author | luigi <luigi@FreeBSD.org> | 2002-05-09 10:34:57 +0000 |
---|---|---|
committer | luigi <luigi@FreeBSD.org> | 2002-05-09 10:34:57 +0000 |
commit | 23cf222c8133558823b20c5e939ce537d5099c9e (patch) | |
tree | 290f0a0b2936ec4f8d0958565aefddebe98c19a9 /sys/netinet/ip_fw.h | |
parent | b6d1cd6b33e9d941abd387b6b03841797624e220 (diff) | |
Cleanup the interface to ip_fw_chk, two of the input arguments
were totally useless and have been removed.
ip_input.c, ip_output.c:
Properly initialize the "ip" pointer in case the firewall does an
m_pullup() on the packet.
Remove some debugging code forgotten long ago.
ip_fw.[ch], bridge.c:
Prepare the grounds for matching MAC header fields in bridged packets,
so we can have 'etherfw' functionality without a lot of kernel and
userland bloat.
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r-- | sys/netinet/ip_fw.h | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 468d66f..c41eb31 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -49,11 +49,26 @@ union ip_fw_if {
 * Port numbers are stored in HOST byte order.
 */
 
+/*
+ * To match MAC headers:
+ * 12 bytes at fw_mac_hdr contain the dst-src MAC address after masking.
+ * 12 bytes at fw_mac_mask contain the mask to apply to dst-src
+ * 2 bytes at fw_mac_type contain the mac type after mask (in net format)
+ * 2 bytes at fw_mac_type_mask contain the mac type mask
+ * If IP_FW_F_SRNG, the two contain the low-high of a range of types.
+ * IP_FW_F_DRNG is used to indicare we want to match a vlan.
+ */
+#define fw_mac_hdr fw_src
+#define fw_mac_mask fw_uar
+#define fw_mac_type fw_iplen
+#define fw_mac_mask_type fw_ipid
+
 struct ip_fw {
 LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */
 u_int fw_flg; /* Operational Flags word */
 u_int64_t fw_pcnt; /* Packet counters */
 u_int64_t fw_bcnt; /* Byte counters */
+
 struct in_addr fw_src; /* Source IP address */
 struct in_addr fw_dst; /* Destination IP address */
 struct in_addr fw_smsk; /* Mask for source IP address */
@@ -238,8 +253,9 @@ struct ipfw_dyn_rule {
 #define IP_FW_F_CHECK_S 0x10000000 /* check state */
 #define IP_FW_F_SME 0x20000000 /* source = me */
 #define IP_FW_F_DME 0x40000000 /* destination = me */
+#define IP_FW_F_MAC 0x80000000 /* match MAC header */
 
-#define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */
+#define IP_FW_F_MASK 0xFFFFFFFF /* All possible flag bits mask */
 
 /*
 * Flags for the 'fw_ipflg' field, for comparing values
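Review bot: The four overlay macros in the first hunk depend on a struct layout that nothing in the header enforces: a 12-byte MAC pair addressed at `fw_src` spans `fw_src`, `fw_dst` and `fw_smsk`, so any reordering or padding of those members would silently change what a MAC rule compares. A comment at the blank line added before `fw_src`, such as `/* fw_src..fw_smsk (12 bytes) double as fw_mac_hdr when IP_FW_F_MAC is set; keep contiguous */`, would record the dependency, and a compile-time size/offset check would enforce it. The size of `fw_uar` is not visible in this hunk and should be confirmed to be at least 12 bytes. The new comment also names `fw_mac_type_mask` while the macro actually defined is `fw_mac_mask_type`, and "indicare" should read "indicate". The body of `struct ip_fw` continues outside the hunk.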
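Review bot: Widening `IP_FW_F_MASK` to `0xFFFFFFFF` in the second hunk means a check of the form `flags & ~IP_FW_F_MASK` can no longer reject any value of the 32-bit `fw_flg`, and `IP_FW_F_MAC` becomes an accepted bit as soon as this header lands. The commit description says the change only prepares the ground for MAC matching, so if the rule-validation and matching code (not shown in this file) does not yet handle the bit, a rule carrying it would have its overlaid fields interpreted as IP addresses and masks. It is worth confirming that rules with `IP_FW_F_MAC` set are rejected until matching exists, and noting on the define that the flag word is now full, e.g. `/* all 32 bits of fw_flg are now assigned */`.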
@@ -320,8 +336,8 @@ void ip_fw_init(void);
 /* Firewall hooks */
 struct ip;
 struct sockopt;
-typedef int ip_fw_chk_t (struct ip **, int, struct ifnet *, u_int16_t *,
- struct mbuf **, struct ip_fw **, struct sockaddr_in **);
+typedef int ip_fw_chk_t (struct mbuf **m, struct ifnet *oif,
+ u_int16_t *cookie, struct ip_fw **rule, struct sockaddr_in **next_hop);
 typedef int ip_fw_ctl_t (struct sockopt *);
 extern ip_fw_chk_t *ip_fw_chk_ptr;
 extern ip_fw_ctl_t *ip_fw_ctl_ptr; |
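Review bot: The new `ip_fw_chk_t` typedef has no comment stating its contract, and the `struct mbuf **m` argument implies one. Per the commit description the firewall may do an `m_pullup()` on the packet, so `*m` can change and any pointer the caller still holds into the old packet data is stale after the call. I would document that on the typedef, e.g. `/* The hook may replace *m; callers must re-derive pointers into the packet from *m afterwards. */`. The forward declaration `struct ip;` just above appears to be no longer needed by this typedef, though declarations outside the hunk may still use it.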