Change Details

General changes: * struct ipfw_dyn_info added. It keeps all needed for ipfw_chk and for dynamic states implementation information. * lookup and install states functions changed. Now all internal locking in the dynamic states implementation is hidden from ipfw_chk(). * ipfw_dyn_rule now becomes obsolete. Currently it used to pass information from kernel to userland only. * ipfw_send_pkt() moved from ip_fw_dynamic into ip_fw2. It will be reworked later. Now ip_fw_dynamic2 has its own functions to send keep-alivies. * Added ipfw_add_protected_rule() that creates default_rule. It also used to create "dynamic states default rule". * Some fixes to range matching: use UINT32_MAX to match all rules with the same rulenum. Dynamic states implementation: * IPv4 and IPv6 states now described by different structures dyn_ipv4_state and dyn_ipv6_state; * IPv6 scope zones support is added; * states are linked with "entry" field using CK_SLIST. This allows lockless lookup and protected by mutex modifications. * the "expired" SLIST field is used for states expiring. * struct dyn_data is used to keep generic information for both IPv4 and IPv6; * struct dyn_parent is used to keep O_LIMIT_PARENT information; * IPv4 and IPv6 states are in different hash tables; * Also O_LIMIT_PARENT states now are kept separately from O_LIMIT and O_KEEP_STATE states. * per-cpu dyn_hp pointers are used to implement hazard pointers and they prevent freeing states that are locklessly used by lookup threads. * mutexes to protect modification of lists in hash tables now kept in separate arrays; * each hash table has two arrays of "bucket version" for add and delete operations. These arrays are used for some speedups and protections. * dyn_update_tcp_state() added. Updating algorithm for this functions is modified. * Separate lookup and install functions added for IPv4 and IPv6 states and for parent states.

General changes: * struct ipfw_dyn_info added. It keeps all needed for ipfw_chk and for dynamic states implementation information. * lookup and install states functions changed. Now all internal locking in the dynamic states implementation is hidden from ipfw_chk(). * ipfw_dyn_rule now becomes obsolete. Currently it used to pass information from kernel to userland only. * ipfw_send_pkt() moved from ip_fw_dynamic into ip_fw2. It will be reworked later. Now ip_fw_dynamic2 has its own functions to send keep-alivies. * Added ipfw_add_protected_rule() that creates default_rule. It also used to create "dynamic states default rule". * Some fixes to range matching: use UINT32_MAX to match all rules with the same rulenum. Dynamic states implementation: * IPv4 and IPv6 states now described by different structures dyn_ipv4_state and dyn_ipv6_state; * IPv6 scope zones support is added; * states are linked with "entry" field using CK_SLIST. This allows lockless lookup and protected by mutex modifications. * the "expired" SLIST field is used for states expiring. * struct dyn_data is used to keep generic information for both IPv4 and IPv6; * struct dyn_parent is used to keep O_LIMIT_PARENT information; * IPv4 and IPv6 states are in different hash tables; * Also O_LIMIT_PARENT states now are kept separately from O_LIMIT and O_KEEP_STATE states. * per-cpu dyn_hp pointers are used to implement hazard pointers and they prevent freeing states that are locklessly used by lookup threads. * mutexes to protect modification of lists in hash tables now kept in separate arrays; * each hash table has two arrays of "bucket version" for add and delete operations. These arrays are used for some speedups and protections. * dyn_update_tcp_state() added. Updating algorithm for this functions is modified. * Separate lookup and install functions added for IPv4 and IPv6 states and for parent states.

General changes: * struct ipfw_dyn_info added. It keeps all needed for ipfw_chk and for dynamic states implementation information. * lookup and install states functions changed. Now all internal locking in the dynamic states implementation is hidden from ipfw_chk(). * ipfw_dyn_rule now becomes obsolete. Currently it used to pass information from kernel to userland only. * ipfw_send_pkt() moved from ip_fw_dynamic into ip_fw2. It will be reworked later. Now ip_fw_dynamic2 has its own functions to send keep-alivies. * Added ipfw_add_protected_rule() that creates default_rule. It also used to create "dynamic states default rule". * Some fixes to range matching: use UINT32_MAX to match all rules with the same rulenum. Dynamic states implementation: * IPv4 and IPv6 states now described by different structures dyn_ipv4_state and dyn_ipv6_state; * IPv6 scope zones support is added; * states are linked with "entry" field using CK_SLIST. This allows lockless lookup and protected by mutex modifications. * the "expired" SLIST field is used for states expiring. * struct dyn_data is used to keep generic information for both IPv4 and IPv6; * struct dyn_parent is used to keep O_LIMIT_PARENT information; * IPv4 and IPv6 states are in different hash tables; * Also O_LIMIT_PARENT states now are kept separately from O_LIMIT and O_KEEP_STATE states. * per-cpu dyn_hp pointers are used to implement hazard pointers and they prevent freeing states that are locklessly used by lookup threads. * mutexes to protect modification of lists in hash tables now kept in separate arrays; * each hash table has two arrays of "bucket version" for add and delete operations. These arrays are used for some speedups and protections. * dyn_update_tcp_state() added. Updating algorithm for this functions is modified. * Separate lookup and install functions added for IPv4 and IPv6 states and for parent states.