4 * Copyright (C) 2001-2005 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
9 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.7 2007/05/01 22:15:00 darrenr Exp $";
25 static char *portcmp[] = { "*", "==", "!=", "<", ">", "<=", ">=", "**", "***" };
28 int intcmp __P((const void *, const void *));
29 static void indent __P((FILE *, int));
30 static void printeq __P((FILE *, char *, int, int, int));
31 static void printipeq __P((FILE *, char *, int, int, int));
32 static void addrule __P((FILE *, frentry_t *));
33 static void printhooks __P((FILE *, int, int, frgroup_t *));
34 static void emitheader __P((frgroup_t *, u_int, u_int));
35 static void emitGroup __P((int, int, void *, frentry_t *, char *,
37 static void emittail __P((void));
38 static void printCgroup __P((int, frentry_t *, mc_t *, char *));
59 static FILE *cfile = NULL;
62 * This is called once per filter rule being loaded to emit data structures
76 if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
78 if ((fr->fr_type == FR_T_IPF) &&
79 ((fr->fr_datype != FRI_NORMAL) || (fr->fr_satype != FRI_NORMAL)))
84 cfile = fopen("ip_rules.c", "w");
90 fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
92 fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
93 fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
94 fprintf(fp, "* to the original author and the contributors.\n");
95 fprintf(fp, "*/\n\n");
97 fprintf(fp, "#include <sys/param.h>\n");
98 fprintf(fp, "#include <sys/types.h>\n");
99 fprintf(fp, "#include <sys/time.h>\n");
100 fprintf(fp, "#include <sys/socket.h>\n");
101 fprintf(fp, "#if (__FreeBSD_version >= 40000)\n");
102 fprintf(fp, "# if defined(_KERNEL)\n");
103 fprintf(fp, "# include <sys/libkern.h>\n");
104 fprintf(fp, "# else\n");
105 fprintf(fp, "# include <sys/unistd.h>\n");
106 fprintf(fp, "# endif\n");
107 fprintf(fp, "#endif\n");
108 fprintf(fp, "#if (__NetBSD_Version__ >= 399000000)\n");
109 fprintf(fp, "#else\n");
110 fprintf(fp, "# if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
111 fprintf(fp, "# include <sys/systm.h>\n");
112 fprintf(fp, "# endif\n");
113 fprintf(fp, "#endif\n");
114 fprintf(fp, "#include <sys/errno.h>\n");
115 fprintf(fp, "#include <sys/param.h>\n");
117 "#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux)\n");
118 fprintf(fp, "# include <sys/mbuf.h>\n");
119 fprintf(fp, "#endif\n");
121 "#if defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
122 fprintf(fp, "# include <sys/sockio.h>\n");
123 fprintf(fp, "#else\n");
124 fprintf(fp, "# include <sys/ioctl.h>\n");
125 fprintf(fp, "#endif /* FreeBSD */\n");
126 fprintf(fp, "#include <net/if.h>\n");
127 fprintf(fp, "#include <netinet/in.h>\n");
128 fprintf(fp, "#include <netinet/in_systm.h>\n");
129 fprintf(fp, "#include <netinet/ip.h>\n");
130 fprintf(fp, "#include <netinet/tcp.h>\n");
131 fprintf(fp, "#include \"netinet/ip_compat.h\"\n");
132 fprintf(fp, "#include \"netinet/ip_fil.h\"\n\n");
133 fprintf(fp, "#include \"netinet/ip_rules.h\"\n\n");
134 fprintf(fp, "#ifndef _KERNEL\n");
135 fprintf(fp, "# include <string.h>\n");
136 fprintf(fp, "#endif /* _KERNEL */\n");
138 fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
142 fr->fr_type |= FR_T_BUILTIN;
146 if (i & -(1 - sizeof(*ulp)))
148 for (i /= sizeof(u_long), ulp = (u_long *)fr; i > 0; i--) {
149 fprintf(fp, "%s%#lx", and, *ulp++);
152 fprintf(fp, "\n};\n");
153 fr->fr_type &= ~FR_T_BUILTIN;
161 static frgroup_t *groups = NULL;
164 static void addrule(fp, fr)
174 f = (frentry_t *)malloc(sizeof(*f));
175 bcopy((char *)fr, (char *)f, sizeof(*fr));
177 f->fr_ipf = (fripf_t *)malloc(sizeof(*f->fr_ipf));
178 bcopy((char *)fr->fr_ipf, (char *)f->fr_ipf,
179 sizeof(*fr->fr_ipf));
183 for (g = groups; g != NULL; g = g->fg_next)
184 if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
185 (g->fg_flags == (f->fr_flags & FR_INOUT)))
189 g = (frgroup_t *)calloc(1, sizeof(*g));
193 bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
195 g->fg_flags = f->fr_flags & FR_INOUT;
198 for (fpp = &g->fg_start; *fpp != NULL; )
199 fpp = &((*fpp)->fr_next);
202 if (fr->fr_dsize > 0) {
204 static u_long ipf%s_rule_data_%s_%u[] = {\n",
205 f->fr_flags & FR_INQUE ? "in" : "out",
206 g->fg_name, g->fg_ref);
210 for (i /= sizeof(u_long); i > 0; i--) {
211 fprintf(fp, "%s%#lx", and, *ulp++);
214 fprintf(fp, "\n};\n");
217 fprintf(fp, "\nstatic u_long %s_rule_%s_%d[] = {\n",
218 f->fr_flags & FR_INQUE ? "in" : "out", g->fg_name, g->fg_ref);
222 if (f->fr_grhead != 0) {
223 for (g = groups; g != NULL; g = g->fg_next)
224 if ((strncmp(g->fg_name, f->fr_grhead,
225 FR_GROUPLEN) == 0) &&
226 g->fg_flags == (f->fr_flags & FR_INOUT))
229 g = (frgroup_t *)calloc(1, sizeof(*g));
233 bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
235 g->fg_flags = f->fr_flags & FR_INOUT;
244 const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;
246 if (i1->n == i2->n) {
247 return i1->c - i2->c;
249 return i2->n - i1->n;
253 static void indent(fp, in)
261 static void printeq(fp, var, m, max, v)
267 fprintf(fp, "%s == %#x) {\n", var, v);
269 fprintf(fp, "(%s & %#x) == %#x) {\n", var, m, v);
273 * Parameters: var - IP# being compared
274 * fl - 0 for positive match, 1 for negative match
276 * v - required address
278 static void printipeq(fp, var, fl, m, v)
284 fprintf(fp, "%s ", var);
286 fprintf(fp, "(%s & %#x) ", var, m);
287 fprintf(fp, "%c", fl ? '!' : '=');
288 fprintf(fp, "= %#x) {\n", v);
292 void emit(num, dir, v, fr)
301 for (g = groups; g != NULL; g = g->fg_next) {
302 if (dir == 0 || dir == -1) {
303 if ((g->fg_flags & FR_INQUE) == 0)
305 for (incnt = 0, f = g->fg_start; f != NULL;
308 emitGroup(num, dir, v, fr, g->fg_name, incnt, 0);
310 if (dir == 1 || dir == -1) {
311 if ((g->fg_flags & FR_OUTQUE) == 0)
313 for (outcnt = 0, f = g->fg_start; f != NULL;
316 emitGroup(num, dir, v, fr, g->fg_name, 0, outcnt);
320 if (num == -1 && dir == -1) {
321 for (g = groups; g != NULL; g = g->fg_next) {
322 if ((g->fg_flags & FR_INQUE) != 0) {
323 for (incnt = 0, f = g->fg_start; f != NULL;
327 emitheader(g, incnt, 0);
329 if ((g->fg_flags & FR_OUTQUE) != 0) {
330 for (outcnt = 0, f = g->fg_start; f != NULL;
334 emitheader(g, 0, outcnt);
338 fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n");
344 static void emitheader(grp, incount, outcount)
346 u_int incount, outcount;
348 static FILE *fph = NULL;
352 fph = fopen("ip_rules.h", "w");
356 fprintf(fph, "extern int ipfrule_add __P((void));\n");
357 fprintf(fph, "extern int ipfrule_remove __P((void));\n");
360 printhooks(cfile, incount, outcount, grp);
364 extern frentry_t *ipfrule_match_in_%s __P((fr_info_t *, u_32_t *));\n\
365 extern frentry_t *ipf_rules_in_%s[%d];\n",
366 grp->fg_name, grp->fg_name, incount);
368 for (g = groups; g != grp; g = g->fg_next)
369 if ((strncmp(g->fg_name, grp->fg_name,
370 FR_GROUPLEN) == 0) &&
371 g->fg_flags == grp->fg_flags)
375 extern int ipfrule_add_in_%s __P((void));\n\
376 extern int ipfrule_remove_in_%s __P((void));\n", grp->fg_name, grp->fg_name);
381 extern frentry_t *ipfrule_match_out_%s __P((fr_info_t *, u_32_t *));\n\
382 extern frentry_t *ipf_rules_out_%s[%d];\n",
383 grp->fg_name, grp->fg_name, outcount);
385 for (g = groups; g != grp; g = g->fg_next)
386 if ((strncmp(g->fg_name, grp->fg_name,
387 FR_GROUPLEN) == 0) &&
388 g->fg_flags == grp->fg_flags)
392 extern int ipfrule_add_out_%s __P((void));\n\
393 extern int ipfrule_remove_out_%s __P((void));\n",
394 grp->fg_name, grp->fg_name);
399 static void emittail()
408 for (g = groups; g != NULL; g = g->fg_next)
410 err = ipfrule_add_%s_%s();\n\
413 (g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
420 int ipfrule_remove()\n\
424 for (g = groups; g != NULL; g = g->fg_next)
426 err = ipfrule_remove_%s_%s();\n\
429 (g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
432 fprintf(cfile, "}\n");
436 static void emitGroup(num, dir, v, fr, group, incount, outcount)
441 u_int incount, outcount;
443 static FILE *fp = NULL;
444 static int header[2] = { 0, 0 };
445 static char egroup[FR_GROUPLEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
446 static int openfunc = 0;
447 static mc_t *n = NULL;
459 if (strncmp(egroup, group, FR_GROUPLEN)) {
460 for (sin--; sin > 0; sin--) {
465 fprintf(fp, "\treturn fr;\n}\n");
475 strncpy(egroup, group, FR_GROUPLEN);
476 } else if (openfunc == 1 && num < 0) {
481 for (sin--; sin > 0; sin--) {
486 fprintf(fp, "\treturn fr;\n}\n");
494 for (g = groups; g != NULL; g = g->fg_next) {
495 if (dir == 0 && (g->fg_flags & FR_INQUE) == 0)
497 else if (dir == 1 && (g->fg_flags & FR_OUTQUE) == 0)
499 if (strncmp(g->fg_name, group, FR_GROUPLEN) != 0)
505 * Output the array of pointers to rules for this group.
507 if (g != NULL && num == -2 && dir == 0 && header[0] == 0 &&
509 fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {",
511 for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
512 if ((f->fr_flags & FR_INQUE) == 0)
518 "(frentry_t *)&in_rule_%s_%d",
524 fprintf(fp, "\n};\n");
527 if (g != NULL && num == -2 && dir == 1 && header[0] == 0 &&
529 fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {",
531 for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
532 if ((f->fr_flags & FR_OUTQUE) == 0)
538 "(frentry_t *)&out_rule_%s_%d",
540 if (i + 1 < outcount)
544 fprintf(fp, "\n};\n");
555 * If the function header has not been printed then print it now.
557 if (g != NULL && header[dir] == 0) {
558 int pdst = 0, psrc = 0;
561 fprintf(fp, "\nfrentry_t *ipfrule_match_%s_%s(fin, passp)\n",
562 (dir == 0) ? "in" : "out", group);
563 fprintf(fp, "fr_info_t *fin;\n");
564 fprintf(fp, "u_32_t *passp;\n");
566 fprintf(fp, "\tfrentry_t *fr = NULL;\n");
569 * Print out any variables that need to be declared.
571 for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
572 if (incount + outcount > m[FRC_SRC].e + 1)
574 if (incount + outcount > m[FRC_DST].e + 1)
578 fprintf(fp, "\tu_32_t src = ntohl(%s);\n",
579 "fin->fin_fi.fi_saddr");
581 fprintf(fp, "\tu_32_t dst = ntohl(%s);\n",
582 "fin->fin_fi.fi_daddr");
585 for (i = 0; i < FRC_MAX; i++) {
593 if (ipf != NULL && ipf->fri_mip.fi_v != 0)
597 if (ipf != NULL && ipf->fri_mip.fi_flx != 0)
601 if (ipf != NULL && ipf->fri_mip.fi_p != 0)
605 if (ipf != NULL && ipf->fri_mip.fi_ttl != 0)
609 if (ipf != NULL && ipf->fri_mip.fi_tos != 0)
615 if ((ipf->fri_ip.fi_p == IPPROTO_TCP) &&
622 if (fr->fr_scmp == FR_INRANGE)
624 else if (fr->fr_scmp == FR_OUTRANGE)
626 else if (fr->fr_scmp != 0)
632 if (fr->fr_dcmp == FR_INRANGE)
634 else if (fr->fr_dcmp == FR_OUTRANGE)
636 else if (fr->fr_dcmp != 0)
642 if (fr->fr_satype == FRI_LOOKUP) {
644 } else if ((fr->fr_smask != 0) ||
645 (fr->fr_flags & FR_NOTSRCIP) != 0)
651 if (fr->fr_datype == FRI_LOOKUP) {
653 } else if ((fr->fr_dmask != 0) ||
654 (fr->fr_flags & FR_NOTDSTIP) != 0)
660 if (fr->fr_optmask != 0)
666 if (fr->fr_secmask != 0)
672 if (fr->fr_authmask != 0)
678 if ((fr->fr_icmpm & 0xff00) != 0)
684 if ((fr->fr_icmpm & 0xff) != 0)
696 qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
700 * Calculate the indentation interval upto the last common
701 * common comparison being made.
703 for (i = 0, in = 1; i < FRC_MAX; i++) {
704 if (n[i].c != m[i].c)
706 if (n[i].s != m[i].s)
709 if (n[i].n && (n[i].n > n[i].e)) {
721 for (j = sin - 1; j >= in; j--) {
732 * print out C code that implements a filter rule.
734 for (; i < FRC_MAX; i++) {
740 fprintf(fp, "if (fin->fin_ifp == ");
741 fprintf(fp, "ipf_rules_%s_%s[%d]->fr_ifa) {\n",
742 dir ? "out" : "in", group, num);
749 fprintf(fp, "if (fin->fin_v == %d) {\n",
758 printeq(fp, "fin->fin_flx",
759 ipf->fri_mip.fi_flx, 0xf,
767 fprintf(fp, "if (fin->fin_p == %d) {\n",
776 printeq(fp, "fin->fin_ttl",
777 ipf->fri_mip.fi_ttl, 0xff,
785 fprintf(fp, "if (fin->fin_tos");
786 printeq(fp, "fin->fin_tos",
787 ipf->fri_mip.fi_tos, 0xff,
796 printeq(fp, "fin->fin_tcpf", fr->fr_tcpfm,
804 if (fr->fr_scmp == FR_INRANGE) {
806 fprintf(fp, "if ((fin->fin_data[0] > %d) && ",
808 fprintf(fp, "(fin->fin_data[0] < %d)",
810 fprintf(fp, ") {\n");
812 } else if (fr->fr_scmp == FR_OUTRANGE) {
814 fprintf(fp, "if ((fin->fin_data[0] < %d) || ",
816 fprintf(fp, "(fin->fin_data[0] > %d)",
818 fprintf(fp, ") {\n");
820 } else if (fr->fr_scmp) {
822 fprintf(fp, "if (fin->fin_data[0] %s %d)",
823 portcmp[fr->fr_scmp], fr->fr_sport);
831 if (fr->fr_dcmp == FR_INRANGE) {
833 fprintf(fp, "if ((fin->fin_data[1] > %d) && ",
835 fprintf(fp, "(fin->fin_data[1] < %d)",
837 fprintf(fp, ") {\n");
839 } else if (fr->fr_dcmp == FR_OUTRANGE) {
841 fprintf(fp, "if ((fin->fin_data[1] < %d) || ",
843 fprintf(fp, "(fin->fin_data[1] > %d)",
845 fprintf(fp, ") {\n");
847 } else if (fr->fr_dcmp) {
849 fprintf(fp, "if (fin->fin_data[1] %s %d)",
850 portcmp[fr->fr_dcmp], fr->fr_dport);
858 if (fr->fr_satype == FRI_LOOKUP) {
860 } else if ((fr->fr_smask != 0) ||
861 (fr->fr_flags & FR_NOTSRCIP) != 0) {
865 fr->fr_flags & FR_NOTSRCIP,
866 fr->fr_smask, fr->fr_saddr);
873 if (fr->fr_datype == FRI_LOOKUP) {
875 } else if ((fr->fr_dmask != 0) ||
876 (fr->fr_flags & FR_NOTDSTIP) != 0) {
880 fr->fr_flags & FR_NOTDSTIP,
881 fr->fr_dmask, fr->fr_daddr);
889 printeq(fp, "fin->fin_fi.fi_optmsk",
890 fr->fr_optmask, 0xffffffff,
899 printeq(fp, "fin->fin_fi.fi_secmsk",
900 fr->fr_secmask, 0xffff,
909 printeq(fp, "fin->fin_fi.fi_authmsk",
910 fr->fr_authmask, 0xffff,
919 printeq(fp, "fin->fin_data[0]",
920 fr->fr_icmpm & 0xff00, 0xffff,
921 fr->fr_icmp & 0xff00);
929 printeq(fp, "fin->fin_data[0]",
930 fr->fr_icmpm & 0xff, 0xffff,
940 if (fr->fr_flags & FR_QUICK) {
941 fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n",
942 fr->fr_flags & FR_INQUE ? "in" : "out",
945 fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n",
946 fr->fr_flags & FR_INQUE ? "in" : "out",
950 n = (mc_t *)malloc(sizeof(*n) * FRC_MAX);
951 bcopy((char *)m, (char *)n, sizeof(*n) * FRC_MAX);
959 static mc_t *m = NULL;
963 m = (mc_t *)calloc(1, sizeof(*m) * FRC_MAX);
965 for (g = groups; g != NULL; g = g->fg_next) {
966 if ((dir == 0) && ((g->fg_flags & FR_INQUE) != 0))
967 printCgroup(dir, g->fg_start, m, g->fg_name);
968 if ((dir == 1) && ((g->fg_flags & FR_OUTQUE) != 0))
969 printCgroup(dir, g->fg_start, m, g->fg_name);
972 emit(-1, dir, m, NULL);
977 * Now print out code to implement all of the rules.
979 static void printCgroup(dir, top, m, group)
989 for (count = 0, fr1 = top; fr1 != NULL; fr1 = fr1->fr_next) {
990 if ((dir == 0) && ((fr1->fr_flags & FR_INQUE) != 0))
992 else if ((dir == 1) && ((fr1->fr_flags & FR_OUTQUE) != 0))
997 emitGroup(-2, dir, m, fr1, group, count, 0);
999 emitGroup(-2, dir, m, fr1, group, 0, count);
1002 * Before printing each rule, check to see how many of its fields are
1003 * matched by subsequent rules.
1005 for (fr1 = top, rn = 0; fr1 != NULL; fr1 = fr1->fr_next, rn++) {
1006 if (!dir && !(fr1->fr_flags & FR_INQUE))
1008 if (dir && !(fr1->fr_flags & FR_OUTQUE))
1012 for (i = 0; i < FRC_MAX; i++)
1014 qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
1016 for (i = 0; i < FRC_MAX; i++) {
1023 for (fr = fr1->fr_next; fr; fr = fr->fr_next) {
1024 if (!dir && !(fr->fr_flags & FR_INQUE))
1026 if (dir && !(fr->fr_flags & FR_OUTQUE))
1030 !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
1036 if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
1043 (fr->fr_type == fr1->fr_type) &&
1044 (fr->fr_type == FR_T_IPF) &&
1045 (fr1->fr_mip.fi_flx == fr->fr_mip.fi_flx) &&
1046 (fr1->fr_ip.fi_flx == fr->fr_ip.fi_flx)) {
1053 (fr->fr_type == fr1->fr_type) &&
1054 (fr->fr_type == FR_T_IPF) &&
1055 (fr1->fr_proto == fr->fr_proto)) {
1062 (fr->fr_type == fr1->fr_type) &&
1063 (fr->fr_type == FR_T_IPF) &&
1064 (fr1->fr_ttl == fr->fr_ttl)) {
1071 (fr->fr_type == fr1->fr_type) &&
1072 (fr->fr_type == FR_T_IPF) &&
1073 (fr1->fr_tos == fr->fr_tos)) {
1080 (fr->fr_type == fr1->fr_type) &&
1081 (fr->fr_type == FR_T_IPF) &&
1082 ((fr1->fr_tcpfm == fr->fr_tcpfm) &&
1083 (fr1->fr_tcpf == fr->fr_tcpf))) {
1090 (fr->fr_type == fr1->fr_type) &&
1091 (fr->fr_type == FR_T_IPF) &&
1092 ((fr1->fr_scmp == fr->fr_scmp) &&
1093 (fr1->fr_stop == fr->fr_stop) &&
1094 (fr1->fr_sport == fr->fr_sport))) {
1101 (fr->fr_type == fr1->fr_type) &&
1102 (fr->fr_type == FR_T_IPF) &&
1103 ((fr1->fr_dcmp == fr->fr_dcmp) &&
1104 (fr1->fr_dtop == fr->fr_dtop) &&
1105 (fr1->fr_dport == fr->fr_dport))) {
1112 (fr->fr_type == fr1->fr_type) &&
1113 (fr->fr_type == FR_T_IPF) &&
1114 ((fr1->fr_satype == FRI_LOOKUP) &&
1115 (fr->fr_satype == FRI_LOOKUP) &&
1116 (fr1->fr_srcnum == fr->fr_srcnum))) {
1119 } else if ((n & 0x0200) &&
1120 (fr->fr_type == fr1->fr_type) &&
1121 (fr->fr_type == FR_T_IPF) &&
1122 (((fr1->fr_flags & FR_NOTSRCIP) ==
1123 (fr->fr_flags & FR_NOTSRCIP)))) {
1124 if ((fr1->fr_smask == fr->fr_smask) &&
1125 (fr1->fr_saddr == fr->fr_saddr))
1129 if (fr1->fr_smask &&
1130 (fr1->fr_saddr & fr1->fr_smask) ==
1131 (fr->fr_saddr & fr1->fr_smask)) {
1140 (fr->fr_type == fr1->fr_type) &&
1141 (fr->fr_type == FR_T_IPF) &&
1142 ((fr1->fr_datype == FRI_LOOKUP) &&
1143 (fr->fr_datype == FRI_LOOKUP) &&
1144 (fr1->fr_dstnum == fr->fr_dstnum))) {
1147 } else if ((n & 0x0400) &&
1148 (fr->fr_type == fr1->fr_type) &&
1149 (fr->fr_type == FR_T_IPF) &&
1150 (((fr1->fr_flags & FR_NOTDSTIP) ==
1151 (fr->fr_flags & FR_NOTDSTIP)))) {
1152 if ((fr1->fr_dmask == fr->fr_dmask) &&
1153 (fr1->fr_daddr == fr->fr_daddr))
1157 if (fr1->fr_dmask &&
1158 (fr1->fr_daddr & fr1->fr_dmask) ==
1159 (fr->fr_daddr & fr1->fr_dmask)) {
1168 (fr->fr_type == fr1->fr_type) &&
1169 (fr->fr_type == FR_T_IPF) &&
1170 (fr1->fr_optmask == fr->fr_optmask) &&
1171 (fr1->fr_optbits == fr->fr_optbits)) {
1178 (fr->fr_type == fr1->fr_type) &&
1179 (fr->fr_type == FR_T_IPF) &&
1180 (fr1->fr_secmask == fr->fr_secmask) &&
1181 (fr1->fr_secbits == fr->fr_secbits)) {
1187 if ((n & 0x10000) &&
1188 (fr->fr_type == fr1->fr_type) &&
1189 (fr->fr_type == FR_T_IPF) &&
1190 (fr1->fr_authmask == fr->fr_authmask) &&
1191 (fr1->fr_authbits == fr->fr_authbits)) {
1197 if ((n & 0x20000) &&
1198 (fr->fr_type == fr1->fr_type) &&
1199 (fr->fr_type == FR_T_IPF) &&
1200 ((fr1->fr_icmpm & 0xff00) ==
1201 (fr->fr_icmpm & 0xff00)) &&
1202 ((fr1->fr_icmp & 0xff00) ==
1203 (fr->fr_icmp & 0xff00))) {
1209 if ((n & 0x40000) &&
1210 (fr->fr_type == fr1->fr_type) &&
1211 (fr->fr_type == FR_T_IPF) &&
1212 ((fr1->fr_icmpm & 0xff) == (fr->fr_icmpm & 0xff)) &&
1213 ((fr1->fr_icmp & 0xff) == (fr->fr_icmp & 0xff))) {
1222 emitGroup(rn, dir, m, fr1, group, count, 0);
1224 emitGroup(rn, dir, m, fr1, group, 0, count);
1228 static void printhooks(fp, in, out, grp)
1239 group = grp->fg_name;
1240 dogrp = *group ? 1 : 0;
1244 "printhooks called with both in and out set\n");
1255 fprintf(fp, "static frentry_t ipfrule_%s_%s;\n", instr, group);
1259 int ipfrule_add_%s_%s()\n", instr, group);
1262 int i, j, err = 0, max;\n\
1271 for (i = 0, fr = grp->fg_start; fr != NULL; i++, fr = fr->fr_next)
1272 if (fr->fr_dsize > 0) {
1274 ipf_rules_%s_%s[%d]->fr_data = &ipf%s_rule_data_%s_%u;\n",
1275 instr, grp->fg_name, i,
1276 instr, grp->fg_name, i);
1279 max = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *);\n\
1280 for (i = 0; i < max; i++) {\n\
1281 fp = ipf_rules_%s_%s[i];\n\
1282 fp->fr_next = NULL;\n", instr, group, instr, group);
1285 for (j = i + 1; j < max; j++)\n\
1286 if (strncmp(fp->fr_group,\n\
1287 ipf_rules_%s_%s[j]->fr_group,\n\
1288 FR_GROUPLEN) == 0) {\n\
1289 fp->fr_next = ipf_rules_%s_%s[j];\n\
1291 }\n", instr, group, instr, group);
1295 if (fp->fr_grhead != 0) {\n\
1296 fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
1299 fp->fr_grp = &fg->fg_start;\n\
1304 fp = &ipfrule_%s_%s;\n", instr, group);
1306 bzero((char *)fp, sizeof(*fp));\n\
1307 fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
1308 fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
1309 fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
1310 (in != 0) ? "IN" : "OUT", instr, group);
1312 fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n",
1317 fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
1318 err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
1320 fprintf(fp, "\treturn err;\n}\n");
1323 int ipfrule_remove_%s_%s()\n", instr, group);
1330 * Try to remove the %sbound rule.\n", instr);
1334 if (ipfrule_%s_%s.fr_ref > 0) {\n", instr, group);
1341 i = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *) - 1;\n\
1342 for (; i >= 0; i--) {\n\
1343 fp = ipf_rules_%s_%s[i];\n\
1344 if (fp->fr_ref > 1) {\n\
1351 err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
1352 (caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
1353 instr, group, instr, group, instr, group);
1359 fprintf(fp, "\treturn err;\n}\n");
projects / FreeBSD / releng / 9.2.git / blob