authorluigi <luigi@FreeBSD.org>2001-09-20 13:52:49 +0000
committerluigi <luigi@FreeBSD.org>2001-09-20 13:52:49 +0000
commit571d41f16011722ff95afd59b4546c5a48ac1012 (patch)
tree4f7e4a76577dadc8b3a56fdfc60d112bf59dffc0 /sys/netinet/ip_fw.h
parent785a826aae4983f7e57dcbdc604162c156ceace5 (diff)
A bunch of minor changes to the code (see below) for readability, code size
and speed. No new functionality added (yet) apart from a bugfix. MFC will occur in due time and probably in stages. BUGFIX: fix a problem in old code which prevented reallocation of the hash table for dynamic rules (there is a PR on this). OTHER CHANGES: minor changes to the internal struct for static and dynamic rules. Requires rebuild of ipfw binary. Add comments to show how data structures are linked together. (It probably makes no sense to keep the chain pointers separate from actual rule descriptors. They will hopefully be merged soon.) Keep a (sysctl-readable) counter for the number of static rules, to speed up IP_FW_GET operations. Initial support for a "grace time" for expired connections, so we can set timeouts for closing connections to much shorter times. Merge zero_entry() and resetlog_entry(); they use basically the same code. Clean up and reduce replication of code for removing rules, both for readability and code size. Introduce a separate lifetime for dynamic UDP rules. Fix a problem in old code which prevented reallocation of the hash table for dynamic rules (PR ...). Restructure dynamic rule descriptors. Introduce some local variables to avoid multiple dereferencing of pointer chains (reduces code size and hopefully increases speed).
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r--sys/netinet/ip_fw.h27
1 files changed, 21 insertions, 6 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 7abae15..a4d3f24 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -108,8 +108,11 @@ struct ip_fw {
struct ip_fw_ext { /* extended structure */
struct ip_fw rule; /* must be at offset 0 */
- long dont_match_prob; /* 0x7fffffff means 1.0, always fail */
- u_int dyn_type; /* type for dynamic rule */
+ long dont_match_prob; /* 0x7fffffff means 1.0, always fail */
+ u_char dyn_type; /* type for dynamic rule */
+#define DYN_KEEP_STATE 0 /* type for keep-state rules */
+ u_char _pad1 ; /* for future use */
+ u_short _pad2 ; /* for future use */
};
#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
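Review bot: The `_pad1` and `_pad2` members added to `struct ip_fw_ext` are labelled only "for future use", which leaves open whether a rule arriving from userland may carry non-zero bytes there; the commit message says the ipfw binary must be rebuilt, so this layout evidently crosses the user/kernel boundary. I would state the contract on the fields, e.g. `u_char _pad1; /* reserved, must be zero */`, and have the code that accepts and returns rules (not in this hunk) reject or clear non-zero reserved bytes, so they can be given a meaning later and never carry stale kernel memory out. The explicit pads account for four bytes after `long dont_match_prob`; where `long` is eight bytes the compiler still adds four bytes of implicit tail padding, which the same clearing should cover. `dyn_type` is `u_char` here but `u_int16_t` in `struct ipfw_dyn_rule` further down, and a single shared width would rule out silent truncation if a value is ever copied back.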
@@ -129,6 +132,18 @@ struct ip_fw_ext { /* extended structure */
#define fw_pipe_nr fw_un.fu_pipe_nr
#define fw_fwd_ip fw_un.fu_fwd_ip
+/**
+ *
+ * chain_ptr -------------+
+ * V
+ * [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
+ * [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
+ * +--[ rule ] +--[ rule ] +--[ rule ]
+ * | | |
+ * +->[ <ip_fw> ] +->[ <ip_fw> ] +->[ <ip_fw> ]
+ *
+ */
+
struct ip_fw_chain {
LIST_ENTRY(ip_fw_chain) next;
struct ip_fw *rule;
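Review bot: The new diagram above `struct ip_fw_chain` shows how nodes link to each other and to their `ip_fw`, but says nothing about ownership: whether freeing a chain node also frees the `rule` it points to, and what else may hold a pointer to a node. `struct ipfw_dyn_rule` later in this header keeps a `chain` pointer, so removal order matters for avoiding dangling pointers. I would add a line to the comment such as `* A node owns its rule; dynamic rules referencing the node must be removed before it is freed.`, adjusted to whatever the implementation really guarantees. `chain_ptr` in the drawing also matches no identifier visible in this hunk, so naming the real list head would help. `struct ip_fw_chain` continues past the end of the hunk.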
@@ -150,15 +165,15 @@ struct ipfw_flow_id {
struct ipfw_dyn_rule {
struct ipfw_dyn_rule *next ;
- struct ipfw_flow_id id ;
- struct ipfw_flow_id mask ;
- struct ip_fw_chain *chain ; /* pointer to parent rule */
- u_int32_t type ; /* rule type */
+ struct ipfw_flow_id id ; /* (masked) flow id */
+ struct ip_fw_chain *chain ; /* pointer to chain */
u_int32_t expire ; /* expire time */
u_int64_t pcnt, bcnt; /* match counters */
u_int32_t bucket ; /* which bucket in hash table */
u_int32_t state ; /* state of this rule (typ. a */
/* combination of TCP flags) */
+ u_int16_t dyn_type; /* rule type */
+ u_int16_t count; /* refcount */
} ;
/*
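Review bot: `u_int16_t count; /* refcount */` in `struct ipfw_dyn_rule` gives the reference count only 65535 values, and nothing in the header says what happens at the limit. If the code that increments it (in the .c file, not visible here) lets it wrap, the count can reach zero while references still exist, and the entry could then be released while still in use. I would either widen the field or document the bound next to it, e.g. `u_int16_t count; /* refcount, saturates at 0xffff */`, and make the increment site refuse to go past it. Separately, dropping `mask` and `type` and reordering members changes the layout with no version or size field in the struct, so if these records are what the ipfw binary reads, a stale binary would misparse them instead of failing cleanly; the commit message notes the rebuild requirement but the header does not.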