+
+/****************
+ * Stuff that must be initialized for every instance
+ * (including the first of course).
+ */
+static int
+vnet_ipfw_init(const void *unused)
+{
+ int error;
+ struct ip_fw default_rule;
+
+ /* First set up some values that are compile time options */
+#ifdef IPFIREWALL_VERBOSE
+ V_fw_verbose = 1;
+#endif
+#ifdef IPFIREWALL_VERBOSE_LIMIT
+ V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
+#endif
+
+ error = init_tables(&V_layer3_chain);
+ if (error) {
+ panic("init_tables"); /* XXX Marko fix this ! */
+ }
+#ifdef IPFIREWALL_NAT
+ LIST_INIT(&V_layer3_chain.nat);
+#endif
+
+ V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
+
+ V_ipfw_dyn_v = NULL;
+ V_dyn_buckets = 256; /* must be power of 2 */
+ V_curr_dyn_buckets = 256; /* must be power of 2 */
+
+ V_dyn_ack_lifetime = 300;
+ V_dyn_syn_lifetime = 20;
+ V_dyn_fin_lifetime = 1;
+ V_dyn_rst_lifetime = 1;
+ V_dyn_udp_lifetime = 10;
+ V_dyn_short_lifetime = 5;
+
+ V_dyn_keepalive_interval = 20;
+ V_dyn_keepalive_period = 5;
+ V_dyn_keepalive = 1; /* do send keepalives */
+
+ V_dyn_max = 4096; /* max # of dynamic rules */
+
+ V_fw_deny_unknown_exthdrs = 1;
+
+ V_layer3_chain.rules = NULL;
+ IPFW_LOCK_INIT(&V_layer3_chain);
+ callout_init(&V_ipfw_timeout, CALLOUT_MPSAFE);
+
+ set_skipto_table(&V_layer3_chain);
+
+ bzero(&default_rule, sizeof default_rule);
+ default_rule.act_ofs = 0;
+ default_rule.rulenum = IPFW_DEFAULT_RULE;
+ default_rule.cmd_len = 1;
+ default_rule.set = RESVD_SET;
+ default_rule.cmd[0].len = 1;
+ default_rule.cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;
+ error = add_rule(&V_layer3_chain, &default_rule);
+
+ if (error != 0) {
+ printf("ipfw2: error %u initializing default rule "
+ "(support disabled)\n", error);
+ IPFW_LOCK_DESTROY(&V_layer3_chain);
+ printf("leaving ipfw_iattach (1) with error %d\n", error);
+ return (error);
+ }
+
+ V_layer3_chain.default_rule = V_layer3_chain.rules;
+
+ /* curvnet is NULL in the !VIMAGE case */
+ callout_reset(&V_ipfw_timeout, hz, ipfw_tick, curvnet);
+
+ /* First set up some values that are compile time options */
+ V_ipfw_vnet_ready = 1; /* Open for business */
+
+ /*
+ * Hook the sockopt handler, and the layer2 (V_ip_fw_chk_ptr)
+ * and pfil hooks for ipv4 and ipv6. Even if the latter two fail
+ * we still keep the module alive because the sockopt and
+ * layer2 paths are still useful.
+ * ipfw[6]_hook return 0 on success, ENOENT on failure,
+ * so we can ignore the exact return value and just set a flag.
+ *
+ * Note that V_fw[6]_enable are manipulated by a SYSCTL_PROC so
+ * changes in the underlying (per-vnet) variables trigger
+ * immediate hook()/unhook() calls.
+ * In layer2 we have the same behaviour, except that V_ether_ipfw
+ * is checked on each packet because there are no pfil hooks.
+ */
+ V_ip_fw_ctl_ptr = ipfw_ctl;
+ V_ip_fw_chk_ptr = ipfw_chk;
+#ifndef linux
+ if (V_fw_enable && ipfw_hook() != 0) {
+ error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
+ printf("ipfw_hook() error\n");
+ }
+#ifdef INET6
+ if (V_fw6_enable && ipfw6_hook() != 0) {
+ error = ENOENT;
+ printf("ipfw6_hook() error\n");
+ }
+#endif
+#endif /* !linux */
+ return (error);
+}