint32_t kopt); 594typedef int (objhash_cmp_f)(struct named_object *no, void *key, uint32_t kopt); 595struct namedobj_instance *ipfw_objhash_create(uint32_t items); 596void ipfw_objhash_destroy(struct namedobj_instance *); 597void ipfw_objhash_bitmap_alloc(uint32_t items, void **idx, int *pblocks); 598void ipfw_objhash_bitmap_merge(struct namedobj_instance *ni, 599 void **idx, int *blocks); 600void ipfw_objhash_bitmap_swap(struct namedobj_instance *ni, 601 void **idx, int *blocks); 602void ipfw_objhash_bitmap_free(void *idx, int blocks); 603void ipfw_objhash_set_hashf(struct namedobj_instance *ni, objhash_hash_f *f); 604struct named_object *ipfw_objhash_lookup_name(struct namedobj_instance *ni, 605 uint32_t set, char 
*name); 606struct named_object *ipfw_objhash_lookup_kidx(struct namedobj_instance *ni, 607 uint16_t idx); 608int ipfw_objhash_same_name(struct namedobj_instance *ni, struct named_object *a, 609 struct named_object *b); 610void ipfw_objhash_add(struct namedobj_instance *ni, struct named_object *no); 611void ipfw_objhash_del(struct namedobj_instance *ni, struct named_object *no); 612uint32_t ipfw_objhash_count(struct namedobj_instance *ni); 613void ipfw_objhash_foreach(struct namedobj_instance *ni, objhash_cb_t *f, 614 void *arg); 615int ipfw_objhash_free_idx(struct namedobj_instance *ni, uint16_t idx); 616int ipfw_objhash_alloc_idx(void *n, uint16_t *pidx); 617void ipfw_objhash_set_funcs(struct namedobj_instance *ni, 618 objhash_hash_f *hash_f, objhash_cmp_f *cmp_f); 619 |
|
305/* In ip_fw_table.c */ | 620/* In ip_fw_table.c */ |
306struct radix_node; | 621struct table_info; 622 623typedef int (table_lookup_t)(struct table_info *ti, void *key, uint32_t keylen, 624 uint32_t *val); 625 |
307int ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, 308 uint32_t *val); | 626int ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, 627 uint32_t *val); |
309int ipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, 310 uint32_t *val, int type); 311int ipfw_init_tables(struct ip_fw_chain *ch); 312void ipfw_destroy_tables(struct ip_fw_chain *ch); 313int ipfw_flush_table(struct ip_fw_chain *ch, uint16_t tbl); 314int ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, 315 uint8_t plen, uint8_t mlen, uint8_t type, uint32_t value); 316int ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, 317 uint8_t plen, uint8_t mlen, uint8_t type); 318int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt); 319int ipfw_dump_table_entry(struct radix_node *rn, void *arg); 320int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl); 321int ipfw_count_xtable(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt); 322int ipfw_dump_xtable(struct ip_fw_chain *ch, ipfw_xtable *tbl); | 628int ipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, uint16_t plen, 629 void *paddr, uint32_t *val); 630int ipfw_init_tables(struct ip_fw_chain *ch, int first); |
323int ipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables); | 631int ipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables); |
632int ipfw_switch_tables_namespace(struct ip_fw_chain *ch, unsigned int nsets); 633void ipfw_destroy_tables(struct ip_fw_chain *ch, int last); |
|
324 325/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */ 326 327extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); 328 329typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *); 330typedef int ipfw_nat_cfg_t(struct sockopt *); 331 --- 12 unchanged lines hidden --- | 634 635/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */ 636 637extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); 638 639typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *); 640typedef int ipfw_nat_cfg_t(struct sockopt *); 641 --- 12 unchanged lines hidden --- |
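Review bot: `HDIR_BOTH` on the new side (line 571, `#define HDIR_BOTH HDIR_GET|HDIR_SET`) expands unparenthesized, so a mask test such as `if (sh->dir & HDIR_BOTH)` parses as `(sh->dir & HDIR_GET) | HDIR_SET` and is always non-zero; it should read `#define HDIR_BOTH (HDIR_GET|HDIR_SET)`. `struct table_value` (line 292) is described as a 64-byte structure and `TARG_VAL` indexes `valuestate` by that size, but nothing enforces the layout; a `CTASSERT(sizeof(struct table_value) == 64);` after the definition would catch a padding or field change before it corrupts the lookup. The FreeBSD `IPFW_RLOCK`/`IPFW_RUNLOCK` now reference a `_tracker` variable, so a comment beside `IPFW_RLOCK_TRACKER` such as `/* must be declared in every function that takes IPFW_RLOCK; empty on non-FreeBSD */` would document the new contract for callers. Whether any caller actually tests `HDIR_BOTH` as a mask is not visible in this header.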