diff options
author | green <green@FreeBSD.org> | 2004-10-03 00:17:46 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2004-10-03 00:17:46 +0000 |
commit | a1ab5f0c7dae91ac2b8d9c2be9463083757f5fe6 (patch) | |
tree | e40a46b2deb9dd73b5b7b3f96b1f19d44079a888 /sbin/ipfw/ipfw2.c | |
parent | c4db706631d6435563c38ac0b9ba4acbbfddccb6 (diff) | |
download | FreeBSD-src-a1ab5f0c7dae91ac2b8d9c2be9463083757f5fe6.zip FreeBSD-src-a1ab5f0c7dae91ac2b8d9c2be9463083757f5fe6.tar.gz |
Add to IPFW the ability to do ALTQ classification/tagging.
Diffstat (limited to 'sbin/ipfw/ipfw2.c')
-rw-r--r-- | sbin/ipfw/ipfw2.c | 247 |
1 files changed, 216 insertions, 31 deletions
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 97cbf4c..7828fab 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -27,6 +27,7 @@ #include <sys/sysctl.h> #include <sys/time.h> #include <sys/wait.h> +#include <sys/queue.h> #include <ctype.h> #include <err.h> @@ -43,8 +44,11 @@ #include <timeconv.h> /* XXX do we need this ? */ #include <unistd.h> #include <sysexits.h> +#include <unistd.h> +#include <fcntl.h> #include <net/if.h> +#include <net/pfvar.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> @@ -202,6 +206,9 @@ enum tokens { TOK_UNREACH, TOK_CHECKSTATE, + TOK_ALTQ, + TOK_LOG, + TOK_UID, TOK_GID, TOK_JAIL, @@ -302,6 +309,12 @@ struct _s_x rule_actions[] = { { NULL, 0 } /* terminator */ }; +struct _s_x rule_action_params[] = { + { "altq", TOK_ALTQ }, + { "log", TOK_LOG }, + { NULL, 0 } /* terminator */ +}; + struct _s_x rule_options[] = { { "uid", TOK_UID }, { "gid", TOK_GID }, @@ -563,6 +576,107 @@ strtoport(char *s, char **end, int base, int proto) } /* + * Map between current altq queue id numbers and names. + */ +static int altq_fetched = 0; +static TAILQ_HEAD(, pf_altq) altq_entries = + TAILQ_HEAD_INITIALIZER(altq_entries); + +static void +altq_set_enabled(int enabled) +{ + int pffd; + + pffd = open("/dev/pf", O_RDWR); + if (pffd == -1) + err(EX_UNAVAILABLE, + "altq support opening pf(4) control device"); + if (enabled) { + if (ioctl(pffd, DIOCSTARTALTQ) != 0 && errno != EEXIST) + err(EX_UNAVAILABLE, "enabling altq"); + } else { + if (ioctl(pffd, DIOCSTOPALTQ) != 0 && errno != ENOENT) + err(EX_UNAVAILABLE, "disabling altq"); + } + close(pffd); +} + +static void +altq_fetch() +{ + struct pfioc_altq pfioc; + struct pf_altq *altq; + int pffd, mnr; + + if (altq_fetched) + return; + altq_fetched = 1; + pffd = open("/dev/pf", O_RDONLY); + if (pffd == -1) { + warn("altq support opening pf(4) control device"); + return; + } + bzero(&pfioc, sizeof(pfioc)); + if (ioctl(pffd, DIOCGETALTQS, &pfioc) != 0) { + warn("altq support getting queue list"); + close(pffd); + return; + } + mnr = pfioc.nr; + for (pfioc.nr = 0; pfioc.nr < mnr; pfioc.nr++) { + if (ioctl(pffd, DIOCGETALTQ, &pfioc) != 0) { + if (errno == EBUSY) + break; + warn("altq support getting queue list"); + close(pffd); + return; + } + if (pfioc.altq.qid == 0) + continue; + altq = malloc(sizeof(*altq)); + if (altq == NULL) + err(EX_OSERR, "malloc"); + *altq = pfioc.altq; + TAILQ_INSERT_TAIL(&altq_entries, altq, entries); + } + close(pffd); +} + +static u_int32_t +altq_name_to_qid(const char *name) +{ + struct pf_altq *altq; + + altq_fetch(); + TAILQ_FOREACH(altq, &altq_entries, entries) + if (strcmp(name, altq->qname) == 0) + break; + if (altq == NULL) + errx(EX_DATAERR, "altq has no queue named `%s'", name); + return altq->qid; +} + +static const char * +altq_qid_to_name(u_int32_t qid) +{ + struct pf_altq *altq; + + altq_fetch(); + TAILQ_FOREACH(altq, &altq_entries, entries) + if (qid == altq->qid) + break; + if (altq == NULL) + return NULL; + return altq->qname; +} + +static void +fill_altq_qid(u_int32_t *qid, const char *av) +{ + *qid = altq_name_to_qid(av); +} + +/* * Fill the body of the command with the list of port ranges. */ static int @@ -908,6 +1022,7 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) int proto = 0; /* default */ int flags = 0; /* prerequisites */ ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */ + ipfw_insn_altq *altqptr = NULL; /* set if we find an O_ALTQ */ int or_block = 0; /* we are in an or block */ uint32_t set_disable; @@ -1033,8 +1148,12 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) logptr = (ipfw_insn_log *)cmd; break; + case O_ALTQ: /* O_ALTQ is printed after O_LOG */ + altqptr = (ipfw_insn_altq *)cmd; + break; + default: - printf("** unrecognized action %d len %d", + printf("** unrecognized action %d len %d ", cmd->opcode, cmd->len); } } @@ -1044,6 +1163,15 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) else printf(" log"); } + if (altqptr) { + const char *qname; + + qname = altq_qid_to_name(altqptr->qid); + if (qname == NULL) + printf(" altq ?<%u>", altqptr->qid); + else + printf(" altq %s", qname); + } /* * then print the body. @@ -1174,6 +1302,23 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) printf(cmd->len & F_NOT ? " out" : " in"); break; + case O_DIVERTED: + switch (cmd->arg1) { + case 3: + printf(" diverted"); + break; + case 1: + printf(" diverted-loopback"); + break; + case 2: + printf(" diverted-output"); + break; + default: + printf(" diverted-?<%u>", cmd->arg1); + break; + } + break; + case O_LAYER2: printf(" layer2"); break; @@ -1709,6 +1854,8 @@ sysctl_handler(int ac, char *av[], int which) } else if (strncmp(*av, "dyn_keepalive", strlen(*av)) == 0) { sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0, &which, sizeof(which)); + } else if (strncmp(*av, "altq", strlen(*av)) == 0) { + altq_set_enabled(which); } else { warnx("unrecognize enable/disable keyword: %s\n", *av); } @@ -1903,9 +2050,10 @@ help(void) "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n" "table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n" "\n" -"RULE-BODY: check-state [LOG] | ACTION [LOG] ADDR [OPTION_LIST]\n" +"RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n" "ACTION: check-state | allow | count | deny | reject | skipto N |\n" " {divert|tee} PORT | forward ADDR | pipe N | queue N\n" +"PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n" "ADDR: [ MAC dst src ether_type ] \n" " [ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n" "IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }\n" @@ -2756,11 +2904,11 @@ add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode) * Rules are added into the 'rulebuf' and then copied in the correct order * into the actual rule. * - * The syntax for a rule starts with the action, followed by an - * optional log action, and the various match patterns. + * The syntax for a rule starts with the action, followed by + * optional action parameters, and the various match patterns. * In the assembled microcode, the first opcode must be an O_PROBE_STATE * (generated if the rule includes a keep-state option), then the - * various match patterns, the "log" action, and the actual action. + * various match patterns, log/altq actions, and the actual action. * */ static void @@ -2783,6 +2931,7 @@ add(int ac, char *av[]) * various flags used to record that we entered some fields. */ ipfw_insn *have_state = NULL; /* check-state or keep-state */ + ipfw_insn *have_log = NULL, *have_altq = NULL; size_t len; int i; @@ -2945,32 +3094,63 @@ add(int ac, char *av[]) action = next_cmd(action); /* + * [altq queuename] -- altq tag, optional * [log [logamount N]] -- log, optional * - * If exists, it goes first in the cmdbuf, but then it is + * If they exist, it go first in the cmdbuf, but then it is * skipped in the copy section to the end of the buffer. */ - if (ac && !strncmp(*av, "log", strlen(*av))) { - ipfw_insn_log *c = (ipfw_insn_log *)cmd; - int l; + while (ac != 0 && (i = match_token(rule_action_params, *av)) != -1) { + ac--; av++; + switch (i) { + case TOK_LOG: + { + ipfw_insn_log *c = (ipfw_insn_log *)cmd; + int l; - cmd->len = F_INSN_SIZE(ipfw_insn_log); - cmd->opcode = O_LOG; - av++; ac--; - if (ac && !strncmp(*av, "logamount", strlen(*av))) { - ac--; av++; - NEED1("logamount requires argument"); - l = atoi(*av); - if (l < 0) - errx(EX_DATAERR, "logamount must be positive"); - c->max_log = l; + if (have_log) + errx(EX_DATAERR, + "log cannot be specified more than once"); + have_log = (ipfw_insn *)c; + cmd->len = F_INSN_SIZE(ipfw_insn_log); + cmd->opcode = O_LOG; + if (ac && !strncmp(*av, "logamount", strlen(*av))) { + ac--; av++; + NEED1("logamount requires argument"); + l = atoi(*av); + if (l < 0) + errx(EX_DATAERR, + "logamount must be positive"); + c->max_log = l; + ac--; av++; + } else { + len = sizeof(c->max_log); + if (sysctlbyname("net.inet.ip.fw.verbose_limit", + &c->max_log, &len, NULL, 0) == -1) + errx(1, "sysctlbyname(\"%s\")", + "net.inet.ip.fw.verbose_limit"); + } + } + break; + + case TOK_ALTQ: + { + ipfw_insn_altq *a = (ipfw_insn_altq *)cmd; + + NEED1("missing altq queue name"); + if (have_altq) + errx(EX_DATAERR, + "altq cannot be specified more than once"); + have_altq = (ipfw_insn *)a; + cmd->len = F_INSN_SIZE(ipfw_insn_altq); + cmd->opcode = O_ALTQ; + fill_altq_qid(&a->qid, *av); ac--; av++; - } else { - len = sizeof(c->max_log); - if (sysctlbyname("net.inet.ip.fw.verbose_limit", - &c->max_log, &len, NULL, 0) == -1) - errx(1, "sysctlbyname(\"%s\")", - "net.inet.ip.fw.verbose_limit"); + } + break; + + default: + abort(); } cmd = next_cmd(cmd); } @@ -3533,7 +3713,7 @@ done: dst = next_cmd(dst); } /* - * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT + * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ */ for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) { i = F_LEN(src); @@ -3542,6 +3722,7 @@ done: case O_LOG: case O_KEEP_STATE: case O_LIMIT: + case O_ALTQ: break; default: bcopy(src, dst, i * sizeof(uint32_t)); @@ -3563,12 +3744,16 @@ done: rule->act_ofs = dst - rule->cmd; /* - * put back O_LOG if necessary + * put back O_LOG, O_ALTQ if necessary */ - src = (ipfw_insn *)cmdbuf; - if (src->opcode == O_LOG) { - i = F_LEN(src); - bcopy(src, dst, i * sizeof(uint32_t)); + if (have_log) { + i = F_LEN(have_log); + bcopy(have_log, dst, i * sizeof(uint32_t)); + dst += i; + } + if (have_altq) { + i = F_LEN(have_altq); + bcopy(have_altq, dst, i * sizeof(uint32_t)); dst += i; } /* |