1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
143 VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */
203 "Rule number auto-increment step");
220 "Use per-set namespace for tables");
252 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
262 int type = icmp->icmp_type; in icmptype_match()
264 return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) ); in icmptype_match()
273 int type = icmp->icmp_type; in is_icmp_query()
282 * low and high half of cmd->arg1 or cmd->d[0].
297 if ( ((cmd->arg1 & 0xff) & bits) != 0) in flags_match()
299 want_clear = (cmd->arg1 >> 8) & 0xff; in flags_match()
310 int x = (ip->ip_hl << 2) - sizeof (struct ip); in ipopts_match()
312 for (; x > 0; x -= optlen, cp += optlen) { in ipopts_match()
356 int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr); in tcpopts_parse()
358 for (; cnt > 0; cnt -= optlen, cp += optlen) { in tcpopts_parse()
395 if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0) in tcpopts_parse()
424 if (cmd->name[0] != '\0') { /* match by name */ in iface_match()
425 if (cmd->name[0] == '\1') /* use tablearg to match */ in iface_match()
426 return ipfw_lookup_table(chain, cmd->p.kidx, 0, in iface_match()
427 &ifp->if_index, tablearg); in iface_match()
429 if (cmd->p.glob) { in iface_match()
430 if (fnmatch(cmd->name, ifp->if_xname, 0) == 0) in iface_match()
433 if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0) in iface_match()
442 CK_STAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { in iface_match()
443 if (ia->ifa_addr->sa_family != AF_INET) in iface_match()
445 if (cmd->p.ip.s_addr == ((struct sockaddr_in *) in iface_match()
446 (ia->ifa_addr))->sin_addr.s_addr) in iface_match()
464 * commonly known as "anti-spoofing" or Unicast Reverse Path
465 * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
468 * ip verify unicast reverse-path
469 * ip verify unicast source reachable-via any
489 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp, in verify_path()
494 if (ifp != NULL && ifp != nh->nh_aifp) in verify_path()
498 if (ifp == NULL && (nh->nh_flags & NHF_DEFAULT) != 0) in verify_path()
502 if (ifp == NULL && (nh->nh_flags & (NHF_REJECT|NHF_BLACKHOLE)) != 0) in verify_path()
512 * is given by vtag. The T-bit is set in the ABORT chunk if and only if
533 M_SETFIB(m, id->fib); in ipfw_send_abort()
543 switch (id->addr_type) { in ipfw_send_abort()
559 m->m_data += max_linkhdr; in ipfw_send_abort()
560 m->m_flags |= M_SKIP_FIREWALL; in ipfw_send_abort()
561 m->m_pkthdr.len = m->m_len = tlen; in ipfw_send_abort()
562 m->m_pkthdr.rcvif = NULL; in ipfw_send_abort()
563 bzero(m->m_data, tlen); in ipfw_send_abort()
565 switch (id->addr_type) { in ipfw_send_abort()
569 ip->ip_v = 4; in ipfw_send_abort()
570 ip->ip_hl = sizeof(struct ip) >> 2; in ipfw_send_abort()
571 ip->ip_tos = IPTOS_LOWDELAY; in ipfw_send_abort()
572 ip->ip_len = htons(tlen); in ipfw_send_abort()
573 ip->ip_id = htons(0); in ipfw_send_abort()
574 ip->ip_off = htons(0); in ipfw_send_abort()
575 ip->ip_ttl = V_ip_defttl; in ipfw_send_abort()
576 ip->ip_p = IPPROTO_SCTP; in ipfw_send_abort()
577 ip->ip_sum = 0; in ipfw_send_abort()
578 ip->ip_src.s_addr = htonl(id->dst_ip); in ipfw_send_abort()
579 ip->ip_dst.s_addr = htonl(id->src_ip); in ipfw_send_abort()
587 ip6->ip6_vfc = IPV6_VERSION; in ipfw_send_abort()
588 ip6->ip6_plen = htons(plen); in ipfw_send_abort()
589 ip6->ip6_nxt = IPPROTO_SCTP; in ipfw_send_abort()
590 ip6->ip6_hlim = IPV6_DEFHLIM; in ipfw_send_abort()
591 ip6->ip6_src = id->dst_ip6; in ipfw_send_abort()
592 ip6->ip6_dst = id->src_ip6; in ipfw_send_abort()
599 sctp->src_port = htons(id->dst_port); in ipfw_send_abort()
600 sctp->dest_port = htons(id->src_port); in ipfw_send_abort()
601 sctp->v_tag = htonl(vtag); in ipfw_send_abort()
602 sctp->checksum = htonl(0); in ipfw_send_abort()
605 chunk->chunk_type = SCTP_ABORT_ASSOCIATION; in ipfw_send_abort()
606 chunk->chunk_flags = 0; in ipfw_send_abort()
608 chunk->chunk_flags |= SCTP_HAD_NO_TCB; in ipfw_send_abort()
610 chunk->chunk_length = htons(sizeof(struct sctp_chunkhdr)); in ipfw_send_abort()
612 sctp->checksum = sctp_calculate_cksum(m, hlen); in ipfw_send_abort()
641 M_SETFIB(m, id->fib); in ipfw_send_pkt()
651 switch (id->addr_type) { in ipfw_send_pkt()
667 m->m_data += max_linkhdr; in ipfw_send_pkt()
668 m->m_flags |= M_SKIP_FIREWALL; in ipfw_send_pkt()
669 m->m_pkthdr.len = m->m_len = len; in ipfw_send_pkt()
670 m->m_pkthdr.rcvif = NULL; in ipfw_send_pkt()
671 bzero(m->m_data, len); in ipfw_send_pkt()
673 switch (id->addr_type) { in ipfw_send_pkt()
678 h->ip_p = IPPROTO_TCP; in ipfw_send_pkt()
679 h->ip_len = htons(sizeof(struct tcphdr)); in ipfw_send_pkt()
681 h->ip_src.s_addr = htonl(id->src_ip); in ipfw_send_pkt()
682 h->ip_dst.s_addr = htonl(id->dst_ip); in ipfw_send_pkt()
684 h->ip_src.s_addr = htonl(id->dst_ip); in ipfw_send_pkt()
685 h->ip_dst.s_addr = htonl(id->src_ip); in ipfw_send_pkt()
695 h6->ip6_nxt = IPPROTO_TCP; in ipfw_send_pkt()
696 h6->ip6_plen = htons(sizeof(struct tcphdr)); in ipfw_send_pkt()
698 h6->ip6_src = id->src_ip6; in ipfw_send_pkt()
699 h6->ip6_dst = id->dst_ip6; in ipfw_send_pkt()
701 h6->ip6_src = id->dst_ip6; in ipfw_send_pkt()
702 h6->ip6_dst = id->src_ip6; in ipfw_send_pkt()
711 th->th_sport = htons(id->src_port); in ipfw_send_pkt()
712 th->th_dport = htons(id->dst_port); in ipfw_send_pkt()
714 th->th_sport = htons(id->dst_port); in ipfw_send_pkt()
715 th->th_dport = htons(id->src_port); in ipfw_send_pkt()
717 th->th_off = sizeof(struct tcphdr) >> 2; in ipfw_send_pkt()
721 th->th_seq = htonl(ack); in ipfw_send_pkt()
722 th->th_flags = TH_RST; in ipfw_send_pkt()
726 th->th_ack = htonl(seq); in ipfw_send_pkt()
727 th->th_flags = TH_RST | TH_ACK; in ipfw_send_pkt()
731 * Keepalive - use caller provided sequence numbers in ipfw_send_pkt()
733 th->th_seq = htonl(seq); in ipfw_send_pkt()
734 th->th_ack = htonl(ack); in ipfw_send_pkt()
735 th->th_flags = TH_ACK; in ipfw_send_pkt()
738 switch (id->addr_type) { in ipfw_send_pkt()
740 th->th_sum = in_cksum(m, len); in ipfw_send_pkt()
743 h->ip_v = 4; in ipfw_send_pkt()
744 h->ip_hl = sizeof(*h) >> 2; in ipfw_send_pkt()
745 h->ip_tos = IPTOS_LOWDELAY; in ipfw_send_pkt()
746 h->ip_off = htons(0); in ipfw_send_pkt()
747 h->ip_len = htons(len); in ipfw_send_pkt()
748 h->ip_ttl = V_ip_defttl; in ipfw_send_pkt()
749 h->ip_sum = 0; in ipfw_send_pkt()
753 th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(*h6), in ipfw_send_pkt()
757 h6->ip6_vfc |= IPV6_VERSION; in ipfw_send_pkt()
758 h6->ip6_hlim = IPV6_DEFHLIM; in ipfw_send_pkt()
773 return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) ); in icmp6type_match()
780 for (i=0; i <= cmd->o.arg1; ++i) in flow6id_match()
781 if (curr_flow == cmd->d[i]) in flow6id_match()
806 if (!IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) in ipfw_localip6()
808 if (IN6_ARE_MASKED_ADDR_EQUAL(&ia->ia_addr.sin6_addr, in ipfw_localip6()
831 if (ifp != NULL && ifp != nh->nh_aifp) in verify_path6()
835 if (ifp == NULL && (nh->nh_flags & NHF_DEFAULT) != 0) in verify_path6()
839 if (ifp == NULL && (nh->nh_flags & (NHF_REJECT|NHF_BLACKHOLE)) != 0) in verify_path6()
891 m = args->m; in send_reject6()
892 if (code == ICMP6_UNREACH_RST && args->f_id.proto == IPPROTO_TCP) { in send_reject6()
896 if ((tcp->th_flags & TH_RST) == 0) { in send_reject6()
898 m0 = ipfw_send_pkt(args->m, &(args->f_id), in send_reject6()
899 ntohl(tcp->th_seq), ntohl(tcp->th_ack), in send_reject6()
900 tcp->th_flags | TH_RST); in send_reject6()
907 args->f_id.proto == IPPROTO_SCTP) { in send_reject6()
915 v_tag = ntohl(sctp->v_tag); in send_reject6()
917 if (m->m_len >= hlen + sizeof(struct sctphdr) + in send_reject6()
922 switch (chunk->chunk_type) { in send_reject6()
926 * a zero v-tag. in send_reject6()
933 if (m->m_pkthdr.len > in send_reject6()
935 ntohs(chunk->chunk_length) + 3) { in send_reject6()
939 if ((m->m_len >= hlen + sizeof(struct sctphdr) + in send_reject6()
945 v_tag = ntohl(init->initiate_tag); in send_reject6()
963 m0 = ipfw_send_abort(args->m, &(args->f_id), v_tag, in send_reject6()
980 if (args->L3offset) in send_reject6()
981 m_adj(m, args->L3offset); in send_reject6()
987 args->m = NULL; in send_reject6()
1001 code = cmd->arg1; in send_reject()
1003 cmd->len == F_INSN_SIZE(ipfw_insn_u16)) in send_reject()
1004 mtu = ((const ipfw_insn_u16 *)cmd)->ports[0]; in send_reject()
1015 if (args->L3offset) in send_reject()
1016 m_adj(m, args->L3offset); in send_reject()
1020 icmp_error(args->m, ICMP_UNREACH, code, 0L, mtu); in send_reject()
1021 } else if (code == ICMP_REJECT_RST && args->f_id.proto == IPPROTO_TCP) { in send_reject()
1023 L3HDR(struct tcphdr, mtod(args->m, struct ip *)); in send_reject()
1024 if ( (tcp->th_flags & TH_RST) == 0) { in send_reject()
1026 m = ipfw_send_pkt(args->m, &(args->f_id), in send_reject()
1027 ntohl(tcp->th_seq), ntohl(tcp->th_ack), in send_reject()
1028 tcp->th_flags | TH_RST); in send_reject()
1032 FREE_PKT(args->m); in send_reject()
1034 args->f_id.proto == IPPROTO_SCTP) { in send_reject()
1042 sctp = L3HDR(struct sctphdr, mtod(args->m, struct ip *)); in send_reject()
1044 v_tag = ntohl(sctp->v_tag); in send_reject()
1045 if (iplen >= (ip->ip_hl << 2) + sizeof(struct sctphdr) + in send_reject()
1049 switch (chunk->chunk_type) { in send_reject()
1053 * a zero v-tag. in send_reject()
1061 (ip->ip_hl << 2) + sizeof(struct sctphdr) + in send_reject()
1062 ntohs(chunk->chunk_length) + 3) { in send_reject()
1066 if ((iplen >= (ip->ip_hl << 2) + in send_reject()
1071 v_tag = ntohl(init->initiate_tag); in send_reject()
1089 m = ipfw_send_abort(args->m, &(args->f_id), v_tag, in send_reject()
1094 FREE_PKT(args->m); in send_reject()
1096 FREE_PKT(args->m); in send_reject()
1097 args->m = NULL; in send_reject()
1104 * yet done a lookup, 1 if we succeeded, and -1 if we tried
1121 (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb); in check_uidgid()
1130 id = &args->f_id; in check_uidgid()
1131 inp = args->inp; in check_uidgid()
1140 if (inp->inp_socket != NULL) { in check_uidgid()
1141 *uc = crhold(inp->inp_cred); in check_uidgid()
1144 *ugid_lookupp = -1; in check_uidgid()
1151 if (*ugid_lookupp == -1) in check_uidgid()
1153 if (id->proto == IPPROTO_TCP) { in check_uidgid()
1156 } else if (id->proto == IPPROTO_UDP) { in check_uidgid()
1159 } else if (id->proto == IPPROTO_UDPLITE) { in check_uidgid()
1167 if (id->addr_type == 6) { in check_uidgid()
1169 if (args->flags & IPFW_ARGS_IN) in check_uidgid()
1171 &id->src_ip6, htons(id->src_port), in check_uidgid()
1172 &id->dst_ip6, htons(id->dst_port), in check_uidgid()
1173 lookupflags, NULL, args->m); in check_uidgid()
1176 &id->dst_ip6, htons(id->dst_port), in check_uidgid()
1177 &id->src_ip6, htons(id->src_port), in check_uidgid()
1178 lookupflags, args->ifp, args->m); in check_uidgid()
1180 *ugid_lookupp = -1; in check_uidgid()
1184 src_ip.s_addr = htonl(id->src_ip); in check_uidgid()
1185 dst_ip.s_addr = htonl(id->dst_ip); in check_uidgid()
1186 if (args->flags & IPFW_ARGS_IN) in check_uidgid()
1188 src_ip, htons(id->src_port), in check_uidgid()
1189 dst_ip, htons(id->dst_port), in check_uidgid()
1190 lookupflags, NULL, args->m); in check_uidgid()
1193 dst_ip, htons(id->dst_port), in check_uidgid()
1194 src_ip, htons(id->src_port), in check_uidgid()
1195 lookupflags, args->ifp, args->m); in check_uidgid()
1199 *uc = crhold(pcb->inp_cred); in check_uidgid()
1205 * We tried and failed, set the variable to -1 in check_uidgid()
1208 *ugid_lookupp = -1; in check_uidgid()
1212 if (insn->o.opcode == O_UID) in check_uidgid()
1213 match = ((*uc)->cr_uid == (uid_t)insn->d[0]); in check_uidgid()
1214 else if (insn->o.opcode == O_GID) in check_uidgid()
1215 match = groupmember((gid_t)insn->d[0], *uc); in check_uidgid()
1216 else if (insn->o.opcode == O_JAIL) in check_uidgid()
1217 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]); in check_uidgid()
1232 args->rule.chain_id = chain->id; in set_match()
1233 args->rule.slot = slot + 1; /* we use 0 as a marker */ in set_match()
1234 args->rule.rule_id = 1 + chain->map[slot]->id; in set_match()
1235 args->rule.rulenum = chain->map[slot]->rulenum; in set_match()
1236 args->flags |= IPFW_ARGS_REF; in set_match()
1247 if (jump_backwards == 0 && i <= f->rulenum) in jump_lookup_pos()
1248 i = f->rulenum + 1; in jump_lookup_pos()
1251 if (chain->idxmap != NULL) in jump_lookup_pos()
1252 f_pos = chain->idxmap[i]; in jump_lookup_pos()
1256 f_pos = chain->idxmap[i]; in jump_lookup_pos()
1279 * If possible use cached f_pos (in f->cache.pos), in jump_cached()
1280 * whose version is written in f->cache.id (horrible hacks in jump_cached()
1290 cache.raw_value = f->cache.raw_value; in jump_cached()
1291 if (cache.id == chain->id) in jump_cached()
1297 cache.id = chain->id; in jump_cached()
1298 f->cache.raw_value = cache.raw_value; in jump_cached()
1300 if (f->cache.id == chain->id) { in jump_cached()
1303 return (f->cache.pos); in jump_cached()
1308 f->cache.pos = f_pos; in jump_cached()
1311 f->cache.id = chain->id; in jump_cached()
1326 * args->m (in/out) The packet; we set to NULL when/if we nuke it.
1328 * args->L3offset Number of bytes bypassed if we came from L2.
1330 * args->ifp Incoming or outgoing interface.
1331 * args->divert_rule (in/out)
1333 * upon return, non-zero port number for divert or tee.
1335 * args->rule Pointer to the last matching rule (in/out)
1336 * args->next_hop Socket we are forwarding to (out).
1337 * args->next_hop6 IPv6 next hop we are forwarding to (out).
1338 * args->f_id Addresses grabbed from the packet (out)
1339 * args->rule.info a cookie depending on rule action
1347 * IP_FW_DUMMYNET to dummynet, pipe in args->cookie
1348 * IP_FW_NETGRAPH into netgraph, cookie args->cookie
1349 * args->rule contains the matching rule,
1350 * args->rule.info has additional information.
1366 * m | args->m Pointer to the mbuf, as received from the caller. in ipfw_chk()
1372 * args->mem Pointer to contiguous memory chunk. in ipfw_chk()
1420 * proto The protocol. Set to 0 for non-ip packets, in ipfw_chk()
1441 * We store in ulp a pointer to the upper layer protocol header. in ipfw_chk()
1444 * ulp is NULL if not found. in ipfw_chk()
1446 void *ulp = NULL; /* upper layer protocol pointer. */ in ipfw_chk() local
1462 if ((mem = (args->flags & IPFW_ARGS_LENMASK))) { in ipfw_chk()
1463 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
1464 eh = (struct ether_header *)args->mem; in ipfw_chk()
1465 if (eh->ether_type == htons(ETHERTYPE_VLAN)) in ipfw_chk()
1472 ip = (struct ip *)args->mem; in ipfw_chk()
1474 pktlen = IPFW_ARGS_LENGTH(args->flags); in ipfw_chk()
1475 args->f_id.fib = args->ifp->if_fib; /* best guess */ in ipfw_chk()
1477 m = args->m; in ipfw_chk()
1478 if (m->m_flags & M_SKIP_FIREWALL || (! V_ipfw_vnet_ready)) in ipfw_chk()
1480 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
1482 if (m->m_len < min(m->m_pkthdr.len, max_protohdr) && in ipfw_chk()
1483 (args->m = m = m_pullup(m, min(m->m_pkthdr.len, in ipfw_chk()
1492 pktlen = m->m_pkthdr.len; in ipfw_chk()
1493 args->f_id.fib = M_GETFIB(m); /* mbuf not altered */ in ipfw_chk()
1508 #define EHLEN (eh != NULL ? ((char *)ip - (char *)eh) : 0) in ipfw_chk()
1517 p = (char *)args->mem + (_len) + EHLEN; \ in ipfw_chk()
1519 if (__predict_false((m)->m_len < x)) { \ in ipfw_chk()
1520 args->m = m = m_pullup(m, x); \ in ipfw_chk()
1545 args->m = m; \ in ipfw_chk()
1551 (eh == NULL || eh->ether_type == htons(ETHERTYPE_IPV6)) && in ipfw_chk()
1552 ip->ip_v == 6) { in ipfw_chk()
1556 args->flags |= IPFW_ARGS_IP6; in ipfw_chk()
1558 proto = ip6->ip6_nxt; in ipfw_chk()
1560 while (ulp == NULL && offset == 0) { in ipfw_chk()
1563 PULLUP_TO(hlen, ulp, struct icmp6_hdr); in ipfw_chk()
1565 icmp6_type = ICMP6(ulp)->icmp6_type; in ipfw_chk()
1570 PULLUP_TO(hlen, ulp, struct tcphdr); in ipfw_chk()
1571 dst_port = TCP(ulp)->th_dport; in ipfw_chk()
1572 src_port = TCP(ulp)->th_sport; in ipfw_chk()
1574 args->f_id._flags = TCP(ulp)->th_flags; in ipfw_chk()
1581 PULLUP_LEN(hlen, ulp, in ipfw_chk()
1586 PULLUP_LEN(hlen, ulp, pktlen - hlen); in ipfw_chk()
1588 PULLUP_LEN(hlen, ulp, in ipfw_chk()
1590 src_port = SCTP(ulp)->src_port; in ipfw_chk()
1591 dst_port = SCTP(ulp)->dest_port; in ipfw_chk()
1596 PULLUP_TO(hlen, ulp, struct udphdr); in ipfw_chk()
1597 dst_port = UDP(ulp)->uh_dport; in ipfw_chk()
1598 src_port = UDP(ulp)->uh_sport; in ipfw_chk()
1602 PULLUP_TO(hlen, ulp, struct ip6_hbh); in ipfw_chk()
1604 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; in ipfw_chk()
1605 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; in ipfw_chk()
1606 ulp = NULL; in ipfw_chk()
1610 PULLUP_TO(hlen, ulp, struct ip6_rthdr); in ipfw_chk()
1611 switch (((struct ip6_rthdr *)ulp)->ip6r_type) { in ipfw_chk()
1620 printf("IPFW2: IPV6 - Unknown " in ipfw_chk()
1623 ulp)->ip6r_type); in ipfw_chk()
1629 hlen += (((struct ip6_rthdr *)ulp)->ip6r_len + 1) << 3; in ipfw_chk()
1630 proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt; in ipfw_chk()
1631 ulp = NULL; in ipfw_chk()
1635 PULLUP_TO(hlen, ulp, struct ip6_frag); in ipfw_chk()
1638 proto = ((struct ip6_frag *)ulp)->ip6f_nxt; in ipfw_chk()
1639 offset = ((struct ip6_frag *)ulp)->ip6f_offlg & in ipfw_chk()
1641 ip6f_mf = ((struct ip6_frag *)ulp)->ip6f_offlg & in ipfw_chk()
1646 printf("IPFW2: IPV6 - Invalid " in ipfw_chk()
1652 args->f_id.extra = in ipfw_chk()
1653 ntohl(((struct ip6_frag *)ulp)->ip6f_ident); in ipfw_chk()
1654 ulp = NULL; in ipfw_chk()
1658 PULLUP_TO(hlen, ulp, struct ip6_hbh); in ipfw_chk()
1660 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; in ipfw_chk()
1661 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; in ipfw_chk()
1662 ulp = NULL; in ipfw_chk()
1666 PULLUP_TO(hlen, ulp, struct ip6_ext); in ipfw_chk()
1668 hlen += (((struct ip6_ext *)ulp)->ip6e_len + 2) << 2; in ipfw_chk()
1669 proto = ((struct ip6_ext *)ulp)->ip6e_nxt; in ipfw_chk()
1670 ulp = NULL; in ipfw_chk()
1674 PULLUP_TO(hlen, ulp, uint32_t); /* SPI, Seq# */ in ipfw_chk()
1686 ulp = ip; /* non-NULL to get out of loop. */ in ipfw_chk()
1691 PULLUP_TO(hlen, ulp, struct ip6_ext); in ipfw_chk()
1696 PULLUP_TO(hlen, ulp, struct pim); in ipfw_chk()
1701 PULLUP_TO(hlen, ulp, struct grehdr); in ipfw_chk()
1705 PULLUP_TO(hlen, ulp, offsetof( in ipfw_chk()
1708 ((struct carp_header *)ulp)->carp_type) in ipfw_chk()
1713 PULLUP_TO(hlen, ulp, struct ip6_hdr); in ipfw_chk()
1717 PULLUP_TO(hlen, ulp, struct ip); in ipfw_chk()
1721 PULLUP_TO(hlen, ulp, struct pfsync_header); in ipfw_chk()
1726 printf("IPFW2: IPV6 - Unknown " in ipfw_chk()
1731 PULLUP_TO(hlen, ulp, struct ip6_ext); in ipfw_chk()
1737 args->f_id.addr_type = 6; in ipfw_chk()
1738 args->f_id.src_ip6 = ip6->ip6_src; in ipfw_chk()
1739 args->f_id.dst_ip6 = ip6->ip6_dst; in ipfw_chk()
1740 args->f_id.flow_id6 = ntohl(ip6->ip6_flow); in ipfw_chk()
1741 iplen = ntohs(ip6->ip6_plen) + sizeof(*ip6); in ipfw_chk()
1743 (eh == NULL || eh->ether_type == htons(ETHERTYPE_IP)) && in ipfw_chk()
1744 ip->ip_v == 4) { in ipfw_chk()
1746 args->flags |= IPFW_ARGS_IP4; in ipfw_chk()
1747 hlen = ip->ip_hl << 2; in ipfw_chk()
1752 proto = ip->ip_p; in ipfw_chk()
1753 src_ip = ip->ip_src; in ipfw_chk()
1754 dst_ip = ip->ip_dst; in ipfw_chk()
1755 offset = ntohs(ip->ip_off) & IP_OFFMASK; in ipfw_chk()
1756 iplen = ntohs(ip->ip_len); in ipfw_chk()
1761 PULLUP_TO(hlen, ulp, struct tcphdr); in ipfw_chk()
1762 dst_port = TCP(ulp)->th_dport; in ipfw_chk()
1763 src_port = TCP(ulp)->th_sport; in ipfw_chk()
1765 args->f_id._flags = TCP(ulp)->th_flags; in ipfw_chk()
1772 PULLUP_LEN(hlen, ulp, in ipfw_chk()
1777 PULLUP_LEN(hlen, ulp, pktlen - hlen); in ipfw_chk()
1779 PULLUP_LEN(hlen, ulp, in ipfw_chk()
1781 src_port = SCTP(ulp)->src_port; in ipfw_chk()
1782 dst_port = SCTP(ulp)->dest_port; in ipfw_chk()
1787 PULLUP_TO(hlen, ulp, struct udphdr); in ipfw_chk()
1788 dst_port = UDP(ulp)->uh_dport; in ipfw_chk()
1789 src_port = UDP(ulp)->uh_sport; in ipfw_chk()
1793 PULLUP_TO(hlen, ulp, struct icmphdr); in ipfw_chk()
1794 //args->f_id.flags = ICMP(ulp)->icmp_type; in ipfw_chk()
1808 args->f_id.addr_type = 4; in ipfw_chk()
1809 args->f_id.src_ip = ntohl(src_ip.s_addr); in ipfw_chk()
1810 args->f_id.dst_ip = ntohl(dst_ip.s_addr); in ipfw_chk()
1815 args->f_id.addr_type = 1; /* XXX */ in ipfw_chk()
1821 args->f_id.proto = proto; in ipfw_chk()
1822 args->f_id.src_port = src_port = ntohs(src_port); in ipfw_chk()
1823 args->f_id.dst_port = dst_port = ntohs(dst_port); in ipfw_chk()
1830 if (args->flags & IPFW_ARGS_REF) { in ipfw_chk()
1833 * match on rule args->rule aka args->rule_id (PIPE, QUEUE, in ipfw_chk()
1838 f_pos = (args->rule.chain_id == chain->id) ? in ipfw_chk()
1839 args->rule.slot : in ipfw_chk()
1840 ipfw_find_rule(chain, args->rule.rulenum, in ipfw_chk()
1841 args->rule.rule_id); in ipfw_chk()
1846 if (args->flags & IPFW_ARGS_IN) { in ipfw_chk()
1847 iif = args->ifp; in ipfw_chk()
1850 MPASS(args->flags & IPFW_ARGS_OUT); in ipfw_chk()
1852 oif = args->ifp; in ipfw_chk()
1858 * need to break out of one or both loops, or re-enter one of in ipfw_chk()
1873 for (; f_pos < chain->n_rules; f_pos++) { in ipfw_chk()
1879 f = chain->map[f_pos]; in ipfw_chk()
1880 if (V_set_disable & (1 << f->set) ) in ipfw_chk()
1884 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ; in ipfw_chk()
1885 l -= cmdlen, cmd += cmdlen) { in ipfw_chk()
1904 if ((cmd->len & F_OR) == 0) in ipfw_chk()
1910 switch (cmd->opcode) { in ipfw_chk()
1924 cmd->opcode); in ipfw_chk()
1961 match = iface_match(args->ifp, in ipfw_chk()
1966 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
1968 ((ipfw_insn_mac *)cmd)->addr; in ipfw_chk()
1970 ((ipfw_insn_mac *)cmd)->mask; in ipfw_chk()
1981 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
1983 ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
1986 for (i = cmdlen - 1; !match && i>0; in ipfw_chk()
1987 i--, p += 2) in ipfw_chk()
1989 (ntohs(eh->ether_type) >= in ipfw_chk()
1991 ntohs(eh->ether_type) <= in ipfw_chk()
2004 ((ntohs(ip->ip_off) & ~IP_OFFMASK) in ipfw_chk()
2011 match = (cmd->arg1 == 0x1 && in ipfw_chk()
2021 match = (args->flags & IPFW_ARGS_ETHER); in ipfw_chk()
2025 if ((args->flags & IPFW_ARGS_REF) == 0) in ipfw_chk()
2028 * For diverted packets, args->rule.info in ipfw_chk()
2032 match = ((args->rule.info & IPFW_IS_MASK) == in ipfw_chk()
2034 ((args->rule.info & IPFW_INFO_IN) ? in ipfw_chk()
2035 1: 2) & cmd->arg1); in ipfw_chk()
2040 * We do not allow an arg of 0 so the in ipfw_chk()
2043 match = (proto == cmd->arg1); in ipfw_chk()
2048 (((ipfw_insn_ip *)cmd)->addr.s_addr == in ipfw_chk()
2060 vidx = ((ipfw_insn_u32 *)cmd)->d[1]; in ipfw_chk()
2069 (void *)&args->f_id.dst_ip6: in ipfw_chk()
2073 (void *)&args->f_id.src_ip6: in ipfw_chk()
2106 ucred_cache->cr_uid: in ipfw_chk()
2107 ucred_cache->cr_prison->pr_id; in ipfw_chk()
2119 key = ip->ip_tos >> 2; in ipfw_chk()
2126 if ((args->flags & IPFW_ARGS_ETHER) == 0) in ipfw_chk()
2129 eh->ether_dhost: in ipfw_chk()
2130 eh->ether_shost; in ipfw_chk()
2134 key = args->rule.pkt_mark; in ipfw_chk()
2142 cmd->arg1, keylen, pkey, &vidx); in ipfw_chk()
2159 if (cmd->opcode == O_IP_DST_LOOKUP) in ipfw_chk()
2165 if (cmd->opcode == O_IP_DST_LOOKUP) in ipfw_chk()
2166 pkey = &args->f_id.dst_ip6; in ipfw_chk()
2168 pkey = &args->f_id.src_ip6; in ipfw_chk()
2171 match = ipfw_lookup_table(chain, cmd->arg1, in ipfw_chk()
2176 match = ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2193 if ((args->flags & IPFW_ARGS_ETHER) == 0) in ipfw_chk()
2196 if (cmd->opcode == O_MAC_DST_LOOKUP) in ipfw_chk()
2197 pkey = eh->ether_dhost; in ipfw_chk()
2199 pkey = eh->ether_shost; in ipfw_chk()
2201 match = ipfw_lookup_table(chain, cmd->arg1, in ipfw_chk()
2206 match = ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2219 cmd->arg1, 0, &args->f_id, &v); in ipfw_chk()
2223 match = ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2233 (cmd->opcode == O_IP_DST_MASK) ? in ipfw_chk()
2235 uint32_t *p = ((ipfw_insn_u32 *)cmd)->d; in ipfw_chk()
2236 int i = cmdlen-1; in ipfw_chk()
2238 for (; !match && i>0; i-= 2, p+= 2) in ipfw_chk()
2252 ipfw_localip6(&args->f_id.src_ip6); in ipfw_chk()
2261 cmd->opcode == O_IP_DST_SET ? in ipfw_chk()
2262 args->f_id.dst_ip : in ipfw_chk()
2263 args->f_id.src_ip; in ipfw_chk()
2267 addr -= d[0]; /* subtract base */ in ipfw_chk()
2268 match = (addr < cmd->arg1) && in ipfw_chk()
2276 (((ipfw_insn_ip *)cmd)->addr.s_addr == in ipfw_chk()
2289 ipfw_localip6(&args->f_id.dst_ip6); in ipfw_chk()
2305 (cmd->opcode == O_IP_SRCPORT) ? in ipfw_chk()
2308 ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2311 for (i = cmdlen - 1; !match && i>0; in ipfw_chk()
2312 i--, p += 2) in ipfw_chk()
2319 icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) ); in ipfw_chk()
2327 ICMP6(ulp)->icmp6_type, in ipfw_chk()
2339 cmd->arg1 == ip->ip_v); in ipfw_chk()
2352 if (cmd->opcode == O_IPLEN) in ipfw_chk()
2354 else if (cmd->opcode == O_IPTTL) in ipfw_chk()
2355 x = ip->ip_ttl; in ipfw_chk()
2357 x = ntohs(ip->ip_id); in ipfw_chk()
2359 match = (cmd->arg1 == x); in ipfw_chk()
2363 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2364 i = cmdlen - 1; in ipfw_chk()
2365 for (; !match && i>0; i--, p += 2) in ipfw_chk()
2372 (cmd->arg1 == (ip->ip_tos & 0xe0)) ); in ipfw_chk()
2377 flags_match(cmd, ip->ip_tos)); in ipfw_chk()
2385 p = ((ipfw_insn_u32 *)cmd)->d; in ipfw_chk()
2388 x = ip->ip_tos >> 2; in ipfw_chk()
2398 match = *(p + 1) & (1 << (x - 32)); in ipfw_chk()
2415 if (ip6->ip6_plen == 0) { in ipfw_chk()
2423 x = iplen - hlen; in ipfw_chk()
2426 x = iplen - (ip->ip_hl << 2); in ipfw_chk()
2427 tcp = TCP(ulp); in ipfw_chk()
2428 x -= tcp->th_off << 2; in ipfw_chk()
2430 match = (cmd->arg1 == x); in ipfw_chk()
2434 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2435 i = cmdlen - 1; in ipfw_chk()
2436 for (; !match && i>0; i--, p += 2) in ipfw_chk()
2443 flags_match(cmd, TCP(ulp)->th_flags)); in ipfw_chk()
2447 if (proto == IPPROTO_TCP && offset == 0 && ulp){ in ipfw_chk()
2448 PULLUP_LEN_LOCKED(hlen, ulp, in ipfw_chk()
2449 (TCP(ulp)->th_off << 2)); in ipfw_chk()
2450 match = tcpopts_match(TCP(ulp), cmd); in ipfw_chk()
2456 ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2457 TCP(ulp)->th_seq); in ipfw_chk()
2462 ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2463 TCP(ulp)->th_ack); in ipfw_chk()
2468 (args->f_id._flags & TH_SYN) != 0 && in ipfw_chk()
2469 ulp != NULL) { in ipfw_chk()
2473 PULLUP_LEN_LOCKED(hlen, ulp, in ipfw_chk()
2474 (TCP(ulp)->th_off << 2)); in ipfw_chk()
2475 if ((tcpopts_parse(TCP(ulp), &mss) & in ipfw_chk()
2479 match = (cmd->arg1 == mss); in ipfw_chk()
2483 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2484 i = cmdlen - 1; in ipfw_chk()
2485 for (; !match && i > 0; i--, p += 2) in ipfw_chk()
2497 x = ntohs(TCP(ulp)->th_win); in ipfw_chk()
2499 match = (cmd->arg1 == x); in ipfw_chk()
2503 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2504 i = cmdlen - 1; in ipfw_chk()
2505 for (; !match && i > 0; i--, p += 2) in ipfw_chk()
2514 (TCP(ulp)->th_flags & in ipfw_chk()
2525 * packet filtering system - pf(4). in ipfw_chk()
2531 if (at != NULL && at->qid != 0) in ipfw_chk()
2544 at->qid = altq->qid; in ipfw_chk()
2545 at->hdr = ip; in ipfw_chk()
2556 match = (random()<((ipfw_insn_u32 *)cmd)->d[0]); in ipfw_chk()
2561 match = (args->flags & IPFW_ARGS_OUT || in ipfw_chk()
2565 verify_path6(&(args->f_id.src_ip6), in ipfw_chk()
2566 iif, args->f_id.fib) : in ipfw_chk()
2568 verify_path(src_ip, iif, args->f_id.fib))); in ipfw_chk()
2576 verify_path6(&(args->f_id.src_ip6), in ipfw_chk()
2577 NULL, args->f_id.fib) : in ipfw_chk()
2579 verify_path(src_ip, NULL, args->f_id.fib)))); in ipfw_chk()
2588 in6_localaddr(&(args->f_id.src_ip6))) in ipfw_chk()
2594 &(args->f_id.src_ip6), iif, in ipfw_chk()
2595 args->f_id.fib) : in ipfw_chk()
2598 args->f_id.fib); in ipfw_chk()
2612 IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6, in ipfw_chk()
2613 &((ipfw_insn_ip6 *)cmd)->addr6); in ipfw_chk()
2618 IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6, in ipfw_chk()
2619 &((ipfw_insn_ip6 *)cmd)->addr6); in ipfw_chk()
2624 int i = cmdlen - 1; in ipfw_chk()
2627 &((ipfw_insn_ip6 *)cmd)->addr6; in ipfw_chk()
2630 i -= F_INSN_SIZE(struct in6_addr) in ipfw_chk()
2632 p = (cmd->opcode == in ipfw_chk()
2634 args->f_id.src_ip6: in ipfw_chk()
2635 args->f_id.dst_ip6; in ipfw_chk()
2646 flow6id_match(args->f_id.flow_id6, in ipfw_chk()
2652 (ext_hd & ((ipfw_insn *) cmd)->arg1); in ipfw_chk()
2666 uint32_t tag = TARG(cmd->arg1, tag); in ipfw_chk()
2678 if (cmd->len & F_NOT) { /* `untag' action */ in ipfw_chk()
2695 if (args->f_id.fib == cmd->arg1) in ipfw_chk()
2701 struct inpcb *inp = args->inp; in ipfw_chk()
2733 &args->f_id.src_ip6, in ipfw_chk()
2735 &args->f_id.dst_ip6, in ipfw_chk()
2742 if (inp->inp_socket) { in ipfw_chk()
2744 inp->inp_socket->so_user_cookie; in ipfw_chk()
2757 uint32_t tag = TARG(cmd->arg1, tag); in ipfw_chk()
2772 if (mtag->m_tag_cookie != MTAG_IPFW) in ipfw_chk()
2775 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2776 i = cmdlen - 1; in ipfw_chk()
2777 for(; !match && i > 0; i--, p += 2) in ipfw_chk()
2779 mtag->m_tag_id >= p[0] && in ipfw_chk()
2780 mtag->m_tag_id <= p[1]; in ipfw_chk()
2787 if (cmd->arg1 == IP_FW_TARG) in ipfw_chk()
2790 mark = ((ipfw_insn_u32 *)cmd)->d[0]; in ipfw_chk()
2792 (args->rule.pkt_mark & in ipfw_chk()
2793 ((ipfw_insn_u32 *)cmd)->d[1]) == in ipfw_chk()
2794 (mark & ((ipfw_insn_u32 *)cmd)->d[1]); in ipfw_chk()
2804 * (but there are exceptions -- see below). in ipfw_chk()
2854 (ipfw_insn_limit *)cmd, args, ulp, in ipfw_chk()
2868 * keep-state or check-state occurrence, in ipfw_chk()
2876 (q = ipfw_dyn_lookup_state(args, ulp, in ipfw_chk()
2887 l = f->cmd_len - f->act_ofs; in ipfw_chk()
2896 if (cmd->opcode == O_CHECK_STATE) in ipfw_chk()
2915 args->rule.info = TARG(cmd->arg1, pipe); in ipfw_chk()
2916 if (cmd->opcode == O_PIPE) in ipfw_chk()
2917 args->rule.info |= IPFW_IS_PIPE; in ipfw_chk()
2919 args->rule.info |= IPFW_ONEPASS; in ipfw_chk()
2927 if (args->flags & IPFW_ARGS_ETHER) in ipfw_chk()
2932 retval = (cmd->opcode == O_DIVERT) ? in ipfw_chk()
2935 args->rule.info = TARG(cmd->arg1, divert); in ipfw_chk()
2945 f_pos = JUMP(chain, f, cmd->arg1, tablearg, 0); in ipfw_chk()
2947 * Skip disabled rules, and re-enter in ipfw_chk()
2952 for (; f_pos < chain->n_rules - 1 && in ipfw_chk()
2954 (1 << chain->map[f_pos]->set)); in ipfw_chk()
2957 /* Re-enter the inner loop at the skipto rule. */ in ipfw_chk()
2958 f = chain->map[f_pos]; in ipfw_chk()
2959 l = f->cmd_len; in ipfw_chk()
2960 cmd = f->cmd; in ipfw_chk()
2981 #define IS_CALL ((cmd->len & F_NOT) == 0) in ipfw_chk()
2982 #define IS_RETURN ((cmd->len & F_NOT) != 0) in ipfw_chk()
2984 * Hand-rolled version of m_tag_locate() with in ipfw_chk()
2990 if (mtag->m_tag_cookie == in ipfw_chk()
3008 mtag->m_tag_id == 0)) { in ipfw_chk()
3013 mtag->m_tag_id >= IPFW_CALLSTACK_SIZE)) { in ipfw_chk()
3025 * (in f->next_rule), whose version is written in ipfw_chk()
3026 * in f->next_rule. in ipfw_chk()
3028 * fixed jump address in cmd->arg1 and can't use in ipfw_chk()
3032 stack[mtag->m_tag_id] = f->rulenum; in ipfw_chk()
3033 mtag->m_tag_id++; in ipfw_chk()
3034 f_pos = JUMP(chain, f, cmd->arg1, in ipfw_chk()
3037 mtag->m_tag_id--; in ipfw_chk()
3038 jmpto = stack[mtag->m_tag_id] + 1; in ipfw_chk()
3043 * Skip disabled rules, and re-enter in ipfw_chk()
3048 for (; f_pos < chain->n_rules - 1 && in ipfw_chk()
3050 (1 << chain->map[f_pos]->set)); f_pos++) in ipfw_chk()
3052 /* Re-enter the inner loop at the dest rule. */ in ipfw_chk()
3053 f = chain->map[f_pos]; in ipfw_chk()
3054 l = f->cmd_len; in ipfw_chk()
3055 cmd = f->cmd; in ipfw_chk()
3072 is_icmp_query(ICMP(ulp))) && in ipfw_chk()
3073 !(m->m_flags & (M_BCAST|M_MCAST)) && in ipfw_chk()
3076 m = args->m; in ipfw_chk()
3085 !(m->m_flags & (M_BCAST|M_MCAST)) && in ipfw_chk()
3087 &args->f_id.dst_ip6)) { in ipfw_chk()
3089 cmd->opcode == O_REJECT ? in ipfw_chk()
3090 map_icmp_unreach(cmd->arg1): in ipfw_chk()
3091 cmd->arg1, hlen, in ipfw_chk()
3093 m = args->m; in ipfw_chk()
3104 if (args->flags & IPFW_ARGS_ETHER) in ipfw_chk()
3110 sa = &(((ipfw_insn_sa *)cmd)->sa); in ipfw_chk()
3111 if (sa->sin_addr.s_addr == INADDR_ANY) { in ipfw_chk()
3124 args->flags |= IPFW_ARGS_NH6; in ipfw_chk()
3125 nh6 = &args->hopstore6; in ipfw_chk()
3126 nh6->sin6_addr = TARG_VAL( in ipfw_chk()
3128 nh6->sin6_port = sa->sin_port; in ipfw_chk()
3129 nh6->sin6_scope_id = TARG_VAL( in ipfw_chk()
3134 args->flags |= IPFW_ARGS_NH4; in ipfw_chk()
3135 args->hopstore.sin_port = in ipfw_chk()
3136 sa->sin_port; in ipfw_chk()
3137 sa = &args->hopstore; in ipfw_chk()
3138 sa->sin_family = AF_INET; in ipfw_chk()
3139 sa->sin_len = sizeof(*sa); in ipfw_chk()
3140 sa->sin_addr.s_addr = htonl( in ipfw_chk()
3145 args->flags |= IPFW_ARGS_NH4PTR; in ipfw_chk()
3146 args->next_hop = sa; in ipfw_chk()
3156 if (args->flags & IPFW_ARGS_ETHER) in ipfw_chk()
3162 sin6 = &(((ipfw_insn_sa6 *)cmd)->sa); in ipfw_chk()
3163 args->flags |= IPFW_ARGS_NH6PTR; in ipfw_chk()
3164 args->next_hop6 = sin6; in ipfw_chk()
3175 args->rule.info = TARG(cmd->arg1, netgraph); in ipfw_chk()
3177 args->rule.info |= IPFW_ONEPASS; in ipfw_chk()
3178 retval = (cmd->opcode == O_NETGRAPH) ? in ipfw_chk()
3188 fib = TARG(cmd->arg1, fib) & 0x7FFF; in ipfw_chk()
3192 args->f_id.fib = fib; /* XXX */ in ipfw_chk()
3200 code = TARG(cmd->arg1, dscp) & 0x3F; in ipfw_chk()
3206 ip->ip_tos = (code << 2) | in ipfw_chk()
3207 (ip->ip_tos & 0x03); in ipfw_chk()
3208 ip->ip_sum = cksum_adjust(ip->ip_sum, in ipfw_chk()
3212 args->f_id.flow_id6 = in ipfw_chk()
3214 args->f_id.flow_id6 |= code << 22; in ipfw_chk()
3217 htonl(args->f_id.flow_id6); in ipfw_chk()
3240 args->rule.info = 0; in ipfw_chk()
3243 if (cmd->arg1 == IP_FW_NAT44_GLOBAL) { in ipfw_chk()
3247 t = ((ipfw_insn_nat *)cmd)->nat; in ipfw_chk()
3249 nat_id = TARG(cmd->arg1, nat); in ipfw_chk()
3250 t = (*lookup_nat_ptr)(&chain->nat, nat_id); in ipfw_chk()
3256 if (cmd->arg1 != IP_FW_TARG) in ipfw_chk()
3257 ((ipfw_insn_nat *)cmd)->nat = t; in ipfw_chk()
3269 ip_off = ntohs(ip->ip_off); in ipfw_chk()
3275 args->m = m = ip_reass(m); in ipfw_chk()
3286 hlen = ip->ip_hl << 2; in ipfw_chk()
3287 ip->ip_sum = 0; in ipfw_chk()
3289 ip->ip_sum = in_cksum_hdr(ip); in ipfw_chk()
3291 ip->ip_sum = in_cksum(m, hlen); in ipfw_chk()
3293 args->rule.info = 0; in ipfw_chk()
3302 args->rule.pkt_mark = ( in ipfw_chk()
3303 (cmd->arg1 == IP_FW_TARG) ? in ipfw_chk()
3305 ((ipfw_insn_u32 *)cmd)->d[0]); in ipfw_chk()
3334 panic("-- unknown opcode %d\n", cmd->opcode); in ipfw_chk()
3340 if (cmd->len & F_NOT) in ipfw_chk()
3344 if (cmd->len & F_OR) in ipfw_chk()
3347 if (!(cmd->len & F_OR)) /* not an OR block, */ in ipfw_chk()
3363 struct ip_fw *rule = chain->map[f_pos]; in ipfw_chk()
3369 (uintptr_t)&args->f_id.src_ip6, in ipfw_chk()
3371 (uintptr_t)&args->f_id.dst_ip6, in ipfw_chk()
3404 if ((error != 0) || (req->newptr == NULL)) in sysctl_ipfw_table_num()
3411 * Switches table namespace between global and per-set.
3423 if ((error != 0) || (req->newptr == NULL)) in sysctl_ipfw_tables_sets()
3479 /* Check user-supplied table count for validness */ in ipfw_init()
3527 LIST_INIT(&chain->nat); in vnet_ipfw_init()
3539 free(chain->map, M_IPFW); in vnet_ipfw_init()
3548 rule->flags |= IPFW_RULE_NOOPT; in vnet_ipfw_init()
3549 rule->cmd_len = 1; in vnet_ipfw_init()
3550 rule->cmd[0].len = 1; in vnet_ipfw_init()
3551 rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY; in vnet_ipfw_init()
3552 chain->default_rule = rule; in vnet_ipfw_init()
3573 * changes in the underlying (per-vnet) variables trigger in vnet_ipfw_init()
3613 for (i = 0; i < chain->n_rules; i++) in vnet_ipfw_uninit()
3614 ipfw_reap_add(chain, &reap, chain->map[i]); in vnet_ipfw_uninit()
3615 free(chain->map, M_IPFW); in vnet_ipfw_uninit()
3677 #define IPFW_MODEVENT_ORDER (SI_ORDER_ANY - 255) /* On boot slot in here. */