path: root/sbin/ipfw/tables.c
Commit message  [Author, Age, Files, Lines]
* Merge remote-tracking branch 'origin/stable/11' into devel-11  [Luiz Souza, 2017-12-14, 1 file, -0/+2]
* MFC r324592:  [ae, 2017-10-20, 1 file, -0/+2]
  Return 'errno' value from the table_do_modify_record(), as it is expected by table_modify_record(). This makes quiet operations with tables really quiet.
  PR: 222953
* Add support for the classic pfSense 'mixed' tables.  [Luiz Souza, 2017-07-20, 1 file, -2/+16]
  The mixed tables are used to match against the IP[4|6] and the MAC address of the peer.
* Merge remote-tracking branch 'origin/stable/11' into devel-11  [Luiz Souza, 2017-07-17, 1 file, -10/+6]
* MFC r318400:  [ae, 2017-05-24, 1 file, -10/+6]
  Allow zero port specification in table entries with type flow.
  PR: 217620
* Add the timestamp of the last match, packet and byte counters to table entries with a new ipfw table command to zero the counters.  [Luiz Souza, 2017-07-15, 1 file, -5/+67]
  Each table type implementation needs to be modified to add support for this feature, and the FIB backend is the only one that was not modified (because the backend does not have any local storage).
  (cherry picked from commit 3b06c382c8a2e04b7a64291bfb6b0ca0e5dd8dca)
* Use ',' to separate MAC address pair items. IPFW is already designed to deal with it.  [Renato Botelho, 2017-07-14, 1 file, -1/+1]
  (cherry picked from commit 0d3cbb5e2bf083c4bb6ffdcfb53cedd5e15e2171)
* Remove unnecessary assignment.  [Luiz Otavio O Souza, 2017-07-14, 1 file, -1/+0]
  No functional change.
  (cherry picked from commit 1e13e38a63405244521a942302c003054506cc4d)
* Add ipfw support to MAC address tables.  [Luiz Otavio O Souza, 2017-07-14, 1 file, -0/+48]
  The l2 filter implementation on ipfw works with MAC address pairs as it happens on wire (first destination and then source). The table entries work in the same way, but the MAC address pair has to be passed in a single argument:

    $ ipfw table create l2 type mac
    $ ipfw table add "00:01:02:03:04:05 0a:0b:0c:0d:0e:0f"
    added: 00:01:02:03:04:05 0a:0b:0c:0d:0e:0f 0
    $ ipfw table add "00:01:02:03:04:05 any"
    added: 00:01:02:03:04:05 any 0
    $ ipfw table l2 add "any 0a:0b:0c:0d:0e:0f"
    added: any 0a:0b:0c:0d:0e:0f 0

  The MAC tables can also hold an optional value used to implement additional features (skipto, fib, pipe, tag, nat, ...).

    $ ipfw table l2 add "00:01:02:03:04:05 0a:0b:0c:0d:0e:ff" 1234
    added: 00:01:02:03:04:05 0a:0b:0c:0d:0e:ff 1234
    $ ipfw table l2 list
    --- table(l2), set(0) ---
    00:01:02:03:04:05 0a:0b:0c:0d:0e:0f 0
    any 0a:0b:0c:0d:0e:0f 0
    00:01:02:03:04:05 any 0
    00:01:02:03:04:05 0a:0b:0c:0d:0e:ff 1234

  Rule example:

    $ ipfw add pass MAC 1:2:3:4:5:6 2:3:4:5:6:7 via igb0
    00100 allow ip from any to any MAC 01:02:03:04:05:06 02:03:04:05:06:07 via igb0
    $ ipfw add pass MAC table\(l2\) via igb0
    00000 allow ip from any to any MAC table(l2) via igb0
    $ ipfw list
    00100 allow ip from any to any MAC 01:02:03:04:05:06 02:03:04:05:06:07 via igb0
    00200 allow ip from any to any MAC table(l2) via igb0
    00300 allow ip from any to any
    65535 deny ip from any to any

  (cherry picked from commit 1fc9408b335ef6e8863019212c12a4bc99ed8e75)
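The entry semantics this commit describes (a destination/source pair in wire order, "any" as a wildcard on either side, an optional numeric value) can be modelled in user space. The block below is an added example, not code from the pfSense/FreeBSD ipfw tree: it parses entries in the single-argument form, accepts both the space separator shown here and the ',' separator that the later commit in this log switches to, and resolves a frame against the table. The fixed-array storage, the most-specific-match precedence between wildcard and exact entries, and the names `mac_table_add`, `mac_table_lookup` and `demo_lookup` are assumptions made for illustration; the kernel's own table algorithms and precedence are not documented on this page.

```c
/*
 * Added example, not code from the pfSense/FreeBSD ipfw tree: a user-space
 * model of the "type mac" table entries described above.  An entry is a
 * "DST SRC" pair in wire order plus an optional value; either side may be the
 * wildcard "any".  Both ' ' and ',' are accepted as the pair separator.  The
 * fixed-array storage, the most-specific-match rule and all function names
 * are assumptions made for illustration only.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAC_LEN     6
#define MAX_ENTRIES 16
#define NOT_FOUND   UINT32_MAX

struct mac_pair {
    uint8_t  dst[MAC_LEN], src[MAC_LEN];
    int      dst_any, src_any;          /* 1 when that side is "any" */
    uint32_t value;                     /* optional table value, 0 if omitted */
};

struct mac_table {
    struct mac_pair ent[MAX_ENTRIES];
    int n;
};

/* Parse "aa:bb:cc:dd:ee:ff" (1-2 hex digits per byte, so 1:2:3:4:5:6 works) or "any". */
static int parse_mac(const char *s, uint8_t out[MAC_LEN], int *any)
{
    char *end;
    if (strcmp(s, "any") == 0) {
        memset(out, 0, MAC_LEN);
        *any = 1; return 0;
    }
    *any = 0;
    for (int i = 0; i < MAC_LEN; i++) {
        if (!isxdigit((unsigned char)*s)) return -1;
        long v = strtol(s, &end, 16);
        if (v > 255 || end - s > 2) return -1;
        out[i] = (uint8_t)v;
        if (*end != (i < MAC_LEN - 1 ? ':' : '\0')) return -1;
        s = end + 1;
    }
    return 0;
}

/* Add an entry given as one "DST SRC" (or "DST,SRC") argument; -1 on error. */
int mac_table_add(struct mac_table *t, const char *pair, uint32_t value)
{
    char buf[64], *sep;
    struct mac_pair *e;
    if (t->n >= MAX_ENTRIES || strlen(pair) >= sizeof(buf)) return -1;
    strcpy(buf, pair);
    if ((sep = strpbrk(buf, " ,")) == NULL) return -1;
    *sep = '\0';
    e = &t->ent[t->n];
    if (parse_mac(buf, e->dst, &e->dst_any) || parse_mac(sep + 1, e->src, &e->src_any))
        return -1;
    e->value = value;
    t->n++;
    return 0;
}

/* Match a frame's (dst, src) in wire order; the entry with the most exact
 * (non-"any") sides wins.  Returns its value or NOT_FOUND. */
uint32_t mac_table_lookup(const struct mac_table *t, const uint8_t dst[MAC_LEN], const uint8_t src[MAC_LEN])
{
    int best = -1;
    uint32_t val = NOT_FOUND;
    for (int i = 0; i < t->n; i++) {
        const struct mac_pair *e = &t->ent[i];
        int score = !e->dst_any + !e->src_any;
        if (score > best &&
            (e->dst_any || memcmp(e->dst, dst, MAC_LEN) == 0) &&
            (e->src_any || memcmp(e->src, src, MAC_LEN) == 0)) {
            best = score;
            val = e->value;
        }
    }
    return val;
}

/* Build the table from the commit's examples and look up one pair given as
 * strings; NOT_FOUND for no match, unparsable input or a wildcard in the query. */
uint32_t demo_lookup(const char *dst_s, const char *src_s)
{
    struct mac_table t = { .n = 0 };
    uint8_t dst[MAC_LEN], src[MAC_LEN];
    int dany, sany;
    mac_table_add(&t, "00:01:02:03:04:05 0a:0b:0c:0d:0e:0f", 0);
    mac_table_add(&t, "00:01:02:03:04:05 any", 0);
    mac_table_add(&t, "any,0a:0b:0c:0d:0e:0f", 0);
    mac_table_add(&t, "00:01:02:03:04:05 0a:0b:0c:0d:0e:ff", 1234);
    if (parse_mac(dst_s, dst, &dany) || parse_mac(src_s, src, &sany) || dany || sany)
        return NOT_FOUND;
    return mac_table_lookup(&t, dst, src);
}
```

The lookup argument order matters: the table stores destination first, so a rule that should match replies from a host needs a separate entry with the addresses swapped, exactly as the `MAC dst src` rule syntax in the commit does.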
* MFC r317666:  [ae, 2017-05-10, 1 file, -5/+6]
  Add sets support for ipfw table info/list/flush commands.
  PR: 212668
* MFC r317682:  [ae, 2017-05-10, 1 file, -8/+34]
  Add `ipfw table all destroy` support.
  PR: 212669
* MFC r304041:  [ae, 2017-04-03, 1 file, -5/+3]
  Move logging via BPF support into separate file.
  * make interface cloner VNET-aware;
  * simplify cloner code and use if_clone_simple();
  * migrate LOGIF_LOCK() to rmlock;
  * add ipfw_bpf_mtap2() function to pass mbuf to BPF;
  * introduce new additional ipfwlog0 pseudo interface. It differs from ipfw0 by DLT type used in bpfattach. This interface is intended to be used by ipfw modules to dump packets with additional info attached. Currently pflog format is used.
  ipfw_bpf_mtap2() function uses second argument to determine which interface to use for dumping. If dlen is equal to ETHER_HDR_LEN it uses old ipfw0 interface, if dlen is equal to PFLOG_HDRLEN - ipfwlog0 will be used.
  Obtained from: Yandex LLC
  Sponsored by: Yandex LLC

  MFC r304043:
  Add three helper functions to manage tables from external modules. ipfw_objhash_lookup_table_kidx looks up the kernel index of a table; ipfw_ref_table/ipfw_unref_table take and release a reference to a table.
  Obtained from: Yandex LLC
  Sponsored by: Yandex LLC

  MFC r304046, 304108:
  Add ipfw_nat64 module that implements stateless and stateful NAT64. The module works together with ipfw(4) and is implemented as its external action module.

  Stateless NAT64 registers external action with name nat64stl. This keyword should be used to create NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation. A configuration of instance should look like this:
  1. Create lookup tables:
       # ipfw table T46 create type addr valtype ipv6
       # ipfw table T64 create type addr valtype ipv4
  2. Fill T46 and T64 tables.
  3. Add rule to allow neighbor solicitation and advertisement:
       # ipfw add allow icmp6 from any to any icmp6types 135,136
  4. Create NAT64 instance:
       # ipfw nat64stl NAT create table4 T46 table6 T64
  5. Add rules that match the traffic:
       # ipfw add nat64stl NAT ip from any to table(T46)
       # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
  6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.

  Stateful NAT64 registers external action with name nat64lsn. The only option required to create nat64lsn instance - prefix4. It defines the pool of IPv4 addresses used for translation. A configuration of instance should look like this:
  1. Add rule to allow neighbor solicitation and advertisement:
       # ipfw add allow icmp6 from any to any icmp6types 135,136
  2. Create NAT64 instance:
       # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
  3. Add rules that match the traffic:
       # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
       # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
  4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.
  Obtained from: Yandex LLC
  Relnotes: yes
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D6434

  MFC r304048: Replace __noinline with special debug macro NAT64NOINLINE.
  MFC r304061: Use %ju to print unsigned 64-bit value.
  MFC r304076: Make statistics nat64lsn, nat64stl and nptv6 output netstat-like: "@value @description" and fix build due to -Wformat errors.
  MFC r304378 (by bz): Try to fix gcc compilation errors (which are right). nat64_getlasthdr() returns an int, which can be -1 in case of error; storing the result in an uint8_t and then comparing to < 0 is not helpful. Do what is done in the rest of the code and make proto an int here as well.
  MFC r309187: Fix ICMPv6 Time Exceeded error message translation.
  MFC r314718: Use new ipfw_lookup_table() in the nat64 too.
  MFC r315204,315233: Use memset with structure size.
* MFC r303615:  [ae, 2016-08-04, 1 file, -5/+17]
  An old tables implementation had all tables preallocated, so when the user did `ipfw table N flush` it always worked, but now when table N doesn't exist the kernel returns ESRCH error. This isn't a fatal error for flush and destroy commands. Do not call err(3) when errno is equal to ESRCH. Also warn only when quiet mode isn't enabled. This fixes a regression in behavior when old rules are loaded from file.
  Also use correct value for switch in the table_swap().
  Reported by: Kevin Oberman
  Approved by: re (kib)
* Hide warning about non-existent lookup tables and informational messages about modified table entry when quiet mode is enabled.  [ae, 2016-07-02, 1 file, -5/+4]
  Approved by: re (hrs)
  Obtained from: Yandex LLC
* Add External Actions KPI to ipfw(9).  [ae, 2016-04-14, 1 file, -33/+6]
  It allows implementing loadable kernel modules with new actions and without needing to modify kernel headers and ipfw(8). The module registers its action handler and keyword string, that will be used as action name. Using generic syntax user can add rules with this action. Also ipfw(8) can be easily modified to extend basic syntax for external actions that become a part of the base system. Sample modules will be coming soon.
  Obtained from: Yandex LLC
  Sponsored by: Yandex LLC
* Fix a ton of speelling errors  [eadler, 2015-10-21, 1 file, -5/+5]
  arc lint is helpful
  Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
  Differential Revision: https://reviews.freebsd.org/D3337
* Code cleanup unused-but-set-variable spotted by gcc.  [araujo, 2015-08-25, 1 file, -7/+1]
  Reviewed by: melifaro
  Approved by: bapt (mentor)
  Differential Revision: D3473
* sbin/ipfw fix typo: info -> into  [feld, 2015-08-10, 1 file, -1/+1]
  example:
    DEPRECATED: inserting data into non-existent table sshguard. (auto-created)
  Approved by: bdrewery
* Bring back support for checking tables via "ipfw -n".  [melifaro, 2015-05-19, 1 file, -18/+80]
  Currently we have different table key types which can easily interfere with each other (numbers and IPv4 address, interface names and hostnames, flows and hostnames/addresses). These conflicts are solved by [auto-]creating _typed_ tables, so after a table is created, only keys of the given type can be inserted into that table. ipfw(8) consults with the kernel about the key/value type for a particular table so it knows the key/value interpretation.
  However, we have 2 cases (adding entries to a non-existing table and parsing a configuration file via `ipfw -n`) when the kernel is unable to provide the table info we need. Fix the latter case by partially importing the old `table_fill_xentry()` parse function responsible for guessing the key type.
  Sponsored by: Yandex LLC
* Correctly print valtype for empty bitmask.  [melifaro, 2015-05-06, 1 file, -0/+1]
* Generalize object reference handling in ipfw rules.  [melifaro, 2015-04-26, 1 file, -67/+0]
  No ABI changes.
* Fix `ipfw fwd tablearg'. Use dedicated field nh4 in struct table_value to obtain IPv4 next hop address in tablearg case.  [ae, 2015-03-13, 1 file, -8/+29]
  Add `fwd tablearg' support for IPv6. ipfw(8) uses INADDR_ANY as next hop address in O_FORWARD_IP opcode for specifying tablearg case. For IPv6 we still use this opcode, but when a packet is identified as an IPv6 packet, we obtain the next hop address from the dedicated field nh6 in struct table_value.
  Replace hopstore field in struct ip_fw_args with anonymous union and add hopstore6 field. Use this field to copy tablearg value for IPv6.
  Replace spare1 field in struct table_value with zoneid. Use it to keep scope zone id for link-local IPv6 addresses. Since spare1 was used internally, replace spare0 array with two variables spare0 and spare1.
  Use getaddrinfo(3)/getnameinfo(3) functions for parsing and formatting IPv6 addresses in table_value. Use zoneid field in struct table_value to store sin6_scope_id value. Since the kernel still uses embedded scope zone id to represent link-local addresses, convert next_hop6 address into this form before returning from pfil processing. This also fixes in6_localip() check for link-local addresses.
  Differential Revision: https://reviews.freebsd.org/D2015
  Obtained from: Yandex LLC
  Sponsored by: Yandex LLC
* * Fix table sets handling.  [melifaro, 2014-10-17, 1 file, -1/+1]
  * Simplify formatting.
  Suggested by: luigi
* Partially fix build on !amd64  [melifaro, 2014-10-10, 1 file, -2/+2]
  Pointed by: bz
* * Fix use-after-free in table printing code.  [melifaro, 2014-10-09, 1 file, -5/+6]
  * Fix showing human-readable error in table cmds code.
* Fix GCC warnings.  [melifaro, 2014-10-04, 1 file, -3/+4]
* Change copyrights to the proper one.  [melifaro, 2014-09-05, 1 file, -7/+3]
* Use per-function errno handling instead of global one.  [melifaro, 2014-09-05, 1 file, -30/+22]
  Requested by: luigi
* Add support for multi-field values inside ipfw tables.  [melifaro, 2014-08-31, 1 file, -125/+365]
  This is the last major change in given branch.
  Kernel changes:
  * Use 64-bytes structures to hold multi-value variables.
  * Use shared array to hold values from all tables (assume each table algo is capable of holding 32-byte variables).
  * Add some placeholders to support per-table value arrays in future.
  * Use simple eventhandler-style API to ease the process of adding new table items. Currently table addition may require multiple UH drops/acquires which is quite tricky due to atomic table modification/swap support, shared array resize, etc. Deal with it by calling special notifier capable of rolling back state before actually performing swap/resize operations. Original operation then restarts itself after acquiring UH lock.
  * Bump all objhash users default values to at least 64
  * Fix custom hashing inside objhash.
  Userland changes:
  * Add support for dumping shared value array via "vlist" internal cmd.
  * Some small print/fill_flags fixes to support u32 values.
  * valtype is now bitmask of <skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>. New values can hold distinct values for each of this types.
  * Provide special "legacy" type which assumes all values are the same.
  * More helpers/docs following..
  Some examples:
    3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
    3:41 [1] zfscurr0# ipfw table mimimi info
    +++ table(mimimi), set(0) +++
    kindex: 2, type: addr
    references: 0, valtype: skipto,limit,ipv4,ipv6
    algorithm: addr:radix
    items: 0, size: 296
    3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
    added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
    3:42 [1] zfscurr0# ipfw table mimimi list
    +++ table(mimimi), set(0) +++
    10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1
* Make room for multi-type values in struct tentry.  [melifaro, 2014-08-15, 1 file, -4/+4]
* Replace "cidr" table type with "addr" type.  [melifaro, 2014-08-14, 1 file, -9/+8]
  Suggested by: luigi
* * Document internal commands.  [melifaro, 2014-08-14, 1 file, -4/+6]
  * Do not require/set default table type if algo name is specified.
  * Add TA_FLAG_READONLY option for algorithms.
* * Do not crash on incorrect "flow" type inputs.  [melifaro, 2014-08-13, 1 file, -5/+16]
  * Do not auto-create tables for operations other than add.
* * Update table_handler cmd list  [melifaro, 2014-08-12, 1 file, -16/+25]
  * Implement partial cmd matching inside table handler.
* * Add the ability to lock/unlock given table from changes.  [melifaro, 2014-08-11, 1 file, -5/+37]
  Example:
    # ipfw table si lock
    # ipfw table si info
    +++ table(si), set(0) +++
    kindex: 0, type: cidr, locked
    valtype: number, references: 0
    algorithm: cidr:radix
    items: 0, size: 288
    # ipfw table si add 4.5.6.7
    ignored: 4.5.6.7/32 0
    ipfw: Adding record failed: table is locked
    # ipfw table si unlock
    # ipfw table si add 4.5.6.7
    added: 4.5.6.7/32 0
    # ipfw table si lock
    # ipfw table si delete 4.5.6.7
    ignored: 4.5.6.7/32 0
    ipfw: Deleting record failed: table is locked
    # ipfw table si unlock
    # ipfw table si delete 4.5.6.7
    deleted: 4.5.6.7/32 0
* * Add support for batched add/delete for ipfw tables  [melifaro, 2014-08-11, 1 file, -43/+183]
  * Add support for atomic batches add (all or none).
  * Fix panic on deleting non-existing entry in radix algo.
  Examples:
    # si is empty
    # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
    added: 1.1.1.1/32 1111
    added: 2.2.2.2/32 2222
    # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
    exists: 2.2.2.2/32 2200
    added: 4.4.4.4/32 4444
    ipfw: Adding record failed: record already exists
    ^^^^^ Returns error but keeps inserted items
    # ipfw table si list
    +++ table(si), set(0) +++
    1.1.1.1/32 1111
    2.2.2.2/32 2222
    4.4.4.4/32 4444
    # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
    added(reverted): 3.3.3.3/32 3333
    exists: 4.4.4.4/32 4400
    ignored: 5.5.5.5/32 5555
    ipfw: Adding record failed: record already exists
    ^^^^^ Returns error and reverts added records
    # ipfw table si list
    +++ table(si), set(0) +++
    1.1.1.1/32 1111
    2.2.2.2/32 2222
    4.4.4.4/32 4444
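The two batch modes shown above differ in what a failed batch leaves behind, which matters for any script that loads a table and treats a non-zero exit as "nothing was applied". The block below is an added example, not ipfw's own code: it models the per-entry statuses from the commit (added, exists, ignored, added(reverted)) and runs the commit's three-entry batch against a table that already holds 1.1.1.1, 2.2.2.2 and 4.4.4.4, once without and once with atomic semantics. Keys are kept as opaque strings; the table layout, the tail-pop rollback and the names `table_add_batch`, `demo_batch_status` and `demo_batch_size` are assumptions for illustration.

```c
/*
 * Added example, not code from the ipfw tree: a model of the batched and
 * atomic add semantics shown in the commit above.  Keys are opaque strings in
 * a small array and status names follow the commit's output.  The table
 * layout, the rollback logic and all function names are assumptions for
 * illustration only.
 */
#include <string.h>

#define MAX_ITEMS 16
#define KEY_LEN   32

enum status { ST_ADDED, ST_EXISTS, ST_IGNORED, ST_ADDED_REVERTED, ST_FAILED };
static const char *const status_name[] =
    { "added", "exists", "ignored", "added(reverted)", "failed" };

struct table {
    char     key[MAX_ITEMS][KEY_LEN];
    unsigned value[MAX_ITEMS];
    int      n;                 /* entries are appended in insertion order */
};

static int table_find(const struct table *t, const char *key)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->key[i], key) == 0) return i;
    return -1;
}

/* Insert one key at the end; duplicates and a full table are errors. */
static enum status table_add_one(struct table *t, const char *key, unsigned value)
{
    if (table_find(t, key) >= 0) return ST_EXISTS;
    if (t->n >= MAX_ITEMS || strlen(key) >= KEY_LEN) return ST_FAILED;
    strcpy(t->key[t->n], key);
    t->value[t->n++] = value;
    return ST_ADDED;
}

/* Add keys[0..n) in order, recording a status per entry.  Non-atomic mode tries
 * every entry and keeps whatever was inserted; atomic mode stops at the first
 * failure, removes the entries this batch had added and marks the rest ignored.
 * Returns 0 if every entry was added, -1 otherwise (like the ipfw error). */
int table_add_batch(struct table *t, int atomic, const char *const keys[],
                    const unsigned values[], int n, enum status st[])
{
    int rc = 0;

    for (int i = 0; i < n; i++) {
        st[i] = table_add_one(t, keys[i], values[i]);
        if (st[i] == ST_ADDED) continue;
        rc = -1;
        if (!atomic) continue;
        /* Entries 0..i-1 all succeeded and sit at the tail, so popping
         * i entries is a complete rollback of this batch. */
        t->n -= i;
        for (int j = 0; j < i; j++) st[j] = ST_ADDED_REVERTED;
        for (int j = i + 1; j < n; j++) st[j] = ST_IGNORED;
        break;
    }
    return rc;
}

/* The commit's atomic scenario, run in the requested mode: the table holds
 * 1.1.1.1, 2.2.2.2 and 4.4.4.4; the batch adds 3.3.3.3, 4.4.4.4 (a duplicate)
 * and 5.5.5.5. */
static void run_demo(int atomic, struct table *t, enum status st[3])
{
    static const char *const keys[] = { "3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32" };
    static const unsigned vals[] = { 3333, 4400, 5555 };

    memset(t, 0, sizeof *t);
    table_add_one(t, "1.1.1.1/32", 1111);
    table_add_one(t, "2.2.2.2/32", 2222);
    table_add_one(t, "4.4.4.4/32", 4444);
    table_add_batch(t, atomic, keys, vals, 3, st);
}

/* Status name of batch entry i (0..2) after the demo in the given mode. */
const char *demo_batch_status(int atomic, int i)
{
    struct table t; enum status st[3];
    run_demo(atomic, &t, st);
    return status_name[st[i]];
}

/* Number of table entries after the demo in the given mode. */
int demo_batch_size(int atomic)
{
    struct table t; enum status st[3];
    run_demo(atomic, &t, st);
    return t.n;
}
```

In the non-atomic run the batch returns an error yet the table grows by two entries, so a loader that retries the whole batch on error will hit "exists" on those and must be prepared to treat that as success; the atomic run leaves the table exactly as it was, which is the behaviour to prefer when a ruleset is regenerated from a file.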
* Kernel changes: fix buffer calculation for table dumps; fix IPv6 radix entries addition broken in r269371.  [melifaro, 2014-08-08, 1 file, -14/+23]
  Kernel changes:
  * Fix buffer calculation for table dumps
  * Fix IPv6 radix entries addition broken in r269371.
  Userland changes:
  * Fix bug in retrieving static ruleset
  * Fix several bugs in retrieving table list
* * Add IP_FW_TABLE_XMODIFY opcode  [melifaro, 2014-08-08, 1 file, -10/+125]
  * Since there seems to be lack of consensus on strict value typing, remove non-default value types. Use userland-only "value format type" to print values.
  Kernel changes:
  * Add IP_FW_XMODIFY to permit table run-time modifications. Currently we support changing limit and value format type.
  Userland changes:
  * Support IP_FW_XMODIFY opcode.
  * Support specifying value format type (ftype) in table create/modify req
  * Fine-print value type/value format type.
* Remove IP_FW_TABLES_XGETSIZE opcode.  [melifaro, 2014-08-08, 1 file, -21/+26]
  It is superseded by IP_FW_TABLES_XLIST.
* Implement atomic ipfw table swap.  [melifaro, 2014-08-03, 1 file, -1/+49]
  Kernel changes:
  * Add opcode IP_FW_TABLE_XSWAP
  * Add support for swapping 2 tables with the same type/ftype/vtype.
  * Make skipto cache init after ipfw locks init.
  Userland changes:
  * Add "table X swap Y" command.
* * Move "talist" and "iflist" cmds into newly-created "internal" ipfw(8) cmd.  [melifaro, 2014-08-03, 1 file, -3/+11]
  * Add "table X detail" cmd and show detailed algo info there instead of "info".
* Show algorithm-specific data in "table info" output.  [melifaro, 2014-08-03, 1 file, -0/+94]
* * Permit limiting number of items in table.  [melifaro, 2014-08-01, 1 file, -7/+35]
  Kernel changes:
  * Add TEI_FLAGS_DONTADD entry flag to indicate that insert is not possible
  * Support given flag in all algorithms
  * Add "limit" field to ipfw_xtable_info
  * Add actual limiting code into add_table_entry()
  Userland changes:
  * Add "limit" option as "create" table sub-option. Limit modification is currently impossible.
  * Print human-readable errors in table entry addition/deletion code.
* * Add new "flow" table type to support N=1..5-tuple lookups  [melifaro, 2014-07-31, 1 file, -38/+258]
  * Add "flow:hash" algorithm
  Kernel changes:
  * Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
  * Add IPFW_TABLE_FLOW table type
  * Add "struct tflow_entry" as storage for 6-tuple flows
  * Add "flow:hash" algorithm. Basically it is auto-growing chained hash table. Additionally, we store mask of fields we need to compare in each instance.
  * Increase ipfw_obj_tentry size by adding struct tflow_entry
  * Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
  * Increase algoname length: 32 -> 64 (algo options passed there as string)
  * Assume every table type can be customized by flags, use u8 to store "tflags" field.
  * Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
  * Fix bug in cidr:chash resize procedure.
  Userland changes:
  * add "flow table(NAME)" syntax to support n-tuple checking tables.
  * make fill_flags() separate function to ease working with _s_x arrays
  * change "table info" output to reflect longer "type" fields
  Syntax:
    ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]
  Examples:
    0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
    0:02 [2] zfscurr0# ipfw table fl2 info
    +++ table(fl2), set(0) +++
    kindex: 0, type: flow:src-ip,proto,dst-port
    valtype: number, references: 0
    algorithm: flow:hash
    items: 0, size: 280
    0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
    0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
    0:02 [2] zfscurr0# ipfw table fl2 list
    +++ table(fl2), set(0) +++
    2a02:6b8::333,6,443 45000
    10.0.0.92,6,80 22000
    0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
    00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
    0:03 [2] zfscurr0# ipfw show
    00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
    65535 617 59416 allow ip from any to any
    0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
    Trying 78.46.89.105...
    ..
    0:04 [2] zfscurr0# ipfw show
    00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
    65535 682 66733 allow ip from any to any
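The point of the flow type is that the table, not the rule, decides which tuple fields form the key: `fl2` above was created over src-ip, proto and dst-port, so a packet matches an entry when exactly those three fields agree, whatever its source port and destination address. The block below is an added example, not FreeBSD ipfw code: it parses entry strings in the comma-separated field order shown above (accepting "tcp", "udp" or a protocol number, and port 0 as the MFC r318400 entry in this log allows), and matches a full 5-tuple against the commit's two entries comparing only the masked fields. Linear scan instead of flow:hash, the parser and the names `flow_parse_key`, `flow_match` and `demo_lookup` are assumptions for illustration.

```c
/*
 * Added example, not code from FreeBSD ipfw: a user-space model of the "flow"
 * table type described above.  A table is created over a subset of the fields
 * src-ip,proto,src-port,dst-ip,dst-port and compares only those fields.  The
 * linear-scan lookup (the kernel uses flow:hash), the entry-string parser and
 * all function names are assumptions made for illustration.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { F_SRC_IP = 1, F_PROTO = 2, F_SRC_PORT = 4, F_DST_IP = 8, F_DST_PORT = 16 };
#define F_ALL     (F_SRC_IP | F_PROTO | F_SRC_PORT | F_DST_IP | F_DST_PORT)
#define NOT_FOUND UINT32_MAX

struct flow {
    int      af;                    /* AF_INET/AF_INET6, 0 if no address field */
    uint8_t  src[16], dst[16], proto;
    uint16_t sport, dport;
};

static int parse_ip(const char *s, struct flow *f, uint8_t out[16])
{
    int af = strchr(s, ':') ? AF_INET6 : AF_INET;
    if (f->af && f->af != af) return -1;        /* one key, one address family */
    f->af = af;
    return inet_pton(af, s, out) == 1 ? 0 : -1;
}

static int parse_num(const char *s, long hi, long *out)
{
    char *end;
    *out = strtol(s, &end, 10);
    return (*s == '\0' || *end != '\0' || *out < 0 || *out > hi) ? -1 : 0;
}

/* Parse a key whose comma-separated items follow the table's field order,
 * e.g. "10.0.0.92,tcp,80" for a src-ip,proto,dst-port table.  Protocols may be
 * "tcp", "udp" or a number; port 0 is accepted; unused fields stay zero. */
int flow_parse_key(unsigned mask, const char *s, struct flow *f)
{
    char buf[128], *tok = NULL;
    long v;

    memset(f, 0, sizeof(*f));
    if (mask == 0 || strlen(s) >= sizeof(buf)) return -1;
    strcpy(buf, s);
    for (unsigned bit = F_SRC_IP; bit <= F_DST_PORT; bit <<= 1) {
        if (!(mask & bit)) continue;
        if ((tok = strtok(tok ? NULL : buf, ",")) == NULL) return -1;   /* too few */
        switch (bit) {
        case F_SRC_IP: if (parse_ip(tok, f, f->src)) return -1; break;
        case F_DST_IP: if (parse_ip(tok, f, f->dst)) return -1; break;
        case F_PROTO:
            if (!strcmp(tok, "tcp")) v = 6;
            else if (!strcmp(tok, "udp")) v = 17;
            else if (parse_num(tok, 255, &v)) return -1;
            f->proto = (uint8_t)v;
            break;
        default:
            if (parse_num(tok, 65535, &v)) return -1;
            if (bit == F_SRC_PORT) f->sport = (uint16_t)v; else f->dport = (uint16_t)v;
        }
    }
    return strtok(NULL, ",") == NULL ? 0 : -1;  /* too many items */
}

/* Compare only the fields in the table mask. */
int flow_match(unsigned mask, const struct flow *a, const struct flow *b)
{
    if ((mask & (F_SRC_IP | F_DST_IP)) && a->af != b->af) return 0;
    if ((mask & F_SRC_IP) && memcmp(a->src, b->src, 16)) return 0;
    if ((mask & F_DST_IP) && memcmp(a->dst, b->dst, 16)) return 0;
    if ((mask & F_PROTO) && a->proto != b->proto) return 0;
    if ((mask & F_SRC_PORT) && a->sport != b->sport) return 0;
    return !((mask & F_DST_PORT) && a->dport != b->dport);
}

/* The commit's fl2 table (type flow:src-ip,proto,dst-port) with its two
 * entries; look up a packet given as a full "src-ip,proto,src-port,dst-ip,dst-port". */
uint32_t demo_lookup(const char *pkt5)
{
    const unsigned mask = F_SRC_IP | F_PROTO | F_DST_PORT;
    const char *const keys[] = { "2a02:6b8::333,tcp,443", "10.0.0.92,tcp,80" };
    const uint32_t vals[] = { 45000, 22000 };
    struct flow pkt, key;

    if (flow_parse_key(F_ALL, pkt5, &pkt)) return NOT_FOUND;
    for (int i = 0; i < 2; i++)
        if (flow_parse_key(mask, keys[i], &key) == 0 && flow_match(mask, &key, &pkt))
            return vals[i];
    return NOT_FOUND;
}
```

A practical consequence worth checking in any ruleset: an entry added with too few or too many items for the table's field list is rejected at parse time here, mirroring the "Do not crash on incorrect flow type inputs" fix further down this log, and a key mixing an IPv4 and an IPv6 address is rejected as well.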
* Improve "ipfw talist" readability.  [melifaro, 2014-07-30, 1 file, -2/+2]
* * Add number:array algorithm lookup method.  [melifaro, 2014-07-30, 1 file, -2/+12]
  Kernel changes:
  * s/IPFW_TABLE_U32/IPFW_TABLE_NUMBER/
  * Force "lookup <port|uid|gid|jid>" to be IPFW_TABLE_NUMBER
  * Support "lookup" method for number tables
  * Add number:array algorithm (i32 as key, auto-growing).
  Userland changes:
  * Support named tables in "lookup <tag> Table"
  * Fix handling of "table(NAME,val)" case
  * Support printing "number" table data.
* * Dump available table algorithms via "ipfw talist" cmd.  [melifaro, 2014-07-29, 1 file, -3/+57]
  Kernel changes:
  * Add type/refcount fields to table algo instances.
  * Add IP_FW_TABLES_ALIST opcode to export available algorithms to userland.
  Userland changes:
  * Fix cores on empty input inside "ipfw table" handler.
  * Add "ipfw talist" cmd to print available kernel algorithms.
  * Change "table info" output to reflect long algorithm config lines.
* * Add generic ipfw interface tracking API  [melifaro, 2014-07-28, 1 file, -9/+1]
  * Rewrite interface tables to use interface indexes
  Kernel changes:
  * Add generic interface tracking API:
    - ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref)
    - ipfw_iface_add_ntfy (UH_WLOCK+WLOCK, links consumer & runs its callback to update ifindex)
    - ipfw_iface_del_ntfy (UH_WLOCK+WLOCK, unlinks consumer)
    - ipfw_iface_unref (unlocked, drops reference)
    Additionally, consumer callbacks are called in interface withdrawal/departure.
  * Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way: runtime data is stored as sorted array of {ifidx, val} for existing interfaces; full data is stored inside namedobj instance (chained hashed table).
  * Add IP_FW_XIFLIST opcode to dump status of tracked interfaces
  * Pass @chain ptr to most non-locked algorithm callbacks (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of given algorithm and other ipfw subsystems
  * Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize)
  * Fix small bug in ipfw_list_tables()
  * Add badd (insert into sorted array) and bdel (remove from sorted array) funcs
  Userland changes:
  * Add "iflist" cmd to print status of currently tracked interfaces
  * Add stringnum_cmp for better interface/table names sorting
* * Require explicit table creation before use on kernel side.  [melifaro, 2014-07-26, 1 file, -4/+27]
  * Add resize callbacks for upcoming table-based algorithms.
  Kernel changes:
  * s/ipfw_modify_table/ipfw_manage_table_ent/
  * Simplify add_table_entry(): make table creation a separate piece of code. Do not perform creation if not in "compat" mode.
  * Add ability to perform modification of algorithm state (like table resize). The following callbacks were added:
    - prepare_mod (allocate new state, without locks)
    - fill_mod (UH_WLOCK, copy old state to new one)
    - modify (UH_WLOCK + WLOCK, switch state)
    - flush_mod (no locks, flushes allocated data)
    Given callbacks are called if table modification has been requested by add or delete callbacks. Additional u64 tc->'flags' field was added to pass these requests.
  * Change add/del table ent format: permit adding/removing multiple entries at once (only 1 supported at the moment).
  Userland changes:
  * Auto-create tables with warning
* * Add "lookup" table functionality to permit userland entry lookups.  [melifaro, 2014-07-06, 1 file, -97/+153]
  * Bump table dump format preserving old ABI.
  Kernel side:
  * Add IP_FW_TABLE_XFIND to handle "lookup" request from userland.
  * Add ta_find_tentry() algorithm callbacks/handlers to support lookups.
  * Fully switch to ipfw_obj_tentry for various table dumps: algorithms are now required to support the latest (ipfw_obj_tentry) entry dump format, the rest is handled by generic dump code. IP_FW_TABLE_XLIST opcode version bumped (0 -> 1).
  * Eliminate legacy ta_dump_entry algo handler: dump_table_entry() converts data from current to legacy format.
  Userland side:
  * Add "lookup" table parameter.
  * Change the way table type is guessed: call table_get_info() first, and check value for IPv4/IPv6 type IFF table does not exist.
  * Fix table_get_list(): do more tries if supplied buffer is not enough.
  * Separate table_show_entry() from table_show_list().