From owner-p4-projects Fri Jun 28 11: 8:43 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 8CA6537B406; Fri, 28 Jun 2002 11:06:06 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 13D8537B405 for ; Fri, 28 Jun 2002 11:06:02 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4771C43E09 for ; Fri, 28 Jun 2002 11:06:01 -0700 (PDT) (envelope-from bmilekic@freebsd.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g5SI61JU089403 for ; Fri, 28 Jun 2002 11:06:01 -0700 (PDT) (envelope-from bmilekic@freebsd.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g5SI6071089395 for perforce@freebsd.org; Fri, 28 Jun 2002 11:06:00 -0700 (PDT) Date: Fri, 28 Jun 2002 11:06:00 -0700 (PDT) Message-Id: <200206281806.g5SI6071089395@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bmilekic@freebsd.org using -f From: Bosko Milekic Subject: PERFORCE change 13530 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=13530 Change 13530 by bmilekic@bmilekic_angela on 2002/06/28 11:05:23 IFC (waiting for KSE III to see what to do next) Affected files ... .. //depot/projects/interrupt/sys/alpha/alpha/pmap.c#5 integrate .. //depot/projects/interrupt/sys/compat/linux/linux_ioctl.c#4 integrate .. //depot/projects/interrupt/sys/conf/files#10 integrate .. //depot/projects/interrupt/sys/dev/sound/pci/ich.c#4 integrate .. //depot/projects/interrupt/sys/dev/sound/pci/maestro3.c#4 integrate .. //depot/projects/interrupt/sys/i386/i386/pmap.c#7 integrate .. //depot/projects/interrupt/sys/kern/kern_acl.c#6 integrate .. //depot/projects/interrupt/sys/kern/kern_poll.c#5 integrate .. //depot/projects/interrupt/sys/kern/vfs_subr.c#8 integrate .. //depot/projects/interrupt/sys/kern/vfs_vnops.c#8 integrate .. //depot/projects/interrupt/sys/modules/ipfw/Makefile#3 integrate .. //depot/projects/interrupt/sys/netinet/ip_dummynet.c#5 integrate .. //depot/projects/interrupt/sys/netinet/ip_fw.h#4 integrate .. //depot/projects/interrupt/sys/netinet/ip_fw2.c#1 branch .. //depot/projects/interrupt/sys/netinet/ip_input.c#5 integrate .. //depot/projects/interrupt/sys/netinet/ip_mroute.c#4 integrate .. //depot/projects/interrupt/sys/netinet/ip_output.c#5 integrate .. //depot/projects/interrupt/sys/pccard/pcic_pci.c#6 integrate .. //depot/projects/interrupt/sys/sparc64/conf/GENERIC#5 integrate .. //depot/projects/interrupt/sys/ufs/ffs/ffs_vfsops.c#7 integrate .. //depot/projects/interrupt/sys/vm/swap_pager.c#7 integrate .. //depot/projects/interrupt/sys/vm/vm_map.c#9 integrate .. //depot/projects/interrupt/sys/vm/vm_object.c#7 integrate Differences ... ==== //depot/projects/interrupt/sys/alpha/alpha/pmap.c#5 (text+ko) ==== @@ -43,7 +43,7 @@ * from: @(#)pmap.c 7.7 (Berkeley) 5/12/91 * from: i386 Id: pmap.c,v 1.193 1998/04/19 15:22:48 bde Exp * with some ideas from NetBSD's alpha pmap - * $FreeBSD: src/sys/alpha/alpha/pmap.c,v 1.92 2002/04/29 07:43:08 peter Exp $ + * $FreeBSD: src/sys/alpha/alpha/pmap.c,v 1.93 2002/06/27 04:08:45 jeff Exp $ */ /* @@ -610,7 +610,7 @@ if (initial_pvs < MINPV) initial_pvs = MINPV; pvzone = uma_zcreate("PV ENTRY", sizeof (struct pv_entry), NULL, NULL, - NULL, NULL, UMA_ALIGN_PTR, 0); + NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_VM); uma_zone_set_allocf(pvzone, pmap_allocf); uma_prealloc(pvzone, initial_pvs); /* ==== //depot/projects/interrupt/sys/compat/linux/linux_ioctl.c#4 (text+ko) ==== @@ -25,7 +25,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/sys/compat/linux/linux_ioctl.c,v 1.85 2002/06/02 20:05:41 schweikh Exp $ + * $FreeBSD: src/sys/compat/linux/linux_ioctl.c,v 1.86 2002/06/26 15:53:11 arr Exp $ */ #include @@ -2027,15 +2027,10 @@ ifp = NULL; error = 0; - mtx_lock(&Giant); - if ((error = fget(td, args->fd, &fp)) != 0) { - mtx_unlock(&Giant); + if ((error = fget(td, args->fd, &fp)) != 0) return (error); - } type = fp->f_type; fdrop(fp, td); - mtx_unlock(&Giant); - if (type != DTYPE_SOCKET) { /* not a socket - probably a tap / vmnet device */ switch (args->cmd) { @@ -2243,14 +2238,10 @@ struct file *fp; int error, type; - mtx_lock(&Giant); - if ((error = fget(td, args->fd, &fp)) != 0) { - mtx_unlock(&Giant); + if ((error = fget(td, args->fd, &fp)) != 0) return (error); - } type = fp->f_type; fdrop(fp, td); - mtx_unlock(&Giant); if (type == DTYPE_SOCKET) return (linux_ioctl_socket(td, args)); return (ENOIOCTL); ==== //depot/projects/interrupt/sys/conf/files#10 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/sys/conf/files,v 1.654 2002/06/26 03:34:43 ken Exp $ +# $FreeBSD: src/sys/conf/files,v 1.655 2002/06/27 23:02:17 luigi Exp $ # # The long compile-with and dependency lines are required because of # limitations in config: backslash-newline doesn't work in strings, and @@ -1164,7 +1164,7 @@ netinet/ip_encap.c optional inet netinet/ip_encap.c optional inet6 netinet/ip_flow.c optional inet -netinet/ip_fw.c optional ipfirewall +netinet/ip_fw2.c optional ipfirewall netinet/ip_icmp.c optional inet netinet/ip_input.c optional inet netinet/ip_mroute.c optional inet ==== //depot/projects/interrupt/sys/dev/sound/pci/ich.c#4 (text+ko) ==== @@ -32,7 +32,7 @@ #include #include -SND_DECLARE_FILE("$FreeBSD: src/sys/dev/sound/pci/ich.c,v 1.21 2002/05/05 15:37:09 orion Exp $"); +SND_DECLARE_FILE("$FreeBSD: src/sys/dev/sound/pci/ich.c,v 1.22 2002/06/27 22:36:01 scottl Exp $"); /* -------------------------------------------------------------------- */ @@ -85,6 +85,8 @@ struct sc_chinfo ch[3]; int ac97rate; struct ich_desc *dtbl; + struct intr_config_hook intrhook; + int use_intrhook; }; /* -------------------------------------------------------------------- */ @@ -455,13 +457,20 @@ /* Calibrate card (some boards are overclocked and need scaling) */ static -unsigned int ich_calibrate(struct sc_info *sc) +void ich_calibrate(void *arg) { - struct sc_chinfo *ch = &sc->ch[1]; + struct sc_info *sc; + struct sc_chinfo *ch; struct timeval t1, t2; u_int8_t ociv, nciv; u_int32_t wait_us, actual_48k_rate, bytes; + sc = (struct sc_info *)arg; + ch = &sc->ch[1]; + + if (sc->use_intrhook) + config_intrhook_disestablish(&sc->intrhook); + /* * Grab audio from input for fixed interval and compare how * much we actually get with what we expect. Interval needs @@ -516,7 +525,7 @@ if (nciv == ociv) { device_printf(sc->dev, "ac97 link rate calibration timed out after %d us\n", wait_us); - return 0; + return; } actual_48k_rate = (bytes * 250000) / wait_us; @@ -534,7 +543,7 @@ printf("\n"); } - return sc->ac97rate; + return; } /* -------------------------------------------------------------------- */ @@ -708,7 +717,15 @@ pcm_setstatus(dev, status); ich_initsys(sc); - ich_calibrate(sc); + + sc->intrhook.ich_func = ich_calibrate; + sc->intrhook.ich_arg = sc; + sc->use_intrhook = 1; + if (config_intrhook_establish(&sc->intrhook) != 0) { + device_printf(dev, "Cannot establish calibration hook, will calibrate now\n"); + sc->use_intrhook = 0; + ich_calibrate(sc); + } return 0; ==== //depot/projects/interrupt/sys/dev/sound/pci/maestro3.c#4 (text+ko) ==== @@ -61,7 +61,7 @@ #include #include -SND_DECLARE_FILE("$FreeBSD: src/sys/dev/sound/pci/maestro3.c,v 1.14 2002/06/24 15:28:47 robert Exp $"); +SND_DECLARE_FILE("$FreeBSD: src/sys/dev/sound/pci/maestro3.c,v 1.15 2002/06/28 06:11:26 scottl Exp $"); /* -------------------------------------------------------------------- */ @@ -1390,7 +1390,7 @@ hv_cfg = HV_BUTTON_FROM_GD; data = pci_read_config(sc->dev, PCI_ALLEGRO_CONFIG, 4); - data &= HV_BUTTON_FROM_GD; + data &= ~HV_BUTTON_FROM_GD; data |= REDUCED_DEBOUNCE | HV_CTRL_ENABLE | hv_cfg; data |= PM_CTRL_ENABLE | CLK_DIV_BY_49 | USE_PCI_TIMING; pci_write_config(sc->dev, PCI_ALLEGRO_CONFIG, data, 4); ==== //depot/projects/interrupt/sys/i386/i386/pmap.c#7 (text+ko) ==== @@ -39,7 +39,7 @@ * SUCH DAMAGE. * * from: @(#)pmap.c 7.7 (Berkeley) 5/12/91 - * $FreeBSD: src/sys/i386/i386/pmap.c,v 1.324 2002/06/25 22:14:06 iedowse Exp $ + * $FreeBSD: src/sys/i386/i386/pmap.c,v 1.326 2002/06/27 06:34:03 arr Exp $ */ /* @@ -2010,7 +2010,7 @@ register pt_entry_t *ptbase; vm_offset_t pdnxt; pd_entry_t ptpaddr; - vm_pindex_t sindex, eindex; + vm_offset_t sindex, eindex; int anychanged; if (pmap == NULL) @@ -2493,7 +2493,7 @@ ((objpgs > 0) && (p != NULL)); p = TAILQ_NEXT(p, listq)) { - if (p->pindex < pindex || p->pindex - pindex > psize) { + if (p->pindex < pindex || p->pindex - pindex >= psize) { continue; } tmpidx = p->pindex - pindex; ==== //depot/projects/interrupt/sys/kern/kern_acl.c#6 (text+ko) ==== @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/kern/kern_acl.c,v 1.28 2002/06/13 23:17:39 rwatson Exp $ + * $FreeBSD: src/sys/kern/kern_acl.c,v 1.30 2002/06/27 19:31:15 rwatson Exp $ */ /* * Developed by the TrustedBSD Project. @@ -50,12 +50,12 @@ MALLOC_DEFINE(M_ACL, "acl", "access control list"); -static int vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type, - struct acl *aclp); -static int vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type, - struct acl *aclp); +static int vacl_set_acl(struct thread *td, struct vnode *vp, + acl_type_t type, struct acl *aclp); +static int vacl_get_acl(struct thread *td, struct vnode *vp, + acl_type_t type, struct acl *aclp); static int vacl_aclcheck(struct thread *td, struct vnode *vp, - acl_type_t type, struct acl *aclp); + acl_type_t type, struct acl *aclp); /* * Implement a version of vaccess() that understands POSIX.1e ACL semantics. @@ -621,7 +621,7 @@ return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = VOP_SETACL(vp, ACL_TYPE_DEFAULT, 0, td->td_ucred, td); + error = VOP_SETACL(vp, type, NULL, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); ==== //depot/projects/interrupt/sys/kern/kern_poll.c#5 (text+ko) ==== @@ -24,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/kern/kern_poll.c,v 1.6 2002/03/09 08:02:52 luigi Exp $ + * $FreeBSD: src/sys/kern/kern_poll.c,v 1.7 2002/06/27 23:23:04 luigi Exp $ */ #include @@ -195,6 +195,12 @@ /* * Hook from hardclock. Tries to schedule a netisr, but keeps track * of lost ticks due to the previous handler taking too long. + * Normally, this should not happen, because polling handler should + * run for a short time. However, in some cases (e.g. when there are + * changes in link status etc.) the drivers take a very long time + * (even in the order of milliseconds) to reset and reconfigure the + * device, causing apparent lost polls. + * * The first part of the code is just for debugging purposes, and tries * to count how often hardclock ticks are shorter than they should, * meaning either stray interrupts or delayed events. @@ -217,10 +223,11 @@ prev_t = t; if (pending_polls > 100) { - /* too much, assume it has stalled */ + /* + * Too much, assume it has stalled (not always true + * see comment above). + */ stalled++; - printf("poll stalled [%d] in phase %d\n", - stalled, phase); pending_polls = 0; phase = 0; } ==== //depot/projects/interrupt/sys/kern/vfs_subr.c#8 (text+ko) ==== @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)vfs_subr.c 8.31 (Berkeley) 5/26/95 - * $FreeBSD: src/sys/kern/vfs_subr.c,v 1.362 2002/06/20 20:03:41 mux Exp $ + * $FreeBSD: src/sys/kern/vfs_subr.c,v 1.363 2002/06/28 16:17:47 green Exp $ */ /* @@ -812,8 +812,8 @@ object->ref_count)) { TAILQ_INSERT_TAIL(&vnode_free_list, vp, v_freelist); + VOP_UNLOCK(vp, 0, td); vp = NULL; - VOP_UNLOCK(vp, 0, td); continue; } if (LIST_FIRST(&vp->v_cache_src)) { ==== //depot/projects/interrupt/sys/kern/vfs_vnops.c#8 (text+ko) ==== @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)vfs_vnops.c 8.2 (Berkeley) 1/21/94 - * $FreeBSD: src/sys/kern/vfs_vnops.c,v 1.149 2002/06/24 07:14:44 mckusick Exp $ + * $FreeBSD: src/sys/kern/vfs_vnops.c,v 1.150 2002/06/28 17:51:11 jeff Exp $ */ #include @@ -356,11 +356,16 @@ if ((ioflg & IO_NODELOCKED) == 0) { mp = NULL; - if (rw == UIO_WRITE && - vp->v_type != VCHR && - (error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) - return (error); - vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); + if (rw == UIO_WRITE) { + if (vp->v_type != VCHR && + (error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) + != 0) + return (error); + vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); + } else { + vn_lock(vp, LK_SHARED | LK_RETRY, td); + } + } auio.uio_iov = &aiov; auio.uio_iovcnt = 1; @@ -382,7 +387,8 @@ if (auio.uio_resid && error == 0) error = EIO; if ((ioflg & IO_NODELOCKED) == 0) { - vn_finished_write(mp); + if (rw == UIO_WRITE) + vn_finished_write(mp); VOP_UNLOCK(vp, 0, td); } return (error); ==== //depot/projects/interrupt/sys/modules/ipfw/Makefile#3 (text+ko) ==== @@ -1,9 +1,9 @@ -# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.15 2002/01/11 15:48:49 ru Exp $ +# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.16 2002/06/28 08:10:07 julian Exp $ .PATH: ${.CURDIR}/../../netinet KMOD= ipfw -SRCS= ip_fw.c +SRCS= ip_fw2.c CFLAGS+= -DIPFIREWALL # ==== //depot/projects/interrupt/sys/netinet/ip_dummynet.c#5 (text+ko) ==== @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998-2001 Luigi Rizzo, Universita` di Pisa + * Copyright (c) 1998-2002 Luigi Rizzo, Universita` di Pisa * Portions Copyright (c) 2000 Akamba Corp. * All rights reserved * @@ -24,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/netinet/ip_dummynet.c,v 1.47 2002/06/22 11:51:02 luigi Exp $ + * $FreeBSD: src/sys/netinet/ip_dummynet.c,v 1.48 2002/06/27 23:02:17 luigi Exp $ */ #define DEB(x) @@ -61,7 +61,6 @@ #include #include #include -#include /* XXX */ #include #include #include @@ -166,12 +165,6 @@ int if_tx_rdy(struct ifnet *ifp); -/* - * ip_fw_chain_head is used when deleting a pipe, because ipfw rules can - * hold references to the pipe. - */ -extern LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chain_head; - static void rt_unref(struct rtentry *rt) { @@ -1023,9 +1016,13 @@ struct dn_flow_set * locate_flowset(int pipe_nr, struct ip_fw *rule) { - struct dn_flow_set *fs = NULL ; + ipfw_insn_pipe *cmd = (ipfw_insn_pipe *)(rule->cmd + rule->act_ofs); + struct dn_flow_set *fs = (struct dn_flow_set *)(cmd->pipe_ptr); + + if (fs != NULL) + return fs; - if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE ) + if ( cmd->o.opcode == O_QUEUE ) for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next) ; else { @@ -1035,8 +1032,7 @@ if (p1 != NULL) fs = &(p1->fs) ; } - if (fs != NULL) - rule->pipe_ptr = fs ; /* record for the future */ + (struct dn_flow_set *)(cmd->pipe_ptr) = fs; /* record for the future */ return fs ; } @@ -1065,16 +1061,18 @@ u_int64_t len = m->m_pkthdr.len ; struct dn_flow_queue *q = NULL ; int s ; + int action = fwa->rule->cmd[fwa->rule->act_ofs].opcode; s = splimp(); pipe_nr &= 0xffff ; - if ( (fs = fwa->rule->pipe_ptr) == NULL ) { - fs = locate_flowset(pipe_nr, fwa->rule); - if (fs == NULL) - goto dropit ; /* this queue/pipe does not exist! */ - } + /* + * this is a dummynet rule, so we expect a O_PIPE or O_QUEUE rule + */ + fs = locate_flowset(pipe_nr, fwa->rule); + if (fs == NULL) + goto dropit ; /* this queue/pipe does not exist! */ pipe = fs->pipe ; if (pipe == NULL) { /* must be a queue, try find a matching pipe */ for (pipe = all_pipes; pipe && pipe->pipe_nr != fs->parent_nr; @@ -1152,7 +1150,7 @@ * to schedule it. This involves different actions for fixed-rate or * WF2Q queues. */ - if ( (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE ) { + if ( action == O_PIPE ) { /* * Fixed-rate queue: just insert into the ready_heap. */ @@ -1302,15 +1300,13 @@ dummynet_flush() { struct dn_pipe *curr_p, *p ; - struct ip_fw *rule ; struct dn_flow_set *fs, *curr_fs; int s ; s = splimp() ; /* remove all references to pipes ...*/ - LIST_FOREACH(rule, &ip_fw_chain_head, next) - rule->pipe_ptr = NULL ; + flush_pipe_ptrs(NULL); /* prevent future matches... */ p = all_pipes ; all_pipes = NULL ; @@ -1375,8 +1371,8 @@ fs = &(p->fs) ; dn_rule_delete_fs(fs, r); for (pkt = p->head ; pkt ; pkt = DN_NEXT(pkt) ) - if (pkt->rule == r) - pkt->rule = ip_fw_default_rule ; + if (pkt->hdr.mh_data == r) + pkt->hdr.mh_data = (void *)ip_fw_default_rule ; } } @@ -1663,7 +1659,6 @@ delete_pipe(struct dn_pipe *p) { int s ; - struct ip_fw *rule ; if (p->pipe_nr == 0 && p->fs.fs_nr == 0) return EINVAL ; @@ -1687,9 +1682,7 @@ else a->next = b->next ; /* remove references to this pipe from the ip_fw rules. */ - LIST_FOREACH(rule, &ip_fw_chain_head, next) - if (rule->pipe_ptr == &(b->fs)) - rule->pipe_ptr = NULL ; + flush_pipe_ptrs(&(b->fs)); /* remove all references to this pipe from flow_sets */ for (fs = all_flow_sets; fs; fs= fs->next ) @@ -1721,9 +1714,7 @@ else a->next = b->next ; /* remove references to this flow_set from the ip_fw rules. */ - LIST_FOREACH(rule, &ip_fw_chain_head, next) - if (rule->pipe_ptr == b) - rule->pipe_ptr = NULL ; + flush_pipe_ptrs(b); if (b->pipe != NULL) { /* Update total weight on parent pipe and cleanup parent heaps */ @@ -1847,9 +1838,14 @@ /* Disallow sets in really-really secure mode. */ if (sopt->sopt_dir == SOPT_SET) { +#if __FreeBSD_version >= 500034 error = securelevel_ge(sopt->sopt_td->td_ucred, 3); if (error) return (error); +#else + if (securelevel >= 3) + return (EPERM); +#endif } switch (sopt->sopt_name) { ==== //depot/projects/interrupt/sys/netinet/ip_fw.h#4 (text+ko) ==== @@ -1,183 +1,305 @@ /* - * Copyright (c) 1993 Daniel Boulet - * Copyright (c) 1994 Ugen J.S.Antsilevich + * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * Redistribution and use in source forms, with and without modification, - * are permitted provided that this entire comment appears intact. + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. * - * Redistribution in binary form may occur without any restrictions. - * Obviously, it would be nice if you gave credit where credit is due - * but requiring it would be too onerous. + * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.69 2002/06/27 23:02:17 luigi Exp $ + */ + +#ifndef _IPFW2_H +#define _IPFW2_H + +/* + * The kernel representation of ipfw rules is made of a list of + * 'instructions' (for all practical purposes equivalent to BPF + * instructions), which specify which fields of the packet + * (or its metatada) should be analysed. * - * This software is provided ``AS IS'' without any warranties of any kind. + * Each instruction is stored in a structure which begins with + * "ipfw_insn", and can contain extra fields depending on the + * instruction type (listed below). * - * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.68 2002/06/22 11:51:02 luigi Exp $ + * "enum ipfw_opcodes" are the opcodes supported. We can have up + * to 256 different opcodes. */ -#ifndef _IP_FW_H -#define _IP_FW_H +enum ipfw_opcodes { /* arguments (4 byte each) */ + O_NOP, + + O_IP_SRC, /* u32 = IP */ + O_IP_SRC_MASK, /* ip = IP/mask */ + O_IP_SRC_ME, /* none */ + O_IP_SRC_SET, /* u32=base, arg1=len, bitmap */ + + O_IP_DST, /* u32 = IP */ + O_IP_DST_MASK, /* ip = IP/mask */ + O_IP_DST_ME, /* none */ + O_IP_DST_SET, /* u32=base, arg1=len, bitmap */ + + O_IP_SRCPORT, /* (n)port list:mask 4 byte ea */ + O_IP_DSTPORT, /* (n)port list:mask 4 byte ea */ + O_PROTO, /* arg1=protocol */ + + O_MACADDR2, /* 2 mac addr:mask */ + O_MAC_TYPE, /* same as srcport */ + + O_LAYER2, /* none */ + O_IN, /* none */ + O_FRAG, /* none */ + + O_RECV, /* none */ + O_XMIT, /* none */ + O_VIA, /* none */ + + O_IPOPT, /* arg1 = 2*u8 bitmap */ + O_IPLEN, /* arg1 = len */ + O_IPID, /* arg1 = id */ + + O_IPPRE, /* arg1 = id */ + O_IPTOS, /* arg1 = id */ + O_IPTTL, /* arg1 = TTL */ + + O_IPVER, /* arg1 = version */ + O_UID, /* u32 = id */ + O_GID, /* u32 = id */ + O_ESTAB, /* none (tcp established) */ + O_TCPFLAGS, /* arg1 = 2*u8 bitmap */ + O_TCPWIN, /* arg1 = desired win */ + O_TCPSEQ, /* u32 = desired seq. */ + O_TCPACK, /* u32 = desired seq. */ + O_ICMPTYPE, /* u32 = icmp bitmap */ + O_TCPOPTS, /* arg1 = 2*u8 bitmap */ + O_IPOPTS, /* arg1 = 2*u8 bitmap */ + + O_PROBE_STATE, /* none */ + O_KEEP_STATE, /* none */ + O_LIMIT, /* ipfw_insn_limit */ + O_LIMIT_PARENT, /* dyn_type, not an opcode. */ + /* + * these are really 'actions', and must be last in the list. + */ + + O_LOG, /* ipfw_insn_log */ + O_PROB, /* u32 = match probability */ -#include + O_CHECK_STATE, /* none */ + O_ACCEPT, /* none */ + O_DENY, /* none */ + O_REJECT, /* arg1=icmp arg (same as deny) */ + O_COUNT, /* none */ + O_SKIPTO, /* arg1=next rule number */ + O_PIPE, /* arg1=pipe number */ + O_QUEUE, /* arg1=queue number */ + O_DIVERT, /* arg1=port number */ + O_TEE, /* arg1=port number */ + O_FORWARD_IP, /* fwd sockaddr */ + O_FORWARD_MAC, /* fwd mac */ + O_LAST_OPCODE /* not an opcode! */ +}; /* - * This union structure identifies an interface, either explicitly - * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME - * and IP_FW_F_OIFNAME say how to interpret this structure. An - * interface unit number of -1 matches any unit number, while an - * IP address of 0.0.0.0 indicates matches any interface. + * Template for instructions. + * + * ipfw_insn is used for all instructions which require no operands, + * a single 16-bit value (arg1), or a couple of 8-bit values. + * + * For other instructions which require different/larger arguments + * we have derived structures, ipfw_insn_*. + * + * The size of the instruction (in 32-bit words) is in the low + * 6 bits of "len". The 2 remaining bits are used to implement + * NOT and OR on individual instructions. Given a type, you can + * compute the length to be put in "len" using F_INSN_SIZE(t) + * + * F_NOT negates the match result of the instruction. + * + * F_OR is used to build or blocks. By default, instructions + * are evaluated as part of a logical AND. An "or" block + * { X or Y or Z } contains F_OR set in all but the last + * instruction of the block. A match will cause the code + * to skip past the last instruction of the block. + * + * NOTA BENE: in a couple of places we assume that + * sizeof(ipfw_insn) == sizeof(u_int32_t) + * this needs to be fixed. * - * The receive and transmit interfaces are only compared against the - * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE) - * is set. Note some packets lack a receive or transmit interface - * (in which case the missing "interface" never matches). */ +typedef struct _ipfw_insn { /* template for instructions */ + enum ipfw_opcodes opcode:8; + u_int8_t len; /* numer of 32-byte words */ +#define F_NOT 0x80 +#define F_OR 0x40 +#define F_LEN_MASK 0x3f +#define F_LEN(cmd) ((cmd)->len & F_LEN_MASK) -union ip_fw_if { - struct in_addr fu_via_ip; /* Specified by IP address */ - struct { /* Specified by interface name */ -#define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */ - char name[FW_IFNLEN]; - short unit; /* -1 means match any unit */ - } fu_via_if; -}; + u_int16_t arg1; +} ipfw_insn; + +/* + * The F_INSN_SIZE(type) computes the size, in 4-byte words, of + * a given type. + */ +#define F_INSN_SIZE(t) ((sizeof (t))/sizeof(u_int32_t)) /* - * Format of an IP firewall descriptor - * - * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order. - * fw_flg and fw_n*p are stored in host byte order (of course). - * Port numbers are stored in HOST byte order. + * This is used to store an array of 16-bit entries (ports etc.) */ +typedef struct _ipfw_insn_u16 { + ipfw_insn o; + u_int16_t ports[2]; /* there may be more */ +} ipfw_insn_u16; /* - * To match MAC headers: - * 12 bytes at fw_mac_hdr contain the dst-src MAC address after masking. - * 12 bytes at fw_mac_mask contain the mask to apply to dst-src - * 2 bytes at fw_mac_type contain the mac type after mask (in net format) - * 2 bytes at fw_mac_type_mask contain the mac type mask - * If IP_FW_F_SRNG, the two contain the low-high of a range of types. - * IP_FW_F_DRNG is used to indicare we want to match a vlan. + * This is used to store an array of 32-bit entries + * (uid, single IPv4 addresses etc.) */ -#define fw_mac_hdr fw_src -#define fw_mac_mask fw_uar -#define fw_mac_type fw_iplen -#define fw_mac_mask_type fw_ipid +typedef struct _ipfw_insn_u32 { + ipfw_insn o; + u_int32_t d[1]; /* one or more */ +} ipfw_insn_u32; -struct ip_fw { - LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */ - u_int fw_flg; /* Operational Flags word */ - u_int64_t fw_pcnt; /* Packet counters */ - u_int64_t fw_bcnt; /* Byte counters */ +/* + * This is used to store IP addr-mask pairs. + */ +typedef struct _ipfw_insn_ip { + ipfw_insn o; + struct in_addr addr; + struct in_addr mask; +} ipfw_insn_ip; - struct in_addr fw_src; /* Source IP address */ - struct in_addr fw_dst; /* Destination IP address */ - struct in_addr fw_smsk; /* Mask for source IP address */ - struct in_addr fw_dmsk; /* Mask for destination address */ - u_short fw_number; /* Rule number */ - u_char fw_prot; /* IP protocol */ -#if 1 - u_char fw_nports; /* # of src/dst port in array */ -#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f) -#define IP_FW_SETNSRCP(rule, n) do { \ - (rule)->fw_nports &= ~0x0f; \ - (rule)->fw_nports |= (n); \ - } while (0) -#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4) -#define IP_FW_SETNDSTP(rule, n) do { \ - (rule)->fw_nports &= ~0xf0; \ - (rule)->fw_nports |= (n) << 4;\ - } while (0) -#define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0) -#else - u_char __pad[1]; - u_int _nsrcp; - u_int _ndstp; -#define IP_FW_GETNSRCP(rule) (rule)->_nsrcp -#define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n -#define IP_FW_GETNDSTP(rule) (rule)->_ndstp -#define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n -#define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0) -#endif -#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ - union { - u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */ -#define IP_FW_ICMPTYPES_MAX 128 -#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8)) - unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/ - } fw_uar; +/* + * This is used to forward to a given address (ip) + */ +typedef struct _ipfw_insn_sa { + ipfw_insn o; + struct sockaddr_in sa; +} ipfw_insn_sa; - u_int fw_ipflg; /* IP flags word */ - u_short fw_iplen; /* IP length */ - u_short fw_ipid; /* Identification */ - u_char fw_ipopt; /* IP options set */ - u_char fw_ipnopt; /* IP options unset */ - u_char fw_iptos; /* IP type of service set */ - u_char fw_ipntos; /* IP type of service unset */ - u_char fw_ipttl; /* IP time to live */ - u_int fw_ipver:4; /* IP version */ - u_char fw_tcpopt; /* TCP options set */ - u_char fw_tcpnopt; /* TCP options unset */ - u_char fw_tcpf; /* TCP flags set */ - u_char fw_tcpnf; /* TCP flags unset */ - u_short fw_tcpwin; /* TCP window size */ - u_int32_t fw_tcpseq; /* TCP sequence */ - u_int32_t fw_tcpack; /* TCP acknowledgement */ - long timestamp; /* timestamp (tv_sec) of last match */ - union ip_fw_if fw_in_if; /* Incoming interfaces */ - union ip_fw_if fw_out_if; /* Outgoing interfaces */ - union { - u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */ - u_short fu_pipe_nr; /* queue number (option DUMMYNET) */ - u_short fu_skipto_rule; /* SKIPTO command rule number */ - u_short fu_reject_code; /* REJECT response code */ - struct sockaddr_in fu_fwd_ip; - } fw_un; - void *pipe_ptr; /* flow_set ptr for dummynet pipe */ - void *next_rule_ptr; /* next rule in case of match */ - uid_t fw_uid; /* uid to match */ - gid_t fw_gid; /* gid to match */ - int fw_logamount; /* amount to log */ - u_int64_t fw_loghighest; /* highest number packet to log */ +/* + * This is used for MAC addr-mask pairs. + */ +typedef struct _ipfw_insn_mac { + ipfw_insn o; + u_char addr[12]; /* dst[6] + src[6] */ + u_char mask[12]; /* dst[6] + src[6] */ +} ipfw_insn_mac; - long dont_match_prob; /* 0x7fffffff means 1.0, always fail */ - u_char dyn_type; /* type for dynamic rule */ +/* + * This is used for interface match rules (recv xx, xmit xx) + */ +typedef struct _ipfw_insn_if { + ipfw_insn o; + union { + struct in_addr ip; + int unit; + } p; + char name[IFNAMSIZ]; +} ipfw_insn_if; -#define DYN_KEEP_STATE 0 /* type for keep-state rules */ -#define DYN_LIMIT 1 /* type for limit connection rules */ -#define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */ +/* + * This is used for pipe and queue actions, which need to store + * a single pointer (which can have different size on different + * architectures. + */ +typedef struct _ipfw_insn_pipe { + ipfw_insn o; + void *pipe_ptr; +} ipfw_insn_pipe; - /* following two fields are used to limit number of connections - * basing on either src, srcport, dst, dstport. - */ - u_char limit_mask; /* mask type for limit rule, can - * have many. - */ +/* + * This is used for limit rules. + */ +typedef struct _ipfw_insn_limit { + ipfw_insn o; + u_int8_t _pad; + u_int8_t limit_mask; /* combination of DYN_* below */ #define DYN_SRC_ADDR 0x1 #define DYN_SRC_PORT 0x2 #define DYN_DST_ADDR 0x4 #define DYN_DST_PORT 0x8 - u_short conn_limit; /* # of connections for limit rule */ -}; + u_int16_t conn_limit; +} ipfw_insn_limit; -#define fw_divert_port fw_un.fu_divert_port -#define fw_skipto_rule fw_un.fu_skipto_rule -#define fw_reject_code fw_un.fu_reject_code -#define fw_pipe_nr fw_un.fu_pipe_nr -#define fw_fwd_ip fw_un.fu_fwd_ip +/* + * This is used for log instructions + */ +typedef struct _ipfw_insn_log { + ipfw_insn o; + u_int32_t max_log; /* how many do we log -- 0 = all */ + u_int32_t log_left; /* how many left to log */ +} ipfw_insn_log; /* + * Here we have the structure representing an ipfw rule. + * + * It starts with a general area (with link fields and counters) + * followed by an array of one or more instructions, which the code + * accesses as an array of 32-bit values. + * + * Given a rule pointer r: + * + * r->cmd is the start of the first instruction. + * ACTION_PTR(r) is the start of the first action (things to do + * once a rule matched). + * + * When assembling instruction, remember the following: * - * rule_ptr -------------+ - * V - * [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]---> - * [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<--- - * [ body ] [ body ] [ body ] + * + if a rule has a "keep-state" (or "limit") option, then the + * first instruction (at r->cmd) MUST BE an O_PROBE_STATE + * + if a rule has a "log" option, then the first action + * (at ACTION_PTR(r)) MUST be O_LOG * + * NOTE: we use a simple linked list of rules because we never need + * to delete a rule without scanning the list. We do not use + * queue(3) macros for portability and readability. */ +struct ip_fw { + struct ip_fw *next; /* linked list of rules */ >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message