134  * are disabled. Set RESVD_SET(31) is reserved for the default rule
196  * with the mask defined for the rule, then hashed, then matched
213  * Each dynamic rule holds a pointer to the parent ipfw rule so
215  * the parent rule is deleted. XXX we should make them survive.
238  * seconds of lifetime of a rule.
321 #define RULESIZE64(rule)  (sizeof(struct ip_fw_64) + \
322 							((struct ip_fw *)(rule))->cmd_len * 4 - 4)
324 #define RULESIZE32(rule)  (sizeof(struct ip_fw_32) + \
325 							((struct ip_fw *)(rule))->cmd_len * 4 - 4)
400 	struct ip_fw *rule;
403 	for (rule = layer3_chain; rule ; rule = rule->next) {
404 		if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
407 		if ( rule->act_ofs ){
408 			useraction =  (char*)ACTION_PTR( rule ); 
424 	struct ip_fw *rule;
427 	for (rule = layer3_chain; rule ; rule = rule->next) {
428 		if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
431 		if ( rule->act_ofs ){
432 			useraction =  (char *)ACTION_PTR( rule ); 
719 				dyn_rule_vers1->chain = (user32_addr_t)(p->rule->rulenum);
754 				dyn_rule_vers1->chain = (user64_addr_t) p->rule->rulenum;
1054  * We enter here when we have a rule with O_LOG.
1265  * unlink a dynamic rule from a chain. prev is a pointer to
1266  * the previous one, q is a pointer to the rule to delete,
1289  * Remove dynamic rules pointing to "rule", or all of them if rule == NULL.
1295  * a rule we absolutely do not want to remove (e.g. because we are
1301 remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me)
1333 			if (rule != NULL && rule != q->rule)
1345 					printf("ipfw: OUCH! cannot remove rule,"
1368  * lookup a dynamic rule.
1539  *   the third parameter is the parent rule and not the chain.
1543 add_dyn_rule(struct ip_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
1569 		ipfw_dyn_rule *parent = (ipfw_dyn_rule *)rule;
1574 		rule = parent->rule;
1579 	r->rule = rule;
1597  * lookup dynamic parent rule using pkt and rule as search keys.
1601 lookup_dyn_parent(struct ip_flow_id *pkt, struct ip_fw *rule)
1613 			    rule== q->rule &&
1624 	return add_dyn_rule(pkt, O_LIMIT_PARENT, rule);
1628  * Install dynamic state for rule type cmd->o.opcode
1634 install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
1660 		 * Run out of slots, try to remove any expired rule.
1673 	case O_KEEP_STATE: /* bidir rule */
1674 		add_dyn_rule(&args->fwa_id, O_KEEP_STATE, rule);
1683 		DEB(printf("ipfw: installing dyn-limit rule %d\n",
1698 		parent = lookup_dyn_parent(&id, rule);
1705 			 * See if we can remove some expired rule.
1707 			remove_dyn_rule(rule, parent);
1721 		printf("ipfw: unknown dynamic rule type %u\n", cmd->o.opcode);
1853  * to the next rule, which can be either the jump
1856  * The result is also written in the "next_rule" field of the rule.
1858  * rule...
1861  * the next rule is returned. When the ruleset is changed,
1868 	struct ip_fw *rule = NULL;
1876 		for (rule = me->next; rule ; rule = rule->next)
1877 			if (rule->rulenum >= cmd->arg1)
1879 	if (rule == NULL)			/* failure or not a skipto */
1880 		rule = me->next;
1881 	me->next_rule = rule;
1882 	return rule;
1899  *		Skip up to the first rule past this rule number;
1902  *	args->fwa_ipfw_rule	Pointer to the last matching rule (in/out)
1956 	struct ip_fw *f = NULL;		/* matching rule */
2098 		 * Packet has already been tagged. Look for the next rule
2115 		 * Find the starting rule. It can be either the first
2137 	 * Now scan the rules, and parse microinstructions for each rule.
2160 			 * the target rule.
2522 			 * i.e. the terminal part of a rule once the packet
2524 			 * Typically there is only one action for each rule,
2525 			 * and the opcode is stored at the end of the rule
2534 			 *   instead of terminating, we jump to the next rule
2541 			 *   before the 'action' part of the rule.
2550 			 *   to the 'action' part of the parent rule
2552 			 *   (CHECK_STATE only) a jump to the next rule if
2587 					 * the parent rule.
2591 					f = q->rule;
2598 				 * skip to next rule, if PROBE_STATE just
2612 				args->fwa_ipfw_rule = f; /* report matching rule */
2680 					break;		/* try next rule    */
2685 next_rule:;		/* try next rule		*/
2708  * When a rule is added/deleted, clear the next_rule pointers in all rules.
2715 	struct ip_fw *rule;
2717 	for (rule = layer3_chain; rule; rule = rule->next)
2718 		rule->next_rule = NULL;
2729 	struct ip_fw *rule;
2731 	for (rule = layer3_chain; rule; rule = rule->next) {
2732 		ipfw_insn_pipe *cmd = (ipfw_insn_pipe *)ACTION_PTR(rule);
2749  * Add a new rule to the list. Copy the rule into a malloc'ed area, then
2750  * possibly create a rule number and add the rule to the list.
2756 	struct ip_fw *rule, *f, *prev;
2762 	rule = _MALLOC(l, M_IPFW, M_WAIT);
2763 	if (rule == NULL) {
2768 	bzero(rule, l);
2769 	bcopy(input_rule, rule, l);
2771 	rule->next = NULL;
2772 	rule->next_rule = NULL;
2774 	rule->pcnt = 0;
2775 	rule->bcnt = 0;
2776 	rule->timestamp = 0;
2778 	if (*head == NULL) {	/* default rule */
2779 		*head = rule;
2784 	 * If rulenum is 0, find highest numbered rule before the
2785 	 * default rule, and add autoinc_step
2791 	if (rule->rulenum == 0) {
2793 		 * locate the highest numbered rule before default
2798 			rule->rulenum = f->rulenum;
2800 		if (rule->rulenum < IPFW_DEFAULT_RULE - autoinc_step)
2801 			rule->rulenum += autoinc_step;
2802 		input_rule->rulenum = rule->rulenum;
2806 	 * Now insert the new rule in the right place in the sorted list.
2809 		if (f->rulenum > rule->rulenum) { /* found the location */
2811 				rule->next = f;
2812 				prev->next = rule;
2814 				rule->next = *head;
2815 				*head = rule;
2826 	DEB(printf("ipfw: installed rule %d, static count now %d\n",
2827 		rule->rulenum, static_count);)
2832  * Free storage associated with a static rule (including derived
2834  * The caller is in charge of clearing rule pointers to avoid
2841 delete_rule(struct ip_fw **head, struct ip_fw *prev, struct ip_fw *rule)
2844 	int l = RULESIZE(rule);
2846 	n = rule->next;
2847 	remove_dyn_rule(rule, NULL /* force removal */);
2854 	static_len_32 -= RULESIZE32(rule);
2855 	static_len_64 -= RULESIZE64(rule);
2859 		dn_ipfw_rule_delete(rule);
2861 	_FREE(rule, M_IPFW);
2869 	struct ip_fw *rule = *chain;
2871 	for (; rule; rule = rule->next) {
2872 		ipfw_insn	*cmd = ACTION_PTR(rule);
2874 		printf("ipfw: rule->rulenum = %d\n", rule->rulenum);
2876 		if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
2877 			printf("ipfw: rule->reserved = IPFW_RULE_INACTIVE\n");
2927 	struct ip_fw *rule, *prev;
2931 	for (rule = layer3_chain, prev = NULL; rule; ) {
2932 		if (rule == inactive_rule && rule->reserved_1 == IPFW_RULE_INACTIVE) {
2933 			struct ip_fw *n = rule;
2936 				layer3_chain = rule->next;
2939 				prev->next = rule->next;
2941 			rule = rule->next;
2945 			prev = rule;
2946 			rule = rule->next;
2957 mark_inactive(struct ip_fw **prev, struct ip_fw **rule)
2959 	int 			l = RULESIZE(*rule);
2961 	if ((*rule)->reserved_1 != IPFW_RULE_INACTIVE) {
2962 		(*rule)->reserved_1 = IPFW_RULE_INACTIVE;
2965 		static_len_32 -= RULESIZE32(*rule);
2966 		static_len_64 -= RULESIZE64(*rule);
2968 		timeout(flush_inactive, *rule, 30*hz); /* 30 sec. */
2971 	*prev = *rule;
2972 	*rule = (*rule)->next;
2983 	struct ip_fw *prev, *rule;
2986 	for (prev = NULL, rule = *chain; rule ; )
2987 		if (kill_default || rule->set != RESVD_SET) {
2988 			ipfw_insn	*cmd = ACTION_PTR(rule);
2994 				mark_inactive(&prev, &rule);
2997 				rule = delete_rule(chain, prev, rule);
3001 			prev = rule;
3002 			rule = rule->next;
3010  * The argument is an u_int32_t. The low 16 bit are the rule or set number,
3022 	struct ip_fw *prev = NULL, *rule = *chain;
3023 	u_int16_t rulenum;	/* rule or old_set */
3045 		 * locate first rule to delete
3047 		for (; rule->rulenum < rulenum; prev = rule, rule = rule->next)
3049 		if (rule->rulenum != rulenum)
3057 		while (rule->rulenum == rulenum) {
3058 			ipfw_insn	*insn = ACTION_PTR(rule);
3064 				mark_inactive(&prev, &rule);
3067 				rule = delete_rule(chain, prev, rule);
3074 		while (rule->rulenum < IPFW_DEFAULT_RULE) {
3075 			if (rule->set == rulenum) {
3076 				ipfw_insn	*insn = ACTION_PTR(rule);
3082 					mark_inactive(&prev, &rule);
3085 					rule = delete_rule(chain, prev, rule);
3089 				prev = rule;
3090 				rule = rule->next;
3096 		for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
3097 			if (rule->rulenum == rulenum)
3098 				rule->set = new_set;
3102 		for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
3103 			if (rule->set == rulenum)
3104 				rule->set = new_set;
3108 		for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
3109 			if (rule->set == rulenum)
3110 				rule->set = new_set;
3111 			else if (rule->set == new_set)
3112 				rule->set = rulenum;
3119  * Clear counters for a specific rule.
3122 clear_counters(struct ip_fw *rule, int log_only)
3124 	ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule);
3127 		rule->bcnt = rule->pcnt = 0;
3128 		rule->timestamp = 0;
3137  * rule number.
3143 	struct ip_fw *rule;
3148 		for (rule = layer3_chain; rule; rule = rule->next)
3149 			clear_counters(rule, log_only);
3158 		for (rule = layer3_chain; rule; rule = rule->next)
3159 			if (rule->rulenum == rulenum) {
3160 				while (rule && rule->rulenum == rulenum) {
3161 					clear_counters(rule, log_only);
3162 					rule = rule->next;
3181  * Fortunately rules are simple, so this mostly need to check rule sizes.
3184 check_ipfw_struct(struct ip_fw *rule, int size)
3190 	if (size < sizeof(*rule)) {
3191 		printf("ipfw: rule too short\n");
3195 	l = RULESIZE(rule);
3204 	for (l = rule->cmd_len, cmd = rule->cmd ;
3399 	struct ip_fw *bp , *buf, *rule;
3441 		 * followed by a possibly empty list of dynamic rule.
3442 		 * The last dynamic rule has NULL in the "next" field.
3473 		for (rule = layer3_chain; rule ; rule = rule->next) {
3475 			if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
3482 				copyto64fw( rule, (struct ip_fw_64 *)bp, size);
3490 				copyto32fw( rule, (struct ip_fw_32*)bp, size);
3514 						 * for the last dynamic rule.
3517 						ipfw_dyn_dst->rule = p->rule->rulenum;
3540 						 * for the last dynamic rule.
3543 						ipfw_dyn_dst->rule = p->rule->rulenum;
3560 			if (last != NULL) /* mark last dynamic rule */
3666 		 * the list to point to the default rule, and then freeing
3671 		free_chain(&layer3_chain, 0 /* keep default rule */);
3682 		rule = _MALLOC(RULE_MAXSIZE, M_TEMP, M_WAITOK);
3683 		if (rule == 0) {
3688 		bzero(rule, RULE_MAXSIZE);
3691 			error = ipfw_convert_to_latest(sopt, rule, api_version, is64user);
3695 			error = sooptcopyin_fw( sopt, rule, &rulesize); 
3701 				/* the rule has already been checked so just
3704 				sopt->sopt_valsize = RULESIZE(rule);
3705 				rulesize = RULESIZE(rule);
3707 			error = check_ipfw_struct(rule, rulesize);
3710 				error = add_rule(&layer3_chain, rule);
3715 				size = RULESIZE(rule);
3721 						ipfw_convert_from_latest(rule, &rule_vers0, api_version, is64user);
3727 						ipfw_convert_from_latest(rule, &rule_vers1, api_version, is64user);
3735 							userrule = (char*)rule;
3737 							copyto64fw( rule, (struct ip_fw_64*)userrule, savedsopt_valsize);
3740 								copyto32fw( rule, (struct ip_fw_32*)userrule, savedsopt_valsize);
3750 		_FREE(rule, M_TEMP);
3758 		 * rule->rulenum != 0 indicates single rule delete
3759 		 * rule->set_masks used to manipulate sets
3760 		 * rule->set_masks[0] contains info on sets to be 
3762 		 * rule->set_masks[1] contains sets to be enabled.
3765 		/* there is only a simple rule passed in
3790 				/* single rule */
3818 	case IP_FW_RESETLOG: /* using rule->rulenum */
3820 		/* there is only a simple rule passed in
3872  * dummynet needs a reference to the default rule, because rules can be
3874  * dummynet changes the reference to the default rule (it could well be a
3919 				continue;	/* too late, rule expired */
3974 		printf("ipfw2: add_rule failed adding default rule\n");

Indexes created Wed Sep 11 23:09:49 MDT 2024