Lines Matching defs:rule
104 * are disabled. Set RESVD_SET(31) is reserved for the default rule
165 * with the mask defined for the rule, then hashed, then matched
182 * Each dynamic rule holds a pointer to the parent ipfw rule so
184 * the parent rule is deleted. XXX we should make them survive.
207 * seconds of lifetime of a rule.
556 * We enter here when we have a rule with O_LOG.
767 * unlink a dynamic rule from a chain. prev is a pointer to
768 * the previous one, q is a pointer to the rule to delete,
791 * Remove dynamic rules pointing to "rule", or all of them if rule == NULL.
797 * a rule we absolutely do not want to remove (e.g. because we are
803 remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me)
835 if (rule != NULL && rule != q->rule)
847 printf("ipfw: OUCH! cannot remove rule,"
870 * lookup a dynamic rule.
1041 * the third parameter is the parent rule and not the chain.
1045 add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
1071 ipfw_dyn_rule *parent = (ipfw_dyn_rule *)rule;
1076 rule = parent->rule;
1081 r->rule = rule;
1099 * lookup dynamic parent rule using pkt and rule as search keys.
1103 lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
1115 rule== q->rule &&
1126 return add_dyn_rule(pkt, O_LIMIT_PARENT, rule);
1130 * Install dynamic state for rule type cmd->o.opcode
1136 install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
1162 * Run out of slots, try to remove any expired rule.
1175 case O_KEEP_STATE: /* bidir rule */
1176 add_dyn_rule(&args->f_id, O_KEEP_STATE, rule);
1185 DEB(printf("ipfw: installing dyn-limit rule %d\n",
1200 parent = lookup_dyn_parent(&id, rule);
1207 * See if we can remove some expired rule.
1209 remove_dyn_rule(rule, parent);
1223 printf("ipfw: unknown dynamic rule type %u\n", cmd->o.opcode);
1351 * to the next rule, which can be either the jump
1354 * The result is also written in the "next_rule" field of the rule.
1356 * rule...
1359 * the next rule is returned. When the ruleset is changed,
1366 struct ip_fw *rule = NULL;
1374 for (rule = me->next; rule ; rule = rule->next)
1375 if (rule->rulenum >= cmd->arg1)
1377 if (rule == NULL) /* failure or not a skipto */
1378 rule = me->next;
1379 me->next_rule = rule;
1380 return rule;
1397 * Skip up to the first rule past this rule number;
1400 * args->rule Pointer to the last matching rule (in/out)
1454 struct ip_fw *f = NULL; /* matching rule */
1594 if (args->rule) {
1596 * Packet has already been tagged. Look for the next rule
1608 f = args->rule->next_rule;
1610 f = lookup_next_rule(args->rule);
1613 * Find the starting rule. It can be either the first
1635 * Now scan the rules, and parse microinstructions for each rule.
1658 * the target rule.
2018 * i.e. the terminal part of a rule once the packet
2020 * Typically there is only one action for each rule,
2021 * and the opcode is stored at the end of the rule
2030 * instead of terminating, we jump to the next rule
2037 * before the 'action' part of the rule.
2046 * to the 'action' part of the parent rule
2048 * (CHECK_STATE only) a jump to the next rule if
2083 * the parent rule.
2087 f = q->rule;
2094 * skip to next rule, if PROBE_STATE just
2108 args->rule = f; /* report matching rule */
2176 break; /* try next rule */
2181 next_rule:; /* try next rule */
2204 * When a rule is added/deleted, clear the next_rule pointers in all rules.
2211 struct ip_fw *rule;
2213 for (rule = layer3_chain; rule; rule = rule->next)
2214 rule->next_rule = NULL;
2225 struct ip_fw *rule;
2227 for (rule = layer3_chain; rule; rule = rule->next) {
2228 ipfw_insn_pipe *cmd = (ipfw_insn_pipe *)ACTION_PTR(rule);
2245 * Add a new rule to the list. Copy the rule into a malloc'ed area, then
2246 * possibly create a rule number and add the rule to the list.
2252 struct ip_fw *rule, *f, *prev;
2258 rule = _MALLOC(l, M_IPFW, M_WAIT);
2259 if (rule == NULL) {
2264 bzero(rule, l);
2265 bcopy(input_rule, rule, l);
2267 rule->next = NULL;
2268 rule->next_rule = NULL;
2270 rule->pcnt = 0;
2271 rule->bcnt = 0;
2272 rule->timestamp = 0;
2274 if (*head == NULL) { /* default rule */
2275 *head = rule;
2280 * If rulenum is 0, find highest numbered rule before the
2281 * default rule, and add autoinc_step
2287 if (rule->rulenum == 0) {
2289 * locate the highest numbered rule before default
2294 rule->rulenum = f->rulenum;
2296 if (rule->rulenum < IPFW_DEFAULT_RULE - autoinc_step)
2297 rule->rulenum += autoinc_step;
2298 input_rule->rulenum = rule->rulenum;
2302 * Now insert the new rule in the right place in the sorted list.
2305 if (f->rulenum > rule->rulenum) { /* found the location */
2307 rule->next = f;
2308 prev->next = rule;
2310 rule->next = *head;
2311 *head = rule;
2320 DEB(printf("ipfw: installed rule %d, static count now %d\n",
2321 rule->rulenum, static_count);)
2326 * Free storage associated with a static rule (including derived
2328 * The caller is in charge of clearing rule pointers to avoid
2335 delete_rule(struct ip_fw **head, struct ip_fw *prev, struct ip_fw *rule)
2338 int l = RULESIZE(rule);
2340 n = rule->next;
2341 remove_dyn_rule(rule, NULL /* force removal */);
2351 ip_dn_ruledel_ptr(rule);
2353 _FREE(rule, M_IPFW);
2361 struct ip_fw *rule = *chain;
2363 for (; rule; rule = rule->next) {
2364 ipfw_insn *cmd = ACTION_PTR(rule);
2366 printf("ipfw: rule->rulenum = %d\n", rule->rulenum);
2368 if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
2369 printf("ipfw: rule->reserved = IPFW_RULE_INACTIVE\n");
2419 struct ip_fw *rule, *prev;
2423 for (rule = layer3_chain, prev = NULL; rule; ) {
2424 if (rule == inactive_rule && rule->reserved_1 == IPFW_RULE_INACTIVE) {
2425 struct ip_fw *n = rule;
2428 layer3_chain = rule->next;
2431 prev->next = rule->next;
2433 rule = rule->next;
2437 prev = rule;
2438 rule = rule->next;
2449 mark_inactive(struct ip_fw **prev, struct ip_fw **rule)
2451 int l = RULESIZE(*rule);
2453 if ((*rule)->reserved_1 != IPFW_RULE_INACTIVE) {
2454 (*rule)->reserved_1 = IPFW_RULE_INACTIVE;
2458 timeout(flush_inactive, *rule, 30*hz); /* 30 sec. */
2461 *prev = *rule;
2462 *rule = (*rule)->next;
2473 struct ip_fw *prev, *rule;
2476 for (prev = NULL, rule = *chain; rule ; )
2477 if (kill_default || rule->set != RESVD_SET) {
2478 ipfw_insn *cmd = ACTION_PTR(rule);
2484 mark_inactive(&prev, &rule);
2487 rule = delete_rule(chain, prev, rule);
2491 prev = rule;
2492 rule = rule->next;
2500 * The argument is an u_int32_t. The low 16 bit are the rule or set number,
2512 struct ip_fw *prev = NULL, *rule = *chain;
2513 u_int16_t rulenum; /* rule or old_set */
2535 * locate first rule to delete
2537 for (; rule->rulenum < rulenum; prev = rule, rule = rule->next)
2539 if (rule->rulenum != rulenum)
2547 while (rule->rulenum == rulenum) {
2548 ipfw_insn *insn = ACTION_PTR(rule);
2554 mark_inactive(&prev, &rule);
2557 rule = delete_rule(chain, prev, rule);
2564 while (rule->rulenum < IPFW_DEFAULT_RULE) {
2565 if (rule->set == rulenum) {
2566 ipfw_insn *insn = ACTION_PTR(rule);
2572 mark_inactive(&prev, &rule);
2575 rule = delete_rule(chain, prev, rule);
2579 prev = rule;
2580 rule = rule->next;
2586 for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
2587 if (rule->rulenum == rulenum)
2588 rule->set = new_set;
2592 for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
2593 if (rule->set == rulenum)
2594 rule->set = new_set;
2598 for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
2599 if (rule->set == rulenum)
2600 rule->set = new_set;
2601 else if (rule->set == new_set)
2602 rule->set = rulenum;
2609 * Clear counters for a specific rule.
2612 clear_counters(struct ip_fw *rule, int log_only)
2614 ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule);
2617 rule->bcnt = rule->pcnt = 0;
2618 rule->timestamp = 0;
2627 * rule number.
2633 struct ip_fw *rule;
2638 for (rule = layer3_chain; rule; rule = rule->next)
2639 clear_counters(rule, log_only);
2648 for (rule = layer3_chain; rule; rule = rule->next)
2649 if (rule->rulenum == rulenum) {
2650 while (rule && rule->rulenum == rulenum) {
2651 clear_counters(rule, log_only);
2652 rule = rule->next;
2671 * Fortunately rules are simple, so this mostly need to check rule sizes.
2674 check_ipfw_struct(struct ip_fw *rule, int size)
2680 if (size < sizeof(*rule)) {
2681 printf("ipfw: rule too short\n");
2685 l = RULESIZE(rule);
2694 for (l = rule->cmd_len, cmd = rule->cmd ;
2888 struct ip_fw *bp , *buf, *rule;
2925 * followed by a possibly empty list of dynamic rule.
2926 * The last dynamic rule has NULL in the "next" field.
2948 for (rule = layer3_chain; rule ; rule = rule->next) {
2949 int i = RULESIZE(rule);
2951 if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
2954 bcopy(rule, bp, i);
2968 bcopy(&(p->rule->rulenum), &(dst->rule),
2969 sizeof(p->rule->rulenum));
2974 * for the last dynamic rule.
2982 if (last != NULL) /* mark last dynamic rule */
3050 dyn_rule_vers1->chain = p->rule->rulenum;
3094 * the list to point to the default rule, and then freeing
3099 free_chain(&layer3_chain, 0 /* keep default rule */);
3108 rule = _MALLOC(RULE_MAXSIZE, M_TEMP, M_WAITOK);
3109 if (rule == 0) {
3114 bzero(rule, RULE_MAXSIZE);
3117 error = ipfw_convert_to_latest(sopt, rule, api_version);
3120 error = sooptcopyin(sopt, rule, RULE_MAXSIZE,
3126 /* the rule has already been checked so just
3129 sopt->sopt_valsize = RULESIZE(rule);
3131 error = check_ipfw_struct(rule, sopt->sopt_valsize);
3134 error = add_rule(&layer3_chain, rule);
3139 size = RULESIZE(rule);
3145 ipfw_convert_from_latest(rule, &rule_vers0, api_version);
3152 ipfw_convert_from_latest(rule, &rule_vers1, api_version);
3157 error = sooptcopyout(sopt, rule, size);
3163 _FREE(rule, M_TEMP);
3171 * rule->rulenum != 0 indicates single rule delete
3172 * rule->set_masks used to manipulate sets
3173 * rule->set_masks[0] contains info on sets to be
3175 * rule->set_masks[1] contains sets to be enabled.
3178 /* there is only a simple rule passed in
3204 /* single rule */
3232 case IP_FW_RESETLOG: /* using rule->rulenum */
3234 /* there is only a simple rule passed in
3287 * dummynet needs a reference to the default rule, because rules can be
3289 * dummynet changes the reference to the default rule (it could well be a
3325 continue; /* too late, rule expired */
3368 printf("ipfw2: add_rule failed adding default rule\n");