Lines Matching full:rule

118 	bool			subnet_apply; /* Apply rule on whole subnet. */
133 struct ip_rule *rule;
135 while ((rule = TAILQ_FIRST(head)) != NULL) {
136 TAILQ_REMOVE(head, rule, r_entries);
137 free(rule, M_IPACL);
/*
 * Excerpt of parse_rule_element(): only the lines that mention "rule" are
 * listed, so the statements between them are not visible here. The visible
 * lines fill *rule with a jail id, an allow flag, an interface name, an
 * address family, an address and a mask, each read from the current token
 * `tok` (presumably split out of `element` -- confirm against the full file).
 */
159 parse_rule_element(char *element, struct ip_rule *rule)
/*
 * NOTE(review): the strtol() results are stored directly into the rule.
 * Whether `p` and the value range are checked before the rule is accepted
 * is not visible in this excerpt -- confirm.
 */
171 rule->jid = strtol(tok, &p, 10);
177 rule->allow = strtol(tok, &p, 10);
/*
 * NOTE(review): the size passed to strlcpy() is derived from the source
 * token (strlen(tok) + 1), not from the destination, so this call does not
 * bound the copy to rule->if_name. Unless the length of tok is checked on a
 * line not shown here, an over-long interface name would be written past
 * the field. Bounding by the destination (e.g. sizeof(rule->if_name),
 * assuming if_name is an array -- TODO confirm) is the usual form.
 */
184 strlcpy(rule->if_name, tok, strlen(tok) + 1);
188 rule->af = (strcmp(tok, "AF_INET") == 0) ? AF_INET :
/* -1 is presumably the fallback arm of the conditional above (not shown). */
190 if (rule->af == -1)
/* inet_pton() returns 1 only when the text parsed as an address of family af. */
195 if (inet_pton(rule->af, tok, rule->addr.addr32) != 1)
205 rule->subnet_apply = false;
207 rule->subnet_apply = true;
208 switch (rule->af) {
215 rule->mask.addr32[0] = htonl(0);
217 rule->mask.addr32[0] =
/*
 * Clear the bits outside the mask so the stored address is the network
 * address; the check routine later compares it with (ip_addr & mask).
 */
219 rule->addr.addr32[0] &= rule->mask.addr32[0];
/* Same masking done byte by byte, with the mask built from `prefix`. */
228 rule->mask.addr8[i] = prefix >= 8 ? 0xFF :
231 rule->addr.addr8[i] &= rule->mask.addr8[i];
240 * Format of Rule- jid,allow,interface_name,addr_family,ip_addr/subnet_mask
320 struct ip_rule *rule;
333 * a set of IP addresses, the rule that is defined later in the list
334 * determines the outcome, disregarding any previous rule for that IP
336 * Walk the policy rules list in reverse order until rule applicable
339 TAILQ_FOREACH_REVERSE(rule, &rule_head, rulehead, r_entries) {
340 /* Skip if current rule applies to different jail. */
341 if (cred->cr_prison->pr_id != rule->jid)
344 if (strcmp(rule->if_name, "\0") &&
345 strcmp(rule->if_name, if_name(ifp)))
348 switch (rule->af) {
351 if (rule->subnet_apply) {
352 if (rule->addr.v4.s_addr !=
353 (ip_addr->v4.s_addr & rule->mask.v4.s_addr))
356 if (ip_addr->v4.s_addr != rule->addr.v4.s_addr)
362 if (rule->subnet_apply) {
365 if (rule->addr.v6.s6_addr[i] !=
367 rule->mask.v6.s6_addr[i])) {
374 if (bcmp(&rule->addr, ip_addr,
381 if (rule->allow)