f0a0420d | 12-Jun-2024 | Doug Moore <dougm@FreeBSD.org>
powerof2: replace loops with fls or ilog2

In several places, a loop tests for powers of two, or iterates through powers of two. In those places, replace the loop with an invocation of fls or ilog2 without changing the meaning of the code.

Reviewed by: alc, markj, kib, np, erj, avg (previous version)
Differential Revision: https://reviews.freebsd.org/D45494

685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

fc727ad6 | 24-Apr-2023 | Boris Lytochkin <lytboris@gmail.com>
ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf, while regular tags require a single-linked list traversal.

Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number, with an optional mask applied before comparison.

Having a generic nature, Mark can be used for a variety of needs. For example, it could be used as a security group: the mark will hold a security group id and represent a group of packet flows that share the same access control policy.

Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month

81cac390 | 04-Jun-2022 | Arseny Smalyuk <smalukav@gmail.com>
ipfw: add support for radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using a new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added.

Usage example:
  ipfw table 1 create type mac
  ipfw table 1 add 11:22:33:44:55:66/48
  ipfw add skipto tablearg src-mac 'table(1)'
  ipfw add deny src-mac 'table(1, 100)'
  ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.

Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103

60a28b09 | 18-Dec-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipfw: plug set-but-not-used vars

Sponsored by: Rubicon Communications, LLC ("Netgate")

662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files

57ddf396 | 19-Dec-2019 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw: Don't rollback state in alloc_table_vidx() if atomicity is not required.

Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D22662

00b45f58 | 19-Dec-2019 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Revert r355908 to commit it with a proper message.

88026663 | 19-Dec-2019 | Alexander V. Chernikov <melifaro@FreeBSD.org>
svn-commit.tmp

f712b161 | 31-Jan-2019 | Gleb Smirnoff <glebius@FreeBSD.org>
Revert r316461: Remove "IPFW static rules" rmlock, and use pfil's global lock.

The pfil(9) system is about to be converted to epoch(9) synchronization, so we need to [temporarily] go back to ipfw internal locking.

Discussed with: ae

3995ad17 | 11-Apr-2018 | Oleg Bulyzhin <oleg@FreeBSD.org>
Fix ipfw table creation when net.inet.ip.fw.tables_sets = 0 and a non-zero set is specified on table creation.

This fixes the following:

# sysctl net.inet.ip.fw.tables_sets
net.inet.ip.fw.tables_sets: 0
# ipfw table all info
# ipfw set 1 table 1 create type addr
# ipfw set 1 table 1 create type addr
# ipfw add 10 set 1 count ip from table\(1\) to any
00010 count ip from table(1) to any
# ipfw add 10 set 1 count ip from table\(1\) to any
00010 count ip from table(1) to any
# ipfw table all info
--- table(1), set(1) ---
 kindex: 4, type: addr
 references: 1, valtype: legacy
 algorithm: addr:radix
 items: 0, size: 296
--- table(1), set(1) ---
 kindex: 3, type: addr
 references: 1, valtype: legacy
 algorithm: addr:radix
 items: 0, size: 296
--- table(1), set(1) ---
 kindex: 2, type: addr
 references: 0, valtype: legacy
 algorithm: addr:radix
 items: 0, size: 296
--- table(1), set(1) ---
 kindex: 1, type: addr
 references: 0, valtype: legacy
 algorithm: addr:radix
 items: 0, size: 296
#

MFC after: 1 week

fe267a55 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use the BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.

369bc48d | 20-Sep-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Do not acquire IPFW_WLOCK when a named object is created and destroyed.

Acquiring IPFW_WLOCK is required for cases when we are going to change some data that can be accessed during processing of the packet flow. When we create a new named object, there are not yet any rules that reference it, thus holding IPFW_UH_WLOCK is enough to safely update the needed structures. When we destroy an object, we do this only when its reference counter becomes zero. And it is safe to not acquire IPFW_WLOCK, because no one references it. Another case is when we failed to finish some action and thus we are doing rollback and destroying an object; in this case it is still not referenced by rules and there is no need to acquire IPFW_WLOCK.

This also fixes a panic with INVARIANTS due to recursive IPFW_WLOCK acquiring.

MFC after: 1 week
Sponsored by: Yandex LLC

9ffd0f54 | 20-Jul-2017 | Luiz Otavio O Souza <loos@FreeBSD.org>
Fix a couple of typos in a comment.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC (Netgate)

88d950a6 | 03-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove "IPFW static rules" rmlock. Make PFIL's lock global and use it for this purpose. This reduces the number of locks needed to acquire for each packet.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
No objection from: #network
Differential Revision: https://reviews.freebsd.org/D10154

f621c2cd | 09-Mar-2017 | Maxim Konovalov <maxim@FreeBSD.org>
o Typo in the comment fixed.

PR: 217617
Submitted by: lutz

54e5669d | 05-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add IPv6 support to O_IP_DST_LOOKUP opcode.

o check the size of O_IP_SRC_LOOKUP opcode, it can not exceed the size of ipfw_insn_u32;
o rename ipfw_lookup_table_extended() function into ipfw_lookup_table() and remove old ipfw_lookup_table();
o use args->f_id.flow_id6 that is in host byte order to get DSCP value;
o add SCTP ports support to 'lookup src/dst-port' opcode;
o add IPv6 support to 'lookup src/dst-ip' opcode.

PR: 217292
Reviewed by: melifaro
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9873

308f2c6d | 19-Oct-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix `ipfw table lookup` handler to return the entry value, not its index.

Submitted by: loos
MFC after: 1 week

70c1466d | 13-Sep-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix swapping tables between sets when this functionality is enabled.

We have 6 opcode rewriters for table opcodes. When the `set swap' command is invoked, it is called for each rewriter, so at the end we get the same result, because the opcode rewriter uses the ETLV type to match the opcode. And all table opcodes have the same ETLV type. To solve this problem, use a separate sets handler for one opcode rewriter. Use it to handle TEST_ALL, SWAP_ALL and MOVE_ALL commands.

PR: 212630
MFC after: 1 week

6951cecf | 13-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add three helper functions to manage tables from external modules.

ipfw_objhash_lookup_table_kidx looks up the kernel index of a table; ipfw_ref_table/ipfw_unref_table take and release a reference to a table.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

2685841b | 17-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Make named objects set-aware. Now it is possible to create named objects with the same name in different sets.

Add optional manage_sets() callback to objects rewriting framework. It is intended to implement handler for moving and swapping named object's sets.

Add ipfw_obj_manage_sets() function that implements generic sets handler. Use new callback to implement sets support for lookup tables.

External actions objects are global and they don't support sets. Modify eaction_findbyname() to reflect this.

ipfw(8) now may fail to move rules or sets, because some named objects in target set may have conflicting names. Note that ipfw_obj_ntlv type was changed, but since lookup tables actually didn't support sets, this change is harmless.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

b309f085 | 05-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Change the type of objhash_cb_t callback function to be able to return an error code. Use it to interrupt the loop in ipfw_objhash_foreach().

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

2df1a11f | 05-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Rename find_name_tlv_type() to ipfw_find_name_tlv_type() and make it global. Use it in ip_fw_table.c instead of find_name_tlv() to reduce duplicated code.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

a4641f4e | 03-May-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys/net*: minor spelling fixes.

No functional change.

7a6ab8f1 | 14-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
netpfil: for pointers replace 0 with NULL.

These are mostly cosmetical, no functional change.

Found with devel/coccinelle.
Reviewed by: ae

f976a4ed | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Move several functions related to opcode rewriting framework from ip_fw_table.c into ip_fw_sockopt.c and make them static.

Obtained from: Yandex LLC

36738284 | 09-Jan-2016 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Use already pre-calculated number of entries instead of tc->count.

ee09cb0b | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove now obsolete KASSERT. Actually, object classify callbacks can skip some opcodes that could be rewritten. We will determine the real number of rewritten opcodes a bit later in this function.

Reported by: David H. Wolfskill <david at catwhisker dot org>

748c9559 | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Eliminate any conditional increments of object_opcodes in the check_ipfw_rule_body() function. This function is intended to just determine that a rule has some opcodes that can be rewritten. Then the ref_rule_objects() function will determine the real number of rewritten opcodes using the classify callback.

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

f81431cc | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_check_object_name_generic() function to do basic checks for an object name correctness. Each type of object can do more strict checking in its own implementation. Do such checks for tables in check_table_name().

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

b45fa3fa | 06-May-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix panic when prepare_batch_buffer() returns error.

caf99391 | 30-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix KASSERT introduced in r282155.

Found by: dhw

e9484895 | 28-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix panic introduced by r282070. Arm friendly KASSERT() to ease debug of similar crashes.

Submitted by: Olivier Cochard-Labbé

74b22066 | 27-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Make rule table kernel-index rewriting support any kind of objects.

Currently we have tables identified by their names in userland with internal kernel-assigned indices. This works the following way:

When userland wishes to communicate with kernel to add or change rule(s), it makes indexed sorted array of table names (internally ipfw_obj_ntlv entries), and refer to indices in that array in rule manipulation. Prior to committing new rule to the ruleset kernel a) finds all referenced tables, bump their refcounts and change values inside the opcodes to be real kernel indices b) auto-creates all referenced but not existing tables and then do a) for them.

Kernel does almost the same when exporting rules to userland: prepares array of used tables in all rules in range, and prepends it before the actual ruleset retaining actual in-kernel indexes for that.

There is also special translation layer for legacy clients which is able to provide 'real' indices for table names (basically doing atoi()).

While it is arguable that every subsystem really needs names instead of numbers, there are several things that should be noted:
1) every non-singleton subsystem needs to store its runtime state somewhere inside ipfw chain (and be able to get it fast)
2) we can't assume object numbers provided by humans will be dense. Existing nat implementation (O(n) access and LIST inside chain) is a good example.

Hence the following:
* Convert table-centric rewrite code to be more generic, callback-based
* Move most of the code from ip_fw_table.c to ip_fw_sockopt.c
* Provide abstract API to permit subsystems convert their objects between userland string identifier and in-kernel index. (See struct opcode_obj_rewrite) for more details
* Create another per-chain index (in next commit) shared among all subsystems
* Convert current NAT44 implementation to use new API, O(1) lookups, shared index and names instead of numbers (in next commit).

Sponsored by: Yandex LLC

0caab009 | 05-Feb-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Make sure table algorithm destroy hook is always called without locks
* Explicitly lock freeing interface references in ta_destroy_ifidx
* Change ipfw_iface_unref() to require UH lock
* Add forgotten ipfw_iface_unref() to destroy_ifidx_locked()

PR: kern/197276
Submitted by: lev
Sponsored by: Yandex LLC

038263c3 | 04-Nov-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Remove unused variable.

Found by: Coverity
CID: 1245739

4040f4ec | 19-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Perform more checks on the number of tables supplied by user.

4c060d85 | 09-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix core on table destroy introduced by table values code. Rename @ti array copy to 'ti_copy'.

79e86902 | 07-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Notify table algo about runtime data change on table flush.

8ebca97f | 07-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Fix crash in interface tracker due to using old "linked" field.
* Ensure we're flushing entries without any locks held.
* Free memory in (rare) case when interface tracker fails to register ifp.
* Add KASSERT on table values refcounts.

d4e1b515 | 04-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix build with gcc.

ccba94b8 | 04-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Switch ipfw to use rmlock for runtime locking.

1a33e799 | 05-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Change copyrights to the proper one.

6b988f3a | 05-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Use modular opcode handling inside ipfw_ctl3() instead of static switch.
* Provide hints for subsystem initializers if they are called for the first/last time.
* Convert every IP_FW3 opcode user to use new sopt API.

e822d936 | 03-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Be consistent and use same arguments for ctl3 opcodes. Move legacy IP_FW_TABLE_XGETSIZE handling to separate function.

fb4b37a3 | 02-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Fix crash due to forgotten value refcounting in ipfw_link_table_values()
* Fix argument order in rollback_toperation_state()
* Make flush_table() use operation state API to ease checks.

71af39bf | 02-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Add more comments on newly-added functions. Add back opstate handler function.

0cba2b28 | 31-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Add support for multi-field values inside ipfw tables.

This is the last major change in given branch.

Kernel changes:
* Use 64-bytes structures to hold multi-value variables.
* Use shared array to hold values from all tables (assume each table algo is capable of holding 32-byte variables).
* Add some placeholders to support per-table value arrays in future.
* Use simple eventhandler-style API to ease the process of adding new table items. Currently table addition may require multiple UH drops/acquires which is quite tricky due to atomic table modification/swap support, shared array resize, etc. Deal with it by calling special notifier capable of rolling back state before actually performing swap/resize operations. Original operation then restarts itself after acquiring UH lock.
* Bump all objhash users default values to at least 64
* Fix custom hashing inside objhash.

Userland changes:
* Add support for dumping shared value array via "vlist" internal cmd.
* Some small print/fill_flags fixes to support u32 values.
* valtype is now bitmask of <skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>. New values can hold distinct values for each of this types.
* Provide special "legacy" type which assumes all values are the same.
* More helpers/docs following..

Some examples:

3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
3:41 [1] zfscurr0# ipfw table mimimi info
+++ table(mimimi), set(0) +++
 kindex: 2, type: addr
 references: 0, valtype: skipto,limit,ipv4,ipv6
 algorithm: addr:radix
 items: 0, size: 296
3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
3:42 [1] zfscurr0# ipfw table mimimi list
+++ table(mimimi), set(0) +++
10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1

867708f7 | 22-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Simplify table reference/create chain.

4dff4ae0 | 23-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Use OP_ADD/OP_DEL macro instead of plain integers.
* ipfw_foreach_table_tentry() to permit listing arbitrary ipfw table using standard format.

4bbd1577 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Make room for multi-type values in struct tentry.

c21034b7 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Replace "cidr" table type with "addr" type.

Suggested by: luigi

d3b00c08 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add cidr:kfib algo type just for fun. It binds kernel fib of given number to a table.

Example:

# ipfw table fib2 create algo "cidr:kfib fib=2"
# ipfw table fib2 info
+++ table(fib2), set(0) +++
 kindex: 2, type: cidr, locked
 valtype: number, references: 0
 algorithm: cidr:kfib fib=2
 items: 11, size: 288
# ipfw table fib2 list
+++ table(fib2), set(0) +++
10.0.0.0/24 0
127.0.0.1/32 0
::/96 0
::1/128 0
::ffff:0.0.0.0/96 0
2a02:978:2::/112 0
fe80::/10 0
fe80:1::/64 0
fe80:2::/64 0
fe80:3::/64 0
ff02::/16 0
# ipfw table fib2 lookup 10.0.0.5
10.0.0.0/24 0
# ipfw table fib2 lookup 2a02:978:2::11
2a02:978:2::/112 0
# ipfw table fib2 detail
+++ table(fib2), set(0) +++
 kindex: 2, type: cidr, locked
 valtype: number, references: 0
 algorithm: cidr:kfib fib=2
 items: 11, size: 288
 IPv4 algorithm radix info
  items: 0 itemsize: 200
 IPv6 algorithm radix info
  items: 0 itemsize: 200

fd0869d5 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Document internal commands.
* Do not require/set default table type if algo name is specified.
* Add TA_FLAG_READONLY option for algorithms.

18ad4197 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Fix displaying dynamic rules for large rulesets.
* Clean up some comments.

fddbbf75 | 13-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix assertion.

40e5f498 | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Pass proper table set numbers from userland side.
* Ignore them, but honor V_fw_tables_sets value on kernel side.

c8d5d308 | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Clarify ipfw_swap_table operations
* Ensure <add|del>_table_entry handle ta change properly.

e5eec6dd | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Rename ipfw_[un]bind_table_rule to ipfw_[un]ref_rule_tables
* Update their descriptions.

1940fa77 | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Change tablearg value to be 0 (try #2).

Most of the tablearg-supported opcodes do not accept 0 as a valid value: O_TAG, O_TAGGED, O_PIPE, O_QUEUE, O_DIVERT, O_TEE, O_SKIPTO, O_CALLRET, O_NETGRAPH, O_NGTEE, O_NAT treat 0 as invalid input. The rest are O_SETDSCP and O_SETFIB. 'Fix' them by adding high-order bit (0x8000) set for non-tablearg values. Do translation in kernel for old clients (import_rule0 / export_rule0), teach current ipfw(8) binary to add/remove given bit.

This change does not affect handling SETDSCP values, but limit O_SETFIB values to 32767 instead of 65k. Since currently we have either old (16) or new (2^32) max fibs, this should not be a big deal: we're definitely OK for former and have to add another opcode to deal with latter, regardless of tablearg value.

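The encoding the commit message above describes, worked through as an added example (this is not code from the FreeBSD tree; the macro and function names below are this example's own, only the numbers 0, 65535, 0x8000 and 32767 come from the commit message). It shows why O_SETFIB needs the high-order "literal value" bit while opcodes such as O_SKIPTO do not, and how a legacy client's 65535 tablearg is translated in both directions:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Names are this example's own; the commit message gives only the numbers. */
#define IP_FW_TABLEARG_NEW   0u        /* "take the value from the table" after the change */
#define IP_FW_TABLEARG_OLD   65535u    /* marker understood by pre-change (legacy) clients */
#define IP_FW_VALUE_BIT      0x8000u   /* set on every literal (non-tablearg) SETFIB value */
#define IP_FW_SETFIB_MAX     0x7fffu   /* 32767: largest fib that still fits in 15 bits */
#define ENC_ERR              (-1)      /* returned when a value cannot be encoded */

/*
 * O_SETFIB / O_SETDSCP: 0 is a legitimate argument ("fib 0"), so tablearg
 * cannot simply be 0 unless literals are tagged. Returns the 16-bit opcode
 * argument, or ENC_ERR if the fib does not fit in the remaining 15 bits.
 */
int setfib_encode(uint32_t fib, bool tablearg)
{
	if (tablearg)
		return (int)IP_FW_TABLEARG_NEW;
	if (fib > IP_FW_SETFIB_MAX)
		return ENC_ERR;
	return (int)(IP_FW_VALUE_BIT | fib);
}

/* Match-time decoding of a stored O_SETFIB argument. */
bool arg_is_tablearg(uint16_t arg)
{
	return arg == IP_FW_TABLEARG_NEW;
}

uint16_t setfib_decode(uint16_t arg)
{
	return arg & IP_FW_SETFIB_MAX;
}

/*
 * O_SKIPTO, O_PIPE, O_NAT, ...: 0 was never a valid argument, so the bare
 * value is stored and 0 alone means tablearg. No tag bit needed.
 */
int plain_encode(uint32_t v, bool tablearg)
{
	if (tablearg)
		return (int)IP_FW_TABLEARG_NEW;
	if (v == 0 || v > 0xffffu)
		return ENC_ERR;
	return (int)v;
}

/* import_rule0-style translation of a legacy client's O_SETFIB argument. */
int import_legacy_setfib(uint16_t old_arg)
{
	if (old_arg == IP_FW_TABLEARG_OLD)
		return (int)IP_FW_TABLEARG_NEW;
	return setfib_encode(old_arg, false);   /* fails above 32767, as the message says */
}

/* export_rule0-style translation back into what a legacy client expects. */
uint16_t export_legacy_setfib(uint16_t new_arg)
{
	if (arg_is_tablearg(new_arg))
		return (uint16_t)IP_FW_TABLEARG_OLD;
	return setfib_decode(new_arg);
}

int main(void)
{
	/* Constructed inputs: a literal fib, a tablearg, and a legacy rule. */
	printf("setfib 5      -> 0x%04x\n", setfib_encode(5, false));
	printf("setfib tablearg -> 0x%04x\n", setfib_encode(0, true));
	printf("legacy 65535  -> 0x%04x\n", import_legacy_setfib(65535));
	printf("legacy 40000  -> %d (too large)\n", import_legacy_setfib(40000));
	return 0;
}
```

The asymmetry is the point: without the 0x8000 bit, a rule written as `setfib 0` and a rule written as `setfib tablearg` would be stored identically, so the kernel could not tell a literal from a table-driven value.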
301290bc | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Rename has_space to need_modify to be consistent with 0 as return values.
* document all callbacks supported by algorithms code.

f99fbf96 | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
No functional changes, do better functions grouping.

0468c5ba | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Simplify table auto-creation for old userland users.

1bc0d457 | 11-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Simplify add/del_table_entry() by making their common pieces common functions.

35e1bbd0 | 11-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Update functions descriptions.

4f43138a | 11-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add the ability to lock/unlock given table from changes.

Example:

# ipfw table si lock
# ipfw table si info
+++ table(si), set(0) +++
 kindex: 0, type: cidr, locked
 valtype: number, references: 0
 algorithm: cidr:radix
 items: 0, size: 288
# ipfw table si add 4.5.6.7
ignored: 4.5.6.7/32 0
ipfw: Adding record failed: table is locked
# ipfw table si unlock
# ipfw table si add 4.5.6.7
added: 4.5.6.7/32 0
# ipfw table si lock
# ipfw table si delete 4.5.6.7
ignored: 4.5.6.7/32 0
ipfw: Deleting record failed: table is locked
# ipfw table si unlock
# ipfw table si delete 4.5.6.7
deleted: 4.5.6.7/32 0

3a845e10 | 11-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add support for batched add/delete for ipfw tables
* Add support for atomic batches add (all or none).
* Fix panic on deleting non-existing entry in radix algo.

Examples:

# si is empty
# ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
added: 1.1.1.1/32 1111
added: 2.2.2.2/32 2222
# ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
exists: 2.2.2.2/32 2200
added: 4.4.4.4/32 4444
ipfw: Adding record failed: record already exists
^^^^^ Returns error but keeps inserted items
# ipfw table si list
+++ table(si), set(0) +++
1.1.1.1/32 1111
2.2.2.2/32 2222
4.4.4.4/32 4444
# ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
added(reverted): 3.3.3.3/32 3333
exists: 4.4.4.4/32 4400
ignored: 5.5.5.5/32 5555
ipfw: Adding record failed: record already exists
^^^^^ Returns error and reverts added records
# ipfw table si list
+++ table(si), set(0) +++
1.1.1.1/32 1111
2.2.2.2/32 2222
4.4.4.4/32 4444

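The two batch semantics shown in the session above (non-atomic: report the error but keep what was inserted; atomic: roll back everything inserted before the failure and skip the rest), as an added example written for this page rather than taken from ip_fw_table.c. The table is a constructed sorted array of /32 keys, the per-entry status words mirror what ipfw(8) prints, and the replay_* functions re-run the exact three commands from the commit message so the result can be checked:

```c
#include <stdint.h>
#include <stdio.h>

#define TBL_MAX 64

/* Per-entry outcome, named after the words ipfw(8) prints in the session above. */
enum tei_status { TEI_ADDED = 0, TEI_EXISTS = 1, TEI_REVERTED = 2, TEI_IGNORED = 3 };

struct tentry { uint32_t key; uint32_t value; };     /* key: IPv4 /32 as host-order int */
struct table  { struct tentry ent[TBL_MAX]; int count; };
struct tei    { uint32_t key; uint32_t value; enum tei_status status; };

static uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

static int table_find(const struct table *t, uint32_t key)
{
	for (int i = 0; i < t->count; i++)
		if (t->ent[i].key == key)
			return i;
	return -1;
}

/* Insert keeping the array sorted; -1 if the key already exists or the table is full. */
static int table_add(struct table *t, uint32_t key, uint32_t value)
{
	if (table_find(t, key) >= 0 || t->count == TBL_MAX)
		return -1;
	int i = t->count;
	while (i > 0 && t->ent[i - 1].key > key) {
		t->ent[i] = t->ent[i - 1];
		i--;
	}
	t->ent[i].key = key;
	t->ent[i].value = value;
	t->count++;
	return 0;
}

static void table_del(struct table *t, uint32_t key)
{
	int i = table_find(t, key);
	if (i < 0)
		return;
	for (; i < t->count - 1; i++)
		t->ent[i] = t->ent[i + 1];
	t->count--;
}

/*
 * Add a batch of entries. Returns 0 if every entry was added, -1 otherwise.
 * Non-atomic: every entry is attempted, successes stay in the table.
 * Atomic: stop at the first failure, revert earlier successes, mark the
 * untried remainder as ignored, so the table is unchanged on error.
 */
int table_add_batch(struct table *t, struct tei *b, int n, int atomic)
{
	int i, failed = 0;
	for (i = 0; i < n; i++) {
		if (table_add(t, b[i].key, b[i].value) == 0) {
			b[i].status = TEI_ADDED;
			continue;
		}
		b[i].status = TEI_EXISTS;
		failed = 1;
		if (atomic)
			break;
	}
	if (!failed)
		return 0;
	if (!atomic)
		return -1;
	for (int j = 0; j < i; j++)          /* everything before the failure was added */
		if (b[j].status == TEI_ADDED) {
			table_del(t, b[j].key);
			b[j].status = TEI_REVERTED;
		}
	for (int j = i + 1; j < n; j++)      /* never attempted */
		b[j].status = TEI_IGNORED;
	return -1;
}

/* Replay of the constructed session from the commit message. */
static void replay(struct table *t, struct tei b2[2], int *rc2, struct tei b3[3], int *rc3)
{
	struct tei b1[2] = { { ip4(1,1,1,1), 1111, TEI_ADDED }, { ip4(2,2,2,2), 2222, TEI_ADDED } };
	struct tei t2[2] = { { ip4(2,2,2,2), 2200, TEI_ADDED }, { ip4(4,4,4,4), 4444, TEI_ADDED } };
	struct tei t3[3] = { { ip4(3,3,3,3), 3333, TEI_ADDED }, { ip4(4,4,4,4), 4400, TEI_ADDED },
	                     { ip4(5,5,5,5), 5555, TEI_ADDED } };
	t->count = 0;
	for (int i = 0; i < 2; i++) b2[i] = t2[i];
	for (int i = 0; i < 3; i++) b3[i] = t3[i];
	table_add_batch(t, b1, 2, 0);
	*rc2 = table_add_batch(t, b2, 2, 0);   /* plain add: keeps 4.4.4.4 */
	*rc3 = table_add_batch(t, b3, 3, 1);   /* atomic add: reverts 3.3.3.3 */
}

int replay_count(void) { struct table t; struct tei b2[2], b3[3]; int r2, r3; replay(&t, b2, &r2, b3, &r3); return t.count; }
int replay_nonatomic_rc(void) { struct table t; struct tei b2[2], b3[3]; int r2, r3; replay(&t, b2, &r2, b3, &r3); return r2; }
int replay_atomic_rc(void) { struct table t; struct tei b2[2], b3[3]; int r2, r3; replay(&t, b2, &r2, b3, &r3); return r3; }
int replay_nonatomic_status(int i) { struct table t; struct tei b2[2], b3[3]; int r2, r3; replay(&t, b2, &r2, b3, &r3); return b2[i].status; }
int replay_atomic_status(int i) { struct table t; struct tei b2[2], b3[3]; int r2, r3; replay(&t, b2, &r2, b3, &r3); return b3[i].status; }

int main(void)
{
	static const char *words[] = { "added", "exists", "added(reverted)", "ignored" };
	for (int i = 0; i < 3; i++)
		printf("atomic entry %d: %s\n", i, words[replay_atomic_status(i)]);
	printf("entries after session: %d\n", replay_count());
	return 0;
}
```

The rollback here is trivial because the toy table has no concurrent readers; the real kernel has to do the same revert while other CPUs may be matching packets against the table, which is why the commit series above spends so much effort on the UH lock and on the "operation state" rollback machinery.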
030b184f | 09-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Use 2 32-bit fields inside rule instead of 2 pointers to save skipto state.
* Introduce ipfw_reap_add() to unify unlinking rules/adding it to reap queue
* Unbreak FreeBSD7 export format.

720ee730 | 08-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Kernel changes:
* Fix buffer calculation for table dumps
* Fix IPv6 radix entries addition broken in r269371.

Userland changes:
* Fix bug in retrieving static ruleset
* Fix several bugs in retrieving table list

8bd19212 | 08-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Partially revert previous commit: "0" value is perfectly valid for O_SETFIB and O_SETDSCP, so tablearg remains to be 65535 for now.

2c452b20 | 08-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Switch tablearg value from 65535 to 0.
* Use u16 table kidx instead of integer for iface opcode.
* Provide compatibility layer for old clients.

adf3b2b9 | 08-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add IP_FW_TABLE_XMODIFY opcode
* Since there seems to be lack of consensus on strict value typing, remove non-default value types. Use userland-only "value format type" to print values.

Kernel changes:
* Add IP_FW_XMODIFY to permit table run-time modifications. Currently we support changing limit and value format type.

Userland changes:
* Support IP_FW_XMODIFY opcode.
* Support specifying value format type (ftype) in table create/modify req
* Fine-print value type/value format type.

28ea4fa3 | 08-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Remove IP_FW_TABLES_XGETSIZE opcode. It is superseded by IP_FW_TABLES_XLIST.

a73d728d | 07-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Kernel changes:
* Implement proper checks for switching between global and set-aware tables
* Split IP_FW_DEL mess into the following opcodes:
  * IP_FW_XDEL (del rules matching pattern)
  * IP_FW_XMOVE (move rules matching pattern to another set)
  * IP_FW_SET_SWAP (swap between 2 sets)
  * IP_FW_SET_MOVE (move one set to another one)
  * IP_FW_SET_ENABLE (enable/disable sets)
* Add IP_FW_XZERO / IP_FW_XRESETLOG to finish IP_FW3 migration.
* Use unified ipfw_range_tlv as range description for all of the above.
* Check dynamic states IFF there was non-zero number of deleted dyn rules,
* Del relevant dynamic states with single traversal instead of per-rule one.

Userland changes:
* Switch ipfw(8) to use new opcodes.

46d52008 | 03-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Implement atomic ipfw table swap.

Kernel changes:
* Add opcode IP_FW_TABLE_XSWAP
* Add support for swapping 2 tables with the same type/ftype/vtype.
* Make skipto cache init after ipfw locks init.

Userland changes:
* Add "table X swap Y" command.

5f379342 | 02-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Show algorithm-specific data in "table info" output.

d20facb2 | 03-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Remove unneeded headers.

b6ee846e | 02-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Fix case when returning more than 4096 bytes of data
* Use different approach to ensure algo has enough space to store N elements:
  - explicitly ask algo (under UH_WLOCK) before/after insertion. This (along with existing reallocation callbacks) really guarantees us that it is safe to insert N elements at once while holding UH_WLOCK+WLOCK.
  - remove old aflags/flags approach

4c0c07a5 | 01-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Permit limiting number of items in table.

Kernel changes:
* Add TEI_FLAGS_DONTADD entry flag to indicate that insert is not possible
* Support given flag in all algorithms
* Add "limit" field to ipfw_xtable_info
* Add actual limiting code into add_table_entry()

Userland changes:
* Add "limit" option as "create" table sub-option. Limit modification is currently impossible.
* Print human-readable errors in table entry addition/deletion code.

57a1cf95 | 01-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Use TA_FLAG_DEFAULT for default algorithm selection instead of exporting algorithm structures directly.
* Pass needed state buffer size in algo structures as preparation for tables add/del requests batching.

914bffb6 | 31-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add new "flow" table type to support N=1..5-tuple lookups
* Add "flow:hash" algorithm

Kernel changes:
* Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
* Add IPFW_TABLE_FLOW table type
* Add "struct tflow_entry" as storage for 6-tuple flows
* Add "flow:hash" algorithm. Basically it is auto-growing chained hash table. Additionally, we store mask of fields we need to compare in each instance.
* Increase ipfw_obj_tentry size by adding struct tflow_entry
* Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
* Increase algoname length: 32 -> 64 (algo options passed there as string)
* Assume every table type can be customized by flags, use u8 to store "tflags" field.
* Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
* Fix bug in cidr:chash resize procedure.

Userland changes:
* add "flow table(NAME)" syntax to support n-tuple checking tables.
* make fill_flags() separate function to ease working with _s_x arrays
* change "table info" output to reflect longer "type" fields

Syntax:
ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]

Examples:

0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
0:02 [2] zfscurr0# ipfw table fl2 info
+++ table(fl2), set(0) +++
 kindex: 0, type: flow:src-ip,proto,dst-port
 valtype: number, references: 0
 algorithm: flow:hash
 items: 0, size: 280
0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
0:02 [2] zfscurr0# ipfw table fl2 list
+++ table(fl2), set(0) +++
2a02:6b8::333,6,443 45000
10.0.0.92,6,80 22000
0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
0:03 [2] zfscurr0# ipfw show
00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
65535 617 59416 allow ip from any to any
0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
Trying 78.46.89.105...
..
0:04 [2] zfscurr0# ipfw show
00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
65535 682 66733 allow ip from any to any

b23d5de9 | 30-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add number:array algorithm lookup method.

Kernel changes:
* s/IPFW_TABLE_U32/IPFW_TABLE_NUMBER/
* Force "lookup <port|uid|gid|jid>" to be IPFW_TABLE_NUMBER
* Support "lookup" method for number tables
* Add number:array algorithm (i32 as key, auto-growing).

Userland changes:
* Support named tables in "lookup <tag> Table"
* Fix handling of "table(NAME,val)" case
* Support printing "number" table data.

daabb523 | 30-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix "flush" cmd for algorithms with non-default parameters.

9d099b4f | 29-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Dump available table algorithms via "ipfw talist" cmd.

Kernel changes:
* Add type/refcount fields to table algo instances.
* Add IP_FW_TABLES_ALIST opcode to export available algorithms to userland.

Userland changes:
* Fix cores on empty input inside "ipfw table" handler.
* Add "ipfw talist" cmd to print available kernel algorithms.
* Change "table info" output to reflect long algorithm config lines.

#
0b565ac0 |
|
29-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Copy ta structures to stable storage to ease future extension.
* Remove algo .lookup field since table lookup function is set by algo code.
|
#
74b941f0 |
|
29-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new ipfw cidr algorithm: hash table.

Algorithm works with both IPv4 and IPv6 prefixes, /32 and /128 ranges are assumed by default.
It works the following way: input IP address is masked to specified mask, hashed and searched inside hash bucket.
Current implementation does not support "lookup" method and hash auto-resize. This will be changed soon.

Some examples:
ipfw table mi_test2 create type cidr algo cidr:hash
ipfw table mi_test create type cidr algo "cidr:hash masks=/30,/64"
ipfw table mi_test2 info
+++ table(mi_test2), set(0) +++
type: cidr, kindex: 7
valtype: number, references: 0
algorithm: cidr:hash
items: 0, size: 220
ipfw table mi_test info
+++ table(mi_test), set(0) +++
type: cidr, kindex: 6
valtype: number, references: 0
algorithm: cidr:hash masks=/30,/64
items: 0, size: 220
ipfw table mi_test add 10.0.0.5/30
ipfw table mi_test add 10.0.0.8/30
ipfw table mi_test add 2a02:6b8:b010::1/64 25
ipfw table mi_test list
+++ table(mi_test), set(0) +++
10.0.0.4/30 0
10.0.0.8/30 0
2a02:6b8:b010::/64 25
|
#
adea6201 |
|
29-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Change algorithm names to "type:algo" (e.g. "iface:array", "cidr:radix") format.
* Pass number of items changed in add/del hooks to permit adding/deleting multiple values at once.
|
#
68394ec8 |
|
28-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add generic ipfw interface tracking API
* Rewrite interface tables to use interface indexes

Kernel changes:
* Add generic interface tracking API:
  - ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref)
  - ipfw_iface_add_ntfy (UH_WLOCK+WLOCK, links consumer & runs its callback to update ifindex)
  - ipfw_iface_del_ntfy (UH_WLOCK+WLOCK, unlinks consumer)
  - ipfw_iface_unref (unlocked, drops reference)
  Additionally, consumer callbacks are called on interface withdrawal/departure.
* Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way:
  runtime data is stored as sorted array of {ifidx, val} for existing interfaces
  full data is stored inside namedobj instance (chained hashed table).
* Add IP_FW_XIFLIST opcode to dump status of tracked interfaces
* Pass @chain ptr to most non-locked algorithm callbacks (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of given algorithm and other ipfw subsystems
* Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize)
* Fix small bug in ipfw_list_tables()
* Add badd (insert into sorted array) and bdel (remove from sorted array) funcs

Userland changes:
* Add "iflist" cmd to print status of currently tracked interfaces
* Add stringnum_cmp for better interface/table names sorting
|
#
db785d31 |
|
26-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Require explicit table creation before use on kernel side.
* Add resize callbacks for upcoming table-based algorithms.

Kernel changes:
* s/ipfw_modify_table/ipfw_manage_table_ent/
* Simplify add_table_entry(): make table creation a separate piece of code. Do not perform creation if not in "compat" mode.
* Add ability to perform modification of algorithm state (like table resize). The following callbacks were added:
  - prepare_mod (allocate new state, without locks)
  - fill_mod (UH_WLOCK, copy old state to new one)
  - modify (UH_WLOCK + WLOCK, switch state)
  - flush_mod (no locks, flushes allocated data)
  Given callbacks are called if table modification has been requested by add or delete callbacks. Additional u64 tc->'flags' field was added to pass these requests.
* Change add/del table ent format: permit adding/removing multiple entries at once (only 1 supported at the moment).

Userland changes:
* Auto-create tables with warning
|
#
7e767c79 |
|
08-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Use different rule structures in kernel/userland.
* Switch kernel to use per-cpu counters for rules.
* Keep ABI/API.

Kernel changes:
* Each rule is now exported as TLV with optional extendable counter block (ip_fW_bcounter for base one) and ip_fw_rule for rule&cmd data.
* Counters need to be explicitly requested by IPFW_CFG_GET_COUNTERS flag.
* Separate counters from rules in kernel and clean up ip_fw a bit.
* Pack each rule in IPFW_TLV_RULE_ENT tlv to ease parsing.
* Introduce versioning in container TLV (may be needed in future).
* Fix ipfw_cfg_lheader broken u64 alignment.

Userland changes:
* Use set_mask from cfg header when requesting config
* Fix incorrect read accounting in ipfw_show_config()
* Use IPFW_RULE_NOOPT flag instead of playing with _pad
* Fix "ipfw -d list": do not print counters for dynamic states
* Some small fixes
|
#
81d3153d |
|
06-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add "lookup" table functionality to permit userland entry lookups.
* Bump table dump format preserving old ABI.

Kernel side:
* Add IP_FW_TABLE_XFIND to handle "lookup" request from userland.
* Add ta_find_tentry() algorithm callbacks/handlers to support lookups.
* Fully switch to ipfw_obj_tentry for various table dumps: algorithms are now required to support the latest (ipfw_obj_tentry) entry dump format, the rest is handled by generic dump code. IP_FW_TABLE_XLIST opcode version bumped (0 -> 1).
* Eliminate legacy ta_dump_entry algo handler: dump_table_entry() converts data from current to legacy format.

Userland side:
* Add "lookup" table parameter.
* Change the way table type is guessed: call table_get_info() first, and check value for IPv4/IPv6 type IFF table does not exist.
* Fix table_get_list(): do more tries if supplied buffer is not enough.
* Separate table_show_entry() from table_show_list().
|
#
1832a7b3 |
|
04-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Issue warning while requesting ruleset with new tables via legacy binary. Convert each unresolved table as table 65535 (which cannot be used normally).
* Perform s/^ipfw_// for add_table_entry, del_table_entry and flush_table since these are internal functions exported to keep legacy interface.
* Remove macro TABLE_SET. Operations with tables can be done in any set, the only thing net.inet.ip.fw.tables_sets affects is the set in which tables are looked up while binding them to the rule.
|
#
ac35ff17 |
|
03-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fully switch to named tables:

Kernel changes:
* Introduce ipfw_obj_tentry table entry structure to force u64 alignment.
* Support "update-on-existing-key" "add" behavior (TEI_FLAGS_UPDATED).
* Use "subtype" field to distinguish between IPv4 and IPv6 table records instead of previous hack.
* Add value type (vtype) field for kernel tables. Current types are number, ip and dscp
* Fix sets mask retrieval for old binaries
* Fix crash while using interface tables

Userland changes:
* Switch ipfw_table_handler() to use named-only tables.
* Add "table NAME create [type {cidr|iface|u32} [valtype {number|ip|dscp}] ..."
* Switch ipfw_table_handler to match_token()-based parser.
* Switch ipfw_sets_handler to use new ipfw_get_config() for mask retrieval.
* Allow "ipfw set X table ..." syntax to permit using per-set table namespaces.
|
#
6c2997ff |
|
29-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new IP_FW_XADD opcode which permits one to a) specify table ids as names b) add multiple rules at once.
Partially convert current code for atomic addition of multiple rules.
|
#
563b5ab1 |
|
28-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Support showing named tables in ipfw(8) rule listing.

Kernel changes:
* change base TLV header to be u64 (so size can be u32).
* Introduce ipfw_obj_ctlv generic container TLV.
* Add IP_FW_XGET opcode which is now used for atomic configuration retrieval. One can specify needed configuration pieces to retrieve via flags field. Currently supported are IPFW_CFG_GET_STATIC (static rules) and IPFW_CFG_GET_STATES (dynamic states). Other configuration pieces (tables, pipes, etc..) support is planned.

Userland changes:
* Switch ipfw(8) to use new IP_FW_XGET for rule listing.
* Split rule listing code into get and show pieces.
* Make several steps forward towards libipfw:
  permit printing states and rules (partially) to supplied buffer.
  do not die on malloc/kernel failure inside given printing functions.
  stop assuming cmdline_opts is global symbol.
|
#
2d99a349 |
|
27-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Use different approach for filling large datasets to userspace:
Instead of trying to allocate big contiguous chunk of memory, use intermediate-sized (page size) buffer as sliding window reducing number of sooptcopyout() calls to perform. This reduces dump functions complexity and provides additional layer of abstraction.
User-visible api consists of 2 functions:
ipfw_get_sopt_space() - gets contiguous amount of storage (or NULL) and
ipfw_get_sopt_header() - the same, but zeroes the rest of the buffer.
|
#
9490a627 |
|
16-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add IP_FW_TABLE_XCREATE / IP_FW_TABLE_XMODIFY opcodes.
* Add 'algoname' string to ipfw_xtable_info permitting to specify lookup algorithm with parameters.
* Rework part of ipfw_rewrite_table_uidx()

Sponsored by: Yandex LLC
|
#
9c3c43aa |
|
15-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Remove unused ipfw_dump_xtable().
|
#
d3a4f924 |
|
15-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Simplify opcode handling.
* Use one u16 from op3 header to implement opcode versioning.
* IP_FW_TABLE_XLIST has now 2 handlers, for ver.0 (old) and ver.1 (current).
* Every getsockopt request is now handled in ip_fw_table.c
* Rename new opcodes:
  IP_FW_OBJ_DEL -> IP_FW_TABLE_XDESTROY
  IP_FW_OBJ_LISTSIZE -> IP_FW_TABLES_XGETSIZE
  IP_FW_OBJ_LIST -> IP_FW_TABLES_XLIST
  IP_FW_OBJ_INFO -> IP_FW_TABLE_XINFO
  IP_FW_OBJ_INFO -> IP_FW_TABLE_XFLUSH
* Add some docs about using given opcodes.
* Group some legacy opcode/handlers.
|
#
f1220db8 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move further to eliminate next pieces of number-assuming code inside tables.

Kernel changes:
* Add IP_FW_OBJ_FLUSH opcode (flush table based on its name/set)
* Add IP_FW_OBJ_DUMP opcode (dumps table data based on its name/set)
* Add IP_FW_OBJ_LISTSIZE / IP_FW_OBJ_LIST opcodes (get list of kernel tables)

Userland changes:
* move tables code to separate tables.c file
* get rid of tables_max
* switch "all"/list handling to new opcodes
|
#
ea761a5d |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move most of external table structures/functions to separate ip_fw_table.h
|
#
9f7d47b0 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add API to ease adding new algorithms/new tabletypes to ipfw.

Kernel-side changelog:
* Split general tables code and algorithm-specific table data. Current algorithms (IPv4/IPv6 radix and interface tables radix) moved to new ip_fw_table_algo.c file. Tables code now supports any algorithm implementing the following callbacks:
+struct table_algo {
+ char name[64];
+ int idx;
+ ta_init *init;
+ ta_destroy *destroy;
+ table_lookup_t *lookup;
+ ta_prepare_add *prepare_add;
+ ta_prepare_del *prepare_del;
+ ta_add *add;
+ ta_del *del;
+ ta_flush_entry *flush_entry;
+ ta_foreach *foreach;
+ ta_dump_entry *dump_entry;
+ ta_dump_xentry *dump_xentry;
+};
* Change ->state, ->xstate, ->tabletype fields of ip_fw_chain to ->tablestate pointer (array of 32-byte structures necessary for runtime lookups; can probably be shrunk to 16 bytes later):
+struct table_info {
+ table_lookup_t *lookup; /* Lookup function */
+ void *state; /* Lookup radix/other structure */
+ void *xstate; /* eXtended state */
+ u_long data; /* Hints for given func */
+};
* Add count method for namedobj instance to ease size calculations
* Bump ip_fw3 buffer in ipfw_clt 128->256 bytes.
* Improve bitmask resizing on tables_max change.
* Remove table numbers checking from most places.
* Fix wrong nesting in ipfw_rewrite_table_uidx().
* Add IP_FW_OBJ_LIST opcode (list all objects of given type, currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_LISTSIZE (get buffer size to hold IP_FW_OBJ_LIST data, currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_INFO (requests info for one object of given type).

Some name changes:
s/ipfw_xtable_tlv/ipfw_obj_tlv/ (no table specifics)
s/ipfw_xtable_ntlv/ipfw_obj_ntlv/ (no table specifics)

Userland changes:
* Add do_set3() cmd to ipfw2 to ease dealing with op3-embedded opcodes.
* Add/improve support for destroy/info cmds.
|
#
b074b7bb |
|
12-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Make ipfw tables use names as user-level identifier internally:
* Add namedobject set-aware api capable of searching/allocating objects by their name/idx.
* Switch tables code to use string ids for configuration tasks.
* Change locking model: most configuration changes are protected with UH lock, runtime-visible are protected with both locks.
* Reduce number of arguments passed to ipfw_table_add/del by using separate structure.
* Add internal V_fw_tables_sets tunable (set to 0) to prepare for set-aware tables (requires opcodes/client support)
* Implement typed table referencing (and tables are implicitly allocated with all state like radix ptrs on reference)
* Add "destroy" ipfw(8) using new IP_FW_DELOBJ opcode

Namedobj in more detail:
* Blackbox api providing methods to add/del/search/enumerate objects
* Statically-sized hashes for names/indexes
* Per-set bitmask to indicate free indexes
* Separate methods for index alloc/delete/resize

Basically, there should not be any user-visible changes except the following:
* reducing table_max is not supported
* flush & add change table type won't work if table is referenced

Sponsored by: Yandex LLC
|
#
c3015737 |
|
17-May-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix wrong formatting of 0.0.0.0/X table records in ipfw(8).

Add `flags` u16 field to the hole in ipfw_table_xentry structure.
Kernel has been guessing address family for supplied record based on xent length size. Userland, however, has been getting fixed-size ipfw_table_xentry structures guessing address family by checking address by IN6_IS_ADDR_V4COMPAT().
Fix this behavior by providing specific IPFW_TCF_INET flag for IPv4 records.

PR: bin/189471
Submitted by: Dennis Yusupoff <dyr@smartspb.net>
MFC after: 2 weeks
|
#
a3043eee |
|
14-Feb-2014 |
Dimitry Andric <dim@FreeBSD.org> |
Under sys/netpfil/ipfw, surround two IPv6-specific static functions with #ifdef INET6, since they are unused when INET6 is disabled.

MFC after: 3 days
|
#
d28d2aa4 |
|
03-Jan-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Use rnh_matchaddr instead of rnh_lookup for longest-prefix match. rnh_lookup is effectively the same as rnh_matchaddr if called with empty network mask.

MFC after: 2 weeks
|
#
3b3a8eb9 |
|
14-Sep-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.

Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.

Discussed with: bz, luigi
|