-rw-r--r-- | sbin/ipfw/ipfw.8 | 18 | ||||
-rw-r--r-- | sbin/ipfw/tables.c | 17 | ||||
-rw-r--r-- | sys/netinet/ip_fw.h | 6 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_table.c | 14 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_table_algo.c | 112 |
5 files changed, 84 insertions, 83 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 6584bdb..4f12738 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1886,11 +1886,11 @@ There may be up to 65535 different lookup tables. .Pp The following table types are supported: .Bl -tag -width indent -.It Ar table-type : Ar cidr | iface | number | flow +.It Ar table-type : Ar addr | iface | number | flow .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port -.It Cm cidr +.It Cm addr matches IPv4 or IPv6 address. Each entry is represented by an .Ar addr Ns Op / Ns Ar masklen @@ -2030,18 +2030,18 @@ Shows generic table information and algo-specific data. The following lookup algorithms are supported: .Bl -tag -width indent .It Ar algo-desc : algo-name | "algo-name algo-data" -.It Ar algo-name: Ar cidr:radix | cidr:hash | iface:arrray | number:array | flow:hash -.It Cm cidr:radix +.It Ar algo-name: Ar addr:radix | addr:hash | iface:arrray | number:array | flow:hash +.It Cm addr:radix Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see .Xr route 4 ) . Default choice for .Ar -cidr +addr type. -.It Cm cidr:hash +.It Cm addr:hash Separate auto-growing hashes for IPv4 and IPv6. Accepts entries with the same mask length specified initially via -.Cm "cidr:hash masks=/v4,/v6" +.Cm "addr:hash masks=/v4,/v6" algorithm creation options. Assume /32 and /128 masks by default. Search removes host bits (according to mask) from supplied address and checks @@ -3454,7 +3454,7 @@ Then we classify traffic using a single rule: .Dl "ipfw pipe 1 config bw 1000Kbyte/s" .Dl "ipfw pipe 4 config bw 4000Kbyte/s" .Dl "..." -.Dl "ipfw table T1 create type cidr" +.Dl "ipfw table T1 create type addr" .Dl "ipfw table T1 add 192.168.2.0/24 1" .Dl "ipfw table T1 add 192.168.0.0/27 4" .Dl "ipfw table T1 add 192.168.0.2 1" 
@@ -3465,7 +3465,7 @@ Using the .Cm fwd action, the table entries may include hostnames and IP addresses. .Pp -.Dl "ipfw table T2 create type cidr ftype ip" +.Dl "ipfw table T2 create type addr ftype ip" .Dl "ipfw table T2 add 192.168.2.0/24 10.23.2.1" .Dl "ipfw table T21 add 192.168.0.0/27 router1.dmz" .Dl "..." diff --git a/sbin/ipfw/tables.c b/sbin/ipfw/tables.c index db88f30..9ffbdef 100644 --- a/sbin/ipfw/tables.c +++ b/sbin/ipfw/tables.c @@ -79,7 +79,7 @@ static int tables_foreach(table_cb_t *f, void *arg, int sort); #endif static struct _s_x tabletypes[] = { - { "cidr", IPFW_TABLE_CIDR }, + { "addr", IPFW_TABLE_ADDR }, { "iface", IPFW_TABLE_INTERFACE }, { "number", IPFW_TABLE_NUMBER }, { "flow", IPFW_TABLE_FLOW }, @@ -375,8 +375,7 @@ table_print_type(char *tbuf, size_t size, uint8_t type, uint8_t tflags) /* * Creates new table * - * ipfw table NAME create [ type { cidr | iface | u32 } ] - * [ valtype { number | ip | dscp } ] + * ipfw table NAME create [ type { addr | iface | number | flow } ] * [ algo algoname ] */ static void @@ -462,7 +461,7 @@ table_create(ipfw_obj_header *oh, int ac, char *av[]) /* Set some defaults to preserve compability */ if (xi.algoname[0] == '\0' && xi.type == 0) - xi.type = IPFW_TABLE_CIDR; + xi.type = IPFW_TABLE_ADDR; if (xi.vtype == 0) xi.vtype = IPFW_VTYPE_U32; @@ -1142,7 +1141,7 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type, paddr = (struct in6_addr *)&tentry->k; switch (type) { - case IPFW_TABLE_CIDR: + case IPFW_TABLE_ADDR: /* Remove / if exists */ if ((p = strchr(arg, '/')) != NULL) { *p = '\0'; @@ -1172,7 +1171,7 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type, errx(EX_NOHOST, "hostname ``%s'' unknown", arg); masklen = 32; - type = IPFW_TABLE_CIDR; + type = IPFW_TABLE_ADDR; af = AF_INET; } break; 
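Review bot: Dropping the `"cidr"` entry from tabletypes[] in the @@ -79 hunk removes the user-visible keyword, so an existing script that runs `ipfw table T create type cidr` will presumably stop parsing, while ip_fw.h keeps IPFW_TABLE_CIDR only as a source-level alias. Firewall rule sets are usually loaded at boot, and a rejected create followed by a cascade of failing adds is the kind of breakage a rename should not cause. Keeping the old spelling as an accepted alias costs one line, placed after the canonical name so a value-to-name lookup still prints `addr`: `{ "addr", IPFW_TABLE_ADDR },` followed by `{ "cidr", IPFW_TABLE_ADDR }, /* compat: pre-rename keyword */`. This assumes tabletypes[] is consulted with a first-match token lookup, which the hunk itself does not show.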
@@ -1351,7 +1350,7 @@ tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key, oh->ntlv.name); /* * Table does not exist. - * Compability layer: try to interpret data as CIDR + * Compability layer: try to interpret data as ADDR * before failing. */ if ((del = strchr(key, '/')) != NULL) @@ -1359,7 +1358,7 @@ tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key, if (inet_pton(AF_INET, key, &tent->k.addr6) == 1 || inet_pton(AF_INET6, key, &tent->k.addr6) == 1) { /* OK Prepare and send */ - type = IPFW_TABLE_CIDR; + type = IPFW_TABLE_ADDR; /* * XXX: Value type is forced to be u32. * This should be changed for MFC. @@ -1575,7 +1574,7 @@ table_show_entry(ipfw_xtable_info *i, ipfw_obj_tentry *tent) snprintf(pval, sizeof(pval), "%u", tval); switch (i->type) { - case IPFW_TABLE_CIDR: + case IPFW_TABLE_ADDR: /* IPv4 or IPv6 prefixes */ inet_ntop(tent->subtype, &tent->k, tbuf, sizeof(tbuf)); printf("%s/%u %s\n", tbuf, tent->masklen, pval); diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index cc6c474..9dee50f 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -654,12 +654,14 @@ struct _ipfw_dyn_rule { * These are used for lookup tables. */ -#define IPFW_TABLE_CIDR 1 /* Table for holding IPv4/IPv6 prefixes */ +#define IPFW_TABLE_ADDR 1 /* Table for holding IPv4/IPv6 prefixes */ #define IPFW_TABLE_INTERFACE 2 /* Table for holding interface names */ #define IPFW_TABLE_NUMBER 3 /* Table for holding ports/uid/gid/etc */ #define IPFW_TABLE_FLOW 4 /* Table for holding flow data */ #define IPFW_TABLE_MAXTYPE 4 /* Maximum valid number */ +#define IPFW_TABLE_CIDR IPFW_TABLE_ADDR /* compat */ + /* Value types */ #define IPFW_VTYPE_U32 1 /* Skipto/tablearg integer */ 
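Review bot: The rewritten comment in the @@ -1351 hunk of tentry_fill_key still carries the misspelling "Compability", and the same spelling shows up in context lines elsewhere in this diff (`/* Set some defaults to preserve compability */`, `/* Old requests compability */`). Since this line is being rewritten anyway, fix it here: `* Compatibility layer: try to interpret the key as an ADDR`. tentry_fill_key starts and ends outside the hunk.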
@@ -833,7 +835,7 @@ typedef struct _ipfw_ta_tinfo { #define IPFW_TATFLAGS_AFITEM 0x0004 /* diff. items per AF */ typedef struct _ipfw_xtable_info { - uint8_t type; /* table type (cidr,iface,..) */ + uint8_t type; /* table type (addr,iface,..) */ uint8_t tflags; /* type flags */ uint8_t vtype; /* value type (u32) */ uint8_t vftype; /* value format type (ip,number)*/ diff --git a/sys/netpfil/ipfw/ip_fw_table.c b/sys/netpfil/ipfw/ip_fw_table.c index 78b3222..7f5fae6 100644 --- a/sys/netpfil/ipfw/ip_fw_table.c +++ b/sys/netpfil/ipfw/ip_fw_table.c @@ -61,7 +61,7 @@ __FBSDID("$FreeBSD$"); /* * Table has the following `type` concepts: * - * `no.type` represents lookup key type (cidr, ifp, uid, etc..) + * `no.type` represents lookup key type (addr, ifp, uid, etc..) * `vtype` represents table value type (currently U32) * `ftype` (at the moment )is pure userland field helping to properly * format value data e.g. "value is IPv4 nexthop" or "value is DSCP" @@ -784,7 +784,7 @@ ipfw_manage_table_ent_v0(struct ip_fw_chain *ch, ip_fw3_opheader *op3, tei.value = xent->value; /* Old requests compability */ tei.flags = TEI_FLAGS_COMPAT; - if (xent->type == IPFW_TABLE_CIDR) { + if (xent->type == IPFW_TABLE_ADDR) { if (xent->len - hdrlen == sizeof(in_addr_t)) tei.subtype = AF_INET; else @@ -2268,7 +2268,7 @@ ipfw_dump_table_legacy(struct ip_fw_chain *ch, struct tid_info *ti, ta = tc->ta; /* This dump format supports IPv4 only */ - if (tc->no.type != IPFW_TABLE_CIDR) + if (tc->no.type != IPFW_TABLE_ADDR) return (0); memset(&da, 0, sizeof(da)); @@ -2347,7 +2347,7 @@ dump_table_xentry(void *e, void *arg) xent->masklen = tent->masklen; xent->value = tent->value; /* Apply some hacks */ - if (tc->no.type == IPFW_TABLE_CIDR && tent->subtype == AF_INET) { + if (tc->no.type == IPFW_TABLE_ADDR && tent->subtype == AF_INET) { xent->k.addr6.s6_addr32[3] = tent->k.addr.s_addr; xent->flags = IPFW_TCF_INET; } else 
@@ -2395,7 +2395,7 @@ find_table_algo(struct tables_config *tcfg, struct tid_info *ti, char *name) * One can supply additional algorithm * parameters so we compare only the first word * of supplied name: - * 'hash_cidr hsize=32' + * 'addr:chash hsize=32' * '^^^^^^^^^' * */ @@ -2559,8 +2559,8 @@ classify_table_opcode(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype) case O_IP_DST_LOOKUP: /* Basic IPv4/IPv6 or u32 lookups */ *puidx = cmd->arg1; - /* Assume CIDR by default */ - *ptype = IPFW_TABLE_CIDR; + /* Assume ADDR by default */ + *ptype = IPFW_TABLE_ADDR; skip = 0; if (F_LEN(cmd) > F_INSN_SIZE(ipfw_insn_u32)) { diff --git a/sys/netpfil/ipfw/ip_fw_table_algo.c b/sys/netpfil/ipfw/ip_fw_table_algo.c index 2e4c0de..3d05867 100644 --- a/sys/netpfil/ipfw/ip_fw_table_algo.c +++ b/sys/netpfil/ipfw/ip_fw_table_algo.c @@ -65,8 +65,8 @@ __FBSDID("$FreeBSD: projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c 267384 2014-06- * * Algo init: * * struct table_algo has to be filled with: - * name: "type:algoname" format, e.g. "cidr:radix". Currently - * there are the following types: "cidr", "iface", "number" and "flow". + * name: "type:algoname" format, e.g. "addr:radix". Currently + * there are the following types: "addr", "iface", "number" and "flow". * type: one of IPFW_TABLE_* types * flags: one or more TA_FLAGS_* * ta_buf_size: size of structure used to store add/del item state. @@ -292,7 +292,7 @@ static int bdel(const void *key, void *base, size_t nmemb, size_t size, /* - * CIDR implementation using radix + * ADDR implementation using radix * */ @@ -315,7 +315,7 @@ static int bdel(const void *key, void *base, size_t nmemb, size_t size, #define OFF_LEN_INET (8 * offsetof(struct sockaddr_in, sin_addr)) #define OFF_LEN_INET6 (8 * offsetof(struct sa_in6, sin6_addr)) -struct radix_cidr_entry { +struct radix_addr_entry { struct radix_node rn[2]; struct sockaddr_in addr; uint32_t value; 
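Review bot: The updated example in find_table_algo's comment, `'addr:chash hsize=32'`, names an algorithm that is not registered anywhere in this diff: the addr-type algorithms are `addr:radix`, `addr:hash` and `addr:kfib`, and addr:hash's documented option string is `masks=/v4,/v6`, not `hsize`. An example that can never match the first-word comparison the comment describes misleads more than it helps. Use a real spelling, e.g. `'addr:hash masks=/24,/64'` with the underline left as `'^^^^^^^^^'` (nine carets still cover `addr:hash`). find_table_algo's body continues outside the hunk.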
@@ -329,7 +329,7 @@ struct sa_in6 { struct in6_addr sin6_addr; }; -struct radix_cidr_xentry { +struct radix_addr_xentry { struct radix_node rn[2]; struct sa_in6 addr6; uint32_t value; @@ -343,7 +343,7 @@ struct radix_cfg { size_t count6; }; -struct ta_buf_cidr +struct ta_buf_radix { void *ent_ptr; struct sockaddr *addr_ptr; @@ -367,23 +367,23 @@ ta_lookup_radix(struct table_info *ti, void *key, uint32_t keylen, struct radix_node_head *rnh; if (keylen == sizeof(in_addr_t)) { - struct radix_cidr_entry *ent; + struct radix_addr_entry *ent; struct sockaddr_in sa; KEY_LEN(sa) = KEY_LEN_INET; sa.sin_addr.s_addr = *((in_addr_t *)key); rnh = (struct radix_node_head *)ti->state; - ent = (struct radix_cidr_entry *)(rnh->rnh_matchaddr(&sa, rnh)); + ent = (struct radix_addr_entry *)(rnh->rnh_matchaddr(&sa, rnh)); if (ent != NULL) { *val = ent->value; return (1); } } else { - struct radix_cidr_xentry *xent; + struct radix_addr_xentry *xent; struct sa_in6 sa6; KEY_LEN(sa6) = KEY_LEN_INET6; memcpy(&sa6.sin6_addr, key, sizeof(struct in6_addr)); rnh = (struct radix_node_head *)ti->xstate; - xent = (struct radix_cidr_xentry *)(rnh->rnh_matchaddr(&sa6, rnh)); + xent = (struct radix_addr_xentry *)(rnh->rnh_matchaddr(&sa6, rnh)); if (xent != NULL) { *val = xent->value; return (1); @@ -421,9 +421,9 @@ static int flush_radix_entry(struct radix_node *rn, void *arg) { struct radix_node_head * const rnh = arg; - struct radix_cidr_entry *ent; + struct radix_addr_entry *ent; - ent = (struct radix_cidr_entry *) + ent = (struct radix_addr_entry *) rnh->rnh_deladdr(rn->rn_key, rn->rn_mask, rnh); if (ent != NULL) free(ent, M_IPFW_TBL); 
@@ -462,20 +462,20 @@ ta_dump_radix_tinfo(void *ta_state, struct table_info *ti, ipfw_ta_tinfo *tinfo) tinfo->flags = IPFW_TATFLAGS_AFDATA | IPFW_TATFLAGS_AFITEM; tinfo->taclass4 = IPFW_TACLASS_RADIX; tinfo->count4 = cfg->count4; - tinfo->itemsize4 = sizeof(struct radix_cidr_entry); + tinfo->itemsize4 = sizeof(struct radix_addr_entry); tinfo->taclass6 = IPFW_TACLASS_RADIX; tinfo->count6 = cfg->count6; - tinfo->itemsize6 = sizeof(struct radix_cidr_xentry); + tinfo->itemsize6 = sizeof(struct radix_addr_xentry); } static int ta_dump_radix_tentry(void *ta_state, struct table_info *ti, void *e, ipfw_obj_tentry *tent) { - struct radix_cidr_entry *n; - struct radix_cidr_xentry *xn; + struct radix_addr_entry *n; + struct radix_addr_xentry *xn; - n = (struct radix_cidr_entry *)e; + n = (struct radix_addr_entry *)e; /* Guess IPv4/IPv6 radix by sockaddr family */ if (n->addr.sin_family == AF_INET) { @@ -485,7 +485,7 @@ ta_dump_radix_tentry(void *ta_state, struct table_info *ti, void *e, tent->value = n->value; #ifdef INET6 } else { - xn = (struct radix_cidr_xentry *)e; + xn = (struct radix_addr_xentry *)e; memcpy(&tent->k, &xn->addr6.sin6_addr, sizeof(struct in6_addr)); tent->masklen = xn->masklen; tent->subtype = AF_INET6; @@ -604,13 +604,13 @@ static int ta_prepare_add_radix(struct ip_fw_chain *ch, struct tentry_info *tei, void *ta_buf) { - struct ta_buf_cidr *tb; - struct radix_cidr_entry *ent; - struct radix_cidr_xentry *xent; + struct ta_buf_radix *tb; + struct radix_addr_entry *ent; + struct radix_addr_xentry *xent; struct sockaddr *addr, *mask; int mlen, set_mask; - tb = (struct ta_buf_cidr *)ta_buf; + tb = (struct ta_buf_radix *)ta_buf; mlen = tei->masklen; set_mask = 0; 
@@ -661,11 +661,11 @@ ta_add_radix(void *ta_state, struct table_info *ti, struct tentry_info *tei, struct radix_cfg *cfg; struct radix_node_head *rnh; struct radix_node *rn; - struct ta_buf_cidr *tb; + struct ta_buf_radix *tb; uint32_t *old_value, value; cfg = (struct radix_cfg *)ta_state; - tb = (struct ta_buf_cidr *)ta_buf; + tb = (struct ta_buf_radix *)ta_buf; if (tei->subtype == AF_INET) rnh = ti->state; @@ -679,9 +679,9 @@ ta_add_radix(void *ta_state, struct table_info *ti, struct tentry_info *tei, return (EEXIST); /* Record already exists. Update value if we're asked to */ if (tei->subtype == AF_INET) - old_value = &((struct radix_cidr_entry *)rn)->value; + old_value = &((struct radix_addr_entry *)rn)->value; else - old_value = &((struct radix_cidr_xentry *)rn)->value; + old_value = &((struct radix_addr_xentry *)rn)->value; value = *old_value; *old_value = tei->value; @@ -717,11 +717,11 @@ static int ta_prepare_del_radix(struct ip_fw_chain *ch, struct tentry_info *tei, void *ta_buf) { - struct ta_buf_cidr *tb; + struct ta_buf_radix *tb; struct sockaddr *addr, *mask; int mlen, set_mask; - tb = (struct ta_buf_cidr *)ta_buf; + tb = (struct ta_buf_radix *)ta_buf; mlen = tei->masklen; set_mask = 0; @@ -758,10 +758,10 @@ ta_del_radix(void *ta_state, struct table_info *ti, struct tentry_info *tei, struct radix_cfg *cfg; struct radix_node_head *rnh; struct radix_node *rn; - struct ta_buf_cidr *tb; + struct ta_buf_radix *tb; cfg = (struct radix_cfg *)ta_state; - tb = (struct ta_buf_cidr *)ta_buf; + tb = (struct ta_buf_radix *)ta_buf; if (tei->subtype == AF_INET) rnh = ti->state; 
@@ -775,9 +775,9 @@ ta_del_radix(void *ta_state, struct table_info *ti, struct tentry_info *tei, /* Save entry value to @tei */ if (tei->subtype == AF_INET) - tei->value = ((struct radix_cidr_entry *)rn)->value; + tei->value = ((struct radix_addr_entry *)rn)->value; else - tei->value = ((struct radix_cidr_xentry *)rn)->value; + tei->value = ((struct radix_addr_xentry *)rn)->value; tb->ent_ptr = rn; @@ -794,9 +794,9 @@ static void ta_flush_radix_entry(struct ip_fw_chain *ch, struct tentry_info *tei, void *ta_buf) { - struct ta_buf_cidr *tb; + struct ta_buf_radix *tb; - tb = (struct ta_buf_cidr *)ta_buf; + tb = (struct ta_buf_radix *)ta_buf; if (tb->ent_ptr != NULL) free(tb->ent_ptr, M_IPFW_TBL); @@ -816,11 +816,11 @@ ta_need_modify_radix(void *ta_state, struct table_info *ti, uint32_t count, return (0); } -struct table_algo cidr_radix = { - .name = "cidr:radix", - .type = IPFW_TABLE_CIDR, +struct table_algo addr_radix = { + .name = "addr:radix", + .type = IPFW_TABLE_ADDR, .flags = TA_FLAG_DEFAULT, - .ta_buf_size = sizeof(struct ta_buf_cidr), + .ta_buf_size = sizeof(struct ta_buf_radix), .init = ta_init_radix, .destroy = ta_destroy_radix, .prepare_add = ta_prepare_add_radix, @@ -837,7 +837,7 @@ struct table_algo cidr_radix = { /* - * cidr:hash cmds + * addr:hash cmds * * * ti->data: @@ -1124,10 +1124,10 @@ ta_print_chash_config(void *ta_state, struct table_info *ti, char *buf, cfg = (struct chash_cfg *)ta_state; if (cfg->mask4 != 32 || cfg->mask6 != 128) - snprintf(buf, bufsize, "%s masks=/%d,/%d", "cidr:hash", + snprintf(buf, bufsize, "%s masks=/%d,/%d", "addr:hash", cfg->mask4, cfg->mask6); else - snprintf(buf, bufsize, "%s", "cidr:hash"); + snprintf(buf, bufsize, "%s", "addr:hash"); } static int 
@@ -1145,7 +1145,7 @@ log2(uint32_t v) /* * New table. * We assume 'data' to be either NULL or the following format: - * 'cidr:hash [masks=/32[,/128]]' + * 'addr:hash [masks=/32[,/128]]' */ static int ta_init_chash(struct ip_fw_chain *ch, void **ta_state, struct table_info *ti, @@ -1728,9 +1728,9 @@ ta_flush_mod_chash(void *ta_buf) free(mi->main_ptr6, M_IPFW); } -struct table_algo cidr_hash = { - .name = "cidr:hash", - .type = IPFW_TABLE_CIDR, +struct table_algo addr_hash = { + .name = "addr:hash", + .type = IPFW_TABLE_ADDR, .ta_buf_size = sizeof(struct ta_buf_chash), .init = ta_init_chash, .destroy = ta_destroy_chash, @@ -3605,9 +3605,9 @@ ta_print_kfib_config(void *ta_state, struct table_info *ti, char *buf, { if (ti->data != 0) - snprintf(buf, bufsize, "%s fib=%lu", "cidr:kfib", ti->data); + snprintf(buf, bufsize, "%s fib=%lu", "addr:kfib", ti->data); else - snprintf(buf, bufsize, "%s", "cidr:kfib"); + snprintf(buf, bufsize, "%s", "addr:kfib"); } static int @@ -3763,9 +3763,9 @@ ta_foreach_kfib(void *ta_state, struct table_info *ti, ta_foreach_f *f, } } -struct table_algo cidr_kfib = { - .name = "cidr:kfib", - .type = IPFW_TABLE_CIDR, +struct table_algo addr_kfib = { + .name = "addr:kfib", + .type = IPFW_TABLE_ADDR, .flags = TA_FLAG_READONLY, .ta_buf_size = 0, .init = ta_init_kfib, 
@@ -3786,24 +3786,24 @@ ipfw_table_algo_init(struct ip_fw_chain *ch) * Register all algorithms presented here. */ sz = sizeof(struct table_algo); - ipfw_add_table_algo(ch, &cidr_radix, sz, &cidr_radix.idx); - ipfw_add_table_algo(ch, &cidr_hash, sz, &cidr_hash.idx); + ipfw_add_table_algo(ch, &addr_radix, sz, &addr_radix.idx); + ipfw_add_table_algo(ch, &addr_hash, sz, &addr_hash.idx); ipfw_add_table_algo(ch, &iface_idx, sz, &iface_idx.idx); ipfw_add_table_algo(ch, &number_array, sz, &number_array.idx); ipfw_add_table_algo(ch, &flow_hash, sz, &flow_hash.idx); - ipfw_add_table_algo(ch, &cidr_kfib, sz, &cidr_kfib.idx); + ipfw_add_table_algo(ch, &addr_kfib, sz, &addr_kfib.idx); } void ipfw_table_algo_destroy(struct ip_fw_chain *ch) { - ipfw_del_table_algo(ch, cidr_radix.idx); - ipfw_del_table_algo(ch, cidr_hash.idx); + ipfw_del_table_algo(ch, addr_radix.idx); + ipfw_del_table_algo(ch, addr_hash.idx); ipfw_del_table_algo(ch, iface_idx.idx); ipfw_del_table_algo(ch, number_array.idx); ipfw_del_table_algo(ch, flow_hash.idx); - ipfw_del_table_algo(ch, cidr_kfib.idx); + ipfw_del_table_algo(ch, addr_kfib.idx); } |
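Review bot: ipfw_table_algo_init registers `addr:kfib` (flagged TA_FLAG_READONLY, with a `fib=` option per ta_print_kfib_config earlier in this diff), but the algo-name list this commit rewrites in ipfw.8 names only addr:radix, addr:hash, iface:arrray, number:array and flow:hash, so the kfib lookup stays undocumented and the `arrray` typo survives the rewrite. Since the rename already touches those lines, add `addr:kfib` to the `algo-name` line and a short `.It Cm addr:kfib` entry describing it as a read-only algorithm over a kernel FIB selected with `fib=N` (presumably the routing table; confirm against ta_init_kfib). Separately, every ipfw_add_table_algo() result is discarded here; if the function can report failure (not visible in this hunk), a failed registration should at least be logged so a missing algorithm is diagnosable.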