author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-08-21 09:39:55 +0200 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-09-21 10:29:40 +0200 |
commit | 2df56dbd60bb5d925d2ce0ddbdefdbe6107ea783 (patch) | |
tree | bd7bad558534db4a1f400bc38a2c9aa7ea4f411e /freebsd/sys/netpfil/ipfw | |
parent | Update to FreeBSD head 2018-02-01 (diff) | |
download | rtems-libbsd-2df56dbd60bb5d925d2ce0ddbdefdbe6107ea783.tar.bz2 |
Update to FreeBSD head 2018-04-01
Git mirror commit 8dfb1ccc26d1cea7e2529303003ff61f9f1784c4.
Update #3472.
Diffstat (limited to 'freebsd/sys/netpfil/ipfw')
-rw-r--r-- | freebsd/sys/netpfil/ipfw/ip_fw_private.h | 44 |
1 files changed, 36 insertions, 8 deletions
diff --git a/freebsd/sys/netpfil/ipfw/ip_fw_private.h b/freebsd/sys/netpfil/ipfw/ip_fw_private.h
index b6471a02..c389e01a 100644
--- a/freebsd/sys/netpfil/ipfw/ip_fw_private.h
+++ b/freebsd/sys/netpfil/ipfw/ip_fw_private.h
@@ -1,4 +1,6 @@
 /*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
 *
 * Redistribution and use in source and binary forms, with or without
@@ -182,24 +184,48 @@ enum { /* result for matching dynamic rules */
 struct ip_fw_chain;
 struct sockopt_data;
 int ipfw_is_dyn_rule(struct ip_fw *rule);
-void ipfw_expire_dyn_rules(struct ip_fw_chain *, ipfw_range_tlv *);
-void ipfw_dyn_unlock(ipfw_dyn_rule *q);
+void ipfw_expire_dyn_states(struct ip_fw_chain *, ipfw_range_tlv *);
 
 struct tcphdr;
 struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *,
 u_int32_t, u_int32_t, int);
-int ipfw_install_state(struct ip_fw_chain *chain, struct ip_fw *rule,
- ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg);
-ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt,
- int *match_direction, struct tcphdr *tcp, uint16_t kidx);
-void ipfw_remove_dyn_children(struct ip_fw *rule);
+/*
+ * Macro to determine that we need to do or redo dynamic state lookup.
+ * direction == MATCH_UNKNOWN means that this is first lookup, then we need
+ * to do lookup.
+ * Otherwise check the state name, if previous lookup was for "any" name,
+ * this means there is no state with specific name. Thus no need to do
+ * lookup. If previous name was not "any", redo lookup for specific name.
+ */
+#define DYN_LOOKUP_NEEDED(p, cmd) \
+ ((p)->direction == MATCH_UNKNOWN || \
+ ((p)->kidx != 0 && (p)->kidx != (cmd)->arg1))
+#define DYN_INFO_INIT(p) do { \
+ (p)->direction = MATCH_UNKNOWN; \
+ (p)->kidx = 0; \
+} while (0)
+struct ipfw_dyn_info {
+ uint16_t direction; /* match direction */
+ uint16_t kidx; /* state name kidx */
+ uint32_t hashval; /* hash value */
+ uint32_t version; /* bucket version */
+ uint32_t f_pos;
+};
+int ipfw_dyn_install_state(struct ip_fw_chain *chain, struct ip_fw *rule,
+ const ipfw_insn_limit *cmd, const struct ip_fw_args *args,
+ const void *ulp, int pktlen, struct ipfw_dyn_info *info,
+ uint32_t tablearg);
+struct ip_fw *ipfw_dyn_lookup_state(const struct ip_fw_args *args,
+ const void *ulp, int pktlen, const ipfw_insn *cmd,
+ struct ipfw_dyn_info *info);
+
 void ipfw_get_dynamic(struct ip_fw_chain *chain, char **bp, const char *ep);
 int ipfw_dump_states(struct ip_fw_chain *chain, struct sockopt_data *sd);
 
 void ipfw_dyn_init(struct ip_fw_chain *); /* per-vnet initialization */
 void ipfw_dyn_uninit(int); /* per-vnet deinitialization */
 int ipfw_dyn_len(void);
-int ipfw_dyn_get_count(void);
+uint32_t ipfw_dyn_get_count(void);
 
 /* common variables */
 VNET_DECLARE(int, fw_one_pass);
@@ -625,6 +651,8 @@ void ipfw_destroy_skipto_cache(struct ip_fw_chain *chain);
 int ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id);
 int ipfw_ctl3(struct sockopt *sopt);
 int ipfw_chk(struct ip_fw_args *args);
+int ipfw_add_protected_rule(struct ip_fw_chain *chain, struct ip_fw *rule,
+ int locked);
 void ipfw_reap_add(struct ip_fw_chain *chain, struct ip_fw **head,
 struct ip_fw *rule);
 void ipfw_reap_rules(struct ip_fw *head); |
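Review bot: The new prototypes `ipfw_dyn_install_state()` and `ipfw_dyn_lookup_state()` both take `const void *ulp, int pktlen`, but nothing in the header says what `ulp` must point at, whether it may be NULL, or whether the signed `pktlen` bounds reads through `ulp` or is only the packet's total length. This header is the only contract a caller on the packet path sees, so an ambiguous length next to an untyped pointer invites an out-of-bounds read in the state code if a caller guesses wrong (inferred; the definitions are outside this hunk). I would add above the two prototypes something like `/* ulp: upper-layer header of the packet in args, already pulled up by the caller; pktlen: packet length in bytes, >= 0 — confirm whether it bounds ulp */`. `f_pos` is also the only member of `struct ipfw_dyn_info` without a comment.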
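Review bot: `int locked` on the new `ipfw_add_protected_rule()` prototype encodes a locking precondition as a bare flag, and the declaration does not say which lock it refers to or who releases it. A wrong value at a call site means either a second acquisition of a lock already held or an update of the rule chain with no lock at all, so the contract belongs next to the prototype, for example `/* locked != 0: caller already holds the chain lock; state which lock and who drops it */`. The definition is not part of this hunk, so the exact semantics here are inferred from the parameter name only.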