107  * Each state holds a pointer to the parent ipfw rule so we know what
108  * action to perform. Dynamic rules are removed when the parent rule is
131 	void		*parent;	/* pointer to parent rule */
133 	uint32_t	f_pos;		/* cached rule index */
139 	uint16_t	rulenum;	/* parent rule number */
140 	uint32_t	ruleid;		/* parent rule id */
162 	void		*parent;	/* pointer to parent rule */
165 	uint16_t	rulenum;	/* parent rule number */
166 	uint32_t	ruleid;		/* parent rule id */
352  * seconds of lifetime of a rule.
490     "Do not flush dynamic states on rule deletion");
782 hash_parent(const struct ipfw_flow_id *id, const void *rule)
785 	return (hash_packet(id) ^ ((uintptr_t)rule));
878 hash_parent(const struct ipfw_flow_id *id, const void *rule)
881 	return (jenkins_hash32((const uint32_t *)&rule,
882 	    sizeof(rule) / sizeof(uint32_t), hash_packet(id)));
1112 dyn_lookup_ipv4_parent(const struct ipfw_flow_id *pkt, const void *rule,
1126 		 * NOTE: we do not need to check kidx, because parent rule
1128 		 * And parent rule always created for forward direction.
1130 		if (s->limit->parent == rule &&
1149     const void *rule, uint32_t ruleid, uint16_t rulenum, uint32_t bucket)
1155 		if (s->limit->parent == rule &&
1262     const void *rule, uint32_t ruleid, uint16_t rulenum, uint32_t hashval)
1275 		 * NOTE: we do not need to check kidx, because parent rule
1277 		 * Also parent rule always created for forward direction.
1279 		if (s->limit->parent == rule &&
1299     const void *rule, uint32_t ruleid, uint16_t rulenum, uint32_t bucket)
1305 		if (s->limit->parent == rule &&
1325  * Returns pointer to state's parent rule and dyn_info. If there is
1334 	struct ip_fw *rule;
1339 	rule = NULL;
1352 			 * so it is assumed, that parent rule for O_LIMIT
1358 				rule = s->limit->parent;
1360 				rule = data->parent;
1373 				rule = s->limit->parent;
1375 				rule = data->parent;
1381 		 * If cached chain id is the same, we can avoid rule index
1393 			 * rule can be deleted. If found rule doesn't
1403 			 * pointer to deleted rule and f_pos value
1404 			 * corresponding to penultimate rule.
1407 			 * flag and rule will keep around. So we can return
1410 			 * handling if the search will continue, the next rule
1411 			 * will be the last one - the default rule.
1413 			if (V_layer3_chain.map[data->f_pos] == rule) {
1418 				 * The original rule pointer is still usable.
1420 				 * changed to point to the penultimate rule.
1427 				rule = NULL;
1429 				DYN_DEBUG("rule %p  [%u, %u] is considered "
1430 				    "invalid in data %p", rule, data->ruleid,
1440 	 * Return MATCH_NONE if parent rule is in disabled set.
1445 	 *	  rule set is changed.
1447 	if (rule != NULL && (V_set_disable & (1 << rule->set))) {
1448 		rule = NULL;
1452 	return (rule);
1537 dyn_add_ipv4_parent(void *rule, uint32_t ruleid, uint16_t rulenum,
1552 		s = dyn_lookup_ipv4_parent_locked(pkt, rule, ruleid,
1566 	limit = dyn_alloc_parent(rule, ruleid, rulenum, hashval);
1668 dyn_add_ipv6_parent(void *rule, uint32_t ruleid, uint16_t rulenum,
1683 		s = dyn_lookup_ipv6_parent_locked(pkt, zoneid, rule, ruleid,
1697 	limit = dyn_alloc_parent(rule, ruleid, rulenum, hashval);
1772     struct ip_fw *rule, uint32_t hashval, uint32_t limit, uint16_t kidx)
1787 		s = dyn_lookup_ipv4_parent(pkt, rule, rule->id,
1788 		    rule->rulenum, bucket);
1796 			s = dyn_add_ipv4_parent(rule, rule->id,
1797 			    rule->rulenum, pkt, hashval, version, kidx);
1810 		s = dyn_lookup_ipv6_parent(pkt, zoneid, rule, rule->id,
1811 		    rule->rulenum, bucket);
1819 			s = dyn_add_ipv6_parent(rule, rule->id,
1820 			    rule->rulenum, pkt, zoneid, hashval, version,
1841 			    rule->rulenum);
1864     uint16_t fibnum, const void *ulp, int pktlen, struct ip_fw *rule,
1874 	ruleid = rule->id;
1875 	rulenum = rule->rulenum;
1906 		parent_hashval = hash_parent(&id, rule);
1907 		rule = dyn_get_parent_state(&id, zoneid, rule, parent_hashval,
1909 		if (rule == NULL) {
1914 				    "%u drop session", rule->rulenum);
1924 		 * Now rule points to parent state.
1930 		ret = dyn_add_ipv4_state(rule, ruleid, rulenum, pkt,
1934 		ret = dyn_add_ipv6_state(rule, ruleid, rulenum, pkt,
1945 			 * we must revert counter back. The 'rule' points to
1948 			 * XXXAE: it should be safe to use 'rule' pointer
1954 				    ((struct dyn_ipv4_state *)rule)->limit);
1958 				    ((struct dyn_ipv6_state *)rule)->limit);
1976  *  rule - the parent rule that installs the state;
1988 ipfw_dyn_install_state(struct ip_fw_chain *chain, struct ip_fw *rule,
2007 	    0, M_GETFIB(args->m), ulp, pktlen, rule, info, limit,
2134     struct ip_fw *rule, uint16_t kidx)
2140 	 * This can happen when rule deletion executed for
2155 	/* Reference the parent rule */
2156 	rule->refcnt++;
2161     struct ip_fw *rule, uint16_t kidx)
2174 	if (--rule->refcnt == 1)
2175 		ipfw_free_rule(rule);
2181  * and there is no matching state. So, since the old parent rule was deleted
2190 	struct ip_fw *rule;
2194 		rule = s->limit->parent;
2195 		return (dyn_match_range(s->limit->rulenum, rule->set, rt));
2198 	rule = s->data->parent;
2200 		rule = ((struct dyn_ipv4_state *)rule)->limit->parent;
2202 	ret = dyn_match_range(s->data->rulenum, rule->set, rt);
2206 	dyn_acquire_rule(ch, s->data, rule, s->kidx);
2215 	struct ip_fw *rule;
2219 		rule = s->limit->parent;
2220 		return (dyn_match_range(s->limit->rulenum, rule->set, rt));
2223 	rule = s->data->parent;
2225 		rule = ((struct dyn_ipv6_state *)rule)->limit->parent;
2227 	ret = dyn_match_range(s->data->rulenum, rule->set, rt);
2231 	dyn_acquire_rule(ch, s->data, rule, s->kidx);
2249 	void *rule;
2292 					rule = s->data->parent;		\
2294 						rule = ((__typeof(s))	\
2295 						    rule)->limit->parent;\
2297 					    rule, s->kidx);		\
2830 	struct ip_fw *rule;
2837 		rule = s->data->parent;					\
2839 			rule = ((__typeof(s))rule)->limit->parent;	\
2840 		ipfw_reset_eaction(ch, rule, eaction_id,		\
2906  * Check if rule contains at least one dynamic opcode.
2911 ipfw_is_dyn_rule(struct ip_fw *rule)
2916 	l = rule->cmd_len;
2917 	cmd = rule->cmd;
2945 	/* 'rule' is used to pass up the rule number and set */
2946 	memcpy(&dst->rule, &p->rulenum, sizeof(p->rulenum));
2948 	/* store set number into high word of dst->rule pointer. */
2949 	memcpy((char *)&dst->rule + sizeof(p->rulenum), &set, sizeof(set));
2961 	 * for the last dynamic rule.
2978 	/* 'rule' is used to pass up the rule number and set */
2979 	memcpy(&dst->rule, &data->rulenum, sizeof(data->rulenum));
2981 	/* store set number into high word of dst->rule pointer. */
2982 	memcpy((char *)&dst->rule + sizeof(data->rulenum), &set, sizeof(set));
2996 	 * for the last dynamic rule.
3004 	struct ip_fw *rule;
3008 		rule = s->limit->parent;
3009 		dyn_export_parent(s->limit, s->kidx, rule->set, dst);
3012 		rule = s->data->parent;
3014 			rule = ((struct dyn_ipv4_state *)rule)->limit->parent;
3015 		dyn_export_data(s->data, s->kidx, s->type, rule->set, dst);
3036 	struct ip_fw *rule;
3040 		rule = s->limit->parent;
3041 		dyn_export_parent(s->limit, s->kidx, rule->set, dst);
3044 		rule = s->data->parent;
3046 			rule = ((struct dyn_ipv6_state *)rule)->limit->parent;
3047 		dyn_export_data(s->data, s->kidx, s->type, rule->set, dst);
3119 	/* mark last dynamic rule */
3166 	if (last != NULL) /* mark last dynamic rule */

Indexes created Wed Jul 17 19:16:04 MDT 2024