Date: Mon, 15 May 2017 21:25:31 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 219316] Wildcard matching of ipfw flow tables Message-ID: <bug-219316-8-xmn7crv8fp@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-219316-8@https.bugs.freebsd.org/bugzilla/> References: <bug-219316-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D219316
--- Comment #3 from lutz@donnerhacke.de ---
In order to process the new ipfw configuration-opcode, the kernel backend n= eeds to be changed, too. This backend patch does not defined any functionality besides parsing the options and checking if an optional algorithm specific function is available. Otherwise the call returns ENOTSUP.
Index: sys/netinet/ip_fw.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sys/netinet/ip_fw.h (revision 314807)
+++ sys/netinet/ip_fw.h (working copy)
@@ -110,6 +110,7 @@
 #define IP_FW_DUMP_SOPTCODES 116 /* Dump available sopts/versions */
 #define IP_FW_DUMP_SRVOBJECTS 117 /* Dump existing named obje= cts */
+#define IP_FW_TABLE_XSETMASK 118 /* set a generic input mask= */
 
 /*
  * The kernel representation of ipfw rules is made of a list of
  * 'instructions' (for all practical purposes equivalent to BPF
Index: sys/netpfil/ipfw/ip_fw_table.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sys/netpfil/ipfw/ip_fw_table.c (revision 314807)
+++ sys/netpfil/ipfw/ip_fw_table.c (working copy)
@@ -1143,6 +1143,78 @@
 }
 
 /*
+ * Set a generic input mask for a table
+ * Data layout (v0)(current):
+ * Request: [ ipfw_obj_header ipfw_obj_tentry ]
+ * Reply: [ ipfw_obj_header ipfw_obj_tentry ]
+ *
+ * Returns 0 on success
+ */
+static int
+set_table_mask(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
+ struct sockopt_data *sd)
+{
+ ipfw_obj_tentry *tent;
+ ipfw_obj_header *oh;
+ struct tid_info ti;
+ struct table_config *tc;
+ struct table_algo *ta;
+ struct table_info *kti;
+ struct namedobj_instance *ni;
+ int error;
+ size_t sz;
+
+ /* Check minimum header size */
+ sz =3D sizeof(*oh) + sizeof(*tent);
+ if (sd->valsize !=3D sz)
+ return (EINVAL);
+
+ oh =3D (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
+ tent =3D (ipfw_obj_tentry *)(oh + 1);
+
+ /* Basic length checks for TLVs */
+ if (oh->ntlv.head.length !=3D sizeof(oh->ntlv))
+ return (EINVAL);
+
+ objheader_to_ti(oh, &ti);
+ ti.type =3D oh->ntlv.type;
+ ti.uidx =3D tent->idx;
+
+ IPFW_UH_WLOCK(ch);
+ ni =3D CHAIN_TO_NI(ch);
+
+ /*
+ * Find existing table and check its type .
+ */
+ ta =3D NULL;
+ if ((tc =3D find_table(ni, &ti)) =3D=3D NULL) {
+ IPFW_UH_WUNLOCK(ch);
+ return (ESRCH);
+ }
+
+ /* check table type */
+ if (tc->no.subtype !=3D ti.type) {
+ IPFW_UH_WUNLOCK(ch);
+ return (EINVAL);
+ }
+
+ kti =3D KIDX_TO_TI(ch, tc->no.kidx);
+ ta =3D tc->ta;
+
+ if (ta->set_mask =3D=3D NULL) {
+ IPFW_UH_WUNLOCK(ch);
+ return (ENOTSUP);
+ }
+
+ IPFW_WLOCK(ch);
+ error =3D ta->set_mask(tc->astate, kti, tent);
+ IPFW_WUNLOCK(ch);
+ IPFW_UH_WUNLOCK(ch);
+
+ return (error);
+}
+
+/*
  * Flushes all entries or destroys given table.
  * Data layout (v0)(current):
  * Request: [ ipfw_obj_header ]
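Review bot: `ta->set_mask(tc->astate, kti, tent)` hands the algorithm the ipfw_obj_tentry exactly as it arrived in the sockopt buffer; the hunk validates `oh->ntlv.head.length` but never `tent->head.length`, so an entry TLV of the wrong size reaches algorithm code under IPFW_WLOCK unchecked. Add `if (tent->head.length != sizeof(*tent)) return (EINVAL);` beside the existing `oh->ntlv.head.length` check, before the locks are taken. The `ta_set_mask` typedef added in the ip_fw_table.h hunk should also carry a comment stating that implementations are called with both IPFW_UH_WLOCK and IPFW_WLOCK held and must validate the entry's fields themselves, since this caller does not. The comment `/* Check minimum header size */` describes an exact-size test; `/* Request must be exactly one header plus one entry */` says what the `!=` does, and `ta = NULL;` is a dead store because `ta` is assigned from `tc->ta` before any read.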
@@ -3258,6 +3330,7 @@
 { IP_FW_TABLE_XSWAP, 0, HDIR_SET, swap_table },
 { IP_FW_TABLES_ALIST, 0, HDIR_GET, list_table_algo },
 { IP_FW_TABLE_XGETSIZE, 0, HDIR_GET, get_table_size },
+ { IP_FW_TABLE_XSETMASK, 0, HDIR_SET, set_table_mask },
 };
 
 static int
Index: sys/netpfil/ipfw/ip_fw_table.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sys/netpfil/ipfw/ip_fw_table.h (revision 314807)
+++ sys/netpfil/ipfw/ip_fw_table.h (working copy)
@@ -108,6 +108,8 @@
 ipfw_obj_tentry *tent);
 typedef int ta_find_tentry(void *ta_state, struct table_info *ti,
 ipfw_obj_tentry *tent);
+typedef int ta_set_mask(void *ta_state, struct table_info *ti,
+ ipfw_obj_tentry *tent);
 typedef void ta_dump_tinfo(void *ta_state, struct table_info *ti,
 ipfw_ta_tinfo *tinfo);
 typedef uint32_t ta_get_count(void *ta_state, struct table_info *ti);
@@ -139,6 +141,7 @@
 ta_print_config *print_config;
 ta_dump_tinfo *dump_tinfo;
 ta_get_count *get_count;
+ ta_set_mask *set_mask;
 };
 #define TA_FLAG_DEFAULT 0x01 /* Algo is default for given type */
 #define TA_FLAG_READONLY 0x02 /* Algo does not support modifications*/
--=20
You are receiving this mail because:
You are the assignee for the bug.=