Lines Matching defs:and

228  * hand side to allow for binary searching of the array and include a trailer
427 * for each of IPv4 and IPv6. Adding a new protocol, for which there
429 * a new routine and expanding the ipf_pr_ipinit*() function rather than by
457 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
477 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
612 * and destroy whatever packet was here. The caller of this function
650 /* big enough for it to be in, checking if it is repeated and setting a */
812 /* Examine the IPv6 fragment header and extract fragment offset information.*/
833 /* and no packet is allowed to overlay that where offset = 0. */
1074 /* header being present and no authentication data (null algorithm used.) */
1218 /* except extremely bad packets, both type and code will be present. */
1333 /* and make some checks with how they interact with other fields. */
1335 /* valid and mark the packet as bad if not. */
1383 * also be set and vice versa. Good TCP packets do not have
1404 * SYN with URG and PUSH set is not for normal TCP but it is
1414 * not set and if URG, PSH or FIN are set, consider
1439 * marking up which TCP options are and are not present. The one we
1503 /* Extract the UDP source and destination ports, if present. If compiled */
1607 /* header being present and no authentication data (null algorithm used.) */
1642 * Adjust fin_dp and fin_dlen for skipping over the authentication
1689 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
1690 /* Check all options present and flag their presence if any exist. */
1715 /* Get both TTL and protocol */
1735 * set packet attribute flags based on the offset and
1756 * must have a length greater than 0 and it
1766 * Call per-protocol setup and checking
1812 * list of options present with this packet and set flags to indicate
1813 * which ones are here and which ones are not. For the somewhat out
1814 * of date and obscure security classification options, set a flag to
1930 /* header and returns that whilst also storing the highest sensitivity */
1934 /* by the user (rather than the protocol) and can be rather numerous on the */
2028 /* which is useful for comparing IP headers with and store this information */
2091 * Do opposite test to that required and continue if that succeeds.
2376 /* return value and fin->fin_fr points to the matched rule. */
2508 * in the rule, if it exists and use the results from that.
2603 * the rule to "not match" and keep on processing
2752 * If the rule has "keep frag" and the packet is actually a fragment,
2797 /* directed by firewall rules and of course whether or not to allow the */
2800 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
2833 * the packet is distilled, collected into a fr_info_t structure and
2881 * XXX For now, IP Filter and fast-forwarding of cached flows
2960 * becomes NULL and so we have no packet to free.
3111 * Up the reference on fr_lock and exit ipf_mutex. The generation of
3172 * After the above so that ICMP unreachables and TCP RSTs get
3179 * If we didn't drop off the bottom of the list of rules (and thus
3393 /* and the TCP header. We also assume that data blocks aren't allocated in */
3396 /* Expects ip_len and ip_off to be in network byte order when called. */
3611 /* and thus its reference count needs to be lowered and the group free'd if */
3636 /* Remove the group from the list of groups and free it. */
3684 /* Find rule # n in group # g and return a pointer to it. Return NULL if */
3717 /* encountered. if a rule is the head of a group and it has lost all its */
3777 /* and IPv6) as defined by the value of flags. */
3825 /* Walk through all of the groups under the given group head and remove all */
3829 /* what is fg_next and fg_next after that. So if a filter rule is actually */
3879 /* Search dst for a sequence of bytes matching those at src and extend for */
4006 /* Walk through a list of filter rules and resolve any interface names into */
4011 /* when the name points to a pool and that pool does not exist. If this */
4129 /* filter rules, NAT entries and the state table and check if anything */
4168 * end up being unaligned) and on the kernel's local stack.
4178 /* to start copying from (src) and a pointer to where to store it (dst). */
4214 /* to start copying from (src) and a pointer to where to store it (dst). */
4244 /* Get the new value for the lock integer, set it and return the old value */
4451 /* names are resolved here and other sanity checks are made on the content */
4453 /* then make sure they are created and initialised before exiting. */
4764 * Allowing a rule with both "keep state" and "with oow" is
4938 * If zero'ing statistics, copy current to caller and zero.
4946 * Copy and reduce lock because of impending copyout.
4948 * this call and the correctness of fr_hits and
5151 /* it from any linked lists and remove any groups it is responsible for. */
5215 * We've got to the last rule and everything
5246 /* When using pools and hash tables to store addresses for matching in */
5248 /* name or address (and return that pointer) and also provide the means by */
5367 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
5475 /* free it and any associated storage space being used by it. */
5544 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
5545 /* fr_ptr is later used by ipf_srcgrpmap and ipf_dstgrpmap. */
5604 /* the key, and descend into that group and continue matching rules against */
5634 /* address as the key, and descend into that group and continue matching */
5677 /* being requested. If it finds one, increments the reference counter and */
5678 /* returns a pointer to it. If none are found, it allocates a new one and */
5701 * gets reused rather than freed and reallocated.
5739 /* check the list of user defined timeout queues and call the free function */
5768 /* Remove a user defined timeout queue from the list of queues it is in and */
5805 /* Remove a tail queue entry from its queue and make it an orphan. */
5879 /* We use ticks to calculate the expiration and mark for when we last */
5923 /* Add a new item to this queue and put it on the very end. */
5924 /* We use ticks to calculate the expiration and mark for when we last */
5957 /* If it notices that the current entry is already last and does not need */
5968 * If the queue hasn't changed and we last touched this entry at the
5978 * queue and one not, could end up with things in a bizarre state.
6007 * lock on the old queue and get a lock on the new queue.
6042 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
6366 /* but it must not be smaller than the size defined for the type and the */
6429 /* but it must not be smaller than the size defined for the type and the */
6556 /* already populated with information and now we just need to use it. */
6623 * If the TCP packet isn't a fragment, isn't too short and otherwise
6752 i6addr_t *src, *and;
6755 and = (i6addr_t *)&mask->sin6_addr;
6768 inpmask->i6[0] = and->i6[0];
6769 inpmask->i6[1] = and->i6[1];
6770 inpmask->i6[2] = and->i6[2];
6771 inpmask->i6[3] = and->i6[3];
6774 inp->i6[0] = src->i6[0] & and->i6[0];
6775 inp->i6[1] = src->i6[1] & and->i6[1];
6776 inp->i6[2] = src->i6[2] & and->i6[2];
6777 inp->i6[3] = src->i6[3] & and->i6[3];
6799 /* comparison. This function should only be called with both tag1 and tag2 */
6936 /* Search the static array of tuneables and the list of dynamic tuneables */
6998 /* pointers so we don't need to walk parts of it with ++ and others with */
7067 /* Allocate memory for a new set of tuneable values and copy everything */
7176 /* returned and no further ones removed. */
7205 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
7206 /* three ioctls provide the means to access and control global variables */
7207 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
7209 /* and 'destruction' routines of the various components of ipfilter are all */
7236 * entry we looked at, so find it (if possible) and return a
7239 * to NULL and return that, indicating end of list, erstwhile
7326 * getting the new value safely and correctly out of
7388 /* Copies the current statistics out to userspace and then zero's the */
7425 /* Looks up an interface name in the frdest structure pointed to by fdp and */
7478 /* to that passed in and that is also being used for that IP protocol */
7480 /* for both IPv4 and IPv6 on the same physical NIC. */
7511 /* have been held for too long and need to be freed up. */
7535 /* Loop through all of the existing tokens and call deref to see if they */
7538 /* of greater than one and in that case the reference would drop twice */
7721 /* Drop the reference count on the token structure and if it drops to zero, */
7841 /* When we have found the rule to return, increase its reference count and */
7986 /* This function serves as a stepping stone between ipf_ipf_ioctl and */
7988 /* the process doing the ioctl and use that to ask for the next rule. */
8401 /* buffer to point to the start of the inner packet and start processing */
8449 * there and bounce over it.
8452 /* This is really heavy weight and lots of room for error, */
8453 /* so for now, put it off and get the simple stuff right. */
8566 * that is local to the decapsulation processing and back into the
8600 /* describes it. Sanity checking and array size limitations are enforced */
8603 /* required is malloc'd and returned through changing *arrayptr. The */
8682 * (minimum 4 in length) and a trailer, for a total of 6.
8709 * (or else there is nothing to compare with!) and it
8728 /* This function is used to apply a matching array against a packet and */
8752 * This is currently used with TCP and UDP port compares and
8884 /* This function gets called when the state/NAT hash tables fill up and we */
8891 /* TCPS_TIME_WAIT and TCPS_CLOSED are considered to be the perfect */
8893 /* CLOSED or both CLOSED and TIME_WAIT brings us to the low watermark, */
8896 /* 2) Look for the oldest entries on each timeout queue and free them if */
8898 /* window starts and the steps taken to increase its size depend upon */
8913 /* ipf_ticks any given timeout queue and vice versa. */
8914 /* - both tqe_die and tqe_touched increase over time */
8916 /* bottom and therefore the smallest values of each are at the top */
8922 /* found in that range, "interval" is adjusted (so long as it isn't 30) and */
8923 /* we start again with a new value for "iend" and "istart". This is */
8961 * and kernels don't like floating point...
9080 /* state and NAT code, telling them to update their timeout queues. */
9111 /* to walk the entire list and apply the change. The sort order will not */
9146 /* This function applies the new timeout (p) to the TCP tunable (t) and */
9410 /* Work through all of the subsystems inside IPFilter and call the load */
9443 /* Work through all of the subsystems inside IPFilter and call the unload */
9476 /* Work through all of the subsystems inside IPFilter and call the create */
9548 /* Work through all of the subsystems inside IPFilter and call the destroy */
9610 /* Work through all of the subsystems inside IPFilter and call the init */
9656 /* Work through all of the subsystems inside IPFilter and call the fini */
9705 /* firewall rules. Both inactive and active lists are scanned for items to */
9760 /* family and the address itself. */
9813 /* have to be wary of that and not allow 32-128 to happen. */
9884 /* tree or a matching node exists and we're able to bump up its activity. */
9943 /* Try and find the address passed in amongst the leaves on this tree to */
10012 /* and free'ing each one. */