netpfil/ipfw/ip_fw_table.c

3b3a8eb9SGleb Smirnoff/*-
3b3a8eb9SGleb Smirnoff * Copyright (c) 2004 Ruslan Ermilov and Vsevolod Lobko.
3b3a8eb9SGleb Smirnoff *
3b3a8eb9SGleb Smirnoff * Redistribution and use in source and binary forms, with or without
3b3a8eb9SGleb Smirnoff * modification, are permitted provided that the following conditions
3b3a8eb9SGleb Smirnoff * are met:
3b3a8eb9SGleb Smirnoff * 1. Redistributions of source code must retain the above copyright
3b3a8eb9SGleb Smirnoff *    notice, this list of conditions and the following disclaimer.
3b3a8eb9SGleb Smirnoff * 2. Redistributions in binary form must reproduce the above copyright
3b3a8eb9SGleb Smirnoff *    notice, this list of conditions and the following disclaimer in the
3b3a8eb9SGleb Smirnoff *    documentation and/or other materials provided with the distribution.
3b3a8eb9SGleb Smirnoff *
3b3a8eb9SGleb Smirnoff * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
3b3a8eb9SGleb Smirnoff * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3b3a8eb9SGleb Smirnoff * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
3b3a8eb9SGleb Smirnoff * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
3b3a8eb9SGleb Smirnoff * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
3b3a8eb9SGleb Smirnoff * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
3b3a8eb9SGleb Smirnoff * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3b3a8eb9SGleb Smirnoff * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3b3a8eb9SGleb Smirnoff * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3b3a8eb9SGleb Smirnoff * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3b3a8eb9SGleb Smirnoff * SUCH DAMAGE.
3b3a8eb9SGleb Smirnoff */
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff#include <sys/cdefs.h>
3b3a8eb9SGleb Smirnoff__FBSDID("$FreeBSD$");
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff/*
563b5ab1SAlexander V. Chernikov * Lookup table support for ipfw.
3b3a8eb9SGleb Smirnoff *
ac35ff17SAlexander V. Chernikov * This file contains handlers for all generic tables' operations:
563b5ab1SAlexander V. Chernikov * add/del/flush entries, list/dump tables etc..
3b3a8eb9SGleb Smirnoff *
563b5ab1SAlexander V. Chernikov * Table data modification is protected by both UH and runtimg lock
563b5ab1SAlexander V. Chernikov * while reading configuration/data is protected by UH lock.
563b5ab1SAlexander V. Chernikov *
563b5ab1SAlexander V. Chernikov * Lookup algorithms for all table types are located in ip_fw_table_algo.c
3b3a8eb9SGleb Smirnoff */
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff#include "opt_ipfw.h"
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff#include <sys/param.h>
3b3a8eb9SGleb Smirnoff#include <sys/systm.h>
3b3a8eb9SGleb Smirnoff#include <sys/malloc.h>
3b3a8eb9SGleb Smirnoff#include <sys/kernel.h>
3b3a8eb9SGleb Smirnoff#include <sys/lock.h>
3b3a8eb9SGleb Smirnoff#include <sys/rwlock.h>
3b3a8eb9SGleb Smirnoff#include <sys/socket.h>
f1220db8SAlexander V. Chernikov#include <sys/socketvar.h>
3b3a8eb9SGleb Smirnoff#include <sys/queue.h>
3b3a8eb9SGleb Smirnoff#include <net/if.h>	/* ip_fw.h requires IFNAMSIZ */
3b3a8eb9SGleb Smirnoff#include <net/route.h>
3b3a8eb9SGleb Smirnoff#include <net/vnet.h>
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff#include <netinet/in.h>
3b3a8eb9SGleb Smirnoff#include <netinet/ip_var.h>	/* struct ipfw_rule_ref */
3b3a8eb9SGleb Smirnoff#include <netinet/ip_fw.h>
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff#include <netpfil/ipfw/ip_fw_private.h>
ea761a5dSAlexander V. Chernikov#include <netpfil/ipfw/ip_fw_table.h>
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff /*
b074b7bbSAlexander V. Chernikov * Table has the following `type` concepts:
b074b7bbSAlexander V. Chernikov *
9f7d47b0SAlexander V. Chernikov * `no.type` represents lookup key type (cidr, ifp, uid, etc..)
9f7d47b0SAlexander V. Chernikov * `ta->atype` represents exact lookup algorithm.
b074b7bbSAlexander V. Chernikov *     For example, we can use more efficient search schemes if we plan
b074b7bbSAlexander V. Chernikov *     to use some specific table for storing host-routes only.
9490a627SAlexander V. Chernikov * `ftype` (at the moment )is pure userland field helping to properly
9490a627SAlexander V. Chernikov *     format value data e.g. "value is IPv4 nexthop" or "value is DSCP"
9490a627SAlexander V. Chernikov *     or "value is port".
b074b7bbSAlexander V. Chernikov *
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstruct table_config {
b074b7bbSAlexander V. Chernikov	struct named_object	no;
ac35ff17SAlexander V. Chernikov	uint8_t		vtype;		/* format table type */
b074b7bbSAlexander V. Chernikov	uint8_t		linked;		/* 1 if already linked */
9f7d47b0SAlexander V. Chernikov	uint16_t	spare0;
b074b7bbSAlexander V. Chernikov	uint32_t	count;		/* Number of records */
b074b7bbSAlexander V. Chernikov	char		tablename[64];	/* table name */
9f7d47b0SAlexander V. Chernikov	struct table_algo	*ta;	/* Callbacks for given algo */
9f7d47b0SAlexander V. Chernikov	void		*astate;	/* algorithm state */
9f7d47b0SAlexander V. Chernikov	struct table_info	ti;	/* data to put to table_info */
b074b7bbSAlexander V. Chernikov};
b074b7bbSAlexander V. Chernikov#define	TABLE_SET(set)	((V_fw_tables_sets != 0) ? set : 0)
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikovstruct tables_config {
b074b7bbSAlexander V. Chernikov	struct namedobj_instance	*namehash;
9f7d47b0SAlexander V. Chernikov	int				algo_count;
9f7d47b0SAlexander V. Chernikov	struct table_algo 		*algo[256];
b074b7bbSAlexander V. Chernikov};
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikovstatic struct table_config *find_table(struct namedobj_instance *ni,
b074b7bbSAlexander V. Chernikov    struct tid_info *ti);
b074b7bbSAlexander V. Chernikovstatic struct table_config *alloc_table_config(struct namedobj_instance *ni,
9490a627SAlexander V. Chernikov    struct tid_info *ti, struct table_algo *ta, char *adata);
b074b7bbSAlexander V. Chernikovstatic void free_table_config(struct namedobj_instance *ni,
b074b7bbSAlexander V. Chernikov    struct table_config *tc);
b074b7bbSAlexander V. Chernikovstatic void link_table(struct ip_fw_chain *chain, struct table_config *tc);
b074b7bbSAlexander V. Chernikovstatic void unlink_table(struct ip_fw_chain *chain, struct table_config *tc);
b074b7bbSAlexander V. Chernikovstatic void free_table_state(void **state, void **xstate, uint8_t type);
2d99a349SAlexander V. Chernikovstatic int export_tables(struct ip_fw_chain *ch, ipfw_obj_lheader *olh,
2d99a349SAlexander V. Chernikov    struct sockopt_data *sd);
ac35ff17SAlexander V. Chernikovstatic void export_table_info(struct ip_fw_chain *ch, struct table_config *tc,
ac35ff17SAlexander V. Chernikov    ipfw_xtable_info *i);
f1220db8SAlexander V. Chernikovstatic int dump_table_xentry(void *e, void *arg);
b074b7bbSAlexander V. Chernikov
2d99a349SAlexander V. Chernikovstatic int ipfw_dump_table_v0(struct ip_fw_chain *ch, struct sockopt_data *sd);
2d99a349SAlexander V. Chernikovstatic int ipfw_dump_table_v1(struct ip_fw_chain *ch, struct sockopt_data *sd);
ac35ff17SAlexander V. Chernikovstatic int ipfw_modify_table_v0(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd);
ac35ff17SAlexander V. Chernikovstatic int ipfw_modify_table_v1(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikovstatic int destroy_table(struct ip_fw_chain *ch, struct tid_info *ti);
d3a4f924SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikovstatic struct table_algo *find_table_algo(struct tables_config *tableconf,
9490a627SAlexander V. Chernikov    struct tid_info *ti, char *name);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov#define	CHAIN_TO_TCFG(chain)	((struct tables_config *)(chain)->tblcfg)
b074b7bbSAlexander V. Chernikov#define	CHAIN_TO_NI(chain)	(CHAIN_TO_TCFG(chain)->namehash)
9f7d47b0SAlexander V. Chernikov#define	KIDX_TO_TI(ch, k)	(&(((struct table_info *)(ch)->tablestate)[k]))
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoffint
1832a7b3SAlexander V. Chernikovadd_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
b074b7bbSAlexander V. Chernikov    struct tentry_info *tei)
3b3a8eb9SGleb Smirnoff{
b074b7bbSAlexander V. Chernikov	struct table_config *tc, *tc_new;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov	uint16_t kidx;
9f7d47b0SAlexander V. Chernikov	int error;
9f7d47b0SAlexander V. Chernikov	char ta_buf[128];
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
9f7d47b0SAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/*
9f7d47b0SAlexander V. Chernikov	 * Find and reference existing table.
9f7d47b0SAlexander V. Chernikov	 */
9f7d47b0SAlexander V. Chernikov	ta = NULL;
9f7d47b0SAlexander V. Chernikov	if ((tc = find_table(ni, ti)) != NULL) {
9f7d47b0SAlexander V. Chernikov		/* check table type */
9f7d47b0SAlexander V. Chernikov		if (tc->no.type != ti->type) {
9f7d47b0SAlexander V. Chernikov			IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff			return (EINVAL);
3b3a8eb9SGleb Smirnoff		}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov		/* Reference and unlock */
9f7d47b0SAlexander V. Chernikov		tc->no.refcnt++;
9f7d47b0SAlexander V. Chernikov		ta = tc->ta;
9f7d47b0SAlexander V. Chernikov	}
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	tc_new = NULL;
ac35ff17SAlexander V. Chernikov	if (tc == NULL) {
9f7d47b0SAlexander V. Chernikov		/* Table not found. We have to create new one */
9490a627SAlexander V. Chernikov		if ((ta = find_table_algo(CHAIN_TO_TCFG(ch), ti, NULL)) == NULL)
9f7d47b0SAlexander V. Chernikov			return (ENOTSUP);
3b3a8eb9SGleb Smirnoff
9490a627SAlexander V. Chernikov		tc_new = alloc_table_config(ni, ti, ta, NULL);
9f7d47b0SAlexander V. Chernikov		if (tc_new == NULL)
9f7d47b0SAlexander V. Chernikov			return (ENOMEM);
9f7d47b0SAlexander V. Chernikov	}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	/* Prepare record (allocate memory) */
9f7d47b0SAlexander V. Chernikov	memset(&ta_buf, 0, sizeof(ta_buf));
9f7d47b0SAlexander V. Chernikov	error = ta->prepare_add(tei, &ta_buf);
9f7d47b0SAlexander V. Chernikov	if (error != 0) {
9f7d47b0SAlexander V. Chernikov		if (tc_new != NULL)
9f7d47b0SAlexander V. Chernikov			free_table_config(ni, tc_new);
9f7d47b0SAlexander V. Chernikov		return (error);
3b3a8eb9SGleb Smirnoff	}
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	if (tc == NULL) {
ac35ff17SAlexander V. Chernikov		/* Check if another table has been allocated by other thread */
b074b7bbSAlexander V. Chernikov		if ((tc = find_table(ni, ti)) != NULL) {
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov			/*
9f7d47b0SAlexander V. Chernikov			 * Check if algoritm is the same since we've
9f7d47b0SAlexander V. Chernikov			 * already allocated state using @ta algoritm
9f7d47b0SAlexander V. Chernikov			 * callbacks.
9f7d47b0SAlexander V. Chernikov			 */
9f7d47b0SAlexander V. Chernikov			if (tc->ta != ta) {
b074b7bbSAlexander V. Chernikov				IPFW_UH_WUNLOCK(ch);
ac35ff17SAlexander V. Chernikov				error = EINVAL;
ac35ff17SAlexander V. Chernikov				goto done;
3b3a8eb9SGleb Smirnoff			}
3b3a8eb9SGleb Smirnoff		} else {
ac35ff17SAlexander V. Chernikov			/* Table still does not exists */
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov			/* Allocate table index. */
ac35ff17SAlexander V. Chernikov			if (ipfw_objhash_alloc_idx(ni, &kidx) != 0) {
b074b7bbSAlexander V. Chernikov				/* Index full. */
b074b7bbSAlexander V. Chernikov				IPFW_UH_WUNLOCK(ch);
ac35ff17SAlexander V. Chernikov				printf("Unable to allocate index for table %s"
ac35ff17SAlexander V. Chernikov				    "in set %u. Consider increasing "
b074b7bbSAlexander V. Chernikov				    "net.inet.ip.fw.tables_max",
ac35ff17SAlexander V. Chernikov				    tc_new->no.name, ti->set);
ac35ff17SAlexander V. Chernikov				error = EBUSY;
ac35ff17SAlexander V. Chernikov				goto done;
3b3a8eb9SGleb Smirnoff			}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov			/* Set tc_new to zero not to free it afterwards. */
ac35ff17SAlexander V. Chernikov			tc = tc_new;
ac35ff17SAlexander V. Chernikov			tc_new = NULL;
b074b7bbSAlexander V. Chernikov			/* Save kidx */
b074b7bbSAlexander V. Chernikov			tc->no.kidx = kidx;
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov	} else {
9f7d47b0SAlexander V. Chernikov		/* Drop reference we've used in first search */
9f7d47b0SAlexander V. Chernikov		tc->no.refcnt--;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/* We've got valid table in @tc. Let's add data */
9f7d47b0SAlexander V. Chernikov	kidx = tc->no.kidx;
9f7d47b0SAlexander V. Chernikov	ta = tc->ta;
9f7d47b0SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_WLOCK(ch);
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	if (tc->linked == 0)
b074b7bbSAlexander V. Chernikov		link_table(ch, tc);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	error = ta->add(tc->astate, KIDX_TO_TI(ch, kidx), tei, &ta_buf);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	IPFW_WUNLOCK(ch);
9f7d47b0SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Update number of records. */
ac35ff17SAlexander V. Chernikov	if (error == 0 && (tei->flags & TEI_FLAGS_UPDATED) == 0)
9f7d47b0SAlexander V. Chernikov		tc->count++;
9f7d47b0SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikovdone:
b074b7bbSAlexander V. Chernikov	if (tc_new != NULL)
ac35ff17SAlexander V. Chernikov		free_table_config(ni, tc_new);
ac35ff17SAlexander V. Chernikov	/* Run cleaning callback anyway */
9f7d47b0SAlexander V. Chernikov	ta->flush_entry(tei, &ta_buf);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	return (error);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoffint
1832a7b3SAlexander V. Chernikovdel_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
b074b7bbSAlexander V. Chernikov    struct tentry_info *tei)
3b3a8eb9SGleb Smirnoff{
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov	uint16_t kidx;
9f7d47b0SAlexander V. Chernikov	int error;
9f7d47b0SAlexander V. Chernikov	char ta_buf[128];
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov	if ((tc = find_table(ni, ti)) == NULL) {
9f7d47b0SAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff		return (ESRCH);
3b3a8eb9SGleb Smirnoff	}
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	if (tc->no.type != ti->type) {
9f7d47b0SAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff		return (EINVAL);
3b3a8eb9SGleb Smirnoff	}
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ta = tc->ta;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	memset(&ta_buf, 0, sizeof(ta_buf));
9f7d47b0SAlexander V. Chernikov	if ((error = ta->prepare_del(tei, &ta_buf)) != 0) {
9f7d47b0SAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
9f7d47b0SAlexander V. Chernikov		return (error);
9f7d47b0SAlexander V. Chernikov	}
9f7d47b0SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	kidx = tc->no.kidx;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_WLOCK(ch);
9f7d47b0SAlexander V. Chernikov	error = ta->del(tc->astate, KIDX_TO_TI(ch, kidx), tei, &ta_buf);
3b3a8eb9SGleb Smirnoff	IPFW_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	if (error == 0)
9f7d47b0SAlexander V. Chernikov		tc->count--;
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	ta->flush_entry(tei, &ta_buf);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	return (error);
ac35ff17SAlexander V. Chernikov}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikovint
ac35ff17SAlexander V. Chernikovipfw_modify_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd)
ac35ff17SAlexander V. Chernikov{
ac35ff17SAlexander V. Chernikov	int error;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	switch (op3->version) {
ac35ff17SAlexander V. Chernikov	case 0:
ac35ff17SAlexander V. Chernikov		error = ipfw_modify_table_v0(ch, op3, sd);
ac35ff17SAlexander V. Chernikov		break;
ac35ff17SAlexander V. Chernikov	case 1:
ac35ff17SAlexander V. Chernikov		error = ipfw_modify_table_v1(ch, op3, sd);
ac35ff17SAlexander V. Chernikov		break;
ac35ff17SAlexander V. Chernikov	default:
ac35ff17SAlexander V. Chernikov		error = ENOTSUP;
ac35ff17SAlexander V. Chernikov	}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	return (error);
ac35ff17SAlexander V. Chernikov}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov/*
ac35ff17SAlexander V. Chernikov * Adds or deletes record in table.
ac35ff17SAlexander V. Chernikov * Data layout (v0):
ac35ff17SAlexander V. Chernikov * Request: [ ip_fw3_opheader ipfw_table_xentry ]
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns 0 on success
ac35ff17SAlexander V. Chernikov */
ac35ff17SAlexander V. Chernikovstatic int
ac35ff17SAlexander V. Chernikovipfw_modify_table_v0(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd)
ac35ff17SAlexander V. Chernikov{
ac35ff17SAlexander V. Chernikov	ipfw_table_xentry *xent;
ac35ff17SAlexander V. Chernikov	struct tentry_info tei;
ac35ff17SAlexander V. Chernikov	struct tid_info ti;
ac35ff17SAlexander V. Chernikov	int error, hdrlen, read;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	hdrlen = offsetof(ipfw_table_xentry, k);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Check minimum header size */
ac35ff17SAlexander V. Chernikov	if (sd->valsize < (sizeof(*op3) + hdrlen))
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	read = sizeof(ip_fw3_opheader);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Check if xentry len field is valid */
ac35ff17SAlexander V. Chernikov	xent = (ipfw_table_xentry *)(op3 + 1);
ac35ff17SAlexander V. Chernikov	if (xent->len < hdrlen || xent->len + read > sd->valsize)
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	memset(&tei, 0, sizeof(tei));
ac35ff17SAlexander V. Chernikov	tei.paddr = &xent->k;
ac35ff17SAlexander V. Chernikov	tei.masklen = xent->masklen;
ac35ff17SAlexander V. Chernikov	tei.value = xent->value;
ac35ff17SAlexander V. Chernikov	/* Old requests compability */
ac35ff17SAlexander V. Chernikov	if (xent->type == IPFW_TABLE_CIDR) {
ac35ff17SAlexander V. Chernikov		if (xent->len - hdrlen == sizeof(in_addr_t))
ac35ff17SAlexander V. Chernikov			tei.subtype = AF_INET;
ac35ff17SAlexander V. Chernikov		else
ac35ff17SAlexander V. Chernikov			tei.subtype = AF_INET6;
ac35ff17SAlexander V. Chernikov	}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	memset(&ti, 0, sizeof(ti));
ac35ff17SAlexander V. Chernikov	ti.uidx = xent->tbl;
ac35ff17SAlexander V. Chernikov	ti.type = xent->type;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	error = (op3->opcode == IP_FW_TABLE_XADD) ?
1832a7b3SAlexander V. Chernikov	    add_table_entry(ch, &ti, &tei) :
1832a7b3SAlexander V. Chernikov	    del_table_entry(ch, &ti, &tei);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	return (error);
ac35ff17SAlexander V. Chernikov}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov/*
ac35ff17SAlexander V. Chernikov * Adds or deletes record in table.
ac35ff17SAlexander V. Chernikov * Data layout (v1)(current):
ac35ff17SAlexander V. Chernikov * Request: [ ipfw_obj_header ipfw_obj_tentry ]
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns 0 on success
ac35ff17SAlexander V. Chernikov */
ac35ff17SAlexander V. Chernikovstatic int
ac35ff17SAlexander V. Chernikovipfw_modify_table_v1(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd)
ac35ff17SAlexander V. Chernikov{
ac35ff17SAlexander V. Chernikov	ipfw_obj_tentry *tent;
ac35ff17SAlexander V. Chernikov	ipfw_obj_header *oh;
ac35ff17SAlexander V. Chernikov	struct tentry_info tei;
ac35ff17SAlexander V. Chernikov	struct tid_info ti;
ac35ff17SAlexander V. Chernikov	int error, read;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Check minimum header size */
ac35ff17SAlexander V. Chernikov	if (sd->valsize < (sizeof(*oh) + sizeof(*tent)))
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Check if passed data is too long */
ac35ff17SAlexander V. Chernikov	if (sd->valsize != sd->kavail)
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	oh = (ipfw_obj_header *)sd->kbuf;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Basic length checks for TLVs */
ac35ff17SAlexander V. Chernikov	if (oh->ntlv.head.length != sizeof(oh->ntlv))
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	read = sizeof(*oh);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/* Assume tentry may grow to support larger keys */
ac35ff17SAlexander V. Chernikov	tent = (ipfw_obj_tentry *)(oh + 1);
ac35ff17SAlexander V. Chernikov	if (tent->head.length < sizeof(*tent) ||
ac35ff17SAlexander V. Chernikov	    tent->head.length + read > sd->valsize)
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	memset(&tei, 0, sizeof(tei));
ac35ff17SAlexander V. Chernikov	tei.paddr = &tent->k;
ac35ff17SAlexander V. Chernikov	tei.subtype = tent->subtype;
ac35ff17SAlexander V. Chernikov	tei.masklen = tent->masklen;
ac35ff17SAlexander V. Chernikov	if (tent->flags & IPFW_TF_UPDATE)
ac35ff17SAlexander V. Chernikov		tei.flags |= TEI_FLAGS_UPDATE;
ac35ff17SAlexander V. Chernikov	tei.value = tent->value;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	memset(&ti, 0, sizeof(ti));
ac35ff17SAlexander V. Chernikov	ti.uidx = tent->idx;
ac35ff17SAlexander V. Chernikov	ti.type = oh->ntlv.type;
ac35ff17SAlexander V. Chernikov	ti.tlvs = &oh->ntlv;
ac35ff17SAlexander V. Chernikov	ti.tlen = oh->ntlv.head.length;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	error = (oh->opheader.opcode == IP_FW_TABLE_XADD) ?
1832a7b3SAlexander V. Chernikov	    add_table_entry(ch, &ti, &tei) :
1832a7b3SAlexander V. Chernikov	    del_table_entry(ch, &ti, &tei);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	return (error);
ac35ff17SAlexander V. Chernikov}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikovint
ac35ff17SAlexander V. Chernikovipfw_flush_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd)
ac35ff17SAlexander V. Chernikov{
ac35ff17SAlexander V. Chernikov	int error;
ac35ff17SAlexander V. Chernikov	struct _ipfw_obj_header *oh;
ac35ff17SAlexander V. Chernikov	struct tid_info ti;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	if (sd->valsize != sizeof(*oh))
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	oh = (struct _ipfw_obj_header *)op3;
ac35ff17SAlexander V. Chernikov	objheader_to_ti(oh, &ti);
ac35ff17SAlexander V. Chernikov
1832a7b3SAlexander V. Chernikov	if (op3->opcode == IP_FW_TABLE_XDESTROY)
ac35ff17SAlexander V. Chernikov		error = destroy_table(ch, &ti);
1832a7b3SAlexander V. Chernikov	else if (op3->opcode == IP_FW_TABLE_XFLUSH)
ac35ff17SAlexander V. Chernikov		error = flush_table(ch, &ti);
ac35ff17SAlexander V. Chernikov	else
ac35ff17SAlexander V. Chernikov		return (ENOTSUP);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	return (error);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov/*
9f7d47b0SAlexander V. Chernikov * Flushes all entries in given table.
ac35ff17SAlexander V. Chernikov * Data layout (v0)(current):
ac35ff17SAlexander V. Chernikov * Request: [ ip_fw3_opheader ]
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns 0 on success
b074b7bbSAlexander V. Chernikov */
1832a7b3SAlexander V. Chernikovint
ac35ff17SAlexander V. Chernikovflush_table(struct ip_fw_chain *ch, struct tid_info *ti)
3b3a8eb9SGleb Smirnoff{
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
9f7d47b0SAlexander V. Chernikov	struct table_info ti_old, ti_new, *tablestate;
9f7d47b0SAlexander V. Chernikov	void *astate_old, *astate_new;
b074b7bbSAlexander V. Chernikov	int error;
b074b7bbSAlexander V. Chernikov	uint16_t kidx;
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	/*
9f7d47b0SAlexander V. Chernikov	 * Stage 1: save table algoritm.
b074b7bbSAlexander V. Chernikov	 * Reference found table to ensure it won't disappear.
3b3a8eb9SGleb Smirnoff	 */
b074b7bbSAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov	if ((tc = find_table(ni, ti)) == NULL) {
b074b7bbSAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov		return (ESRCH);
b074b7bbSAlexander V. Chernikov	}
9f7d47b0SAlexander V. Chernikov	ta = tc->ta;
b074b7bbSAlexander V. Chernikov	tc->no.refcnt++;
b074b7bbSAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	/*
9f7d47b0SAlexander V. Chernikov	 * Stage 2: allocate new table instance using same algo.
9490a627SAlexander V. Chernikov	 * TODO: pass startup parametes somehow.
b074b7bbSAlexander V. Chernikov	 */
9f7d47b0SAlexander V. Chernikov	memset(&ti_new, 0, sizeof(struct table_info));
9490a627SAlexander V. Chernikov	if ((error = ta->init(&astate_new, &ti_new, NULL)) != 0) {
b074b7bbSAlexander V. Chernikov		IPFW_UH_WLOCK(ch);
b074b7bbSAlexander V. Chernikov		tc->no.refcnt--;
b074b7bbSAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov		return (error);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/*
b074b7bbSAlexander V. Chernikov	 * Stage 3: swap old state pointers with newly-allocated ones.
b074b7bbSAlexander V. Chernikov	 * Decrease refcount.
b074b7bbSAlexander V. Chernikov	 */
b074b7bbSAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov	kidx = tc->no.kidx;
9f7d47b0SAlexander V. Chernikov	tablestate = (struct table_info *)ch->tablestate;
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	IPFW_WLOCK(ch);
9f7d47b0SAlexander V. Chernikov	ti_old = tablestate[kidx];
9f7d47b0SAlexander V. Chernikov	tablestate[kidx] = ti_new;
9f7d47b0SAlexander V. Chernikov	IPFW_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	astate_old = tc->astate;
9f7d47b0SAlexander V. Chernikov	tc->astate = astate_new;
9f7d47b0SAlexander V. Chernikov	tc->ti = ti_new;
9f7d47b0SAlexander V. Chernikov	tc->count = 0;
b074b7bbSAlexander V. Chernikov	tc->no.refcnt--;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	/*
b074b7bbSAlexander V. Chernikov	 * Stage 4: perform real flush.
b074b7bbSAlexander V. Chernikov	 */
9f7d47b0SAlexander V. Chernikov	ta->destroy(astate_old, &ti_old);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	return (0);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov/*
9f7d47b0SAlexander V. Chernikov * Destroys table specified by @ti.
ac35ff17SAlexander V. Chernikov * Data layout (v0)(current):
ac35ff17SAlexander V. Chernikov * Request: [ ip_fw3_opheader ]
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns 0 on success
b074b7bbSAlexander V. Chernikov */
ac35ff17SAlexander V. Chernikovstatic int
ac35ff17SAlexander V. Chernikovdestroy_table(struct ip_fw_chain *ch, struct tid_info *ti)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov	if ((tc = find_table(ni, ti)) == NULL) {
b074b7bbSAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov		return (ESRCH);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Do not permit destroying referenced tables */
9f7d47b0SAlexander V. Chernikov	if (tc->no.refcnt > 0) {
b074b7bbSAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov		return (EBUSY);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_WLOCK(ch);
b074b7bbSAlexander V. Chernikov	unlink_table(ch, tc);
b074b7bbSAlexander V. Chernikov	IPFW_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/* Free obj index */
ac35ff17SAlexander V. Chernikov	if (ipfw_objhash_free_idx(ni, tc->no.kidx) != 0)
b074b7bbSAlexander V. Chernikov		printf("Error unlinking kidx %d from table %s\n",
b074b7bbSAlexander V. Chernikov		    tc->no.kidx, tc->tablename);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	free_table_config(ni, tc);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	return (0);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikovstatic void
b074b7bbSAlexander V. Chernikovdestroy_table_locked(struct namedobj_instance *ni, struct named_object *no,
b074b7bbSAlexander V. Chernikov    void *arg)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	unlink_table((struct ip_fw_chain *)arg, (struct table_config *)no);
ac35ff17SAlexander V. Chernikov	if (ipfw_objhash_free_idx(ni, no->kidx) != 0)
b074b7bbSAlexander V. Chernikov		printf("Error unlinking kidx %d from table %s\n",
b074b7bbSAlexander V. Chernikov		    no->kidx, no->name);
b074b7bbSAlexander V. Chernikov	free_table_config(ni, (struct table_config *)no);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
3b3a8eb9SGleb Smirnoffvoid
3b3a8eb9SGleb Smirnoffipfw_destroy_tables(struct ip_fw_chain *ch)
3b3a8eb9SGleb Smirnoff{
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	/* Remove all tables from working set */
b074b7bbSAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
b074b7bbSAlexander V. Chernikov	IPFW_WLOCK(ch);
b074b7bbSAlexander V. Chernikov	ipfw_objhash_foreach(CHAIN_TO_NI(ch), destroy_table_locked, ch);
b074b7bbSAlexander V. Chernikov	IPFW_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	/* Free pointers itself */
9f7d47b0SAlexander V. Chernikov	free(ch->tablestate, M_IPFW);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ipfw_table_algo_destroy(ch);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ipfw_objhash_destroy(CHAIN_TO_NI(ch));
b074b7bbSAlexander V. Chernikov	free(CHAIN_TO_TCFG(ch), M_IPFW);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoffint
3b3a8eb9SGleb Smirnoffipfw_init_tables(struct ip_fw_chain *ch)
3b3a8eb9SGleb Smirnoff{
b074b7bbSAlexander V. Chernikov	struct tables_config *tcfg;
b074b7bbSAlexander V. Chernikov
3b3a8eb9SGleb Smirnoff	/* Allocate pointers */
9f7d47b0SAlexander V. Chernikov	ch->tablestate = malloc(V_fw_tables_max * sizeof(struct table_info),
9f7d47b0SAlexander V. Chernikov	    M_IPFW, M_WAITOK | M_ZERO);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	tcfg = malloc(sizeof(struct tables_config), M_IPFW, M_WAITOK | M_ZERO);
b074b7bbSAlexander V. Chernikov	tcfg->namehash = ipfw_objhash_create(V_fw_tables_max);
b074b7bbSAlexander V. Chernikov	ch->tblcfg = tcfg;
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ipfw_table_algo_init(ch);
9f7d47b0SAlexander V. Chernikov
3b3a8eb9SGleb Smirnoff	return (0);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoffint
3b3a8eb9SGleb Smirnoffipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables)
3b3a8eb9SGleb Smirnoff{
3b3a8eb9SGleb Smirnoff	unsigned int ntables_old, tbl;
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
9f7d47b0SAlexander V. Chernikov	void *new_idx, *old_tablestate, *tablestate;
b074b7bbSAlexander V. Chernikov	int new_blocks;
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	/* Check new value for validity */
3b3a8eb9SGleb Smirnoff	if (ntables > IPFW_TABLES_MAX)
3b3a8eb9SGleb Smirnoff		ntables = IPFW_TABLES_MAX;
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	/* Allocate new pointers */
9f7d47b0SAlexander V. Chernikov	tablestate = malloc(ntables * sizeof(struct table_info),
9f7d47b0SAlexander V. Chernikov	    M_IPFW, M_WAITOK | M_ZERO);
9f7d47b0SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ipfw_objhash_bitmap_alloc(ntables, (void *)&new_idx, &new_blocks);
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	tbl = (ntables >= V_fw_tables_max) ? V_fw_tables_max : ntables;
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Temporary restrict decreasing max_tables */
9f7d47b0SAlexander V. Chernikov	if (ntables < V_fw_tables_max) {
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov		/*
9f7d47b0SAlexander V. Chernikov		 * FIXME: Check if we really can shrink
9f7d47b0SAlexander V. Chernikov		 */
9f7d47b0SAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov		return (EINVAL);
b074b7bbSAlexander V. Chernikov	}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	/* Copy table info/indices */
9f7d47b0SAlexander V. Chernikov	memcpy(tablestate, ch->tablestate, sizeof(struct table_info) * tbl);
9f7d47b0SAlexander V. Chernikov	ipfw_objhash_bitmap_merge(ni, &new_idx, &new_blocks);
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	IPFW_WLOCK(ch);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Change pointers */
9f7d47b0SAlexander V. Chernikov	old_tablestate = ch->tablestate;
9f7d47b0SAlexander V. Chernikov	ch->tablestate = tablestate;
9f7d47b0SAlexander V. Chernikov	ipfw_objhash_bitmap_swap(ni, &new_idx, &new_blocks);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	ntables_old = V_fw_tables_max;
3b3a8eb9SGleb Smirnoff	V_fw_tables_max = ntables;
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	IPFW_WUNLOCK(ch);
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	/* Free old pointers */
9f7d47b0SAlexander V. Chernikov	free(old_tablestate, M_IPFW);
b074b7bbSAlexander V. Chernikov	ipfw_objhash_bitmap_free(new_idx, new_blocks);
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	return (0);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoffint
3b3a8eb9SGleb Smirnoffipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
3b3a8eb9SGleb Smirnoff    uint32_t *val)
3b3a8eb9SGleb Smirnoff{
9f7d47b0SAlexander V. Chernikov	struct table_info *ti;
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	ti = &(((struct table_info *)ch->tablestate)[tbl]);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	return (ti->lookup(ti, &addr, sizeof(in_addr_t), val));
3b3a8eb9SGleb Smirnoff}
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikovint
9f7d47b0SAlexander V. Chernikovipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, uint16_t plen,
9f7d47b0SAlexander V. Chernikov    void *paddr, uint32_t *val)
9f7d47b0SAlexander V. Chernikov{
9f7d47b0SAlexander V. Chernikov	struct table_info *ti;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ti = &(((struct table_info *)ch->tablestate)[tbl]);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	return (ti->lookup(ti, paddr, plen, val));
9f7d47b0SAlexander V. Chernikov}
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov/*
9f7d47b0SAlexander V. Chernikov * Info/List/dump support for tables.
9f7d47b0SAlexander V. Chernikov *
9f7d47b0SAlexander V. Chernikov */
9f7d47b0SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov/*
d3a4f924SAlexander V. Chernikov * High-level 'get' cmds sysctl handlers
d3a4f924SAlexander V. Chernikov */
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov/*
d3a4f924SAlexander V. Chernikov * Get buffer size needed to list info for all tables.
ac35ff17SAlexander V. Chernikov * Data layout (v0)(current):
d3a4f924SAlexander V. Chernikov * Request: [ empty ], size = sizeof(ipfw_obj_lheader)
d3a4f924SAlexander V. Chernikov * Reply: [ ipfw_obj_lheader ]
d3a4f924SAlexander V. Chernikov *
d3a4f924SAlexander V. Chernikov * Returns 0 on success
f1220db8SAlexander V. Chernikov */
f1220db8SAlexander V. Chernikovint
2d99a349SAlexander V. Chernikovipfw_listsize_tables(struct ip_fw_chain *ch, struct sockopt_data *sd)
f1220db8SAlexander V. Chernikov{
f1220db8SAlexander V. Chernikov	struct _ipfw_obj_lheader *olh;
f1220db8SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	olh = (struct _ipfw_obj_lheader *)ipfw_get_sopt_header(sd,sizeof(*olh));
2d99a349SAlexander V. Chernikov	if (olh == NULL)
d3a4f924SAlexander V. Chernikov		return (EINVAL);
d3a4f924SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	olh->size = sizeof(*olh); /* Make export_table store needed size */
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	IPFW_UH_RLOCK(ch);
2d99a349SAlexander V. Chernikov	export_tables(ch, olh, sd);
f1220db8SAlexander V. Chernikov	IPFW_UH_RUNLOCK(ch);
f1220db8SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	return (0);
f1220db8SAlexander V. Chernikov}
f1220db8SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov/*
d3a4f924SAlexander V. Chernikov * Lists all tables currently available in kernel.
ac35ff17SAlexander V. Chernikov * Data layout (v0)(current):
d3a4f924SAlexander V. Chernikov * Request: [ ipfw_obj_lheader ], size = ipfw_obj_lheader.size
d3a4f924SAlexander V. Chernikov * Reply: [ ipfw_obj_lheader ipfw_xtable_info x N ]
d3a4f924SAlexander V. Chernikov *
d3a4f924SAlexander V. Chernikov * Returns 0 on success
d3a4f924SAlexander V. Chernikov */
f1220db8SAlexander V. Chernikovint
2d99a349SAlexander V. Chernikovipfw_list_tables(struct ip_fw_chain *ch, struct sockopt_data *sd)
f1220db8SAlexander V. Chernikov{
f1220db8SAlexander V. Chernikov	struct _ipfw_obj_lheader *olh;
d3a4f924SAlexander V. Chernikov	uint32_t sz;
f1220db8SAlexander V. Chernikov	int error;
f1220db8SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	olh = (struct _ipfw_obj_lheader *)ipfw_get_sopt_header(sd,sizeof(*olh));
2d99a349SAlexander V. Chernikov	if (olh == NULL)
d3a4f924SAlexander V. Chernikov		return (EINVAL);
d3a4f924SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	IPFW_UH_RLOCK(ch);
f1220db8SAlexander V. Chernikov	sz = ipfw_objhash_count(CHAIN_TO_NI(ch));
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	if (sd->valsize < sz) {
2d99a349SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
2d99a349SAlexander V. Chernikov		return (ENOMEM);
2d99a349SAlexander V. Chernikov	}
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	error = export_tables(ch, olh, sd);
f1220db8SAlexander V. Chernikov	IPFW_UH_RUNLOCK(ch);
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	return (error);
f1220db8SAlexander V. Chernikov}
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov/*
2d99a349SAlexander V. Chernikov * Store table info to buffer provided by @sd.
ac35ff17SAlexander V. Chernikov * Data layout (v0)(current):
d3a4f924SAlexander V. Chernikov * Request: [ ipfw_obj_header ipfw_xtable_info(empty)]
d3a4f924SAlexander V. Chernikov * Reply: [ ipfw_obj_header ipfw_xtable_info ]
d3a4f924SAlexander V. Chernikov *
d3a4f924SAlexander V. Chernikov * Returns 0 on success.
d3a4f924SAlexander V. Chernikov */
d3a4f924SAlexander V. Chernikovint
2d99a349SAlexander V. Chernikovipfw_describe_table(struct ip_fw_chain *ch, struct sockopt_data *sd)
d3a4f924SAlexander V. Chernikov{
d3a4f924SAlexander V. Chernikov	struct _ipfw_obj_header *oh;
d3a4f924SAlexander V. Chernikov	struct table_config *tc;
d3a4f924SAlexander V. Chernikov	struct tid_info ti;
d3a4f924SAlexander V. Chernikov	size_t sz;
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	sz = sizeof(*oh) + sizeof(ipfw_xtable_info);
2d99a349SAlexander V. Chernikov	oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
2d99a349SAlexander V. Chernikov	if (oh == NULL)
d3a4f924SAlexander V. Chernikov		return (EINVAL);
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	objheader_to_ti(oh, &ti);
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	IPFW_UH_RLOCK(ch);
d3a4f924SAlexander V. Chernikov	if ((tc = find_table(CHAIN_TO_NI(ch), &ti)) == NULL) {
d3a4f924SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
d3a4f924SAlexander V. Chernikov		return (ESRCH);
d3a4f924SAlexander V. Chernikov	}
d3a4f924SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	export_table_info(ch, tc, (ipfw_xtable_info *)(oh + 1));
d3a4f924SAlexander V. Chernikov	IPFW_UH_RUNLOCK(ch);
d3a4f924SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	return (0);
d3a4f924SAlexander V. Chernikov}
d3a4f924SAlexander V. Chernikov
f1220db8SAlexander V. Chernikovstruct dump_args {
f1220db8SAlexander V. Chernikov	struct table_info *ti;
f1220db8SAlexander V. Chernikov	struct table_config *tc;
2d99a349SAlexander V. Chernikov	struct sockopt_data *sd;
f1220db8SAlexander V. Chernikov	uint32_t cnt;
f1220db8SAlexander V. Chernikov	uint16_t uidx;
2d99a349SAlexander V. Chernikov	ipfw_table_entry *ent;
2d99a349SAlexander V. Chernikov	uint32_t size;
f1220db8SAlexander V. Chernikov};
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikovint
2d99a349SAlexander V. Chernikovipfw_dump_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
2d99a349SAlexander V. Chernikov    struct sockopt_data *sd)
f1220db8SAlexander V. Chernikov{
d3a4f924SAlexander V. Chernikov	int error;
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	switch (op3->version) {
d3a4f924SAlexander V. Chernikov	case 0:
2d99a349SAlexander V. Chernikov		error = ipfw_dump_table_v0(ch, sd);
d3a4f924SAlexander V. Chernikov		break;
d3a4f924SAlexander V. Chernikov	case 1:
2d99a349SAlexander V. Chernikov		error = ipfw_dump_table_v1(ch, sd);
d3a4f924SAlexander V. Chernikov		break;
d3a4f924SAlexander V. Chernikov	default:
d3a4f924SAlexander V. Chernikov		error = ENOTSUP;
d3a4f924SAlexander V. Chernikov	}
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	return (error);
d3a4f924SAlexander V. Chernikov}
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov/*
d3a4f924SAlexander V. Chernikov * Dumps all table data
ac35ff17SAlexander V. Chernikov * Data layout (v1)(current):
2d99a349SAlexander V. Chernikov * Request: [ ipfw_obj_header ], size = ipfw_xtable_info.size
2d99a349SAlexander V. Chernikov * Reply: [ ipfw_obj_header ipfw_xtable_info ipfw_table_xentry x N ]
d3a4f924SAlexander V. Chernikov *
d3a4f924SAlexander V. Chernikov * Returns 0 on success
d3a4f924SAlexander V. Chernikov */
d3a4f924SAlexander V. Chernikovstatic int
2d99a349SAlexander V. Chernikovipfw_dump_table_v1(struct ip_fw_chain *ch, struct sockopt_data *sd)
d3a4f924SAlexander V. Chernikov{
f1220db8SAlexander V. Chernikov	struct _ipfw_obj_header *oh;
f1220db8SAlexander V. Chernikov	ipfw_xtable_info *i;
f1220db8SAlexander V. Chernikov	struct tid_info ti;
f1220db8SAlexander V. Chernikov	struct table_config *tc;
f1220db8SAlexander V. Chernikov	struct table_algo *ta;
f1220db8SAlexander V. Chernikov	struct dump_args da;
d3a4f924SAlexander V. Chernikov	uint32_t sz;
f1220db8SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	sz = sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info);
2d99a349SAlexander V. Chernikov	oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
2d99a349SAlexander V. Chernikov	if (oh == NULL)
d3a4f924SAlexander V. Chernikov		return (EINVAL);
d3a4f924SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	i = (ipfw_xtable_info *)(oh + 1);
d3a4f924SAlexander V. Chernikov	objheader_to_ti(oh, &ti);
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	IPFW_UH_RLOCK(ch);
f1220db8SAlexander V. Chernikov	if ((tc = find_table(CHAIN_TO_NI(ch), &ti)) == NULL) {
f1220db8SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
f1220db8SAlexander V. Chernikov		return (ESRCH);
f1220db8SAlexander V. Chernikov	}
ac35ff17SAlexander V. Chernikov	export_table_info(ch, tc, i);
2d99a349SAlexander V. Chernikov	sz = tc->count;
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	if (sd->valsize < sz + tc->count * sizeof(ipfw_table_xentry)) {
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov		/*
2d99a349SAlexander V. Chernikov		 * Submitted buffer size is not enough.
2d99a349SAlexander V. Chernikov		 * WE've already filled in @i structure with
2d99a349SAlexander V. Chernikov		 * relevant table info including size, so we
2d99a349SAlexander V. Chernikov		 * can return. Buffer will be flushed automatically.
2d99a349SAlexander V. Chernikov		 */
f1220db8SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
2d99a349SAlexander V. Chernikov		return (ENOMEM);
f1220db8SAlexander V. Chernikov	}
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	/*
f1220db8SAlexander V. Chernikov	 * Do the actual dump in eXtended format
f1220db8SAlexander V. Chernikov	 */
d3a4f924SAlexander V. Chernikov	memset(&da, 0, sizeof(da));
f1220db8SAlexander V. Chernikov	da.ti = KIDX_TO_TI(ch, tc->no.kidx);
f1220db8SAlexander V. Chernikov	da.tc = tc;
2d99a349SAlexander V. Chernikov	da.sd = sd;
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	ta = tc->ta;
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	ta->foreach(tc->astate, da.ti, dump_table_xentry, &da);
f1220db8SAlexander V. Chernikov	IPFW_UH_RUNLOCK(ch);
f1220db8SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov	return (0);
f1220db8SAlexander V. Chernikov}
f1220db8SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov/*
d3a4f924SAlexander V. Chernikov * Dumps all table data
2d99a349SAlexander V. Chernikov * Data layout (version 0)(legacy):
d3a4f924SAlexander V. Chernikov * Request: [ ipfw_xtable ], size = IP_FW_TABLE_XGETSIZE()
d3a4f924SAlexander V. Chernikov * Reply: [ ipfw_xtable ipfw_table_xentry x N ]
d3a4f924SAlexander V. Chernikov *
d3a4f924SAlexander V. Chernikov * Returns 0 on success
d3a4f924SAlexander V. Chernikov */
d3a4f924SAlexander V. Chernikovstatic int
2d99a349SAlexander V. Chernikovipfw_dump_table_v0(struct ip_fw_chain *ch, struct sockopt_data *sd)
d3a4f924SAlexander V. Chernikov{
d3a4f924SAlexander V. Chernikov	ipfw_xtable *xtbl;
d3a4f924SAlexander V. Chernikov	struct tid_info ti;
d3a4f924SAlexander V. Chernikov	struct table_config *tc;
d3a4f924SAlexander V. Chernikov	struct table_algo *ta;
d3a4f924SAlexander V. Chernikov	struct dump_args da;
d3a4f924SAlexander V. Chernikov	size_t sz;
d3a4f924SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	xtbl = (ipfw_xtable *)ipfw_get_sopt_header(sd, sizeof(ipfw_xtable));
2d99a349SAlexander V. Chernikov	if (xtbl == NULL)
d3a4f924SAlexander V. Chernikov		return (EINVAL);
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	memset(&ti, 0, sizeof(ti));
d3a4f924SAlexander V. Chernikov	ti.uidx = xtbl->tbl;
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	IPFW_UH_RLOCK(ch);
d3a4f924SAlexander V. Chernikov	if ((tc = find_table(CHAIN_TO_NI(ch), &ti)) == NULL) {
d3a4f924SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
d3a4f924SAlexander V. Chernikov		return (0);
d3a4f924SAlexander V. Chernikov	}
d3a4f924SAlexander V. Chernikov	sz = tc->count * sizeof(ipfw_table_xentry) + sizeof(ipfw_xtable);
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	xtbl->cnt = tc->count;
2d99a349SAlexander V. Chernikov	xtbl->size = sz;
2d99a349SAlexander V. Chernikov	xtbl->type = tc->no.type;
2d99a349SAlexander V. Chernikov	xtbl->tbl = ti.uidx;
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	if (sd->valsize < sz) {
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov		/*
2d99a349SAlexander V. Chernikov		 * Submitted buffer size is not enough.
2d99a349SAlexander V. Chernikov		 * WE've already filled in @i structure with
2d99a349SAlexander V. Chernikov		 * relevant table info including size, so we
2d99a349SAlexander V. Chernikov		 * can return. Buffer will be flushed automatically.
2d99a349SAlexander V. Chernikov		 */
d3a4f924SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
2d99a349SAlexander V. Chernikov		return (ENOMEM);
d3a4f924SAlexander V. Chernikov	}
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	/* Do the actual dump in eXtended format */
d3a4f924SAlexander V. Chernikov	memset(&da, 0, sizeof(da));
d3a4f924SAlexander V. Chernikov	da.ti = KIDX_TO_TI(ch, tc->no.kidx);
d3a4f924SAlexander V. Chernikov	da.tc = tc;
2d99a349SAlexander V. Chernikov	da.sd = sd;
2d99a349SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	ta = tc->ta;
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	ta->foreach(tc->astate, da.ti, dump_table_xentry, &da);
d3a4f924SAlexander V. Chernikov	IPFW_UH_RUNLOCK(ch);
d3a4f924SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	return (0);
d3a4f924SAlexander V. Chernikov}
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov/*
9490a627SAlexander V. Chernikov * Creates new table.
ac35ff17SAlexander V. Chernikov * Data layout (v0)(current):
9490a627SAlexander V. Chernikov * Request: [ ipfw_obj_header ipfw_xtable_info ]
9490a627SAlexander V. Chernikov *
9490a627SAlexander V. Chernikov * Returns 0 on success
9490a627SAlexander V. Chernikov */
9490a627SAlexander V. Chernikovint
ac35ff17SAlexander V. Chernikovipfw_create_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
ac35ff17SAlexander V. Chernikov    struct sockopt_data *sd)
9490a627SAlexander V. Chernikov{
9490a627SAlexander V. Chernikov	struct _ipfw_obj_header *oh;
9490a627SAlexander V. Chernikov	ipfw_xtable_info *i;
9490a627SAlexander V. Chernikov	char *tname, *aname;
9490a627SAlexander V. Chernikov	struct tid_info ti;
9490a627SAlexander V. Chernikov	struct namedobj_instance *ni;
9490a627SAlexander V. Chernikov	struct table_config *tc;
9490a627SAlexander V. Chernikov	struct table_algo *ta;
9490a627SAlexander V. Chernikov	uint16_t kidx;
9490a627SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	if (sd->valsize != sizeof(*oh) + sizeof(ipfw_xtable_info))
9490a627SAlexander V. Chernikov		return (EINVAL);
9490a627SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	oh = (struct _ipfw_obj_header *)sd->kbuf;
9490a627SAlexander V. Chernikov	i = (ipfw_xtable_info *)(oh + 1);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	/*
9490a627SAlexander V. Chernikov	 * Verify user-supplied strings.
2d99a349SAlexander V. Chernikov	 * Check for null-terminated/zero-length strings/
9490a627SAlexander V. Chernikov	 */
ac35ff17SAlexander V. Chernikov	tname = oh->ntlv.name;
9490a627SAlexander V. Chernikov	aname = i->algoname;
ac35ff17SAlexander V. Chernikov	if (ipfw_check_table_name(tname) != 0 ||
9490a627SAlexander V. Chernikov	    strnlen(aname, sizeof(i->algoname)) == sizeof(i->algoname))
9490a627SAlexander V. Chernikov		return (EINVAL);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	if (aname[0] == '\0') {
9490a627SAlexander V. Chernikov		/* Use default algorithm */
9490a627SAlexander V. Chernikov		aname = NULL;
9490a627SAlexander V. Chernikov	}
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	objheader_to_ti(oh, &ti);
ac35ff17SAlexander V. Chernikov	ti.type = i->type;
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	IPFW_UH_RLOCK(ch);
9490a627SAlexander V. Chernikov	if ((tc = find_table(ni, &ti)) != NULL) {
9490a627SAlexander V. Chernikov		IPFW_UH_RUNLOCK(ch);
9490a627SAlexander V. Chernikov		return (EEXIST);
9490a627SAlexander V. Chernikov	}
9490a627SAlexander V. Chernikov	ta = find_table_algo(CHAIN_TO_TCFG(ch), &ti, aname);
9490a627SAlexander V. Chernikov	IPFW_UH_RUNLOCK(ch);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	if (ta == NULL)
9490a627SAlexander V. Chernikov		return (ENOTSUP);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	if ((tc = alloc_table_config(ni, &ti, ta, aname)) == NULL)
9490a627SAlexander V. Chernikov		return (ENOMEM);
ac35ff17SAlexander V. Chernikov	/* TODO: move inside alloc_table_config() */
ac35ff17SAlexander V. Chernikov	tc->vtype = i->vtype;
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
ac35ff17SAlexander V. Chernikov	if (ipfw_objhash_alloc_idx(ni, &kidx) != 0) {
9490a627SAlexander V. Chernikov		IPFW_UH_WUNLOCK(ch);
9490a627SAlexander V. Chernikov		printf("Unable to allocate table index for table %s in set %u."
9490a627SAlexander V. Chernikov		    " Consider increasing net.inet.ip.fw.tables_max",
9490a627SAlexander V. Chernikov		    tname, ti.set);
9490a627SAlexander V. Chernikov		free_table_config(ni, tc);
9490a627SAlexander V. Chernikov		return (EBUSY);
9490a627SAlexander V. Chernikov	}
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	tc->no.kidx = kidx;
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	IPFW_WLOCK(ch);
9490a627SAlexander V. Chernikov	link_table(ch, tc);
9490a627SAlexander V. Chernikov	IPFW_WUNLOCK(ch);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	return (0);
9490a627SAlexander V. Chernikov}
9490a627SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikovvoid
d3a4f924SAlexander V. Chernikovobjheader_to_ti(struct _ipfw_obj_header *oh, struct tid_info *ti)
d3a4f924SAlexander V. Chernikov{
d3a4f924SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	memset(ti, 0, sizeof(struct tid_info));
d3a4f924SAlexander V. Chernikov	ti->set = oh->set;
d3a4f924SAlexander V. Chernikov	ti->uidx = oh->idx;
d3a4f924SAlexander V. Chernikov	ti->tlvs = &oh->ntlv;
d3a4f924SAlexander V. Chernikov	ti->tlen = oh->ntlv.head.length;
d3a4f924SAlexander V. Chernikov}
d3a4f924SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikovint
563b5ab1SAlexander V. Chernikovipfw_export_table_ntlv(struct ip_fw_chain *ch, uint16_t kidx,
563b5ab1SAlexander V. Chernikov    struct sockopt_data *sd)
563b5ab1SAlexander V. Chernikov{
563b5ab1SAlexander V. Chernikov	struct namedobj_instance *ni;
563b5ab1SAlexander V. Chernikov	struct named_object *no;
563b5ab1SAlexander V. Chernikov	ipfw_obj_ntlv *ntlv;
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
563b5ab1SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	no = ipfw_objhash_lookup_kidx(ni, kidx);
563b5ab1SAlexander V. Chernikov	KASSERT(no != NULL, ("invalid table kidx passed"));
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov	ntlv = (ipfw_obj_ntlv *)ipfw_get_sopt_space(sd, sizeof(*ntlv));
563b5ab1SAlexander V. Chernikov	if (ntlv == NULL)
563b5ab1SAlexander V. Chernikov		return (ENOMEM);
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov	ntlv->head.type = IPFW_TLV_TBL_NAME;
563b5ab1SAlexander V. Chernikov	ntlv->head.length = sizeof(*ntlv);
563b5ab1SAlexander V. Chernikov	ntlv->idx = no->kidx;
563b5ab1SAlexander V. Chernikov	strlcpy(ntlv->name, no->name, sizeof(ntlv->name));
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov	return (0);
563b5ab1SAlexander V. Chernikov}
563b5ab1SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikovstatic void
ac35ff17SAlexander V. Chernikovexport_table_info(struct ip_fw_chain *ch, struct table_config *tc,
ac35ff17SAlexander V. Chernikov    ipfw_xtable_info *i)
9f7d47b0SAlexander V. Chernikov{
ac35ff17SAlexander V. Chernikov	struct table_info *ti;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	i->type = tc->no.type;
ac35ff17SAlexander V. Chernikov	i->vtype = tc->vtype;
9f7d47b0SAlexander V. Chernikov	i->set = tc->no.set;
9f7d47b0SAlexander V. Chernikov	i->kidx = tc->no.kidx;
9f7d47b0SAlexander V. Chernikov	i->refcnt = tc->no.refcnt;
9f7d47b0SAlexander V. Chernikov	i->count = tc->count;
9f7d47b0SAlexander V. Chernikov	i->size = tc->count * sizeof(ipfw_table_xentry);
f1220db8SAlexander V. Chernikov	i->size += sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info);
9f7d47b0SAlexander V. Chernikov	strlcpy(i->tablename, tc->tablename, sizeof(i->tablename));
ac35ff17SAlexander V. Chernikov	if (tc->ta->print_config != NULL) {
ac35ff17SAlexander V. Chernikov		/* Use algo function to print table config to string */
ac35ff17SAlexander V. Chernikov		ti = KIDX_TO_TI(ch, tc->no.kidx);
ac35ff17SAlexander V. Chernikov		tc->ta->print_config(tc->astate, ti, i->algoname,
ac35ff17SAlexander V. Chernikov		    sizeof(i->algoname));
ac35ff17SAlexander V. Chernikov	} else
ac35ff17SAlexander V. Chernikov		strlcpy(i->algoname, tc->ta->name, sizeof(i->algoname));
9f7d47b0SAlexander V. Chernikov}
9f7d47b0SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikovstruct dump_table_args {
ac35ff17SAlexander V. Chernikov	struct ip_fw_chain *ch;
ac35ff17SAlexander V. Chernikov	struct sockopt_data *sd;
ac35ff17SAlexander V. Chernikov};
ac35ff17SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikovstatic void
9f7d47b0SAlexander V. Chernikovexport_table_internal(struct namedobj_instance *ni, struct named_object *no,
9f7d47b0SAlexander V. Chernikov    void *arg)
3b3a8eb9SGleb Smirnoff{
9f7d47b0SAlexander V. Chernikov	ipfw_xtable_info *i;
ac35ff17SAlexander V. Chernikov	struct dump_table_args *dta;
3b3a8eb9SGleb Smirnoff
ac35ff17SAlexander V. Chernikov	dta = (struct dump_table_args *)arg;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	i = (ipfw_xtable_info *)ipfw_get_sopt_space(dta->sd, sizeof(*i));
2d99a349SAlexander V. Chernikov	KASSERT(i == 0, ("previously checked buffer is not enough"));
9f7d47b0SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	export_table_info(dta->ch, (struct table_config *)no, i);
9f7d47b0SAlexander V. Chernikov}
9f7d47b0SAlexander V. Chernikov
f1220db8SAlexander V. Chernikov/*
f1220db8SAlexander V. Chernikov * Export all tables as ipfw_xtable_info structures to
2d99a349SAlexander V. Chernikov * storage provided by @sd.
f1220db8SAlexander V. Chernikov * Returns 0 on success.
f1220db8SAlexander V. Chernikov */
f1220db8SAlexander V. Chernikovstatic int
2d99a349SAlexander V. Chernikovexport_tables(struct ip_fw_chain *ch, ipfw_obj_lheader *olh,
2d99a349SAlexander V. Chernikov    struct sockopt_data *sd)
9f7d47b0SAlexander V. Chernikov{
9f7d47b0SAlexander V. Chernikov	uint32_t size;
9f7d47b0SAlexander V. Chernikov	uint32_t count;
ac35ff17SAlexander V. Chernikov	struct dump_table_args dta;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	count = ipfw_objhash_count(CHAIN_TO_NI(ch));
9f7d47b0SAlexander V. Chernikov	size = count * sizeof(ipfw_xtable_info) + sizeof(ipfw_obj_lheader);
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	/* Fill in header regadless of buffer size */
f1220db8SAlexander V. Chernikov	olh->count = count;
f1220db8SAlexander V. Chernikov	olh->objsize = sizeof(ipfw_xtable_info);
2d99a349SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	if (size > olh->size) {
2d99a349SAlexander V. Chernikov		/* Store necessary size */
2d99a349SAlexander V. Chernikov		olh->size = size;
9f7d47b0SAlexander V. Chernikov		return (ENOMEM);
f1220db8SAlexander V. Chernikov	}
9f7d47b0SAlexander V. Chernikov	olh->size = size;
2d99a349SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	dta.ch = ch;
ac35ff17SAlexander V. Chernikov	dta.sd = sd;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	ipfw_objhash_foreach(CHAIN_TO_NI(ch), export_table_internal, &dta);
9f7d47b0SAlexander V. Chernikov
3b3a8eb9SGleb Smirnoff	return (0);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoffint
b074b7bbSAlexander V. Chernikovipfw_count_table(struct ip_fw_chain *ch, struct tid_info *ti, uint32_t *cnt)
3b3a8eb9SGleb Smirnoff{
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	if ((tc = find_table(CHAIN_TO_NI(ch), ti)) == NULL)
b074b7bbSAlexander V. Chernikov		return (ESRCH);
9f7d47b0SAlexander V. Chernikov	*cnt = tc->count;
3b3a8eb9SGleb Smirnoff	return (0);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikovint
9f7d47b0SAlexander V. Chernikovipfw_count_xtable(struct ip_fw_chain *ch, struct tid_info *ti, uint32_t *cnt)
3b3a8eb9SGleb Smirnoff{
9f7d47b0SAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	if ((tc = find_table(CHAIN_TO_NI(ch), ti)) == NULL) {
d3a4f924SAlexander V. Chernikov		*cnt = 0;
9f7d47b0SAlexander V. Chernikov		return (0); /* 'table all list' requires success */
d3a4f924SAlexander V. Chernikov	}
9f7d47b0SAlexander V. Chernikov	*cnt = tc->count * sizeof(ipfw_table_xentry);
9f7d47b0SAlexander V. Chernikov	if (tc->count > 0)
9f7d47b0SAlexander V. Chernikov		*cnt += sizeof(ipfw_xtable);
9f7d47b0SAlexander V. Chernikov	return (0);
9f7d47b0SAlexander V. Chernikov}
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikovstatic int
9f7d47b0SAlexander V. Chernikovdump_table_entry(void *e, void *arg)
9f7d47b0SAlexander V. Chernikov{
9f7d47b0SAlexander V. Chernikov	struct dump_args *da;
9f7d47b0SAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
3b3a8eb9SGleb Smirnoff	ipfw_table_entry *ent;
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	da = (struct dump_args *)arg;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	tc = da->tc;
9f7d47b0SAlexander V. Chernikov	ta = tc->ta;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Out of memory, returning */
f1220db8SAlexander V. Chernikov	if (da->cnt == da->size)
3b3a8eb9SGleb Smirnoff		return (1);
f1220db8SAlexander V. Chernikov	ent = da->ent++;
f1220db8SAlexander V. Chernikov	ent->tbl = da->uidx;
f1220db8SAlexander V. Chernikov	da->cnt++;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	return (ta->dump_entry(tc->astate, da->ti, e, ent));
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
f1220db8SAlexander V. Chernikov/*
f1220db8SAlexander V. Chernikov * Dumps table in pre-8.1 legacy format.
f1220db8SAlexander V. Chernikov */
3b3a8eb9SGleb Smirnoffint
f1220db8SAlexander V. Chernikovipfw_dump_table_legacy(struct ip_fw_chain *ch, struct tid_info *ti,
f1220db8SAlexander V. Chernikov    ipfw_table *tbl)
3b3a8eb9SGleb Smirnoff{
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
9f7d47b0SAlexander V. Chernikov	struct dump_args da;
3b3a8eb9SGleb Smirnoff
3b3a8eb9SGleb Smirnoff	tbl->cnt = 0;
3b3a8eb9SGleb Smirnoff
b074b7bbSAlexander V. Chernikov	if ((tc = find_table(CHAIN_TO_NI(ch), ti)) == NULL)
b074b7bbSAlexander V. Chernikov		return (0);	/* XXX: We should return ESRCH */
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ta = tc->ta;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	if (ta->dump_entry == NULL)
9f7d47b0SAlexander V. Chernikov		return (0);	/* Legacy dump support is not necessary */
9f7d47b0SAlexander V. Chernikov
d3a4f924SAlexander V. Chernikov	memset(&da, 0, sizeof(da));
9f7d47b0SAlexander V. Chernikov	da.ti = KIDX_TO_TI(ch, tc->no.kidx);
9f7d47b0SAlexander V. Chernikov	da.tc = tc;
f1220db8SAlexander V. Chernikov	da.ent = &tbl->ent[0];
f1220db8SAlexander V. Chernikov	da.size = tbl->size;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	tbl->cnt = 0;
9f7d47b0SAlexander V. Chernikov	ta->foreach(tc->astate, da.ti, dump_table_entry, &da);
f1220db8SAlexander V. Chernikov	tbl->cnt = da.cnt;
9f7d47b0SAlexander V. Chernikov
3b3a8eb9SGleb Smirnoff	return (0);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
9490a627SAlexander V. Chernikov/*
9490a627SAlexander V. Chernikov * Dumps table entry in eXtended format (current).
9490a627SAlexander V. Chernikov */
3b3a8eb9SGleb Smirnoffstatic int
9f7d47b0SAlexander V. Chernikovdump_table_xentry(void *e, void *arg)
3b3a8eb9SGleb Smirnoff{
9f7d47b0SAlexander V. Chernikov	struct dump_args *da;
9f7d47b0SAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
3b3a8eb9SGleb Smirnoff	ipfw_table_xentry *xent;
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	da = (struct dump_args *)arg;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	tc = da->tc;
9f7d47b0SAlexander V. Chernikov	ta = tc->ta;
9f7d47b0SAlexander V. Chernikov
2d99a349SAlexander V. Chernikov	xent = (ipfw_table_xentry *)ipfw_get_sopt_space(da->sd, sizeof(*xent));
3b3a8eb9SGleb Smirnoff	/* Out of memory, returning */
2d99a349SAlexander V. Chernikov	if (xent == NULL)
3b3a8eb9SGleb Smirnoff		return (1);
3b3a8eb9SGleb Smirnoff	xent->len = sizeof(ipfw_table_xentry);
f1220db8SAlexander V. Chernikov	xent->tbl = da->uidx;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	return (ta->dump_xentry(tc->astate, da->ti, e, xent));
9f7d47b0SAlexander V. Chernikov}
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov/*
9f7d47b0SAlexander V. Chernikov * Table algorithms
9f7d47b0SAlexander V. Chernikov */
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov/*
9490a627SAlexander V. Chernikov * Finds algoritm by index, table type or supplied name
9f7d47b0SAlexander V. Chernikov */
9f7d47b0SAlexander V. Chernikovstatic struct table_algo *
9490a627SAlexander V. Chernikovfind_table_algo(struct tables_config *tcfg, struct tid_info *ti, char *name)
9f7d47b0SAlexander V. Chernikov{
9490a627SAlexander V. Chernikov	int i, l;
9490a627SAlexander V. Chernikov	struct table_algo *ta;
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Search by index */
9f7d47b0SAlexander V. Chernikov	if (ti->atype != 0) {
9f7d47b0SAlexander V. Chernikov		if (ti->atype > tcfg->algo_count)
9f7d47b0SAlexander V. Chernikov			return (NULL);
9f7d47b0SAlexander V. Chernikov		return (tcfg->algo[ti->atype]);
9f7d47b0SAlexander V. Chernikov	}
9f7d47b0SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	/* Search by name if supplied */
9490a627SAlexander V. Chernikov	if (name != NULL) {
9490a627SAlexander V. Chernikov		/* TODO: better search */
9490a627SAlexander V. Chernikov		for (i = 1; i <= tcfg->algo_count; i++) {
9490a627SAlexander V. Chernikov			ta = tcfg->algo[i];
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov			/*
9490a627SAlexander V. Chernikov			 * One can supply additional algorithm
9490a627SAlexander V. Chernikov			 * parameters so we compare only the first word
9490a627SAlexander V. Chernikov			 * of supplied name:
9490a627SAlexander V. Chernikov			 * 'hash_cidr hsize=32'
9490a627SAlexander V. Chernikov			 * '^^^^^^^^^'
9490a627SAlexander V. Chernikov			 *
9490a627SAlexander V. Chernikov			 */
9490a627SAlexander V. Chernikov			l = strlen(ta->name);
9490a627SAlexander V. Chernikov			if (strncmp(name, ta->name, l) == 0) {
9490a627SAlexander V. Chernikov				if (name[l] == '\0' || name[l] == ' ')
9490a627SAlexander V. Chernikov					return (ta);
9490a627SAlexander V. Chernikov			}
9490a627SAlexander V. Chernikov		}
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov		return (NULL);
9490a627SAlexander V. Chernikov	}
9490a627SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Search by type */
9f7d47b0SAlexander V. Chernikov	switch (ti->type) {
3b3a8eb9SGleb Smirnoff	case IPFW_TABLE_CIDR:
9f7d47b0SAlexander V. Chernikov		return (&radix_cidr);
3b3a8eb9SGleb Smirnoff	case IPFW_TABLE_INTERFACE:
9f7d47b0SAlexander V. Chernikov		return (&radix_iface);
3b3a8eb9SGleb Smirnoff	}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	return (NULL);
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikovvoid
9f7d47b0SAlexander V. Chernikovipfw_add_table_algo(struct ip_fw_chain *ch, struct table_algo *ta)
3b3a8eb9SGleb Smirnoff{
9f7d47b0SAlexander V. Chernikov	struct tables_config *tcfg;
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov	tcfg = CHAIN_TO_TCFG(ch);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	KASSERT(tcfg->algo_count < 255, ("Increase algo array size"));
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	tcfg->algo[++tcfg->algo_count] = ta;
9f7d47b0SAlexander V. Chernikov	ta->idx = tcfg->algo_count;
3b3a8eb9SGleb Smirnoff}
3b3a8eb9SGleb Smirnoff
9f7d47b0SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Tables rewriting code
b074b7bbSAlexander V. Chernikov *
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Determine table number and lookup type for @cmd.
b074b7bbSAlexander V. Chernikov * Fill @tbl and @type with appropriate values.
b074b7bbSAlexander V. Chernikov * Returns 0 for relevant opcodes, 1 otherwise.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstatic int
b074b7bbSAlexander V. Chernikovclassify_table_opcode(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	ipfw_insn_if *cmdif;
b074b7bbSAlexander V. Chernikov	int skip;
b074b7bbSAlexander V. Chernikov	uint16_t v;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	skip = 1;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	switch (cmd->opcode) {
b074b7bbSAlexander V. Chernikov	case O_IP_SRC_LOOKUP:
b074b7bbSAlexander V. Chernikov	case O_IP_DST_LOOKUP:
b074b7bbSAlexander V. Chernikov		/* Basic IPv4/IPv6 or u32 lookups */
b074b7bbSAlexander V. Chernikov		*puidx = cmd->arg1;
b074b7bbSAlexander V. Chernikov		/* Assume CIDR by default */
b074b7bbSAlexander V. Chernikov		*ptype = IPFW_TABLE_CIDR;
b074b7bbSAlexander V. Chernikov		skip = 0;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		if (F_LEN(cmd) > F_INSN_SIZE(ipfw_insn_u32)) {
b074b7bbSAlexander V. Chernikov			/*
b074b7bbSAlexander V. Chernikov			 * generic lookup. The key must be
b074b7bbSAlexander V. Chernikov			 * in 32bit big-endian format.
b074b7bbSAlexander V. Chernikov			 */
b074b7bbSAlexander V. Chernikov			v = ((ipfw_insn_u32 *)cmd)->d[1];
b074b7bbSAlexander V. Chernikov			switch (v) {
b074b7bbSAlexander V. Chernikov			case 0:
b074b7bbSAlexander V. Chernikov			case 1:
b074b7bbSAlexander V. Chernikov				/* IPv4 src/dst */
b074b7bbSAlexander V. Chernikov				break;
b074b7bbSAlexander V. Chernikov			case 2:
b074b7bbSAlexander V. Chernikov			case 3:
b074b7bbSAlexander V. Chernikov				/* src/dst port */
b074b7bbSAlexander V. Chernikov				//type = IPFW_TABLE_U16;
b074b7bbSAlexander V. Chernikov				break;
b074b7bbSAlexander V. Chernikov			case 4:
b074b7bbSAlexander V. Chernikov				/* uid/gid */
b074b7bbSAlexander V. Chernikov				//type = IPFW_TABLE_U32;
b074b7bbSAlexander V. Chernikov			case 5:
b074b7bbSAlexander V. Chernikov				//type = IPFW_TABLE_U32;
b074b7bbSAlexander V. Chernikov				/* jid */
b074b7bbSAlexander V. Chernikov			case 6:
b074b7bbSAlexander V. Chernikov				//type = IPFW_TABLE_U16;
b074b7bbSAlexander V. Chernikov				/* dscp */
b074b7bbSAlexander V. Chernikov				break;
b074b7bbSAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov		break;
b074b7bbSAlexander V. Chernikov	case O_XMIT:
b074b7bbSAlexander V. Chernikov	case O_RECV:
b074b7bbSAlexander V. Chernikov	case O_VIA:
b074b7bbSAlexander V. Chernikov		/* Interface table, possibly */
b074b7bbSAlexander V. Chernikov		cmdif = (ipfw_insn_if *)cmd;
b074b7bbSAlexander V. Chernikov		if (cmdif->name[0] != '\1')
b074b7bbSAlexander V. Chernikov			break;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		*ptype = IPFW_TABLE_INTERFACE;
b074b7bbSAlexander V. Chernikov		*puidx = cmdif->p.glob;
b074b7bbSAlexander V. Chernikov		skip = 0;
b074b7bbSAlexander V. Chernikov		break;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	return (skip);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Sets new table value for given opcode.
b074b7bbSAlexander V. Chernikov * Assume the same opcodes as classify_table_opcode()
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstatic void
b074b7bbSAlexander V. Chernikovupdate_table_opcode(ipfw_insn *cmd, uint16_t idx)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	ipfw_insn_if *cmdif;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	switch (cmd->opcode) {
b074b7bbSAlexander V. Chernikov	case O_IP_SRC_LOOKUP:
b074b7bbSAlexander V. Chernikov	case O_IP_DST_LOOKUP:
b074b7bbSAlexander V. Chernikov		/* Basic IPv4/IPv6 or u32 lookups */
b074b7bbSAlexander V. Chernikov		cmd->arg1 = idx;
b074b7bbSAlexander V. Chernikov		break;
b074b7bbSAlexander V. Chernikov	case O_XMIT:
b074b7bbSAlexander V. Chernikov	case O_RECV:
b074b7bbSAlexander V. Chernikov	case O_VIA:
b074b7bbSAlexander V. Chernikov		/* Interface table, possibly */
b074b7bbSAlexander V. Chernikov		cmdif = (ipfw_insn_if *)cmd;
b074b7bbSAlexander V. Chernikov		cmdif->p.glob = idx;
b074b7bbSAlexander V. Chernikov		break;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov/*
ac35ff17SAlexander V. Chernikov * Checks table name for validity.
ac35ff17SAlexander V. Chernikov * Enforce basic length checks, the rest
ac35ff17SAlexander V. Chernikov * should be done in userland.
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns 0 if name is considered valid.
ac35ff17SAlexander V. Chernikov */
ac35ff17SAlexander V. Chernikovint
ac35ff17SAlexander V. Chernikovipfw_check_table_name(char *name)
ac35ff17SAlexander V. Chernikov{
ac35ff17SAlexander V. Chernikov	int nsize;
ac35ff17SAlexander V. Chernikov	ipfw_obj_ntlv *ntlv = NULL;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	nsize = sizeof(ntlv->name);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	if (strnlen(name, nsize) == nsize)
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	if (name[0] == '\0')
ac35ff17SAlexander V. Chernikov		return (EINVAL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	/*
ac35ff17SAlexander V. Chernikov	 * TODO: do some more complicated checks
ac35ff17SAlexander V. Chernikov	 */
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	return (0);
ac35ff17SAlexander V. Chernikov}
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov/*
ac35ff17SAlexander V. Chernikov * Find tablename TLV by @uid.
ac35ff17SAlexander V. Chernikov * Check @tlvs for valid data inside.
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns pointer to found TLV or NULL.
ac35ff17SAlexander V. Chernikov */
ac35ff17SAlexander V. Chernikovstatic ipfw_obj_ntlv *
b074b7bbSAlexander V. Chernikovfind_name_tlv(void *tlvs, int len, uint16_t uidx)
b074b7bbSAlexander V. Chernikov{
9f7d47b0SAlexander V. Chernikov	ipfw_obj_ntlv *ntlv;
b074b7bbSAlexander V. Chernikov	uintptr_t pa, pe;
b074b7bbSAlexander V. Chernikov	int l;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	pa = (uintptr_t)tlvs;
b074b7bbSAlexander V. Chernikov	pe = pa + len;
b074b7bbSAlexander V. Chernikov	l = 0;
b074b7bbSAlexander V. Chernikov	for (; pa < pe; pa += l) {
9f7d47b0SAlexander V. Chernikov		ntlv = (ipfw_obj_ntlv *)pa;
b074b7bbSAlexander V. Chernikov		l = ntlv->head.length;
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov		if (l != sizeof(*ntlv))
ac35ff17SAlexander V. Chernikov			return (NULL);
ac35ff17SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov		if (ntlv->head.type != IPFW_TLV_TBL_NAME)
b074b7bbSAlexander V. Chernikov			continue;
ac35ff17SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		if (ntlv->idx != uidx)
b074b7bbSAlexander V. Chernikov			continue;
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov		if (ipfw_check_table_name(ntlv->name) != 0)
ac35ff17SAlexander V. Chernikov			return (NULL);
ac35ff17SAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov		return (ntlv);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	return (NULL);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov/*
ac35ff17SAlexander V. Chernikov * Finds table config based on either legacy index
ac35ff17SAlexander V. Chernikov * or name in ntlv.
ac35ff17SAlexander V. Chernikov * Note @ti structure contains unchecked data from userland.
ac35ff17SAlexander V. Chernikov *
ac35ff17SAlexander V. Chernikov * Returns pointer to table_config or NULL.
ac35ff17SAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstatic struct table_config *
b074b7bbSAlexander V. Chernikovfind_table(struct namedobj_instance *ni, struct tid_info *ti)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	char *name, bname[16];
b074b7bbSAlexander V. Chernikov	struct named_object *no;
ac35ff17SAlexander V. Chernikov	ipfw_obj_ntlv *ntlv;
ac35ff17SAlexander V. Chernikov	uint32_t set;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	if (ti->tlvs != NULL) {
ac35ff17SAlexander V. Chernikov		ntlv = find_name_tlv(ti->tlvs, ti->tlen, ti->uidx);
ac35ff17SAlexander V. Chernikov		if (ntlv == NULL)
b074b7bbSAlexander V. Chernikov			return (NULL);
ac35ff17SAlexander V. Chernikov		name = ntlv->name;
ac35ff17SAlexander V. Chernikov		set = ntlv->set;
b074b7bbSAlexander V. Chernikov	} else {
b074b7bbSAlexander V. Chernikov		snprintf(bname, sizeof(bname), "%d", ti->uidx);
b074b7bbSAlexander V. Chernikov		name = bname;
ac35ff17SAlexander V. Chernikov		set = 0;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov	no = ipfw_objhash_lookup_name(ni, set, name);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	return ((struct table_config *)no);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikovstatic struct table_config *
9f7d47b0SAlexander V. Chernikovalloc_table_config(struct namedobj_instance *ni, struct tid_info *ti,
9490a627SAlexander V. Chernikov    struct table_algo *ta, char *aname)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	char *name, bname[16];
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
b074b7bbSAlexander V. Chernikov	int error;
ac35ff17SAlexander V. Chernikov	ipfw_obj_ntlv *ntlv;
ac35ff17SAlexander V. Chernikov	uint32_t set;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	if (ti->tlvs != NULL) {
ac35ff17SAlexander V. Chernikov		ntlv = find_name_tlv(ti->tlvs, ti->tlen, ti->uidx);
ac35ff17SAlexander V. Chernikov		if (ntlv == NULL)
b074b7bbSAlexander V. Chernikov			return (NULL);
ac35ff17SAlexander V. Chernikov		name = ntlv->name;
ac35ff17SAlexander V. Chernikov		set = ntlv->set;
b074b7bbSAlexander V. Chernikov	} else {
b074b7bbSAlexander V. Chernikov		snprintf(bname, sizeof(bname), "%d", ti->uidx);
b074b7bbSAlexander V. Chernikov		name = bname;
ac35ff17SAlexander V. Chernikov		set = 0;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	tc = malloc(sizeof(struct table_config), M_IPFW, M_WAITOK | M_ZERO);
b074b7bbSAlexander V. Chernikov	tc->no.name = tc->tablename;
b074b7bbSAlexander V. Chernikov	tc->no.type = ti->type;
ac35ff17SAlexander V. Chernikov	tc->no.set = set;
9f7d47b0SAlexander V. Chernikov	tc->ta = ta;
b074b7bbSAlexander V. Chernikov	strlcpy(tc->tablename, name, sizeof(tc->tablename));
ac35ff17SAlexander V. Chernikov	/* Set default value type to u32 for compability reasons */
ac35ff17SAlexander V. Chernikov	tc->vtype = IPFW_VTYPE_U32;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	if (ti->tlvs == NULL) {
b074b7bbSAlexander V. Chernikov		tc->no.compat = 1;
b074b7bbSAlexander V. Chernikov		tc->no.uidx = ti->uidx;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/* Preallocate data structures for new tables */
9490a627SAlexander V. Chernikov	error = ta->init(&tc->astate, &tc->ti, aname);
b074b7bbSAlexander V. Chernikov	if (error != 0) {
b074b7bbSAlexander V. Chernikov		free(tc, M_IPFW);
b074b7bbSAlexander V. Chernikov		return (NULL);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	return (tc);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikovstatic void
b074b7bbSAlexander V. Chernikovfree_table_config(struct namedobj_instance *ni, struct table_config *tc)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	if (tc->linked == 0)
9f7d47b0SAlexander V. Chernikov		tc->ta->destroy(&tc->astate, &tc->ti);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	free(tc, M_IPFW);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Links @tc to @chain table named instance.
b074b7bbSAlexander V. Chernikov * Sets appropriate type/states in @chain table info.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstatic void
9f7d47b0SAlexander V. Chernikovlink_table(struct ip_fw_chain *ch, struct table_config *tc)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
9f7d47b0SAlexander V. Chernikov	struct table_info *ti;
b074b7bbSAlexander V. Chernikov	uint16_t kidx;
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WLOCK_ASSERT(ch);
9f7d47b0SAlexander V. Chernikov	IPFW_WLOCK_ASSERT(ch);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov	kidx = tc->no.kidx;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ipfw_objhash_add(ni, &tc->no);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ti = KIDX_TO_TI(ch, kidx);
9f7d47b0SAlexander V. Chernikov	*ti = tc->ti;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	tc->linked = 1;
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Unlinks @tc from @chain table named instance.
b074b7bbSAlexander V. Chernikov * Zeroes states in @chain and stores them in @tc.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstatic void
9f7d47b0SAlexander V. Chernikovunlink_table(struct ip_fw_chain *ch, struct table_config *tc)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
9f7d47b0SAlexander V. Chernikov	struct table_info *ti;
b074b7bbSAlexander V. Chernikov	uint16_t kidx;
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WLOCK_ASSERT(ch);
9f7d47b0SAlexander V. Chernikov	IPFW_WLOCK_ASSERT(ch);
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
b074b7bbSAlexander V. Chernikov	kidx = tc->no.kidx;
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	/* Clear state. @ti copy is already saved inside @tc */
b074b7bbSAlexander V. Chernikov	ipfw_objhash_del(ni, &tc->no);
9f7d47b0SAlexander V. Chernikov	ti = KIDX_TO_TI(ch, kidx);
9f7d47b0SAlexander V. Chernikov	memset(ti, 0, sizeof(struct table_info));
b074b7bbSAlexander V. Chernikov	tc->linked = 0;
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Finds named object by @uidx number.
b074b7bbSAlexander V. Chernikov * Refs found object, allocate new index for non-existing object.
9490a627SAlexander V. Chernikov * Fills in @oib with userland/kernel indexes.
9490a627SAlexander V. Chernikov * First free oidx pointer is saved back in @oib.
b074b7bbSAlexander V. Chernikov *
b074b7bbSAlexander V. Chernikov * Returns 0 on success.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovstatic int
9490a627SAlexander V. Chernikovbind_table_rule(struct ip_fw_chain *ch, struct ip_fw *rule,
9490a627SAlexander V. Chernikov    struct rule_check_info *ci, struct obj_idx **oib, struct tid_info *ti)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
9490a627SAlexander V. Chernikov	struct namedobj_instance *ni;
9490a627SAlexander V. Chernikov	struct named_object *no;
9490a627SAlexander V. Chernikov	int error, l, cmdlen;
9490a627SAlexander V. Chernikov	ipfw_insn *cmd;
9490a627SAlexander V. Chernikov	struct obj_idx *pidx, *p;
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	pidx = *oib;
9490a627SAlexander V. Chernikov	l = rule->cmd_len;
9490a627SAlexander V. Chernikov	cmd = rule->cmd;
9490a627SAlexander V. Chernikov	cmdlen = 0;
9490a627SAlexander V. Chernikov	error = 0;
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	IPFW_UH_WLOCK(ch);
9490a627SAlexander V. Chernikov	ni = CHAIN_TO_NI(ch);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
9490a627SAlexander V. Chernikov		cmdlen = F_LEN(cmd);
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov		if (classify_table_opcode(cmd, &ti->uidx, &ti->type) != 0)
9490a627SAlexander V. Chernikov			continue;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		pidx->uidx = ti->uidx;
b074b7bbSAlexander V. Chernikov		pidx->type = ti->type;
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov		if ((tc = find_table(ni, ti)) != NULL) {
9490a627SAlexander V. Chernikov			if (tc->no.type != ti->type) {
9490a627SAlexander V. Chernikov				/* Incompatible types */
9490a627SAlexander V. Chernikov				error = EINVAL;
9490a627SAlexander V. Chernikov				break;
9490a627SAlexander V. Chernikov			}
9f7d47b0SAlexander V. Chernikov
9490a627SAlexander V. Chernikov			/* Reference found table and save kidx */
9490a627SAlexander V. Chernikov			tc->no.refcnt++;
9490a627SAlexander V. Chernikov			pidx->kidx = tc->no.kidx;
9490a627SAlexander V. Chernikov			pidx++;
9490a627SAlexander V. Chernikov			continue;
9490a627SAlexander V. Chernikov		}
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov		/* Table not found. Allocate new index and save for later */
ac35ff17SAlexander V. Chernikov		if (ipfw_objhash_alloc_idx(ni, &pidx->kidx) != 0) {
ac35ff17SAlexander V. Chernikov			printf("Unable to allocate table %s index in set %u."
b074b7bbSAlexander V. Chernikov			    " Consider increasing net.inet.ip.fw.tables_max",
ac35ff17SAlexander V. Chernikov			    "", ti->set);
9490a627SAlexander V. Chernikov			error = EBUSY;
9490a627SAlexander V. Chernikov			break;
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		ci->new_tables++;
9490a627SAlexander V. Chernikov		pidx->new = 1;
9490a627SAlexander V. Chernikov		pidx++;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov	if (error != 0) {
9490a627SAlexander V. Chernikov		/* Unref everything we have already done */
9490a627SAlexander V. Chernikov		for (p = *oib; p < pidx; p++) {
9490a627SAlexander V. Chernikov			if (p->new != 0) {
ac35ff17SAlexander V. Chernikov				ipfw_objhash_free_idx(ni, p->kidx);
9490a627SAlexander V. Chernikov				continue;
9490a627SAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov			/* Find & unref by existing idx */
ac35ff17SAlexander V. Chernikov			no = ipfw_objhash_lookup_kidx(ni, p->kidx);
9490a627SAlexander V. Chernikov			KASSERT(no != NULL, ("Ref'd table %d disappeared",
9490a627SAlexander V. Chernikov			    p->kidx));
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov			no->refcnt--;
9490a627SAlexander V. Chernikov		}
9490a627SAlexander V. Chernikov	}
9490a627SAlexander V. Chernikov	IPFW_UH_WUNLOCK(ch);
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov	*oib = pidx;
9490a627SAlexander V. Chernikov
9490a627SAlexander V. Chernikov	return (error);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Compatibility function for old ipfw(8) binaries.
b074b7bbSAlexander V. Chernikov * Rewrites table kernel indices with userland ones.
b074b7bbSAlexander V. Chernikov * Works for \d+ talbes only (e.g. for tables, converted
b074b7bbSAlexander V. Chernikov * from old numbered system calls).
b074b7bbSAlexander V. Chernikov *
b074b7bbSAlexander V. Chernikov * Returns 0 on success.
b074b7bbSAlexander V. Chernikov * Raises error on any other tables.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovint
b074b7bbSAlexander V. Chernikovipfw_rewrite_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule)
b074b7bbSAlexander V. Chernikov{
1832a7b3SAlexander V. Chernikov	int cmdlen, error, l;
b074b7bbSAlexander V. Chernikov	ipfw_insn *cmd;
1832a7b3SAlexander V. Chernikov	uint16_t kidx, uidx;
b074b7bbSAlexander V. Chernikov	uint8_t type;
b074b7bbSAlexander V. Chernikov	struct named_object *no;
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(chain);
1832a7b3SAlexander V. Chernikov	error = 0;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	l = rule->cmd_len;
b074b7bbSAlexander V. Chernikov	cmd = rule->cmd;
b074b7bbSAlexander V. Chernikov	cmdlen = 0;
b074b7bbSAlexander V. Chernikov	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
b074b7bbSAlexander V. Chernikov		cmdlen = F_LEN(cmd);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		if (classify_table_opcode(cmd, &kidx, &type) != 0)
b074b7bbSAlexander V. Chernikov			continue;
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov		if ((no = ipfw_objhash_lookup_kidx(ni, kidx)) == NULL)
b074b7bbSAlexander V. Chernikov			return (1);
b074b7bbSAlexander V. Chernikov
1832a7b3SAlexander V. Chernikov		uidx = no->uidx;
1832a7b3SAlexander V. Chernikov		if (no->compat == 0) {
b074b7bbSAlexander V. Chernikov
1832a7b3SAlexander V. Chernikov			/*
1832a7b3SAlexander V. Chernikov			 * We are called via legacy opcode.
1832a7b3SAlexander V. Chernikov			 * Save error and show table as fake number
1832a7b3SAlexander V. Chernikov			 * not to make ipfw(8) hang.
1832a7b3SAlexander V. Chernikov			 */
1832a7b3SAlexander V. Chernikov			uidx = 65535;
1832a7b3SAlexander V. Chernikov			error = 2;
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov
1832a7b3SAlexander V. Chernikov		update_table_opcode(cmd, uidx);
1832a7b3SAlexander V. Chernikov	}
1832a7b3SAlexander V. Chernikov
1832a7b3SAlexander V. Chernikov	return (error);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov/*
563b5ab1SAlexander V. Chernikov * Sets every table kidx in @bmask which is used in rule @rule.
563b5ab1SAlexander V. Chernikov *
563b5ab1SAlexander V. Chernikov * Returns number of newly-referenced tables.
563b5ab1SAlexander V. Chernikov */
563b5ab1SAlexander V. Chernikovint
563b5ab1SAlexander V. Chernikovipfw_mark_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule,
563b5ab1SAlexander V. Chernikov    uint32_t *bmask)
563b5ab1SAlexander V. Chernikov{
563b5ab1SAlexander V. Chernikov	int cmdlen, l, count;
563b5ab1SAlexander V. Chernikov	ipfw_insn *cmd;
563b5ab1SAlexander V. Chernikov	uint16_t kidx;
563b5ab1SAlexander V. Chernikov	uint8_t type;
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov	l = rule->cmd_len;
563b5ab1SAlexander V. Chernikov	cmd = rule->cmd;
563b5ab1SAlexander V. Chernikov	cmdlen = 0;
563b5ab1SAlexander V. Chernikov	count = 0;
563b5ab1SAlexander V. Chernikov	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
563b5ab1SAlexander V. Chernikov		cmdlen = F_LEN(cmd);
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov		if (classify_table_opcode(cmd, &kidx, &type) != 0)
563b5ab1SAlexander V. Chernikov			continue;
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov		if ((bmask[kidx / 32] & (1 << (kidx % 32))) == 0)
563b5ab1SAlexander V. Chernikov			count++;
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov		bmask[kidx / 32] |= 1 << (kidx % 32);
563b5ab1SAlexander V. Chernikov	}
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov	return (count);
563b5ab1SAlexander V. Chernikov}
563b5ab1SAlexander V. Chernikov
563b5ab1SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Checks is opcode is referencing table of appropriate type.
b074b7bbSAlexander V. Chernikov * Adds reference count for found table if true.
b074b7bbSAlexander V. Chernikov * Rewrites user-supplied opcode values with kernel ones.
b074b7bbSAlexander V. Chernikov *
b074b7bbSAlexander V. Chernikov * Returns 0 on success and appropriate error code otherwise.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovint
b074b7bbSAlexander V. Chernikovipfw_rewrite_table_uidx(struct ip_fw_chain *chain,
b074b7bbSAlexander V. Chernikov    struct rule_check_info *ci)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	int cmdlen, error, ftype, l;
b074b7bbSAlexander V. Chernikov	ipfw_insn *cmd;
b074b7bbSAlexander V. Chernikov	uint16_t uidx;
b074b7bbSAlexander V. Chernikov	uint8_t type;
b074b7bbSAlexander V. Chernikov	struct table_config *tc;
9f7d47b0SAlexander V. Chernikov	struct table_algo *ta;
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov	struct named_object *no, *no_n, *no_tmp;
9490a627SAlexander V. Chernikov	struct obj_idx *p, *pidx_first, *pidx_last;
b074b7bbSAlexander V. Chernikov	struct namedobjects_head nh;
b074b7bbSAlexander V. Chernikov	struct tid_info ti;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(chain);
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov	/* Prepare queue to store configs */
9490a627SAlexander V. Chernikov	TAILQ_INIT(&nh);
9490a627SAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/*
b074b7bbSAlexander V. Chernikov	 * Prepare an array for storing opcode indices.
b074b7bbSAlexander V. Chernikov	 * Use stack allocation by default.
b074b7bbSAlexander V. Chernikov	 */
b074b7bbSAlexander V. Chernikov	if (ci->table_opcodes <= (sizeof(ci->obuf)/sizeof(ci->obuf[0]))) {
b074b7bbSAlexander V. Chernikov		/* Stack */
9490a627SAlexander V. Chernikov		pidx_first = ci->obuf;
b074b7bbSAlexander V. Chernikov	} else
9490a627SAlexander V. Chernikov		pidx_first = malloc(ci->table_opcodes * sizeof(struct obj_idx),
b074b7bbSAlexander V. Chernikov		    M_IPFW, M_WAITOK | M_ZERO);
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov	pidx_last = pidx_first;
b074b7bbSAlexander V. Chernikov	error = 0;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	type = 0;
b074b7bbSAlexander V. Chernikov	ftype = 0;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	memset(&ti, 0, sizeof(ti));
1832a7b3SAlexander V. Chernikov
1832a7b3SAlexander V. Chernikov	/*
1832a7b3SAlexander V. Chernikov	 * Use default set for looking up tables (old way) or
1832a7b3SAlexander V. Chernikov	 * use set rule is assigned to (new way).
1832a7b3SAlexander V. Chernikov	 */
1832a7b3SAlexander V. Chernikov	ti.set = (V_fw_tables_sets != 0) ? ci->krule->set : 0;
6c2997ffSAlexander V. Chernikov	if (ci->ctlv != NULL) {
6c2997ffSAlexander V. Chernikov		ti.tlvs = (void *)(ci->ctlv + 1);
6c2997ffSAlexander V. Chernikov		ti.tlen = ci->ctlv->head.length - sizeof(ipfw_obj_ctlv);
6c2997ffSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/*
9490a627SAlexander V. Chernikov	 * Stage 1: reference existing tables, determine number
9490a627SAlexander V. Chernikov	 * of tables we need to allocate and allocate indexes for each.
b074b7bbSAlexander V. Chernikov	 */
9490a627SAlexander V. Chernikov	error = bind_table_rule(chain, ci->krule, ci, &pidx_last, &ti);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	if (error != 0) {
9490a627SAlexander V. Chernikov		if (pidx_first != ci->obuf)
9490a627SAlexander V. Chernikov			free(pidx_first, M_IPFW);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		return (error);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/*
b074b7bbSAlexander V. Chernikov	 * Stage 2: allocate table configs for every non-existent table
b074b7bbSAlexander V. Chernikov	 */
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	if (ci->new_tables > 0) {
9490a627SAlexander V. Chernikov		for (p = pidx_first; p < pidx_last; p++) {
b074b7bbSAlexander V. Chernikov			if (p->new == 0)
b074b7bbSAlexander V. Chernikov				continue;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov			ti.uidx = p->uidx;
b074b7bbSAlexander V. Chernikov			ti.type = p->type;
9f7d47b0SAlexander V. Chernikov			ti.atype = 0;
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov			ta = find_table_algo(CHAIN_TO_TCFG(chain), &ti, NULL);
9f7d47b0SAlexander V. Chernikov			if (ta == NULL) {
9f7d47b0SAlexander V. Chernikov				error = ENOTSUP;
9f7d47b0SAlexander V. Chernikov				goto free;
9f7d47b0SAlexander V. Chernikov			}
9490a627SAlexander V. Chernikov			tc = alloc_table_config(ni, &ti, ta, NULL);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov			if (tc == NULL) {
b074b7bbSAlexander V. Chernikov				error = ENOMEM;
b074b7bbSAlexander V. Chernikov				goto free;
b074b7bbSAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov			tc->no.kidx = p->kidx;
b074b7bbSAlexander V. Chernikov			tc->no.refcnt = 1;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov			/* Add to list */
b074b7bbSAlexander V. Chernikov			TAILQ_INSERT_TAIL(&nh, &tc->no, nn_next);
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		/*
b074b7bbSAlexander V. Chernikov		 * Stage 2.1: Check if we're going to create 2 tables
b074b7bbSAlexander V. Chernikov		 * with the same name, but different table types.
b074b7bbSAlexander V. Chernikov		 */
b074b7bbSAlexander V. Chernikov		TAILQ_FOREACH(no, &nh, nn_next) {
b074b7bbSAlexander V. Chernikov			TAILQ_FOREACH(no_tmp, &nh, nn_next) {
9490a627SAlexander V. Chernikov				if (ipfw_objhash_same_name(ni, no, no_tmp) == 0)
b074b7bbSAlexander V. Chernikov					continue;
b074b7bbSAlexander V. Chernikov				if (no->type != no_tmp->type) {
b074b7bbSAlexander V. Chernikov					error = EINVAL;
b074b7bbSAlexander V. Chernikov					goto free;
b074b7bbSAlexander V. Chernikov				}
b074b7bbSAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov		}
9f7d47b0SAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	IPFW_UH_WLOCK(chain);
9f7d47b0SAlexander V. Chernikov
9f7d47b0SAlexander V. Chernikov	if (ci->new_tables > 0) {
b074b7bbSAlexander V. Chernikov		/*
b074b7bbSAlexander V. Chernikov		 * Stage 3: link & reference new table configs
b074b7bbSAlexander V. Chernikov		 */
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		/*
b074b7bbSAlexander V. Chernikov		 * Step 3.1: Check if some tables we need to create have been
b074b7bbSAlexander V. Chernikov		 * already created with different table type.
b074b7bbSAlexander V. Chernikov		 */
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		error = 0;
b074b7bbSAlexander V. Chernikov		TAILQ_FOREACH_SAFE(no, &nh, nn_next, no_tmp) {
b074b7bbSAlexander V. Chernikov			no_n = ipfw_objhash_lookup_name(ni, no->set, no->name);
b074b7bbSAlexander V. Chernikov			if (no_n == NULL)
b074b7bbSAlexander V. Chernikov				continue;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov			if (no_n->type != no->type) {
b074b7bbSAlexander V. Chernikov				error = EINVAL;
b074b7bbSAlexander V. Chernikov				break;
b074b7bbSAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		if (error != 0) {
b074b7bbSAlexander V. Chernikov			/*
b074b7bbSAlexander V. Chernikov			 * Someone has allocated table with different table type.
b074b7bbSAlexander V. Chernikov			 * We have to rollback everything.
b074b7bbSAlexander V. Chernikov			 */
b074b7bbSAlexander V. Chernikov			IPFW_UH_WUNLOCK(chain);
b074b7bbSAlexander V. Chernikov			goto free;
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		/*
9f7d47b0SAlexander V. Chernikov		 * Attach new tables.
9f7d47b0SAlexander V. Chernikov		 * We need to set table pointers for each new table,
b074b7bbSAlexander V. Chernikov		 * so we have to acquire main WLOCK.
b074b7bbSAlexander V. Chernikov		 */
b074b7bbSAlexander V. Chernikov		IPFW_WLOCK(chain);
b074b7bbSAlexander V. Chernikov		TAILQ_FOREACH_SAFE(no, &nh, nn_next, no_tmp) {
b074b7bbSAlexander V. Chernikov			no_n = ipfw_objhash_lookup_name(ni, no->set, no->name);
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov			if (no_n == NULL) {
9490a627SAlexander V. Chernikov				/* New table. Attach to runtime hash */
9490a627SAlexander V. Chernikov				TAILQ_REMOVE(&nh, no, nn_next);
9490a627SAlexander V. Chernikov				link_table(chain, (struct table_config *)no);
b074b7bbSAlexander V. Chernikov				continue;
b074b7bbSAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov			/*
9490a627SAlexander V. Chernikov			 * Newly-allocated table with the same type.
9490a627SAlexander V. Chernikov			 * Reference it and update out @pidx array
9490a627SAlexander V. Chernikov			 * rewrite info.
9490a627SAlexander V. Chernikov			 */
9490a627SAlexander V. Chernikov			no_n->refcnt++;
9490a627SAlexander V. Chernikov			/* Keep oib array in sync: update kidx */
9490a627SAlexander V. Chernikov			for (p = pidx_first; p < pidx_last; p++) {
9490a627SAlexander V. Chernikov				if (p->kidx != no->kidx)
9490a627SAlexander V. Chernikov					continue;
9490a627SAlexander V. Chernikov				/* Update kidx */
9490a627SAlexander V. Chernikov				p->kidx = no_n->kidx;
9490a627SAlexander V. Chernikov				break;
9490a627SAlexander V. Chernikov			}
b074b7bbSAlexander V. Chernikov		}
b074b7bbSAlexander V. Chernikov		IPFW_WUNLOCK(chain);
9f7d47b0SAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/* Perform rule rewrite */
b074b7bbSAlexander V. Chernikov	l = ci->krule->cmd_len;
b074b7bbSAlexander V. Chernikov	cmd = ci->krule->cmd;
b074b7bbSAlexander V. Chernikov	cmdlen = 0;
9490a627SAlexander V. Chernikov	p = pidx_first;
b074b7bbSAlexander V. Chernikov	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
b074b7bbSAlexander V. Chernikov		cmdlen = F_LEN(cmd);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		if (classify_table_opcode(cmd, &uidx, &type) != 0)
b074b7bbSAlexander V. Chernikov			continue;
9490a627SAlexander V. Chernikov		update_table_opcode(cmd, p->kidx);
9490a627SAlexander V. Chernikov		p++;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	IPFW_UH_WUNLOCK(chain);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	error = 0;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	/*
b074b7bbSAlexander V. Chernikov	 * Stage 4: free resources
b074b7bbSAlexander V. Chernikov	 */
b074b7bbSAlexander V. Chernikovfree:
9490a627SAlexander V. Chernikov	if (!TAILQ_EMPTY(&nh)) {
9490a627SAlexander V. Chernikov		/* Free indexes first */
9490a627SAlexander V. Chernikov		IPFW_UH_WLOCK(chain);
9490a627SAlexander V. Chernikov		TAILQ_FOREACH_SAFE(no, &nh, nn_next, no_tmp) {
ac35ff17SAlexander V. Chernikov			ipfw_objhash_free_idx(ni, no->kidx);
9490a627SAlexander V. Chernikov		}
9490a627SAlexander V. Chernikov		IPFW_UH_WUNLOCK(chain);
9490a627SAlexander V. Chernikov		/* Free configs */
b074b7bbSAlexander V. Chernikov		TAILQ_FOREACH_SAFE(no, &nh, nn_next, no_tmp)
b074b7bbSAlexander V. Chernikov			free_table_config(ni, tc);
9490a627SAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov
9490a627SAlexander V. Chernikov	if (pidx_first != ci->obuf)
9490a627SAlexander V. Chernikov		free(pidx_first, M_IPFW);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	return (error);
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Remove references from every table used in @rule.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovvoid
b074b7bbSAlexander V. Chernikovipfw_unbind_table_rule(struct ip_fw_chain *chain, struct ip_fw *rule)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	int cmdlen, l;
b074b7bbSAlexander V. Chernikov	ipfw_insn *cmd;
b074b7bbSAlexander V. Chernikov	struct namedobj_instance *ni;
b074b7bbSAlexander V. Chernikov	struct named_object *no;
b074b7bbSAlexander V. Chernikov	uint16_t kidx;
b074b7bbSAlexander V. Chernikov	uint8_t type;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	ni = CHAIN_TO_NI(chain);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	l = rule->cmd_len;
b074b7bbSAlexander V. Chernikov	cmd = rule->cmd;
b074b7bbSAlexander V. Chernikov	cmdlen = 0;
b074b7bbSAlexander V. Chernikov	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
b074b7bbSAlexander V. Chernikov		cmdlen = F_LEN(cmd);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		if (classify_table_opcode(cmd, &kidx, &type) != 0)
b074b7bbSAlexander V. Chernikov			continue;
b074b7bbSAlexander V. Chernikov
ac35ff17SAlexander V. Chernikov		no = ipfw_objhash_lookup_kidx(ni, kidx);
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		KASSERT(no != NULL, ("table id %d not found", kidx));
b074b7bbSAlexander V. Chernikov		KASSERT(no->type == type, ("wrong type %d (%d) for table id %d",
b074b7bbSAlexander V. Chernikov		    no->type, type, kidx));
b074b7bbSAlexander V. Chernikov		KASSERT(no->refcnt > 0, ("refcount for table %d is %d",
b074b7bbSAlexander V. Chernikov		    kidx, no->refcnt));
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov		no->refcnt--;
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov/*
b074b7bbSAlexander V. Chernikov * Removes table bindings for every rule in rule chain @head.
b074b7bbSAlexander V. Chernikov */
b074b7bbSAlexander V. Chernikovvoid
b074b7bbSAlexander V. Chernikovipfw_unbind_table_list(struct ip_fw_chain *chain, struct ip_fw *head)
b074b7bbSAlexander V. Chernikov{
b074b7bbSAlexander V. Chernikov	struct ip_fw *rule;
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov	while ((rule = head) != NULL) {
b074b7bbSAlexander V. Chernikov		head = head->x_next;
b074b7bbSAlexander V. Chernikov		ipfw_unbind_table_rule(chain, rule);
b074b7bbSAlexander V. Chernikov	}
b074b7bbSAlexander V. Chernikov}
b074b7bbSAlexander V. Chernikov
b074b7bbSAlexander V. Chernikov
3b3a8eb9SGleb Smirnoff/* end of file */