diff options
author | glebius <glebius@FreeBSD.org> | 2005-01-14 09:00:46 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2005-01-14 09:00:46 +0000 |
commit | 4db2b8d392653d006688b34d58bdb4ff6bc93523 (patch) | |
tree | d9fa7d7031281028b0d46da348135c088236c843 /sys/netinet/ip_fw_pfil.c | |
parent | 3c319ea2eac56f153a87df3c9616031973d63110 (diff) | |
download | FreeBSD-src-4db2b8d392653d006688b34d58bdb4ff6bc93523.zip FreeBSD-src-4db2b8d392653d006688b34d58bdb4ff6bc93523.tar.gz |
o Clean up interface between ip_fw_chk() and its callers:
- ip_fw_chk() returns action as function return value. Field retval is
removed from args structure. Action is not flag any more. It is one
of integer constants.
- Any action-specific cookies are returned either in new "cookie" field
in args structure (dummynet, future netgraph glue), or in mbuf tag
attached to packet (divert, tee, some future action).
o Convert parsing of return value from ip_fw_chk() in ipfw_check_{in,out}()
to a switch structure, so that the functions are more readable, and a future
actions can be added with less modifications.
Approved by: andre
MFC after: 2 months
Diffstat (limited to 'sys/netinet/ip_fw_pfil.c')
-rw-r--r-- | sys/netinet/ip_fw_pfil.c | 126 |
1 files changed, 74 insertions, 52 deletions
diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c index 44e8652..d186aab 100644 --- a/sys/netinet/ip_fw_pfil.c +++ b/sys/netinet/ip_fw_pfil.c @@ -82,6 +82,7 @@ ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, struct m_tag *dn_tag; int ipfw = 0; int divert; + int tee; #ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; #endif @@ -108,35 +109,17 @@ again: args.inp = inp; ipfw = ipfw_chk(&args); *m0 = args.m; + tee = 0; - if ((ipfw & IP_FW_PORT_DENY_FLAG) || *m0 == NULL) - goto drop; - - if (ipfw == 0 && args.next_hop == NULL) - goto pass; - - if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) { - ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_IN, &args); - *m0 = NULL; - return 0; /* packet consumed */ - } - - if (ipfw != 0 && (ipfw & IP_FW_PORT_DYNT_FLAG) == 0) { - if ((ipfw & IP_FW_PORT_TEE_FLAG) != 0) - divert = ipfw_divert(m0, DIV_DIR_IN, 1); - else - divert = ipfw_divert(m0, DIV_DIR_IN, 0); + KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", + __func__)); - /* tee should continue again with the firewall. */ - if (divert) { - *m0 = NULL; - return 0; /* packet consumed */ - } else - goto again; /* continue with packet */ - } + switch (ipfw) { + case IP_FW_PASS: + if (args.next_hop == NULL) + goto pass; #ifdef IPFIREWALL_FORWARD - if (ipfw == 0 && args.next_hop != NULL) { fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, sizeof(struct sockaddr_in), M_NOWAIT); if (fwd_tag == NULL) @@ -147,8 +130,35 @@ again: if (in_localip(args.next_hop->sin_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; goto pass; - } #endif + break; /* not reached */ + + case IP_FW_DENY: + goto drop; + break; /* not reached */ + + case IP_FW_DUMMYNET: + if (!DUMMYNET_LOADED) + goto drop; + ip_dn_io_ptr(*m0, args.cookie, DN_TO_IP_IN, &args); + *m0 = NULL; + return 0; /* packet consumed */ + + case IP_FW_TEE: + tee = 1; + /* fall through */ + + case IP_FW_DIVERT: + divert = ipfw_divert(m0, DIV_DIR_IN, tee); + if (divert) { + *m0 = NULL; + return 0; /* packet consumed */ + } else + goto again; /* continue with packet */ + + default: + KASSERT(0, ("%s: unknown retval", __func__)); + } drop: if (*m0) @@ -167,6 +177,7 @@ ipfw_check_out(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, struct m_tag *dn_tag; int ipfw = 0; int divert; + int tee; #ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; #endif @@ -194,34 +205,16 @@ again: args.inp = inp; ipfw = ipfw_chk(&args); *m0 = args.m; + tee = 0; - if ((ipfw & IP_FW_PORT_DENY_FLAG) || *m0 == NULL) - goto drop; - - if (ipfw == 0 && args.next_hop == NULL) - goto pass; - - if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) { - ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_OUT, &args); - *m0 = NULL; - return 0; /* packet consumed */ - } - - if (ipfw != 0 && (ipfw & IP_FW_PORT_DYNT_FLAG) == 0) { - if ((ipfw & IP_FW_PORT_TEE_FLAG) != 0) - divert = ipfw_divert(m0, DIV_DIR_OUT, 1); - else - divert = ipfw_divert(m0, DIV_DIR_OUT, 0); - - if (divert) { - *m0 = NULL; - return 0; /* packet consumed */ - } else - goto again; /* continue with packet */ - } + KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", + __func__)); + switch (ipfw) { + case IP_FW_PASS: + if (args.next_hop == NULL) + goto pass; #ifdef IPFIREWALL_FORWARD - if (ipfw == 0 && args.next_hop != NULL) { /* Overwrite existing tag. */ fwd_tag = m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL); if (fwd_tag == NULL) { @@ -237,8 +230,37 @@ again: if (in_localip(args.next_hop->sin_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; goto pass; - } #endif + break; /* not reached */ + + case IP_FW_DENY: + goto drop; + break; /* not reached */ + + case IP_FW_DUMMYNET: + if (!DUMMYNET_LOADED) + break; + ip_dn_io_ptr(*m0, args.cookie, DN_TO_IP_OUT, &args); + *m0 = NULL; + return 0; /* packet consumed */ + + break; + + case IP_FW_TEE: + tee = 1; + /* fall through */ + + case IP_FW_DIVERT: + divert = ipfw_divert(m0, DIV_DIR_OUT, tee); + if (divert) { + *m0 = NULL; + return 0; /* packet consumed */ + } else + goto again; /* continue with packet */ + + default: + KASSERT(0, ("%s: unknown retval", __func__)); + } drop: if (*m0) |