120 	bool			subnet_apply; /* Apply rule on whole subnet. */
135 	struct ip_rule *rule;
137 	while ((rule = TAILQ_FIRST(head)) != NULL) {
138 		TAILQ_REMOVE(head, rule, r_entries);
139 		free(rule, M_IPACL);
161 parse_rule_element(char *element, struct ip_rule *rule)
173 	rule->jid = strtol(tok, &p, 10);
179 	rule->allow = strtol(tok, &p, 10);
186 	strlcpy(rule->if_name, tok, strlen(tok) + 1);
190 	rule->af = (strcmp(tok, "AF_INET") == 0) ? AF_INET :
192 	if (rule->af == -1)
197 	if (inet_pton(rule->af, tok, rule->addr.addr32) != 1)
207 		rule->subnet_apply = false;
209 		rule->subnet_apply = true;
210 		switch (rule->af) {
217 				rule->mask.addr32[0] = htonl(0);
219 				rule->mask.addr32[0] =
221 			rule->addr.addr32[0] &= rule->mask.addr32[0];
230 				rule->mask.addr8[i] = prefix >= 8 ? 0xFF :
233 				rule->addr.addr8[i] &= rule->mask.addr8[i];
322 	struct ip_rule *rule;
335 	 * a set of IP addresses, the rule that is defined later in the list
336 	 * determines the outcome, disregarding any previous rule for that IP
338 	 * Walk the policy rules list in reverse order until rule applicable
341 	TAILQ_FOREACH_REVERSE(rule, &rule_head, rulehead, r_entries) {
342 		/* Skip if current rule applies to different jail. */
343 		if (cred->cr_prison->pr_id != rule->jid)
346 		if (strcmp(rule->if_name, "\0") &&
347 		    strcmp(rule->if_name, if_name(ifp)))
350 		switch (rule->af) {
353 			if (rule->subnet_apply) {
354 				if (rule->addr.v4.s_addr !=
355 				    (ip_addr->v4.s_addr & rule->mask.v4.s_addr))
358 				if (ip_addr->v4.s_addr != rule->addr.v4.s_addr)
364 			if (rule->subnet_apply) {
367 					if (rule->addr.v6.s6_addr[i] !=
369 					    rule->mask.v6.s6_addr[i])) {
376 				if (bcmp(&rule->addr, ip_addr,
383 		if (rule->allow)

Indexes created Thu Jun 20 12:38:36 MDT 2024