static void
nat64lsn_apply_mask(int af, void *prefix, uint16_t plen)
{
struct in6_addr mask6, *p6;
struct in_addr mask4, *p4;
if (af == AF_INET) {
p4 = (struct in_addr *)prefix;
mask4.s_addr = htonl(~((1 << (32 - plen)) - 1));
p4->s_addr &= mask4.s_addr;
} else if (af == AF_INET6) {
p6 = (struct in6_addr *)prefix;
n2mask(&mask6, plen);
APPLY_MASK(p6, &mask6);
}
}
/*
* fill the addr and mask fields in the instruction as appropriate from av.
* Update length as appropriate.
* The following formats are allowed:
* any matches any IP6. Actually returns an empty instruction.
* me returns O_IP6_*_ME
*
* 03f1::234:123:0342 single IP6 address
* 03f1::234:123:0342/24 address/masklen
* 03f1::234:123:0342/ffff::ffff:ffff address/mask
* 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
*
* Set of address (as in ipv6) not supported because ipv6 address
* are typically random past the initial prefix.
* Return 1 on success, 0 on failure.
*/
static int
fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
{
int len = 0;
struct in6_addr *d = &(cmd->addr6);
/*
* Needed for multiple address.
* Note d[1] points to struct in6_add r mask6 of cmd
*/
cmd->o.len &= ~F_LEN_MASK; /* zero len */
if (strcmp(av, "any") == 0)
return (1);
if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/
cmd->o.len |= F_INSN_SIZE(ipfw_insn);
return (1);
}
if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/
cmd->o.len |= F_INSN_SIZE(ipfw_insn);
return (1);
}
if (strncmp(av, "table(", 6) == 0) {
fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
return (1);
}
av = strdup(av);
while (av) {
/*
* After the address we can have '/' indicating a mask,
* or ',' indicating another address follows.
*/
char *p, *q;
int masklen;
char md = '\0';
CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr));
if ((q = strchr(av, ',')) ) {
*q = '\0';
q++;
}
if ((p = strchr(av, '/')) ) {
md = *p; /* save the separator */
*p = '\0'; /* terminate address string */
p++; /* and skip past it */
}
/* now p points to NULL, mask or next entry */
/* lookup stores address in *d as a side effect */
if (lookup_host6(av, d) != 0) {
/* XXX: failed. Free memory and go */
errx(EX_DATAERR, "bad address \"%s\"", av);
}
/* next, look at the mask, if any */
if (md == '/' && strchr(p, ':')) {
if (!inet_pton(AF_INET6, p, &d[1]))
errx(EX_DATAERR, "bad mask \"%s\"", p);
masklen = contigmask((uint8_t *)&(d[1]), 128);
} else {
masklen = (md == '/') ? atoi(p) : 128;
if (masklen > 128 || masklen < 0)
errx(EX_DATAERR, "bad width \"%s\''", p);
else
n2mask(&d[1], masklen);
}
APPLY_MASK(d, &d[1]) /* mask base address with mask */
av = q;
/* Check this entry */
if (masklen == 0) {
/*
* 'any' turns the entire list into a NOP.
* 'not any' never matches, so it is removed from the
* list unless it is the only item, in which case we
* report an error.
*/
if (cmd->o.len & F_NOT && av == NULL && len == 0)
errx(EX_DATAERR, "not any never matches");
continue;
}
/*
* A single IP can be stored alone
*/
if (masklen == 128 && av == NULL && len == 0) {
len = F_INSN_SIZE(struct in6_addr);
break;
}
/* Update length and pointer to arguments */
len += F_INSN_SIZE(struct in6_addr)*2;
d += 2;
} /* end while */
/*
* configuration of pipes, schedulers, flowsets.
* When we configure a new scheduler, an empty pipe is created, so:
*
* do_pipe = 1 -> "pipe N config ..." only for backward compatibility
* sched N+Delta type fifo sched_mask ...
* pipe N+Delta <parameters>
* flowset N+Delta pipe N+Delta (no parameters)
* sched N type wf2q+ sched_mask ...
* pipe N <parameters>
*
* do_pipe = 2 -> flowset N config
* flowset N parameters
*
* do_pipe = 3 -> sched N config
* sched N parameters (default no pipe)
* optional Pipe N config ...
* pipe ==>
*/
int
ipfw_config_pipe(int ac, char **av, int do_pipe)
{
int i, j;
char *end;
void *par = NULL;
struct dn_id *buf, *base;
struct dn_sch *sch = NULL;
struct dn_link *p = NULL;
struct dn_fs *fs = NULL;
struct ipfw_flow_id *mask = NULL;
int lmax;
uint32_t _foo = 0, *flags = &_foo , *buckets = &_foo;
/*
* allocate space for 1 header,
* 1 scheduler, 1 link, 1 flowset, 1 profile
*/
lmax = sizeof(struct dn_id); /* command header */
lmax += sizeof(struct dn_sch) + sizeof(struct dn_link) +
sizeof(struct dn_fs) + sizeof(struct dn_profile);
av++; ac--;
/* Pipe number */
if (ac && isdigit(**av)) {
i = atoi(*av); av++; ac--;
} else
i = -1;
if (i <= 0) {
php_printf("need a pipe/flowset/sched number");
return (-1);
}
base = buf = calloc(1, lmax);
if (base == NULL)
return (-1);
/* all commands start with a 'CONFIGURE' and a version */
o_next(&buf, sizeof(struct dn_id), DN_CMD_CONFIG);
base->id = DN_API_VERSION;
switch (do_pipe) {
case 1: /* "pipe N config ..." */
/* Allocate space for the WF2Q+ scheduler, its link
* and the FIFO flowset. Set the number, but leave
* the scheduler subtype and other parameters to 0
* so the kernel will use appropriate defaults.
* XXX todo: add a flag to record if a parameter
* is actually configured.
* If we do a 'pipe config' mask -> sched_mask.
* The FIFO scheduler and link are derived from the
* WF2Q+ one in the kernel.
*/
sch = o_next(&buf, sizeof(*sch), DN_SCH);
p = o_next(&buf, sizeof(*p), DN_LINK);
fs = o_next(&buf, sizeof(*fs), DN_FS);
sch->sched_nr = i;
sch->oid.subtype = 0; /* defaults to WF2Q+ */
mask = &sch->sched_mask;
flags = &sch->flags;
buckets = &sch->buckets;
*flags |= DN_PIPE_CMD;
p->link_nr = i;
/* This flowset is only for the FIFO scheduler */
fs->fs_nr = i + 2*DN_MAX_ID;
fs->sched_nr = i + DN_MAX_ID;
break;
case 2: /* "queue N config ... " */
fs = o_next(&buf, sizeof(*fs), DN_FS);
fs->fs_nr = i;
mask = &fs->flow_mask;
flags = &fs->flags;
buckets = &fs->buckets;
break;
case 3: /* "sched N config ..." */
sch = o_next(&buf, sizeof(*sch), DN_SCH);
fs = o_next(&buf, sizeof(*fs), DN_FS);
sch->sched_nr = i;
mask = &sch->sched_mask;
flags = &sch->flags;
buckets = &sch->buckets;
/* fs is used only with !MULTIQUEUE schedulers */
fs->fs_nr = i + DN_MAX_ID;
fs->sched_nr = i;
break;
}
/* set to -1 those fields for which we want to reuse existing
* values from the kernel.
* Also, *_nr and subtype = 0 mean reuse the value from the kernel.
* XXX todo: support reuse of the mask.
*/
if (p)
p->bandwidth = -1;
for (j = 0; j < sizeof(fs->par)/sizeof(fs->par[0]); j++)
fs->par[j] = -1;
while (ac > 0) {
double d;
int tok = match_token(dummynet_params, *av);
ac--; av++;
switch(tok) {
case TOK_NOERROR:
NEED(fs, "noerror is only for pipes");
fs->flags |= DN_NOERROR;
break;
case TOK_PLR:
NEED(fs, "plr is only for pipes");
NEED1("plr needs argument 0..1\n");
d = strtod(av[0], NULL);
if (d > 1)
d = 1;
else if (d < 0)
d = 0;
fs->plr = (int)(d*0x7fffffff);
ac--; av++;
break;
case TOK_QUEUE:
NEED(fs, "queue is only for pipes or flowsets");
NEED1("queue needs queue size\n");
end = NULL;
fs->qsize = strtoul(av[0], &end, 0);
if (*end == 'K' || *end == 'k') {
fs->flags |= DN_QSIZE_BYTES;
fs->qsize *= 1024;
} else if (*end == 'B' ||
_substrcmp2(end, "by", "bytes") == 0) {
fs->flags |= DN_QSIZE_BYTES;
}
ac--; av++;
break;
case TOK_BUCKETS:
NEED(fs, "buckets is only for pipes or flowsets");
NEED1("buckets needs argument\n");
*buckets = strtoul(av[0], NULL, 0);
ac--; av++;
break;
case TOK_FLOW_MASK:
case TOK_SCHED_MASK:
case TOK_MASK:
NEED(mask, "tok_mask");
NEED1("mask needs mask specifier\n");
/*
* per-flow queue, mask is dst_ip, dst_port,
* src_ip, src_port, proto measured in bits
*/
par = NULL;
bzero(mask, sizeof(*mask));
end = NULL;
while (ac >= 1) {
uint32_t *p32 = NULL;
uint16_t *p16 = NULL;
uint32_t *p20 = NULL;
struct in6_addr *pa6 = NULL;
uint32_t a;
tok = match_token(dummynet_params, *av);
ac--; av++;
switch(tok) {
case TOK_ALL:
/*
* special case, all bits significant
* except 'extra' (the queue number)
*/
mask->dst_ip = ~0;
mask->src_ip = ~0;
mask->dst_port = ~0;
mask->src_port = ~0;
mask->proto = ~0;
n2mask(&mask->dst_ip6, 128);
n2mask(&mask->src_ip6, 128);
mask->flow_id6 = ~0;
*flags |= DN_HAVE_MASK;
goto end_mask;
case TOK_QUEUE:
mask->extra = ~0;
*flags |= DN_HAVE_MASK;
goto end_mask;
case TOK_DSTIP:
mask->addr_type = 4;
p32 = &mask->dst_ip;
break;
case TOK_SRCIP:
mask->addr_type = 4;
p32 = &mask->src_ip;
break;
case TOK_DSTIP6:
mask->addr_type = 6;
pa6 = &mask->dst_ip6;
break;
case TOK_SRCIP6:
mask->addr_type = 6;
pa6 = &mask->src_ip6;
break;
case TOK_FLOWID:
mask->addr_type = 6;
p20 = &mask->flow_id6;
break;
case TOK_DSTPORT:
p16 = &mask->dst_port;
break;
case TOK_SRCPORT:
p16 = &mask->src_port;
break;
case TOK_PROTO:
break;
default:
ac++; av--; /* backtrack */
goto end_mask;
}
if (ac < 1) {
php_printf("mask: value missing");
goto end;
}
if (*av[0] == '/') {
a = strtoul(av[0]+1, &end, 0);
if (pa6 == NULL)
a = (a == 32) ? ~0 : (1 << a) - 1;
} else
a = strtoul(av[0], &end, 0);
if (p32 != NULL)
*p32 = a;
else if (p16 != NULL) {
if (a > 0xFFFF) {
php_printf("port mask must be 16 bit");
goto end;
}
*p16 = (uint16_t)a;
} else if (p20 != NULL) {
if (a > 0xfffff) {
php_printf("flow_id mask must be 20 bit");
goto end;
}
*p20 = (uint32_t)a;
} else if (pa6 != NULL) {
if (a > 128) {
php_printf("in6addr invalid mask len");
goto end;
}
else
n2mask(pa6, a);
} else {
if (a > 0xFF) {
php_printf("proto mask must be 8 bit");
goto end;
}
mask->proto = (uint8_t)a;
}
if (a != 0)
*flags |= DN_HAVE_MASK;
ac--; av++;
} /* end while, config masks */
end_mask:
break;
case TOK_DROPTAIL:
NEED(fs, "droptail is only for flowsets");
fs->flags &= ~(DN_IS_RED|DN_IS_GENTLE_RED);
break;
case TOK_BW:
NEED(p, "bw is only for links");
NEED1("bw needs bandwidth or interface\n");
if (read_bandwidth(av[0], &p->bandwidth, NULL, 0) < 0)
goto end;
ac--; av++;
break;
case TOK_DELAY:
NEED(p, "delay is only for links");
NEED1("delay needs argument 0..10000ms\n");
p->delay = strtoul(av[0], NULL, 0);
ac--; av++;
break;
case TOK_TYPE: {
int l;
NEED(sch, "type is only for schedulers");
NEED1("type needs a string");
l = strlen(av[0]);
if (l == 0 || l > 15) {
php_printf("type %s too long\n", av[0]);
goto end;
}
strcpy(sch->name, av[0]);
sch->oid.subtype = 0; /* use string */
ac--; av++;
break;
}
case TOK_WEIGHT:
NEED(fs, "weight is only for flowsets");
NEED1("weight needs argument\n");
fs->par[0] = strtol(av[0], &end, 0);
ac--; av++;
break;
case TOK_LMAX:
NEED(fs, "lmax is only for flowsets");
NEED1("lmax needs argument\n");
fs->par[1] = strtol(av[0], &end, 0);
ac--; av++;
break;
case TOK_PRI:
NEED(fs, "priority is only for flowsets");
NEED1("priority needs argument\n");
fs->par[2] = strtol(av[0], &end, 0);
ac--; av++;
break;
case TOK_SCHED:
case TOK_PIPE:
NEED(fs, "pipe/sched");
NEED1("pipe/link/sched needs number\n");
fs->sched_nr = strtoul(av[0], &end, 0);
ac--; av++;
break;
default:
php_printf("unrecognised option ``%s''", av[-1]);
goto end;
}
}
/* check validity of parameters */
if (p) {
if (p->delay > 10000) {
php_printf("delay must be < 10000");
goto end;
}
if (p->bandwidth == -1)
p->bandwidth = 0;
}
if (fs) {
/* XXX accept a 0 scheduler to keep the default */
if (fs->flags & DN_QSIZE_BYTES) {
size_t len;
long limit;
len = sizeof(limit);
if (sysctlbyname("net.inet.ip.dummynet.pipe_byte_limit",
&limit, &len, NULL, 0) == -1)
limit = 1024*1024;
if (fs->qsize > limit) {
php_printf("queue size must be < %ldB", limit);
goto end;
}
} else {
size_t len;
long limit;
len = sizeof(limit);
if (sysctlbyname("net.inet.ip.dummynet.pipe_slot_limit",
&limit, &len, NULL, 0) == -1)
limit = 100;
if (fs->qsize > limit) {
php_printf("2 <= queue size <= %ld", limit);
goto end;
}
}
if (fs->flags & DN_IS_RED) {
size_t len;
int lookup_depth, avg_pkt_size;
double w_q;
if (fs->min_th >= fs->max_th) {
php_printf("min_th %d must be < than max_th %d",
fs->min_th, fs->max_th);
goto end;
}
if (fs->max_th == 0) {
php_printf("max_th must be > 0");
goto end;
}
len = sizeof(int);
if (sysctlbyname("net.inet.ip.dummynet.red_lookup_depth",
&lookup_depth, &len, NULL, 0) == -1)
lookup_depth = 256;
if (lookup_depth == 0) {
php_printf("net.inet.ip.dummynet.red_lookup_depth"
" must be greater than zero");
goto end;
}
len = sizeof(int);
if (sysctlbyname("net.inet.ip.dummynet.red_avg_pkt_size",
&avg_pkt_size, &len, NULL, 0) == -1)
avg_pkt_size = 512;
if (avg_pkt_size == 0) {
php_printf("net.inet.ip.dummynet.red_avg_pkt_size must"
" be greater than zero");
goto end;
}
/*
* Ticks needed for sending a medium-sized packet.
* Unfortunately, when we are configuring a WF2Q+ queue, we
* do not have bandwidth information, because that is stored
* in the parent pipe, and also we have multiple queues
* competing for it. So we set s=0, which is not very
* correct. But on the other hand, why do we want RED with
* WF2Q+ ?
*/
#if 0
if (p.bandwidth==0) /* this is a WF2Q+ queue */
s = 0;
else
s = (double)ck.hz * avg_pkt_size * 8 / p.bandwidth;
#endif
/*
* max idle time (in ticks) before avg queue size becomes 0.
* NOTA: (3/w_q) is approx the value x so that
* (1-w_q)^x < 10^-3.
*/
w_q = ((double)fs->w_q) / (1 << SCALE_RED);
#if 0 // go in kernel
idle = s * 3. / w_q;
fs->lookup_step = (int)idle / lookup_depth;
if (!fs->lookup_step)
fs->lookup_step = 1;
weight = 1 - w_q;
for (t = fs->lookup_step; t > 1; --t)
weight *= 1 - w_q;
fs->lookup_weight = (int)(weight * (1 << SCALE_RED));
#endif
}
}
i = do_cmd(IP_DUMMYNET3, base, (char *)buf - (char *)base);
if (i)
php_printf("setsockopt(%s)", "IP_DUMMYNET_CONFIGURE");
free(base);
return (0); /* XXX: i? */
end:
if (base != NULL)
free(base);
return (-1);
}
/*
* fill the addr and mask fields in the instruction as appropriate from av.
* Update length as appropriate.
* The following formats are allowed:
* any matches any IP6. Actually returns an empty instruction.
* me returns O_IP6_*_ME
*
* 03f1::234:123:0342 single IP6 addres
* 03f1::234:123:0342/24 address/mask
* 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
*
* Set of address (as in ipv6) not supported because ipv6 address
* are typically random past the initial prefix.
* Return 1 on success, 0 on failure.
*/
static int
fill_ip6(ipfw_insn_ip6 *cmd, char *av)
{
int len = 0;
struct in6_addr *d = &(cmd->addr6);
/*
* Needed for multiple address.
* Note d[1] points to struct in6_add r mask6 of cmd
*/
cmd->o.len &= ~F_LEN_MASK; /* zero len */
if (strcmp(av, "any") == 0)
return (1);
if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/
cmd->o.len |= F_INSN_SIZE(ipfw_insn);
return (1);
}
if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/
cmd->o.len |= F_INSN_SIZE(ipfw_insn);
return (1);
}
if (strncmp(av, "table(", 6) == 0) {
char *p = strchr(av + 6, ',');
uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d;
if (p)
*p++ = '\0';
cmd->o.opcode = O_IP_DST_LOOKUP;
cmd->o.arg1 = strtoul(av + 6, NULL, 0);
if (p) {
cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
dm[0] = strtoul(p, NULL, 0);
} else
cmd->o.len |= F_INSN_SIZE(ipfw_insn);
return (1);
}
av = strdup(av);
while (av) {
/*
* After the address we can have '/' indicating a mask,
* or ',' indicating another address follows.
*/
char *p;
int masklen;
char md = '\0';
if ((p = strpbrk(av, "/,")) ) {
md = *p; /* save the separator */
*p = '\0'; /* terminate address string */
p++; /* and skip past it */
}
/* now p points to NULL, mask or next entry */
/* lookup stores address in *d as a side effect */
if (lookup_host6(av, d) != 0) {
/* XXX: failed. Free memory and go */
errx(EX_DATAERR, "bad address \"%s\"", av);
}
/* next, look at the mask, if any */
masklen = (md == '/') ? atoi(p) : 128;
if (masklen > 128 || masklen < 0)
errx(EX_DATAERR, "bad width \"%s\''", p);
else
n2mask(&d[1], masklen);
APPLY_MASK(d, &d[1]) /* mask base address with mask */
/* find next separator */
if (md == '/') { /* find separator past the mask */
p = strpbrk(p, ",");
if (p != NULL)
p++;
}
av = p;
/* Check this entry */
if (masklen == 0) {
/*
* 'any' turns the entire list into a NOP.
* 'not any' never matches, so it is removed from the
* list unless it is the only item, in which case we
* report an error.
*/
if (cmd->o.len & F_NOT && av == NULL && len == 0)
errx(EX_DATAERR, "not any never matches");
continue;
}
/*
* A single IP can be stored alone
*/
if (masklen == 128 && av == NULL && len == 0) {
len = F_INSN_SIZE(struct in6_addr);
break;
}
/* Update length and pointer to arguments */
len += F_INSN_SIZE(struct in6_addr)*2;
d += 2;
} /* end while */
static void
nptv6_create(const char *name, uint8_t set, int ac, char *av[])
{
char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nptv6_cfg)];
struct in6_addr mask;
ipfw_nptv6_cfg *cfg;
ipfw_obj_lheader *olh;
int tcmd, flags, plen;
char *p = "\0";
plen = 0;
memset(buf, 0, sizeof(buf));
olh = (ipfw_obj_lheader *)buf;
cfg = (ipfw_nptv6_cfg *)(olh + 1);
cfg->set = set;
flags = 0;
while (ac > 0) {
tcmd = get_token(nptv6newcmds, *av, "option");
ac--; av++;
switch (tcmd) {
case TOK_INTPREFIX:
NEED1("IPv6 prefix required");
nptv6_parse_prefix(*av, &cfg->internal, &plen);
flags |= NPTV6_HAS_INTPREFIX;
if (plen > 0)
goto check_prefix;
ac--; av++;
break;
case TOK_EXTPREFIX:
if (flags & NPTV6_HAS_EXTPREFIX)
errx(EX_USAGE,
"Only one ext_prefix or ext_if allowed");
NEED1("IPv6 prefix required");
nptv6_parse_prefix(*av, &cfg->external, &plen);
flags |= NPTV6_HAS_EXTPREFIX;
if (plen > 0)
goto check_prefix;
ac--; av++;
break;
case TOK_EXTIF:
if (flags & NPTV6_HAS_EXTPREFIX)
errx(EX_USAGE,
"Only one ext_prefix or ext_if allowed");
NEED1("Interface name required");
if (strlen(*av) >= sizeof(cfg->if_name))
errx(EX_USAGE, "Invalid interface name");
flags |= NPTV6_HAS_EXTPREFIX;
cfg->flags |= NPTV6_DYNAMIC_PREFIX;
strncpy(cfg->if_name, *av, sizeof(cfg->if_name));
ac--; av++;
break;
case TOK_PREFIXLEN:
NEED1("IPv6 prefix length required");
plen = strtol(*av, &p, 10);
check_prefix:
if (*p != '\0' || plen < 8 || plen > 64)
errx(EX_USAGE, "wrong prefix length: %s", *av);
/* RFC 6296 Sec. 3.1 */
if (cfg->plen > 0 && cfg->plen != plen) {
warnx("Prefix length mismatch (%d vs %d). "
"It was extended up to %d",
cfg->plen, plen, MAX(plen, cfg->plen));
plen = MAX(plen, cfg->plen);
}
cfg->plen = plen;
flags |= NPTV6_HAS_PREFIXLEN;
ac--; av++;
break;
}
}
/* Check validness */
if ((flags & NPTV6_HAS_INTPREFIX) != NPTV6_HAS_INTPREFIX)
errx(EX_USAGE, "int_prefix required");
if ((flags & NPTV6_HAS_EXTPREFIX) != NPTV6_HAS_EXTPREFIX)
errx(EX_USAGE, "ext_prefix or ext_if required");
if ((flags & NPTV6_HAS_PREFIXLEN) != NPTV6_HAS_PREFIXLEN)
errx(EX_USAGE, "prefixlen required");
n2mask(&mask, cfg->plen);
APPLY_MASK(&cfg->internal, &mask);
if ((cfg->flags & NPTV6_DYNAMIC_PREFIX) == 0)
APPLY_MASK(&cfg->external, &mask);
olh->count = 1;
olh->objsize = sizeof(*cfg);
olh->size = sizeof(buf);
strlcpy(cfg->name, name, sizeof(cfg->name));
if (do_set3(IP_FW_NPTV6_CREATE, &olh->opheader, sizeof(buf)) != 0)
err(EX_OSERR, "nptv6 instance creation failed");
}
