diff options
| author | luigi <luigi@FreeBSD.org> | 2009-12-15 16:15:14 +0000 |
|---|---|---|
| committer | luigi <luigi@FreeBSD.org> | 2009-12-15 16:15:14 +0000 |
| commit | c4e6c7a490d49b3d223f8dfbc5978cd7abefc6ff (patch) | |
| tree | 36cbadf9b9732e76c72e3e2eb0b4b62a48ef743d /sys/netinet/ip_fw.h | |
| parent | 2ffe7d61d93a8c10c0336f394d7c3614ae58d642 (diff) | |
| download | FreeBSD-src-c4e6c7a490d49b3d223f8dfbc5978cd7abefc6ff.zip FreeBSD-src-c4e6c7a490d49b3d223f8dfbc5978cd7abefc6ff.tar.gz | |
Start splitting ip_fw2.c and ip_fw.h into smaller components.
At this time we pull out from ip_fw2.c the logging functions, and
support for dynamic rules, and move kernel-only stuff into
netinet/ipfw/ip_fw_private.h
No ABI change involved in this commit, unless I made some mistake.
ip_fw.h has changed, though not in the userland-visible part.
Files touched by this commit:
conf/files
now references the two new source files
netinet/ip_fw.h
remove kernel-only definitions gone into netinet/ipfw/ip_fw_private.h.
netinet/ipfw/ip_fw_private.h
new file with kernel-specific ipfw definitions
netinet/ipfw/ip_fw_log.c
ipfw_log and related functions
netinet/ipfw/ip_fw_dynamic.c
code related to dynamic rules
netinet/ipfw/ip_fw2.c
removed the pieces that goes in the new files
netinet/ipfw/ip_fw_nat.c
minor rearrangement to remove LOOKUP_NAT from the
main headers. This require a new function pointer.
A bunch of other kernel files that included netinet/ip_fw.h now
require netinet/ipfw/ip_fw_private.h as well.
Not 100% sure i caught all of them.
MFC after: 1 month
Diffstat (limited to 'sys/netinet/ip_fw.h')
| -rw-r--r-- | sys/netinet/ip_fw.h | 129 |
1 files changed, 0 insertions, 129 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 1e6feb4..34540fd 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -571,133 +571,4 @@ typedef struct _ipfw_table { ipfw_table_entry ent[0]; /* entries */ } ipfw_table; -/* - * Main firewall chains definitions and global var's definitions. - */ -#ifdef _KERNEL - -#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ - -/* Return values from ipfw_chk() */ -enum { - IP_FW_PASS = 0, - IP_FW_DENY, - IP_FW_DIVERT, - IP_FW_TEE, - IP_FW_DUMMYNET, - IP_FW_NETGRAPH, - IP_FW_NGTEE, - IP_FW_NAT, - IP_FW_REASS, -}; - -/* flags for divert mtag */ -#define IP_FW_DIVERT_LOOPBACK_FLAG 0x00080000 -#define IP_FW_DIVERT_OUTPUT_FLAG 0x00100000 - -/* - * Structure for collecting parameters to dummynet for ip6_output forwarding - */ -struct _ip6dn_args { - struct ip6_pktopts *opt_or; - struct route_in6 ro_or; - int flags_or; - struct ip6_moptions *im6o_or; - struct ifnet *origifp_or; - struct ifnet *ifp_or; - struct sockaddr_in6 dst_or; - u_long mtu_or; - struct route_in6 ro_pmtu_or; -}; - -/* - * Arguments for calling ipfw_chk() and dummynet_io(). We put them - * all into a structure because this way it is easier and more - * efficient to pass variables around and extend the interface. - */ -struct ip_fw_args { - struct mbuf *m; /* the mbuf chain */ - struct ifnet *oif; /* output interface */ - struct sockaddr_in *next_hop; /* forward address */ - struct ip_fw *rule; /* matching rule */ - uint32_t rule_id; /* matching rule id */ - uint32_t chain_id; /* ruleset id */ - struct ether_header *eh; /* for bridged packets */ - - struct ipfw_flow_id f_id; /* grabbed from IP header */ - uint32_t cookie; /* a cookie depending on rule action */ - struct inpcb *inp; - - struct _ip6dn_args dummypar; /* dummynet->ip6_output */ - struct sockaddr_in hopstore; /* store here if cannot use a pointer */ -}; - -/* - * Function definitions. - */ - -/* Firewall hooks */ -struct sockopt; -struct dn_flow_set; - -int ipfw_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); -int ipfw_check_out(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); - -int ipfw_chk(struct ip_fw_args *); - -int ipfw_hook(void); -int ipfw6_hook(void); -int ipfw_unhook(void); -int ipfw6_unhook(void); -#ifdef NOTYET -void ipfw_nat_destroy(void); -#endif - -VNET_DECLARE(int, fw_one_pass); -VNET_DECLARE(int, fw_enable); -#define V_fw_one_pass VNET(fw_one_pass) -#define V_fw_enable VNET(fw_enable) - -#ifdef INET6 -VNET_DECLARE(int, fw6_enable); -#define V_fw6_enable VNET(fw6_enable) -#endif - -struct ip_fw_chain { - struct ip_fw *rules; /* list of rules */ - struct ip_fw *reap; /* list of rules to reap */ - LIST_HEAD(, cfg_nat) nat; /* list of nat entries */ - struct radix_node_head *tables[IPFW_TABLES_MAX]; - struct rwlock rwmtx; - uint32_t id; /* ruleset id */ -}; - -#ifdef IPFW_INTERNAL - -#define IPFW_LOCK_INIT(_chain) \ - rw_init(&(_chain)->rwmtx, "IPFW static rules") -#define IPFW_LOCK_DESTROY(_chain) rw_destroy(&(_chain)->rwmtx) -#define IPFW_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_WLOCKED) - -#define IPFW_RLOCK(p) rw_rlock(&(p)->rwmtx) -#define IPFW_RUNLOCK(p) rw_runlock(&(p)->rwmtx) -#define IPFW_WLOCK(p) rw_wlock(&(p)->rwmtx) -#define IPFW_WUNLOCK(p) rw_wunlock(&(p)->rwmtx) - -#define LOOKUP_NAT(l, i, p) do { \ - LIST_FOREACH((p), &(l.nat), _next) { \ - if ((p)->id == (i)) { \ - break; \ - } \ - } \ - } while (0) - -typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *); -typedef int ipfw_nat_cfg_t(struct sockopt *); -#endif - -VNET_DECLARE(struct ip_fw_chain, layer3_chain); -#define V_layer3_chain VNET(layer3_chain) - -#endif /* _KERNEL */ #endif /* _IPFW2_H */ |
