authorAndrey V. Elsukov <ae@FreeBSD.org>2018-07-09 11:35:18 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2018-07-09 11:35:18 +0000
commitf7c4fdee1af6c18aecf374bf797ffa27d33c6789 (patch)
tree3927c2067701f855536553ccdf5d714ed6717f8b /sys/netpfil
parent98a8fdf6dac8aa5c28a3ac6640a1020bbd7a28da (diff)
Add "record-state", "set-limit" and "defer-action" rule options to ipfw.
"record-state" is similar to "keep-state", but it doesn't produce an implicit O_PROBE_STATE opcode in a rule. "set-limit" is like "limit", but it has the same feature as "record-state": it is a single opcode without an implicit O_PROBE_STATE opcode. "defer-action" is targeted to be used with dynamic states. When a rule with this opcode is matched, the rule's action will not be executed; instead a dynamic state will be created. And when this state is later matched by "check-state", then the rule's action will be executed. This allows creating more complicated rulesets. Submitted by: lev MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D1776
Notes
Notes: svn path=/head/; revision=336132
Diffstat (limited to 'sys/netpfil')
-rw-r--r--sys/netpfil/ipfw/ip_fw2.c19
-rw-r--r--sys/netpfil/ipfw/ip_fw_sockopt.c1
2 files changed, 19 insertions, 1 deletions
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index c5604492872a..eb2b120e51ca 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -2584,7 +2584,9 @@ do { \
*
* O_LIMIT and O_KEEP_STATE: these opcodes are
* not real 'actions', and are stored right
- * before the 'action' part of the rule.
+ * before the 'action' part of the rule (one
+ * exception is O_SKIP_ACTION which could be
+ * between these opcodes and 'action' one).
* These opcodes try to install an entry in the
* state tables; if successful, we continue with
* the next opcode (match=1; break;), otherwise
@@ -2601,6 +2603,16 @@ do { \
* further instances of these opcodes become NOPs.
* The jump to the next rule is done by setting
* l=0, cmdlen=0.
+ *
+ * O_SKIP_ACTION: this opcode is not a real 'action'
+ * either, and is stored right before the 'action'
+ * part of the rule, right after the O_KEEP_STATE
+ * opcode. It causes match failure so the real
+ * 'action' could be executed only if the rule
+ * is checked via dynamic rule from the state
+ * table, as in such case execution starts
+ * from the true 'action' opcode directly.
+ *
*/
case O_LIMIT:
case O_KEEP_STATE:
@@ -2653,6 +2665,11 @@ do { \
match = 1;
break;
+ case O_SKIP_ACTION:
+ match = 0; /* skip to the next rule */
+ l = 0; /* exit inner loop */
+ break;
+
case O_ACCEPT:
retval = 0; /* accept */
l = 0; /* exit inner loop */
diff --git a/sys/netpfil/ipfw/ip_fw_sockopt.c b/sys/netpfil/ipfw/ip_fw_sockopt.c
index 5d32b2eb0fcd..4103cedf4f87 100644
--- a/sys/netpfil/ipfw/ip_fw_sockopt.c
+++ b/sys/netpfil/ipfw/ip_fw_sockopt.c
@@ -1750,6 +1750,7 @@ check_ipfw_rule_body(ipfw_insn *cmd, int cmd_len, struct rule_check_info *ci)
#endif
case O_IP4:
case O_TAG:
+ case O_SKIP_ACTION:
if (cmdlen != F_INSN_SIZE(ipfw_insn))
goto bad_size;
break;
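Review bot: The added `case O_SKIP_ACTION:` only validates the instruction length, so the kernel accepts the opcode at any position in a rule body, whereas the comment this commit adds in ip_fw2.c requires it to sit right after O_KEEP_STATE/O_LIMIT and immediately before the action. If I read the ipfw_chk side correctly, a rule that carries O_SKIP_ACTION without a preceding state-creating opcode is accepted but can never execute its action, because the only path that reaches the action is the check-state lookup, and that silent no-op rule is exactly what a ruleset author would want rejected at load time rather than discovered in production. check_ipfw_rule_body starts outside this hunk, so I cannot see whether it already tracks a "state opcode seen" flag; if not, consider adding one and failing with something like `printf("ipfw: opcode %d, defer-action without keep-state/limit\n", cmd->opcode); return (EINVAL);` when O_SKIP_ACTION is encountered before any O_KEEP_STATE/O_LIMIT, and likewise rejecting it when the next opcode is not the rule's action.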