Lines Matching defs:and
184 * hand side to allow for binary searching of the array and include a trailer
383 * for each of IPv4 and IPv6. Adding a new protocol, for which there
385 * a new routine and expanding the ipf_pr_ipinit*() function rather than by
413 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
431 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
565 * and destroy whatever packet was here. The caller of this function
604 /* big enough for it to be in, checking if it is repeated and setting a */
764 /* Examine the IPv6 fragment header and extract fragment offset information.*/
785 /* and no packet is allowed to overlay that where offset = 0. */
1026 /* header being present and no authentication data (null algorithm used.) */
1167 /* except extrememly bad packets, both type and code will be present. */
1288 /* and make some checks with how they interact with other fields. */
1290 /* valid and mark the packet as bad if not. */
1338 * also be set and vice versa. Good TCP packets do not have
1362 * SYN with URG and PUSH set is not for normal TCP but it is
1373 * not set and if URG, PSH or FIN are set, consdier
1401 * marking up which TCP options are and are not present. The one we
1465 /* Extract the UDP source and destination ports, if present. If compiled */
1565 /* header being present and no authentication data (null algorithm used.) */
1599 * Adjust fin_dp and fin_dlen for skipping over the authentication
1645 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
1646 /* Check all options present and flag their presence if any exist. */
1670 /* Get both TTL and protocol */
1690 * set packet attribute flags based on the offset and
1715 * must have a length greater than 0 and it
1726 * Call per-protocol setup and checking
1772 * list of options present with this packet and set flags to indicate
1773 * which ones are here and which ones are not. For the somewhat out
1774 * of date and obscure security classification options, set a flag to
1891 /* header and returns that whilst also storing the highest sensitivity */
1895 /* by the user (rather than the protocol) and can be rather numerous on the */
1993 /* which is useful for comparing IP headers with and store this information */
2051 * Do opposite test to that required and continue if that succeeds.
2331 /* return value and fin->fin_fr points to the matched rule. */
2461 * in the rule, if it exists and use the results from that.
2556 * the rule to "not match" and keep on processing
2701 * If the rule has "keep frag" and the packet is actually a fragment,
2747 /* directed by firewall rules and of course whether or not to allow the */
2750 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
2776 * the packet is distilled, collected into a fr_info_t structure and
2824 * XXX For now, IP Filter and fast-forwarding of cached flows
2902 * becomes NULL and so we have no packet to free.
3053 * Up the reference on fr_lock and exit ipf_mutex. The generation of
3114 * After the above so that ICMP unreachables and TCP RSTs get
3121 * If we didn't drop off the bottom of the list of rules (and thus
3333 /* and the TCP header. We also assume that data blocks aren't allocated in */
3336 /* Expects ip_len and ip_off to be in network byte order when called. */
3524 /* and thus its reference count needs to be lowered and the group free'd if */
3546 /* Remove the group from the list of groups and free it. */
3591 /* Find rule # n in group # g and return a pointer to it. Return NULl if */
3620 /* encountered. if a rule is the head of a group and it has lost all its */
3677 /* and IPv6) as defined by the value of flags. */
3722 /* Walk through all of the groups under the given group head and remove all */
3726 /* what is fg_next and fg_next after that. So if a filter rule is actually */
3773 /* Search dst for a sequence of bytes matching those at src and extend for */
3893 /* Walk through a list of filter rules and resolve any interface names into */
3898 /* when the name points to a pool and that pool doest not exist. If this */
4013 /* filter rules, NAT entries and the state table and check if anything */
4050 * end up being unaligned) and on the kernel's local stack.
4060 /* to start copying from (src) and a pointer to where to store it (dst). */
4093 /* to start copying from (src) and a pointer to where to store it (dst). */
4118 /* Get the new value for the lock integer, set it and return the old value */
4331 /* Compare two rules and return 0 if they match or a number indicating */
4397 /* names are resolved here and other sanity checks are made on the content */
4399 /* then make sure they are created and initialised before exiting. */
4408 OP_ZERO /* zero statistics and counters */ }
4481 addrem = OP_ZERO; /* Zero statistics and counters */
4718 * Allowing a rule with both "keep state" and "with oow" is
4879 * If zero'ing statistics, copy current to caller and zero.
4887 * Copy and reduce lock because of impending copyout.
4889 * this call and the correctness of fr_hits and
5095 /* it from any linked lists and remove any groups it is responsible for. */
5153 * We've got to the last rule and everything
5184 /* When using pools and hash tables to store addresses for matching in */
5186 /* name or address (and return that pointer) and also provide the means by */
5297 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
5398 /* free it and any associated storage space being used by it. */
5465 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
5466 /* fr_ptr is later used by ipf_srcgrpmap and ipf_dstgrpmap. */
5517 /* the key, and descend into that group and continue matching rules against */
5545 /* address as the key, and descend into that group and continue matching */
5586 /* being requested. If it finds one, increments the reference counter and */
5587 /* returns a pointer to it. If none are found, it allocates a new one and */
5607 * gets reused rather than freed and reallocated.
5645 /* check the list of user defined timeout queues and call the free function */
5673 /* Remove a user defined timeout queue from the list of queues it is in and */
5708 /* Remove a tail queue entry from its queue and make it an orphan. */
5780 /* We use use ticks to calculate the expiration and mark for when we last */
5822 /* Add a new item to this queue and put it on the very end. */
5823 /* We use use ticks to calculate the expiration and mark for when we last */
5852 /* If it notices that the current entry is already last and does not need */
5860 * If the queue hasn't changed and we last touched this entry at the
5870 * queue and one not, could end up with things in a bizarre state.
5899 * lock on the old queue and get a lock on the new queue.
5934 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
6241 /* but it must not be smaller than the size defined for the type and the */
6300 /* but it must not be smaller than the size defined for the type and the */
6419 /* already populated with information and now we just need to use it. */
6482 * If the TCP packet isn't a fragment, isn't too short and otherwise
6620 i6addr_t *src, *and;
6623 and = (i6addr_t *)&mask->sin6_addr;
6636 inpmask->i6[0] = and->i6[0];
6637 inpmask->i6[1] = and->i6[1];
6638 inpmask->i6[2] = and->i6[2];
6639 inpmask->i6[3] = and->i6[3];
6642 inp->i6[0] = src->i6[0] & and->i6[0];
6643 inp->i6[1] = src->i6[1] & and->i6[1];
6644 inp->i6[2] = src->i6[2] & and->i6[2];
6645 inp->i6[3] = src->i6[3] & and->i6[3];
6667 /* comparison. This function should only be called with both tag1 and tag2 */
6800 /* Search the static array of tuneables and the list of dynamic tuneables */
6858 /* pointers so we don't need to walk parts of it with ++ and others with */
6923 /* Allocate memory for a new set of tuneable values and copy everything */
7025 /* returned and no further ones removed. */
7052 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
7053 /* three ioctls provide the means to access and control global variables */
7054 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
7056 /* and 'destruction' routines of the various components of ipfilter are all */
7080 * entry we looked at, so find it (if possible) and return a
7083 * to NULL and return that, indicating end of list, erstwhile
7170 * getting the new value safely and correctly out of
7232 /* Copies the current statistics out to userspace and then zero's the */
7267 /* Looks up an interface name in the frdest structure pointed to by fdp and */
7312 /* to that passed in and that is also being used for that IP protocol */
7314 /* for both IPv4 and IPv6 on the same physical NIC. */
7342 /* have been held for too long and need to be freed up. */
7365 /* Loop through all of the existing tokens and call deref to see if they */
7368 /* of greater than one and in that case the reference would drop twice */
7536 /* Drop the reference count on the token structure and if it drops to zero, */
7651 /* When we have found the rule to return, increase its reference count and */
7793 /* This function serves as a stepping stone between ipf_ipf_ioctl and */
7795 /* the process doing the ioctl and use that to ask for the next rule. */
8195 /* buffer to point to the start of the inner packet and start processing */
8240 * there and bounce over it.
8243 /* This is really heavy weight and lots of room for error, */
8244 /* so for now, put it off and get the simple stuff right. */
8357 * that is local to the decapsulation processing and back into the
8391 /* describes it. Sanity checking and array size limitations are enforced */
8394 /* required is malloc'd and returned through changing *arrayptr. The */
8469 * (minimum 4 in length) and a trailer, for a total of 6.
8496 * (or else there is nothing to comapre with!) and it
8515 /* This function is used to apply a matching array against a packet and */
8537 * This is currently used with TCP and UDP port compares and
8669 /* This fucntion gets called when the state/NAT hash tables fill up and we */
8676 /* TCPS_TIME_WAIT and TCPS_CLOSED are considered to be the perfect */
8678 /* CLOSED or both CLOSED and TIME_WAIT brings us to the low watermark, */
8681 /* 2) Look for the oldest entries on each timeout queue and free them if */
8683 /* window starts and the steps taken to increase its size depend upon */
8698 /* ipf_ticks any given timeout queue and vice versa. */
8699 /* - both tqe_die and tqe_touched increase over time */
8701 /* bottom and therefore the smallest values of each are at the top */
8707 /* found in that range, "interval" is adjusted (so long as it isn't 30) and */
8708 /* we start again with a new value for "iend" and "istart". This is */
8742 * and kernels don't like floating point...
8858 /* state and NAT code, telling them to update their timeout queues. */
8887 /* to walk the entire list and apply the change. The sort order will not */
8920 /* This function applies the new timeout (p) to the TCP tunable (t) and */
9182 /* Work through all of the subsystems inside IPFilter and call the load */
9215 /* Work through all of the subsystems inside IPFilter and call the unload */
9248 /* Work through all of the subsystems inside IPFilter and call the create */
9319 /* Work through all of the subsystems inside IPFilter and call the destroy */
9380 /* Work through all of the subsystems inside IPFilter and call the init */
9425 /* Work through all of the subsystems inside IPFilter and call the fini */
9473 /* firewall rules. Both inactive and active lists are scanned for items to */
9527 /* family and the address itself. */
9579 /* have to be wary of that and not allow 32-128 to happen. */
9647 /* tree or a matching node exists and we're able to bump up its activity. */
9703 /* Try and find the address passed in amongst the leavese on this tree to */
9766 /* and free'ing each one. */