Changeset View
Changeset View
Standalone View
Standalone View
sys/netpfil/ipfw/ip_fw2.c
| Show First 20 Lines • Show All 124 Lines • ▼ Show 20 Lines | |||||
| VNET_DEFINE(int, autoinc_step); | VNET_DEFINE(int, autoinc_step); | ||||
| VNET_DEFINE(int, fw_one_pass) = 1; | VNET_DEFINE(int, fw_one_pass) = 1; | ||||
| VNET_DEFINE(unsigned int, fw_tables_max); | VNET_DEFINE(unsigned int, fw_tables_max); | ||||
| VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */ | VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */ | ||||
| /* Use 128 tables by default */ | /* Use 128 tables by default */ | ||||
| static unsigned int default_fw_tables = IPFW_TABLES_DEFAULT; | static unsigned int default_fw_tables = IPFW_TABLES_DEFAULT; | ||||
| /* Keep hash as small as possible */ | |||||
| int fw_nat_hash = 1; | |||||
| #ifndef LINEAR_SKIPTO | #ifndef LINEAR_SKIPTO | ||||
| static int jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, | static int jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, | ||||
| int tablearg, int jump_backwards); | int tablearg, int jump_backwards); | ||||
| #define JUMP(ch, f, num, targ, back) jump_fast(ch, f, num, targ, back) | #define JUMP(ch, f, num, targ, back) jump_fast(ch, f, num, targ, back) | ||||
| #else | #else | ||||
| static int jump_linear(struct ip_fw_chain *chain, struct ip_fw *f, int num, | static int jump_linear(struct ip_fw_chain *chain, struct ip_fw *f, int num, | ||||
| int tablearg, int jump_backwards); | int tablearg, int jump_backwards); | ||||
| #define JUMP(ch, f, num, targ, back) jump_linear(ch, f, num, targ, back) | #define JUMP(ch, f, num, targ, back) jump_linear(ch, f, num, targ, back) | ||||
| Show All 20 Lines | |||||
| VNET_DEFINE(struct ip_fw_chain, layer3_chain); | VNET_DEFINE(struct ip_fw_chain, layer3_chain); | ||||
| /* ipfw_vnet_ready controls when we are open for business */ | /* ipfw_vnet_ready controls when we are open for business */ | ||||
| VNET_DEFINE(int, ipfw_vnet_ready) = 0; | VNET_DEFINE(int, ipfw_vnet_ready) = 0; | ||||
| VNET_DEFINE(int, ipfw_nat_ready) = 0; | VNET_DEFINE(int, ipfw_nat_ready) = 0; | ||||
| ipfw_nat_t *ipfw_nat_ptr = NULL; | ipfw_nat_t *ipfw_nat_ptr = NULL; | ||||
| struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); | struct cfg_nat *(*lookup_nat_ptr)(struct nat_lists *, int); | ||||
| ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; | ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; | ||||
| ipfw_nat_cfg_t *ipfw_nat_del_ptr; | ipfw_nat_cfg_t *ipfw_nat_del_ptr; | ||||
| ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; | ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; | ||||
| ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; | ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; | ||||
| #ifdef SYSCTL_NODE | #ifdef SYSCTL_NODE | ||||
| uint32_t dummy_def = IPFW_DEFAULT_RULE; | uint32_t dummy_def = IPFW_DEFAULT_RULE; | ||||
| static int sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS); | static int sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS); | ||||
| Show All 26 Lines | SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, tables_sets, | ||||
| "Use per-set namespace for tables"); | "Use per-set namespace for tables"); | ||||
| SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN, | SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN, | ||||
| &default_to_accept, 0, | &default_to_accept, 0, | ||||
| "Make the default rule accept all packets."); | "Make the default rule accept all packets."); | ||||
| TUNABLE_INT("net.inet.ip.fw.tables_max", (int *)&default_fw_tables); | TUNABLE_INT("net.inet.ip.fw.tables_max", (int *)&default_fw_tables); | ||||
| SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, | SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, | ||||
| CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0, | CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0, | ||||
| "Number of static rules"); | "Number of static rules"); | ||||
| SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, nat_hash, CTLFLAG_RDTUN, | |||||
| &fw_nat_hash, 0, | |||||
| "Size of hash table for NAT instances."); | |||||
| #ifdef INET6 | #ifdef INET6 | ||||
| SYSCTL_DECL(_net_inet6_ip6); | SYSCTL_DECL(_net_inet6_ip6); | ||||
| SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); | SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); | ||||
| SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, | SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, | ||||
| CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE, | CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE, | ||||
| &VNET_NAME(fw_deny_unknown_exthdrs), 0, | &VNET_NAME(fw_deny_unknown_exthdrs), 0, | ||||
| "Deny packets with unknown IPv6 Extension Headers"); | "Deny packets with unknown IPv6 Extension Headers"); | ||||
| ▲ Show 20 Lines • Show All 3,102 Lines • ▼ Show 20 Lines | #endif | ||||
| else | else | ||||
| printf("limited to %d packets/entry by default\n", | printf("limited to %d packets/entry by default\n", | ||||
| V_verbose_limit); | V_verbose_limit); | ||||
| /* Check user-supplied table count for validness */ | /* Check user-supplied table count for validness */ | ||||
| if (default_fw_tables > IPFW_TABLES_MAX) | if (default_fw_tables > IPFW_TABLES_MAX) | ||||
| default_fw_tables = IPFW_TABLES_MAX; | default_fw_tables = IPFW_TABLES_MAX; | ||||
| if (fw_nat_hash < 1) | |||||
| fw_nat_hash = 1; | |||||
| ipfw_init_sopt_handler(); | ipfw_init_sopt_handler(); | ||||
| ipfw_init_obj_rewriter(); | ipfw_init_obj_rewriter(); | ||||
| ipfw_iface_init(); | ipfw_iface_init(); | ||||
| return (error); | return (error); | ||||
| } | } | ||||
| /* | /* | ||||
| * Called for the removal of the last instance only on module unload. | * Called for the removal of the last instance only on module unload. | ||||
| Show All 26 Lines | vnet_ipfw_init(const void *unused) | ||||
| /* First set up some values that are compile time options */ | /* First set up some values that are compile time options */ | ||||
| V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ | V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ | ||||
| V_fw_deny_unknown_exthdrs = 1; | V_fw_deny_unknown_exthdrs = 1; | ||||
| #ifdef IPFIREWALL_VERBOSE | #ifdef IPFIREWALL_VERBOSE | ||||
| V_fw_verbose = 1; | V_fw_verbose = 1; | ||||
| #endif | #endif | ||||
| #ifdef IPFIREWALL_VERBOSE_LIMIT | #ifdef IPFIREWALL_VERBOSE_LIMIT | ||||
| V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT; | V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT; | ||||
| #endif | |||||
| #ifdef IPFIREWALL_NAT | |||||
| LIST_INIT(&chain->nat); | |||||
| #endif | #endif | ||||
donner: Module specific initialization moved into the module. Zeroized memory at initialization is… | |||||
| /* Init shared services hash table */ | /* Init shared services hash table */ | ||||
| ipfw_init_srv(chain); | ipfw_init_srv(chain); | ||||
| ipfw_init_counters(); | ipfw_init_counters(); | ||||
| /* Set initial number of tables */ | /* Set initial number of tables */ | ||||
| V_fw_tables_max = default_fw_tables; | V_fw_tables_max = default_fw_tables; | ||||
| error = ipfw_init_tables(chain, first); | error = ipfw_init_tables(chain, first); | ||||
| ▲ Show 20 Lines • Show All 169 Lines • Show Last 20 Lines | |||||
Module specific initialization moved into the module. Zeroized memory at initialization is sufficient to avoid erroneous behavior.