685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

fc727ad6 | 24-Apr-2023 | Boris Lytochkin <lytboris@gmail.com>
ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf, while regular tags require a single-linked list traversal.

Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number with an optional mask applied before comparison.

Having a generic nature, Mark can be used for a variety of needs. For example, it could be used as a security group: mark will hold a security group id and represent a group of packet flows that share the same access control policy.

Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month

e81fcbec | 16-Dec-2022 | Justin Hibbits <jhibbits@FreeBSD.org>
ipfw: Constify name argument for hash lookup

The name doesn't get modified, and it gets passed through to a hash function that accepts only a const pointer. Const it for correctness.

Sponsored by: Juniper Networks, Inc.

05b9737f | 17-Aug-2022 | Gleb Smirnoff <glebius@FreeBSD.org>
ipfw: make it possible to specify MTU for "unreach needfrag" action

Reviewed by: ae, pauamma
Differential revision: https://reviews.freebsd.org/D36140

d62830c5 | 21-Jul-2022 | Dimitry Andric <dim@FreeBSD.org>
Adjust ipfw_{init,destroy}_sopt_handler() definitions to avoid clang 15 warning

With clang 15, the following -Werror warnings are produced:

    sys/netpfil/ipfw/ip_fw_sockopt.c:3477:23: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    ipfw_init_sopt_handler()
                          ^
                           void
    sys/netpfil/ipfw/ip_fw_sockopt.c:3485:26: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    ipfw_destroy_sopt_handler()
                             ^
                              void

This is because ipfw_init_sopt_handler() and ipfw_destroy_sopt_handler() are declared with (void) argument lists, but defined with empty argument lists. Make the definitions match the declarations.

MFC after: 3 days

62030bb8 | 21-Jul-2022 | Dimitry Andric <dim@FreeBSD.org>
Adjust ipfw_{init,destroy}_*() definitions to avoid clang 15 warning

With clang 15, the following -Werror warnings are produced:

    sys/netpfil/ipfw/ip_fw_sockopt.c:187:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    ipfw_init_counters()
                      ^
                       void
    sys/netpfil/ipfw/ip_fw_sockopt.c:196:22: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    ipfw_destroy_counters()
                         ^
                          void
    sys/netpfil/ipfw/ip_fw_sockopt.c:3241:23: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    ipfw_init_obj_rewriter()
                          ^
                           void
    sys/netpfil/ipfw/ip_fw_sockopt.c:3249:26: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    ipfw_destroy_obj_rewriter()
                             ^
                              void

This is because ipfw_init_counters(), ipfw_destroy_counters(), ipfw_init_obj_rewriter(), and ipfw_destroy_obj_rewriter() are declared with (void) argument lists, but defined with empty argument lists. Make the definitions match the declarations.

MFC after: 3 days

81cac390 | 04-Jun-2022 | Arseny Smalyuk <smalukav@gmail.com>
ipfw: add support for radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using a new ipfw table with mac:radix type. Also src-mac and dst-mac lookup commands are added.

Usage example:

    ipfw table 1 create type mac
    ipfw table 1 add 11:22:33:44:55:66/48
    ipfw add skipto tablearg src-mac 'table(1)'
    ipfw add deny src-mac 'table(1, 100)'
    ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.

Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103

60a28b09 | 18-Dec-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipfw: plug set-but-not-used vars

Sponsored by: Rubicon Communications, LLC ("Netgate")

662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files

e758846c | 29-Jul-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_get_action() function to get the pointer to action opcode.

ACTION_PTR() returns a pointer to the start of the rule action section, but a rule can keep several rule modifiers like O_LOG, O_TAG and O_ALTQ, and only then the real action opcode is stored. ipfw_get_action() function inspects the rule action section, skips all modifiers and returns the action opcode. Use this function in ipfw_reset_eaction() and flush_nat_ptrs().

MFC after: 1 week
Sponsored by: Yandex LLC

978f2d17 | 21-Jun-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add "tcpmss" opcode to match the TCP MSS value.

With this opcode it is possible to match TCP packets with specified MSS option, whose value corresponds to the value configured in the opcode. It is allowed to specify a single value, a range of values, or an array of specific values or ranges. E.g.

    # ipfw add deny log tcp from any to any tcpmss 0-500

Reviewed by: melifaro,bcr
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC

f712b161 | 31-Jan-2019 | Gleb Smirnoff <glebius@FreeBSD.org>
Revert r316461: Remove "IPFW static rules" rmlock, and use pfil's global lock.

The pfil(9) system is about to be converted to epoch(9) synchronization, so we need [temporarily] go back with ipfw internal locking.

Discussed with: ae

d66f9c86 | 04-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ability to request listing and deleting only for dynamic states.

This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but after rules reloading some state must be deleted. Added new flag '-D' for such purpose. Retire '-e' flag, since there can not be expired states in the meaning that this flag historically had.

Also add "verbose" mode for listing of dynamic states; it can be enabled with '-v' flag and adds additional information to the states list. This can be useful for debugging.

Obtained from: Yandex LLC
MFC after: 2 months
Sponsored by: Yandex LLC

cefe3d67 | 04-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Reimplement how net.inet.ip.fw.dyn_keep_states works.

Turning on this feature allows keeping dynamic states when the parent rule is deleted. But it works only when the default rule is "allow from any to any". Now when a rule with a dynamic opcode is going to be deleted, and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference named objects corresponding to this rule, and also reference the rule. And when ipfw_dyn_lookup_state() finds a state for a deleted parent rule, it will return the pointer to the deleted rule, that is still valid. This implementation doesn't support O_LIMIT_PARENT rules.

The refcnt field was added to struct ip_fw to keep the reference; also a next pointer was added to be able to iterate rules and not damage the content when deleted rules are chained. Named objects are referenced only when states are going to be deleted, to be able to reuse kidx of named objects when new parent rules are installed.

ipfw_dyn_get_count() function was modified and now it also looks into dynamic states and constructs maps of existing named objects. This is needed to correctly export orphaned states into userland.

ipfw_free_rule() was changed to be global, since now a dynamic state can free a rule, when it is expired and the reference counter becomes 1.

External actions subsystem was also modified, since external actions can be deregistered and instances can be destroyed. In these cases deleted rules, that are referenced by orphaned states, must be modified to prevent access to freed memory. ipfw_dyn_reset_eaction() and ipfw_reset_eaction_instance() functions were added for these purposes.

Obtained from: Yandex LLC
MFC after: 2 months
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17532

5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147

0a2c13d3 | 12-Jul-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Use correct size when we are allocating array for skipto index.

Also, there is no need to use M_ZERO for idxmap_back. It will be re-filled just after allocation in update_skipto_cache().

PR: 229665
MFC after: 1 week

f7c4fdee | 09-Jul-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add "record-state", "set-limit" and "defer-action" rule options to ipfw.

"record-state" is similar to "keep-state", but it doesn't produce implicit O_PROBE_STATE opcode in a rule.

"set-limit" is like "limit", but it has the same feature as "record-state": it is a single opcode without implicit O_PROBE_STATE opcode.

"defer-action" is targeted to be used with dynamic states. When a rule with this opcode is matched, the rule's action will not be executed; instead a dynamic state will be created. And when this state is matched by "check-state", then the rule action will be executed. This allows creating more complicated rulesets.

Submitted by: lev
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D1776

4e180881 | 08-Jun-2018 | Mateusz Guzik <mjg@FreeBSD.org>
uma: implement provisional api for per-cpu zones

Per-cpu zone allocations are very rarely done compared to regular zones. The intent is to avoid pessimizing the latter case with per-cpu specific code.

In particular, contrary to the claim in r334824, M_ZERO is sometimes being used for such zones. But the zeroing method is completely different and branching on it in the fast path for regular zones is a waste of time.

b99a6823 | 07-Feb-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework ipfw dynamic states implementation to be lockless on fast path.

o added struct ipfw_dyn_info that keeps all information needed for ipfw_chk and for dynamic states implementation;
o added DYN_LOOKUP_NEEDED() macro that can be used to determine the need of new lookup of dynamic states;
o ipfw_dyn_rule now becomes obsolete. Currently it is used to pass information from kernel to userland only.
o IPv4 and IPv6 states are now described by different structures dyn_ipv4_state and dyn_ipv6_state;
o IPv6 scope zones support is added;
o ipfw(4) now depends on Concurrency Kit;
o states are linked with "entry" field using CK_SLIST. This allows lockless lookup and modifications protected by mutex.
o the "expired" SLIST field is used for states expiring.
o struct dyn_data is used to keep generic information for both IPv4 and IPv6;
o struct dyn_parent is used to keep O_LIMIT_PARENT information;
o IPv4 and IPv6 states are stored in different hash tables;
o O_LIMIT_PARENT states are now kept separately from O_LIMIT and O_KEEP_STATE states;
o per-cpu dyn_hp pointers are used to implement hazard pointers and they prevent freeing states that are locklessly used by lookup threads;
o mutexes to protect modification of lists in hash tables are now kept in separate arrays. The 65535 limit on the maximum number of hash buckets is now removed.
o Separate lookup and install functions added for IPv4 and IPv6 states and for parent states.
o By default the Jenkins hash function is now used.

Obtained from: Yandex LLC
MFC after: 42 days
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D12685

d821d364 | 21-Jan-2018 | Pedro F. Giffuni <pfg@FreeBSD.org>
Unsign some values related to allocation.

When allocating memory through malloc(9), we always expect the amount of memory requested to be unsigned as a negative value would either stand for an error or an overflow.

Unsign some values, found when considering the use of mallocarray(9), to avoid unnecessary casting. Also consider that indexes should be of at least the same size/type as the upper limit they pretend to index.

MFC after: 3 weeks

fe267a55 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.

288bf455 | 22-Nov-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework rule ranges matching.

Use comparison of rule id with UINT32_MAX to match all rules with the same rule number.

Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC

7143bb76 | 21-Nov-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_add_protected_rule() function that creates a rule with number 65535 in the reserved set 31. Use this function to create the default rule.

Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC

88d950a6 | 03-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove "IPFW static rules" rmlock.

Make PFIL's lock global and use it for this purpose. This reduces the number of locks needed to acquire for each packet.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
No objection from: #network
Differential Revision: https://reviews.freebsd.org/D10154

11c56650 | 02-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add O_EXTERNAL_DATA opcode support.

This opcode can be used to attach some data to external action opcode. And unlike the O_EXTERNAL_INSTANCE opcode, this opcode does not require creating a named instance to pass configuration arguments to the external action handler. The data is coming just next to O_EXTERNAL_ACTION opcode. The userlevel part currently supports formatting for opcode with ipfw_insn size; by default it expects a u16 numeric value in arg1.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

54e5669d | 05-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add IPv6 support to O_IP_DST_LOOKUP opcode.

o check the size of O_IP_SRC_LOOKUP opcode, it can not exceed the size of ipfw_insn_u32;
o rename ipfw_lookup_table_extended() function into ipfw_lookup_table() and remove old ipfw_lookup_table();
o use args->f_id.flow_id6 that is in host byte order to get DSCP value;
o add SCTP ports support to 'lookup src/dst-port' opcode;
o add IPv6 support to 'lookup src/dst-ip' opcode.

PR: 217292
Reviewed by: melifaro
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9873

c750a569 | 05-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Reject invalid object types that can not be used with specific opcodes.

When we are doing reference counting of named objects in the new rule, for existing objects check that the opcode references the correct object, otherwise return EINVAL.

PR: 217391
MFC after: 1 week
Sponsored by: Yandex LLC

e099b90b | 21-Feb-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: Replace zero with NULL for pointers.

Found with: devel/coccinelle
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D9694

e7560c83 | 15-Aug-2016 | Oleg Bulyzhin <oleg@FreeBSD.org>
Fix command: ipfw set (enable|disable) N (where N > 4). enable_sets() expects set bitmasks, not set numbers.

MFC after: 3 days

d6eb9b02 | 11-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Restore "nat global" support.

Now a zero value of arg1 is used to specify "tablearg"; use the old "tablearg" value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace the hardcoded magic number used to specify "nat global". Also replace the 65535 magic number with the corresponding macro. Fix typo in comments.

PR: 211256
Tested by: Victor Chernov
MFC after: 3 days

584b675e | 27-Jul-2016 | Konstantin Belousov <kib@FreeBSD.org>
Hide the boottime and boottimebin globals, provide the getboottime(9) and getboottimebin(9) KPI. Change consumers of boottime to use the KPI. The variables were renamed to avoid shadowing issues with local variables of the same name.

Issue is that boottime* should be adjusted from tc_windup(), which requires them to be members of the timehands structure. As a preparation, this commit only introduces the interface.

Some uses of boottime were found doubtful, e.g. NLM uses boottime to identify the system boot instance. Arguably the identity should not change on the leap second adjustment, but the commit is about the timekeeping code and the consumers were kept bug-to-bug compatible.

Tested by: pho (as part of the bigger patch)
Reviewed by: jhb (same)
Discussed with: bde
Sponsored by: The FreeBSD Foundation
MFC after: 1 month
X-Differential revision: https://reviews.freebsd.org/D7302

ed22e564 | 18-Jul-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add named dynamic states support to ipfw(4).

The keep-state, limit and check-state now have an additional argument, flowname. This flowname will be assigned to a dynamic rule by the keep-state or limit opcode. It can then be matched by the check-state opcode or the O_PROBE_STATE internal opcode.

To reduce possible breakage and to maximize compatibility with old rulesets a default flowname is introduced. It will be assigned to the rules when the user has omitted the state name in keep-state and check-state opcodes. Also if the name is ambiguous (can be evaluated as a rule opcode) it will be replaced with the default.

Reviewed by: julian
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6674

2685841b | 17-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Make named objects set-aware.

Now it is possible to create named objects with the same name in different sets. Add optional manage_sets() callback to objects rewriting framework. It is intended to implement handler for moving and swapping named object's sets. Add ipfw_obj_manage_sets() function that implements generic sets handler. Use new callback to implement sets support for lookup tables. External actions objects are global and they don't support sets. Modify eaction_findbyname() to reflect this. ipfw(8) now may fail to move rules or sets, because some named objects in target set may have conflicting names.

Note that ipfw_obj_ntlv type was changed, but since lookup tables actually didn't support sets, this change is harmless.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

9f2e5ed3 | 11-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix memory leak possible in error case. Use free_rule() instead of free(), it will also release memory allocated for rule counters.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

b309f085 | 05-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Change the type of objhash_cb_t callback function to be able to return an error code. Use it to interrupt the loop in ipfw_objhash_foreach().

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

2df1a11f | 05-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Rename find_name_tlv_type() to ipfw_find_name_tlv_type() and make it global. Use it in ip_fw_table.c instead of find_name_tlv() to reduce duplicated code.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

a4641f4e | 03-May-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys/net*: minor spelling fixes. No functional change.

9a5be809 | 27-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Make create_object callback optional and return EOPNOTSUPP when it isn't defined. Remove eaction_create_compat() and use designated initializers to initialize eaction_opcodes structure.

Obtained from: Yandex LLC

7a6ab8f1 | 14-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
netpfil: for pointers replace 0 with NULL.

These are mostly cosmetic, no functional change. Found with devel/coccinelle.

Reviewed by: ae

2acdf79f | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add External Actions KPI to ipfw(9).

It allows implementing loadable kernel modules with new actions and without needing to modify kernel headers and ipfw(8). The module registers its action handler and keyword string, that will be used as action name. Using generic syntax the user can add rules with this action. Also ipfw(8) can be easily modified to extend basic syntax for external actions that become a part of the base system. Sample modules will be coming soon.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

4bd91656 | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Change the type of 'etlv' field in struct named_object to uint16_t. It should match with the type field in struct ipfw_obj_tlv.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

f8e26ca3 | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Adjust some comments and make ref_opcode_object() static.

b2df1f7e | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
o Teach opcode rewriting framework to handle several rewriters for the same opcode.
o Reduce number of times classifier callback is called. It is redundant to call it just after find_op_rw(), since the latter does call it already and can have all results.
o Do opcode rewrite immediately in ref_opcode_object(). This eliminates additional classifier lookup later on bulk update. For unresolved opcodes the behavior is still the same: we save information from classifier callback in the obj_idx array, then perform automatic objects creation, then perform rewriting for opcodes using indices from created objects.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

f976a4ed | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Move several functions related to opcode rewriting framework from ip_fw_table.c into ip_fw_sockopt.c and make them static.

Obtained from: Yandex LLC

74b8d63d | 10-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
Cleanup unnecessary semicolons from the kernel.

Found with devel/coccinelle.

cd82d21b | 18-Feb-2016 | Gleb Smirnoff <glebius@FreeBSD.org>
Fix obvious typo, that led to incorrect sorting.

Found by: PVS-Studio

1cf09efe | 23-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Add destroy_object callback to object rewriting framework.

It is called when the last reference to a named object is going to be released and allows doing additional cleanup for implementation of named objects.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

b554a278 | 07-Nov-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix setfib target.

Problem was introduced in r272840 when converting tablearg value to 0.

Submitted by: Denis Schneider <v1ne2go at gmail>

748c9559 | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Eliminate any conditional increments of object_opcodes in the check_ipfw_rule_body() function.

This function is intended to just determine that the rule has some opcodes that can be rewritten. Then the ref_rule_objects() function will determine the real number of rewritten opcodes using the classify callback.

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

f81431cc | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_check_object_name_generic() function to do basic checks for an object name correctness. Each type of object can do more strict checking in own implementation. Do such checks for tables in check_table_name().

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

5dc5a0e0 | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Implement `ipfw internal olist` command to list named objects.

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

c6fb65b1 | 02-Oct-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Bump number of prefixes in O_IP_<SRC|DST> from 15 to 31 (max possible).

PR: 203459
Submitted by: groos at xiplink.com
MFC after: 2 weeks

62f42cf8 | 19-May-2015 | Luigi Rizzo <luigi@FreeBSD.org>
use proper types to represent function pointers

e9484895 | 28-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix panic introduced by r282070. Arm friendly KASSERT() to ease debug of similar crashes.

Submitted by: Olivier Cochard-Labbé

a1bddc75 | 27-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix 'may be used uninitialized' warning not caught by clang.

74b22066 | 27-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Make rule table kernel-index rewriting support any kind of objects.

Currently we have tables identified by their names in userland with internal kernel-assigned indices. This works the following way:

When userland wishes to communicate with kernel to add or change rule(s), it makes an indexed sorted array of table names (internally ipfw_obj_ntlv entries), and refers to indices in that array in rule manipulation. Prior to committing the new rule to the ruleset the kernel a) finds all referenced tables, bumps their refcounts and changes values inside the opcodes to be real kernel indices; b) auto-creates all referenced but not existing tables and then does a) for them.

Kernel does almost the same when exporting rules to userland: prepares array of used tables in all rules in range, and prepends it before the actual ruleset retaining actual in-kernel indexes for that.

There is also a special translation layer for legacy clients which is able to provide 'real' indices for table names (basically doing atoi()).

While it is arguable that every subsystem really needs names instead of numbers, there are several things that should be noted:
1) every non-singleton subsystem needs to store its runtime state somewhere inside ipfw chain (and be able to get it fast)
2) we can't assume object numbers provided by humans will be dense. Existing nat implementation (O(n) access and LIST inside chain) is a good example.

Hence the following:
* Convert table-centric rewrite code to be more generic, callback-based
* Move most of the code from ip_fw_table.c to ip_fw_sockopt.c
* Provide abstract API to permit subsystems to convert their objects between userland string identifier and in-kernel index. (See struct opcode_obj_rewrite for more details)
* Create another per-chain index (in next commit) shared among all subsystems
* Convert current NAT44 implementation to use new API, O(1) lookups, shared index and names instead of numbers (in next commit).

Sponsored by: Yandex LLC

03be41e6 | 21-Oct-2014 | Luigi Rizzo <luigi@FreeBSD.org>
remove/fix old code for building ipfw and dummynet in userspace

54b38fcf | 20-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Use copyout() directly instead of updating various fields before/after each sooptcopyout() call.

Found by: luigi
Sponsored by: Yandex LLC

0d90989b | 18-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Use IPFW_RULE_CNTR_SIZE macro instead of non-relevant ip_fw_cntr structure.

Found by: luigi

2930362f | 13-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix matching default rule on clear/show commands.

Found by: Oleg Ginzburg

5f8ad2bd | 10-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix KASSERT argument type.

ce575f53 | 08-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Wire large user buffer before processing GET request.
* Fix incorrect size calculation for IP_FW_XGET request.

be8bc457 | 08-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Add IP_FW_DUMP_SOPTCODES sopt to be able to determine which opcodes are currently available in kernel.

e530ca73 | 04-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Please GCC by specifying proper cast.

e3cadfdb | 03-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Bump max rule size to 512 opcodes.

ccba94b8 | 04-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Switch ipfw to use rmlock for runtime locking.

be3cc1b5 | 04-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Bump max rule size to 512 opcodes.

1a33e799 | 05-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Change copyrights to the proper one.

6b988f3a | 05-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Use modular opcode handling inside ipfw_ctl3() instead of static switch.
* Provide hints for subsystem initializers if they are called for the first/last time.
* Convert every IP_FW3 opcode user to use new sopt API.

e822d936 | 03-Sep-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Be consistent and use the same arguments for ctl3 opcodes. Move legacy IP_FW_TABLE_XGETSIZE handling to a separate function.

0cba2b28 | 31-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Add support for multi-field values inside ipfw tables.

This is the last major change in given branch.

Kernel changes:
* Use 64-bytes structures to hold multi-value variables.
* Use shared array to hold values from all tables (assume each table algo is capable of holding 32-byte variables).
* Add some placeholders to support per-table value arrays in future.
* Use simple eventhandler-style API to ease the process of adding new table items. Currently table addition may require multiple UH drops/acquires which is quite tricky due to atomic table modification/swap support, shared array resize, etc. Deal with it by calling special notifier capable of rolling back state before actually performing swap/resize operations. Original operation then restarts itself after acquiring UH lock.
* Bump all objhash users default values to at least 64
* Fix custom hashing inside objhash.

Userland changes:
* Add support for dumping shared value array via "vlist" internal cmd.
* Some small print/fill_flags fixes to support u32 values.
* valtype is now bitmask of <skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>. New values can hold distinct values for each of these types.
* Provide special "legacy" type which assumes all values are the same.
* More helpers/docs following..

Some examples:

    3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
    3:41 [1] zfscurr0# ipfw table mimimi info
    +++ table(mimimi), set(0) +++
     kindex: 2, type: addr
     references: 0, valtype: skipto,limit,ipv4,ipv6
     algorithm: addr:radix
     items: 0, size: 296
    3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
    added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
    3:42 [1] zfscurr0# ipfw table mimimi list
    +++ table(mimimi), set(0) +++
    10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1

13263632 | 30-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Make objhash api a bit more abstract by providing ability to specify own hash/compare functions.
* Add requirement for table algorithms to copy "value" field in @add callback instead of "prepare_add".
* Document existing requirement for table algorithms to store value of deleted record to @tei.

e86bb35d | 23-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Whitespace/style changes merged from projects/ipfw.

18ad4197 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Fix displaying dynamic rules for large rulesets.
* Clean up some comments.

c8d5d308 | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Clarify ipfw_swap_table operations
* Ensure <add|del>_table_entry handle ta change properly.

e5eec6dd | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Rename ipfw_[un]bind_table_rule to ipfw_[un]ref_rule_tables * Update their descriptions.
|
#
1940fa77 |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Change tablearg value to be 0 (try #2).
Most of the tablearg-supported opcodes do not accept 0 as valid value: O_TAG, O_TAGGED, O_PIPE, O_QUEUE, O_DIVERT, O_TEE, O_SKIPTO, O_CALLRET, O_NETGRAPH, O_NGTEE, O_NAT treat 0 as invalid input. The rest are O_SETDSCP and O_SETFIB. 'Fix' them by adding high-order bit (0x8000) set for non-tablearg values. Do translation in kernel for old clients (import_rule0 / export_rule0), teach current ipfw(8) binary to add/remove given bit.
This change does not affect handling SETDSCP values, but limits O_SETFIB values to 32767 instead of 65k. Since currently we have either old (16) or new (2^32) max fibs, this should not be a big deal: we're definitely OK for the former and have to add another opcode to deal with the latter, regardless of tablearg value.
|
#
56f43a5e |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Do not use index 0 for tables.
|
#
3a845e10 |
|
11-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add support for batched add/delete for ipfw tables
* Add support for atomic batches add (all or none).
* Fix panic on deleting non-existing entry in radix algo.
Examples:
# si is empty
# ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
added: 1.1.1.1/32 1111
added: 2.2.2.2/32 2222
# ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
exists: 2.2.2.2/32 2200
added: 4.4.4.4/32 4444
ipfw: Adding record failed: record already exists
^^^^^ Returns error but keeps inserted items
# ipfw table si list
+++ table(si), set(0) +++
1.1.1.1/32 1111
2.2.2.2/32 2222
4.4.4.4/32 4444
# ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
added(reverted): 3.3.3.3/32 3333
exists: 4.4.4.4/32 4400
ignored: 5.5.5.5/32 5555
ipfw: Adding record failed: record already exists
^^^^^ Returns error and reverts added records
# ipfw table si list
+++ table(si), set(0) +++
1.1.1.1/32 1111
2.2.2.2/32 2222
4.4.4.4/32 4444
|
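The batched and atomic add semantics quoted in the commit above (plain batch keeps what it managed to insert and still reports an error; atomic batch rolls back and marks the rest "ignored") modelled as a small Python simulation. This is an added example, not ipfw's kernel code; the function names `batch_add` and `format_results` and the dict-backed table are this example's own, and the session it replays is the one from the commit message.

```python
"""Model of ipfw's batched vs. atomic table add (constructed example,
not the kernel implementation). A table is a plain dict keyed by the
entry's prefix string."""

EEXIST = "record already exists"


def batch_add(table, entries, atomic=False):
    """Insert (key, value) pairs into `table` in order.

    Non-atomic (default): every entry is tried; an existing key is reported
    as "exists" and the batch goes on, but the call still returns an error.
    Entries inserted before or after the failure are kept.

    Atomic: the first failure stops the batch, entries inserted earlier in
    this batch are rolled back and reported as "added(reverted)", and the
    entries after the failure are never attempted ("ignored").

    Returns (results, error): results is a list of (status, key, value) in
    input order, error is None or an error string.
    """
    results = []
    inserted = []  # keys this batch added, kept for rollback
    error = None
    for i, (key, value) in enumerate(entries):
        if key in table:
            results.append(("exists", key, value))
            error = EEXIST
            if atomic:
                # Undo everything this batch inserted so far.
                for k in inserted:
                    del table[k]
                results = [("added(reverted)", k, v) if s == "added" else (s, k, v)
                           for (s, k, v) in results]
                results.extend(("ignored", k, v) for k, v in entries[i + 1:])
                break
            continue
        table[key] = value
        inserted.append(key)
        results.append(("added", key, value))
    return results, error


def format_results(results, error):
    """Render results in the style of the ipfw(8) output quoted above."""
    lines = [f"{status}: {key} {value}" for status, key, value in results]
    if error is not None:
        lines.append(f"ipfw: Adding record failed: {error}")
    return "\n".join(lines)


def demo():
    """Replay the commit message's session; returns the final table."""
    si = {}
    batch_add(si, [("1.1.1.1/32", 1111), ("2.2.2.2/32", 2222)])
    r, e = batch_add(si, [("2.2.2.2/32", 2200), ("4.4.4.4/32", 4444)])
    print(format_results(r, e))
    r, e = batch_add(si, [("3.3.3.3/32", 3333), ("4.4.4.4/32", 4400),
                          ("5.5.5.5/32", 5555)], atomic=True)
    print(format_results(r, e))
    return si


if __name__ == "__main__":
    print(demo())
```

The point of the atomic variant for a ruleset loader is that a partially applied batch never becomes visible: either all prefixes land in the table or the table is exactly as it was before the call.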
#
030b184f |
|
09-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Use two 32-bit fields inside rule instead of two pointers to save skipto state.
* Introduce ipfw_reap_add() to unify unlinking rules/adding them to reap queue
* Unbreak FreeBSD7 export format.
|
#
8bd19212 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Partially revert previous commit: "0" value is perfectly valid for O_SETFIB and O_SETDSCP, so tablearg remains to be 655535 for now.
|
#
2c452b20 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Switch tablearg value from 65535 to 0.
* Use u16 table kidx instead of integer for iface opcode.
* Provide compatibility layer for old clients.
|
#
adf3b2b9 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add IP_FW_TABLE_XMODIFY opcode
* Since there seems to be a lack of consensus on strict value typing, remove non-default value types. Use userland-only "value format type" to print values.
Kernel changes:
* Add IP_FW_XMODIFY to permit table run-time modifications. Currently we support changing limit and value format type.
Userland changes:
* Support IP_FW_XMODIFY opcode.
* Support specifying value format type (ftype) in table create/modify req
* Fine-print value type/value format type.
|
#
28ea4fa3 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Remove IP_FW_TABLES_XGETSIZE opcode. It is superseded by IP_FW_TABLES_XLIST.
|
#
91e721d7 |
|
07-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Since all of base IP_FW opcodes have been converted to IP_FW3, switch default sopt handler to ipfw_clt3. Add some comments for ipfw_get_sopt* api.
|
#
a73d728d |
|
07-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Kernel changes:
* Implement proper checks for switching between global and set-aware tables
* Split IP_FW_DEL mess into the following opcodes:
  * IP_FW_XDEL (del rules matching pattern)
  * IP_FW_XMOVE (move rules matching pattern to another set)
  * IP_FW_SET_SWAP (swap between 2 sets)
  * IP_FW_SET_MOVE (move one set to another one)
  * IP_FW_SET_ENABLE (enable/disable sets)
* Add IP_FW_XZERO / IP_FW_XRESETLOG to finish IP_FW3 migration.
* Use unified ipfw_range_tlv as range description for all of the above.
* Check dynamic states IFF there was non-zero number of deleted dyn rules,
* Del relevant dynamic states with single traversal instead of per-rule one.
Userland changes:
* Switch ipfw(8) to use new opcodes.
|
#
46d52008 |
|
03-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Implement atomic ipfw table swap.
Kernel changes:
* Add opcode IP_FW_TABLE_XSWAP
* Add support for swapping 2 tables with the same type/ftype/vtype.
* Make skipto cache init after ipfw locks init.
Userland changes:
* Add "table X swap Y" command.
|
#
d5eb80cb |
|
03-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Implement O(1) skipto using indexed array. This adds 512K (2 * sizeof(u32) * 65k) bytes to the memory footprint. This feature is optional and may be turned on at any time (however it starts immediately in this commit. This will be changed.)
|
#
b6ee846e |
|
02-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Fix case when returning more than 4096 bytes of data
* Use different approach to ensure algo has enough space to store N elements:
- explicitly ask algo (under UH_WLOCK) before/after insertion. This (along with existing reallocation callbacks) really guarantees us that it is safe to insert N elements at once while holding UH_WLOCK+WLOCK.
- remove old aflags/flags approach
|
#
914bffb6 |
|
31-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new "flow" table type to support N=1..5-tuple lookups * Add "flow:hash" algorithm Kernel changes: * Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups * Add IPFW_TABLE_FLOW table type * Add "struct tflow_entry" as strage for 6-tuple flows * Add "flow:hash" algorithm. Basically it is auto-growing chained hash table. Additionally, we store mask of fields we need to compare in each instance/ * Increase ipfw_obj_tentry size by adding struct tflow_entry * Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info * Increase algoname length: 32 -> 64 (algo options passed there as string) * Assume every table type can be customized by flags, use u8 to store "tflags" field. * Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback. * Fix bug in cidr:chash resize procedure. Userland changes: * add "flow table(NAME)" syntax to support n-tuple checking tables. * make fill_flags() separate function to ease working with _s_x arrays * change "table info" output to reflect longer "type" fields Syntax: ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash] Examples: 0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash 0:02 [2] zfscurr0# ipfw table fl2 info +++ table(fl2), set(0) +++ kindex: 0, type: flow:src-ip,proto,dst-port valtype: number, references: 0 algorithm: flow:hash items: 0, size: 280 0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000 0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000 0:02 [2] zfscurr0# ipfw table fl2 list +++ table(fl2), set(0) +++ 2a02:6b8::333,6,443 45000 10.0.0.92,6,80 22000 0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)' 00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2) 0:03 [2] zfscurr0# ipfw show 00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2) 65535 617 59416 allow ip from any to any 0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 
80 Trying 78.46.89.105... .. 0:04 [2] zfscurr0# ipfw show 00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2) 65535 682 66733 allow ip from any to any
|
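How a "flow" table with a field mask keys its entries, as an added Python model of the behaviour described in the commit above (the table remembers which of the five tuple fields it compares, and a lookup extracts only those fields from the packet). This is not ipfw's kernel code; `FlowTable`, `PROTO_NUMBERS` and the dict-shaped packet are this example's own names, and the entries are the ones from the quoted session.

```python
"""Model of ipfw's flow table type with a per-table field mask
(constructed example, not the kernel's flow:hash implementation)."""

import ipaddress

# Field order follows the syntax in the commit:
# flow:[src-ip][,proto][,src-port][,dst-ip][,dst-port]
FLOW_FIELDS = ("src-ip", "proto", "src-port", "dst-ip", "dst-port")
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}  # small constructed map


def _norm(field, raw):
    """Canonicalise one field the way the quoted 'list' output does:
    protocol names become numbers, addresses get compressed text form,
    ports become ints. Returns None for an unknown protocol name."""
    if field in ("src-ip", "dst-ip"):
        return str(ipaddress.ip_address(raw))
    if field == "proto":
        s = str(raw).lower()
        return int(s) if s.isdigit() else PROTO_NUMBERS.get(s)
    return int(raw)


class FlowTable:
    def __init__(self, typespec):
        # typespec looks like "flow:src-ip,proto,dst-port"
        kind, _, fields = typespec.partition(":")
        if kind != "flow":
            raise ValueError("not a flow table type")
        wanted = set(fields.split(","))
        # Keep canonical field order regardless of the order given.
        self.fields = tuple(f for f in FLOW_FIELDS if f in wanted)
        if not self.fields or wanted - set(FLOW_FIELDS):
            raise ValueError(f"bad flow field spec: {fields}")
        self._entries = {}

    def _key(self, values):
        """Build the hash key from only the fields this table masks in."""
        key = []
        for f in self.fields:
            v = _norm(f, values[f])
            if v is None:
                raise ValueError(f"unknown value for {f}: {values[f]}")
            key.append(v)
        return tuple(key)

    def add(self, spec, value):
        """spec is the comma-separated form used by 'ipfw table X add'."""
        parts = spec.split(",")
        if len(parts) != len(self.fields):
            raise ValueError("field count does not match table type")
        self._entries[self._key(dict(zip(self.fields, parts)))] = value

    def lookup(self, packet):
        """packet maps field names to values; fields outside the table's
        mask are ignored. Returns the entry value or None."""
        return self._entries.get(self._key(packet))

    def list(self):
        """Entries in the 'ipfw table X list' style, sorted for stable output."""
        return sorted(",".join(str(v) for v in k) + f" {val}"
                      for k, val in self._entries.items())


if __name__ == "__main__":
    fl2 = FlowTable("flow:src-ip,proto,dst-port")
    fl2.add("2a02:6b8::333,tcp,443", 45000)
    fl2.add("10.0.0.92,tcp,80", 22000)
    print("\n".join(fl2.list()))
```

Because the key is built from the masked fields only, a packet from 10.0.0.92 to any destination on TCP port 80 matches the second entry, while the source port and destination address play no part; that is the property that lets one entry cover a whole class of flows.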
#
b429d43c |
|
29-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Introduce ipfw_ctl3() handler and move all IP_FW3 opcodes there. The long-term goal is to switch remaining opcodes to IP_FW3 versions and use ipfw_ctl3() as default handler simplifying ipfw(4) interaction with external world.
|
#
9d099b4f |
|
29-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Dump available table algorithms via "ipfw talist" cmd.
Kernel changes:
* Add type/refcount fields to table algo instances.
* Add IP_FW_TABLES_ALIST opcode to export available algorithms to userland.
Userland changes:
* Fix cores on empty input inside "ipfw table" handler.
* Add "ipfw talist" cmd to print available kernel algorithms.
* Change "table info" output to reflect long algorithm config lines.
|
#
68394ec8 |
|
28-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add generic ipfw interface tracking API
* Rewrite interface tables to use interface indexes
Kernel changes:
* Add generic interface tracking API:
- ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref)
- ipfw_iface_add_ntfy (UH_WLOCK+WLOCK, links consumer & runs its callback to update ifindex)
- ipfw_iface_del_ntfy (UH_WLOCK+WLOCK, unlinks consumer)
- ipfw_iface_unref (unlocked, drops reference)
Additionally, consumer callbacks are called on interface withdrawal/departure.
* Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way: runtime data is stored as sorted array of {ifidx, val} for existing interfaces; full data is stored inside namedobj instance (chained hashed table).
* Add IP_FW_XIFLIST opcode to dump status of tracked interfaces
* Pass @chain ptr to most non-locked algorithm callbacks (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of given algorithm and other ipfw subsystems
* Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize)
* Fix small bug in ipfw_list_tables()
* Add badd (insert into sorted array) and bdel (remove from sorted array) funcs
Userland changes:
* Add "iflist" cmd to print status of currently tracked interfaces
* Add stringnum_cmp for better interface/table names sorting
|
#
db785d31 |
|
26-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Require explicit table creation before use on kernel side.
* Add resize callbacks for upcoming table-based algorithms.
Kernel changes:
* s/ipfw_modify_table/ipfw_manage_table_ent/
* Simplify add_table_entry(): make table creation a separate piece of code. Do not perform creation if not in "compat" mode.
* Add ability to perform modification of algorithm state (like table resize). The following callbacks were added:
- prepare_mod (allocate new state, without locks)
- fill_mod (UH_WLOCK, copy old state to new one)
- modify (UH_WLOCK + WLOCK, switch state)
- flush_mod (no locks, flushes allocated data)
Given callbacks are called if table modification has been requested by add or delete callbacks. Additional u64 tc->'flags' field was added to pass these requests.
* Change add/del table ent format: permit adding/removing multiple entries at once (only 1 supported at the moment).
Userland changes:
* Auto-create tables with warning
|
#
7e767c79 |
|
08-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Use different rule structures in kernel/userland.
* Switch kernel to use per-cpu counters for rules.
* Keep ABI/API.
Kernel changes:
* Each rule is now exported as TLV with optional extendable counter block (ip_fw_bcounter for base one) and ip_fw_rule for rule&cmd data.
* Counters need to be explicitly requested by IPFW_CFG_GET_COUNTERS flag.
* Separate counters from rules in kernel and clean up ip_fw a bit.
* Pack each rule in IPFW_TLV_RULE_ENT tlv to ease parsing.
* Introduce versioning in container TLV (may be needed in future).
* Fix ipfw_cfg_lheader broken u64 alignment.
Userland changes:
* Use set_mask from cfg header when requesting config
* Fix incorrect read accounting in ipfw_show_config()
* Use IPFW_RULE_NOOPT flag instead of playing with _pad
* Fix "ipfw -d list": do not print counters for dynamic states
* Some small fixes
|
#
6447bae6 |
|
06-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Prepare to pass other dynamic states via ipfw_dump_config()
Kernel changes:
* Change dump format for dynamic states: each state is now stored inside ipfw_obj_dyntlv; last dynamic state is indicated by IPFW_DF_LAST flag
* Do not perform sooptcopyout() for !SOPT_GET requests.
Userland changes:
* Introduce foreach_state() function handler to ease work with different states passed by ipfw_dump_config().
|
#
81d3153d |
|
06-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add "lookup" table functionality to permit userland entry lookups. * Bump table dump format preserving old ABI. Kernel size: * Add IP_FW_TABLE_XFIND to handle "lookup" request from userland. * Add ta_find_tentry() algorithm callbacks/handlers to support lookups. * Fully switch to ipfw_obj_tentry for various table dumps: algorithms are now required to support the latest (ipfw_obj_tentry) entry dump format, the rest is handled by generic dump code. IP_FW_TABLE_XLIST opcode version bumped (0 -> 1). * Eliminate legacy ta_dump_entry algo handler: dump_table_entry() converts data from current to legacy format. Userland side: * Add "lookup" table parameter. * Change the way table type is guessed: call table_get_info() first, and check value for IPv4/IPv6 type IFF table does not exist. * Fix table_get_list(): do more tries if supplied buffer is not enough. * Sparate table_show_entry() from table_show_list().
|
#
1832a7b3 |
|
04-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Issue warning while requesting ruleset with new tables via legacy binary. Convert each unresolved table as table 65535 (which cannot be used normally).
* Perform s/^ipfw_// for add_table_entry, del_table_entry and flush_table since these are internal functions exported to keep legacy interface.
* Remove macro TABLE_SET. Operations with tables can be done in any set, the only thing net.inet.ip.fw.tables_sets affects is the set in which tables are looked up while binding them to the rule.
|
#
ac35ff17 |
|
03-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fully switch to named tables:
Kernel changes:
* Introduce ipfw_obj_tentry table entry structure to force u64 alignment.
* Support "update-on-existing-key" "add" behavior (TEI_FLAGS_UPDATED).
* Use "subtype" field to distinguish between IPv4 and IPv6 table records instead of previous hack.
* Add value type (vtype) field for kernel tables. Current types are number, ip and dscp
* Fix sets mask retrieval for old binaries
* Fix crash while using interface tables
Userland changes:
* Switch ipfw_table_handler() to use named-only tables.
* Add "table NAME create [type {cidr|iface|u32} [valtype {number|ip|dscp}] ..."
* Switch ipfw_table_handler to match_token()-based parser.
* Switch ipfw_sets_handler to use new ipfw_get_config() for mask retrieval.
* Allow ipfw set X table ... syntax to permit using per-set table namespaces.
|
#
6c2997ff |
|
29-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new IP_FW_XADD opcode which permits a) specifying table ids as names b) adding multiple rules at once. Partially convert current code for atomic addition of multiple rules.
|
#
2aa75134 |
|
29-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Enable kernel-side rule filtering based on user request. Make do_get3() function return real error.
|
#
563b5ab1 |
|
28-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Support showing named tables in ipfw(8) rule listing.
Kernel changes:
* change base TLV header to be u64 (so size can be u32).
* Introduce ipfw_obj_ctlv generic container TLV.
* Add IP_FW_XGET opcode which is now used for atomic configuration retrieval. One can specify needed configuration pieces to retrieve via flags field. Currently supported are IPFW_CFG_GET_STATIC (static rules) and IPFW_CFG_GET_STATES (dynamic states). Other configuration pieces (tables, pipes, etc..) support is planned.
Userland changes:
* Switch ipfw(8) to use new IP_FW_XGET for rule listing.
* Split rule listing code into get and show pieces.
* Make several steps forward towards libipfw: permit printing states and rules (partially) to supplied buffer. Do not die on malloc/kernel failure inside given printing functions. Stop assuming cmdline_opts is global symbol.
|
#
2d99a349 |
|
27-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Use different approach for filling large datasets to userspace: instead of trying to allocate big contiguous chunk of memory, use intermediate-sized (page size) buffer as sliding window reducing number of sooptcopyout() calls to perform. This reduces dump functions complexity and provides additional layer of abstraction.
User-visible api consists of 2 functions: ipfw_get_sopt_space() - gets contiguous amount of storage (or NULL) and ipfw_get_sopt_header() - the same, but zeroes the rest of the buffer.
|
#
9490a627 |
|
16-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add IP_FW_TABLE_XCREATE / IP_FW_TABLE_XMODIFY opcodes.
* Add 'algoname' string to ipfw_xtable_info permitting to specify lookup algorithm with parameters.
* Rework part of ipfw_rewrite_table_uidx()
Sponsored by: Yandex LLC
|
#
d3a4f924 |
|
15-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Simplify opcode handling.
* Use one u16 from op3 header to implement opcode versioning.
* IP_FW_TABLE_XLIST has now 2 handlers, for ver.0 (old) and ver.1 (current).
* Every getsockopt request is now handled in ip_fw_table.c
* Rename new opcodes:
IP_FW_OBJ_DEL -> IP_FW_TABLE_XDESTROY
IP_FW_OBJ_LISTSIZE -> IP_FW_TABLES_XGETSIZE
IP_FW_OBJ_LIST -> IP_FW_TABLES_XLIST
IP_FW_OBJ_INFO -> IP_FW_TABLE_XINFO
IP_FW_OBJ_INFO -> IP_FW_TABLE_XFLUSH
* Add some docs about using given opcodes.
* Group some legacy opcode/handlers.
|
#
f1220db8 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move further to eliminate next pieces of number-assuming code inside tables.
Kernel changes:
* Add IP_FW_OBJ_FLUSH opcode (flush table based on its name/set)
* Add IP_FW_OBJ_DUMP opcode (dumps table data based on its name/set)
* Add IP_FW_OBJ_LISTSIZE / IP_FW_OBJ_LIST opcodes (get list of kernel tables)
Userland changes:
* move tables code to separate tables.c file
* get rid of tables_max
* switch "all"/list handling to new opcodes
|
#
ea761a5d |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move most of external table structures/functions to separate ip_fw_table.h
|
#
9f7d47b0 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add API to ease adding new algorithms/new tabletypes to ipfw.
Kernel-side changelog:
* Split general tables code and algorithm-specific table data. Current algorithms (IPv4/IPv6 radix and interface tables radix) moved to new ip_fw_table_algo.c file. Tables code now supports any algorithm implementing the following callbacks:
+struct table_algo { + char name[64]; + int idx; + ta_init *init; + ta_destroy *destroy; + table_lookup_t *lookup; + ta_prepare_add *prepare_add; + ta_prepare_del *prepare_del; + ta_add *add; + ta_del *del; + ta_flush_entry *flush_entry; + ta_foreach *foreach; + ta_dump_entry *dump_entry; + ta_dump_xentry *dump_xentry; +};
* Change ->state, ->xstate, ->tabletype fields of ip_fw_chain to ->tablestate pointer (array of 32-byte structures necessary for runtime lookups (can probably be shrunk to 16 bytes later):
+struct table_info { + table_lookup_t *lookup; /* Lookup function */ + void *state; /* Lookup radix/other structure */ + void *xstate; /* eXtended state */ + u_long data; /* Hints for given func */ +};
* Add count method for namedobj instance to ease size calculations
* Bump ip_fw3 buffer in ipfw_clt 128->256 bytes.
* Improve bitmask resizing on tables_max change.
* Remove table numbers checking from most places.
* Fix wrong nesting in ipfw_rewrite_table_uidx().
* Add IP_FW_OBJ_LIST opcode (list all objects of given type, currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_LISTSIZE (get buffer size to hold IP_FW_OBJ_LIST data, currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_INFO (requests info for one object of given type).
Some name changes:
s/ipfw_xtable_tlv/ipfw_obj_tlv/ (no table specifics)
s/ipfw_xtable_ntlv/ipfw_obj_ntlv/ (no table specifics)
Userland changes:
* Add do_set3() cmd to ipfw2 to ease dealing with op3-embedded opcodes.
* Add/improve support for destroy/info cmds.
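Review bot: the `struct table_algo` hunk gives its callbacks no locking annotations, while the `struct table_info` hunk next to it comments every field; since the message says any algorithm implementing these callbacks is supported, a one-line comment per callback saying which lock (if any) is held when it is invoked, for instance that `prepare_add`/`prepare_del` run without the table locks while `add`/`del` run under UH_WLOCK+WLOCK as later entries in this log describe, would keep implementers from allocating or sleeping under the write lock. The `u_long data; /* Hints for given func */` field in the second hunk would also benefit from stating who owns it and whether `lookup` may treat it as read-only.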
|
#
b074b7bb |
|
12-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Make ipfw tables use names as user-level identifier internally:
* Add namedobject set-aware api capable of searching/allocating objects by their name/idx.
* Switch tables code to use string ids for configuration tasks.
* Change locking model: most configuration changes are protected with UH lock, runtime-visible are protected with both locks.
* Reduce number of arguments passed to ipfw_table_add/del by using separate structure.
* Add internal V_fw_tables_sets tunable (set to 0) to prepare for set-aware tables (requires opcodes/client support)
* Implement typed table referencing (and tables are implicitly allocated with all state like radix ptrs on reference)
* Add "destroy" ipfw(8) using new IP_FW_DELOBJ opcode
Namedobj more detailed:
* Blackbox api providing methods to add/del/search/enumerate objects
* Statically-sized hashes for names/indexes
* Per-set bitmask to indicate free indexes
* Separate methods for index alloc/delete/resize
Basically, there should not be any user-visible changes except the following:
* reducing table_max is not supported
* flush & add change table type won't work if table is referenced
Sponsored by: Yandex LLC
|
#
7946c49f |
|
13-Apr-2014 |
Christian Brueffer <brueffer@FreeBSD.org> |
Free resources in error cases; re-indent a curly brace while here.
CID: 1199366
Found with: Coverity Prevent(tm)
MFC after: 1 week
|
#
5fa3fdd3 |
|
24-Jan-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Reorder struct ip_fw_chain:
* move rarely-used fields down
* move uh_lock to different cacheline
* remove some unused fields
Sponsored by: Yandex LLC
|
#
1058f177 |
|
28-Nov-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Check ipfw table numbers in both user and kernel space before rule addition. Found by: Saychik Pavel <umka@localka.net> MFC after: 2 weeks Sponsored by: Yandex LLC
|
#
4037b828 |
|
01-Apr-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix ipfw rule validation partially broken by r248552. Pointed by: avg MFC with: r248552
|
#
5b466128 |
|
25-Mar-2013 |
Andrey V. Elsukov <ae@FreeBSD.org> |
When we are removing a specific set, call ipfw_expire_dyn_rules only once. Obtained from: Yandex LLC MFC after: 1 week
|
#
ae01d73c |
|
20-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add ipfw support for setting/matching DiffServ codepoints (DSCP).
Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg.
Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).
Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order):
Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin
PR: kern/102471, kern/121122
MFC after: 2 weeks
|
#
c187c1fb |
|
30-Nov-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Use common macros for working with rule/dynamic counters. This is done as preparation to introduce per-cpu ipfw counters. MFC after: 3 weeks
|
#
2e089d5c |
|
30-Nov-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Make ipfw dynamic states operations SMP-ready.
* Global IPFW_DYN_LOCK() is changed to per-bucket mutex.
* State expiration is done in ipfw_tick every second.
* No expiration is done on forwarding path.
* hash table resize is done automatically and does not flush all states.
* Dynamic UMA zone is now allocated per each VNET
* State limiting is now done via UMA(9) api.
Discussed with: ipfw
MFC after: 3 weeks
Sponsored by: Yandex LLC
|
#
c1de64a4 |
|
25-Oct-2012 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove the IPFIREWALL_FORWARD kernel option and make possible to turn on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default. Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
|
#
3b3a8eb9 |
|
14-Sep-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.
Discussed with: bz, luigi
|