authorae <ae@FreeBSD.org>2018-02-02 07:55:31 +0000
committerae <ae@FreeBSD.org>2018-02-02 07:55:31 +0000
commit52526a38bdff4a98f2d9080ef5340ced36bcc2cb (patch)
treebdba33f40ca905fb8b5fdbe9eb02e116baad7495
parent73f9a6a8284d34b704d330261b85973b93e47ed2 (diff)
downloadFreeBSD-src-52526a38bdff4a98f2d9080ef5340ced36bcc2cb.zip
FreeBSD-src-52526a38bdff4a98f2d9080ef5340ced36bcc2cb.tar.gz
MFC r328161:
Add UDPLite support to ipfw(4). Now it is possible to use UDPLite's port numbers in rules, create dynamic states for UDPLite packets and see "UDPLite" for matched packets in log. Obtained from: Yandex LLC Sponsored by: Yandex LLC
-rw-r--r--sys/netpfil/ipfw/ip_fw2.c16
-rw-r--r--sys/netpfil/ipfw/ip_fw_dynamic.c3
-rw-r--r--sys/netpfil/ipfw/ip_fw_log.c5
3 files changed, 19 insertions, 5 deletions
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index ca1897c..6d04a37 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -850,6 +850,9 @@ check_uidgid(ipfw_insn_u32 *insn, struct ip_fw_args *args, int *ugid_lookupp,
} else if (id->proto == IPPROTO_UDP) {
lookupflags = INPLOOKUP_WILDCARD;
pi = &V_udbinfo;
+ } else if (id->proto == IPPROTO_UDPLITE) {
+ lookupflags = INPLOOKUP_WILDCARD;
+ pi = &V_ulitecbinfo;
} else
return 0;
lookupflags |= INPLOOKUP_RLOCKPCB;
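Review bot: The added `IPPROTO_UDPLITE` branch in check_uidgid() copies the UDP branch line for line and differs only in the pcbinfo pointer, so a later change to the UDP lookup flags can easily miss its twin. One branch could cover both, `} else if (id->proto == IPPROTO_UDP || id->proto == IPPROTO_UDPLITE) {` followed by `pi = (id->proto == IPPROTO_UDP) ? &V_udbinfo : &V_ulitecbinfo;`. The same protocol-to-pcbinfo selection is repeated in the hunk at line 2200, which would benefit from the same treatment. The function body starts and ends outside this hunk.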
@@ -1209,6 +1212,7 @@ do { \
break;
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
PULLUP_TO(hlen, ulp, struct udphdr);
dst_port = UDP(ulp)->uh_dport;
src_port = UDP(ulp)->uh_sport;
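Review bot: The new `case IPPROTO_UDPLITE:` label parses the packet through `struct udphdr` without saying why that is safe, and the identical addition in the hunk at line 1386 has the same gap. The port fields do sit at the same offsets in both headers, but in UDP-Lite the field that `struct udphdr` names `uh_ulen` carries the checksum coverage, not the datagram length. A comment on the label would keep later code in this case from trusting it as a length, for example `/* UDP-Lite: same port layout as UDP; uh_ulen is checksum coverage, not length */`. The enclosing switch starts and ends outside the hunk, so whether anything below reads `uh_ulen` cannot be confirmed from here.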
@@ -1386,6 +1390,7 @@ do { \
break;
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
PULLUP_TO(hlen, ulp, struct udphdr);
dst_port = UDP(ulp)->uh_dport;
src_port = UDP(ulp)->uh_sport;
@@ -1517,7 +1522,8 @@ do { \
if (offset != 0)
break;
if (proto == IPPROTO_TCP ||
- proto == IPPROTO_UDP)
+ proto == IPPROTO_UDP ||
+ proto == IPPROTO_UDPLITE)
match = check_uidgid(
(ipfw_insn_u32 *)cmd,
args, &ucred_lookup,
@@ -1656,6 +1662,7 @@ do { \
/* Skip proto without ports */
if (proto != IPPROTO_TCP &&
proto != IPPROTO_UDP &&
+ proto != IPPROTO_UDPLITE &&
proto != IPPROTO_SCTP)
break;
if (vidx == 2 /* dst-port */)
@@ -1812,8 +1819,9 @@ do { \
* to guarantee that we have a
* packet with port info.
*/
- if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP)
- && offset == 0) {
+ if ((proto == IPPROTO_UDP ||
+ proto == IPPROTO_UDPLITE ||
+ proto == IPPROTO_TCP) && offset == 0) {
u_int16_t x =
(cmd->opcode == O_IP_SRCPORT) ?
src_port : dst_port ;
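Review bot: The port-match condition here now accepts UDP, UDPLite and TCP, while the "Skip proto without ports" test in the hunk at line 1656 also accepts SCTP, so the two lists of port-bearing protocols still disagree after this change. If SCTP is left out here on purpose, the existing comment above the condition should say so, e.g. `* SCTP ports are intentionally not matched here.`; if not, the omission looks like a gap a rule author would not expect. Since the commit had to extend the same list by hand in several places, a single shared predicate for "protocol has ports" would prevent the lists drifting further. The enclosing case body continues outside the hunk.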
@@ -2200,6 +2208,8 @@ do { \
pi = &V_tcbinfo;
else if (proto == IPPROTO_UDP)
pi = &V_udbinfo;
+ else if (proto == IPPROTO_UDPLITE)
+ pi = &V_ulitecbinfo;
else
break;
diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
index db20cf2..2b23c58 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -582,7 +582,8 @@ dyn_update_proto_state(ipfw_dyn_rule *q, const struct ipfw_flow_id *id,
q->expire = time_uptime + V_dyn_rst_lifetime;
break;
}
- } else if (id->proto == IPPROTO_UDP) {
+ } else if (id->proto == IPPROTO_UDP ||
+ id->proto == IPPROTO_UDPLITE) {
q->expire = time_uptime + V_dyn_udp_lifetime;
} else {
/* other protocols */
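Review bot: UDP-Lite dynamic states now expire on `V_dyn_udp_lifetime`, but nothing in the branch records that the UDP lifetime tunable also governs a second protocol. An operator who shortens the UDP state lifetime changes UDP-Lite state retention as well, which should be stated where the choice is made, e.g. `/* UDP-Lite states share the UDP lifetime */` above the assignment. The description of that tunable is outside this diff and probably needs the same remark. dyn_update_proto_state() starts and ends outside the hunk.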
diff --git a/sys/netpfil/ipfw/ip_fw_log.c b/sys/netpfil/ipfw/ip_fw_log.c
index b10b4e7..d7a38fd 100644
--- a/sys/netpfil/ipfw/ip_fw_log.c
+++ b/sys/netpfil/ipfw/ip_fw_log.c
@@ -332,7 +332,10 @@ ipfw_log(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
break;
case IPPROTO_UDP:
- len = snprintf(SNPARGS(proto, 0), "UDP %s", src);
+ case IPPROTO_UDPLITE:
+ len = snprintf(SNPARGS(proto, 0), "UDP%s%s",
+ args->f_id.proto == IPPROTO_UDP ? " ": "Lite ",
+ src);
if (offset == 0)
snprintf(SNPARGS(proto, len), ":%d %s:%d",
ntohs(udp->uh_sport),
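Review bot: The log prefix is assembled from fragments (`"UDP%s%s"` with `" "` or `"Lite "`), so the string "UDPLite" never appears in the source and is hard to find when tracing a log line back to the code. Selecting the whole name reads better and produces the same output: `len = snprintf(SNPARGS(proto, 0), "%s %s", args->f_id.proto == IPPROTO_UDP ? "UDP" : "UDPLite", src);`. Log parsers and detection rules that match the prefix `UDP` without the trailing space will now also match UDPLite entries, which deserves a mention in the release notes. The snprintf call at the end of the hunk continues outside it.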