From c0800296d85fb306ca944f4545228720771891fe Mon Sep 17 00:00:00 2001
From: sephe
Date: Sun, 2 Sep 2007 13:27:23 +0000
Subject: [PATCH] Switch ipfw from ipfw1 to ipfw2.
Approved-by: dillon@
Submitted-by: Gary Allan (w/ modification)
---
 lib/libalias/Makefile | 5 +-
 lib/libalias/alias_db.c | 63 +------
 sbin/ipfw/Makefile | 5 +-
 sbin/ipfw/ipfw.8 | 30 +---
 sys/conf/files | 5 +-
 sys/conf/options | 3 +-
 sys/config/LINT | 3 +-
 sys/net/dummynet/Makefile | 5 +-
 sys/net/dummynet/ip_dummynet.c | 17 +-
 sys/net/ipfw/Makefile | 7 +-
 sys/net/ipfw/ip_fw.h | 398 +++--------------------------------------
 sys/net/ipfw/ip_fw2.c | 4 +-
 12 files changed, 35 insertions(+), 510 deletions(-)
 rewrite sys/net/ipfw/ip_fw.h (94%)
diff --git a/lib/libalias/Makefile b/lib/libalias/Makefile
index 3db8d00bc0..458d3ea443 100644
--- a/lib/libalias/Makefile
+++ b/lib/libalias/Makefile
@@ -1,12 +1,9 @@
 # $FreeBSD: src/lib/libalias/Makefile,v 1.13.2.5 2002/07/24 03:21:24 luigi Exp $
-# $DragonFly: src/lib/libalias/Makefile,v 1.4 2007/07/30 22:49:20 swildner Exp $
+# $DragonFly: src/lib/libalias/Makefile,v 1.5 2007/09/02 13:27:22 sephe Exp $
 LIB= alias
 SHLIB_MAJOR= 5
 CFLAGS+= -Wall -Wmissing-prototypes
-.if defined(IPFW2)
-CFLAGS+= -DIPFW2
-.endif
 SRCS= alias.c alias_cuseeme.c alias_db.c alias_ftp.c alias_irc.c \
 alias_nbt.c alias_pptp.c alias_proxy.c alias_smedia.c \
 alias_util.c
diff --git a/lib/libalias/alias_db.c b/lib/libalias/alias_db.c
index 6904a325ae..82a0dae48e 100644
--- a/lib/libalias/alias_db.c
+++ b/lib/libalias/alias_db.c
@@ -26,7 +26,7 @@
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/lib/libalias/alias_db.c,v 1.21.2.14 2002/07/24 03:21:24 luigi Exp $
- * $DragonFly: src/lib/libalias/alias_db.c,v 1.4 2004/08/20 00:08:17 joerg Exp $
+ * $DragonFly: src/lib/libalias/alias_db.c,v 1.5 2007/09/02 13:27:22 sephe Exp $
 */
 /*
@@ -2643,7 +2643,6 @@ PacketAliasCheckNewLink(void)
 #include
 #include
-#if IPFW2 /* support for new firewall code */
 /*
 * helper function, updates the pointer to cmd with the length
 * of the current command, and also cleans up the first word of
@@ -2713,7 +2712,6 @@ fill_rule(void *buf, int bufsize, int rulenum,
 return ((void *)cmd - buf);
 }
-#endif /* IPFW2 */
 static void ClearAllFWHoles(void);
@@ -2761,7 +2759,6 @@ UninitPunchFW(void) {
 void
 PunchFWHole(struct alias_link *link) {
 int r; /* Result code */
- struct ip_fw rule; /* On-the-fly built rule */
 int fwhole; /* Where to punch hole */
 /* Don't do anything unless we are asked to */
@@ -2770,8 +2767,6 @@ PunchFWHole(struct alias_link *link) {
 link->link_type != LINK_TCP)
 return;
- memset(&rule, 0, sizeof rule);
- /** Build rule **/
 /* Find empty slot */
@@ -2804,7 +2799,6 @@ PunchFWHole(struct alias_link *link) {
 * add fwhole accept tcp from OAddr OPort to DAddr DPort
 * add fwhole accept tcp from DAddr DPort to OAddr OPort
 */
-#if IPFW2
 if (GetOriginalPort(link) != 0 && GetDestPort(link) != 0) {
 u_int32_t rulebuf[255];
 int i;
@@ -2825,44 +2819,6 @@ PunchFWHole(struct alias_link *link) {
 if (r)
 err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
 }
-#else /* !IPFW2, old code to generate ipfw rule */
-
- /* Build generic part of the two rules */
- rule.fw_number = fwhole;
- IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */
- IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. */
- rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT;
- rule.fw_prot = IPPROTO_TCP;
- rule.fw_smsk.s_addr = INADDR_BROADCAST;
- rule.fw_dmsk.s_addr = INADDR_BROADCAST;
-
- /* Build and apply specific part of the rules */
- rule.fw_src = GetOriginalAddress(link);
- rule.fw_dst = GetDestAddress(link);
- rule.fw_uar.fw_pts[0] = ntohs(GetOriginalPort(link));
- rule.fw_uar.fw_pts[1] = ntohs(GetDestPort(link));
-
- /* Skip non-bound links - XXX should not be strictly necessary,
- but seems to leave hole if not done. Leak of non-bound links?
- (Code should be left even if the problem is fixed - it is a
- clear optimization) */
- if (rule.fw_uar.fw_pts[0] != 0 && rule.fw_uar.fw_pts[1] != 0) {
- r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
-#ifdef DEBUG
- if (r)
- err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)");
-#endif
- rule.fw_src = GetDestAddress(link);
- rule.fw_dst = GetOriginalAddress(link);
- rule.fw_uar.fw_pts[0] = ntohs(GetDestPort(link));
- rule.fw_uar.fw_pts[1] = ntohs(GetOriginalPort(link));
- r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
-#ifdef DEBUG
- if (r)
- err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
-#endif
- }
-#endif /* !IPFW2 */
 /* Indicate hole applied */
 link->data.tcp->fwhole = fwhole;
 fw_setfield(fireWallField, fwhole);
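Review bot: With the DEBUG-only ipfw1 branch gone, the remaining path's `err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");` (and presumably its inbound(1) twin just above the hunk) is the only handling of a failed IP_FW_ADD, and it terminates the calling process from inside a library, whereas the removed code aborted only under `#ifdef DEBUG`. That behaviour predates the commit but is now unconditional for every libalias consumer, and exiting after the first of the two rules was added leaves a half-punched accept rule in the kernel that no fireWallField entry records. Consider restoring the old guard, `#ifdef DEBUG` around the two err() calls, and otherwise returning without setting `link->data.tcp->fwhole`, or at least stating in a comment that a hole-punch failure is fatal by design. PunchFWHole's body begins before and continues after this hunk.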
@@ -2874,22 +2830,13 @@ static void
 ClearFWHole(struct alias_link *link) {
 if (link->link_type == LINK_TCP) {
 int fwhole = link->data.tcp->fwhole; /* Where is the firewall hole? */
- struct ip_fw rule;
 if (fwhole < 0)
 return;
- memset(&rule, 0, sizeof rule); /* useless for ipfw2 */
-#if IPFW2
 while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &fwhole, sizeof fwhole))
 ;
-#else /* !IPFW2 */
- rule.fw_number = fwhole;
- while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL,
- &rule, sizeof rule))
- ;
-#endif /* !IPFW2 */
 fw_clrfield(fireWallField, fwhole);
 link->data.tcp->fwhole = -1;
 }
@@ -2898,23 +2845,15 @@ ClearFWHole(struct alias_link *link) {
 /* Clear out the entire range dedicated to firewall holes. */
 static void
 ClearAllFWHoles(void) {
- struct ip_fw rule; /* On-the-fly built rule */
 int i;
 if (fireWallFD < 0)
 return;
- memset(&rule, 0, sizeof rule);
 for (i = fireWallBaseNum; i < fireWallBaseNum + fireWallNumNums; i++) {
-#if IPFW2
 int r = i;
 while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, sizeof r))
 ;
-#else /* !IPFW2 */
- rule.fw_number = i;
- while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule))
- ;
-#endif /* !IPFW2 */
 }
 memset(fireWallField, 0, fireWallNumNums);
 }
diff --git a/sbin/ipfw/Makefile b/sbin/ipfw/Makefile
index db650a573a..d2a9335b7a 100644
--- a/sbin/ipfw/Makefile
+++ b/sbin/ipfw/Makefile
@@ -1,12 +1,9 @@
 # $FreeBSD: src/sbin/ipfw/Makefile,v 1.6.6.3 2002/07/24 03:21:23 luigi Exp $
-# $DragonFly: src/sbin/ipfw/Makefile,v 1.3 2006/10/17 00:55:41 pavalos Exp $
+# $DragonFly: src/sbin/ipfw/Makefile,v 1.4 2007/09/02 13:27:23 sephe Exp $
 PROG= ipfw
 MAN= ipfw.8
-.if defined(IPFW2)
 SRCS= ipfw2.c
-CFLAGS+= -DIPFW2
-.endif
 WARNS?= 2
 .include
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 07484fdc1f..3d7c5e3157 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
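Review bot: ClearFWHole stops deleting on the first setsockopt(IP_FW_DEL) failure and then unconditionally runs `fw_clrfield(fireWallField, fwhole);` and `link->data.tcp->fwhole = -1;`, so a failure for any reason other than "no rule with this number" (the control socket gone, insufficient privilege) forgets an accept rule that is still installed and hands its slot to the next PunchFWHole. ClearAllFWHoles in the following hunk has the same shape. The errno ipfw2 reports for a missing rule is not visible here; saving errno after the loop and warning under DEBUG when it is anything else, e.g. `if (errno != <no-such-rule-errno>) warn("alias clear hole setsockopt(IP_FW_DEL)");` with the placeholder filled in from ip_fw2, would at least make the leak observable. The idiom predates this commit, but it is now the only code path.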
@@ -1,6 +1,6 @@
 .\"
 .\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.63.2.33 2003/02/04 01:36:02 brueffer Exp $
-.\" $DragonFly: src/sbin/ipfw/ipfw.8,v 1.11 2007/04/09 20:47:01 swildner Exp $
+.\" $DragonFly: src/sbin/ipfw/ipfw.8,v 1.12 2007/09/02 13:27:23 sephe Exp $
 .\"
 .Dd August 13, 2002
 .Dt IPFW 8
@@ -89,13 +89,6 @@ The differences between the two are listed in Section
 .Sx IPFW2 ENHANCEMENTS ,
 which you are encouraged to read to revise older rulesets and possibly write them more efficiently.
-See Section
-.Sx USING IPFW2 IN FreeBSD-STABLE
-for instructions on how to run
-.Nm ipfw2
-on
-.Fx
-STABLE.
 .Ed
 .Pp
 An
@@ -1626,27 +1619,6 @@ Controls whether layer-2 packets are passed to
 .Nm .
 Default is no.
 .El
-.Sh USING IPFW2 IN FreeBSD-STABLE
-.Nm ipfw2
-is standard in
-.Fx
-CURRENT, whereas
-.Fx
-STABLE still uses
-.Nm ipfw1
-unless the kernel is compiled with
-.Cd options IPFW2 ,
-and
-.Nm /sbin/ipfw
-and
-.Nm /usr/lib/libalias
-are recompiled with
-.Cm -DIPFW2
-and reinstalled (the same effect can be achieved by adding
-.Cm IPFW2=TRUE
-to
-.Nm /etc/make.conf
-before a buildworld).
 .Sh IPFW2 ENHANCEMENTS
 This Section lists the features that have been introduced in
 .Nm ipfw2
diff --git a/sys/conf/files b/sys/conf/files
index d1b649af63..8981df38ad 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1,5 +1,5 @@
 # $FreeBSD: src/sys/conf/files,v 1.340.2.137 2003/06/04 17:10:30 sam Exp $
-# $DragonFly: src/sys/conf/files,v 1.179 2007/08/31 11:26:44 swildner Exp $
+# $DragonFly: src/sys/conf/files,v 1.180 2007/09/02 13:27:23 sephe Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -899,8 +899,7 @@ netinet/ip_encap.c optional inet6
 netinet/ip_divert.c optional ipdivert
 net/dummynet/ip_dummynet.c optional dummynet
 netinet/ip_flow.c optional inet
-net/ipfw/ip_fw.c optional ipfirewall
-net/ipfw/ip_fw2.c optional ipfw2
+net/ipfw/ip_fw2.c optional ipfirewall
 netinet/ip_icmp.c optional inet
 netinet/ip_input.c optional inet
 netinet/ip_demux.c optional inet
diff --git a/sys/conf/options b/sys/conf/options
index 1ac584c746..68bfe9f250 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -1,5 +1,5 @@
 # $FreeBSD: src/sys/conf/options,v 1.191.2.53 2003/06/04 17:56:58 sam Exp $
-# $DragonFly: src/sys/conf/options,v 1.71 2007/08/16 20:03:52 dillon Exp $
+# $DragonFly: src/sys/conf/options,v 1.72 2007/09/02 13:27:23 sephe Exp $
 #
 # On the handling of kernel options
 #
@@ -285,7 +285,6 @@ IPFILTER opt_ipfilter.h
 IPFILTER_LOG opt_ipfilter.h
 IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
 IPFIREWALL opt_ipfw.h
-IPFW2 opt_ipfw.h
 IPFIREWALL_VERBOSE opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
diff --git a/sys/config/LINT b/sys/config/LINT
index bcb5e3b323..a839da1a18 100644
--- a/sys/config/LINT
+++ b/sys/config/LINT
@@ -3,7 +3,7 @@
 # as much of the source tree as it can.
 #
 # $FreeBSD: src/sys/i386/conf/LINT,v 1.749.2.144 2003/06/04 17:56:59 sam Exp $
-# $DragonFly: src/sys/config/LINT,v 1.130 2007/08/29 15:42:05 swildner Exp $
+# $DragonFly: src/sys/config/LINT,v 1.131 2007/09/02 13:27:23 sephe Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file. Instead, you should start from GENERIC, and add options from
@@ -2687,7 +2687,6 @@ options FB_INSTALL_CDEV
 options FE_8BIT_SUPPORT
 options I4B_SMP_WORKAROUND
 options I586_PMC_GUPROF=0x70000
-options IPFW2
 options KBDIO_DEBUG=10
 options KBD_MAXRETRY=4
 options KBD_MAXWAIT=6
diff --git a/sys/net/dummynet/Makefile b/sys/net/dummynet/Makefile
index ac411ecbb9..91824db9c0 100644
--- a/sys/net/dummynet/Makefile
+++ b/sys/net/dummynet/Makefile
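Review bot: net/ipfw/ip_fw.c is no longer named by any line of this hunk, and the diffstat shows neither it nor any ipfw1 userland source being deleted, so the ipfw1 implementation stays in the tree as code that no config option can build (sys/net/ipfw/Makefile in this same commit is likewise hard-wired to ip_fw2.c, and sbin/ipfw now always builds ipfw2.c, so whatever default source it compiled before appears orphaned too). If the intent is to keep ipfw1 for reference, a short comment on the `net/ipfw/ip_fw2.c optional ipfirewall` line or in the commit message would say so; otherwise removing the stale files in a follow-up avoids someone fixing a firewall bug in the wrong source.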
@@ -1,13 +1,10 @@
 # $FreeBSD: src/sys/modules/dummynet/Makefile,v 1.1.2.2 2003/04/08 10:18:00 maxim Exp $
-# $DragonFly: src/sys/net/dummynet/Makefile,v 1.3 2006/06/25 11:02:39 corecode Exp $
+# $DragonFly: src/sys/net/dummynet/Makefile,v 1.4 2007/09/02 13:27:23 sephe Exp $
 .PATH: ${.CURDIR}/../../netinet
 KMOD= dummynet
 SRCS= ip_dummynet.c
 NOMAN=
-.if defined(IPFW2)
-CFLAGS+= -DIPFW2
-.endif
 KMODDEPS= ipfw
 .include
diff --git a/sys/net/dummynet/ip_dummynet.c b/sys/net/dummynet/ip_dummynet.c
index cd916ab51d..f9d0d9012b 100644
--- a/sys/net/dummynet/ip_dummynet.c
+++ b/sys/net/dummynet/ip_dummynet.c
@@ -25,7 +25,7 @@
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/netinet/ip_dummynet.c,v 1.24.2.22 2003/05/13 09:31:06 maxim Exp $
- * $DragonFly: src/sys/net/dummynet/ip_dummynet.c,v 1.22 2006/12/22 23:44:55 swildner Exp $
+ * $DragonFly: src/sys/net/dummynet/ip_dummynet.c,v 1.23 2007/09/02 13:27:23 sephe Exp $
 */
 #if !defined(KLD_MODULE)
@@ -1000,7 +1000,6 @@ static __inline struct dn_flow_set *
 locate_flowset(int pipe_nr, struct ip_fw *rule)
 {
-#if IPFW2
 struct dn_flow_set *fs;
 ipfw_insn *cmd = rule->cmd + rule->act_ofs;
@@ -1012,11 +1011,6 @@ locate_flowset(int pipe_nr, struct ip_fw *rule)
 return fs;
 if (cmd->opcode == O_QUEUE)
-#else /* !IPFW2 */
- struct dn_flow_set *fs = NULL ;
-
- if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE )
-#endif /* !IPFW2 */
 for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next)
 ;
 else {
@@ -1027,12 +1021,7 @@ locate_flowset(int pipe_nr, struct ip_fw *rule)
 fs = &(p1->fs) ;
 }
 /* record for the future */
-#if IPFW2
 ((ipfw_insn_pipe *)cmd)->pipe_ptr = fs;
-#else
- if (fs != NULL)
- rule->pipe_ptr = fs;
-#endif
 return fs ;
 }
@@ -1062,15 +1051,11 @@ dummynet_io(struct mbuf *m, int pipe_nr, int dir, struct ip_fw_args *fwa)
 int is_pipe;
 crit_enter();
-#if IPFW2
 ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;
 if (cmd->opcode == O_LOG)
 cmd += F_LEN(cmd);
 is_pipe = (cmd->opcode == O_PIPE);
-#else
- is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE;
-#endif
 pipe_nr &= 0xffff ;
diff --git a/sys/net/ipfw/Makefile b/sys/net/ipfw/Makefile
index 3474686e7c..d47af11880 100644
--- a/sys/net/ipfw/Makefile
+++ b/sys/net/ipfw/Makefile
@@ -1,16 +1,11 @@
 # $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11.2.1 2003/02/14 14:09:21 maxim Exp $
-# $DragonFly: src/sys/net/ipfw/Makefile,v 1.2 2003/06/17 04:28:44 dillon Exp $
+# $DragonFly: src/sys/net/ipfw/Makefile,v 1.3 2007/09/02 13:27:23 sephe Exp $
 .PATH: ${.CURDIR}/../../netinet
 KMOD= ipfw
 NOMAN=
 CFLAGS+= -DIPFIREWALL
-.if defined(IPFW2)
 SRCS= ip_fw2.c
-CFLAGS+= -DIPFW2
-.else
-SRCS= ip_fw.c
-.endif
 #
 #If you want it verbose
 #CFLAGS+= -DIPFIREWALL_VERBOSE
diff --git a/sys/net/ipfw/ip_fw.h b/sys/net/ipfw/ip_fw.h
dissimilarity index 94%
index 8829e292c4..23b1f79c9b 100644
--- a/sys/net/ipfw/ip_fw.h
+++ b/sys/net/ipfw/ip_fw.h
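Review bot: The walk from a rule to its action instruction, `ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;` followed by `if (cmd->opcode == O_LOG) cmd += F_LEN(cmd);`, is now open-coded here with no #ifdef left to justify the inline form, and locate_flowset in the previous hunk starts from the same `rule->cmd + rule->act_ofs` expression (its O_LOG handling, if any, falls in lines that hunk omits). A small static inline helper returning a rule's action ipfw_insn would keep the two call sites in step should another prefix opcode ever be allowed before the action. Minor style point: the new declaration sits between `crit_enter();` and the statements that follow, while `is_pipe` is declared at the top of the block. dummynet_io's body continues outside the hunk.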
@@ -1,375 +1,23 @@ -/* - * Copyright (c) 1993 Daniel Boulet - * Copyright (c) 1994 Ugen J.S.Antsilevich - * - * Redistribution and use in source forms, with and without modification, - * are permitted provided that this entire comment appears intact. - * - * Redistribution in binary form may occur without any restrictions. - * Obviously, it would be nice if you gave credit where credit is due - * but requiring it would be too onerous. - * - * This software is provided ``AS IS'' without any warranties of any kind. - * - * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.47.2.11 2002/07/09 09:11:42 luigi Exp $ - * $DragonFly: src/sys/net/ipfw/ip_fw.h,v 1.7 2006/06/25 11:02:39 corecode Exp $ - */ - -#ifndef _IP_FW_H -#define _IP_FW_H - -#if IPFW2 -#include "ip_fw2.h" -#else /* !IPFW2, good old ipfw */ - -#include - -/* - * This union structure identifies an interface, either explicitly - * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME - * and IP_FW_F_OIFNAME say how to interpret this structure. An - * interface unit number of -1 matches any unit number, while an - * IP address of 0.0.0.0 indicates matches any interface. - * - * The receive and transmit interfaces are only compared against the - * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE) - * is set. Note some packets lack a receive or transmit interface - * (in which case the missing "interface" never matches). - */ - -union ip_fw_if { - struct in_addr fu_via_ip; /* Specified by IP address */ - struct { /* Specified by interface name */ -#define FW_IFNLEN IFNAMSIZ - char name[FW_IFNLEN]; - short glob; - } fu_via_if; -}; - -/* - * Format of an IP firewall descriptor - * - * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order. - * fw_flg and fw_n*p are stored in host byte order (of course). - * Port numbers are stored in HOST byte order. 
- */ - -struct ip_fw { - LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */ - u_int32_t fw_flg; /* Operational Flags word */ - u_int64_t fw_pcnt; /* Packet counters */ - u_int64_t fw_bcnt; /* Byte counters */ - struct in_addr fw_src; /* Source IP address */ - struct in_addr fw_dst; /* Destination IP address */ - struct in_addr fw_smsk; /* Mask for source IP address */ - struct in_addr fw_dmsk; /* Mask for destination address */ - u_short fw_number; /* Rule number */ - u_char fw_prot; /* IP protocol */ -#if 1 - u_char fw_nports; /* # of src/dst port in array */ -#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f) -#define IP_FW_SETNSRCP(rule, n) do { \ - (rule)->fw_nports &= ~0x0f; \ - (rule)->fw_nports |= (n); \ - } while (0) -#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4) -#define IP_FW_SETNDSTP(rule, n) do { \ - (rule)->fw_nports &= ~0xf0; \ - (rule)->fw_nports |= (n) << 4;\ - } while (0) -#define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0) -#else - u_char __pad[1]; - u_int _nsrcp; - u_int _ndstp; -#define IP_FW_GETNSRCP(rule) (rule)->_nsrcp -#define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n -#define IP_FW_GETNDSTP(rule) (rule)->_ndstp -#define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n -#define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0) -#endif -#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ - union { - u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */ -#define IP_FW_ICMPTYPES_MAX 128 -#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8)) - unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/ - } fw_uar; - - u_int fw_ipflg; /* IP flags word */ - u_short fw_iplen; /* IP length XXX */ - u_short fw_ipid; /* Identification XXX */ - - u_char fw_ipopt; /* IP options set */ - u_char fw_ipnopt; /* IP options unset */ - u_char fw_iptos; /* IP type of service set XXX */ - u_char fw_ipntos; /* IP type of service unset XXX */ - - u_char fw_ipttl; /* IP time to live XXX */ - u_char 
fw_ipver:4; /* IP version XXX */ - u_char fw_tcpopt; /* TCP options set */ - u_char fw_tcpnopt; /* TCP options unset */ - - u_char fw_tcpf; /* TCP flags set/unset */ - u_char fw_tcpnf; /* TCP flags set/unset */ - u_short fw_tcpwin; /* TCP window size XXX */ - - u_int32_t fw_tcpseq; /* TCP sequence XXX */ - u_int32_t fw_tcpack; /* TCP acknowledgement XXX */ - - long timestamp; /* timestamp (tv_sec) of last match */ - union ip_fw_if fw_in_if; /* Incoming interfaces */ - union ip_fw_if fw_out_if; /* Outgoing interfaces */ - union { - u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */ - u_short fu_pipe_nr; /* queue number (option DUMMYNET) */ - u_short fu_skipto_rule; /* SKIPTO command rule number */ - u_short fu_reject_code; /* REJECT response code */ - struct sockaddr_in fu_fwd_ip; - } fw_un; - - /* - * N'of src ports and # of dst ports in ports array (dst ports - * follow src ports; max of 10 ports in all; count of 0 means - * match all ports) - */ - void *pipe_ptr; /* flow_set ptr for dummynet pipe */ - void *next_rule_ptr; /* next rule in case of match */ - uid_t fw_uid; /* uid to match */ - gid_t fw_gid; /* gid to match */ - int fw_logamount; /* amount to log */ - u_int64_t fw_loghighest; /* highest number packet to log */ - - long dont_match_prob; /* 0x7fffffff means 1.0-always fail */ - u_char dyn_type; /* type for dynamic rule */ - -#define DYN_KEEP_STATE 0 /* type for keep-state rules */ -#define DYN_LIMIT 1 /* type for limit connection rules */ -#define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */ - - /* - * following two fields are used to limit number of connections - * basing on either src, srcport, dst, dstport. - */ - u_char limit_mask; /* mask type for limit rule, can - * have many. 
- */ -#define DYN_SRC_ADDR 0x1 -#define DYN_SRC_PORT 0x2 -#define DYN_DST_ADDR 0x4 -#define DYN_DST_PORT 0x8 - - u_short conn_limit; /* # of connections for limit rule */ -}; - -#define fw_divert_port fw_un.fu_divert_port -#define fw_skipto_rule fw_un.fu_skipto_rule -#define fw_reject_code fw_un.fu_reject_code -#define fw_pipe_nr fw_un.fu_pipe_nr -#define fw_fwd_ip fw_un.fu_fwd_ip - -/* - * - * rule_ptr -------------+ - * V - * [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]---> - * [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<--- - * [ body ] [ body ] [ body ] - * - */ - -/* - * Flow mask/flow id for each queue. - */ -struct ipfw_flow_id { - u_int32_t dst_ip; - u_int32_t src_ip; - u_int16_t dst_port; - u_int16_t src_port; - u_int8_t proto; - u_int8_t flags; /* protocol-specific flags */ -}; - -/* - * dynamic ipfw rule - */ -struct ipfw_dyn_rule { - struct ipfw_dyn_rule *next; - struct ipfw_flow_id id; /* (masked) flow id */ - struct ip_fw *rule; /* pointer to rule */ - struct ipfw_dyn_rule *parent; /* pointer to parent rule */ - u_int32_t expire; /* expire time */ - u_int64_t pcnt; /* packet match counters */ - u_int64_t bcnt; /* byte match counters */ - u_int32_t bucket; /* which bucket in hash table */ - u_int32_t state; /* state of this rule (typically a - * combination of TCP flags) - */ - u_int16_t dyn_type; /* rule type */ - u_int16_t count; /* refcount */ -}; - -/* - * Values for "flags" field . 
- */ -#define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */ -#define IP_FW_F_DENY 0x00000000 /* This is a deny rule */ -#define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */ -#define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */ -#define IP_FW_F_COUNT 0x00000003 /* This is a count rule */ -#define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */ -#define IP_FW_F_TEE 0x00000005 /* This is a tee rule */ -#define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */ -#define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding - * address" rule - */ -#define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */ -#define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */ - -#define IP_FW_F_IN 0x00000100 /* Check inbound packets */ -#define IP_FW_F_OUT 0x00000200 /* Check outbound packets */ -#define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */ -#define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */ -#define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */ -#define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min - * and max range (stored in host byte - * order). - */ -#define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min - * and max range (stored in host byte - * order). 
- */ -#define IP_FW_F_FRAG 0x00008000 /* Fragment */ -#define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */ -#define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP)*/ -#define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */ -#define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */ -#define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */ -#define IP_FW_F_UID 0x00200000 /* filter by uid */ -#define IP_FW_F_GID 0x00400000 /* filter by gid */ -#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */ -#define IP_FW_F_SMSK 0x01000000 /* src-port + mask */ -#define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */ -#define IP_FW_UNUSED0 0x04000000 -#define IP_FW_F_KEEP_S 0x08000000 /* keep state */ -#define IP_FW_F_CHECK_S 0x10000000 /* check state */ -#define IP_FW_F_SME 0x20000000 /* source = me */ -#define IP_FW_F_DME 0x40000000 /* destination = me */ - -#define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */ - -/* - * Flags for the 'fw_ipflg' field, for comparing values - * of ip and its protocols. Not all are currently used, - * IP_FW_IF_*MSK list the one actually used. 
- */ -#define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */ -#define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */ -#define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */ -#define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */ -#define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */ -#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */ -#define IP_FW_IF_TCPMSK 0x00000020 /* mask of all tcp values */ - -#define IP_FW_IF_IPOPT 0x00000100 /* ip options */ -#define IP_FW_IF_IPLEN 0x00000200 /* ip length */ -#define IP_FW_IF_IPID 0x00000400 /* ip identification */ -#define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */ -#define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */ -#define IP_FW_IF_IPVER 0x00002000 /* ip version */ -#define IP_FW_IF_IPMSK 0x00000000 /* mask of all ip values */ - -#define IP_FW_IF_MSK 0x00000020 /* All possible bits mask */ - -/* - * For backwards compatibility with rules specifying "via iface" but - * not restricted to only "in" or "out" packets, we define this combination - * of bits to represent this configuration. - */ - -#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE) - -/* - * Definitions for REJECT response codes. - * Values less than 256 correspond to ICMP unreachable codes. - */ -#define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */ - -/* - * Definitions for IP option names. - */ -#define IP_FW_IPOPT_LSRR 0x01 -#define IP_FW_IPOPT_SSRR 0x02 -#define IP_FW_IPOPT_RR 0x04 -#define IP_FW_IPOPT_TS 0x08 - -/* - * Definitions for TCP option names. - */ -#define IP_FW_TCPOPT_MSS 0x01 -#define IP_FW_TCPOPT_WINDOW 0x02 -#define IP_FW_TCPOPT_SACK 0x04 -#define IP_FW_TCPOPT_TS 0x08 -#define IP_FW_TCPOPT_CC 0x10 - -/* - * Definitions for TCP flags. 
- */ -#define IP_FW_TCPF_FIN TH_FIN -#define IP_FW_TCPF_SYN TH_SYN -#define IP_FW_TCPF_RST TH_RST -#define IP_FW_TCPF_PSH TH_PUSH -#define IP_FW_TCPF_ACK TH_ACK -#define IP_FW_TCPF_URG TH_URG - -/* - * Main firewall chains definitions and global var's definitions. - */ -#ifdef _KERNEL - -#define IP_FW_PORT_DYNT_FLAG 0x10000 -#define IP_FW_PORT_TEE_FLAG 0x20000 -#define IP_FW_PORT_DENY_FLAG 0x40000 - -/* - * arguments for calling ipfw_chk() and dummynet_io(). We put them - * all into a structure because this way it is easier and more - * efficient to pass variables around and extend the interface. - */ -struct ip_fw_args { - struct mbuf *m; /* the mbuf chain */ - struct ifnet *oif; /* output interface */ - struct sockaddr_in *next_hop; /* forward address */ - struct ip_fw *rule; /* matching rule */ - struct ether_header *eh; /* for bridged packets */ - - struct route *ro; /* for dummynet */ - struct sockaddr_in *dst; /* for dummynet */ - int flags; /* for dummynet */ - - struct ipfw_flow_id f_id; /* grabbed from IP header */ - u_int32_t retval; -}; - -/* - * Function definitions. - */ -void ip_fw_init (void); - -/* Firewall hooks */ -struct sockopt; -struct dn_flow_set; -void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */ - -typedef int ip_fw_chk_t (struct ip_fw_args *args); -typedef int ip_fw_ctl_t (struct sockopt *); -extern ip_fw_chk_t *ip_fw_chk_ptr; -extern ip_fw_ctl_t *ip_fw_ctl_ptr; -extern int fw_one_pass; -extern int fw_enable; -extern struct ipfw_flow_id last_pkt; -#define IPFW_LOADED (ip_fw_chk_ptr != NULL) -#endif /* _KERNEL */ - -#endif /* !IPFW2 */ -#endif /* _IP_FW_H */ +/* + * Copyright (c) 1993 Daniel Boulet + * Copyright (c) 1994 Ugen J.S.Antsilevich + * + * Redistribution and use in source forms, with and without modification, + * are permitted provided that this entire comment appears intact. + * + * Redistribution in binary form may occur without any restrictions. 
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ *
+ * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.47.2.11 2002/07/09 09:11:42 luigi Exp $
+ * $DragonFly: src/sys/net/ipfw/ip_fw.h,v 1.8 2007/09/02 13:27:23 sephe Exp $
+ */
+
+#ifndef _IP_FW_H
+#define _IP_FW_H
+
+#include "ip_fw2.h"
+
+#endif /* _IP_FW_H */
diff --git a/sys/net/ipfw/ip_fw2.c b/sys/net/ipfw/ip_fw2.c
index c42c8fcec3..7a93a1228c 100644
--- a/sys/net/ipfw/ip_fw2.c
+++ b/sys/net/ipfw/ip_fw2.c
@@ -23,7 +23,7 @@
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/netinet/ip_fw2.c,v 1.6.2.12 2003/04/08 10:42:32 maxim Exp $
- * $DragonFly: src/sys/net/ipfw/ip_fw2.c,v 1.26 2006/12/22 23:44:57 swildner Exp $
+ * $DragonFly: src/sys/net/ipfw/ip_fw2.c,v 1.27 2007/09/02 13:27:23 sephe Exp $
 */
 #define DEB(x)
@@ -43,7 +43,6 @@
 #endif /* INET */
 #endif
-#if IPFW2
 #include
 #include
 #include
@@ -2769,4 +2768,3 @@ static moduledata_t ipfwmod = {
 };
 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
 MODULE_VERSION(ipfw, 1);
-#endif /* IPFW2 */
--
2.11.4.GIT