| author | Luigi Rizzo <luigi@FreeBSD.org> | 1999-08-16 17:29:53 +0000 |
|---|---|---|
| committer | Luigi Rizzo <luigi@FreeBSD.org> | 1999-08-16 17:29:53 +0000 |
| commit | 27287164c1a981a5c93ba18f20387800e19672a6 (patch) | |
| tree | b4eca4da8eeb60f3195d0763f9b72d13d2d1cbb5 /sys/netinet | |
| parent | f97401583a271e20545cc426ec8ba7391b75d351 (diff) | |
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_fw.c | 25 | ||||
| -rw-r--r-- | sys/netinet/ip_fw.h | 22 |
2 files changed, 38 insertions, 9 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index d7e3b77391f0..50da4ad21151 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- * $Id: ip_fw.c,v 1.103.2.4 1999/05/24 10:09:21 luigi Exp $
+ * $Id: ip_fw.c,v 1.103.2.5 1999/06/17 13:38:59 ru Exp $
  */
 
 /*
@@ -611,7 +611,7 @@ again:
 
 /* Check protocol; if wildcard, match */
 if (f->fw_prot == IPPROTO_IP)
- goto got_match;
+ goto rnd_then_got_match;
 
 /* If different, don't match */
 if (ip->ip_p != f->fw_prot)
@@ -715,6 +715,10 @@ bogusfrag:
 goto dropit;
 }
 
+rnd_then_got_match:
+ if ( ((struct ip_fw_ext *)f)->dont_match_prob &&
+ random() < ((struct ip_fw_ext *)f)->dont_match_prob )
+ continue ;
 got_match:
 *flow_id = chain ; /* XXX set flow id */
 /* Update statistics */
@@ -870,12 +874,14 @@ static int
 add_entry(struct ip_fw_head *chainptr, struct ip_fw *frwl)
 {
 struct ip_fw *ftmp = 0;
+ struct ip_fw_ext *ftmp_ext = 0
 struct ip_fw_chain *fwc = 0, *fcp, *fcpl = 0;
 u_short nbr = 0;
 int s;
 
 fwc = malloc(sizeof *fwc, M_IPFW, M_DONTWAIT);
- ftmp = malloc(sizeof *ftmp, M_IPFW, M_DONTWAIT);
+ ftmp_ext = malloc(sizeof *ftmp_ext, M_IPFW, M_DONTWAIT);
+ ftmp = &ftmp_ext->rule ;
 if (!fwc || !ftmp) {
 dprintf(("%s malloc said no\n", err_prefix));
 if (fwc) free(fwc, M_IPFW);
@@ -883,7 +889,11 @@ add_entry(struct ip_fw_head *chainptr, struct ip_fw *frwl)
 return (ENOSPC);
 }
 
- bcopy(frwl, ftmp, sizeof(struct ip_fw));
+ bzero(ftmp_ext, sizeof(*ftmp_ext)); /* play safe! */
+ bcopy(frwl, ftmp, sizeof(*ftmp));
+ if (ftmp->fw_flg & IP_FW_F_RND_MATCH)
+ ftmp_ext->dont_match_prob = (long)(ftmp->pipe_ptr) ;
+
 ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
 ftmp->fw_pcnt = 0L;
 ftmp->fw_bcnt = 0L;
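Review bot: In add_entry, `ftmp = &ftmp_ext->rule ;` is evaluated before the allocation result is checked, so a failed malloc is dereferenced (formally undefined even though `rule` sits at offset 0) and the check on the following line then tests the derived pointer rather than the one malloc returned. Test the allocation directly and derive the inner pointer only on success, e.g. `if (!fwc || !ftmp_ext) { ... }` followed by `ftmp = &ftmp_ext->rule;`. As rendered, the new declaration `struct ip_fw_ext *ftmp_ext = 0` has no terminating semicolon; if that is not a display artifact the file will not compile. The remainder of add_entry, including the rest of the allocation-failure path, lies outside this hunk.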
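Review bot: `ftmp_ext->dont_match_prob = (long)(ftmp->pipe_ptr) ;` stores a user-supplied value with no range check, and the match path added at `rnd_then_got_match` then compares it against `random()`. The header comment names 0x7fffffff as the value meaning "always fail", so anything outside 0..0x7fffffff should be rejected; a negative value in particular would, if `random()` returns an unsigned type as the kernel's libkern version appears to, be promoted to a huge unsigned operand and silently yield a rule that never matches instead of an error. Validate before insertion, `if (ftmp_ext->dont_match_prob < 0 || ftmp_ext->dont_match_prob > 0x7fffffff)` and return EINVAL through the function's existing cleanup path. Once the value has been copied it would also be cleaner to clear `ftmp->pipe_ptr`, so user-provided bits are not left in a pointer field of the kernel-side rule; the rest of add_entry is outside the hunk, so whether later code already overwrites it cannot be seen here.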
@@ -1142,9 +1152,8 @@ ip_fw_ctl(struct sockopt *sopt)
 {
 int error, s;
 size_t size;
- char *buf, *bp;
 struct ip_fw_chain *fcp;
- struct ip_fw frwl;
+ struct ip_fw frwl, *bp , *buf;
 
 /* Disallow sets in really-really secure mode. */
 if (sopt->sopt_dir == SOPT_SET && securelevel >= 3)
@@ -1165,7 +1174,9 @@ ip_fw_ctl(struct sockopt *sopt)
 for (fcp = LIST_FIRST(&ip_fw_chain), bp = buf; fcp;
 fcp = LIST_NEXT(fcp, chain)) {
 bcopy(fcp->rule, bp, sizeof *fcp->rule);
- bp += sizeof *fcp->rule;
+ (long)bp->pipe_ptr =
+ ((struct ip_fw_ext *)fcp->rule)->dont_match_prob;
+ bp ++ ;
 }
 error = sooptcopyout(sopt, buf, size);
 FREE(buf, M_TEMP);
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index a4cee76ed8e0..92a46fb7793f 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -11,7 +11,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- * $Id: ip_fw.h,v 1.35 1998/09/02 19:14:01 phk Exp $
+ * $Id: ip_fw.h,v 1.36 1998/12/14 18:09:13 luigi Exp $
  */
 
 #ifndef _IP_FW_H
@@ -83,6 +83,22 @@ struct ip_fw {
 void *next_rule_ptr ; /* next rule in case of match */
 };
 
+/*
+ * extended ipfw structure... some fields in the original struct
+ * can be used to pass parameters up/down, namely pointers
+ * void *pipe_ptr
+ * void *next_rule_ptr
+ * some others can be used to pass parameters down, namely counters etc.
+ * u_int64_t fw_pcnt,fw_bcnt;
+ * long timestamp;
+ */
+
+struct ip_fw_ext { /* extended structure */
+ struct ip_fw rule; /* must be at offset 0 */
+ long dont_match_prob; /* 0x7fffffff means 1.0, always fail */
+ u_int param1; /* unused at the moment */
+};
+
 #define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
 #define IP_FW_SETNSRCP(rule, n) do { \
 (rule)->fw_nports &= ~0x0f; \
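Review bot: `(long)bp->pipe_ptr = ((struct ip_fw_ext *)fcp->rule)->dont_match_prob;` assigns through a cast, which is not an lvalue in standard C and only works as a compiler extension; write it as `bp->pipe_ptr = (void *)((struct ip_fw_ext *)fcp->rule)->dont_match_prob;`. The assignment runs for every rule regardless of IP_FW_F_RND_MATCH, which is correct only as long as `dont_match_prob` stays zero for rules without the flag, so a comment such as `/* pipe_ptr doubles as the carrier for dont_match_prob on the way to userland */` would make the in-band contract visible to readers of ip_fw_ctl. The preceding bcopy still exports the rest of the kernel-side struct, including `next_rule_ptr`, to userland unchanged; that predates this change, but since this hunk now decides what the exported pointer slots contain, it is the natural place to scrub the other one too. ip_fw_ctl continues outside the hunk.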
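Review bot: The comment on `long dont_match_prob;` gives only the meaning of 0x7fffffff; since the value is copied in from the user-supplied rule and compared against `random()` elsewhere, the header should state the full contract. Suggested replacement: `/* 0 = disabled; valid range 1..0x7fffffff, 0x7fffffff meaning 1.0 (never match); supplied by userland in rule.pipe_ptr when IP_FW_F_RND_MATCH is set */`. The `/* must be at offset 0 */` note on `rule` is load-bearing because ip_fw.c casts `struct ip_fw *` to `struct ip_fw_ext *`; say so explicitly, e.g. `/* must be first: ip_fw.c casts struct ip_fw * to struct ip_fw_ext * */`.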
@@ -144,7 +160,9 @@ struct ip_fw_chain {
 #define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */
 
-#define IP_FW_F_MASK 0x001FFFFF /* All possible flag bits mask */
+#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */
+
+#define IP_FW_F_MASK 0x009FFFFF /* All possible flag bits mask */
 
 /*
  * For backwards compatibility with rules specifying "via iface" but |
