From d9dfac9f45d8211c085077869a18bbb7761f562b Mon Sep 17 00:00:00 2001
From: luigi
Date: Fri, 4 Jul 2003 21:39:51 +0000
Subject: Correct some comments, add opcode O_IPSEC to match packets coming out of an ipsec tunnel.

---
 sys/netinet/ip_fw.h | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

(limited to 'sys/netinet/ip_fw.h')

diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 3aa2799..e21b873 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -100,8 +100,9 @@ enum ipfw_opcodes { /* arguments (4 byte each) */
 O_KEEP_STATE, /* none */
 O_LIMIT, /* ipfw_insn_limit */
 O_LIMIT_PARENT, /* dyn_type, not an opcode. */
+
 /*
- * these are really 'actions', and must be last in the list.
+ * These are really 'actions'.
 */
 
 O_LOG, /* ipfw_insn_log */
@@ -119,6 +120,12 @@ enum ipfw_opcodes { /* arguments (4 byte each) */
 O_TEE, /* arg1=port number */
 O_FORWARD_IP, /* fwd sockaddr */
 O_FORWARD_MAC, /* fwd mac */
+
+ /* * More opcodes. */
+ O_IPSEC, /* has ipsec history */
+
 
 O_LAST_OPCODE /* not an opcode! */
 };
@@ -193,7 +200,7 @@ typedef struct _ipfw_insn_ip {
 } ipfw_insn_ip;
 
 /*
- * This is used to forward to a given address (ip)
+ * This is used to forward to a given address (ip).
 */
 typedef struct _ipfw_insn_sa {
 ipfw_insn o;
@@ -210,7 +217,7 @@ typedef struct _ipfw_insn_mac {
 } ipfw_insn_mac;
 
 /*
- * This is used for interface match rules (recv xx, xmit xx)
+ * This is used for interface match rules (recv xx, xmit xx).
 */
 typedef struct _ipfw_insn_if {
 ipfw_insn o;
@@ -250,7 +257,7 @@ typedef struct _ipfw_insn_limit {
 } ipfw_insn_limit;
 
 /*
- * This is used for log instructions
+ * This is used for log instructions.
 */
 typedef struct _ipfw_insn_log {
 ipfw_insn o;
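Review bot: O_IPSEC is a match opcode, yet the second hunk appends it after the action opcodes (O_LOG through O_FORWARD_MAC), while the first hunk deletes the "must be last in the list" wording without stating what ordering rule replaces it; if any consumer of `enum ipfw_opcodes` treats everything from O_LOG onward as an action (the deleted comment suggests such an invariant existed), O_IPSEC would be misclassified as an action. Either place the new opcode before O_LOG, or say in the second hunk's comment that the action range is now bounded and that O_IPSEC is a match opcode. The comment on the new entry also leaves its meaning implicit where the commit message is precise: `O_IPSEC, /* packet has IPsec history (came out of an IPsec tunnel) */`. The code that interprets the enum is not on the page, so whether anything relies on the ordering is inferred rather than visible.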
@@ -286,9 +293,8 @@ typedef struct _ipfw_insn_log {
 struct ip_fw {
 struct ip_fw *next; /* linked list of rules */
 struct ip_fw *next_rule; /* ptr to next [skipto] rule */
-#if 0 /* passed up using 'next_rule' */
- u_int32_t set_disable; /* disabled sets (for userland) */
-#endif
+ /* 'next_rule' is used to pass up 'set_disable' status */
+
 u_int16_t act_ofs; /* offset of action in 32-bit units */
 u_int16_t cmd_len; /* # of 32-bit words in cmd */
 u_int16_t rulenum; /* rule number */
@@ -323,13 +329,15 @@ struct ipfw_flow_id {
 };
 
 /*
- * dynamic ipfw rule
+ * Dynamic ipfw rule.
 */
 typedef struct _ipfw_dyn_rule ipfw_dyn_rule;
 
 struct _ipfw_dyn_rule {
 ipfw_dyn_rule *next; /* linked list of rules. */
 struct ip_fw *rule; /* pointer to rule */
+ /* 'rule' is used to pass up the rule number (from the parent) */
+
 ipfw_dyn_rule *parent; /* pointer to parent rule */
 u_int64_t pcnt; /* packet match counter */
 u_int64_t bcnt; /* byte match counter */
@@ -344,9 +352,6 @@ struct _ipfw_dyn_rule {
 /* to generate keepalives) */
 u_int16_t dyn_type; /* rule type */
 u_int16_t count; /* refcount */
-#if 0 /* passed up with 'rule' */
- u_int16_t rulenum; /* rule number (for userland) */
-#endif
 };
 
 /*
@@ -378,7 +383,7 @@ struct _ipfw_dyn_rule {
 #define IP_FW_PORT_DENY_FLAG 0x40000
 
 /*
- * arguments for calling ipfw_chk() and dummynet_io(). We put them
+ * Arguments for calling ipfw_chk() and dummynet_io(). We put them
 * all into a structure because this way it is easier and more
 * efficient to pass variables around and extend the interface.
 */
-- 
cgit v1.1
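Review bot: The new comments in struct ip_fw (first hunk on this line) and struct _ipfw_dyn_rule (second hunk) record that the pointer fields `next_rule` and `rule` are overloaded to carry the u_int32_t set_disable mask and the u_int16_t rule number, but they do not say how the integer is encoded in a `struct ip_fw *` or that the field must never be dereferenced once it holds a number, so a reader of the header alone cannot tell which copies of the struct hold a pointer and which hold a value. I would make that explicit, e.g. `/* 'next_rule' is reused on copyout to carry the 'set_disable' bitmask (an integer stored in the pointer slot, never a valid address) */`, with the matching wording on `rule`. If the pointer is overwritten before the struct is copied to userland, that also keeps the kernel address out of the userland copy, which is worth stating as the property that makes this aliasing acceptable; the copyout code is outside the hunk, so that is inferred rather than visible here.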