Index: lib/libalias/Makefile
===================================================================
RCS file: /home/dcvs/src/lib/libalias/Makefile,v
retrieving revision 1.3
diff -u -r1.3 Makefile
--- lib/libalias/Makefile 21 Apr 2005 13:42:33 -0000 1.3
+++ lib/libalias/Makefile 28 Jun 2006 02:30:49 -0000
@@ -4,9 +4,7 @@
 LIB= alias
 SHLIB_MAJOR= 5
 CFLAGS+= -Wall -Wmissing-prototypes
-.if defined(IPFW2)
 CFLAGS+= -DIPFW2
-.endif
 SRCS= alias.c alias_cuseeme.c alias_db.c alias_ftp.c alias_irc.c \
 alias_nbt.c alias_pptp.c alias_proxy.c alias_smedia.c \
 alias_util.c
Index: lib/libalias/alias_db.c
===================================================================
RCS file: /home/dcvs/src/lib/libalias/alias_db.c,v
retrieving revision 1.4
diff -u -r1.4 alias_db.c
--- lib/libalias/alias_db.c 20 Aug 2004 00:08:17 -0000 1.4
+++ lib/libalias/alias_db.c 28 Jun 2006 02:08:47 -0000
@@ -2643,7 +2643,6 @@
 #include
 #include
-#if IPFW2 /* support for new firewall code */
 /*
  * helper function, updates the pointer to cmd with the length
  * of the current command, and also cleans up the first word of
@@ -2713,7 +2712,6 @@
 return ((void *)cmd - buf);
 }
-#endif /* IPFW2 */
 static void ClearAllFWHoles(void);
@@ -2804,7 +2802,6 @@
  * add fwhole accept tcp from OAddr OPort to DAddr DPort
  * add fwhole accept tcp from DAddr DPort to OAddr OPort
  */
-#if IPFW2
 if (GetOriginalPort(link) != 0 && GetDestPort(link) != 0) {
 u_int32_t rulebuf[255];
 int i;
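Review bot: `CFLAGS+= -DIPFW2` in lib/libalias/Makefile is now unconditional, yet every `#if IPFW2` test this commit touches (alias_db.c, ip_fw.h, ip_fw2.c, ip_dummynet.c) is removed in the same commit, so the define no longer selects anything in those files. The same leftover appears in sbin/ipfw/Makefile, sys/net/dummynet/Makefile and sys/net/ipfw/Makefile. Unless a file outside this diff (sbin/ipfw/ipfw2.c, for instance) still tests the macro, drop the `CFLAGS+= -DIPFW2` line in all four; if some consumer does remain, a one-line comment beside the define naming it would stop the next cleanup from having to guess.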
@@ -2825,44 +2822,6 @@
 if (r)
 err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
 }
-#else /* !IPFW2, old code to generate ipfw rule */
-
- /* Build generic part of the two rules */
- rule.fw_number = fwhole;
- IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */
- IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. */
- rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT;
- rule.fw_prot = IPPROTO_TCP;
- rule.fw_smsk.s_addr = INADDR_BROADCAST;
- rule.fw_dmsk.s_addr = INADDR_BROADCAST;
-
- /* Build and apply specific part of the rules */
- rule.fw_src = GetOriginalAddress(link);
- rule.fw_dst = GetDestAddress(link);
- rule.fw_uar.fw_pts[0] = ntohs(GetOriginalPort(link));
- rule.fw_uar.fw_pts[1] = ntohs(GetDestPort(link));
-
- /* Skip non-bound links - XXX should not be strictly necessary,
- but seems to leave hole if not done. Leak of non-bound links?
- (Code should be left even if the problem is fixed - it is a
- clear optimization) */
- if (rule.fw_uar.fw_pts[0] != 0 && rule.fw_uar.fw_pts[1] != 0) {
- r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
-#ifdef DEBUG
- if (r)
- err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)");
-#endif
- rule.fw_src = GetDestAddress(link);
- rule.fw_dst = GetOriginalAddress(link);
- rule.fw_uar.fw_pts[0] = ntohs(GetDestPort(link));
- rule.fw_uar.fw_pts[1] = ntohs(GetOriginalPort(link));
- r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
-#ifdef DEBUG
- if (r)
- err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
-#endif
- }
-#endif /* !IPFW2 */
 /* Indicate hole applied */
 link->data.tcp->fwhole = fwhole;
 fw_setfield(fireWallField, fwhole);
@@ -2880,16 +2839,9 @@
 return;
 memset(&rule, 0, sizeof rule); /* useless for ipfw2 */
-#if IPFW2
 while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &fwhole, sizeof fwhole))
 ;
-#else /* !IPFW2 */
- rule.fw_number = fwhole;
- while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL,
- &rule, sizeof rule))
- ;
-#endif /* !IPFW2 */
 fw_clrfield(fireWallField, fwhole);
 link->data.tcp->fwhole = -1;
 }
@@ -2906,15 +2858,9 @@
 memset(&rule, 0, sizeof rule);
 for (i = fireWallBaseNum; i < fireWallBaseNum + fireWallNumNums; i++) {
-#if IPFW2
 int r = i;
 while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, sizeof r))
 ;
-#else /* !IPFW2 */
- rule.fw_number = i;
- while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule))
- ;
-#endif /* !IPFW2 */
 }
 memset(fireWallField, 0, fireWallNumNums);
 }
Index: sbin/ipfw/Makefile
===================================================================
RCS file: /home/dcvs/src/sbin/ipfw/Makefile,v
retrieving revision 1.2
diff -u -r1.2 Makefile
--- sbin/ipfw/Makefile 17 Jun 2003 04:27:33 -0000 1.2
+++ sbin/ipfw/Makefile 28 Jun 2006 02:29:42 -0000
@@ -4,9 +4,7 @@
 PROG= ipfw
 MAN= ipfw.8
 CFLAGS+=-Wall
-.if defined(IPFW2)
 SRCS= ipfw2.c
 CFLAGS+= -DIPFW2
-.endif
 .include
Index: sbin/ipfw/ipfw.8
===================================================================
RCS file: /home/dcvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.8
diff -u -r1.8 ipfw.8
--- sbin/ipfw/ipfw.8 25 Jun 2006 11:02:37 -0000 1.8
+++ sbin/ipfw/ipfw.8 28 Jun 2006 02:27:09 -0000
@@ -89,13 +89,6 @@
 .Sx IPFW2 ENHANCEMENTS ,
 which you are encouraged to read to revise older rulesets
 and possibly write them more efficiently.
-See Section
-.Sx USING IPFW2 IN FreeBSD-STABLE
-for instructions on how to run
-.Nm ipfw2
-on
-.Fx
-STABLE.
 .Ed
 .Pp
 An
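Review bot: With the ipfw1 branch gone, `memset(&rule, 0, sizeof rule); /* useless for ipfw2 */` in the `@@ -2880` hunk zeroes a `struct ip_fw` buffer that nothing reads any more — the comment already admits as much — and the same dead `memset(&rule, 0, sizeof rule);` precedes the loop in the `@@ -2906` hunk. Both lines should go, together with the `rule` declarations they refer to, which sit outside the hunks (both enclosing functions start above the visible lines). The remaining `IP_FW_DEL` calls pass `&fwhole` and `&r` directly, so no ipfw1 rule structure is needed in this file after this commit.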
@@ -1625,27 +1618,6 @@
 .Nm .
 Default is no.
 .El
-.Sh USING IPFW2 IN FreeBSD-STABLE
-.Nm ipfw2
-is standard in
-.Fx
-CURRENT, whereas
-.Fx
-STABLE still uses
-.Nm ipfw1
-unless the kernel is compiled with
-.Cm options IPFW2 ,
-and
-.Nm /sbin/ipfw
-and
-.Nm /usr/lib/libalias
-are recompiled with
-.Cm -DIPFW2
-and reinstalled (the same effect can be achieved by adding
-.Cm IPFW2=TRUE
-to
-.Nm /etc/make.conf
-before a buildworld).
 .Sh IPFW2 ENHANCEMENTS
 This Section lists the features that have been introduced in
 .Nm ipfw2
Index: sys/conf/options
===================================================================
RCS file: /home/dcvs/src/sys/conf/options,v
retrieving revision 1.50
diff -u -r1.50 options
--- sys/conf/options 25 Jun 2006 11:02:37 -0000 1.50
+++ sys/conf/options 28 Jun 2006 02:13:56 -0000
@@ -283,7 +283,6 @@
 IPFILTER_LOG opt_ipfilter.h
 IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
 IPFIREWALL opt_ipfw.h
-IPFW2 opt_ipfw.h
 IPFIREWALL_VERBOSE opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
Index: sys/i386/conf/LINT
===================================================================
RCS file: /home/dcvs/src/sys/i386/conf/LINT,v
retrieving revision 1.84
diff -u -r1.84 LINT
--- sys/i386/conf/LINT 25 Jun 2006 11:02:39 -0000 1.84
+++ sys/i386/conf/LINT 28 Jun 2006 02:14:24 -0000
@@ -2650,7 +2650,6 @@
 options FE_8BIT_SUPPORT
 options I4B_SMP_WORKAROUND
 options I586_PMC_GUPROF=0x70000
-options IPFW2
 options KBDIO_DEBUG=2
 options KBD_MAXRETRY=4
 options KBD_MAXWAIT=6
Index: sys/net/dummynet/Makefile
===================================================================
RCS file: /home/dcvs/src/sys/net/dummynet/Makefile,v
retrieving revision 1.3
diff -u -r1.3 Makefile
--- sys/net/dummynet/Makefile 25 Jun 2006 11:02:39 -0000 1.3
+++ sys/net/dummynet/Makefile 28 Jun 2006 14:05:12 -0000
@@ -5,9 +5,7 @@
 KMOD= dummynet
 SRCS= ip_dummynet.c
 NOMAN=
-.if defined(IPFW2)
 CFLAGS+= -DIPFW2
-.endif
 KMODDEPS= ipfw
 .include
Index: sys/net/dummynet/ip_dummynet.c
===================================================================
RCS file: /home/dcvs/src/sys/net/dummynet/ip_dummynet.c,v
retrieving revision 1.18
diff -u -r1.18 ip_dummynet.c
--- sys/net/dummynet/ip_dummynet.c 25 Jun 2006 11:02:39 -0000 1.18
+++ sys/net/dummynet/ip_dummynet.c 28 Jun 2006 02:16:01 -0000
@@ -1000,7 +1000,6 @@
 struct dn_flow_set *
 locate_flowset(int pipe_nr, struct ip_fw *rule)
 {
-#if IPFW2
 struct dn_flow_set *fs;
 ipfw_insn *cmd = rule->cmd + rule->act_ofs;
@@ -1012,11 +1011,6 @@
 return fs;
 if (cmd->opcode == O_QUEUE)
-#else /* !IPFW2 */
- struct dn_flow_set *fs = NULL ;
-
- if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE )
-#endif /* !IPFW2 */
 for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next)
 ;
 else {
@@ -1027,12 +1021,7 @@
 fs = &(p1->fs) ;
 }
 /* record for the future */
-#if IPFW2
 ((ipfw_insn_pipe *)cmd)->pipe_ptr = fs;
-#else
- if (fs != NULL)
- rule->pipe_ptr = fs;
-#endif
 return fs ;
 }
@@ -1062,15 +1051,11 @@
 int is_pipe;
 crit_enter();
-#if IPFW2
 ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;
 if (cmd->opcode == O_LOG)
 cmd += F_LEN(cmd);
 is_pipe = (cmd->opcode == O_PIPE);
-#else
- is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE;
-#endif
 pipe_nr &= 0xffff ;
Index: sys/net/ipfw/Makefile
===================================================================
RCS file: /home/dcvs/src/sys/net/ipfw/Makefile,v
retrieving revision 1.2
diff -u -r1.2 Makefile
--- sys/net/ipfw/Makefile 17 Jun 2003 04:28:44 -0000 1.2
+++ sys/net/ipfw/Makefile 28 Jun 2006 02:33:39 -0000
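Review bot: In the `@@ -1062` hunk the declaration `ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;` now follows the `crit_enter();` statement unconditionally, whereas before it was compiled only under `#if IPFW2`. A declaration after a statement is C99-only, so a kernel built with a pre-C99 dialect would reject it, and even where it compiles the block already declares its locals up front (`int is_pipe;`). Declaring `ipfw_insn *cmd;` next to `int is_pipe;` and assigning `cmd = fwa->rule->cmd + fwa->rule->act_ofs;` after `crit_enter();` keeps the function consistent. The enclosing function starts and ends outside the hunk, so whether other locals are declared after statements there cannot be seen from here.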
@@ -5,12 +5,8 @@
 KMOD= ipfw
 NOMAN=
 CFLAGS+= -DIPFIREWALL
-.if defined(IPFW2)
 SRCS= ip_fw2.c
 CFLAGS+= -DIPFW2
-.else
-SRCS= ip_fw.c
-.endif
 #
 #If you want it verbose
 #CFLAGS+= -DIPFIREWALL_VERBOSE
Index: sys/net/ipfw/ip_fw.h
===================================================================
RCS file: /home/dcvs/src/sys/net/ipfw/ip_fw.h,v
retrieving revision 1.7
diff -u -r1.7 ip_fw.h
--- sys/net/ipfw/ip_fw.h 25 Jun 2006 11:02:39 -0000 1.7
+++ sys/net/ipfw/ip_fw.h 28 Jun 2006 02:17:51 -0000
@@ -18,358 +18,6 @@
 #ifndef _IP_FW_H
 #define _IP_FW_H
-#if IPFW2
 #include "ip_fw2.h"
-#else /* !IPFW2, good old ipfw */
-#include
-
-/*
- * This union structure identifies an interface, either explicitly
- * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
- * and IP_FW_F_OIFNAME say how to interpret this structure. An
- * interface unit number of -1 matches any unit number, while an
- * IP address of 0.0.0.0 indicates matches any interface.
- *
- * The receive and transmit interfaces are only compared against the
- * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
- * is set. Note some packets lack a receive or transmit interface
- * (in which case the missing "interface" never matches).
- */
-
-union ip_fw_if {
- struct in_addr fu_via_ip; /* Specified by IP address */
- struct { /* Specified by interface name */
-#define FW_IFNLEN IFNAMSIZ
- char name[FW_IFNLEN];
- short glob;
- } fu_via_if;
-};
-
-/*
- * Format of an IP firewall descriptor
- *
- * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
- * fw_flg and fw_n*p are stored in host byte order (of course).
- * Port numbers are stored in HOST byte order.
- */
-
-struct ip_fw {
- LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */
- u_int32_t fw_flg; /* Operational Flags word */
- u_int64_t fw_pcnt; /* Packet counters */
- u_int64_t fw_bcnt; /* Byte counters */
- struct in_addr fw_src; /* Source IP address */
- struct in_addr fw_dst; /* Destination IP address */
- struct in_addr fw_smsk; /* Mask for source IP address */
- struct in_addr fw_dmsk; /* Mask for destination address */
- u_short fw_number; /* Rule number */
- u_char fw_prot; /* IP protocol */
-#if 1
- u_char fw_nports; /* # of src/dst port in array */
-#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
-#define IP_FW_SETNSRCP(rule, n) do { \
- (rule)->fw_nports &= ~0x0f; \
- (rule)->fw_nports |= (n); \
- } while (0)
-#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
-#define IP_FW_SETNDSTP(rule, n) do { \
- (rule)->fw_nports &= ~0xf0; \
- (rule)->fw_nports |= (n) << 4;\
- } while (0)
-#define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0)
-#else
- u_char __pad[1];
- u_int _nsrcp;
- u_int _ndstp;
-#define IP_FW_GETNSRCP(rule) (rule)->_nsrcp
-#define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n
-#define IP_FW_GETNDSTP(rule) (rule)->_ndstp
-#define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n
-#define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0)
-#endif
-#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
- union {
- u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
-#define IP_FW_ICMPTYPES_MAX 128
-#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
- unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
- } fw_uar;
-
- u_int fw_ipflg; /* IP flags word */
- u_short fw_iplen; /* IP length XXX */
- u_short fw_ipid; /* Identification XXX */
-
- u_char fw_ipopt; /* IP options set */
- u_char fw_ipnopt; /* IP options unset */
- u_char fw_iptos; /* IP type of service set XXX */
- u_char fw_ipntos; /* IP type of service unset XXX */
-
- u_char fw_ipttl; /* IP time to live XXX */
- u_char fw_ipver:4; /* IP version XXX */
- u_char fw_tcpopt; /* TCP options set */
- u_char fw_tcpnopt; /* TCP options unset */
-
- u_char fw_tcpf; /* TCP flags set/unset */
- u_char fw_tcpnf; /* TCP flags set/unset */
- u_short fw_tcpwin; /* TCP window size XXX */
-
- u_int32_t fw_tcpseq; /* TCP sequence XXX */
- u_int32_t fw_tcpack; /* TCP acknowledgement XXX */
-
- long timestamp; /* timestamp (tv_sec) of last match */
- union ip_fw_if fw_in_if; /* Incoming interfaces */
- union ip_fw_if fw_out_if; /* Outgoing interfaces */
- union {
- u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */
- u_short fu_pipe_nr; /* queue number (option DUMMYNET) */
- u_short fu_skipto_rule; /* SKIPTO command rule number */
- u_short fu_reject_code; /* REJECT response code */
- struct sockaddr_in fu_fwd_ip;
- } fw_un;
-
- /*
- * N'of src ports and # of dst ports in ports array (dst ports
- * follow src ports; max of 10 ports in all; count of 0 means
- * match all ports)
- */
- void *pipe_ptr; /* flow_set ptr for dummynet pipe */
- void *next_rule_ptr; /* next rule in case of match */
- uid_t fw_uid; /* uid to match */
- gid_t fw_gid; /* gid to match */
- int fw_logamount; /* amount to log */
- u_int64_t fw_loghighest; /* highest number packet to log */
-
- long dont_match_prob; /* 0x7fffffff means 1.0-always fail */
- u_char dyn_type; /* type for dynamic rule */
-
-#define DYN_KEEP_STATE 0 /* type for keep-state rules */
-#define DYN_LIMIT 1 /* type for limit connection rules */
-#define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */
-
- /*
- * following two fields are used to limit number of connections
- * basing on either src, srcport, dst, dstport.
- */
- u_char limit_mask; /* mask type for limit rule, can
- * have many.
- */
-#define DYN_SRC_ADDR 0x1
-#define DYN_SRC_PORT 0x2
-#define DYN_DST_ADDR 0x4
-#define DYN_DST_PORT 0x8
-
- u_short conn_limit; /* # of connections for limit rule */
-};
-
-#define fw_divert_port fw_un.fu_divert_port
-#define fw_skipto_rule fw_un.fu_skipto_rule
-#define fw_reject_code fw_un.fu_reject_code
-#define fw_pipe_nr fw_un.fu_pipe_nr
-#define fw_fwd_ip fw_un.fu_fwd_ip
-
-/*
- *
- * rule_ptr -------------+
- * V
- * [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
- * [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
- * [ body ] [ body ] [ body ]
- *
- */
-
-/*
- * Flow mask/flow id for each queue.
- */
-struct ipfw_flow_id {
- u_int32_t dst_ip;
- u_int32_t src_ip;
- u_int16_t dst_port;
- u_int16_t src_port;
- u_int8_t proto;
- u_int8_t flags; /* protocol-specific flags */
-};
-
-/*
- * dynamic ipfw rule
- */
-struct ipfw_dyn_rule {
- struct ipfw_dyn_rule *next;
- struct ipfw_flow_id id; /* (masked) flow id */
- struct ip_fw *rule; /* pointer to rule */
- struct ipfw_dyn_rule *parent; /* pointer to parent rule */
- u_int32_t expire; /* expire time */
- u_int64_t pcnt; /* packet match counters */
- u_int64_t bcnt; /* byte match counters */
- u_int32_t bucket; /* which bucket in hash table */
- u_int32_t state; /* state of this rule (typically a
- * combination of TCP flags)
- */
- u_int16_t dyn_type; /* rule type */
- u_int16_t count; /* refcount */
-};
-
-/*
- * Values for "flags" field .
- */
-#define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */
-#define IP_FW_F_DENY 0x00000000 /* This is a deny rule */
-#define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */
-#define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */
-#define IP_FW_F_COUNT 0x00000003 /* This is a count rule */
-#define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */
-#define IP_FW_F_TEE 0x00000005 /* This is a tee rule */
-#define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */
-#define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding
- * address" rule
- */
-#define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */
-#define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */
-
-#define IP_FW_F_IN 0x00000100 /* Check inbound packets */
-#define IP_FW_F_OUT 0x00000200 /* Check outbound packets */
-#define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */
-#define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */
-#define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */
-#define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min
- * and max range (stored in host byte
- * order).
- */
-#define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min
- * and max range (stored in host byte
- * order).
- */
-#define IP_FW_F_FRAG 0x00008000 /* Fragment */
-#define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */
-#define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP)*/
-#define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */
-#define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */
-#define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */
-#define IP_FW_F_UID 0x00200000 /* filter by uid */
-#define IP_FW_F_GID 0x00400000 /* filter by gid */
-#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */
-#define IP_FW_F_SMSK 0x01000000 /* src-port + mask */
-#define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */
-#define IP_FW_UNUSED0 0x04000000
-#define IP_FW_F_KEEP_S 0x08000000 /* keep state */
-#define IP_FW_F_CHECK_S 0x10000000 /* check state */
-#define IP_FW_F_SME 0x20000000 /* source = me */
-#define IP_FW_F_DME 0x40000000 /* destination = me */
-
-#define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */
-
-/*
- * Flags for the 'fw_ipflg' field, for comparing values
- * of ip and its protocols. Not all are currently used,
- * IP_FW_IF_*MSK list the one actually used.
- */
-#define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */
-#define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */
-#define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */
-#define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */
-#define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */
-#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */
-#define IP_FW_IF_TCPMSK 0x00000020 /* mask of all tcp values */
-
-#define IP_FW_IF_IPOPT 0x00000100 /* ip options */
-#define IP_FW_IF_IPLEN 0x00000200 /* ip length */
-#define IP_FW_IF_IPID 0x00000400 /* ip identification */
-#define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */
-#define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */
-#define IP_FW_IF_IPVER 0x00002000 /* ip version */
-#define IP_FW_IF_IPMSK 0x00000000 /* mask of all ip values */
-
-#define IP_FW_IF_MSK 0x00000020 /* All possible bits mask */
-
-/*
- * For backwards compatibility with rules specifying "via iface" but
- * not restricted to only "in" or "out" packets, we define this combination
- * of bits to represent this configuration.
- */
-
-#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
-
-/*
- * Definitions for REJECT response codes.
- * Values less than 256 correspond to ICMP unreachable codes.
- */
-#define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
-
-/*
- * Definitions for IP option names.
- */
-#define IP_FW_IPOPT_LSRR 0x01
-#define IP_FW_IPOPT_SSRR 0x02
-#define IP_FW_IPOPT_RR 0x04
-#define IP_FW_IPOPT_TS 0x08
-
-/*
- * Definitions for TCP option names.
- */
-#define IP_FW_TCPOPT_MSS 0x01
-#define IP_FW_TCPOPT_WINDOW 0x02
-#define IP_FW_TCPOPT_SACK 0x04
-#define IP_FW_TCPOPT_TS 0x08
-#define IP_FW_TCPOPT_CC 0x10
-
-/*
- * Definitions for TCP flags.
- */
-#define IP_FW_TCPF_FIN TH_FIN
-#define IP_FW_TCPF_SYN TH_SYN
-#define IP_FW_TCPF_RST TH_RST
-#define IP_FW_TCPF_PSH TH_PUSH
-#define IP_FW_TCPF_ACK TH_ACK
-#define IP_FW_TCPF_URG TH_URG
-
-/*
- * Main firewall chains definitions and global var's definitions.
- */
-#ifdef _KERNEL
-
-#define IP_FW_PORT_DYNT_FLAG 0x10000
-#define IP_FW_PORT_TEE_FLAG 0x20000
-#define IP_FW_PORT_DENY_FLAG 0x40000
-
-/*
- * arguments for calling ipfw_chk() and dummynet_io(). We put them
- * all into a structure because this way it is easier and more
- * efficient to pass variables around and extend the interface.
- */
-struct ip_fw_args {
- struct mbuf *m; /* the mbuf chain */
- struct ifnet *oif; /* output interface */
- struct sockaddr_in *next_hop; /* forward address */
- struct ip_fw *rule; /* matching rule */
- struct ether_header *eh; /* for bridged packets */
-
- struct route *ro; /* for dummynet */
- struct sockaddr_in *dst; /* for dummynet */
- int flags; /* for dummynet */
-
- struct ipfw_flow_id f_id; /* grabbed from IP header */
- u_int32_t retval;
-};
-
-/*
- * Function definitions.
- */
-void ip_fw_init (void);
-
-/* Firewall hooks */
-struct sockopt;
-struct dn_flow_set;
-void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
-
-typedef int ip_fw_chk_t (struct ip_fw_args *args);
-typedef int ip_fw_ctl_t (struct sockopt *);
-extern ip_fw_chk_t *ip_fw_chk_ptr;
-extern ip_fw_ctl_t *ip_fw_ctl_ptr;
-extern int fw_one_pass;
-extern int fw_enable;
-extern struct ipfw_flow_id last_pkt;
-#define IPFW_LOADED (ip_fw_chk_ptr != NULL)
-#endif /* _KERNEL */
-
-#endif /* !IPFW2 */
 #endif /* _IP_FW_H */
Index: sys/net/ipfw/ip_fw2.c
===================================================================
RCS file: /home/dcvs/src/sys/net/ipfw/ip_fw2.c,v
retrieving revision 1.19
diff -u -r1.19 ip_fw2.c
--- sys/net/ipfw/ip_fw2.c 25 Jun 2006 11:02:39 -0000 1.19
+++ sys/net/ipfw/ip_fw2.c 28 Jun 2006 02:20:23 -0000
@@ -43,7 +43,6 @@
 #endif /* INET */
 #endif
-#if IPFW2
 #include
 #include
 #include
@@ -2767,4 +2766,4 @@
 };
 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
 MODULE_VERSION(ipfw, 1);
-#endif /* IPFW2 */
+