PERFORCE change 144319 for review

Julian Elischer julian at FreeBSD.org
Sun Jun 29 23:46:50 UTC 2008


http://perforce.freebsd.org/chv.cgi?CH=144319

Change 144319 by julian at julian_trafmon1 on 2008/06/29 23:46:11

	attempt to integrate the changed version

Affected files ...

.. //depot/projects/vimage-commit3/src/sys/netinet/ip_fw.h#3 integrate

Differences ...

==== //depot/projects/vimage-commit3/src/sys/netinet/ip_fw.h#3 (text+ko) ====

@@ -28,6 +28,9 @@
 #ifndef _IPFW2_H
 #define _IPFW2_H
 
+#include <sys/rwlock.h>
+#include <net/radix.h>
+
 /*
  * The kernel representation of ipfw rules is made of a list of
  * 'instructions' (for all practical purposes equivalent to BPF
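Review bot: The two new includes land at the top of the header, outside any `#ifdef _KERNEL`, while the only type they are needed for in this change is `struct ip_fw_chain`, which itself sits under `#ifdef _KERNEL`. As far as I know ip_fw.h is also consumed by the userland ipfw(8) sources, and `<sys/rwlock.h>` and `<net/radix.h>` are kernel headers, so a userland build may now pull in declarations it should not see or fail outright. Wrapping the pair in `#ifdef _KERNEL` / `#endif`, or moving them into the `#ifdef _KERNEL` section where `struct ip_fw_chain` is now defined, keeps the header's userland surface unchanged.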
@@ -549,7 +552,40 @@
  * Main firewall chains definitions and global var's definitions.
  */
 #ifdef _KERNEL
+#ifdef NOTYET /* still in ip_fw2.c */
+
+/*
+ * Data structure to cache our ucred related
+ * information. This structure only gets used if
+ * the user specified UID/GID based constraints in
+ * a firewall rule.
+ */
+struct ip_fw_ugid {
+	gid_t		fw_groups[NGROUPS];
+	int		fw_ngroups;
+	uid_t		fw_uid;
+	int		fw_prid;
+};
+#endif
+
+
+#define	IPFW_TABLES_MAX		128
+struct ip_fw_chain {
+	struct ip_fw	*rules;		/* list of rules */
+	struct ip_fw	*reap;		/* list of rules to reap */
+	LIST_HEAD(, cfg_nat) nat;	/* list of nat entries */
+	struct radix_node_head *tables[IPFW_TABLES_MAX];
+	struct rwlock	rwmtx;
+};
 
+#ifdef NOTYET /* still in ip_fw2.c */
+struct table_entry {
+	struct radix_node	rn[2];
+	struct sockaddr_in	addr, mask;
+	u_int32_t		value;
+};
+#endif
+
 /* Return values from ipfw_chk() */
 enum {
 	IP_FW_PASS = 0,
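Review bot: The two `#ifdef NOTYET` blocks add copies of `struct ip_fw_ugid` and `struct table_entry` that, per their own comments, are still defined in ip_fw2.c; if NOTYET is ever defined the kernel gets duplicate definitions, and until then the header copy can silently drift from the live one. That matters most for `ip_fw_ugid`, since it is the structure the UID/GID rule matching relies on, so a mismatched `fw_groups`/`fw_ngroups` layout would be easy to miss. Either leave the copies out until the definitions actually move, or mark them so nobody treats the header as authoritative, e.g. `/* XXX verbatim copy of the ip_fw2.c definition; delete the ip_fw2.c one when NOTYET is lifted */`. Note also that `NGROUPS` and `LIST_HEAD` require `<sys/param.h>` and `<sys/queue.h>` to be in scope here; I cannot tell from this hunk whether the header already includes them.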
@@ -616,14 +652,18 @@
 
 int ipfw_init(void);
 void ipfw_destroy(void);
+void ipfw_nat_destroy(void);
 
 typedef int ip_fw_ctl_t(struct sockopt *);
 extern ip_fw_ctl_t *ip_fw_ctl_ptr;
+
+#ifndef VIMAGE
 extern int fw_one_pass;
 extern int fw_enable;
 #ifdef INET6
 extern int fw6_enable;
 #endif
+#endif
 
 /* For kernel ipfw_ether and ipfw_bridge. */
 typedef	int ip_fw_chk_t(struct ip_fw_args *args);
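Review bot: Under VIMAGE the `fw_one_pass`, `fw_enable` and `fw6_enable` externs disappear, so any kernel file that still names them directly (rather than through `VNET_IPFW(sym)`) will compile in the default build but break only when VIMAGE is defined, which is the kind of split that goes unnoticed until a VIMAGE build is attempted. A short comment on the `#ifndef VIMAGE` line would steer readers to the per-vnet copies: `/* Under VIMAGE these live in struct vnet_ipfw; access them via VNET_IPFW(sym). */`. Also, the extern for `fw6_enable` stays conditional on INET6 while the `_fw6_enable` member added to `struct vnet_ipfw` later in this change is unconditional; harmless, but the two should probably agree.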
@@ -632,14 +672,6 @@
 
 #ifdef IPFW_INTERNAL
 
-#define	IPFW_TABLES_MAX		128
-struct ip_fw_chain {
-	struct ip_fw	*rules;		/* list of rules */
-	struct ip_fw	*reap;		/* list of rules to reap */
-	LIST_HEAD(, cfg_nat) nat;       /* list of nat entries */
-	struct radix_node_head *tables[IPFW_TABLES_MAX];
-	struct rwlock	rwmtx;
-};
 #define	IPFW_LOCK_INIT(_chain) \
 	rw_init(&(_chain)->rwmtx, "IPFW static rules")
 #define	IPFW_LOCK_DESTROY(_chain)	rw_destroy(&(_chain)->rwmtx)
@@ -663,10 +695,52 @@
 #endif
 
 /*
+ * Stack virtualization support.
+ */
+#ifdef VIMAGE
+struct vnet_ipfw {
+	int	_fw_one_pass;
+	int	_fw_enable;
+	int	_fw6_enable;
+
+	u_int32_t _set_disable;
+	int	_fw_deny_unknown_exthdrs;
+	int	_fw_verbose;
+	int	_verbose_limit;
+	int	_fw_debug;
+	int	_autoinc_step;
+
+	ipfw_dyn_rule **_ipfw_dyn_v;
+	struct ip_fw_chain _layer3_chain;
+	u_int32_t _dyn_buckets;
+	u_int32_t _curr_dyn_buckets;
+
+	u_int32_t _dyn_ack_lifetime;
+	u_int32_t _dyn_syn_lifetime;
+	u_int32_t _dyn_fin_lifetime;
+	u_int32_t _dyn_rst_lifetime;
+	u_int32_t _dyn_udp_lifetime;
+	u_int32_t _dyn_short_lifetime;
+	u_int32_t _dyn_keepalive_interval;
+	u_int32_t _dyn_keepalive_period;
+	u_int32_t _dyn_keepalive;
+	u_int32_t _static_count;
+	u_int32_t _static_len;
+	u_int32_t _dyn_count;
+	u_int32_t _dyn_max;
+
+	u_int64_t _norule_counter;
+
+	struct callout _ipfw_timeout;
+};
+#endif
+
+/*
  * Symbol translation macros
  */
 
-#define INIT_VNET_IPFW(vnet)	int vnet_ipfw;
+#define INIT_VNET_IPFW(vnet) \
+	INIT_FROM_VNET(vnet, VNET_MOD_IPFW, struct vnet_ipfw, vnet_ipfw)
  
 #define VNET_IPFW(sym)		VSYM(vnet_ipfw, sym)
  
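Review bot: `struct vnet_ipfw` carries no comment explaining its contract, yet from `INIT_FROM_VNET(vnet, VNET_MOD_IPFW, struct vnet_ipfw, vnet_ipfw)` and `VSYM(vnet_ipfw, sym)` it appears every member must mirror an ip_fw2.c global under the same name with a leading underscore, which is a maintenance rule worth stating above the struct, e.g. `/* Per-vnet instance of the ip_fw2.c globals; each member _foo must match a global foo and is reached via VNET_IPFW(foo). */`. Two details I cannot confirm from this hunk: `struct callout _ipfw_timeout` needs `<sys/callout.h>` in scope, so if the header does not already include it that belongs next to the new includes at the top, and `INIT_VNET_IPFW` now mentions `struct vnet_ipfw` unconditionally while the struct is only defined under VIMAGE, which is fine only if `INIT_FROM_VNET` drops its type argument in non-VIMAGE builds. `_fw6_enable` is also present regardless of INET6, unlike the `fw6_enable` extern kept for the non-VIMAGE case.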

