Lines Matching defs:and
219 * hand side to allow for binary searching of the array and include a trailer
418 * for each of IPv4 and IPv6. Adding a new protocol, for which there
420 * a new routine and expanding the ipf_pr_ipinit*() function rather than by
448 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
466 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
600 * and destroy whatever packet was here. The caller of this function
639 /* big enough for it to be in, checking if it is repeated and setting a */
799 /* Examine the IPv6 fragment header and extract fragment offset information.*/
820 /* and no packet is allowed to overlay that where offset = 0. */
1061 /* header being present and no authentication data (null algorithm used.) */
1202 /* except extremely bad packets, both type and code will be present. */
1323 /* and make some checks with how they interact with other fields. */
1325 /* valid and mark the packet as bad if not. */
1373 * also be set and vice versa. Good TCP packets do not have
1397 * SYN with URG and PUSH set is not for normal TCP but it is
1408 * not set and if URG, PSH or FIN are set, consider
1436 * marking up which TCP options are and are not present. The one we
1500 /* Extract the UDP source and destination ports, if present. If compiled */
1600 /* header being present and no authentication data (null algorithm used.) */
1634 * Adjust fin_dp and fin_dlen for skipping over the authentication
1680 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
1681 /* Check all options present and flag their presence if any exist. */
1705 /* Get both TTL and protocol */
1725 * set packet attribute flags based on the offset and
1750 * must have a length greater than 0 and it
1761 * Call per-protocol setup and checking
1807 * list of options present with this packet and set flags to indicate
1808 * which ones are here and which ones are not. For the somewhat out
1809 * of date and obscure security classification options, set a flag to
1926 /* header and returns that whilst also storing the highest sensitivity */
1930 /* by the user (rather than the protocol) and can be rather numerous on the */
2028 /* which is useful for comparing IP headers with and store this information */
2086 * Do opposite test to that required and continue if that succeeds.
2366 /* return value and fin->fin_fr points to the matched rule. */
2496 * in the rule, if it exists and use the results from that.
2591 * the rule to "not match" and keep on processing
2736 * If the rule has "keep frag" and the packet is actually a fragment,
2781 /* directed by firewall rules and of course whether or not to allow the */
2784 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
2809 * the packet is distilled, collected into a fr_info_t structure and
2857 * XXX For now, IP Filter and fast-forwarding of cached flows
2936 * becomes NULL and so we have no packet to free.
3087 * Up the reference on fr_lock and exit ipf_mutex. The generation of
3106 * WARNING: ICMP error packets AND TCP RST packets should
3148 * After the above so that ICMP unreachables and TCP RSTs get
3155 * If we didn't drop off the bottom of the list of rules (and thus
3372 /* and the TCP header. We also assume that data blocks aren't allocated in */
3375 /* Expects ip_len and ip_off to be in network byte order when called. */
3577 /* and thus its reference count needs to be lowered and the group free'd if */
3599 /* Remove the group from the list of groups and free it. */
3644 /* Find rule # n in group # g and return a pointer to it. Return NULL if */
3673 /* encountered. if a rule is the head of a group and it has lost all its */
3730 /* and IPv6) as defined by the value of flags. */
3775 /* Walk through all of the groups under the given group head and remove all */
3779 /* what is fg_next and fg_next after that. So if a filter rule is actually */
3826 /* Search dst for a sequence of bytes matching those at src and extend for */
3948 /* Walk through a list of filter rules and resolve any interface names into */
3953 /* when the name points to a pool and that pool does not exist. If this */
4068 /* filter rules, NAT entries and the state table and check if anything */
4105 * end up being unaligned) and on the kernel's local stack.
4115 /* to start copying from (src) and a pointer to where to store it (dst). */
4148 /* to start copying from (src) and a pointer to where to store it (dst). */
4175 /* Get the new value for the lock integer, set it and return the old value */
4365 /* Compare two rules and return 0 if they match or a number indicating */
4405 /* names are resolved here and other sanity checks are made on the content */
4407 /* then make sure they are created and initialised before exiting. */
4725 * Allowing a rule with both "keep state" and "with oow" is
4890 * If zero'ing statistics, copy current to caller and zero.
4898 * Copy and reduce lock because of impending copyout.
4900 * this call and the correctness of fr_hits and
5108 /* it from any linked lists and remove any groups it is responsible for. */
5166 * We've got to the last rule and everything
5197 /* When using pools and hash tables to store addresses for matching in */
5199 /* name or address (and return that pointer) and also provide the means by */
5310 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
5416 /* free it and any associated storage space being used by it. */
5483 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
5484 /* fr_ptr is later used by ipf_srcgrpmap and ipf_dstgrpmap. */
5535 /* the key, and descend into that group and continue matching rules against */
5563 /* address as the key, and descend into that group and continue matching */
5604 /* being requested. If it finds one, increments the reference counter and */
5605 /* returns a pointer to it. If none are found, it allocates a new one and */
5625 * gets reused rather than freed and reallocated.
5663 /* check the list of user defined timeout queues and call the free function */
5691 /* Remove a user defined timeout queue from the list of queues it is in and */
5726 /* Remove a tail queue entry from its queue and make it an orphan. */
5798 /* We use ticks to calculate the expiration and mark for when we last */
5840 /* Add a new item to this queue and put it on the very end. */
5841 /* We use ticks to calculate the expiration and mark for when we last */
5870 /* If it notices that the current entry is already last and does not need */
5878 * If the queue hasn't changed and we last touched this entry at the
5888 * queue and one not, could end up with things in a bizarre state.
5917 * lock on the old queue and get a lock on the new queue.
5952 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
6265 /* but it must not be smaller than the size defined for the type and the */
6324 /* but it must not be smaller than the size defined for the type and the */
6443 /* already populated with information and now we just need to use it. */
6506 * If the TCP packet isn't a fragment, isn't too short and otherwise
6634 i6addr_t *src, *and;
6637 and = (i6addr_t *)&mask->sin6_addr;
6650 inpmask->i6[0] = and->i6[0];
6651 inpmask->i6[1] = and->i6[1];
6652 inpmask->i6[2] = and->i6[2];
6653 inpmask->i6[3] = and->i6[3];
6656 inp->i6[0] = src->i6[0] & and->i6[0];
6657 inp->i6[1] = src->i6[1] & and->i6[1];
6658 inp->i6[2] = src->i6[2] & and->i6[2];
6659 inp->i6[3] = src->i6[3] & and->i6[3];
6681 /* comparison. This function should only be called with both tag1 and tag2 */
6814 /* Search the static array of tuneables and the list of dynamic tuneables */
6872 /* pointers so we don't need to walk parts of it with ++ and others with */
6937 /* Allocate memory for a new set of tuneable values and copy everything */
7039 /* returned and no further ones removed. */
7066 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
7067 /* three ioctls provide the means to access and control global variables */
7068 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
7070 /* and 'destruction' routines of the various components of ipfilter are all */
7094 * entry we looked at, so find it (if possible) and return a
7097 * to NULL and return that, indicating end of list, erstwhile
7184 * getting the new value safely and correctly out of
7246 /* Copies the current statistics out to userspace and then zero's the */
7281 /* Looks up an interface name in the frdest structure pointed to by fdp and */
7324 /* to that passed in and that is also being used for that IP protocol */
7326 /* for both IPv4 and IPv6 on the same physical NIC. */
7355 /* have been held for too long and need to be freed up. */
7378 /* Loop through all of the existing tokens and call deref to see if they */
7381 /* of greater than one and in that case the reference would drop twice */
7554 /* Drop the reference count on the token structure and if it drops to zero, */
7669 /* When we have found the rule to return, increase its reference count and */
7811 /* This function serves as a stepping stone between ipf_ipf_ioctl and */
7813 /* the process doing the ioctl and use that to ask for the next rule. */
8213 /* buffer to point to the start of the inner packet and start processing */
8258 * there and bounce over it.
8261 /* This is really heavy weight and lots of room for error, */
8262 /* so for now, put it off and get the simple stuff right. */
8375 * that is local to the decapsulation processing and back into the
8409 /* describes it. Sanity checking and array size limitations are enforced */
8412 /* required is malloc'd and returned through changing *arrayptr. The */
8487 * (minimum 4 in length) and a trailer, for a total of 6.
8514 * (or else there is nothing to compare with!) and it
8533 /* This function is used to apply a matching array against a packet and */
8555 * This is currently used with TCP and UDP port compares and
8687 /* This function gets called when the state/NAT hash tables fill up and we */
8694 /* TCPS_TIME_WAIT and TCPS_CLOSED are considered to be the perfect */
8696 /* CLOSED or both CLOSED and TIME_WAIT brings us to the low watermark, */
8699 /* 2) Look for the oldest entries on each timeout queue and free them if */
8701 /* window starts and the steps taken to increase its size depend upon */
8716 /* ipf_ticks any given timeout queue and vice versa. */
8717 /* - both tqe_die and tqe_touched increase over time */
8719 /* bottom and therefore the smallest values of each are at the top */
8725 /* found in that range, "interval" is adjusted (so long as it isn't 30) and */
8726 /* we start again with a new value for "iend" and "istart". This is */
8760 * and kernels don't like floating point...
8876 /* state and NAT code, telling them to update their timeout queues. */
8905 /* to walk the entire list and apply the change. The sort order will not */
8938 /* This function applies the new timeout (p) to the TCP tunable (t) and */
9195 /* Work through all of the subsystems inside IPFilter and call the load */
9228 /* Work through all of the subsystems inside IPFilter and call the unload */
9261 /* Work through all of the subsystems inside IPFilter and call the create */
9332 /* Work through all of the subsystems inside IPFilter and call the destroy */
9393 /* Work through all of the subsystems inside IPFilter and call the init */
9438 /* Work through all of the subsystems inside IPFilter and call the fini */
9486 /* firewall rules. Both inactive and active lists are scanned for items to */
9539 /* family and the address itself. */
9591 /* have to be wary of that and not allow 32-128 to happen. */
9659 /* tree or a matching node exists and we're able to bump up its activity. */
9715 /* Try and find the address passed in amongst the leaves on this tree to */
9779 /* and free'ing each one. */