Minor fixes: use tabs instead of spaces.
# To build on system with non standard Kernel sources or userland files,
# you should run this with
#
# To build on system with non standard Kernel sources or userland files,
# you should run this with
#
-# make KERNELPATH=/path/to/linux-2.x.y.z USRDIR=/path/to/usr
+# make KERNELPATH=/path/to/linux-2.x.y.z USRDIR=/path/to/usr
#
# We assume that $(USRDIR) contains include/ and lib/ used to build userland.
#
# We assume that $(USRDIR) contains include/ and lib/ used to build userland.
# O_TARGET the link target, for openwrt
# EXTRA_CFLAGS as the name says... in openwrt
# EXTRA_CFLAGS is used in 2.6.22 module kernel compilation too
# O_TARGET the link target, for openwrt
# EXTRA_CFLAGS as the name says... in openwrt
# EXTRA_CFLAGS is used in 2.6.22 module kernel compilation too
-# KERNELPATH the path to the kernel sources or headers
+# KERNELPATH the path to the kernel sources or headers
#
# Not sure about this (the name might be reserved)
# ipfw-cflags our flags for building the module
#
# Other variables are only private and can be renamed. They include:
#
#
# Not sure about this (the name might be reserved)
# ipfw-cflags our flags for building the module
#
# Other variables are only private and can be renamed. They include:
#
-# VER linux version we are building for (2.4 2.6 or openwrt)
+# VER linux version we are building for (2.4 2.6 or openwrt)
#---
$(warning including dummynet/Makefile)
#---
$(warning including dummynet/Makefile)
ipfw-cflags += -DIPFIREWALL_DEFAULT_TO_ACCEPT -DTRACE
# _BSD_SOURCE enables __FAVOR_BSD (udp/tcp bsd structs instead of posix)
ipfw-cflags += -D_BSD_SOURCE
ipfw-cflags += -DIPFIREWALL_DEFAULT_TO_ACCEPT -DTRACE
# _BSD_SOURCE enables __FAVOR_BSD (udp/tcp bsd structs instead of posix)
ipfw-cflags += -D_BSD_SOURCE
-ipfw-cflags += -DKERNEL_MODULE # build linux kernel module
+ipfw-cflags += -DKERNEL_MODULE # build linux kernel module
# the two header trees for empty and override files
ipfw-cflags += -I $(M)/include_e -I $(M)/include
# the two header trees for empty and override files
ipfw-cflags += -I $(M)/include_e -I $(M)/include
-ipfw-cflags += -include $(M)/../glue.h # headers
+ipfw-cflags += -include $(M)/../glue.h # headers
$(warning "---- Building dummynet kernel module for Version $(VER)")
# We have three sections for OpenWrt, Linux 2.4 and Linux 2.6
$(warning "---- Building dummynet kernel module for Version $(VER)")
# We have three sections for OpenWrt, Linux 2.4 and Linux 2.6
ccflags-y += -O1 -DLINUX_24
CFLAGS = -DMODULE -D__KERNEL__ -nostdinc \
ccflags-y += -O1 -DLINUX_24
CFLAGS = -DMODULE -D__KERNEL__ -nostdinc \
- -isystem ${KERNELPATH}/include -isystem $(MYGCC_INCLUDE) ${ccflags-y}
+ -isystem ${KERNELPATH}/include -isystem $(MYGCC_INCLUDE) ${ccflags-y}
# The Main target
all: mod24
# The Main target
all: mod24
/*
* XXX On zeroshell (2.6.25.17) we get a load error
/*
* XXX On zeroshell (2.6.25.17) we get a load error
- * __you_cannot_kmalloc_that_much
+ * __you_cannot_kmalloc_that_much
* which is triggered when kmalloc() is called with a large
* compile-time constant argument (include/linux/slab_def.h)
*
* which is triggered when kmalloc() is called with a large
* compile-time constant argument (include/linux/slab_def.h)
*
pkt = dn_tag_get(m);
pkt->dn_dir = DN_TO_DROP;
}
pkt = dn_tag_get(m);
pkt->dn_dir = DN_TO_DROP;
}
- dummynet_send(m); /* drop the packet */
+ dummynet_send(m); /* drop the packet */
*m0 = NULL;
return ((fs && (fs->flags_fs & DN_NOERROR)) ? 0 : ENOBUFS);
}
*m0 = NULL;
return ((fs && (fs->flags_fs & DN_NOERROR)) ? 0 : ENOBUFS);
}
netisr_dispatch(-1, _m); \
} while (0)
#else
netisr_dispatch(-1, _m); \
} while (0)
#else
-#define DN_FREE_PKT(_m) do { \
+#define DN_FREE_PKT(_m) do { \
m_freem(_m); \
} while (0)
#endif
m_freem(_m); \
} while (0)
#endif
switch (sopt->sopt_name) {
default :
printf("dummynet: -- unknown option %d", sopt->sopt_name);
switch (sopt->sopt_name) {
default :
printf("dummynet: -- unknown option %d", sopt->sopt_name);
break ;
case IP_DUMMYNET_GET :
break ;
case IP_DUMMYNET_GET :
match = (ugp->fw_groups[1] == (uid_t)insn->d[0]);
else if (insn->o.opcode == O_GID)
match = (ugp->fw_groups[0] == (uid_t)insn->d[0]);
match = (ugp->fw_groups[1] == (uid_t)insn->d[0]);
else if (insn->o.opcode == O_GID)
match = (ugp->fw_groups[0] == (uid_t)insn->d[0]);
return match;
#else /* FreeBSD */
return match;
#else /* FreeBSD */
(ipfw_insn_limit *)cmd, args, tablearg)) {
retval = IP_FW_DENY;
/* was goto done; */ /* error/limit violation */
(ipfw_insn_limit *)cmd, args, tablearg)) {
retval = IP_FW_DENY;
/* was goto done; */ /* error/limit violation */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
l = f->cmd_len - f->act_ofs;
IPFW_DYN_UNLOCK();
/* previously was goto check_body; */
l = f->cmd_len - f->act_ofs;
IPFW_DYN_UNLOCK();
/* previously was goto check_body; */
- cmdlen = 0; /* make null for() changes */
- match = 1; /* do not break to the external loop */
+ cmdlen = 0; /* make null for() changes */
+ match = 1; /* do not break to the external loop */
case O_ACCEPT:
retval = 0; /* accept */
/* was goto done; */
case O_ACCEPT:
retval = 0; /* accept */
/* was goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
args->cookie = cmd->arg1;
retval = IP_FW_DUMMYNET;
/* was goto done; */
args->cookie = cmd->arg1;
retval = IP_FW_DUMMYNET;
/* was goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
retval = (cmd->opcode == O_DIVERT) ?
IP_FW_DIVERT : IP_FW_TEE;
/* was goto done; */
retval = (cmd->opcode == O_DIVERT) ?
IP_FW_DIVERT : IP_FW_TEE;
/* was goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
f->timestamp = time_uptime;
if (cmd->opcode == O_COUNT) {
/* was goto next_rule; */
f->timestamp = time_uptime;
if (cmd->opcode == O_COUNT) {
/* was goto next_rule; */
- l = 0; /* exit the inner loop */
- match = 1; /* do not break the loop */
+ l = 0; /* exit the inner loop */
+ match = 1; /* do not break the loop */
break;
}
/* handle skipto */
break;
}
/* handle skipto */
while (f && (set_disable & (1 << f->set)))
f = f->next;
/* prepare to re-enter the inner loop. */
while (f && (set_disable & (1 << f->set)))
f = f->next;
/* prepare to re-enter the inner loop. */
- if (f) { /* better safe than sorry */
+ if (f) { /* better safe than sorry */
l = f->cmd_len;
cmd = f->cmd;
} else {
l = f->cmd_len;
cmd = f->cmd;
} else {
- l = 0; /* this will break the inner loop */
+ l = 0; /* this will break the inner loop */
- cmdlen = 0; /* reset loop condition */
+ cmdlen = 0; /* reset loop condition */
- match = 1; /* do not break the loop */
+ match = 1; /* do not break the loop */
case O_DENY:
retval = IP_FW_DENY;
/* goto done; */
case O_DENY:
retval = IP_FW_DENY;
/* goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
break;
case O_FORWARD_IP: {
break;
case O_FORWARD_IP: {
- }
- /* goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
- break;
+ }
+ /* goto done; */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
+ break;
case O_NETGRAPH:
case O_NGTEE:
case O_NETGRAPH:
case O_NGTEE:
retval = (cmd->opcode == O_NETGRAPH) ?
IP_FW_NETGRAPH : IP_FW_NGTEE;
/* goto done; */
retval = (cmd->opcode == O_NETGRAPH) ?
IP_FW_NETGRAPH : IP_FW_NGTEE;
/* goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
if (t == NULL) {
retval = IP_FW_DENY;
/* goto done; */
if (t == NULL) {
retval = IP_FW_DENY;
/* goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
break;
}
if (cmd->arg1 != IP_FW_TABLEARG)
break;
}
if (cmd->arg1 != IP_FW_TABLEARG)
} else
retval = IP_FW_DENY;
/* goto done; */
} else
retval = IP_FW_DENY;
/* goto done; */
- l = 0; /* break the inner loop */
- done = 1; /* break the external loop */
+ l = 0; /* break the inner loop */
+ done = 1; /* break the external loop */
-/* next_rule:; */ /* try next rule */
+/* next_rule:; */ /* try next rule */
} /* end of outer for, scan rules */
if (done) {
} /* end of outer for, scan rules */
if (done) {
int i;
time_t boot_seconds;
int i;
time_t boot_seconds;
- boot_seconds = boottime.tv_sec;
+ boot_seconds = boottime.tv_sec;
/* XXX this can take a long time and locking will block packet flow */
IPFW_RLOCK(chain);
/* XXX this can take a long time and locking will block packet flow */
IPFW_RLOCK(chain);
char *bp = buf;
char *ep = bp + space;
int i;
char *bp = buf;
char *ep = bp + space;
int i;
printf("dynrules requested\n");
boot_seconds = boottime.tv_sec;
printf("dynrules requested\n");
boot_seconds = boottime.tv_sec;
0 : dst->expire - time_uptime ;
bp += sizeof(ipfw_dyn_rule);
} else {
0 : dst->expire - time_uptime ;
bp += sizeof(ipfw_dyn_rule);
} else {
- p = NULL; /* break the loop */
+ p = NULL; /* break the loop */
i = curr_dyn_buckets;
}
}
i = curr_dyn_buckets;
}
}
mods[i].mod->evhand(NULL, MOD_UNLOAD, mods[i].mod->priv);
}
}
mods[i].mod->evhand(NULL, MOD_UNLOAD, mods[i].mod->priv);
}
}
-/*--- end of module bindinghelper functions ---*/
+/*--- end of module binding helper functions ---*/
* - the hook names change between macros (NF_IP*) and enum NF_INET_*
*
* - the second argument to the netfilter hook is
* - the hook names change between macros (NF_IP*) and enum NF_INET_*
*
* - the second argument to the netfilter hook is
- * struct sk_buff ** in kernels <= 2.6.22
- * struct sk_buff * in kernels > 2.6.22
+ * struct sk_buff ** in kernels <= 2.6.22
+ * struct sk_buff * in kernels > 2.6.22
*
* - NF_STOP is not defined before 2.6 so we remap it to NF_ACCEPT
*
* - the packet descriptor passed to the queue handler is
*
* - NF_STOP is not defined before 2.6 so we remap it to NF_ACCEPT
*
* - the packet descriptor passed to the queue handler is
- * struct nf_info in kernels <= 2.6.24
- * struct nf_queue_entry in kernels <= 2.6.24
+ * struct nf_info in kernels <= 2.6.24
+ * struct nf_queue_entry in kernels <= 2.6.24
*
* - the arguments to the queue handler also change;
*/
*
* - the arguments to the queue handler also change;
*/
/*
* declare hook to grab packets from the netfilter interface.
* The NF_* names change in different versions of linux, in some
/*
* declare hook to grab packets from the netfilter interface.
* The NF_* names change in different versions of linux, in some
*
* The chain is the following
* sk_buff* sock* socket* file*
*
* The chain is the following
* sk_buff* sock* socket* file*
- * skb -> sk ->sk_socket->file ->f_owner ->pid
- * skb -> sk ->sk_socket->file ->f_uid (direct)
- * skb -> sk ->sk_socket->file ->f_cred->fsuid (2.6.29+)
+ * skb -> sk ->sk_socket->file ->f_owner ->pid
+ * skb -> sk ->sk_socket->file ->f_uid (direct)
+ * skb -> sk ->sk_socket->file ->f_cred->fsuid (2.6.29+)
- * linux/skbuff.h struct skbuff
- * net/sock.h struct sock
- * linux/net.h struct socket
- * linux/fs.h struct file
+ * linux/skbuff.h struct skbuff
+ * net/sock.h struct sock
+ * linux/net.h struct socket
+ * linux/fs.h struct file
*
* With vserver we may have sk->sk_xid and sk->sk_nid that
* which we store in fw_groups[1] (matches O_JAIL) and fw_groups[2]
*
* With vserver we may have sk->sk_xid and sk->sk_nid that
* which we store in fw_groups[1] (matches O_JAIL) and fw_groups[2]
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
/* there is no dev_net() on 2.6.25 */
#define _OPT_NET_ARG (skb->dev->nd_net),
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
/* there is no dev_net() on 2.6.25 */
#define _OPT_NET_ARG (skb->dev->nd_net),
-#else /* 2.6.26 and above */
+#else /* 2.6.26 and above */
#define _OPT_NET_ARG dev_net(skb->dev),
#endif
#endif
#define _OPT_NET_ARG dev_net(skb->dev),
#endif
#endif
int profhz; /* profiling clock frequency */
};
int profhz; /* profiling clock frequency */
};
* linux does not have a reentrant version of qsort,
* so we the FreeBSD stdlib version.
*/
* linux does not have a reentrant version of qsort,
* so we the FreeBSD stdlib version.
*/
%{_mandir}/man8/ipfw.8*
%changelog
%{_mandir}/man8/ipfw.8*
%changelog
+* Thu Nov 26 2009 Marta Carbone <marta.carbone@iet.unipi.it> - ipfw-0.9-6
+- completely move netconfig checks into the backend
+
* Mon Nov 09 2009 Thierry Parmentelat <thierry.parmentelat@sophia.inria.fr> - ipfw-0.9-5
- additional features on matching packets, including uid match
* Mon Nov 09 2009 Thierry Parmentelat <thierry.parmentelat@sophia.inria.fr> - ipfw-0.9-5
- additional features on matching packets, including uid match
%{_sysconfdir}/cron.d/ipfw.cron
%changelog
%{_sysconfdir}/cron.d/ipfw.cron
%changelog
+* Thu Nov 26 2009 Marta Carbone <marta.carbone@iet.unipi.it> - ipfw-0.9-6
+- removed goto into the main ipfw switch, enabled slice_id matching
+
* Mon Nov 09 2009 Thierry Parmentelat <thierry.parmentelat@sophia.inria.fr> - ipfw-0.9-5
- additional features on matching packets, including uid match
* Mon Nov 09 2009 Thierry Parmentelat <thierry.parmentelat@sophia.inria.fr> - ipfw-0.9-5
- additional features on matching packets, including uid match
git://git.onelab.eu / ipfw.git / commitdiff