PERFORCE change 150734 for review
Julian Elischer
julian at FreeBSD.org
Wed Oct 1 00:00:34 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=150734
Change 150734 by julian at julian_trafmon1 on 2008/09/30 23:59:56
slight mismerges and omissions
Affected files ...
.. //depot/projects/vimage/src/sys/netinet/ip_fw.h#18 edit
.. //depot/projects/vimage/src/sys/netinet/ip_fw2.c#47 edit
Differences ...
==== //depot/projects/vimage/src/sys/netinet/ip_fw.h#18 (text+ko) ====
@@ -564,6 +564,34 @@
*/
#ifdef _KERNEL
+/*
+ * Data structure to cache our ucred related
+ * information. This structure only gets used if
+ * the user specified UID/GID based constraints in
+ * a firewall rule.
+ */
+struct ip_fw_ugid {
+ gid_t fw_groups[NGROUPS];
+ int fw_ngroups;
+ uid_t fw_uid;
+ int fw_prid;
+};
+
+#define IPFW_TABLES_MAX 128
+struct ip_fw_chain {
+ struct ip_fw *rules; /* list of rules */
+ struct ip_fw *reap; /* list of rules to reap */
+ LIST_HEAD(, cfg_nat) nat; /* list of nat entries */
+ struct radix_node_head *tables[IPFW_TABLES_MAX];
+ struct rwlock rwmtx;
+};
+
+struct table_entry {
+ struct radix_node rn[2];
+ struct sockaddr_in addr, mask;
+ u_int32_t value;
+};
+
/* Return values from ipfw_chk() */
enum {
IP_FW_PASS = 0,
@@ -648,14 +676,6 @@
extern ip_fw_chk_t *ip_fw_chk_ptr;
#define IPFW_LOADED (ip_fw_chk_ptr != NULL)
-struct ip_fw_chain {
- struct ip_fw *rules; /* list of rules */
- struct ip_fw *reap; /* list of rules to reap */
- LIST_HEAD(, cfg_nat) nat; /* list of nat entries */
- struct radix_node_head *tables[IPFW_TABLES_MAX];
- struct rwlock rwmtx;
-};
-
#ifdef IPFW_INTERNAL
#define IPFW_LOCK_INIT(_chain) \
@@ -714,6 +734,7 @@
u_int64_t _norule_counter;
struct callout _ipfw_timeout;
eventhandler_tag _ifaddr_event_tag;
+ struct ip_fw_ugid _fw_ugid_cache;
};
#endif
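Review bot: Placing `struct ip_fw_ugid _fw_ugid_cache;` in the per-vnet structure turns what was a per-call scratch buffer into state shared by every ipfw_chk() invocation in that vnet, and the ip_fw2.c hunks (`#ifndef VIMAGE` around the stack copy, and the `&V_fw_ugid_cache` argument) complete that change without adding any synchronization. The cache's freshness is tracked by the local `int ugid_lookup = 0;` in each call, so if ipfw_chk() can be entered concurrently from several CPUs — which I would expect for the packet path, please confirm — one call may consult credential data filled in by another, and a uid/gid rule could then match against the wrong socket's credentials. The safer shape is to keep the buffer per call in both configurations: leave `struct ip_fw_ugid fw_ugid_cache;` unconditional in ipfw_chk() and keep passing `&fw_ugid_cache`, dropping this per-vnet field and the `V_fw_ugid_cache` macro; if a per-vnet copy is really wanted, it needs its own lock and a comment stating who owns it. The struct's own comment in the first hunk says it is only used when a rule has UID/GID constraints, which no longer describes an unconditionally embedded per-vnet instance.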
@@ -753,7 +774,9 @@
#define V_dyn_max VNET_IPFW(dyn_max)
#define V_norule_counter VNET_IPFW(norule_counter)
#define V_ipfw_timeout VNET_IPFW(ipfw_timeout)
+#define V_ipfw_timeout VNET_IPFW(ipfw_timeout)
#define V_ifaddr_event_tag VNET_IPFW(ifaddr_event_tag)
+#define V_fw_ugid_cache VNET_IPFW(fw_ugid_cache)
#endif /* _KERNEL */
#endif /* _IPFW2_H */
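Review bot: The added `#define V_ipfw_timeout VNET_IPFW(ipfw_timeout)` is a verbatim repeat of the existing line just above it, so this looks like a mismerge rather than an intended change. C permits a redefinition with an identical replacement list, so it compiles silently, but it will confuse the next merge and any grep for the macro; the duplicate line should simply be removed, leaving only the new `#define V_fw_ugid_cache VNET_IPFW(fw_ugid_cache)` as the addition in this hunk.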
==== //depot/projects/vimage/src/sys/netinet/ip_fw2.c#47 (text+ko) ====
@@ -74,7 +74,6 @@
#define IPFW_INTERNAL /* Access to protected data structures in ip_fw.h. */
-#include <netinet/vinet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
@@ -94,6 +93,7 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/sctp.h>
+#include <netinet/vinet.h>
#include <netgraph/ng_ipfw.h>
#include <altq/if_altq.h>
@@ -2162,7 +2162,7 @@
* these types of constraints, as well as decrease contention
* on pcb related locks.
*/
-#if 0
+#ifndef VIMAGE
struct ip_fw_ugid fw_ugid_cache; /* XXX Marko revisit this */
#endif
int ugid_lookup = 0;
@@ -2623,7 +2623,8 @@
(ipfw_insn_u32 *)cmd,
proto, oif,
dst_ip, dst_port,
- src_ip, src_port, &fw_ugid_cache,
+ src_ip, src_port,
+ &V_fw_ugid_cache,
&ugid_lookup, args->inp);
break;