ip_fw_dynamic.c (200580) ip_fw_dynamic.c (200601)
1/*-
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 10 unchanged lines hidden (view full) ---

19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 */
25
26#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 10 unchanged lines hidden (view full) ---

19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 */
25
26#include <sys/cdefs.h>
27__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_dynamic.c 200580 2009-12-15 16:15:14Z luigi $");
27__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_dynamic.c 200601 2009-12-16 10:48:40Z luigi $");
28
29#define DEB(x)
30#define DDB(x) x
31
32/*
33 * Dynamic rule support for ipfw
34 */
35

--- 73 unchanged lines hidden (view full) ---

109 * Each dynamic rule holds a pointer to the parent ipfw rule so
110 * we know what action to perform. Dynamic rules are removed when
111 * the parent rule is deleted. XXX we should make them survive.
112 *
113 * There are some limitations with dynamic rules -- we do not
114 * obey the 'randomized match', and we do not do multiple
115 * passes through the firewall. XXX check the latter!!!
116 */
28
29#define DEB(x)
30#define DDB(x) x
31
32/*
33 * Dynamic rule support for ipfw
34 */
35

--- 73 unchanged lines hidden (view full) ---

109 * Each dynamic rule holds a pointer to the parent ipfw rule so
110 * we know what action to perform. Dynamic rules are removed when
111 * the parent rule is deleted. XXX we should make them survive.
112 *
113 * There are some limitations with dynamic rules -- we do not
114 * obey the 'randomized match', and we do not do multiple
115 * passes through the firewall. XXX check the latter!!!
116 */
117
118/*
119 * Static variables followed by global ones
120 */
117static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v);
118static VNET_DEFINE(u_int32_t, dyn_buckets);
119static VNET_DEFINE(u_int32_t, curr_dyn_buckets);
120static VNET_DEFINE(struct callout, ipfw_timeout);
121#define V_ipfw_dyn_v VNET(ipfw_dyn_v)
122#define V_dyn_buckets VNET(dyn_buckets)
123#define V_curr_dyn_buckets VNET(curr_dyn_buckets)
124#define V_ipfw_timeout VNET(ipfw_timeout)

--- 244 unchanged lines hidden (view full) ---

369 q=q->next;
370 }
371 }
372 if (pass++ < max_pass)
373 goto next_pass;
374}
375
376void
121static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v);
122static VNET_DEFINE(u_int32_t, dyn_buckets);
123static VNET_DEFINE(u_int32_t, curr_dyn_buckets);
124static VNET_DEFINE(struct callout, ipfw_timeout);
125#define V_ipfw_dyn_v VNET(ipfw_dyn_v)
126#define V_dyn_buckets VNET(dyn_buckets)
127#define V_curr_dyn_buckets VNET(curr_dyn_buckets)
128#define V_ipfw_timeout VNET(ipfw_timeout)

--- 244 unchanged lines hidden (view full) ---

373 q=q->next;
374 }
375 }
376 if (pass++ < max_pass)
377 goto next_pass;
378}
379
380void
377remove_dyn_children(struct ip_fw *rule)
381ipfw_remove_dyn_children(struct ip_fw *rule)
378{
379 IPFW_DYN_LOCK();
380 remove_dyn_rule(rule, NULL /* force removal */);
381 IPFW_DYN_UNLOCK();
382}
383
384/**
382{
383 IPFW_DYN_LOCK();
384 remove_dyn_rule(rule, NULL /* force removal */);
385 IPFW_DYN_UNLOCK();
386}
387
388/**
385 * lookup a dynamic rule.
389 * lookup a dynamic rule, locked version
386 */
390 */
387ipfw_dyn_rule *
391static ipfw_dyn_rule *
388lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
389 struct tcphdr *tcp)
390{
391 /*
392 * stateful ipfw extensions.
393 * Lookup into dynamic session queue
394 */
395#define MATCH_REVERSE 0

--- 127 unchanged lines hidden (view full) ---

523 }
524done:
525 if (match_direction)
526 *match_direction = dir;
527 return q;
528}
529
530ipfw_dyn_rule *
392lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction,
393 struct tcphdr *tcp)
394{
395 /*
396 * stateful ipfw extensions.
397 * Lookup into dynamic session queue
398 */
399#define MATCH_REVERSE 0

--- 127 unchanged lines hidden (view full) ---

527 }
528done:
529 if (match_direction)
530 *match_direction = dir;
531 return q;
532}
533
534ipfw_dyn_rule *
531lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
535ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
532 struct tcphdr *tcp)
533{
534 ipfw_dyn_rule *q;
535
536 IPFW_DYN_LOCK();
537 q = lookup_dyn_rule_locked(pkt, match_direction, tcp);
538 if (q == NULL)
539 IPFW_DYN_UNLOCK();

--- 154 unchanged lines hidden (view full) ---

694
695/**
696 * Install dynamic state for rule type cmd->o.opcode
697 *
698 * Returns 1 (failure) if state is not installed because of errors or because
699 * session limitations are enforced.
700 */
701int
536 struct tcphdr *tcp)
537{
538 ipfw_dyn_rule *q;
539
540 IPFW_DYN_LOCK();
541 q = lookup_dyn_rule_locked(pkt, match_direction, tcp);
542 if (q == NULL)
543 IPFW_DYN_UNLOCK();

--- 154 unchanged lines hidden (view full) ---

698
699/**
700 * Install dynamic state for rule type cmd->o.opcode
701 *
702 * Returns 1 (failure) if state is not installed because of errors or because
703 * session limitations are enforced.
704 */
705int
702install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
706ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
703 struct ip_fw_args *args, uint32_t tablearg)
704{
705 static int last_log;
706 ipfw_dyn_rule *q;
707 struct in_addr da;
708#ifdef INET6
709 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
710#else

--- 161 unchanged lines hidden (view full) ---

872 * Generate a TCP packet, containing either a RST or a keepalive.
873 * When flags & TH_RST, we are sending a RST packet, because of a
874 * "reset" action matched the packet.
875 * Otherwise we are sending a keepalive, and flags & TH_
876 * The 'replyto' mbuf is the mbuf being replied to, if any, and is required
877 * so that MAC can label the reply appropriately.
878 */
879struct mbuf *
707 struct ip_fw_args *args, uint32_t tablearg)
708{
709 static int last_log;
710 ipfw_dyn_rule *q;
711 struct in_addr da;
712#ifdef INET6
713 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
714#else

--- 161 unchanged lines hidden (view full) ---

876 * Generate a TCP packet, containing either a RST or a keepalive.
877 * When flags & TH_RST, we are sending a RST packet, because of a
878 * "reset" action matched the packet.
879 * Otherwise we are sending a keepalive, and flags & TH_
880 * The 'replyto' mbuf is the mbuf being replied to, if any, and is required
881 * so that MAC can label the reply appropriately.
882 */
883struct mbuf *
880send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
884ipfw_send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
881 u_int32_t ack, int flags)
882{
883 struct mbuf *m;
884 int len, dir;
885 struct ip *h = NULL; /* stupid compiler */
886#ifdef INET6
887 struct ip6_hdr *h6 = NULL;
888#endif

--- 171 unchanged lines hidden (view full) ---

1060 if ( (q->state & BOTH_SYN) != BOTH_SYN)
1061 continue;
1062 if (TIME_LEQ(time_uptime + V_dyn_keepalive_interval,
1063 q->expire))
1064 continue; /* too early */
1065 if (TIME_LEQ(q->expire, time_uptime))
1066 continue; /* too late, rule expired */
1067
885 u_int32_t ack, int flags)
886{
887 struct mbuf *m;
888 int len, dir;
889 struct ip *h = NULL; /* stupid compiler */
890#ifdef INET6
891 struct ip6_hdr *h6 = NULL;
892#endif

--- 171 unchanged lines hidden (view full) ---

1064 if ( (q->state & BOTH_SYN) != BOTH_SYN)
1065 continue;
1066 if (TIME_LEQ(time_uptime + V_dyn_keepalive_interval,
1067 q->expire))
1068 continue; /* too early */
1069 if (TIME_LEQ(q->expire, time_uptime))
1070 continue; /* too late, rule expired */
1071
1068 m = send_pkt(NULL, &(q->id), q->ack_rev - 1,
1072 m = ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1,
1069 q->ack_fwd, TH_SYN);
1073 q->ack_fwd, TH_SYN);
1070 mnext = send_pkt(NULL, &(q->id), q->ack_fwd - 1,
1074 mnext = ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1,
1071 q->ack_rev, 0);
1072
1073 switch (q->id.addr_type) {
1074 case 4:
1075 if (m != NULL) {
1076 *mtailp = m;
1077 mtailp = &(*mtailp)->m_nextpkt;
1078 }

--- 138 unchanged lines hidden (view full) ---

1217 bp += sizeof(ipfw_dyn_rule);
1218 }
1219 }
1220 IPFW_DYN_UNLOCK();
1221 if (last != NULL) /* mark last dynamic rule */
1222 bzero(&last->next, sizeof(last));
1223 *pbp = bp;
1224}
1075 q->ack_rev, 0);
1076
1077 switch (q->id.addr_type) {
1078 case 4:
1079 if (m != NULL) {
1080 *mtailp = m;
1081 mtailp = &(*mtailp)->m_nextpkt;
1082 }

--- 138 unchanged lines hidden (view full) ---

1221 bp += sizeof(ipfw_dyn_rule);
1222 }
1223 }
1224 IPFW_DYN_UNLOCK();
1225 if (last != NULL) /* mark last dynamic rule */
1226 bzero(&last->next, sizeof(last));
1227 *pbp = bp;
1228}
1229/* end of file */
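Review bot: `ipfw_lookup_dyn_rule` (new-side lines 535-543) takes IPFW_DYN_LOCK and releases it only on the `q == NULL` path, so a successful lookup hands the dynamic-rule lock back to the caller still held; now that the rename makes this the module's exported entry point while `lookup_dyn_rule_locked` becomes static, that contract is no longer discoverable from the name and should be written above the definition, e.g. `/* Look up a dynamic rule. On a match the rule is returned with IPFW_DYN_LOCK held and the caller must IPFW_DYN_UNLOCK(); on no match NULL is returned with the lock released. */`. The rest of the function body is hidden past the hunk, so I am assuming no other unlock path exists there. As an aside in the unchanged context at line 1226, `bzero(&last->next, sizeof(last))` zeroes the size of a pointer, which only coincidentally matches the `next` field; `sizeof(last->next)` states the intent.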