/*
- * Copyright (c) 2004-2007 Apple Inc. All rights reserved.
+ * Copyright (c) 2004-2012 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
- *
+ *
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
- *
+ *
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
- *
+ *
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
- *
+ *
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/* IPFW2 Backward Compatibility */
{ "rst", TH_RST },
{ "urg", TH_URG },
{ "tcp flag", 0 },
- { NULL, 0 }
+ { NULL, 0 }
};
static struct _s_x f_tcpopts[] = {
- { "mss", IP_FW_TCPOPT_MSS },
- { "maxseg", IP_FW_TCPOPT_MSS },
- { "window", IP_FW_TCPOPT_WINDOW },
- { "sack", IP_FW_TCPOPT_SACK },
- { "ts", IP_FW_TCPOPT_TS },
- { "timestamp", IP_FW_TCPOPT_TS },
- { "cc", IP_FW_TCPOPT_CC },
- { "tcp option", 0 },
- { NULL, 0 }
+ { "mss", IP_FW_TCPOPT_MSS },
+ { "maxseg", IP_FW_TCPOPT_MSS },
+ { "window", IP_FW_TCPOPT_WINDOW },
+ { "sack", IP_FW_TCPOPT_SACK },
+ { "ts", IP_FW_TCPOPT_TS },
+ { "timestamp", IP_FW_TCPOPT_TS },
+ { "cc", IP_FW_TCPOPT_CC },
+ { "tcp option", 0 },
+ { NULL, 0 }
};
* (though in fact only the low 5 bits are significant).
*/
static struct _s_x f_ipopts[] = {
- { "ssrr", IP_FW_IPOPT_SSRR},
- { "lsrr", IP_FW_IPOPT_LSRR},
- { "rr", IP_FW_IPOPT_RR},
- { "ts", IP_FW_IPOPT_TS},
- { "ip option", 0 },
- { NULL, 0 }
+ { "ssrr", IP_FW_IPOPT_SSRR},
+ { "lsrr", IP_FW_IPOPT_LSRR},
+ { "rr", IP_FW_IPOPT_RR},
+ { "ts", IP_FW_IPOPT_TS},
+ { "ip option", 0 },
+ { NULL, 0 }
};
static struct _s_x f_iptos[] = {
- { "lowdelay", IPTOS_LOWDELAY},
- { "throughput", IPTOS_THROUGHPUT},
+ { "lowdelay", IPTOS_LOWDELAY},
+ { "throughput", IPTOS_THROUGHPUT},
{ "reliability", IPTOS_RELIABILITY},
- { "mincost", IPTOS_MINCOST},
- { "congestion", IPTOS_CE},
+ { "mincost", IPTOS_MINCOST},
+ { "congestion", IPTOS_CE},
{ "ecntransport", IPTOS_ECT},
{ "ip tos option", 0},
- { NULL, 0 }
+ { NULL, 0 }
};
static struct _s_x limit_masks[] = {
- {"all", DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT},
- {"src-addr", DYN_SRC_ADDR},
- {"src-port", DYN_SRC_PORT},
- {"dst-addr", DYN_DST_ADDR},
- {"dst-port", DYN_DST_PORT},
- {NULL, 0}
+ {"all", DYN_SRC_ADDR | DYN_SRC_PORT | DYN_DST_ADDR | DYN_DST_PORT},
+ {"src-addr", DYN_SRC_ADDR},
+ {"src-port", DYN_SRC_PORT},
+ {"dst-addr", DYN_DST_ADDR},
+ {"dst-port", DYN_DST_PORT},
+ {NULL, 0}
};
#endif /* !FW2_DEBUG_VERBOSE */
{
/* print action */
switch (flags & IP_FW_F_COMMAND_COMPAT) {
- case IP_FW_F_ACCEPT_COMPAT:
- printf("IP_FW_F_ACCEPT_COMPAT\n");
- break;
- case IP_FW_F_COUNT_COMPAT:
- printf("IP_FW_F_COUNT_COMPAT\n");
- break;
- case IP_FW_F_PIPE_COMPAT:
- printf("IP_FW_F_PIPE_COMPAT\n");
- break;
- case IP_FW_F_QUEUE_COMPAT:
- printf("IP_FW_F_QUEUE_COMPAT\n");
- break;
- case IP_FW_F_SKIPTO_COMPAT:
- printf("IP_FW_F_SKIPTO_COMPAT\n");
- break;
- case IP_FW_F_DIVERT_COMPAT:
- printf("IP_FW_F_DIVERT_COMPAT\n");
- break;
- case IP_FW_F_TEE_COMPAT:
- printf("IP_FW_F_TEE_COMPAT\n");
- break;
- case IP_FW_F_FWD_COMPAT:
- printf("IP_FW_F_FWD_COMPAT\n");
- break;
- case IP_FW_F_DENY_COMPAT:
- printf("IP_FW_F_DENY_COMPAT\n");
- break;
- case IP_FW_F_REJECT_COMPAT:
- printf("IP_FW_F_REJECT_COMPAT\n");
- break;
- case IP_FW_F_CHECK_S_COMPAT:
- printf("IP_FW_F_CHECK_S_COMPAT\n");
- break;
- default:
- printf("No action given\n");
- break;
+ case IP_FW_F_ACCEPT_COMPAT:
+ printf("IP_FW_F_ACCEPT_COMPAT\n");
+ break;
+ case IP_FW_F_COUNT_COMPAT:
+ printf("IP_FW_F_COUNT_COMPAT\n");
+ break;
+ case IP_FW_F_PIPE_COMPAT:
+ printf("IP_FW_F_PIPE_COMPAT\n");
+ break;
+ case IP_FW_F_QUEUE_COMPAT:
+ printf("IP_FW_F_QUEUE_COMPAT\n");
+ break;
+ case IP_FW_F_SKIPTO_COMPAT:
+ printf("IP_FW_F_SKIPTO_COMPAT\n");
+ break;
+ case IP_FW_F_DIVERT_COMPAT:
+ printf("IP_FW_F_DIVERT_COMPAT\n");
+ break;
+ case IP_FW_F_TEE_COMPAT:
+ printf("IP_FW_F_TEE_COMPAT\n");
+ break;
+ case IP_FW_F_FWD_COMPAT:
+ printf("IP_FW_F_FWD_COMPAT\n");
+ break;
+ case IP_FW_F_DENY_COMPAT:
+ printf("IP_FW_F_DENY_COMPAT\n");
+ break;
+ case IP_FW_F_REJECT_COMPAT:
+ printf("IP_FW_F_REJECT_COMPAT\n");
+ break;
+ case IP_FW_F_CHECK_S_COMPAT:
+ printf("IP_FW_F_CHECK_S_COMPAT\n");
+ break;
+ default:
+ printf("No action given\n");
+ break;
}
/* print commands */
print_fw_version(u_int32_t api_version)
{
switch (api_version) {
- case IP_FW_VERSION_0:
- printf("Version: %s\n", VERSION_ZERO_STR);
- break;
- case IP_FW_VERSION_1:
- printf("Version: %s\n", VERSION_ONE_STR);
- break;
- case IP_FW_CURRENT_API_VERSION:
- printf("Version: %s\n", CURRENT_API_VERSION_STR);
- break;
- case IP_FW_VERSION_NONE:
- printf("Version: %s\n", NO_VERSION_STR);
- break;
- default:
- printf("Unrecognized version\n");
- break;
+ case IP_FW_VERSION_0:
+ printf("Version: %s\n", VERSION_ZERO_STR);
+ break;
+ case IP_FW_VERSION_1:
+ printf("Version: %s\n", VERSION_ONE_STR);
+ break;
+ case IP_FW_CURRENT_API_VERSION:
+ printf("Version: %s\n", CURRENT_API_VERSION_STR);
+ break;
+ case IP_FW_VERSION_NONE:
+ printf("Version: %s\n", NO_VERSION_STR);
+ break;
+ default:
+ printf("Unrecognized version\n");
+ break;
}
}
print_icmptypes(ipfw_insn_u32 *cmd)
{
int i;
- char sep= ' ';
+ char sep = ' ';
printf(" icmptypes");
for (i = 0; i < 32; i++) {
- if ( (cmd->d[0] & (1 << (i))) == 0)
+ if ((cmd->d[0] & (1 << (i))) == 0) {
continue;
+ }
printf("%c%d", sep, i);
sep = ',';
}
}
printf(" %s ", name);
- for (i=0; list[i].x != 0; i++) {
+ for (i = 0; list[i].x != 0; i++) {
if (set & list[i].x) {
set &= ~list[i].x;
printf("%s%s", comma, list[i].s);
{
int i, n;
- for (i=0; i<len ; i++)
- if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
+ for (i = 0; i < len; i++) {
+ if ((p[i / 8] & (1 << (7 - (i % 8)))) == 0) { /* first bit unset */
break;
- for (n=i+1; n < len; n++)
- if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
+ }
+ }
+ for (n = i + 1; n < len; n++) {
+ if ((p[n / 8] & (1 << (7 - (n % 8)))) != 0) {
return -1; /* mask not contiguous */
+ }
+ }
return i;
}
* addr/mask pairs have len = (2n+1). We convert len to n so we
* use that to count the number of entries.
*/
- for (len = len / 2; len > 0; len--, a += 2) {
- int mb = /* mask length */
- (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
- 32 : contigmask((uint8_t *)&(a[1]), 32);
- if (mb == 0) { /* any */
- printf("any");
- } else { /* numeric IP followed by some kind of mask */
- printf("%s", inet_ntop(AF_INET, &a[0], ipv4str, sizeof(ipv4str)));
- if (mb < 0)
- printf(":%s", inet_ntop(AF_INET, &a[1], ipv4str, sizeof(ipv4str)));
- else if (mb < 32)
- printf("/%d", mb);
- }
- if (len > 1)
- printf(",");
- }
+ for (len = len / 2; len > 0; len--, a += 2) {
+ int mb = /* mask length */
+ (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
+ 32 : contigmask((uint8_t *)&(a[1]), 32);
+ if (mb == 0) { /* any */
+ printf("any");
+ } else { /* numeric IP followed by some kind of mask */
+ printf("%s", inet_ntop(AF_INET, &a[0], ipv4str, sizeof(ipv4str)));
+ if (mb < 0) {
+ printf(":%s", inet_ntop(AF_INET, &a[1], ipv4str, sizeof(ipv4str)));
+ } else if (mb < 32) {
+ printf("/%d", mb);
+ }
+ }
+ if (len > 1) {
+ printf(",");
+ }
+ }
}
/*
{
int l = contigmask(mask, 48);
- if (l == 0)
+ if (l == 0) {
printf(" any");
- else {
+ } else {
printf(" %02x:%02x:%02x:%02x:%02x:%02x",
addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
- if (l == -1)
+ if (l == -1) {
printf("&%02x:%02x:%02x:%02x:%02x:%02x",
mask[0], mask[1], mask[2],
mask[3], mask[4], mask[5]);
- else if (l < 48)
+ } else if (l < 48) {
printf("/%d", l);
+ }
}
}
static void
ipfw_print_vers2_struct(struct ip_fw *vers2_rule)
{
- int l;
- ipfw_insn *cmd;
- ipfw_insn_log *logptr = NULL;
- char ipv4str[MAX_IPv4_STR_LEN];
-
+ int l;
+ ipfw_insn *cmd;
+ ipfw_insn_log *logptr = NULL;
+ char ipv4str[MAX_IPv4_STR_LEN];
+
print_fw_version(vers2_rule->version);
printf("act_ofs: %d\n", vers2_rule->act_ofs);
printf("pcnt: %llu\n", vers2_rule->pcnt);
printf("bcnt: %llu\n", vers2_rule->bcnt);
printf("timestamp: %d\n", vers2_rule->timestamp);
-
+
/*
* first print actions
*/
for (l = vers2_rule->cmd_len - vers2_rule->act_ofs, cmd = ACTION_PTR(vers2_rule);
- l > 0 ; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
- switch(cmd->opcode) {
- case O_CHECK_STATE:
- printf("check-state");
- break;
-
- case O_ACCEPT:
- printf("allow");
- break;
-
- case O_COUNT:
- printf("count");
- break;
-
- case O_DENY:
- printf("deny");
- break;
-
- case O_REJECT:
- if (cmd->arg1 == ICMP_REJECT_RST)
- printf("reset");
- else if (cmd->arg1 == ICMP_UNREACH_HOST)
- printf("reject");
- else
- printf("unreach %u", cmd->arg1);
- break;
-
- case O_SKIPTO:
- printf("skipto %u", cmd->arg1);
- break;
-
- case O_PIPE:
- printf("pipe %u", cmd->arg1);
- break;
-
- case O_QUEUE:
- printf("queue %u", cmd->arg1);
- break;
-
- case O_DIVERT:
- printf("divert %u", cmd->arg1);
- break;
-
- case O_TEE:
- printf("tee %u", cmd->arg1);
- break;
-
- case O_FORWARD_IP:
- {
- ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
-
- printf("fwd %s",
- inet_ntop(AF_INET, &s->sa.sin_addr, ipv4str,
- sizeof(ipv4str)));
- if (s->sa.sin_port)
- printf(",%d", s->sa.sin_port);
- break;
+ l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
+ switch (cmd->opcode) {
+ case O_CHECK_STATE:
+ printf("check-state");
+ break;
+
+ case O_ACCEPT:
+ printf("allow");
+ break;
+
+ case O_COUNT:
+ printf("count");
+ break;
+
+ case O_DENY:
+ printf("deny");
+ break;
+
+ case O_REJECT:
+ if (cmd->arg1 == ICMP_REJECT_RST) {
+ printf("reset");
+ } else if (cmd->arg1 == ICMP_UNREACH_HOST) {
+ printf("reject");
+ } else {
+ printf("unreach %u", cmd->arg1);
}
-
- case O_LOG: /* O_LOG is printed last */
- logptr = (ipfw_insn_log *)cmd;
- break;
-
- default:
- printf("** unrecognized action %d len %d",
- cmd->opcode, cmd->len);
+ break;
+
+ case O_SKIPTO:
+ printf("skipto %u", cmd->arg1);
+ break;
+
+ case O_PIPE:
+ printf("pipe %u", cmd->arg1);
+ break;
+
+ case O_QUEUE:
+ printf("queue %u", cmd->arg1);
+ break;
+
+ case O_DIVERT:
+ printf("divert %u", cmd->arg1);
+ break;
+
+ case O_TEE:
+ printf("tee %u", cmd->arg1);
+ break;
+
+ case O_FORWARD_IP:
+ {
+ ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
+
+ printf("fwd %s",
+ inet_ntop(AF_INET, &s->sa.sin_addr, ipv4str,
+ sizeof(ipv4str)));
+ if (s->sa.sin_port) {
+ printf(",%d", s->sa.sin_port);
+ }
+ break;
+ }
+
+ case O_LOG: /* O_LOG is printed last */
+ logptr = (ipfw_insn_log *)cmd;
+ break;
+
+ default:
+ printf("** unrecognized action %d len %d",
+ cmd->opcode, cmd->len);
}
}
if (logptr) {
- if (logptr->max_log > 0)
+ if (logptr->max_log > 0) {
printf(" log logamount %d", logptr->max_log);
- else
+ } else {
printf(" log");
+ }
}
/*
* then print the body.
*/
- for (l = vers2_rule->act_ofs, cmd = vers2_rule->cmd ;
- l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
+ for (l = vers2_rule->act_ofs, cmd = vers2_rule->cmd;
+ l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
/* useful alias */
ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
- switch(cmd->opcode) {
- case O_PROB:
- break; /* done already */
-
- case O_PROBE_STATE:
- break; /* no need to print anything here */
-
- case O_MACADDR2:
- {
- ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
-
- if (cmd->len & F_NOT)
- printf(" not");
- printf(" MAC");
- print_mac(m->addr, m->mask);
- print_mac(m->addr + 6, m->mask + 6);
- printf("\n");
- break;
+ switch (cmd->opcode) {
+ case O_PROB:
+ break; /* done already */
+
+ case O_PROBE_STATE:
+ break; /* no need to print anything here */
+
+ case O_MACADDR2:
+ {
+ ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
+
+ if (cmd->len & F_NOT) {
+ printf(" not");
}
- case O_MAC_TYPE:
- {
- uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
- int i;
-
- for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
- printf("0x%04x", p[0]);
- if (p[0] != p[1]) {
- printf("-");
- printf("0x%04x", p[1]);
- }
- printf(",");
+ printf(" MAC");
+ print_mac(m->addr, m->mask);
+ print_mac(m->addr + 6, m->mask + 6);
+ printf("\n");
+ break;
+ }
+ case O_MAC_TYPE:
+ {
+ uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
+ printf("0x%04x", p[0]);
+ if (p[0] != p[1]) {
+ printf("-");
+ printf("0x%04x", p[1]);
}
- break;
+ printf(",");
+ }
+ break;
+ }
+ case O_IP_SRC:
+ case O_IP_SRC_MASK:
+ case O_IP_SRC_ME:
+ print_ip((ipfw_insn_ip *)cmd);
+ break;
+
+ case O_IP_DST:
+ case O_IP_DST_MASK:
+ case O_IP_DST_ME:
+ print_ip((ipfw_insn_ip *)cmd);
+ break;
+
+ case O_IP_DSTPORT:
+ case O_IP_SRCPORT:
+ {
+ uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
+ printf("0x%04x", p[0]);
+ if (p[0] != p[1]) {
+ printf("-");
+ printf("0x%04x", p[1]);
+ }
+ printf(",");
+ }
+ break;
+ }
+ case O_PROTO:
+ {
+ printf("O_PROTO");
+
+ if (cmd->len & F_NOT) {
+ printf(" not");
+ }
+
+ printf(" %u", cmd->arg1);
+
+ break;
+ }
+
+ default: /*options ... */
+ {
+ if (cmd->len & F_NOT && cmd->opcode != O_IN) {
+ printf(" not");
}
- case O_IP_SRC:
- case O_IP_SRC_MASK:
- case O_IP_SRC_ME:
- print_ip((ipfw_insn_ip *)cmd);
+ switch (cmd->opcode) {
+ case O_FRAG:
+ printf("O_FRAG");
break;
-
- case O_IP_DST:
- case O_IP_DST_MASK:
- case O_IP_DST_ME:
- print_ip((ipfw_insn_ip *)cmd);
+
+ case O_IN:
+ printf(cmd->len & F_NOT ? " out" : " O_IN");
break;
-
- case O_IP_DSTPORT:
- case O_IP_SRCPORT:
- {
- uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
- int i;
-
- for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
- printf("0x%04x", p[0]);
- if (p[0] != p[1]) {
- printf("-");
- printf("0x%04x", p[1]);
- }
- printf(",");
- }
+
+ case O_LAYER2:
+ printf(" O_LAYER2");
break;
- }
- case O_PROTO:
+ case O_XMIT:
+ case O_RECV:
+ case O_VIA:
{
- printf("O_PROTO");
-
- if (cmd->len & F_NOT)
- printf(" not");
-
- printf(" %u", cmd->arg1);
-
- break;
+ char const *s;
+ ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
+
+ if (cmd->opcode == O_XMIT) {
+ s = "O_XMIT";
+ } else if (cmd->opcode == O_RECV) {
+ s = "O_RECV";
+ } else { /* if (cmd->opcode == O_VIA) */
+ s = "O_VIA";
+ }
+ if (cmdif->name[0] == '\0') {
+ printf(" %s %s", s,
+ inet_ntop(AF_INET, &cmdif->p.ip, ipv4str,
+ sizeof(ipv4str)));
+ } else if (cmdif->p.unit == -1) {
+ printf(" %s %s*", s, cmdif->name);
+ } else {
+ printf(" %s %s%d", s, cmdif->name,
+ cmdif->p.unit);
+ }
}
-
- default: /*options ... */
- {
- if (cmd->len & F_NOT && cmd->opcode != O_IN)
- printf(" not");
- switch(cmd->opcode) {
- case O_FRAG:
- printf("O_FRAG");
- break;
-
- case O_IN:
- printf(cmd->len & F_NOT ? " out" : " O_IN");
- break;
-
- case O_LAYER2:
- printf(" O_LAYER2");
- break;
- case O_XMIT:
- case O_RECV:
- case O_VIA:
- {
- char const *s;
- ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
-
- if (cmd->opcode == O_XMIT)
- s = "O_XMIT";
- else if (cmd->opcode == O_RECV)
- s = "O_RECV";
- else /* if (cmd->opcode == O_VIA) */
- s = "O_VIA";
- if (cmdif->name[0] == '\0') {
- printf(" %s %s", s,
- inet_ntop(AF_INET, &cmdif->p.ip, ipv4str,
- sizeof(ipv4str)));
+ break;
+
+ case O_IPID:
+ if (F_LEN(cmd) == 1) {
+ printf(" ipid %u", cmd->arg1 );
+ } else {
+ uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
+ printf("0x%04x", p[0]);
+ if (p[0] != p[1]) {
+ printf("-");
+ printf("0x%04x", p[1]);
}
- else if (cmdif->p.unit == -1)
- printf(" %s %s*", s, cmdif->name);
- else
- printf(" %s %s%d", s, cmdif->name,
- cmdif->p.unit);
+ printf(",");
}
- break;
-
- case O_IPID:
- if (F_LEN(cmd) == 1)
- printf(" ipid %u", cmd->arg1 );
- else {
- uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
- int i;
-
- for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
- printf("0x%04x", p[0]);
- if (p[0] != p[1]) {
- printf("-");
- printf("0x%04x", p[1]);
- }
- printf(",");
- }
- }
-
- break;
-
- case O_IPTTL:
- if (F_LEN(cmd) == 1)
- printf(" ipttl %u", cmd->arg1 );
- else {
- uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
- int i;
-
- for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
- printf("0x%04x", p[0]);
- if (p[0] != p[1]) {
- printf("-");
- printf("0x%04x", p[1]);
- }
- printf(",");
- }
+ }
+
+ break;
+
+ case O_IPTTL:
+ if (F_LEN(cmd) == 1) {
+ printf(" ipttl %u", cmd->arg1 );
+ } else {
+ uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
+ printf("0x%04x", p[0]);
+ if (p[0] != p[1]) {
+ printf("-");
+ printf("0x%04x", p[1]);
}
-
- break;
-
- case O_IPVER:
- printf(" ipver %u", cmd->arg1 );
- break;
-
- case O_IPPRECEDENCE:
- printf(" ipprecedence %u", (cmd->arg1) >> 5 );
- break;
-
- case O_IPLEN:
- if (F_LEN(cmd) == 1)
- printf(" iplen %u", cmd->arg1 );
- else {
- uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
- int i;
-
- for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
- printf("0x%04x", p[0]);
- if (p[0] != p[1]) {
- printf("-");
- printf("0x%04x", p[1]);
- }
- printf(",");
- }
+ printf(",");
+ }
+ }
+
+ break;
+
+ case O_IPVER:
+ printf(" ipver %u", cmd->arg1 );
+ break;
+
+ case O_IPPRECEDENCE:
+ printf(" ipprecedence %u", (cmd->arg1) >> 5 );
+ break;
+
+ case O_IPLEN:
+ if (F_LEN(cmd) == 1) {
+ printf(" iplen %u", cmd->arg1 );
+ } else {
+ uint16_t *p = ((ipfw_insn_u16 *)cmd)->ports;
+ int i;
+
+ for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
+ printf("0x%04x", p[0]);
+ if (p[0] != p[1]) {
+ printf("-");
+ printf("0x%04x", p[1]);
}
-
- break;
-
- case O_IPOPT:
- print_flags("ipoptions", cmd, f_ipopts);
- break;
-
- case O_IPTOS:
- print_flags("iptos", cmd, f_iptos);
- break;
-
- case O_ICMPTYPE:
- print_icmptypes((ipfw_insn_u32 *)cmd);
- break;
-
- case O_ESTAB:
- printf(" established");
- break;
-
- case O_TCPFLAGS:
- print_flags("tcpflags", cmd, f_tcpflags);
- break;
-
- case O_TCPOPTS:
- print_flags("tcpoptions", cmd, f_tcpopts);
- break;
-
- case O_TCPWIN:
- printf(" tcpwin %d", ntohs(cmd->arg1));
- break;
-
- case O_TCPACK:
- printf(" tcpack %u", ntohl(cmd32->d[0]));
- break;
-
- case O_TCPSEQ:
- printf(" tcpseq %u", ntohl(cmd32->d[0]));
- break;
-
- case O_UID:
- printf(" uid %u", cmd32->d[0]);
- break;
-
- case O_GID:
- printf(" gid %u", cmd32->d[0]);
- break;
-
- case O_VERREVPATH:
- printf(" verrevpath");
- break;
-
- case O_IPSEC:
- printf(" ipsec");
- break;
-
- case O_NOP:
- break;
-
- case O_KEEP_STATE:
- printf(" keep-state");
- break;
-
- case O_LIMIT:
- {
- struct _s_x *p = limit_masks;
- ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
- uint8_t x = c->limit_mask;
- char const *comma = " ";
-
- printf(" limit");
- for (; p->x != 0 ; p++)
- if ((x & p->x) == p->x) {
- x &= ~p->x;
- printf("%s%s", comma, p->s);
- comma = ",";
- }
- printf(" %d", c->conn_limit);
-
- break;
+ printf(",");
+ }
+ }
+
+ break;
+
+ case O_IPOPT:
+ print_flags("ipoptions", cmd, f_ipopts);
+ break;
+
+ case O_IPTOS:
+ print_flags("iptos", cmd, f_iptos);
+ break;
+
+ case O_ICMPTYPE:
+ print_icmptypes((ipfw_insn_u32 *)cmd);
+ break;
+
+ case O_ESTAB:
+ printf(" established");
+ break;
+
+ case O_TCPFLAGS:
+ print_flags("tcpflags", cmd, f_tcpflags);
+ break;
+
+ case O_TCPOPTS:
+ print_flags("tcpoptions", cmd, f_tcpopts);
+ break;
+
+ case O_TCPWIN:
+ printf(" tcpwin %d", ntohs(cmd->arg1));
+ break;
+
+ case O_TCPACK:
+ printf(" tcpack %u", ntohl(cmd32->d[0]));
+ break;
+
+ case O_TCPSEQ:
+ printf(" tcpseq %u", ntohl(cmd32->d[0]));
+ break;
+
+ case O_UID:
+ printf(" uid %u", cmd32->d[0]);
+ break;
+
+ case O_GID:
+ printf(" gid %u", cmd32->d[0]);
+ break;
+
+ case O_VERREVPATH:
+ printf(" verrevpath");
+ break;
+
+ case O_IPSEC:
+ printf(" ipsec");
+ break;
+
+ case O_NOP:
+ break;
+
+ case O_KEEP_STATE:
+ printf(" keep-state");
+ break;
+
+ case O_LIMIT:
+ {
+ struct _s_x *p = limit_masks;
+ ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
+ uint8_t x = c->limit_mask;
+ char const *comma = " ";
+
+ printf(" limit");
+ for (; p->x != 0; p++) {
+ if ((x & p->x) == p->x) {
+ x &= ~p->x;
+ printf("%s%s", comma, p->s);
+ comma = ",";
}
-
- default:
- printf(" [opcode %d len %d]",
- cmd->opcode, cmd->len);
- } /* switch */
- } /* default */
+ }
+ printf(" %d", c->conn_limit);
+
+ break;
+ }
+
+ default:
+ printf(" [opcode %d len %d]",
+ cmd->opcode, cmd->len);
+ } /* switch */
+ } /* default */
} /* switch */
} /* for */
}
static u_int32_t
-fill_compat_tcpflags(u_int32_t flags) {
- u_int32_t flags_compat = 0;
-
- if (flags & TH_FIN)
+fill_compat_tcpflags(u_int32_t flags)
+{
+ u_int32_t flags_compat = 0;
+
+ if (flags & TH_FIN) {
flags_compat |= IP_FW_TCPF_FIN_COMPAT;
- if (flags & TH_SYN)
+ }
+ if (flags & TH_SYN) {
flags_compat |= IP_FW_TCPF_SYN_COMPAT;
- if (flags & TH_RST)
+ }
+ if (flags & TH_RST) {
flags_compat |= IP_FW_TCPF_RST_COMPAT;
- if (flags & TH_PUSH)
+ }
+ if (flags & TH_PUSH) {
flags_compat |= IP_FW_TCPF_PSH_COMPAT;
- if (flags & TH_ACK)
+ }
+ if (flags & TH_ACK) {
flags_compat |= IP_FW_TCPF_ACK_COMPAT;
- if (flags & TH_URG)
+ }
+ if (flags & TH_URG) {
flags_compat |= IP_FW_TCPF_URG_COMPAT;
-
+ }
+
return flags_compat;
}
/* ********************************************
- * *********** Convert from Latest ************
- * ********************************************/
+* *********** Convert from Latest ************
+* ********************************************/
/*
* Things we're actively ignoring:
static void
ipfw_map_from_cmds_32(struct ip_fw_32 *curr_rule, struct ip_fw_compat_32 *compat_rule)
{
- int l;
- ipfw_insn *cmd;
+ int l;
+ ipfw_insn *cmd;
- for (l = curr_rule->act_ofs, cmd = curr_rule->cmd ;
- l > 0 ;
- l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
+ for (l = curr_rule->act_ofs, cmd = curr_rule->cmd;
+ l > 0;
+ l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
/* useful alias */
ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
switch (cmd->opcode) {
- case O_PROTO:
- /* protocol */
- compat_rule->fw_prot = cmd->arg1;
- break;
-
- case O_IP_SRC_ME:
- compat_rule->fw_flg |= IP_FW_F_SME_COMPAT;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
- }
- break;
-
- case O_IP_SRC_MASK:
- {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- compat_rule->fw_src = ip->addr;
- compat_rule->fw_smsk = ip->mask;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
- }
- break;
- }
-
- case O_IP_SRC:
- /* one IP */
- /* source -
- * for now we only deal with one address
- * per rule and ignore sets of addresses
- */
- compat_rule->fw_src.s_addr = cmd32->d[0];
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
- }
- break;
-
- case O_IP_SRCPORT:
- {
- /* source ports */
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i, j;
-
- /* copy list of ports */
- for (i = F_LEN(cmd) - 1, j = 0; i > 0; i--, j++, p += 2) {
- if (p[0] != p[1]) {
- /* this is a range */
- compat_rule->fw_flg |= IP_FW_F_SRNG_COMPAT;
- compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
- compat_rule->fw_uar_compat.fw_pts[j] = p[1];
- } else {
- compat_rule->fw_uar_compat.fw_pts[j] = p[0];
- }
- }
- IP_FW_SETNSRCP_COMPAT(compat_rule, j);
-
- break;
- }
+ case O_PROTO:
+ /* protocol */
+ compat_rule->fw_prot = cmd->arg1;
+ break;
- case O_IP_DST_ME:
- /* destination */
- compat_rule->fw_flg |= IP_FW_F_DME_COMPAT;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
- }
- break;
+ case O_IP_SRC_ME:
+ compat_rule->fw_flg |= IP_FW_F_SME_COMPAT;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
+ }
+ break;
- case O_IP_DST_MASK:
- {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- compat_rule->fw_dst = ip->addr;
- compat_rule->fw_dmsk = ip->mask;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
- }
- break;
+ case O_IP_SRC_MASK:
+ {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ compat_rule->fw_src = ip->addr;
+ compat_rule->fw_smsk = ip->mask;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
}
- case O_IP_DST:
- /* one IP */
- /* dest -
- * for now we only deal with one address
- * per rule, and ignore sets of addresses
- */
- compat_rule->fw_dst.s_addr = cmd32->d[0];
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
- }
- break;
-
- case O_IP_DSTPORT:
- {
- /* dest. ports */
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i,
- j = IP_FW_GETNSRCP_COMPAT(compat_rule);
-
- /* copy list of ports */
- for (i = F_LEN(cmd) - 1; i > 0; i--, j++, p += 2) {
- if (p[0] != p[1]) {
- /* this is a range */
- compat_rule->fw_flg |= IP_FW_F_DRNG_COMPAT;
- compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
- compat_rule->fw_uar_compat.fw_pts[j] = p[1];
- } else {
- compat_rule->fw_uar_compat.fw_pts[j] = p[0];
- }
- }
- IP_FW_SETNDSTP_COMPAT(compat_rule, (j - IP_FW_GETNSRCP_COMPAT(compat_rule)));
-
- break;
+ break;
+ }
+
+ case O_IP_SRC:
+ /* one IP */
+ /* source -
+ * for now we only deal with one address
+ * per rule and ignore sets of addresses
+ */
+ compat_rule->fw_src.s_addr = cmd32->d[0];
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
}
-
- case O_LOG:
- {
- ipfw_insn_log *c = (ipfw_insn_log *)cmd;
-
- compat_rule->fw_flg |= IP_FW_F_PRN_COMPAT;
- compat_rule->fw_logamount = c->max_log;
- break;
- }
- case O_UID:
- compat_rule->fw_flg |= IP_FW_F_UID_COMPAT;
- compat_rule->fw_uid = cmd32->d[0];
- break;
-
- case O_IN:
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_OUT_COMPAT;
- } else {
- compat_rule->fw_flg |= IP_FW_F_IN_COMPAT;
- }
- break;
-
- case O_KEEP_STATE:
- compat_rule->fw_flg |= IP_FW_F_KEEP_S_COMPAT;
- break;
+ break;
- case O_LAYER2:
- compat_rule->fw_flg |= IP_FW_BRIDGED_COMPAT;
- break;
-
- case O_XMIT:
- {
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu;
-
- if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
- /* any */
- compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
- ifu.fu_via_ip.s_addr = 0;
- }
- else if (ifcmd->p.ip.s_addr != 0) {
- compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
- ifu.fu_via_ip = ifcmd->p.ip;
+ case O_IP_SRCPORT:
+ {
+ /* source ports */
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i, j;
+
+ /* copy list of ports */
+ for (i = F_LEN(cmd) - 1, j = 0; i > 0; i--, j++, p += 2) {
+ if (p[0] != p[1]) {
+ /* this is a range */
+ compat_rule->fw_flg |= IP_FW_F_SRNG_COMPAT;
+ compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
+ compat_rule->fw_uar_compat.fw_pts[j] = p[1];
} else {
- compat_rule->fw_flg |= IP_FW_F_OIFNAME_COMPAT;
- strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
- ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ compat_rule->fw_uar_compat.fw_pts[j] = p[0];
}
- compat_rule->fw_out_if = ifu;
-
- break;
}
-
- case O_RECV:
- {
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu;
-
- if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
- /* any */
- compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
- ifu.fu_via_ip.s_addr = 0;
- }
- else if (ifcmd->p.ip.s_addr != 0) {
- compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
- ifu.fu_via_ip = ifcmd->p.ip;
- } else {
- compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
- strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
- ifu.fu_via_if_compat.unit = ifcmd->p.unit;
- }
- compat_rule->fw_in_if = ifu;
-
- break;
+ IP_FW_SETNSRCP_COMPAT(compat_rule, j);
+
+ break;
+ }
+
+ case O_IP_DST_ME:
+ /* destination */
+ compat_rule->fw_flg |= IP_FW_F_DME_COMPAT;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
}
-
- case O_VIA:
- {
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu;
-
- if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
- /* any */
- ifu.fu_via_ip.s_addr = 0;
- }
- else if (ifcmd->name[0] != '\0') {
- compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
- strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
- ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ break;
+
+ case O_IP_DST_MASK:
+ {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ compat_rule->fw_dst = ip->addr;
+ compat_rule->fw_dmsk = ip->mask;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
+ }
+ break;
+ }
+ case O_IP_DST:
+ /* one IP */
+ /* dest -
+ * for now we only deal with one address
+ * per rule, and ignore sets of addresses
+ */
+ compat_rule->fw_dst.s_addr = cmd32->d[0];
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
+ }
+ break;
+
+ case O_IP_DSTPORT:
+ {
+ /* dest. ports */
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i,
+ j = IP_FW_GETNSRCP_COMPAT(compat_rule);
+
+ /* copy list of ports */
+ for (i = F_LEN(cmd) - 1; i > 0; i--, j++, p += 2) {
+ if (p[0] != p[1]) {
+ /* this is a range */
+ compat_rule->fw_flg |= IP_FW_F_DRNG_COMPAT;
+ compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
+ compat_rule->fw_uar_compat.fw_pts[j] = p[1];
} else {
- ifu.fu_via_ip = ifcmd->p.ip;
+ compat_rule->fw_uar_compat.fw_pts[j] = p[0];
}
- compat_rule->fw_flg |= IF_FW_F_VIAHACK_COMPAT;
- compat_rule->fw_out_if = compat_rule->fw_in_if = ifu;
-
- break;
}
+ IP_FW_SETNDSTP_COMPAT(compat_rule, (j - IP_FW_GETNSRCP_COMPAT(compat_rule)));
- case O_FRAG:
- compat_rule->fw_flg |= IP_FW_F_FRAG_COMPAT;
- break;
-
- case O_IPOPT:
- /* IP options */
- compat_rule->fw_ipopt = (cmd->arg1 & 0xff);
- compat_rule->fw_ipnopt = ((cmd->arg1 >> 8) & 0xff);
- break;
-
- case O_TCPFLAGS:
- /* check for "setup" */
- if ((cmd->arg1 & 0xff) == TH_SYN &&
- ((cmd->arg1 >> 8) & 0xff) == TH_ACK) {
- compat_rule->fw_tcpf = IP_FW_TCPF_SYN_COMPAT;
- compat_rule->fw_tcpnf = IP_FW_TCPF_ACK_COMPAT;
- }
- else {
- compat_rule->fw_tcpf = fill_compat_tcpflags(cmd->arg1 & 0xff);
- compat_rule->fw_tcpnf = fill_compat_tcpflags((cmd->arg1 >> 8) & 0xff);
- }
- break;
-
- case O_TCPOPTS:
- /* TCP options */
- compat_rule->fw_tcpopt = (cmd->arg1 & 0xff);
- compat_rule->fw_tcpnopt = ((cmd->arg1 >> 8) & 0xff);
- break;
-
- case O_ESTAB:
- compat_rule->fw_ipflg |= IP_FW_IF_TCPEST_COMPAT;
- break;
-
- case O_ICMPTYPE:
- {
- /* ICMP */
- /* XXX: check this */
- int i, type;
-
- compat_rule->fw_flg |= IP_FW_F_ICMPBIT_COMPAT;
- for (i = 0; i < sizeof(uint32_t) ; i++) {
- type = cmd32->d[0] & i;
-
- compat_rule->fw_uar_compat.fw_icmptypes[type / (sizeof(unsigned) * 8)] |=
- 1 << (type % (sizeof(unsigned) * 8));
- }
- break;
+ break;
+ }
+
+ case O_LOG:
+ {
+ ipfw_insn_log *c = (ipfw_insn_log *)cmd;
+
+ compat_rule->fw_flg |= IP_FW_F_PRN_COMPAT;
+ compat_rule->fw_logamount = c->max_log;
+ break;
+ }
+ case O_UID:
+ compat_rule->fw_flg |= IP_FW_F_UID_COMPAT;
+ compat_rule->fw_uid = cmd32->d[0];
+ break;
+
+ case O_IN:
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_OUT_COMPAT;
+ } else {
+ compat_rule->fw_flg |= IP_FW_F_IN_COMPAT;
}
- default:
- break;
+ break;
+
+ case O_KEEP_STATE:
+ compat_rule->fw_flg |= IP_FW_F_KEEP_S_COMPAT;
+ break;
+
+ case O_LAYER2:
+ compat_rule->fw_flg |= IP_FW_BRIDGED_COMPAT;
+ break;
+
+ case O_XMIT:
+ {
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu;
+
+ if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
+ /* any */
+ compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
+ ifu.fu_via_ip.s_addr = 0;
+ } else if (ifcmd->p.ip.s_addr != 0) {
+ compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
+ ifu.fu_via_ip = ifcmd->p.ip;
+ } else {
+ compat_rule->fw_flg |= IP_FW_F_OIFNAME_COMPAT;
+ strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
+ ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ }
+ compat_rule->fw_out_if = ifu;
+
+ break;
+ }
+
+ case O_RECV:
+ {
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu;
+
+ if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
+ /* any */
+ compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
+ ifu.fu_via_ip.s_addr = 0;
+ } else if (ifcmd->p.ip.s_addr != 0) {
+ compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
+ ifu.fu_via_ip = ifcmd->p.ip;
+ } else {
+ compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
+ strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
+ ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ }
+ compat_rule->fw_in_if = ifu;
+
+ break;
+ }
+
+ case O_VIA:
+ {
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu;
+
+ if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
+ /* any */
+ ifu.fu_via_ip.s_addr = 0;
+ } else if (ifcmd->name[0] != '\0') {
+ compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
+ strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
+ ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ } else {
+ ifu.fu_via_ip = ifcmd->p.ip;
+ }
+ compat_rule->fw_flg |= IF_FW_F_VIAHACK_COMPAT;
+ compat_rule->fw_out_if = compat_rule->fw_in_if = ifu;
+
+ break;
+ }
+
+ case O_FRAG:
+ compat_rule->fw_flg |= IP_FW_F_FRAG_COMPAT;
+ break;
+
+ case O_IPOPT:
+ /* IP options */
+ compat_rule->fw_ipopt = (cmd->arg1 & 0xff);
+ compat_rule->fw_ipnopt = ((cmd->arg1 >> 8) & 0xff);
+ break;
+
+ case O_TCPFLAGS:
+ /* check for "setup" */
+ if ((cmd->arg1 & 0xff) == TH_SYN &&
+ ((cmd->arg1 >> 8) & 0xff) == TH_ACK) {
+ compat_rule->fw_tcpf = IP_FW_TCPF_SYN_COMPAT;
+ compat_rule->fw_tcpnf = IP_FW_TCPF_ACK_COMPAT;
+ } else {
+ compat_rule->fw_tcpf = fill_compat_tcpflags(cmd->arg1 & 0xff);
+ compat_rule->fw_tcpnf = fill_compat_tcpflags((cmd->arg1 >> 8) & 0xff);
+ }
+ break;
+
+ case O_TCPOPTS:
+ /* TCP options */
+ compat_rule->fw_tcpopt = (cmd->arg1 & 0xff);
+ compat_rule->fw_tcpnopt = ((cmd->arg1 >> 8) & 0xff);
+ break;
+
+ case O_ESTAB:
+ compat_rule->fw_ipflg |= IP_FW_IF_TCPEST_COMPAT;
+ break;
+
+ case O_ICMPTYPE:
+ {
+ /* ICMP */
+ /* XXX: check this */
+ int i, type;
+
+ compat_rule->fw_flg |= IP_FW_F_ICMPBIT_COMPAT;
+ for (i = 0; i < sizeof(uint32_t); i++) {
+ type = cmd32->d[0] & i;
+
+ compat_rule->fw_uar_compat.fw_icmptypes[type / (sizeof(unsigned) * 8)] |=
+ 1 << (type % (sizeof(unsigned) * 8));
+ }
+ break;
+ }
+ default:
+ break;
} /* switch */
} /* for */
}
static void
ipfw_map_from_cmds_64(struct ip_fw_64 *curr_rule, struct ip_fw_compat_64 *compat_rule)
{
- int l;
- ipfw_insn *cmd;
- for (l = curr_rule->act_ofs, cmd = curr_rule->cmd ;
- l > 0 ;
- l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
+ int l;
+ ipfw_insn *cmd;
+ for (l = curr_rule->act_ofs, cmd = curr_rule->cmd;
+ l > 0;
+ l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
/* useful alias */
ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
switch (cmd->opcode) {
- case O_PROTO:
- /* protocol */
- compat_rule->fw_prot = cmd->arg1;
- break;
-
- case O_IP_SRC_ME:
- compat_rule->fw_flg |= IP_FW_F_SME_COMPAT;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
- }
- break;
-
- case O_IP_SRC_MASK:
- {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- compat_rule->fw_src = ip->addr;
- compat_rule->fw_smsk = ip->mask;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
- }
- break;
+ case O_PROTO:
+ /* protocol */
+ compat_rule->fw_prot = cmd->arg1;
+ break;
+
+ case O_IP_SRC_ME:
+ compat_rule->fw_flg |= IP_FW_F_SME_COMPAT;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
}
-
- case O_IP_SRC:
- /* one IP */
- /* source -
- * for now we only deal with one address
- * per rule and ignore sets of addresses
- */
- compat_rule->fw_src.s_addr = cmd32->d[0];
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
- }
- break;
-
- case O_IP_SRCPORT:
- {
- /* source ports */
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i, j;
-
- /* copy list of ports */
- for (i = F_LEN(cmd) - 1, j = 0; i > 0; i--, j++, p += 2) {
- if (p[0] != p[1]) {
- /* this is a range */
- compat_rule->fw_flg |= IP_FW_F_SRNG_COMPAT;
- compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
- compat_rule->fw_uar_compat.fw_pts[j] = p[1];
- } else {
- compat_rule->fw_uar_compat.fw_pts[j] = p[0];
- }
+ break;
+
+ case O_IP_SRC_MASK:
+ {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ compat_rule->fw_src = ip->addr;
+ compat_rule->fw_smsk = ip->mask;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
+ }
+ break;
+ }
+
+ case O_IP_SRC:
+ /* one IP */
+ /* source -
+ * for now we only deal with one address
+ * per rule and ignore sets of addresses
+ */
+ compat_rule->fw_src.s_addr = cmd32->d[0];
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVSRC_COMPAT;
+ }
+ break;
+
+ case O_IP_SRCPORT:
+ {
+ /* source ports */
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i, j;
+
+ /* copy list of ports */
+ for (i = F_LEN(cmd) - 1, j = 0; i > 0; i--, j++, p += 2) {
+ if (p[0] != p[1]) {
+ /* this is a range */
+ compat_rule->fw_flg |= IP_FW_F_SRNG_COMPAT;
+ compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
+ compat_rule->fw_uar_compat.fw_pts[j] = p[1];
+ } else {
+ compat_rule->fw_uar_compat.fw_pts[j] = p[0];
}
- IP_FW_SETNSRCP_COMPAT(compat_rule, j);
-
- break;
}
+ IP_FW_SETNSRCP_COMPAT(compat_rule, j);
+
+ break;
+ }
- case O_IP_DST_ME:
+ case O_IP_DST_ME:
/* destination */
- compat_rule->fw_flg |= IP_FW_F_DME_COMPAT;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
- }
- break;
+ compat_rule->fw_flg |= IP_FW_F_DME_COMPAT;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
+ }
+ break;
- case O_IP_DST_MASK:
- {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- compat_rule->fw_dst = ip->addr;
- compat_rule->fw_dmsk = ip->mask;
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
- }
- break;
+ case O_IP_DST_MASK:
+ {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ compat_rule->fw_dst = ip->addr;
+ compat_rule->fw_dmsk = ip->mask;
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
}
- case O_IP_DST:
- /* one IP */
- /* dest -
- * for now we only deal with one address
- * per rule, and ignore sets of addresses
- */
- compat_rule->fw_dst.s_addr = cmd32->d[0];
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
- }
- break;
-
- case O_IP_DSTPORT:
- {
- /* dest. ports */
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i,
- j = IP_FW_GETNSRCP_COMPAT(compat_rule);
-
- /* copy list of ports */
- for (i = F_LEN(cmd) - 1; i > 0; i--, j++, p += 2) {
- if (p[0] != p[1]) {
- /* this is a range */
- compat_rule->fw_flg |= IP_FW_F_DRNG_COMPAT;
- compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
- compat_rule->fw_uar_compat.fw_pts[j] = p[1];
- } else {
- compat_rule->fw_uar_compat.fw_pts[j] = p[0];
- }
- }
- IP_FW_SETNDSTP_COMPAT(compat_rule, (j - IP_FW_GETNSRCP_COMPAT(compat_rule)));
-
- break;
+ break;
+ }
+ case O_IP_DST:
+ /* one IP */
+ /* dest -
+ * for now we only deal with one address
+ * per rule, and ignore sets of addresses
+ */
+ compat_rule->fw_dst.s_addr = cmd32->d[0];
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_INVDST_COMPAT;
}
-
- case O_LOG:
- {
- ipfw_insn_log *c = (ipfw_insn_log *)cmd;
-
- compat_rule->fw_flg |= IP_FW_F_PRN_COMPAT;
- compat_rule->fw_logamount = c->max_log;
- break;
- }
- case O_UID:
- compat_rule->fw_flg |= IP_FW_F_UID_COMPAT;
- compat_rule->fw_uid = cmd32->d[0];
- break;
-
- case O_IN:
- if (cmd->len & F_NOT) {
- compat_rule->fw_flg |= IP_FW_F_OUT_COMPAT;
- } else {
- compat_rule->fw_flg |= IP_FW_F_IN_COMPAT;
- }
- break;
-
- case O_KEEP_STATE:
- compat_rule->fw_flg |= IP_FW_F_KEEP_S_COMPAT;
- break;
+ break;
- case O_LAYER2:
- compat_rule->fw_flg |= IP_FW_BRIDGED_COMPAT;
- break;
-
- case O_XMIT:
- {
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu;
-
- if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
- /* any */
- compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
- ifu.fu_via_ip.s_addr = 0;
- }
- else if (ifcmd->p.ip.s_addr != 0) {
- compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
- ifu.fu_via_ip = ifcmd->p.ip;
+ case O_IP_DSTPORT:
+ {
+ /* dest. ports */
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i,
+ j = IP_FW_GETNSRCP_COMPAT(compat_rule);
+
+ /* copy list of ports */
+ for (i = F_LEN(cmd) - 1; i > 0; i--, j++, p += 2) {
+ if (p[0] != p[1]) {
+ /* this is a range */
+ compat_rule->fw_flg |= IP_FW_F_DRNG_COMPAT;
+ compat_rule->fw_uar_compat.fw_pts[j++] = p[0];
+ compat_rule->fw_uar_compat.fw_pts[j] = p[1];
} else {
- compat_rule->fw_flg |= IP_FW_F_OIFNAME_COMPAT;
- strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
- ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ compat_rule->fw_uar_compat.fw_pts[j] = p[0];
}
- compat_rule->fw_out_if = ifu;
-
- break;
}
-
- case O_RECV:
- {
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu;
-
- if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
- /* any */
- compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
- ifu.fu_via_ip.s_addr = 0;
- }
- else if (ifcmd->p.ip.s_addr != 0) {
- compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
- ifu.fu_via_ip = ifcmd->p.ip;
- } else {
- compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
- strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
- ifu.fu_via_if_compat.unit = ifcmd->p.unit;
- }
- compat_rule->fw_in_if = ifu;
-
- break;
+ IP_FW_SETNDSTP_COMPAT(compat_rule, (j - IP_FW_GETNSRCP_COMPAT(compat_rule)));
+
+ break;
+ }
+
+ case O_LOG:
+ {
+ ipfw_insn_log *c = (ipfw_insn_log *)cmd;
+
+ compat_rule->fw_flg |= IP_FW_F_PRN_COMPAT;
+ compat_rule->fw_logamount = c->max_log;
+ break;
+ }
+ case O_UID:
+ compat_rule->fw_flg |= IP_FW_F_UID_COMPAT;
+ compat_rule->fw_uid = cmd32->d[0];
+ break;
+
+ case O_IN:
+ if (cmd->len & F_NOT) {
+ compat_rule->fw_flg |= IP_FW_F_OUT_COMPAT;
+ } else {
+ compat_rule->fw_flg |= IP_FW_F_IN_COMPAT;
}
-
- case O_VIA:
- {
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu;
-
- if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
- /* any */
- ifu.fu_via_ip.s_addr = 0;
- }
- else if (ifcmd->name[0] != '\0') {
- compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
- strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
- ifu.fu_via_if_compat.unit = ifcmd->p.unit;
- } else {
- ifu.fu_via_ip = ifcmd->p.ip;
- }
- compat_rule->fw_flg |= IF_FW_F_VIAHACK_COMPAT;
- compat_rule->fw_out_if = compat_rule->fw_in_if = ifu;
-
- break;
+ break;
+
+ case O_KEEP_STATE:
+ compat_rule->fw_flg |= IP_FW_F_KEEP_S_COMPAT;
+ break;
+
+ case O_LAYER2:
+ compat_rule->fw_flg |= IP_FW_BRIDGED_COMPAT;
+ break;
+
+ case O_XMIT:
+ {
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu;
+
+ if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
+ /* any */
+ compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
+ ifu.fu_via_ip.s_addr = 0;
+ } else if (ifcmd->p.ip.s_addr != 0) {
+ compat_rule->fw_flg |= IP_FW_F_OIFACE_COMPAT;
+ ifu.fu_via_ip = ifcmd->p.ip;
+ } else {
+ compat_rule->fw_flg |= IP_FW_F_OIFNAME_COMPAT;
+ strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
+ ifu.fu_via_if_compat.unit = ifcmd->p.unit;
}
+ compat_rule->fw_out_if = ifu;
- case O_FRAG:
- compat_rule->fw_flg |= IP_FW_F_FRAG_COMPAT;
- break;
-
- case O_IPOPT:
- /* IP options */
- compat_rule->fw_ipopt = (cmd->arg1 & 0xff);
- compat_rule->fw_ipnopt = ((cmd->arg1 >> 8) & 0xff);
- break;
-
- case O_TCPFLAGS:
- /* check for "setup" */
- if ((cmd->arg1 & 0xff) == TH_SYN &&
- ((cmd->arg1 >> 8) & 0xff) == TH_ACK) {
- compat_rule->fw_tcpf = IP_FW_TCPF_SYN_COMPAT;
- compat_rule->fw_tcpnf = IP_FW_TCPF_ACK_COMPAT;
- }
- else {
- compat_rule->fw_tcpf = fill_compat_tcpflags(cmd->arg1 & 0xff);
- compat_rule->fw_tcpnf = fill_compat_tcpflags((cmd->arg1 >> 8) & 0xff);
- }
- break;
-
- case O_TCPOPTS:
- /* TCP options */
- compat_rule->fw_tcpopt = (cmd->arg1 & 0xff);
- compat_rule->fw_tcpnopt = ((cmd->arg1 >> 8) & 0xff);
- break;
-
- case O_ESTAB:
- compat_rule->fw_ipflg |= IP_FW_IF_TCPEST_COMPAT;
- break;
-
- case O_ICMPTYPE:
- {
- /* ICMP */
- /* XXX: check this */
- int i, type;
-
- compat_rule->fw_flg |= IP_FW_F_ICMPBIT_COMPAT;
- for (i = 0; i < sizeof(uint32_t) ; i++) {
- type = cmd32->d[0] & i;
-
- compat_rule->fw_uar_compat.fw_icmptypes[type / (sizeof(unsigned) * 8)] |=
- 1 << (type % (sizeof(unsigned) * 8));
- }
- break;
+ break;
+ }
+
+ case O_RECV:
+ {
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu;
+
+ if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
+ /* any */
+ compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
+ ifu.fu_via_ip.s_addr = 0;
+ } else if (ifcmd->p.ip.s_addr != 0) {
+ compat_rule->fw_flg |= IP_FW_F_IIFACE_COMPAT;
+ ifu.fu_via_ip = ifcmd->p.ip;
+ } else {
+ compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
+ strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
+ ifu.fu_via_if_compat.unit = ifcmd->p.unit;
}
- default:
- break;
+ compat_rule->fw_in_if = ifu;
+
+ break;
+ }
+
+ case O_VIA:
+ {
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu;
+
+ if ((ifcmd->o.len == 0) && (ifcmd->name[0] == '\0')) {
+ /* any */
+ ifu.fu_via_ip.s_addr = 0;
+ } else if (ifcmd->name[0] != '\0') {
+ compat_rule->fw_flg |= IP_FW_F_IIFNAME_COMPAT;
+ strncpy(ifu.fu_via_if_compat.name, ifcmd->name, sizeof(ifu.fu_via_if_compat.name));
+ ifu.fu_via_if_compat.unit = ifcmd->p.unit;
+ } else {
+ ifu.fu_via_ip = ifcmd->p.ip;
+ }
+ compat_rule->fw_flg |= IF_FW_F_VIAHACK_COMPAT;
+ compat_rule->fw_out_if = compat_rule->fw_in_if = ifu;
+
+ break;
+ }
+
+ case O_FRAG:
+ compat_rule->fw_flg |= IP_FW_F_FRAG_COMPAT;
+ break;
+
+ case O_IPOPT:
+ /* IP options */
+ compat_rule->fw_ipopt = (cmd->arg1 & 0xff);
+ compat_rule->fw_ipnopt = ((cmd->arg1 >> 8) & 0xff);
+ break;
+
+ case O_TCPFLAGS:
+ /* check for "setup" */
+ if ((cmd->arg1 & 0xff) == TH_SYN &&
+ ((cmd->arg1 >> 8) & 0xff) == TH_ACK) {
+ compat_rule->fw_tcpf = IP_FW_TCPF_SYN_COMPAT;
+ compat_rule->fw_tcpnf = IP_FW_TCPF_ACK_COMPAT;
+ } else {
+ compat_rule->fw_tcpf = fill_compat_tcpflags(cmd->arg1 & 0xff);
+ compat_rule->fw_tcpnf = fill_compat_tcpflags((cmd->arg1 >> 8) & 0xff);
+ }
+ break;
+
+ case O_TCPOPTS:
+ /* TCP options */
+ compat_rule->fw_tcpopt = (cmd->arg1 & 0xff);
+ compat_rule->fw_tcpnopt = ((cmd->arg1 >> 8) & 0xff);
+ break;
+
+ case O_ESTAB:
+ compat_rule->fw_ipflg |= IP_FW_IF_TCPEST_COMPAT;
+ break;
+
+ case O_ICMPTYPE:
+ {
+ /* ICMP */
+ /* XXX: check this */
+ int i, type;
+
+ compat_rule->fw_flg |= IP_FW_F_ICMPBIT_COMPAT;
+ for (i = 0; i < sizeof(uint32_t); i++) {
+ type = cmd32->d[0] & i;
+
+ compat_rule->fw_uar_compat.fw_icmptypes[type / (sizeof(unsigned) * 8)] |=
+ 1 << (type % (sizeof(unsigned) * 8));
+ }
+ break;
+ }
+ default:
+ break;
} /* switch */
} /* for */
}
ipfw_map_from_actions_32(struct ip_fw_32 *curr_rule, struct ip_fw_compat_32 *compat_rule)
{
int l;
- ipfw_insn *cmd;
-
+ ipfw_insn *cmd;
+
for (l = curr_rule->cmd_len - curr_rule->act_ofs, cmd = ACTION_PTR(curr_rule);
- l > 0 ;
- l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
+ l > 0;
+ l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
switch (cmd->opcode) {
- case O_ACCEPT:
- compat_rule->fw_flg |= IP_FW_F_ACCEPT_COMPAT;
- break;
- case O_COUNT:
- compat_rule->fw_flg |= IP_FW_F_COUNT_COMPAT;
- break;
- case O_PIPE:
- compat_rule->fw_flg |= IP_FW_F_PIPE_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_QUEUE:
- compat_rule->fw_flg |= IP_FW_F_QUEUE_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_SKIPTO:
- compat_rule->fw_flg |= IP_FW_F_SKIPTO_COMPAT;
- compat_rule->fw_skipto_rule_compat = cmd->arg1;
- break;
- case O_DIVERT:
- compat_rule->fw_flg |= IP_FW_F_DIVERT_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_TEE:
- compat_rule->fw_flg |= IP_FW_F_TEE_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_FORWARD_IP:
- {
- ipfw_insn_sa *p = (ipfw_insn_sa *)cmd;
-
- compat_rule->fw_flg |= IP_FW_F_FWD_COMPAT;
- compat_rule->fw_fwd_ip_compat.sin_len = p->sa.sin_len;
- compat_rule->fw_fwd_ip_compat.sin_family = p->sa.sin_family;
- compat_rule->fw_fwd_ip_compat.sin_port = p->sa.sin_port;
- compat_rule->fw_fwd_ip_compat.sin_addr = p->sa.sin_addr;
+ case O_ACCEPT:
+ compat_rule->fw_flg |= IP_FW_F_ACCEPT_COMPAT;
+ break;
+ case O_COUNT:
+ compat_rule->fw_flg |= IP_FW_F_COUNT_COMPAT;
+ break;
+ case O_PIPE:
+ compat_rule->fw_flg |= IP_FW_F_PIPE_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_QUEUE:
+ compat_rule->fw_flg |= IP_FW_F_QUEUE_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_SKIPTO:
+ compat_rule->fw_flg |= IP_FW_F_SKIPTO_COMPAT;
+ compat_rule->fw_skipto_rule_compat = cmd->arg1;
+ break;
+ case O_DIVERT:
+ compat_rule->fw_flg |= IP_FW_F_DIVERT_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_TEE:
+ compat_rule->fw_flg |= IP_FW_F_TEE_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_FORWARD_IP:
+ {
+ ipfw_insn_sa *p = (ipfw_insn_sa *)cmd;
- break;
- }
- case O_DENY:
- compat_rule->fw_flg |= IP_FW_F_DENY_COMPAT;
- break;
- case O_REJECT:
- compat_rule->fw_flg |= IP_FW_F_REJECT_COMPAT;
- compat_rule->fw_reject_code_compat = cmd->arg1;
- break;
- case O_CHECK_STATE:
- compat_rule->fw_flg |= IP_FW_F_CHECK_S_COMPAT;
- break;
- default:
- break;
+ compat_rule->fw_flg |= IP_FW_F_FWD_COMPAT;
+ compat_rule->fw_fwd_ip_compat.sin_len = p->sa.sin_len;
+ compat_rule->fw_fwd_ip_compat.sin_family = p->sa.sin_family;
+ compat_rule->fw_fwd_ip_compat.sin_port = p->sa.sin_port;
+ compat_rule->fw_fwd_ip_compat.sin_addr = p->sa.sin_addr;
+
+ break;
+ }
+ case O_DENY:
+ compat_rule->fw_flg |= IP_FW_F_DENY_COMPAT;
+ break;
+ case O_REJECT:
+ compat_rule->fw_flg |= IP_FW_F_REJECT_COMPAT;
+ compat_rule->fw_reject_code_compat = cmd->arg1;
+ break;
+ case O_CHECK_STATE:
+ compat_rule->fw_flg |= IP_FW_F_CHECK_S_COMPAT;
+ break;
+ default:
+ break;
}
}
}
ipfw_map_from_actions_64(struct ip_fw_64 *curr_rule, struct ip_fw_compat_64 *compat_rule)
{
int l;
- ipfw_insn *cmd;
+ ipfw_insn *cmd;
for (l = curr_rule->cmd_len - curr_rule->act_ofs, cmd = ACTION_PTR(curr_rule);
- l > 0 ;
- l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
+ l > 0;
+ l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
switch (cmd->opcode) {
- case O_ACCEPT:
- compat_rule->fw_flg |= IP_FW_F_ACCEPT_COMPAT;
- break;
- case O_COUNT:
- compat_rule->fw_flg |= IP_FW_F_COUNT_COMPAT;
- break;
- case O_PIPE:
- compat_rule->fw_flg |= IP_FW_F_PIPE_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_QUEUE:
- compat_rule->fw_flg |= IP_FW_F_QUEUE_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_SKIPTO:
- compat_rule->fw_flg |= IP_FW_F_SKIPTO_COMPAT;
- compat_rule->fw_skipto_rule_compat = cmd->arg1;
- break;
- case O_DIVERT:
- compat_rule->fw_flg |= IP_FW_F_DIVERT_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_TEE:
- compat_rule->fw_flg |= IP_FW_F_TEE_COMPAT;
- compat_rule->fw_divert_port_compat = cmd->arg1;
- break;
- case O_FORWARD_IP:
- {
- ipfw_insn_sa *p = (ipfw_insn_sa *)cmd;
-
- compat_rule->fw_flg |= IP_FW_F_FWD_COMPAT;
- compat_rule->fw_fwd_ip_compat.sin_len = p->sa.sin_len;
- compat_rule->fw_fwd_ip_compat.sin_family = p->sa.sin_family;
- compat_rule->fw_fwd_ip_compat.sin_port = p->sa.sin_port;
- compat_rule->fw_fwd_ip_compat.sin_addr = p->sa.sin_addr;
+ case O_ACCEPT:
+ compat_rule->fw_flg |= IP_FW_F_ACCEPT_COMPAT;
+ break;
+ case O_COUNT:
+ compat_rule->fw_flg |= IP_FW_F_COUNT_COMPAT;
+ break;
+ case O_PIPE:
+ compat_rule->fw_flg |= IP_FW_F_PIPE_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_QUEUE:
+ compat_rule->fw_flg |= IP_FW_F_QUEUE_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_SKIPTO:
+ compat_rule->fw_flg |= IP_FW_F_SKIPTO_COMPAT;
+ compat_rule->fw_skipto_rule_compat = cmd->arg1;
+ break;
+ case O_DIVERT:
+ compat_rule->fw_flg |= IP_FW_F_DIVERT_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_TEE:
+ compat_rule->fw_flg |= IP_FW_F_TEE_COMPAT;
+ compat_rule->fw_divert_port_compat = cmd->arg1;
+ break;
+ case O_FORWARD_IP:
+ {
+ ipfw_insn_sa *p = (ipfw_insn_sa *)cmd;
- break;
- }
- case O_DENY:
- compat_rule->fw_flg |= IP_FW_F_DENY_COMPAT;
- break;
- case O_REJECT:
- compat_rule->fw_flg |= IP_FW_F_REJECT_COMPAT;
- compat_rule->fw_reject_code_compat = cmd->arg1;
- break;
- case O_CHECK_STATE:
- compat_rule->fw_flg |= IP_FW_F_CHECK_S_COMPAT;
- break;
- default:
- break;
+ compat_rule->fw_flg |= IP_FW_F_FWD_COMPAT;
+ compat_rule->fw_fwd_ip_compat.sin_len = p->sa.sin_len;
+ compat_rule->fw_fwd_ip_compat.sin_family = p->sa.sin_family;
+ compat_rule->fw_fwd_ip_compat.sin_port = p->sa.sin_port;
+ compat_rule->fw_fwd_ip_compat.sin_addr = p->sa.sin_addr;
+
+ break;
+ }
+ case O_DENY:
+ compat_rule->fw_flg |= IP_FW_F_DENY_COMPAT;
+ break;
+ case O_REJECT:
+ compat_rule->fw_flg |= IP_FW_F_REJECT_COMPAT;
+ compat_rule->fw_reject_code_compat = cmd->arg1;
+ break;
+ case O_CHECK_STATE:
+ compat_rule->fw_flg |= IP_FW_F_CHECK_S_COMPAT;
+ break;
+ default:
+ break;
}
}
}
static void
ipfw_version_latest_to_one_32(struct ip_fw_32 *curr_rule, struct ip_fw_compat_32 *rule_vers1)
{
- if (!rule_vers1)
+ if (!rule_vers1) {
return;
-
- bzero(rule_vers1, sizeof(struct ip_fw_compat));
-
+ }
+
+ bzero(rule_vers1, sizeof(struct ip_fw_compat_32));
+
rule_vers1->version = IP_FW_VERSION_1;
- rule_vers1->context = CAST_DOWN_EXPLICIT(user32_addr_t,curr_rule->context);
+ rule_vers1->context = CAST_DOWN_EXPLICIT(user32_addr_t, curr_rule->context);
rule_vers1->fw_number = curr_rule->rulenum;
rule_vers1->fw_pcnt = curr_rule->pcnt;
rule_vers1->fw_bcnt = curr_rule->bcnt;
rule_vers1->timestamp = curr_rule->timestamp;
-
+
/* convert actions */
ipfw_map_from_actions_32(curr_rule, rule_vers1);
/* convert commands */
ipfw_map_from_cmds_32(curr_rule, rule_vers1);
-
+
#if FW2_DEBUG_VERBOSE
ipfw_print_vers1_struct_32(rule_vers1);
#endif
static void
ipfw_version_latest_to_one_64(struct ip_fw_64 *curr_rule, struct ip_fw_compat_64 *rule_vers1)
{
- if (!rule_vers1)
+ if (!rule_vers1) {
return;
-
- bzero(rule_vers1, sizeof(struct ip_fw_compat));
-
+ }
+
+ bzero(rule_vers1, sizeof(struct ip_fw_compat_64));
+
rule_vers1->version = IP_FW_VERSION_1;
rule_vers1->context = CAST_DOWN_EXPLICIT(__uint64_t, curr_rule->context);
rule_vers1->fw_number = curr_rule->rulenum;
rule_vers1->fw_pcnt = curr_rule->pcnt;
rule_vers1->fw_bcnt = curr_rule->bcnt;
rule_vers1->timestamp = curr_rule->timestamp;
-
+
/* convert actions */
ipfw_map_from_actions_64(curr_rule, rule_vers1);
/* convert commands */
ipfw_map_from_cmds_64(curr_rule, rule_vers1);
-
+
#if FW2_DEBUG_VERBOSE
ipfw_print_vers1_struct_64(rule_vers1);
#endif
static void
ipfw_version_latest_to_zero(struct ip_fw *curr_rule, struct ip_old_fw *rule_vers0, int is64user)
{
-
- if ( is64user ){
- struct ip_fw_compat_64 rule_vers1;
+ if (is64user) {
+ struct ip_fw_compat_64 rule_vers1;
ipfw_version_latest_to_one_64((struct ip_fw_64*)curr_rule, &rule_vers1);
bzero(rule_vers0, sizeof(struct ip_old_fw));
bcopy(&rule_vers1.fw_uar_compat, &rule_vers0->fw_uar, sizeof(rule_vers1.fw_uar_compat));
rule_vers0->pipe_ptr = CAST_DOWN_EXPLICIT(void*, rule_vers1.pipe_ptr);
rule_vers0->next_rule_ptr = CAST_DOWN_EXPLICIT(void*, rule_vers1.next_rule_ptr);
- if (rule_vers1.fw_ipflg & IP_FW_IF_TCPEST_COMPAT) rule_vers0->fw_tcpf |= IP_OLD_FW_TCPF_ESTAB;
- }
- else {
- struct ip_fw_compat_32 rule_vers1;
- ipfw_version_latest_to_one_32( (struct ip_fw_32*)curr_rule, &rule_vers1);
+ if (rule_vers1.fw_ipflg & IP_FW_IF_TCPEST_COMPAT) {
+ rule_vers0->fw_tcpf |= IP_OLD_FW_TCPF_ESTAB;
+ }
+ } else {
+ struct ip_fw_compat_32 rule_vers1;
+ ipfw_version_latest_to_one_32((struct ip_fw_32*)curr_rule, &rule_vers1);
bzero(rule_vers0, sizeof(struct ip_old_fw));
bcopy(&rule_vers1.fw_uar_compat, &rule_vers0->fw_uar, sizeof(rule_vers1.fw_uar_compat));
bcopy(&rule_vers1.fw_in_if, &rule_vers0->fw_in_if, sizeof(rule_vers1.fw_in_if));
rule_vers0->pipe_ptr = CAST_DOWN_EXPLICIT(void*, rule_vers1.pipe_ptr);
rule_vers0->next_rule_ptr = CAST_DOWN_EXPLICIT(void*, rule_vers1.next_rule_ptr);
- if (rule_vers1.fw_ipflg & IP_FW_IF_TCPEST_COMPAT) rule_vers0->fw_tcpf |= IP_OLD_FW_TCPF_ESTAB;
+ if (rule_vers1.fw_ipflg & IP_FW_IF_TCPEST_COMPAT) {
+ rule_vers0->fw_tcpf |= IP_OLD_FW_TCPF_ESTAB;
+ }
}
-
}
void
ipfw_convert_from_latest(struct ip_fw *curr_rule, void *old_rule, u_int32_t api_version, int is64user)
{
switch (api_version) {
- case IP_FW_VERSION_0:
- {
- struct ip_old_fw *rule_vers0 = old_rule;
-
- ipfw_version_latest_to_zero(curr_rule, rule_vers0, is64user);
- break;
- }
- case IP_FW_VERSION_1:
- {
- if ( is64user )
- ipfw_version_latest_to_one_64((struct ip_fw_64*)curr_rule, (struct ip_fw_compat_64 *)old_rule);
- else
- ipfw_version_latest_to_one_32((struct ip_fw_32*)curr_rule, (struct ip_fw_compat_32 *)old_rule);
+ case IP_FW_VERSION_0:
+ {
+ struct ip_old_fw *rule_vers0 = old_rule;
- break;
+ ipfw_version_latest_to_zero(curr_rule, rule_vers0, is64user);
+ break;
+ }
+ case IP_FW_VERSION_1:
+ {
+ if (is64user) {
+ ipfw_version_latest_to_one_64((struct ip_fw_64*)curr_rule, (struct ip_fw_compat_64 *)old_rule);
+ } else {
+ ipfw_version_latest_to_one_32((struct ip_fw_32*)curr_rule, (struct ip_fw_compat_32 *)old_rule);
}
- case IP_FW_CURRENT_API_VERSION:
- /* ipfw2 for now, don't need to do anything */
- break;
-
- default:
- /* unknown version */
- break;
+
+ break;
+ }
+ case IP_FW_CURRENT_API_VERSION:
+ /* ipfw2 for now, don't need to do anything */
+ break;
+
+ default:
+ /* unknown version */
+ break;
}
}
/* ********************************************
- * *********** Convert to Latest **************
- * ********************************************/
+* *********** Convert to Latest **************
+* ********************************************/
/* from ip_fw.c */
static int
{
/* Check for invalid flag bits */
if ((frwl->fw_flg & ~IP_FW_F_MASK_COMPAT) != 0) {
- /*
- printf(("%s undefined flag bits set (flags=%x)\n",
- err_prefix, frwl->fw_flg));
- */
- return (EINVAL);
+ /*
+ * printf(("%s undefined flag bits set (flags=%x)\n",
+ * err_prefix, frwl->fw_flg));
+ */
+ return EINVAL;
}
if (frwl->fw_flg == IP_FW_F_CHECK_S_COMPAT) {
/* check-state */
- return 0 ;
+ return 0;
}
/* Must apply to incoming or outgoing (or both) */
if (!(frwl->fw_flg & (IP_FW_F_IN_COMPAT | IP_FW_F_OUT_COMPAT))) {
/*
- printf(("%s neither in nor out\n", err_prefix));
- */
- return (EINVAL);
+ * printf(("%s neither in nor out\n", err_prefix));
+ */
+ return EINVAL;
}
/* Empty interface name is no good */
if (((frwl->fw_flg & IP_FW_F_IIFNAME_COMPAT)
- && !*frwl->fw_in_if.fu_via_if_compat.name)
+ && !*frwl->fw_in_if.fu_via_if_compat.name)
|| ((frwl->fw_flg & IP_FW_F_OIFNAME_COMPAT)
- && !*frwl->fw_out_if.fu_via_if_compat.name)) {
+ && !*frwl->fw_out_if.fu_via_if_compat.name)) {
/*
- printf(("%s empty interface name\n", err_prefix));
- */
- return (EINVAL);
+ * printf(("%s empty interface name\n", err_prefix));
+ */
+ return EINVAL;
}
/* Sanity check interface matching */
if ((frwl->fw_flg & IF_FW_F_VIAHACK_COMPAT) == IF_FW_F_VIAHACK_COMPAT) {
- ; /* allow "via" backwards compatibility */
+ ; /* allow "via" backwards compatibility */
} else if ((frwl->fw_flg & IP_FW_F_IN_COMPAT)
&& (frwl->fw_flg & IP_FW_F_OIFACE_COMPAT)) {
/*
- printf(("%s outgoing interface check on incoming\n",
- err_prefix));
- */
- return (EINVAL);
+ * printf(("%s outgoing interface check on incoming\n",
+ * err_prefix));
+ */
+ return EINVAL;
}
/* Sanity check port ranges */
if ((frwl->fw_flg & IP_FW_F_SRNG_COMPAT) && IP_FW_GETNSRCP_COMPAT(frwl) < 2) {
/*
- printf(("%s src range set but n_src_p=%d\n",
- err_prefix, IP_FW_GETNSRCP_COMPAT(frwl)));
- */
- return (EINVAL);
+ * printf(("%s src range set but n_src_p=%d\n",
+ * err_prefix, IP_FW_GETNSRCP_COMPAT(frwl)));
+ */
+ return EINVAL;
}
if ((frwl->fw_flg & IP_FW_F_DRNG_COMPAT) && IP_FW_GETNDSTP_COMPAT(frwl) < 2) {
/*
- printf(("%s dst range set but n_dst_p=%d\n",
- err_prefix, IP_FW_GETNDSTP_COMPAT(frwl)));
- */
- return (EINVAL);
+ * printf(("%s dst range set but n_dst_p=%d\n",
+ * err_prefix, IP_FW_GETNDSTP_COMPAT(frwl)));
+ */
+ return EINVAL;
}
if (IP_FW_GETNSRCP_COMPAT(frwl) + IP_FW_GETNDSTP_COMPAT(frwl) > IP_FW_MAX_PORTS_COMPAT) {
/*
- printf(("%s too many ports (%d+%d)\n",
- err_prefix, IP_FW_GETNSRCP_COMPAT(frwl), IP_FW_GETNDSTP_COMPAT(frwl)));
- */
- return (EINVAL);
+ * printf(("%s too many ports (%d+%d)\n",
+ * err_prefix, IP_FW_GETNSRCP_COMPAT(frwl), IP_FW_GETNDSTP_COMPAT(frwl)));
+ */
+ return EINVAL;
}
/*
* Protocols other than TCP/UDP don't use port range
(frwl->fw_prot != IPPROTO_UDP) &&
(IP_FW_GETNSRCP_COMPAT(frwl) || IP_FW_GETNDSTP_COMPAT(frwl))) {
/*
- printf(("%s port(s) specified for non TCP/UDP rule\n",
- err_prefix));
- */
- return (EINVAL);
+ * printf(("%s port(s) specified for non TCP/UDP rule\n",
+ * err_prefix));
+ */
+ return EINVAL;
}
/*
- * Rather than modify the entry to make such entries work,
+ * Rather than modify the entry to make such entries work,
* we reject this rule and require user level utilities
* to enforce whatever policy they deem appropriate.
*/
- if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
- (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
+ if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
+ (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
/*
- printf(("%s rule never matches\n", err_prefix));
- */
- return (EINVAL);
+ * printf(("%s rule never matches\n", err_prefix));
+ */
+ return EINVAL;
}
if ((frwl->fw_flg & IP_FW_F_FRAG_COMPAT) &&
- (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
+ (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
if (frwl->fw_nports) {
- /*
- printf(("%s cannot mix 'frag' and ports\n", err_prefix));
- */
- return (EINVAL);
+ /*
+ * printf(("%s cannot mix 'frag' and ports\n", err_prefix));
+ */
+ return EINVAL;
}
if (frwl->fw_prot == IPPROTO_TCP &&
- frwl->fw_tcpf != frwl->fw_tcpnf) {
- /*
- printf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
- */
- return (EINVAL);
+ frwl->fw_tcpf != frwl->fw_tcpnf) {
+ /*
+ * printf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
+ */
+ return EINVAL;
}
}
/* Check command specific stuff */
- switch (frwl->fw_flg & IP_FW_F_COMMAND_COMPAT)
- {
+ switch (frwl->fw_flg & IP_FW_F_COMMAND_COMPAT) {
case IP_FW_F_REJECT_COMPAT:
if (frwl->fw_reject_code_compat >= 0x100
&& !(frwl->fw_prot == IPPROTO_TCP
- && frwl->fw_reject_code_compat == IP_FW_REJECT_RST_COMPAT)) {
- /*
- printf(("%s unknown reject code\n", err_prefix));
- */
- return (EINVAL);
+ && frwl->fw_reject_code_compat == IP_FW_REJECT_RST_COMPAT)) {
+ /*
+ * printf(("%s unknown reject code\n", err_prefix));
+ */
+ return EINVAL;
}
break;
- case IP_FW_F_DIVERT_COMPAT: /* Diverting to port zero is invalid */
+ case IP_FW_F_DIVERT_COMPAT: /* Diverting to port zero is invalid */
case IP_FW_F_TEE_COMPAT:
case IP_FW_F_PIPE_COMPAT: /* piping through 0 is invalid */
case IP_FW_F_QUEUE_COMPAT: /* piping through 0 is invalid */
if (frwl->fw_divert_port_compat == 0) {
- /*
- printf(("%s can't divert to port 0\n", err_prefix));
- */
- return (EINVAL);
+ /*
+ * printf(("%s can't divert to port 0\n", err_prefix));
+ */
+ return EINVAL;
}
break;
case IP_FW_F_DENY_COMPAT:
break;
default:
/*
- printf(("%s invalid command\n", err_prefix));
- */
- return (EINVAL);
+ * printf(("%s invalid command\n", err_prefix));
+ */
+ return EINVAL;
}
return 0;
{
/* Check for invalid flag bits */
if ((frwl->fw_flg & ~IP_FW_F_MASK_COMPAT) != 0) {
- /*
- printf(("%s undefined flag bits set (flags=%x)\n",
- err_prefix, frwl->fw_flg));
- */
-
- return (EINVAL);
+ /*
+ * printf(("%s undefined flag bits set (flags=%x)\n",
+ * err_prefix, frwl->fw_flg));
+ */
+
+ return EINVAL;
}
if (frwl->fw_flg == IP_FW_F_CHECK_S_COMPAT) {
/* check-state */
- return 0 ;
+ return 0;
}
/* Must apply to incoming or outgoing (or both) */
if (!(frwl->fw_flg & (IP_FW_F_IN_COMPAT | IP_FW_F_OUT_COMPAT))) {
/*
- printf(("%s neither in nor out\n", err_prefix));
- */
-
- return (EINVAL);
+ * printf(("%s neither in nor out\n", err_prefix));
+ */
+
+ return EINVAL;
}
/* Empty interface name is no good */
if (((frwl->fw_flg & IP_FW_F_IIFNAME_COMPAT)
- && !*frwl->fw_in_if.fu_via_if_compat.name)
+ && !*frwl->fw_in_if.fu_via_if_compat.name)
|| ((frwl->fw_flg & IP_FW_F_OIFNAME_COMPAT)
- && !*frwl->fw_out_if.fu_via_if_compat.name)) {
+ && !*frwl->fw_out_if.fu_via_if_compat.name)) {
/*
- printf(("%s empty interface name\n", err_prefix));
- */
-
- return (EINVAL);
+ * printf(("%s empty interface name\n", err_prefix));
+ */
+
+ return EINVAL;
}
/* Sanity check interface matching */
if ((frwl->fw_flg & IF_FW_F_VIAHACK_COMPAT) == IF_FW_F_VIAHACK_COMPAT) {
- ; /* allow "via" backwards compatibility */
+ ; /* allow "via" backwards compatibility */
} else if ((frwl->fw_flg & IP_FW_F_IN_COMPAT)
&& (frwl->fw_flg & IP_FW_F_OIFACE_COMPAT)) {
/*
- printf(("%s outgoing interface check on incoming\n",
- err_prefix));
- */
-
- return (EINVAL);
+ * printf(("%s outgoing interface check on incoming\n",
+ * err_prefix));
+ */
+
+ return EINVAL;
}
/* Sanity check port ranges */
if ((frwl->fw_flg & IP_FW_F_SRNG_COMPAT) && IP_FW_GETNSRCP_COMPAT(frwl) < 2) {
/*
- printf(("%s src range set but n_src_p=%d\n",
- err_prefix, IP_FW_GETNSRCP_COMPAT(frwl)));
- */
-
- return (EINVAL);
+ * printf(("%s src range set but n_src_p=%d\n",
+ * err_prefix, IP_FW_GETNSRCP_COMPAT(frwl)));
+ */
+
+ return EINVAL;
}
if ((frwl->fw_flg & IP_FW_F_DRNG_COMPAT) && IP_FW_GETNDSTP_COMPAT(frwl) < 2) {
/*
- printf(("%s dst range set but n_dst_p=%d\n",
- err_prefix, IP_FW_GETNDSTP_COMPAT(frwl)));
- */
+ * printf(("%s dst range set but n_dst_p=%d\n",
+ * err_prefix, IP_FW_GETNDSTP_COMPAT(frwl)));
+ */
- return (EINVAL);
+ return EINVAL;
}
if (IP_FW_GETNSRCP_COMPAT(frwl) + IP_FW_GETNDSTP_COMPAT(frwl) > IP_FW_MAX_PORTS_COMPAT) {
/*
- printf(("%s too many ports (%d+%d)\n",
- err_prefix, IP_FW_GETNSRCP_COMPAT(frwl), IP_FW_GETNDSTP_COMPAT(frwl)));
- */
-
- return (EINVAL);
+ * printf(("%s too many ports (%d+%d)\n",
+ * err_prefix, IP_FW_GETNSRCP_COMPAT(frwl), IP_FW_GETNDSTP_COMPAT(frwl)));
+ */
+
+ return EINVAL;
}
/*
* Protocols other than TCP/UDP don't use port range
(frwl->fw_prot != IPPROTO_UDP) &&
(IP_FW_GETNSRCP_COMPAT(frwl) || IP_FW_GETNDSTP_COMPAT(frwl))) {
/*
- printf(("%s port(s) specified for non TCP/UDP rule\n",
- err_prefix));
- */
-
- return (EINVAL);
+ * printf(("%s port(s) specified for non TCP/UDP rule\n",
+ * err_prefix));
+ */
+
+ return EINVAL;
}
/*
- * Rather than modify the entry to make such entries work,
+ * Rather than modify the entry to make such entries work,
* we reject this rule and require user level utilities
* to enforce whatever policy they deem appropriate.
*/
- if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
- (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
+ if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
+ (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
/*
- printf(("%s rule never matches\n", err_prefix));
- */
-
- return (EINVAL);
+ * printf(("%s rule never matches\n", err_prefix));
+ */
+
+ return EINVAL;
}
if ((frwl->fw_flg & IP_FW_F_FRAG_COMPAT) &&
- (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
+ (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
if (frwl->fw_nports) {
- /*
- printf(("%s cannot mix 'frag' and ports\n", err_prefix));
- */
-
- return (EINVAL);
+ /*
+ * printf(("%s cannot mix 'frag' and ports\n", err_prefix));
+ */
+
+ return EINVAL;
}
if (frwl->fw_prot == IPPROTO_TCP &&
- frwl->fw_tcpf != frwl->fw_tcpnf) {
- /*
- printf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
- */
-
- return (EINVAL);
+ frwl->fw_tcpf != frwl->fw_tcpnf) {
+ /*
+ * printf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
+ */
+
+ return EINVAL;
}
}
/* Check command specific stuff */
- switch (frwl->fw_flg & IP_FW_F_COMMAND_COMPAT)
- {
+ switch (frwl->fw_flg & IP_FW_F_COMMAND_COMPAT) {
case IP_FW_F_REJECT_COMPAT:
if (frwl->fw_reject_code_compat >= 0x100
&& !(frwl->fw_prot == IPPROTO_TCP
- && frwl->fw_reject_code_compat == IP_FW_REJECT_RST_COMPAT)) {
- /*
- printf(("%s unknown reject code\n", err_prefix));
- */
-
- return (EINVAL);
+ && frwl->fw_reject_code_compat == IP_FW_REJECT_RST_COMPAT)) {
+ /*
+ * printf(("%s unknown reject code\n", err_prefix));
+ */
+
+ return EINVAL;
}
break;
- case IP_FW_F_DIVERT_COMPAT: /* Diverting to port zero is invalid */
+ case IP_FW_F_DIVERT_COMPAT: /* Diverting to port zero is invalid */
case IP_FW_F_TEE_COMPAT:
case IP_FW_F_PIPE_COMPAT: /* piping through 0 is invalid */
case IP_FW_F_QUEUE_COMPAT: /* piping through 0 is invalid */
if (frwl->fw_divert_port_compat == 0) {
- /*
- printf(("%s can't divert to port 0\n", err_prefix));
- */
-
- return (EINVAL);
+ /*
+ * printf(("%s can't divert to port 0\n", err_prefix));
+ */
+
+ return EINVAL;
}
break;
case IP_FW_F_DENY_COMPAT:
break;
default:
/*
- printf(("%s invalid command\n", err_prefix));
- */
-
- return (EINVAL);
+ * printf(("%s invalid command\n", err_prefix));
+ */
+
+ return EINVAL;
}
return 0;
static void
ipfw_convert_to_cmds_32(struct ip_fw *curr_rule, struct ip_fw_compat_32 *compat_rule)
{
- int k;
- uint32_t actbuf[255], cmdbuf[255];
- ipfw_insn *action, *cmd, *src, *dst;
- ipfw_insn *have_state = NULL; /* track check-state or keep-state */
-
- if (!compat_rule || !curr_rule || !(curr_rule->cmd)) {
+ int k;
+ uint32_t actbuf[255], cmdbuf[255];
+ ipfw_insn *action, *cmd, *src, *dst;
+ ipfw_insn *have_state = NULL; /* track check-state or keep-state */
+
+ if (!compat_rule || !curr_rule) {
return;
}
/* bad rule */
return;
}
-
- bzero(actbuf, sizeof(actbuf)); /* actions go here */
+
+ bzero(actbuf, sizeof(actbuf)); /* actions go here */
bzero(cmdbuf, sizeof(cmdbuf));
/* fill in action */
action = (ipfw_insn *)actbuf;
{
- u_int flag = compat_rule->fw_flg;
-
- action->len = 1; /* default */
-
- if (flag & IP_FW_F_CHECK_S_COMPAT) {
- have_state = action;
- action->opcode = O_CHECK_STATE;
- }
- else {
- switch (flag & IP_FW_F_COMMAND_COMPAT) {
+ u_int flag = compat_rule->fw_flg;
+
+ action->len = 1; /* default */
+
+ if (flag & IP_FW_F_CHECK_S_COMPAT) {
+ have_state = action;
+ action->opcode = O_CHECK_STATE;
+ } else {
+ switch (flag & IP_FW_F_COMMAND_COMPAT) {
case IP_FW_F_ACCEPT_COMPAT:
action->opcode = O_ACCEPT;
break;
case IP_FW_F_FWD_COMPAT:
{
ipfw_insn_sa *p = (ipfw_insn_sa *)action;
-
+
action->opcode = O_FORWARD_IP;
action->len = F_INSN_SIZE(ipfw_insn_sa);
-
+
p->sa.sin_len = compat_rule->fw_fwd_ip_compat.sin_len;
p->sa.sin_family = compat_rule->fw_fwd_ip_compat.sin_family;
p->sa.sin_port = compat_rule->fw_fwd_ip_compat.sin_port;
p->sa.sin_addr = compat_rule->fw_fwd_ip_compat.sin_addr;
-
+
break;
}
case IP_FW_F_DENY_COMPAT:
default:
action->opcode = O_NOP;
break;
+ }
}
- }
-
- /* action is mandatory */
- if (action->opcode == O_NOP) {
+
+ /* action is mandatory */
+ if (action->opcode == O_NOP) {
return;
- }
-
- action = next_cmd(action);
+ }
+
+ action = next_cmd(action);
} /* end actions */
-
+
cmd = (ipfw_insn *)cmdbuf;
/* this is O_CHECK_STATE, we're done */
if (have_state) {
- goto done;
+ goto done;
}
{
- ipfw_insn *prev = NULL;
- u_int flag = compat_rule->fw_flg;
-
- /* logging */
- if (flag & IP_FW_F_PRN_COMPAT) {
- ipfw_insn_log *c = (ipfw_insn_log *)cmd;
-
- cmd->opcode = O_LOG;
- cmd->len |= F_INSN_SIZE(ipfw_insn_log);
- c->max_log = compat_rule->fw_logamount;
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* protocol */
- if (compat_rule->fw_prot != 0) {
- fill_cmd(cmd, O_PROTO, compat_rule->fw_prot);
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* source */
- if (flag & IP_FW_F_SME_COMPAT) {
- cmd->opcode = O_IP_SRC_ME;
- cmd->len |= F_INSN_SIZE(ipfw_insn);
- if (flag & IP_FW_F_INVSRC_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- } else {
- if (compat_rule->fw_smsk.s_addr != 0) {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- ip->addr = compat_rule->fw_src;
- ip->mask = compat_rule->fw_smsk;
- cmd->opcode = O_IP_SRC_MASK;
- cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
- } else {
- /* one IP */
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- if (compat_rule->fw_src.s_addr == 0) {
- /* any */
- cmd32->o.len &= ~F_LEN_MASK; /* zero len */
- } else {
- cmd32->d[0] = compat_rule->fw_src.s_addr;
- cmd32->o.opcode = O_IP_SRC;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
- }
- }
-
- if (flag & IP_FW_F_INVSRC_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
+ ipfw_insn *prev = NULL;
+ u_int flag = compat_rule->fw_flg;
+
+ /* logging */
+ if (flag & IP_FW_F_PRN_COMPAT) {
+ ipfw_insn_log *c = (ipfw_insn_log *)cmd;
+
+ cmd->opcode = O_LOG;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_log);
+ c->max_log = compat_rule->fw_logamount;
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
}
- if (F_LEN(cmd) != 0) { /* !any */
+ /* protocol */
+ if (compat_rule->fw_prot != 0) {
+ fill_cmd(cmd, O_PROTO, compat_rule->fw_prot);
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- /* source ports */
- {
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i, j = 0,
- nports = IP_FW_GETNSRCP_COMPAT(compat_rule),
- have_range = 0;
-
- cmd->opcode = O_IP_SRCPORT;
- for (i = 0; i < nports; i++) {
- if (((flag & IP_FW_F_SRNG_COMPAT) ||
- (flag & IP_FW_F_SMSK_COMPAT)) && !have_range) {
- p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
- p[1] = compat_rule->fw_uar_compat.fw_pts[i];
- have_range = 1;
- } else {
- p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+
+ /* source */
+ if (flag & IP_FW_F_SME_COMPAT) {
+ cmd->opcode = O_IP_SRC_ME;
+ cmd->len |= F_INSN_SIZE(ipfw_insn);
+ if (flag & IP_FW_F_INVSRC_COMPAT) {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
}
- p += 2;
- j++;
- }
-
- if (j > 0) {
- ports->o.len |= j+1; /* leave F_NOT and F_OR untouched */
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* destination */
- if (flag & IP_FW_F_DME_COMPAT) {
- cmd->opcode = O_IP_DST_ME;
- cmd->len |= F_INSN_SIZE(ipfw_insn);
- if (flag & IP_FW_F_INVDST_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
- }
- prev = cmd;
- cmd = next_cmd(cmd);
- } else {
- if (compat_rule->fw_dmsk.s_addr != 0) {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- ip->addr = compat_rule->fw_dst;
- ip->mask = compat_rule->fw_dmsk;
- cmd->opcode = O_IP_DST_MASK;
- cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
+ prev = cmd;
+ cmd = next_cmd(cmd);
} else {
- /* one IP */
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- if (compat_rule->fw_dst.s_addr == 0) {
- /* any */
- cmd32->o.len &= ~F_LEN_MASK; /* zero len */
+ if (compat_rule->fw_smsk.s_addr != 0) {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ ip->addr = compat_rule->fw_src;
+ ip->mask = compat_rule->fw_smsk;
+ cmd->opcode = O_IP_SRC_MASK;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
} else {
- cmd32->d[0] = compat_rule->fw_dst.s_addr;
- cmd32->o.opcode = O_IP_DST;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ /* one IP */
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ if (compat_rule->fw_src.s_addr == 0) {
+ /* any */
+ cmd32->o.len &= ~F_LEN_MASK; /* zero len */
+ } else {
+ cmd32->d[0] = compat_rule->fw_src.s_addr;
+ cmd32->o.opcode = O_IP_SRC;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ }
+ }
+
+ if (flag & IP_FW_F_INVSRC_COMPAT) {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
+ }
+
+ if (F_LEN(cmd) != 0) { /* !any */
+ prev = cmd;
+ cmd = next_cmd(cmd);
}
}
-
- if (flag & IP_FW_F_INVDST_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
- }
- if (F_LEN(cmd) != 0) { /* !any */
+ /* source ports */
+ {
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i, j = 0,
+ nports = IP_FW_GETNSRCP_COMPAT(compat_rule),
+ have_range = 0;
+
+ cmd->opcode = O_IP_SRCPORT;
+ for (i = 0; i < nports; i++) {
+ if (((flag & IP_FW_F_SRNG_COMPAT) ||
+ (flag & IP_FW_F_SMSK_COMPAT)) && !have_range) {
+ p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
+ p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ have_range = 1;
+ } else {
+ p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ }
+ p += 2;
+ j++;
+ }
+
+ if (j > 0) {
+ ports->o.len |= j + 1; /* leave F_NOT and F_OR untouched */
+ }
+
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- /* dest. ports */
- {
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i = IP_FW_GETNSRCP_COMPAT(compat_rule),
- j = 0,
- nports = (IP_FW_GETNDSTP_COMPAT(compat_rule) + i),
- have_range = 0;
-
- cmd->opcode = O_IP_DSTPORT;
- for (; i < nports; i++, p += 2) {
- if (((flag & IP_FW_F_DRNG_COMPAT) ||
- (flag & IP_FW_F_DMSK_COMPAT)) && !have_range) {
- /* range */
- p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
- p[1] = compat_rule->fw_uar_compat.fw_pts[i];
- have_range = 1;
- } else {
- p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
- }
- j++;
- }
-
- if (j > 0) {
- ports->o.len |= j+1; /* leave F_NOT and F_OR untouched */
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if (flag & IP_FW_F_UID_COMPAT) {
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- cmd32->o.opcode = O_UID;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
- cmd32->d[0] = compat_rule->fw_uid;
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if (flag & IP_FW_F_KEEP_S_COMPAT) {
- have_state = cmd;
- fill_cmd(cmd, O_KEEP_STATE, 0);
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
- if (flag & IP_FW_BRIDGED_COMPAT) {
- fill_cmd(cmd, O_LAYER2, 0);
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if ((flag & IF_FW_F_VIAHACK_COMPAT) == IF_FW_F_VIAHACK_COMPAT) {
- /* via */
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu = compat_rule->fw_in_if;
-
- cmd->opcode = O_VIA;
- ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
-
- if (ifu.fu_via_ip.s_addr == 0) {
- /* "any" */
- ifcmd->name[0] = '\0';
- ifcmd->o.len = 0;
- }
- else if (compat_rule->fw_flg & IP_FW_F_IIFNAME_COMPAT) {
- /* by name */
- strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
- ifcmd->p.unit = ifu.fu_via_if_compat.unit;
- } else {
- /* by addr */
- ifcmd->p.ip = ifu.fu_via_ip;
- }
- prev = cmd;
- cmd = next_cmd(cmd);
- } else {
- if (flag & IP_FW_F_IN_COMPAT) {
- fill_cmd(cmd, O_IN, 0);
-
+ /* destination */
+ if (flag & IP_FW_F_DME_COMPAT) {
+ cmd->opcode = O_IP_DST_ME;
+ cmd->len |= F_INSN_SIZE(ipfw_insn);
+ if (flag & IP_FW_F_INVDST_COMPAT) {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
+ }
+
prev = cmd;
cmd = next_cmd(cmd);
- }
- if (flag & IP_FW_F_OUT_COMPAT) {
- /* if the previous command was O_IN, and this
- * is being set as well, it's equivalent to not
- * having either command, so let's back up prev
- * to the cmd before it and move cmd to prev.
- */
- if (prev->opcode == O_IN) {
- cmd = prev;
- bzero(cmd, sizeof(*cmd));
+ } else {
+ if (compat_rule->fw_dmsk.s_addr != 0) {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ ip->addr = compat_rule->fw_dst;
+ ip->mask = compat_rule->fw_dmsk;
+ cmd->opcode = O_IP_DST_MASK;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
} else {
+ /* one IP */
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ if (compat_rule->fw_dst.s_addr == 0) {
+ /* any */
+ cmd32->o.len &= ~F_LEN_MASK; /* zero len */
+ } else {
+ cmd32->d[0] = compat_rule->fw_dst.s_addr;
+ cmd32->o.opcode = O_IP_DST;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ }
+ }
+
+ if (flag & IP_FW_F_INVDST_COMPAT) {
cmd->len ^= F_NOT; /* toggle F_NOT */
- fill_cmd(cmd, O_IN, 0);
-
+ }
+
+ if (F_LEN(cmd) != 0) { /* !any */
prev = cmd;
cmd = next_cmd(cmd);
}
}
- if (flag & IP_FW_F_OIFACE_COMPAT) {
- /* xmit */
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu = compat_rule->fw_out_if;
-
- cmd->opcode = O_XMIT;
- ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
-
- if (ifu.fu_via_ip.s_addr == 0) {
- /* "any" */
- ifcmd->name[0] = '\0';
- ifcmd->o.len = 0;
+
+ /* dest. ports */
+ {
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i = IP_FW_GETNSRCP_COMPAT(compat_rule),
+ j = 0,
+ nports = (IP_FW_GETNDSTP_COMPAT(compat_rule) + i),
+ have_range = 0;
+
+ cmd->opcode = O_IP_DSTPORT;
+ for (; i < nports; i++, p += 2) {
+ if (((flag & IP_FW_F_DRNG_COMPAT) ||
+ (flag & IP_FW_F_DMSK_COMPAT)) && !have_range) {
+ /* range */
+ p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
+ p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ have_range = 1;
+ } else {
+ p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ }
+ j++;
}
- else if (flag & IP_FW_F_OIFNAME_COMPAT) {
- /* by name */
- strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
- ifcmd->p.unit = ifu.fu_via_if_compat.unit;
- } else {
- /* by addr */
- ifcmd->p.ip = ifu.fu_via_ip;
+
+ if (j > 0) {
+ ports->o.len |= j + 1; /* leave F_NOT and F_OR untouched */
}
-
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+
+ if (flag & IP_FW_F_UID_COMPAT) {
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ cmd32->o.opcode = O_UID;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ cmd32->d[0] = compat_rule->fw_uid;
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+
+ if (flag & IP_FW_F_KEEP_S_COMPAT) {
+ have_state = cmd;
+ fill_cmd(cmd, O_KEEP_STATE, 0);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ if (flag & IP_FW_BRIDGED_COMPAT) {
+ fill_cmd(cmd, O_LAYER2, 0);
+
prev = cmd;
cmd = next_cmd(cmd);
- }
- else if (flag & IP_FW_F_IIFACE_COMPAT) {
- /* recv */
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu = compat_rule->fw_in_if;
-
- cmd->opcode = O_RECV;
+ }
+
+ if ((flag & IF_FW_F_VIAHACK_COMPAT) == IF_FW_F_VIAHACK_COMPAT) {
+ /* via */
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu = compat_rule->fw_in_if;
+
+ cmd->opcode = O_VIA;
ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
-
+
if (ifu.fu_via_ip.s_addr == 0) {
/* "any" */
ifcmd->name[0] = '\0';
ifcmd->o.len = 0;
- }
- else if (flag & IP_FW_F_IIFNAME_COMPAT) {
+ } else if (compat_rule->fw_flg & IP_FW_F_IIFNAME_COMPAT) {
/* by name */
strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
ifcmd->p.unit = ifu.fu_via_if_compat.unit;
/* by addr */
ifcmd->p.ip = ifu.fu_via_ip;
}
-
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ } else {
+ if (flag & IP_FW_F_IN_COMPAT) {
+ fill_cmd(cmd, O_IN, 0);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ if (flag & IP_FW_F_OUT_COMPAT) {
+ /* if the previous command was O_IN, and this
+ * is being set as well, it's equivalent to not
+ * having either command, so let's back up prev
+ * to the cmd before it and move cmd to prev.
+ */
+ if (prev->opcode == O_IN) {
+ cmd = prev;
+ bzero(cmd, sizeof(*cmd));
+ } else {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
+ fill_cmd(cmd, O_IN, 0);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ }
+ if (flag & IP_FW_F_OIFACE_COMPAT) {
+ /* xmit */
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu = compat_rule->fw_out_if;
+
+ cmd->opcode = O_XMIT;
+ ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
+
+ if (ifu.fu_via_ip.s_addr == 0) {
+ /* "any" */
+ ifcmd->name[0] = '\0';
+ ifcmd->o.len = 0;
+ } else if (flag & IP_FW_F_OIFNAME_COMPAT) {
+ /* by name */
+ strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
+ ifcmd->p.unit = ifu.fu_via_if_compat.unit;
+ } else {
+ /* by addr */
+ ifcmd->p.ip = ifu.fu_via_ip;
+ }
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ } else if (flag & IP_FW_F_IIFACE_COMPAT) {
+ /* recv */
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu = compat_rule->fw_in_if;
+
+ cmd->opcode = O_RECV;
+ ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
+
+ if (ifu.fu_via_ip.s_addr == 0) {
+ /* "any" */
+ ifcmd->name[0] = '\0';
+ ifcmd->o.len = 0;
+ } else if (flag & IP_FW_F_IIFNAME_COMPAT) {
+ /* by name */
+ strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
+ ifcmd->p.unit = ifu.fu_via_if_compat.unit;
+ } else {
+ /* by addr */
+ ifcmd->p.ip = ifu.fu_via_ip;
+ }
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ }
+
+ if (flag & IP_FW_F_FRAG_COMPAT) {
+ fill_cmd(cmd, O_FRAG, 0);
+
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- if (flag & IP_FW_F_FRAG_COMPAT) {
- fill_cmd(cmd, O_FRAG, 0);
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* IP options */
- if (compat_rule->fw_ipopt != 0 || compat_rule->fw_ipnopt != 0) {
- fill_cmd(cmd, O_IPOPT, (compat_rule->fw_ipopt & 0xff) |
- (compat_rule->fw_ipnopt & 0xff) << 8);
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if (compat_rule->fw_prot == IPPROTO_TCP) {
- if (compat_rule->fw_ipflg & IP_FW_IF_TCPEST_COMPAT) {
- fill_cmd(cmd, O_ESTAB, 0);
-
+ /* IP options */
+ if (compat_rule->fw_ipopt != 0 || compat_rule->fw_ipnopt != 0) {
+ fill_cmd(cmd, O_IPOPT, (compat_rule->fw_ipopt & 0xff) |
+ (compat_rule->fw_ipnopt & 0xff) << 8);
+
prev = cmd;
cmd = next_cmd(cmd);
}
-
- /* TCP options and flags */
- if (compat_rule->fw_tcpf != 0 || compat_rule->fw_tcpnf != 0) {
- if ((compat_rule->fw_tcpf & IP_FW_TCPF_SYN_COMPAT) &&
- compat_rule->fw_tcpnf & IP_FW_TCPF_ACK_COMPAT) {
- fill_cmd(cmd, O_TCPFLAGS, (TH_SYN) | ( (TH_ACK) & 0xff) <<8);
-
+
+ if (compat_rule->fw_prot == IPPROTO_TCP) {
+ if (compat_rule->fw_ipflg & IP_FW_IF_TCPEST_COMPAT) {
+ fill_cmd(cmd, O_ESTAB, 0);
+
prev = cmd;
cmd = next_cmd(cmd);
}
- else {
- fill_cmd(cmd, O_TCPFLAGS, (compat_rule->fw_tcpf & 0xff) |
- (compat_rule->fw_tcpnf & 0xff) << 8);
-
+
+ /* TCP options and flags */
+ if (compat_rule->fw_tcpf != 0 || compat_rule->fw_tcpnf != 0) {
+ if ((compat_rule->fw_tcpf & IP_FW_TCPF_SYN_COMPAT) &&
+ compat_rule->fw_tcpnf & IP_FW_TCPF_ACK_COMPAT) {
+ fill_cmd(cmd, O_TCPFLAGS, (TH_SYN) | ((TH_ACK) & 0xff) << 8);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ } else {
+ fill_cmd(cmd, O_TCPFLAGS, (compat_rule->fw_tcpf & 0xff) |
+ (compat_rule->fw_tcpnf & 0xff) << 8);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ }
+ if (compat_rule->fw_tcpopt != 0 || compat_rule->fw_tcpnopt != 0) {
+ fill_cmd(cmd, O_TCPOPTS, (compat_rule->fw_tcpopt & 0xff) |
+ (compat_rule->fw_tcpnopt & 0xff) << 8);
+
prev = cmd;
cmd = next_cmd(cmd);
}
}
- if (compat_rule->fw_tcpopt != 0 || compat_rule->fw_tcpnopt != 0) {
- fill_cmd(cmd, O_TCPOPTS, (compat_rule->fw_tcpopt & 0xff) |
- (compat_rule->fw_tcpnopt & 0xff) << 8);
-
+
+ /* ICMP */
+ /* XXX: check this */
+ if (flag & IP_FW_F_ICMPBIT_COMPAT) {
+ int i;
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ cmd32->o.opcode = O_ICMPTYPE;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+
+ for (i = 0; i < IP_FW_ICMPTYPES_DIM_COMPAT; i++) {
+ cmd32->d[0] |= compat_rule->fw_uar_compat.fw_icmptypes[i];
+ }
+
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- /* ICMP */
- /* XXX: check this */
- if (flag & IP_FW_F_ICMPBIT_COMPAT) {
- int i;
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- cmd32->o.opcode = O_ICMPTYPE;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
-
- for (i = 0; i < IP_FW_ICMPTYPES_DIM_COMPAT; i++) {
- cmd32->d[0] |= compat_rule->fw_uar_compat.fw_icmptypes[i];
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
} /* end commands */
-
+
done:
- /* finally, copy everything into the current
+ /* finally, copy everything into the current
* rule buffer in the right order.
*/
dst = curr_rule->cmd;
-
+
/* first, do match probability */
if (compat_rule->fw_flg & IP_FW_F_RND_MATCH_COMPAT) {
dst->opcode = O_PROB;
dst->len = 2;
- *((int32_t *)(dst+1)) = compat_rule->pipe_ptr;
+ *((int32_t *)(dst + 1)) = compat_rule->pipe_ptr;
dst += dst->len;
}
-
+
/* generate O_PROBE_STATE if necessary */
if (have_state && have_state->opcode != O_CHECK_STATE) {
fill_cmd(dst, O_PROBE_STATE, 0);
dst = next_cmd(dst);
}
-
+
/*
* copy all commands but O_LOG, O_KEEP_STATE
*/
bcopy(have_state, dst, k * sizeof(uint32_t));
dst += k;
}
-
+
/*
* start action section
*/
bcopy(src, dst, k * sizeof(uint32_t));
dst += k;
}
-
+
/*
* copy all other actions
*/
}
curr_rule->cmd_len = (uint32_t *)dst - (uint32_t *)(curr_rule->cmd);
-
+
return;
}
static void
ipfw_convert_to_cmds_64(struct ip_fw *curr_rule, struct ip_fw_compat_64 *compat_rule)
{
- int k;
- uint32_t actbuf[255], cmdbuf[255];
- ipfw_insn *action, *cmd, *src, *dst;
- ipfw_insn *have_state = NULL; /* track check-state or keep-state */
-
- if (!compat_rule || !curr_rule || !(curr_rule->cmd)) {
+ int k;
+ uint32_t actbuf[255], cmdbuf[255];
+ ipfw_insn *action, *cmd, *src, *dst;
+ ipfw_insn *have_state = NULL; /* track check-state or keep-state */
+
+ if (!compat_rule || !curr_rule) {
return;
}
/* bad rule */
return;
}
-
- bzero(actbuf, sizeof(actbuf)); /* actions go here */
+
+ bzero(actbuf, sizeof(actbuf)); /* actions go here */
bzero(cmdbuf, sizeof(cmdbuf));
/* fill in action */
action = (ipfw_insn *)actbuf;
{
- u_int flag = compat_rule->fw_flg;
-
- action->len = 1; /* default */
-
- if (flag & IP_FW_F_CHECK_S_COMPAT) {
- have_state = action;
- action->opcode = O_CHECK_STATE;
- }
- else {
- switch (flag & IP_FW_F_COMMAND_COMPAT) {
+ u_int flag = compat_rule->fw_flg;
+
+ action->len = 1; /* default */
+
+ if (flag & IP_FW_F_CHECK_S_COMPAT) {
+ have_state = action;
+ action->opcode = O_CHECK_STATE;
+ } else {
+ switch (flag & IP_FW_F_COMMAND_COMPAT) {
case IP_FW_F_ACCEPT_COMPAT:
action->opcode = O_ACCEPT;
break;
case IP_FW_F_FWD_COMPAT:
{
ipfw_insn_sa *p = (ipfw_insn_sa *)action;
-
+
action->opcode = O_FORWARD_IP;
action->len = F_INSN_SIZE(ipfw_insn_sa);
-
+
p->sa.sin_len = compat_rule->fw_fwd_ip_compat.sin_len;
p->sa.sin_family = compat_rule->fw_fwd_ip_compat.sin_family;
p->sa.sin_port = compat_rule->fw_fwd_ip_compat.sin_port;
p->sa.sin_addr = compat_rule->fw_fwd_ip_compat.sin_addr;
-
+
break;
}
case IP_FW_F_DENY_COMPAT:
default:
action->opcode = O_NOP;
break;
+ }
}
- }
-
- /* action is mandatory */
- if (action->opcode == O_NOP) {
+
+ /* action is mandatory */
+ if (action->opcode == O_NOP) {
return;
- }
-
- action = next_cmd(action);
+ }
+
+ action = next_cmd(action);
} /* end actions */
-
+
cmd = (ipfw_insn *)cmdbuf;
/* this is O_CHECK_STATE, we're done */
if (have_state) {
- goto done;
+ goto done;
}
{
- ipfw_insn *prev = NULL;
- u_int flag = compat_rule->fw_flg;
-
- /* logging */
- if (flag & IP_FW_F_PRN_COMPAT) {
- ipfw_insn_log *c = (ipfw_insn_log *)cmd;
-
- cmd->opcode = O_LOG;
- cmd->len |= F_INSN_SIZE(ipfw_insn_log);
- c->max_log = compat_rule->fw_logamount;
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* protocol */
- if (compat_rule->fw_prot != 0) {
- fill_cmd(cmd, O_PROTO, compat_rule->fw_prot);
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* source */
- if (flag & IP_FW_F_SME_COMPAT) {
- cmd->opcode = O_IP_SRC_ME;
- cmd->len |= F_INSN_SIZE(ipfw_insn);
- if (flag & IP_FW_F_INVSRC_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- } else {
- if (compat_rule->fw_smsk.s_addr != 0) {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- ip->addr = compat_rule->fw_src;
- ip->mask = compat_rule->fw_smsk;
- cmd->opcode = O_IP_SRC_MASK;
- cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
- } else {
- /* one IP */
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- if (compat_rule->fw_src.s_addr == 0) {
- /* any */
- cmd32->o.len &= ~F_LEN_MASK; /* zero len */
- } else {
- cmd32->d[0] = compat_rule->fw_src.s_addr;
- cmd32->o.opcode = O_IP_SRC;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
- }
- }
-
- if (flag & IP_FW_F_INVSRC_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
+ ipfw_insn *prev = NULL;
+ u_int flag = compat_rule->fw_flg;
+
+ /* logging */
+ if (flag & IP_FW_F_PRN_COMPAT) {
+ ipfw_insn_log *c = (ipfw_insn_log *)cmd;
+
+ cmd->opcode = O_LOG;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_log);
+ c->max_log = compat_rule->fw_logamount;
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
}
- if (F_LEN(cmd) != 0) { /* !any */
+ /* protocol */
+ if (compat_rule->fw_prot != 0) {
+ fill_cmd(cmd, O_PROTO, compat_rule->fw_prot);
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- /* source ports */
- {
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i, j = 0,
- nports = IP_FW_GETNSRCP_COMPAT(compat_rule),
- have_range = 0;
-
- cmd->opcode = O_IP_SRCPORT;
- for (i = 0; i < nports; i++) {
- if (((flag & IP_FW_F_SRNG_COMPAT) ||
- (flag & IP_FW_F_SMSK_COMPAT)) && !have_range) {
- p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
- p[1] = compat_rule->fw_uar_compat.fw_pts[i];
- have_range = 1;
- } else {
- p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+
+ /* source */
+ if (flag & IP_FW_F_SME_COMPAT) {
+ cmd->opcode = O_IP_SRC_ME;
+ cmd->len |= F_INSN_SIZE(ipfw_insn);
+ if (flag & IP_FW_F_INVSRC_COMPAT) {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
}
- p += 2;
- j++;
- }
-
- if (j > 0) {
- ports->o.len |= j+1; /* leave F_NOT and F_OR untouched */
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* destination */
- if (flag & IP_FW_F_DME_COMPAT) {
- cmd->opcode = O_IP_DST_ME;
- cmd->len |= F_INSN_SIZE(ipfw_insn);
- if (flag & IP_FW_F_INVDST_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
- }
- prev = cmd;
- cmd = next_cmd(cmd);
- } else {
- if (compat_rule->fw_dmsk.s_addr != 0) {
- /* addr/mask */
- ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
-
- ip->addr = compat_rule->fw_dst;
- ip->mask = compat_rule->fw_dmsk;
- cmd->opcode = O_IP_DST_MASK;
- cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
+ prev = cmd;
+ cmd = next_cmd(cmd);
} else {
- /* one IP */
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- if (compat_rule->fw_dst.s_addr == 0) {
- /* any */
- cmd32->o.len &= ~F_LEN_MASK; /* zero len */
+ if (compat_rule->fw_smsk.s_addr != 0) {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ ip->addr = compat_rule->fw_src;
+ ip->mask = compat_rule->fw_smsk;
+ cmd->opcode = O_IP_SRC_MASK;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
} else {
- cmd32->d[0] = compat_rule->fw_dst.s_addr;
- cmd32->o.opcode = O_IP_DST;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ /* one IP */
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ if (compat_rule->fw_src.s_addr == 0) {
+ /* any */
+ cmd32->o.len &= ~F_LEN_MASK; /* zero len */
+ } else {
+ cmd32->d[0] = compat_rule->fw_src.s_addr;
+ cmd32->o.opcode = O_IP_SRC;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ }
+ }
+
+ if (flag & IP_FW_F_INVSRC_COMPAT) {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
+ }
+
+ if (F_LEN(cmd) != 0) { /* !any */
+ prev = cmd;
+ cmd = next_cmd(cmd);
}
}
-
- if (flag & IP_FW_F_INVDST_COMPAT) {
- cmd->len ^= F_NOT; /* toggle F_NOT */
- }
- if (F_LEN(cmd) != 0) { /* !any */
+ /* source ports */
+ {
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i, j = 0,
+ nports = IP_FW_GETNSRCP_COMPAT(compat_rule),
+ have_range = 0;
+
+ cmd->opcode = O_IP_SRCPORT;
+ for (i = 0; i < nports; i++) {
+ if (((flag & IP_FW_F_SRNG_COMPAT) ||
+ (flag & IP_FW_F_SMSK_COMPAT)) && !have_range) {
+ p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
+ p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ have_range = 1;
+ } else {
+ p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ }
+ p += 2;
+ j++;
+ }
+
+ if (j > 0) {
+ ports->o.len |= j + 1; /* leave F_NOT and F_OR untouched */
+ }
+
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- /* dest. ports */
- {
- ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
- uint16_t *p = ports->ports;
- int i = IP_FW_GETNSRCP_COMPAT(compat_rule),
- j = 0,
- nports = (IP_FW_GETNDSTP_COMPAT(compat_rule) + i),
- have_range = 0;
-
- cmd->opcode = O_IP_DSTPORT;
- for (; i < nports; i++, p += 2) {
- if (((flag & IP_FW_F_DRNG_COMPAT) ||
- (flag & IP_FW_F_DMSK_COMPAT)) && !have_range) {
- /* range */
- p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
- p[1] = compat_rule->fw_uar_compat.fw_pts[i];
- have_range = 1;
- } else {
- p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
- }
- j++;
- }
-
- if (j > 0) {
- ports->o.len |= j+1; /* leave F_NOT and F_OR untouched */
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if (flag & IP_FW_F_UID_COMPAT) {
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
-
- cmd32->o.opcode = O_UID;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
- cmd32->d[0] = compat_rule->fw_uid;
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if (flag & IP_FW_F_KEEP_S_COMPAT) {
- have_state = cmd;
- fill_cmd(cmd, O_KEEP_STATE, 0);
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
- if (flag & IP_FW_BRIDGED_COMPAT) {
- fill_cmd(cmd, O_LAYER2, 0);
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if ((flag & IF_FW_F_VIAHACK_COMPAT) == IF_FW_F_VIAHACK_COMPAT) {
- /* via */
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu = compat_rule->fw_in_if;
-
- cmd->opcode = O_VIA;
- ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
-
- if (ifu.fu_via_ip.s_addr == 0) {
- /* "any" */
- ifcmd->name[0] = '\0';
- ifcmd->o.len = 0;
- }
- else if (compat_rule->fw_flg & IP_FW_F_IIFNAME_COMPAT) {
- /* by name */
- strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
- ifcmd->p.unit = ifu.fu_via_if_compat.unit;
- } else {
- /* by addr */
- ifcmd->p.ip = ifu.fu_via_ip;
- }
- prev = cmd;
- cmd = next_cmd(cmd);
- } else {
- if (flag & IP_FW_F_IN_COMPAT) {
- fill_cmd(cmd, O_IN, 0);
-
+ /* destination */
+ if (flag & IP_FW_F_DME_COMPAT) {
+ cmd->opcode = O_IP_DST_ME;
+ cmd->len |= F_INSN_SIZE(ipfw_insn);
+ if (flag & IP_FW_F_INVDST_COMPAT) {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
+ }
+
prev = cmd;
cmd = next_cmd(cmd);
- }
- if (flag & IP_FW_F_OUT_COMPAT) {
- /* if the previous command was O_IN, and this
- * is being set as well, it's equivalent to not
- * having either command, so let's back up prev
- * to the cmd before it and move cmd to prev.
- */
- if (prev->opcode == O_IN) {
- cmd = prev;
- bzero(cmd, sizeof(*cmd));
+ } else {
+ if (compat_rule->fw_dmsk.s_addr != 0) {
+ /* addr/mask */
+ ipfw_insn_ip *ip = (ipfw_insn_ip *)cmd;
+
+ ip->addr = compat_rule->fw_dst;
+ ip->mask = compat_rule->fw_dmsk;
+ cmd->opcode = O_IP_DST_MASK;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_ip); /* double check this */
} else {
+ /* one IP */
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ if (compat_rule->fw_dst.s_addr == 0) {
+ /* any */
+ cmd32->o.len &= ~F_LEN_MASK; /* zero len */
+ } else {
+ cmd32->d[0] = compat_rule->fw_dst.s_addr;
+ cmd32->o.opcode = O_IP_DST;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ }
+ }
+
+ if (flag & IP_FW_F_INVDST_COMPAT) {
cmd->len ^= F_NOT; /* toggle F_NOT */
- fill_cmd(cmd, O_IN, 0);
-
+ }
+
+ if (F_LEN(cmd) != 0) { /* !any */
prev = cmd;
cmd = next_cmd(cmd);
}
}
- if (flag & IP_FW_F_OIFACE_COMPAT) {
- /* xmit */
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu = compat_rule->fw_out_if;
-
- cmd->opcode = O_XMIT;
- ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
-
- if (ifu.fu_via_ip.s_addr == 0) {
- /* "any" */
- ifcmd->name[0] = '\0';
- ifcmd->o.len = 0;
+
+ /* dest. ports */
+ {
+ ipfw_insn_u16 *ports = (ipfw_insn_u16 *)cmd;
+ uint16_t *p = ports->ports;
+ int i = IP_FW_GETNSRCP_COMPAT(compat_rule),
+ j = 0,
+ nports = (IP_FW_GETNDSTP_COMPAT(compat_rule) + i),
+ have_range = 0;
+
+ cmd->opcode = O_IP_DSTPORT;
+ for (; i < nports; i++, p += 2) {
+ if (((flag & IP_FW_F_DRNG_COMPAT) ||
+ (flag & IP_FW_F_DMSK_COMPAT)) && !have_range) {
+ /* range */
+ p[0] = compat_rule->fw_uar_compat.fw_pts[i++];
+ p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ have_range = 1;
+ } else {
+ p[0] = p[1] = compat_rule->fw_uar_compat.fw_pts[i];
+ }
+ j++;
}
- else if (flag & IP_FW_F_OIFNAME_COMPAT) {
- /* by name */
- strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
- ifcmd->p.unit = ifu.fu_via_if_compat.unit;
- } else {
- /* by addr */
- ifcmd->p.ip = ifu.fu_via_ip;
+
+ if (j > 0) {
+ ports->o.len |= j + 1; /* leave F_NOT and F_OR untouched */
}
-
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+
+ if (flag & IP_FW_F_UID_COMPAT) {
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+
+ cmd32->o.opcode = O_UID;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+ cmd32->d[0] = compat_rule->fw_uid;
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+
+ if (flag & IP_FW_F_KEEP_S_COMPAT) {
+ have_state = cmd;
+ fill_cmd(cmd, O_KEEP_STATE, 0);
+
prev = cmd;
cmd = next_cmd(cmd);
- }
- else if (flag & IP_FW_F_IIFACE_COMPAT) {
- /* recv */
- ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
- union ip_fw_if_compat ifu = compat_rule->fw_in_if;
-
- cmd->opcode = O_RECV;
+ }
+ if (flag & IP_FW_BRIDGED_COMPAT) {
+ fill_cmd(cmd, O_LAYER2, 0);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+
+ if ((flag & IF_FW_F_VIAHACK_COMPAT) == IF_FW_F_VIAHACK_COMPAT) {
+ /* via */
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu = compat_rule->fw_in_if;
+
+ cmd->opcode = O_VIA;
ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
-
+
if (ifu.fu_via_ip.s_addr == 0) {
/* "any" */
ifcmd->name[0] = '\0';
ifcmd->o.len = 0;
- }
- else if (flag & IP_FW_F_IIFNAME_COMPAT) {
+ } else if (compat_rule->fw_flg & IP_FW_F_IIFNAME_COMPAT) {
/* by name */
strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
ifcmd->p.unit = ifu.fu_via_if_compat.unit;
/* by addr */
ifcmd->p.ip = ifu.fu_via_ip;
}
-
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ } else {
+ if (flag & IP_FW_F_IN_COMPAT) {
+ fill_cmd(cmd, O_IN, 0);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ if (flag & IP_FW_F_OUT_COMPAT) {
+ /* if the previous command was O_IN, and this
+ * is being set as well, it's equivalent to not
+ * having either command, so let's back up prev
+ * to the cmd before it and move cmd to prev.
+ */
+ if (prev->opcode == O_IN) {
+ cmd = prev;
+ bzero(cmd, sizeof(*cmd));
+ } else {
+ cmd->len ^= F_NOT; /* toggle F_NOT */
+ fill_cmd(cmd, O_IN, 0);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ }
+ if (flag & IP_FW_F_OIFACE_COMPAT) {
+ /* xmit */
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu = compat_rule->fw_out_if;
+
+ cmd->opcode = O_XMIT;
+ ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
+
+ if (ifu.fu_via_ip.s_addr == 0) {
+ /* "any" */
+ ifcmd->name[0] = '\0';
+ ifcmd->o.len = 0;
+ } else if (flag & IP_FW_F_OIFNAME_COMPAT) {
+ /* by name */
+ strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
+ ifcmd->p.unit = ifu.fu_via_if_compat.unit;
+ } else {
+ /* by addr */
+ ifcmd->p.ip = ifu.fu_via_ip;
+ }
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ } else if (flag & IP_FW_F_IIFACE_COMPAT) {
+ /* recv */
+ ipfw_insn_if *ifcmd = (ipfw_insn_if *)cmd;
+ union ip_fw_if_compat ifu = compat_rule->fw_in_if;
+
+ cmd->opcode = O_RECV;
+ ifcmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
+
+ if (ifu.fu_via_ip.s_addr == 0) {
+ /* "any" */
+ ifcmd->name[0] = '\0';
+ ifcmd->o.len = 0;
+ } else if (flag & IP_FW_F_IIFNAME_COMPAT) {
+ /* by name */
+ strncpy(ifcmd->name, ifu.fu_via_if_compat.name, sizeof(ifcmd->name));
+ ifcmd->p.unit = ifu.fu_via_if_compat.unit;
+ } else {
+ /* by addr */
+ ifcmd->p.ip = ifu.fu_via_ip;
+ }
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ }
+
+ if (flag & IP_FW_F_FRAG_COMPAT) {
+ fill_cmd(cmd, O_FRAG, 0);
+
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- if (flag & IP_FW_F_FRAG_COMPAT) {
- fill_cmd(cmd, O_FRAG, 0);
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- /* IP options */
- if (compat_rule->fw_ipopt != 0 || compat_rule->fw_ipnopt != 0) {
- fill_cmd(cmd, O_IPOPT, (compat_rule->fw_ipopt & 0xff) |
- (compat_rule->fw_ipnopt & 0xff) << 8);
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
-
- if (compat_rule->fw_prot == IPPROTO_TCP) {
- if (compat_rule->fw_ipflg & IP_FW_IF_TCPEST_COMPAT) {
- fill_cmd(cmd, O_ESTAB, 0);
-
+ /* IP options */
+ if (compat_rule->fw_ipopt != 0 || compat_rule->fw_ipnopt != 0) {
+ fill_cmd(cmd, O_IPOPT, (compat_rule->fw_ipopt & 0xff) |
+ (compat_rule->fw_ipnopt & 0xff) << 8);
+
prev = cmd;
cmd = next_cmd(cmd);
}
-
- /* TCP options and flags */
- if (compat_rule->fw_tcpf != 0 || compat_rule->fw_tcpnf != 0) {
- if ((compat_rule->fw_tcpf & IP_FW_TCPF_SYN_COMPAT) &&
- compat_rule->fw_tcpnf & IP_FW_TCPF_ACK_COMPAT) {
- fill_cmd(cmd, O_TCPFLAGS, (TH_SYN) | ( (TH_ACK) & 0xff) <<8);
-
+
+ if (compat_rule->fw_prot == IPPROTO_TCP) {
+ if (compat_rule->fw_ipflg & IP_FW_IF_TCPEST_COMPAT) {
+ fill_cmd(cmd, O_ESTAB, 0);
+
prev = cmd;
cmd = next_cmd(cmd);
}
- else {
- fill_cmd(cmd, O_TCPFLAGS, (compat_rule->fw_tcpf & 0xff) |
- (compat_rule->fw_tcpnf & 0xff) << 8);
-
+
+ /* TCP options and flags */
+ if (compat_rule->fw_tcpf != 0 || compat_rule->fw_tcpnf != 0) {
+ if ((compat_rule->fw_tcpf & IP_FW_TCPF_SYN_COMPAT) &&
+ compat_rule->fw_tcpnf & IP_FW_TCPF_ACK_COMPAT) {
+ fill_cmd(cmd, O_TCPFLAGS, (TH_SYN) | ((TH_ACK) & 0xff) << 8);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ } else {
+ fill_cmd(cmd, O_TCPFLAGS, (compat_rule->fw_tcpf & 0xff) |
+ (compat_rule->fw_tcpnf & 0xff) << 8);
+
+ prev = cmd;
+ cmd = next_cmd(cmd);
+ }
+ }
+ if (compat_rule->fw_tcpopt != 0 || compat_rule->fw_tcpnopt != 0) {
+ fill_cmd(cmd, O_TCPOPTS, (compat_rule->fw_tcpopt & 0xff) |
+ (compat_rule->fw_tcpnopt & 0xff) << 8);
+
prev = cmd;
cmd = next_cmd(cmd);
}
}
- if (compat_rule->fw_tcpopt != 0 || compat_rule->fw_tcpnopt != 0) {
- fill_cmd(cmd, O_TCPOPTS, (compat_rule->fw_tcpopt & 0xff) |
- (compat_rule->fw_tcpnopt & 0xff) << 8);
-
+
+ /* ICMP */
+ /* XXX: check this */
+ if (flag & IP_FW_F_ICMPBIT_COMPAT) {
+ int i;
+ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;/* alias for cmd */
+ cmd32->o.opcode = O_ICMPTYPE;
+ cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
+
+ for (i = 0; i < IP_FW_ICMPTYPES_DIM_COMPAT; i++) {
+ cmd32->d[0] |= compat_rule->fw_uar_compat.fw_icmptypes[i];
+ }
+
prev = cmd;
cmd = next_cmd(cmd);
}
- }
-
- /* ICMP */
- /* XXX: check this */
- if (flag & IP_FW_F_ICMPBIT_COMPAT) {
- int i;
- ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; /* alias for cmd */
- cmd32->o.opcode = O_ICMPTYPE;
- cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
-
- for (i = 0; i < IP_FW_ICMPTYPES_DIM_COMPAT; i++) {
- cmd32->d[0] |= compat_rule->fw_uar_compat.fw_icmptypes[i];
- }
-
- prev = cmd;
- cmd = next_cmd(cmd);
- }
} /* end commands */
done:
- /* finally, copy everything into the current
+ /* finally, copy everything into the current
* rule buffer in the right order.
*/
dst = curr_rule->cmd;
-
+
/* first, do match probability */
if (compat_rule->fw_flg & IP_FW_F_RND_MATCH_COMPAT) {
dst->opcode = O_PROB;
dst->len = 2;
- *((int32_t *)(dst+1)) = compat_rule->pipe_ptr;
+ *((int32_t *)(dst + 1)) = compat_rule->pipe_ptr;
dst += dst->len;
}
-
+
/* generate O_PROBE_STATE if necessary */
if (have_state && have_state->opcode != O_CHECK_STATE) {
fill_cmd(dst, O_PROBE_STATE, 0);
dst = next_cmd(dst);
}
-
+
/*
* copy all commands but O_LOG, O_KEEP_STATE
*/
bcopy(have_state, dst, k * sizeof(uint32_t));
dst += k;
}
-
+
/*
* start action section
*/
bcopy(src, dst, k * sizeof(uint32_t));
dst += k;
}
-
+
/*
* copy all other actions
*/
}
static int
-ipfw_version_one_to_version_two_32(struct sockopt *sopt, struct ip_fw *curr_rule,
- struct ip_fw_compat_32 *rule_vers1)
+ipfw_version_one_to_version_two_32(struct sockopt *sopt, struct ip_fw *curr_rule,
+ struct ip_fw_compat_32 *rule_vers1)
{
- int err = EINVAL;
- struct ip_fw_compat_32 *rule_ptr;
- struct ip_fw_compat_32 rule;
-
+ int err = EINVAL;
+ struct ip_fw_compat_32 *rule_ptr;
+ struct ip_fw_compat_32 rule;
+
if (rule_vers1) {
rule_ptr = rule_vers1;
err = 0;
} else {
/* do some basic size checking here, more extensive checking later */
- if (!sopt->sopt_val || sopt->sopt_valsize < sizeof(struct ip_fw_compat_32))
+ if (!sopt->sopt_val || sopt->sopt_valsize < sizeof(struct ip_fw_compat_32)) {
return err;
-
- if ((err = sooptcopyin(sopt, &rule, sizeof(struct ip_fw_compat_32),
- sizeof(struct ip_fw_compat_32)))) {
+ }
+
+ if ((err = sooptcopyin(sopt, &rule, sizeof(struct ip_fw_compat_32),
+ sizeof(struct ip_fw_compat_32)))) {
return err;
}
-
+
rule_ptr = &rule;
}
curr_rule->bcnt = rule_ptr->fw_bcnt;
curr_rule->timestamp = rule_ptr->timestamp;
-
+
#if FW2_DEBUG_VERBOSE
ipfw_print_vers2_struct(curr_rule);
#endif
-
+
return err;
}
static int
-ipfw_version_one_to_version_two_64(struct sockopt *sopt, struct ip_fw *curr_rule,
- struct ip_fw_compat_64 *rule_vers1)
+ipfw_version_one_to_version_two_64(struct sockopt *sopt, struct ip_fw *curr_rule,
+ struct ip_fw_compat_64 *rule_vers1)
{
- int err = EINVAL;
- struct ip_fw_compat_64 *rule_ptr;
- struct ip_fw_compat_64 rule;
-
+ int err = EINVAL;
+ struct ip_fw_compat_64 *rule_ptr;
+ struct ip_fw_compat_64 rule;
+
if (rule_vers1) {
rule_ptr = rule_vers1;
err = 0;
} else {
/* do some basic size checking here, more extensive checking later */
- if (!sopt->sopt_val || sopt->sopt_valsize < sizeof(struct ip_fw_compat_64))
+ if (!sopt->sopt_val || sopt->sopt_valsize < sizeof(struct ip_fw_compat_64)) {
return err;
-
- if ((err = sooptcopyin(sopt, &rule, sizeof(struct ip_fw_compat_64),
- sizeof(struct ip_fw_compat_64)))) {
+ }
+
+ if ((err = sooptcopyin(sopt, &rule, sizeof(struct ip_fw_compat_64),
+ sizeof(struct ip_fw_compat_64)))) {
return err;
}
rule_ptr = &rule;
curr_rule->bcnt = rule_ptr->fw_bcnt;
curr_rule->timestamp = rule_ptr->timestamp;
-
+
#if FW2_DEBUG_VERBOSE
ipfw_print_vers2_struct(curr_rule);
#endif
-
+
return err;
}
-/* This converts to whatever the latest version is. Currently the
+/* This converts to whatever the latest version is. Currently the
* latest version of the firewall is ipfw2.
*/
static int
ipfw_version_one_to_latest_32(struct sockopt *sopt, struct ip_fw *curr_rule, struct ip_fw_compat_32 *rule_vers1)
{
int err;
-
+
/* if rule_vers1 is not null then this is coming from
* ipfw_version_zero_to_latest(), so pass that along;
* otherwise let ipfw_version_one_to_version_two()
* get the rule from sopt.
*/
err = ipfw_version_one_to_version_two_32(sopt, curr_rule, rule_vers1);
-
+
return err;
}
ipfw_version_one_to_latest_64(struct sockopt *sopt, struct ip_fw *curr_rule, struct ip_fw_compat_64 *rule_vers1)
{
int err;
-
+
/* if rule_vers1 is not null then this is coming from
* ipfw_version_zero_to_latest(), so pass that along;
* otherwise let ipfw_version_one_to_version_two()
* get the rule from sopt.
*/
err = ipfw_version_one_to_version_two_64(sopt, curr_rule, rule_vers1);
-
+
return err;
}
#if 0
-/*
+/*
* XXX - ipfw_version_zero_to_one
- *
+ *
* This function is only used in version #1 of ipfw, which is now deprecated.
*
- */
+ */
static void
ipfw_version_zero_to_one(struct ip_old_fw *rule_vers0, struct ip_fw_compat *rule_vers1)
#endif /* !ipfw_version_zero_to_one */
-/* rule is a u_int32_t buffer[255] into which the converted
+/* rule is a u_int32_t buffer[255] into which the converted
* (if necessary) rules go.
*/
int
ipfw_convert_to_latest(struct sockopt *sopt, struct ip_fw *curr_rule, int api_version, int is64user)
{
- int err = 0;
-
+ int err = 0;
+
/* the following functions copy the rules passed in and
* convert to latest structures based on version
*/
switch (api_version) {
- case IP_FW_VERSION_0:
- /* we're not supporting VERSION 0 */
- err = EOPNOTSUPP;
- break;
-
- case IP_FW_VERSION_1:
- /* this is the version supported in Panther */
- if ( is64user )
- err = ipfw_version_one_to_latest_64(sopt, curr_rule, NULL);
- else
- err = ipfw_version_one_to_latest_32(sopt, curr_rule, NULL);
- break;
-
- case IP_FW_CURRENT_API_VERSION:
- /* IPFW2 for now */
- /* do nothing here... */
- break;
-
- default:
- /* unrecognized/unsupported version */
- err = EINVAL;
- break;
+ case IP_FW_VERSION_0:
+ /* we're not supporting VERSION 0 */
+ err = EOPNOTSUPP;
+ break;
+
+ case IP_FW_VERSION_1:
+ /* this is the version supported in Panther */
+ if (is64user) {
+ err = ipfw_version_one_to_latest_64(sopt, curr_rule, NULL);
+ } else {
+ err = ipfw_version_one_to_latest_32(sopt, curr_rule, NULL);
+ }
+ break;
+
+ case IP_FW_CURRENT_API_VERSION:
+ /* IPFW2 for now */
+ /* do nothing here... */
+ break;
+
+ default:
+ /* unrecognized/unsupported version */
+ err = EINVAL;
+ break;
}
-
+
return err;
}
{
int cmd;
int err = 0;
- u_int32_t vers = IP_FW_VERSION_NONE;
-
+ u_int32_t vers = IP_FW_VERSION_NONE;
+
/* first deal with the oldest version */
- if (sopt->sopt_name == IP_OLD_FW_GET) {
+ if (sopt->sopt_name == IP_OLD_FW_GET) {
vers = IP_FW_VERSION_0;
cmd = IP_FW_GET;
- }
- else if (sopt->sopt_name == IP_OLD_FW_FLUSH) {
+ } else if (sopt->sopt_name == IP_OLD_FW_FLUSH) {
vers = IP_FW_VERSION_0;
cmd = IP_FW_FLUSH;
- }
- else if (sopt->sopt_name == IP_OLD_FW_ZERO) {
+ } else if (sopt->sopt_name == IP_OLD_FW_ZERO) {
vers = IP_FW_VERSION_0;
cmd = IP_FW_ZERO;
- }
- else if (sopt->sopt_name == IP_OLD_FW_ADD) {
+ } else if (sopt->sopt_name == IP_OLD_FW_ADD) {
vers = IP_FW_VERSION_0;
cmd = IP_FW_ADD;
- }
- else if (sopt->sopt_name == IP_OLD_FW_DEL) {
+ } else if (sopt->sopt_name == IP_OLD_FW_DEL) {
vers = IP_FW_VERSION_0;
cmd = IP_FW_DEL;
- }
- else if (sopt->sopt_name == IP_OLD_FW_RESETLOG) {
+ } else if (sopt->sopt_name == IP_OLD_FW_RESETLOG) {
vers = IP_FW_VERSION_0;
cmd = IP_FW_RESETLOG;
- }
- else {
+ } else {
cmd = sopt->sopt_name;
}
-
+
if (vers == IP_FW_VERSION_NONE) {
/* working off the fact that the offset
* is the same in both structs.
*/
struct ip_fw_64 rule;
- size_t copyinsize;
-
- if (proc_is64bit(sopt->sopt_p))
- copyinsize = sizeof(struct ip_fw_64);
- else
- copyinsize = sizeof(struct ip_fw_32);
-
- if (!sopt->sopt_val || sopt->sopt_valsize < copyinsize)
+ size_t copyinsize;
+
+ if (proc_is64bit(sopt->sopt_p)) {
+ copyinsize = sizeof(struct ip_fw_64);
+ } else {
+ copyinsize = sizeof(struct ip_fw_32);
+ }
+
+ if (!sopt->sopt_val || sopt->sopt_valsize < copyinsize) {
return EINVAL;
+ }
if ((err = sooptcopyin(sopt, &rule, copyinsize, copyinsize))) {
return err;
}
-
+
vers = rule.version;
}
if (api_version) {
*api_version = vers;
}
-
+
return err;
}
-
projects / apple / xnu.git / blobdiff