Lines Matching full:rule

34  * Control socket and rule management routines for ipfw.
80 static int check_ipfw_rule1(struct ip_fw_rule *rule, int size,
82 static int check_ipfw_rule0(struct ip_fw_rule0 *rule, int size,
158 set_legacy_obj_kidx(struct ip_fw_chain *ch, struct ip_fw_rule0 *rule);
161 static int ref_rule_objects(struct ip_fw_chain *ch, struct ip_fw *rule,
165 static void unref_rule_objects(struct ip_fw_chain *chain, struct ip_fw *rule);
203 struct ip_fw *rule; in ipfw_alloc_rule() local
205 rule = malloc(rulesize, M_IPFW, M_WAITOK | M_ZERO); in ipfw_alloc_rule()
206 rule->cntr = uma_zalloc_pcpu(V_ipfw_cntr_zone, M_WAITOK | M_ZERO); in ipfw_alloc_rule()
207 rule->refcnt = 1; in ipfw_alloc_rule()
209 return (rule); in ipfw_alloc_rule()
213 ipfw_free_rule(struct ip_fw *rule) in ipfw_free_rule() argument
222 if (rule->refcnt > 1) in ipfw_free_rule()
224 uma_zfree_pcpu(V_ipfw_cntr_zone, rule->cntr); in ipfw_free_rule()
225 free(rule, M_IPFW); in ipfw_free_rule()
229 * Find the smallest rule >= key, id.
254 * Builds skipto cache on rule set @map.
273 /* Use the same rule index until i < rulenum */ in update_skipto_cache()
276 /* Find next rule with num > i */ in update_skipto_cache()
312 * for example, on first skipto rule, so we need to in ipfw_init_skipto_cache()
432 * Copies rule @urule from v1 userland format (current).
460 * Export rule into v1 format (Current).
501 * Copies rule @urule from FreeBSD8 userland format (v0)
595 * Copies rule @krule from kernel to FreeBSD8 userland format (v0)
681 * Add new rule(s) to the list possibly creating rule number for each.
701 * Rule has some object opcodes. in commit_rules()
708 * rewrite failed, state for current rule in commit_rules()
769 /* duplicate remaining part, we always have the default rule */ in commit_rules()
773 /* Compute rule number and write it back */ in commit_rules()
778 /* Save number to userland rule */ in commit_rules()
794 ipfw_add_protected_rule(struct ip_fw_chain *chain, struct ip_fw *rule, in ipfw_add_protected_rule() argument
805 map[chain->n_rules] = rule; in ipfw_add_protected_rule()
806 rule->rulenum = IPFW_DEFAULT_RULE; in ipfw_add_protected_rule()
807 rule->set = RESVD_SET; in ipfw_add_protected_rule()
808 rule->id = chain->id + 1; in ipfw_add_protected_rule()
809 /* We add rule in the end of chain, no need to update skipto cache */ in ipfw_add_protected_rule()
811 chain->static_len += RULEUSIZE0(rule); in ipfw_add_protected_rule()
818 * Adds @rule to the list of rules to reap
822 struct ip_fw *rule) in ipfw_reap_add() argument
827 /* Unlink rule from everywhere */ in ipfw_reap_add()
828 unref_rule_objects(chain, rule); in ipfw_reap_add()
830 rule->next = *head; in ipfw_reap_add()
831 *head = rule; in ipfw_reap_add()
842 struct ip_fw *rule; in ipfw_reap_rules() local
844 while ((rule = head) != NULL) { in ipfw_reap_rules()
846 ipfw_free_rule(rule); in ipfw_reap_rules()
854 * default ::= (rule->rulenum == IPFW_DEFAULT_RULE)
855 * // the default rule is always protected
857 * reserved ::= (cmd == 0 && n == 0 && rule->set == RESVD_SET)
860 * match_set ::= (cmd == 0 || rule->set == set)
863 * match_number ::= (cmd == 1 || n == 0 || n == rule->rulenum)
868 ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt) in ipfw_match_range() argument
871 /* Don't match default rule for modification queries */ in ipfw_match_range()
872 if (rule->rulenum == IPFW_DEFAULT_RULE && in ipfw_match_range()
877 if ((rt->flags & IPFW_RCFLAG_ALL) != 0 && rule->set == RESVD_SET) in ipfw_match_range()
881 if ((rt->flags & IPFW_RCFLAG_SET) != 0 && rule->set != rt->set) in ipfw_match_range()
885 (rule->rulenum < rt->start_rule || rule->rulenum > rt->end_rule)) in ipfw_match_range()
1007 struct ip_fw *reap, *rule, **map; in delete_range() local
1054 rule = chain->map[i]; in delete_range()
1055 if (ipfw_match_range(rule, rt) == 0) { in delete_range()
1056 map[ofs++] = rule; in delete_range()
1061 if (ipfw_is_dyn_rule(rule) != 0) in delete_range()
1076 rule = map[i]; in delete_range()
1077 if (ipfw_match_range(rule, rt) == 0) in delete_range()
1079 chain->static_len -= RULEUSIZE0(rule); in delete_range()
1080 ipfw_reap_add(chain, &reap, rule); in delete_range()
1095 struct ip_fw *rule; in move_objects() local
1104 rule = ch->map[i]; in move_objects()
1105 if (ipfw_match_range(rule, rt) == 0) in move_objects()
1107 if (rule->set == rt->new_set) /* nothing to do */ in move_objects()
1110 for (l = rule->cmd_len, cmdlen = 0, cmd = rule->cmd; in move_objects()
1131 rule = ch->map[i]; in move_objects()
1132 if (ipfw_match_range(rule, rt) == 0) in move_objects()
1134 if (rule->set == rt->new_set) /* nothing to do */ in move_objects()
1137 for (l = rule->cmd_len, cmdlen = 0, cmd = rule->cmd; in move_objects()
1150 rule = ch->map[i]; in move_objects()
1151 if (ipfw_match_range(rule, rt) == 0) in move_objects()
1153 if (rule->set == rt->new_set) /* nothing to do */ in move_objects()
1156 for (l = rule->cmd_len, cmdlen = 0, cmd = rule->cmd; in move_objects()
1176 * Changes set of given rule range @rt
1184 struct ip_fw *rule; in move_range() local
1193 * by given rule subset only. Otherwise, we can't move in move_range()
1203 rule = chain->map[i]; in move_range()
1204 if (ipfw_match_range(rule, rt) == 0) in move_range()
1206 rule->set = rt->new_set; in move_range()
1215 * Returns pointer to action instruction, skips all possible rule
1219 ipfw_get_action(struct ip_fw *rule) in ipfw_get_action() argument
1224 cmd = ACTION_PTR(rule); in ipfw_get_action()
1225 l = rule->cmd_len - rule->act_ofs; in ipfw_get_action()
1239 panic("%s: rule (%p) has not action opcode", __func__, rule); in ipfw_get_action()
1244 * Clear counters for a specific rule.
1249 clear_counters(struct ip_fw *rule, int log_only) in clear_counters() argument
1251 ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule); in clear_counters()
1254 IPFW_ZERO_RULE_COUNTER(rule); in clear_counters()
1267 struct ip_fw *rule; in clear_range() local
1276 rule = chain->map[i]; in clear_range()
1277 if (ipfw_match_range(rule, rt) == 0) in clear_range()
1279 clear_counters(rule, log_only); in clear_range()
1363 * Clear rule accounting data matching specified parameters
1427 struct ip_fw *rule; in swap_sets() local
1452 rule = chain->map[i]; in swap_sets()
1453 if (rule->set == (uint8_t)rt->set) in swap_sets()
1454 rule->set = (uint8_t)rt->new_set; in swap_sets()
1455 else if (rule->set == (uint8_t)rt->new_set && mv == 0) in swap_sets()
1456 rule->set = (uint8_t)rt->set; in swap_sets()
1515 * The argument is a uint32_t. The low 16 bit are the rule or set number;
1528 uint32_t num; /* rule number or old_set */ in del_entry()
1606 * The argument `arg' is a u_int32_t. The low 16 bit are the rule number,
1610 * Specified rule number is zero if we want to clear all entries.
1616 struct ip_fw *rule; in zero_entry() local
1633 rule = chain->map[i]; in zero_entry()
1635 if (cmd == 1 && rule->set != set) in zero_entry()
1637 clear_counters(rule, log_only); in zero_entry()
1644 rule = chain->map[i]; in zero_entry()
1645 if (rule->rulenum == rulenum) { in zero_entry()
1646 if (cmd == 0 || rule->set == set) in zero_entry()
1647 clear_counters(rule, log_only); in zero_entry()
1650 if (rule->rulenum > rulenum) in zero_entry()
1673 * Check rule head in FreeBSD11 format
1677 check_ipfw_rule1(struct ip_fw_rule *rule, int size, in check_ipfw_rule1() argument
1682 if (size < sizeof(*rule)) { in check_ipfw_rule1()
1683 printf("ipfw: rule too short\n"); in check_ipfw_rule1()
1688 l = roundup2(RULESIZE(rule), sizeof(uint64_t)); in check_ipfw_rule1()
1693 if (rule->act_ofs >= rule->cmd_len) { in check_ipfw_rule1()
1695 rule->act_ofs, rule->cmd_len - 1); in check_ipfw_rule1()
1699 if (rule->rulenum > IPFW_DEFAULT_RULE - 1) in check_ipfw_rule1()
1702 return (check_ipfw_rule_body(rule->cmd, rule->cmd_len, ci)); in check_ipfw_rule1()
1706 * Check rule head in FreeBSD8 format
1710 check_ipfw_rule0(struct ip_fw_rule0 *rule, int size, in check_ipfw_rule0() argument
1715 if (size < sizeof(*rule)) { in check_ipfw_rule0()
1716 printf("ipfw: rule too short\n"); in check_ipfw_rule0()
1721 l = sizeof(*rule) + rule->cmd_len * 4 - 4; in check_ipfw_rule0()
1726 if (rule->act_ofs >= rule->cmd_len) { in check_ipfw_rule0()
1728 rule->act_ofs, rule->cmd_len - 1); in check_ipfw_rule0()
1732 if (rule->rulenum > IPFW_DEFAULT_RULE - 1) in check_ipfw_rule0()
1735 return (check_ipfw_rule_body(rule->cmd, rule->cmd_len, ci)); in check_ipfw_rule0()
2117 struct ip_fw7 *next_rule; /* ptr to next [skipto] rule */
2122 uint16_t rulenum; /* rule number */
2123 uint8_t set; /* rule set (0..31) */
2126 // uint32_t id; /* rule id, only in v.8 */
2135 static int convert_rule_to_7(struct ip_fw_rule0 *rule);
2136 static int convert_rule_to_8(struct ip_fw_rule0 *rule);
2139 #define RULESIZE7(rule) (sizeof(struct ip_fw7) + \ argument
2140 ((struct ip_fw7 *)(rule))->cmd_len * 4 - 4)
2153 struct ip_fw *rule; in ipfw_getrules() local
2164 rule = chain->map[i]; in ipfw_getrules()
2167 /* Convert rule to FreeBSD 7.2 format */ in ipfw_getrules()
2168 l = RULESIZE7(rule); in ipfw_getrules()
2170 bcopy(rule, bp, l + sizeof(uint32_t)); in ipfw_getrules()
2181 * Why do we do this on EVERY rule? in ipfw_getrules()
2190 continue; /* go to next rule */ in ipfw_getrules()
2193 l = RULEUSIZE0(rule); in ipfw_getrules()
2199 export_rule0(rule, dst, l); in ipfw_getrules()
2205 * Why do we do this on EVERY rule? in ipfw_getrules()
2221 printf("Stop on rule %d. Fail to convert table\n", in ipfw_getrules()
2222 rule->rulenum); in ipfw_getrules()
2234 uint32_t b; /* start rule */
2235 uint32_t e; /* end rule */
2376 * Marks every object index used in @rule with bit in @bmask.
2381 mark_rule_objects(struct ip_fw_chain *ch, struct ip_fw *rule, in mark_rule_objects() argument
2390 l = rule->cmd_len; in mark_rule_objects()
2391 cmd = rule->cmd; in mark_rule_objects()
2428 struct ip_fw *rule; in dump_config() local
2469 rule = chain->map[i]; in dump_config()
2470 da.rsize += RULEUSIZE1(rule) + sizeof(ipfw_obj_tlv); in dump_config()
2473 mark_rule_objects(chain, rule, &da); in dump_config()
2547 * Creates non-existent objects referenced by rule.
2608 set_legacy_obj_kidx(struct ip_fw_chain *ch, struct ip_fw_rule0 *rule) in set_legacy_obj_kidx() argument
2621 l = rule->cmd_len; in set_legacy_obj_kidx()
2622 cmd = rule->cmd; in set_legacy_obj_kidx()
2657 * Unreferences all already-referenced objects in given @cmd rule,
2660 * Used to rollback partially converted rule on error.
2688 * Remove references from every object used in @rule.
2689 * Used at rule removal code.
2692 unref_rule_objects(struct ip_fw_chain *ch, struct ip_fw *rule) in unref_rule_objects() argument
2703 l = rule->cmd_len; in unref_rule_objects()
2704 cmd = rule->cmd; in unref_rule_objects()
2780 * Finds and bumps refcount for objects referenced by given @rule.
2787 ref_rule_objects(struct ip_fw_chain *ch, struct ip_fw *rule, in ref_rule_objects() argument
2795 l = rule->cmd_len; in ref_rule_objects()
2796 cmd = rule->cmd; in ref_rule_objects()
2815 pidx->off = rule->cmd_len - l; in ref_rule_objects()
2822 unref_oib_objects(ch, rule->cmd, oib, pidx); in ref_rule_objects()
2830 error = create_objects_compat(ch, rule->cmd, oib, pidx, ti); in ref_rule_objects()
2868 /* Use set rule is assigned to. */ in rewrite_rule_uidx()
3013 /* Allocate state for each rule or use stack */ in add_rules()
3023 * Check each rule for validity. in add_rules()
3809 struct ip_fw_rule0 *rule; in ipfw_ctl() local
3837 * followed by a possibly empty list of dynamic rule. in ipfw_ctl()
3838 * The last dynamic rule has NULL in the "next" field. in ipfw_ctl()
3841 * amount of data returned to the user. The rule set may in ipfw_ctl()
3869 error = del_entry(chain, 0); /* special case, rule=0, cmd=0 means all */ in ipfw_ctl()
3873 rule = malloc(RULE_MAXSIZE, M_TEMP, M_WAITOK); in ipfw_ctl()
3874 error = sooptcopyin(sopt, rule, RULE_MAXSIZE, in ipfw_ctl()
3889 if (size == RULESIZE7(rule)) { in ipfw_ctl()
3891 error = convert_rule_to_8(rule); in ipfw_ctl()
3893 free(rule, M_TEMP); in ipfw_ctl()
3896 size = RULESIZE(rule); in ipfw_ctl()
3900 error = check_ipfw_rule0(rule, size, &ci); in ipfw_ctl()
3904 krule = ipfw_alloc_rule(chain, RULEKSIZE0(rule)); in ipfw_ctl()
3905 ci.urule = (caddr_t)rule; in ipfw_ctl()
3913 error = convert_rule_to_7(rule); in ipfw_ctl()
3914 size = RULESIZE7(rule); in ipfw_ctl()
3916 free(rule, M_TEMP); in ipfw_ctl()
3920 error = sooptcopyout(sopt, rule, size); in ipfw_ctl()
3923 free(rule, M_TEMP); in ipfw_ctl()
3932 * delete single rule or set of rules, in ipfw_ctl()
3958 case IP_FW_RESETLOG: /* argument is an u_int_32, the rule number */ in ipfw_ctl()
4119 convert_rule_to_7(struct ip_fw_rule0 *rule) in convert_rule_to_7() argument
4121 /* Used to modify original rule */ in convert_rule_to_7()
4122 struct ip_fw7 *rule7 = (struct ip_fw7 *)rule; in convert_rule_to_7()
4123 /* copy of original rule, version 8 */ in convert_rule_to_7()
4134 bcopy(rule, tmp, RULE_MAXSIZE); in convert_rule_to_7()
4173 convert_rule_to_8(struct ip_fw_rule0 *rule) in convert_rule_to_8() argument
4175 /* Used to modify original rule */ in convert_rule_to_8()
4176 struct ip_fw7 *rule7 = (struct ip_fw7 *) rule; in convert_rule_to_8()
4182 /* Copy of original rule */ in convert_rule_to_8()
4190 for (ll = tmp->cmd_len, ccmd = tmp->cmd, dst = rule->cmd ; in convert_rule_to_8()
4209 rule->_pad = tmp->_pad; in convert_rule_to_8()
4210 rule->set = tmp->set; in convert_rule_to_8()
4211 rule->rulenum = tmp->rulenum; in convert_rule_to_8()
4212 rule->cmd_len = tmp->cmd_len; in convert_rule_to_8()
4213 rule->act_ofs = tmp->act_ofs; in convert_rule_to_8()
4214 rule->next_rule = (struct ip_fw *)tmp->next_rule; in convert_rule_to_8()
4215 rule->cmd_len = tmp->cmd_len; in convert_rule_to_8()
4216 rule->id = 0; /* XXX see if is ok = 0 */ in convert_rule_to_8()
4217 rule->pcnt = tmp->pcnt; in convert_rule_to_8()
4218 rule->bcnt = tmp->bcnt; in convert_rule_to_8()
4219 rule->timestamp = tmp->timestamp; in convert_rule_to_8()