Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipfstat.c | 13 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipmon.c | 8 | ||||
| -rw-r--r-- | usr/src/common/net/patricia/radix.c | 9 | ||||
| -rw-r--r-- | usr/src/uts/common/inet/ipf/fil.c | 52 | ||||
| -rw-r--r-- | usr/src/uts/common/inet/ipf/ip_fil_solaris.c | 14 | ||||
| -rw-r--r-- | usr/src/uts/common/inet/ipf/ip_state.c | 111 | ||||
| -rw-r--r-- | usr/src/uts/common/inet/ipf/netinet/ip_compat.h | 11 | ||||
| -rw-r--r-- | usr/src/uts/common/inet/ipf/netinet/ip_fil.h | 1 | ||||
| -rw-r--r-- | usr/src/uts/common/inet/ipf/solaris.c | 72 |
9 files changed, 185 insertions, 106 deletions
diff --git a/usr/src/cmd/ipf/tools/ipfstat.c b/usr/src/cmd/ipf/tools/ipfstat.c index 46707d6a34..1262b86921 100644 --- a/usr/src/cmd/ipf/tools/ipfstat.c +++ b/usr/src/cmd/ipf/tools/ipfstat.c @@ -1055,12 +1055,10 @@ ips_stat_t *ipsp; if (!(opts & OPT_SHOWLIST)) { PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); - PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, - ipsp->iss_miss); - PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n", - ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull); - PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", - ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); + PRINTF("\t%lu hits\n\t%lu misses\n", + ipsp->iss_hits, ipsp->iss_miss); + PRINTF("\t%lu maximum\n\t%lu no memory\n", ipsp->iss_max, + ipsp->iss_nomem); PRINTF("\t%lu active\n\t%lu expired\n", ipsp->iss_active, ipsp->iss_expire); PRINTF("\t%lu closed\n\t%u orphans\n", @@ -1070,7 +1068,8 @@ ips_stat_t *ipsp; state_logging ? "en" : "dis"); PRINTF("\nState table bucket statistics:\n"); - PRINTF("\t%lu in use\t\n", ipsp->iss_inuse); + PRINTF("\t%lu in use\n\t%lu max bucket\n", ipsp->iss_inuse, + ipsp->iss_bucketfull); minlen = ipsp->iss_max; totallen = 0; diff --git a/usr/src/cmd/ipf/tools/ipmon.c b/usr/src/cmd/ipf/tools/ipmon.c index e9d37720ef..d4a351b015 100644 --- a/usr/src/cmd/ipf/tools/ipmon.c +++ b/usr/src/cmd/ipf/tools/ipmon.c @@ -7,7 +7,6 @@ * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" #ifndef SOLARIS #define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun) @@ -1278,8 +1277,13 @@ printipflog: t += 8; } if ((ipf->fl_lflags & FI_OOW) != 0) { + if (ipf->fl_lflags & FI_NEG_OOW) { + strcpy(t, " NEG_OOW"); + t += sizeof (" NEG_OOW") - 1; + } else { strcpy(t, " OOW"); - t += 4; + t += sizeof (" OOW") - 1; + } } if ((ipf->fl_lflags & FI_BAD) != 0) { strcpy(t, " bad"); 
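Review bot: The new `strcpy(t, " NEG_OOW")` in the @@ -1278 hunk of ipmon.c writes through `t` with no length bound, and the added suffix is four bytes longer than the " OOW" it replaces, so the worst-case log line grows. The buffer that `t` points into is declared outside the hunk; confirm its size still covers every flag suffix emitted together. Recording the requirement above the block would help, e.g. `/* worst case appends every flag suffix; the destination must have room for " NEG_OOW" */`. The enclosing function starts and ends outside the hunk.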
diff --git a/usr/src/common/net/patricia/radix.c b/usr/src/common/net/patricia/radix.c index a61cbaa619..9a1d3f78ed 100644 --- a/usr/src/common/net/patricia/radix.c +++ b/usr/src/common/net/patricia/radix.c @@ -1,5 +1,5 @@ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * Copyright (c) 1988, 1989, 1993 @@ -34,7 +34,6 @@ * imp Exp $ */ -#pragma ident "%Z%%M% %I% %E% SMI" /* * Routines to build and maintain radix trees for routing lookups. @@ -87,7 +86,11 @@ static struct radix_node *rn_delete(void *, void *, struct radix_node_head *); static boolean_t rn_refines(void *, void *); -#define MAX_KEYLEN 16 +/* + * IPF also uses PATRICIA tree to manage ippools. IPF stores its own structure + * addrfamily_t. sizeof (addrfamily_t) == 24. + */ +#define MAX_KEYLEN 24 static int max_keylen = MAX_KEYLEN; #ifdef _KERNEL diff --git a/usr/src/uts/common/inet/ipf/fil.c b/usr/src/uts/common/inet/ipf/fil.c index 84f6774a2c..732c522521 100644 --- a/usr/src/uts/common/inet/ipf/fil.c +++ b/usr/src/uts/common/inet/ipf/fil.c @@ -881,12 +881,19 @@ int plen; { #if defined(_KERNEL) if (fin->fin_m != NULL) { + int ipoff; + + ipoff = (char *)fin->fin_ip - MTOD(fin->fin_m, char *); + if (fin->fin_dp != NULL) plen += (char *)fin->fin_dp - ((char *)fin->fin_ip + fin->fin_hlen); - plen += ((char *)fin->fin_ip - MTOD(fin->fin_m, char *)) + - fin->fin_hlen; - if (M_LEN(fin->fin_m) < plen) { + plen += fin->fin_hlen; + /* + * We don't do 'plen += ipoff;' here. The fr_pullup() will + * do it for us. + */ + if (M_LEN(fin->fin_m) < plen + ipoff) { if (fr_pullup(fin->fin_m, fin, plen) == NULL) return -1; } 
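Review bot: `#define MAX_KEYLEN 24` in the @@ -87 hunk of radix.c hard-codes the size of a structure that is declared in IPF, and nothing visible ties the two values together. If addrfamily_t ever grows, keys longer than `max_keylen` would reach the radix routines, which presumably size their key and mask handling from this value (those routines are outside the hunk). A compile-time size assertion wherever both definitions are visible would turn a silent overrun into a build failure. The comment here could then read `/* must be >= sizeof (addrfamily_t), the largest key IPF stores */`.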
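Review bot: In the @@ -881 hunk of fil.c, `ipoff` is declared `int` but holds a pointer difference, and `plen + ipoff` is compared with `M_LEN(fin->fin_m)` with no visible check that `plen` is non-negative. `plen` is a caller-supplied `int` that this code enlarges further from header offsets, so if any caller derives it from packet contents, a bad value would skip or mis-size the pull-up. A guard such as `if (plen < 0) return -1;` before the comparison would make the lower bound explicit. The convention that fr_pullup() adds the IP-header offset itself is stated only in this hunk's comment, yet the `M_LEN(m) < len + ipoff` test in the @@ -1549 hunk of ip_fil_solaris.c depends on it too, so it belongs in fr_pullup()'s own header comment. The function's signature and end are outside the hunk.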
@@ -3619,8 +3626,9 @@ u_32_t *msk;
 /* v(I) - IP version being sync'd (v4 or v6) */
 /* newifp(I) - interface identifier being introduced/removed */
 /* oldifp(I) - interface identifier in a filter rule */
-/* newname(I) - name associated with oldifp interface */
-/* oldname(I) - name associated with newifp interface */
+/* newname(I) - name associated with newifp interface */
+/* oldname(I) - name associated with oldifp interface */
+/* ifs - pointer to IPF stack instance */
 /* */
 /* This function returns what the new value for "oldifp" should be for its */
 /* caller. In some cases it will not change, in some it will. */
@@ -3634,6 +3642,30 @@ u_32_t *msk;
 /* action == IPFSYNC_OLDIFP */
 /* if oldifp matches newifp then we are are doing a sync to remove any */
 /* references to oldifp, so we return "-1". */
+/* ----- */
+/* NOTE: */
+/* This function processes NIC event from PF_HOOKS. The action parameter */
+/* is set in ipf_nic_event_v4()/ipf_nic_event_v6() function. There is */
+/* one single switch statement() in ipf_nic_event_vx() function, which */
+/* translates the HOOK event type to action parameter passed to fr_ifsync. */
+/* The translation table looks as follows: */
+/* event | action */
+/* ----------------+------------- */
+/* NE_PLUMB | IPFSYNC_NEWIFP */
+/* NE_UNPLUMB | IPFSYNC_OLDIFP */
+/* NE_ADDRESS_CHANGE | IPFSYNC_RESYNC */
+/* */
+/* The oldname and oldifp parameters are taken from IPF entry (rule, state */
+/* table entry, NAT table entry, fragment ...). The newname and newifp */
+/* parameters come from hook event data, parameters are taken from event */
+/* in ipf_nic_event_vx() functions. Any time NIC changes, the IPF is */
+/* notified by hook function. */
+/* */
+/* We get NE_UNPLUMB event from PF_HOOKS even if someone coincidently tries */
+/* to plumb the interface, which is already plumbed. In such case we always */
+/* get the event from PF_HOOKS as follows: */
+/* event: NE_PLUMB */
+/* NIC: 0x0 */
 /* ------------------------------------------------------------------------ */
 static void *fr_ifsync(action, v, newname, oldname, newifp, oldifp, ifs)
 int action, v;
@@ -3655,6 +3687,12 @@ ipf_stack_t *ifs;
 rval = newifp;
 break;
 case IPFSYNC_OLDIFP :
+ /*
+ * If interface gets unplumbed it must be invalidated, which
+ * means set all existing references to the interface to -1.
+ * We don't want to invalidate references for wildcard
+ * (unbound) rules (entries).
+ */
 if (newifp == oldifp)
 rval = (oldifp) ? (void *)-1 : NULL;
 break;
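Review bot: The last paragraph of the NOTE added in the @@ -3634 hunk contradicts itself: it says an NE_UNPLUMB event arrives when an already-plumbed interface is plumbed again, then shows the delivered event as `event: NE_PLUMB` with `NIC: 0x0`. The translation table just above maps NE_PLUMB to IPFSYNC_NEWIFP and NE_UNPLUMB to IPFSYNC_OLDIFP, so which event arrives decides whether existing interface references are invalidated. The sentence should name the event that is actually observed. If that is NE_PLUMB, the line would read `/* We get NE_PLUMB event from PF_HOOKS even if someone coincidentally tries */`. fr_ifsync's body continues past the @@ -3655 hunk.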
@@ -3670,7 +3708,9 @@ ipf_stack_t *ifs; /* Parameters: action(I) - type of synchronisation to do */ /* v(I) - IP version being sync'd (v4 or v6) */ /* ifp(I) - interface identifier associated with action */ -/* name(I) - name associated with ifp parameter */ +/* ifname(I) - name associated with ifp parameter */ +/* fr(I) - pointer to filter rule */ +/* ifs - pointer to IPF stack instance */ /* Write Locks: ipf_mutex */ /* */ /* Walk through a list of filter rules and resolve any interface names into */ diff --git a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c index 24c3755eb0..9fe6d7cc2b 100644 --- a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c +++ b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c @@ -275,9 +275,9 @@ ipf_stack_t *ifs; "ipfilter_hook4_in", ifs); HOOK_INIT(ifs->ifs_ipfhook4_out, ipf_hook4_out, "ipfilter_hook4_out", ifs); - HOOK_INIT(ifs->ifs_ipfhook4_loop_in, ipf_hook4_in, + HOOK_INIT(ifs->ifs_ipfhook4_loop_in, ipf_hook4_loop_in, "ipfilter_hook4_loop_in", ifs); - HOOK_INIT(ifs->ifs_ipfhook4_loop_out, ipf_hook4_out, + HOOK_INIT(ifs->ifs_ipfhook4_loop_out, ipf_hook4_loop_out, "ipfilter_hook4_loop_out", ifs); /* @@ -336,9 +336,9 @@ ipf_stack_t *ifs; "ipfilter_hook6_in", ifs); HOOK_INIT(ifs->ifs_ipfhook6_out, ipf_hook6_out, "ipfilter_hook6_out", ifs); - HOOK_INIT(ifs->ifs_ipfhook6_loop_in, ipf_hook6_in, + HOOK_INIT(ifs->ifs_ipfhook6_loop_in, ipf_hook6_loop_in, "ipfilter_hook6_loop_in", ifs); - HOOK_INIT(ifs->ifs_ipfhook6_loop_out, ipf_hook6_out, + HOOK_INIT(ifs->ifs_ipfhook6_loop_out, ipf_hook6_loop_out, "ipfilter_hook6_loop_out", ifs); ifs->ifs_hook6_nic_events = (net_hook_register(ifs->ifs_ipf_ipv6, @@ -1549,7 +1549,7 @@ int len; else dpoff = 0; - if (M_LEN(m) < len) { + if (M_LEN(m) < len + ipoff) { /* * pfil_precheck ensures the IP header is on a 32bit 
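Review bot: The loopback events in the @@ -275 hunk of ip_fil_solaris.c, and in the @@ -336 hunk for IPv6, are now bound to the `*_loop_*` handlers with no comment recording why that is safe. The one handler body visible in this commit, ipf_hook4_loop_in, passes FI_NOCKSUM to ipf_hook(), so L4 checksum validation is skipped for packets delivered through that event. This is sound only while the loopback hook events can carry nothing but locally originated traffic. The bodies of ipf_hook4_loop_out and ipf_hook6_loop_in are not shown in the diff, so whether they do the same is inferred from the naming. A comment above the first loopback HOOK_INIT would make the assumption explicit, e.g. `/* loopback events carry only local traffic; their handlers skip L4 checksum validation (FI_NOCKSUM) */`.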
@@ -1891,7 +1891,7 @@ int ipf_hook6_loop_out(hook_event_token_t token, hook_data_t info, void *arg) } /* ------------------------------------------------------------------------ */ -/* Function: ipf_hook_loop_in */ +/* Function: ipf_hook4_loop_in */ /* Returns: int - 0 == packet ok, else problem, free packet if not done */ /* Parameters: event(I) - pointer to event */ /* info(I) - pointer to hook information for firewalling */ @@ -1899,7 +1899,7 @@ int ipf_hook6_loop_out(hook_event_token_t token, hook_data_t info, void *arg) /* Calling ipf_hook. */ /* ------------------------------------------------------------------------ */ /*ARGSUSED*/ -int ipf_hook_loop_in(hook_event_token_t token, hook_data_t info, void *arg) +int ipf_hook4_loop_in(hook_event_token_t token, hook_data_t info, void *arg) { return ipf_hook(info, 0, FI_NOCKSUM, arg); } diff --git a/usr/src/uts/common/inet/ipf/ip_state.c b/usr/src/uts/common/inet/ipf/ip_state.c index fc22fc1c73..8ef8db6dcb 100644 --- a/usr/src/uts/common/inet/ipf/ip_state.c +++ b/usr/src/uts/common/inet/ipf/ip_state.c @@ -862,12 +862,12 @@ ipstate_t *is2; if (is1->is_saddr == is2->is_saddr && is1->is_daddr == is2->is_daddr) rv = 2; - else if (is1->is_saddr == is2->is_daddr && + else if (is1->is_saddr == is2->is_daddr && is1->is_daddr == is2->is_saddr) rv = 1; else rv = 0; - + return (rv); } @@ -885,8 +885,8 @@ ipstate_t *is2; { int rv; - if (IP6_EQ(&is1->is_src, &is2->is_src) && - IP6_EQ(&is1->is_dst, &is2->is_dst)) + if (IP6_EQ(&is1->is_src, &is2->is_src) && + IP6_EQ(&is1->is_dst, &is2->is_dst)) rv = 2; else if (IP6_EQ(&is1->is_src, &is2->is_dst) && IP6_EQ(&is1->is_dst, &is2->is_src)) { 
@@ -900,7 +900,7 @@ ipstate_t *is2; /* ------------------------------------------------------------------------ */ /* Function: fr_match_addresses */ /* Returns: int - 2 strong match (same addresses, same direction) */ -/* 1 weak match (same address, opposite directions) */ +/* 1 weak match (same address, opposite directions) */ /* 0 no match */ /* Parameters: is1, is2 pointers to states we are checking */ /* */ @@ -915,11 +915,10 @@ ipstate_t *is2; if (is1->is_v == 4) { rv = fr_match_ipv4addrs(is1, is2); - } - else { + } else { rv = fr_match_ipv6addrs(is1, is2); } - + return (rv); } @@ -939,10 +938,10 @@ port_pair_t *ppairs2; { int rv; - if (ppairs1->pp_sport == ppairs2->pp_sport && + if (ppairs1->pp_sport == ppairs2->pp_sport && ppairs1->pp_dport == ppairs2->pp_dport) rv = 2; - else if (ppairs1->pp_sport == ppairs2->pp_dport && + else if (ppairs1->pp_sport == ppairs2->pp_dport && ppairs1->pp_dport == ppairs2->pp_sport) rv = 1; else @@ -953,7 +952,7 @@ port_pair_t *ppairs2; /* ------------------------------------------------------------------------ */ /* Function: fr_match_l4_hdr */ -/* Returns: int - 0 no match, */ +/* Returns: int - 0 no match, */ /* 1 weak match (same ports, different directions) */ /* 2 strong match (same ports, same direction) */ /* Parameters is1, is2 - states we want to match */ @@ -997,7 +996,7 @@ ipstate_t *is2; break; case IPPROTO_ICMP: case IPPROTO_ICMPV6: - if (bcmp(&is1->is_ps, &is2->is_ps, sizeof(icmpinfo_t))) + if (bcmp(&is1->is_ps, &is2->is_ps, sizeof (icmpinfo_t))) rv = 1; else rv = 0; 
@@ -1015,14 +1014,14 @@ ipstate_t *is2; /* Parameters is1, is2 - states we want to match */ /* */ /* The state entries are equal (identical match) if they belong to the same */ -/* session. Any time new state entry is being added the fr_addstate() */ +/* session. Any time new state entry is being added the fr_addstate() */ /* function creates temporal state entry from the data it gets from IP and */ /* L4 header. The fr_matchstats() must be also aware of packet direction, */ /* which is also stored within the state entry. We should keep in mind the */ /* information about packet direction is spread accross L3 (addresses) and */ /* L4 (ports). There are three possible relationships betwee is1, is2: */ /* - no match (match(is1, is2) == 0)) */ -/* - weak match same addresses (ports), but different */ +/* - weak match same addresses (ports), but different */ /* directions (1) (fr_match_xxxx(is1, is2) == 1) */ /* - strong match same addresses (ports) and same directions */ /* (2) (fr_match_xxxx(is1, is2) == 2) */ @@ -1036,7 +1035,7 @@ ipstate_t *is2; /* suppose there are two connections between hosts A, B. Connection 1: */ /* a.a.a.a:12345 <=> b.b.b.b:54321 */ /* Connection 2: */ -/* a.a.a.a:54321 <=> b.b.b.b:12345 */ +/* a.a.a.a:54321 <=> b.b.b.b:12345 */ /* since we've introduced match levels into our fr_matchstates(), we are */ /* able to identify, which packets belong to connection A and which belong */ /* to connection B. Assume there are two entries is1, is2. is1 has been */ @@ -1051,7 +1050,7 @@ ipstate_t *is2; /* result. */ /* ------------------------------------------------------------------------ */ static int fr_matchstates(is1, is2) -ipstate_t *is1; +ipstate_t *is1; ipstate_t *is2; { int rv; 
@@ -1059,12 +1058,12 @@ ipstate_t *is2; int pmatch; if (bcmp(&is1->is_pass, &is2->is_pass, - offsetof(struct ipstate, is_ps) - - offsetof(struct ipstate, is_pass)) == 0) { - + offsetof(struct ipstate, is_ps) - + offsetof(struct ipstate, is_pass)) == 0) { + pmatch = fr_match_l4_hdr(is1, is2); amatch = fr_match_addresses(is1, is2); - /* + /* * If addresses match (amatch != 0), then 'match levels' * must be same for matching entries. If amatch and pmatch * have different values (different match levels), then @@ -1147,8 +1146,7 @@ u_int flags; if (fr == NULL) { pass = ifs->ifs_fr_flags; is->is_tag = FR_NOLOGTAG; - } - else { + } else { pass = fr->fr_flags; } @@ -1315,7 +1313,7 @@ u_int flags; TH_SYN && (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) { if (fr_tcpoptions(fin, tcp, - &is->is_tcp.ts_data[0]) == -1) { + &is->is_tcp.ts_data[0]) == -1) { fin->fin_flx |= FI_BAD; } } @@ -1372,7 +1370,7 @@ u_int flags; if (fr_matchstates(&ips, is) == 1) break; } - + /* * we've found a matching state -> state already exists, * we are not going to add a duplicate record. @@ -1567,8 +1565,8 @@ tcpdata_t *td; else if (i < 0) i = 0; td->td_winscale = i; - td->td_winflags |= TCP_WSCALE_SEEN| - TCP_WSCALE_FIRST; + td->td_winflags |= TCP_WSCALE_SEEN | + TCP_WSCALE_FIRST; } else retval = -1; break; @@ -1690,7 +1688,7 @@ ipstate_t *is; if (flags == (TH_SYN|TH_ACK)) { is->is_s0[source] = ntohl(tcp->th_ack); is->is_s0[!source] = ntohl(tcp->th_seq) + 1; - if (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)) { + if (TCP_OFF(tcp) > (sizeof (tcphdr_t) >> 2)) { (void) fr_tcpoptions(fin, tcp, fdata); } if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN)) @@ -1782,7 +1780,7 @@ int flags; win = ntohs(tcp->th_win); else win = ntohs(tcp->th_win) << fdata->td_winscale; - + /* * win 0 means the receiving endpoint has closed the window, because it * has not enough memory to receive data from sender. In such case we 
@@ -1795,7 +1793,7 @@ int flags; win = 1; dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) + - ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0); + ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0); /* * if window scaling is present, the scaling is only allowed @@ -1841,6 +1839,7 @@ int flags; */ if ((flags & IS_STRICT) != 0) { if (seq != fdata->td_end) { + DTRACE_PROBE(strict_check); return 0; } } @@ -1848,9 +1847,24 @@ int flags; #define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) #define SEQ_GT(a,b) ((int)((a) - (b)) > 0) inseq = 0; + DTRACE_PROBE4( + dyn_params, + int, dsize, + int, ackskew, + int, maxwin, + int, win + ); if ( #if defined(_KERNEL) + /* + * end <-> s + n + * maxend <-> ack + win + * this is upperbound check + */ (SEQ_GE(fdata->td_maxend, end)) && + /* + * this is lowerbound check + */ (SEQ_GE(seq, fdata->td_end - maxwin)) && #endif /* XXX what about big packets */ @@ -1872,7 +1886,7 @@ int flags; * listeing to on a port, where the SYN packet has came to. */ } else if ((seq == 0) && (tcpflags == (TH_RST|TH_ACK)) && - (ackskew >= -1) && (ackskew <= 1)) { + (ackskew >= -1) && (ackskew <= 1)) { inseq = 1; } else if (!(flags & IS_TCPFSM)) { 
@@ -1904,19 +1918,48 @@ int flags; * Thus, when ackskew is negative but still seems to belong * to this session, we bump up the destinations end value. */ - if (ackskew < 0) + if (ackskew < 0) { + DTRACE_PROBE2(end_update_td, + int, tdata->td_end, + int, ack + ); tdata->td_end = ack; + } /* update max window seen */ - if (fdata->td_maxwin < win) + if (fdata->td_maxwin < win) { + DTRACE_PROBE2(win_update_fd, + int, fdata->td_maxwin, + int, win + ); fdata->td_maxwin = win; - if (SEQ_GT(end, fdata->td_end)) + } + + if (SEQ_GT(end, fdata->td_end)) { + DTRACE_PROBE2(end_update_fd, + int, fdata->td_end, + int, end + ); fdata->td_end = end; - if (SEQ_GE(ack + win, tdata->td_maxend)) + } + + if (SEQ_GE(ack + win, tdata->td_maxend)) { + DTRACE_PROBE2(max_end_update_td, + int, tdata->td_maxend, + int, ack + win + ); tdata->td_maxend = ack + win; + } + return 1; } fin->fin_flx |= FI_OOW; + +#if defined(_KERNEL) + if (!(SEQ_GE(seq, fdata->td_end - maxwin))) + fin->fin_flx |= FI_NEG_OOW; +#endif + return 0; } diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_compat.h b/usr/src/uts/common/inet/ipf/netinet/ip_compat.h index fe255eb134..957d297172 100644 --- a/usr/src/uts/common/inet/ipf/netinet/ip_compat.h +++ b/usr/src/uts/common/inet/ipf/netinet/ip_compat.h @@ -233,6 +233,9 @@ typedef unsigned int u_32_t; # ifdef _KERNEL # define KRWLOCK_T krwlock_t # define KMUTEX_T kmutex_t +# if SOLARIS2 >= 10 +# include <sys/sdt.h> +# endif /* SOLARIS2 >= 10 */ # if SOLARIS2 >= 6 # if SOLARIS2 == 6 # define ATOMIC_INCL(x) atomic_add_long((uint32_t*)&(x), 1) @@ -2455,4 +2458,12 @@ typedef struct tcpiphdr tcpiphdr_t; # undef IPFILTER_BPF #endif +#ifndef DTRACE_PROBE +# define DTRACE_PROBE(_x_) +# define DTRACE_PROBE1(_x_, _t1_, _a1_) +# define DTRACE_PROBE2(_x_, _t1_, _a1_, _t2_, _a2_) +# define DTRACE_PROBE3(_x_, _t1_, _a1_, _t2_, _a2_, _t3_, _a3_) +# define DTRACE_PROBE4(_x_, _t1_, _a1_, _t2_, _a2_, _t3_, _a3_, _t4_, _a4_) +#endif + #endif /* __IP_COMPAT_H__ */ 
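Review bot: The added `if (!(SEQ_GE(seq, fdata->td_end - maxwin)))` at the end of the @@ -1904 hunk repeats the lower-bound expression that the in-window test in the @@ -1848 hunk already evaluates. If one copy is edited later, FI_NEG_OOW would label packets inconsistently with the check that rejected them, and ipmon's NEG_OOW output would mislead whoever is reading the log. Evaluating the bound once before the in-window test, e.g. `int below = !SEQ_GE(seq, fdata->td_end - maxwin);`, and using `below` in both places keeps the two tied together. The function starts outside the hunk.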
diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
index 57f6ab4c25..498e2da258 100644
--- a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
@@ -279,6 +279,7 @@ typedef struct fr_ip {
 #define FI_COALESCE 0x20000
 #define FI_ICMPQUERY 0x40000
 #define FI_NEWNAT 0x80000
+#define FI_NEG_OOW 0x10000000 /* packet underflows TCP window */
 #define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
 #define FI_DONTCACHE 0x40000000 /* don't cache the result */
 #define FI_IGNORE 0x80000000
diff --git a/usr/src/uts/common/inet/ipf/solaris.c b/usr/src/uts/common/inet/ipf/solaris.c
index 965814812b..5d837bbf36 100644
--- a/usr/src/uts/common/inet/ipf/solaris.c
+++ b/usr/src/uts/common/inet/ipf/solaris.c
@@ -710,61 +710,39 @@ dev_info_t *dip; ipf_stack_t *ifs; { ipftuneable_t *ipft; - int64_t *i64p; char *name; uint_t one; int *i32p; - int err; + int err, rv = 0; - for (ipft = ifs->ifs_ipf_tuneables; (name = ipft->ipft_name) != NULL; - ipft++) { + for (ipft = ifs->ifs_ipf_tuneables; + (name = ipft->ipft_name) != NULL; ipft++) { one = 1; - switch (ipft->ipft_sz) - { - case 4 : - i32p = NULL; - err = ddi_prop_lookup_int_array(DDI_DEV_T_ANY, dip, - 0, name, &i32p, &one); - if (err == DDI_PROP_NOT_FOUND) - continue; + i32p = NULL; + err = ddi_prop_lookup_int_array(DDI_DEV_T_ANY, dip, + 0, name, &i32p, &one); + if (err == DDI_PROP_NOT_FOUND) + continue; #ifdef IPFDEBUG - cmn_err(CE_CONT, "IP Filter: lookup_int(%s) = %d\n", - name, err); + cmn_err(CE_CONT, "IP Filter: lookup_int(%s) = %d\n", + name, err); #endif - if (err != DDI_PROP_SUCCESS) - return (err); - if (*i32p >= ipft->ipft_min && *i32p <= ipft->ipft_max) - *ipft->ipft_pint = *i32p; - else - err = DDI_PROP_CANNOT_DECODE; - ddi_prop_free(i32p); - break; + if (err != DDI_PROP_SUCCESS) { + rv = err; + continue; + } -#if SOLARIS2 > 8 - case 8 : - i64p = NULL; - err = ddi_prop_lookup_int64_array(DDI_DEV_T_ANY, dip, - 0, name, &i64p, &one); - if (err == DDI_PROP_NOT_FOUND) - continue; -#ifdef IPFDEBUG - cmn_err(CE_CONT, "IP Filter: lookup_int64(%s) = %d\n", - name, err); -#endif - if (err != DDI_PROP_SUCCESS) - return (err); - if (*i64p >= ipft->ipft_min && *i64p <= ipft->ipft_max) - *ipft->ipft_pint = *i64p; - else - err = DDI_PROP_CANNOT_DECODE; - ddi_prop_free(i64p); - break; -#endif - default : - break; + if (*i32p >= ipft->ipft_min && + *i32p <= ipft->ipft_max) { + if (ipft->ipft_sz == sizeof (uint32_t)) { + *ipft->ipft_pint = *i32p; + } else if (ipft->ipft_sz == sizeof (uint64_t)) { + *ipft->ipft_plong = *i32p; + } } - if (err != DDI_SUCCESS) - break; + + ddi_prop_free(i32p); } - return (err); + + return (rv); } |
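Review bot: A tuneable whose value falls outside `ipft_min`..`ipft_max` is now skipped with no effect on `rv`, whereas the removed code set `err = DDI_PROP_CANNOT_DECODE` in that case so the caller could see the rejection. For a packet filter this means a mistyped limit leaves the default in force with nothing to tell the administrator. Adding `} else { rv = DDI_PROP_CANNOT_DECODE; }` to the range test restores that signal while keeping the new continue-past-errors behaviour. An `ipft_sz` that is neither 4 nor 8 is also skipped silently and could take the same branch. The function's signature is above the hunk.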
