Author: ae
Date: Fri Jun  7 08:21:01 2019
New Revision: 348773
URL: https://svnweb.freebsd.org/changeset/base/348773

Log:
  MFC r348235:
    Add `missing` and `or-flush` options to "ipfw table <NAME> create"
    command to simplify firewall reloading.
  
    The `missing` option suppresses EEXIST error code, but does check that
    existing table has the same parameters as new one. The `or-flush` option
  implies the `missing` option and additionally flushes the table if it
  already exists.
  
    Submitted by:       lev
    Differential Revision:      https://reviews.freebsd.org/D18339
  
  MFC r348301
    Remove unused token that was added in r348235.

Modified:
  stable/12/sbin/ipfw/ipfw.8
  stable/12/sbin/ipfw/ipfw2.h
  stable/12/sbin/ipfw/tables.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sbin/ipfw/ipfw.8
==============================================================================
--- stable/12/sbin/ipfw/ipfw.8  Fri Jun  7 06:35:42 2019        (r348772)
+++ stable/12/sbin/ipfw/ipfw.8  Fri Jun  7 08:21:01 2019        (r348773)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 21, 2019
+.Dd May 24, 2019
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -2138,7 +2138,7 @@ The following creation options are supported:
 .Bl -tag -width indent
 .It Ar create-options : Ar create-option | create-options
 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm 
algo Ar algo-desc |
-.Cm limit Ar number | Cm locked
+.Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
 .It Cm type
 Table key type.
 .It Cm valtype
@@ -2149,6 +2149,13 @@ Table algorithm to use (see below).
 Maximum number of items that may be inserted into table.
 .It Cm locked
 Restrict any table modifications.
+.It Cm missing
+Do not fail if table already exists and has exactly same options as new one.
+.It Cm or-flush
+Flush existing table with same name instead of returning error.
+Implies
+.Cm missing
+so existing table must be compatible with new one.
 .El
 .Pp
 Some of these options may be modified later via

Modified: stable/12/sbin/ipfw/ipfw2.h
==============================================================================
--- stable/12/sbin/ipfw/ipfw2.h Fri Jun  7 06:35:42 2019        (r348772)
+++ stable/12/sbin/ipfw/ipfw2.h Fri Jun  7 08:21:01 2019        (r348773)
@@ -264,6 +264,8 @@ enum tokens {
        TOK_UNLOCK,
        TOK_VLIST,
        TOK_OLIST,
+       TOK_MISSING,
+       TOK_ORFLUSH,
 
        /* NAT64 tokens */
        TOK_NAT64STL,

Modified: stable/12/sbin/ipfw/tables.c
==============================================================================
--- stable/12/sbin/ipfw/tables.c        Fri Jun  7 06:35:42 2019        
(r348772)
+++ stable/12/sbin/ipfw/tables.c        Fri Jun  7 08:21:01 2019        
(r348773)
@@ -327,6 +327,8 @@ static struct _s_x tablenewcmds[] = {
       { "algo",                TOK_ALGO },
       { "limit",       TOK_LIMIT },
       { "locked",      TOK_LOCK },
+      { "missing",     TOK_MISSING },
+      { "or-flush",    TOK_ORFLUSH },
       { NULL, 0 }
 };
 
@@ -389,19 +391,19 @@ table_print_type(char *tbuf, size_t size, uint8_t type
  * Creates new table
  *
  * ipfw table NAME create [ type { addr | iface | number | flow } ]
- *     [ algo algoname ]
+ *     [ algo algoname ] [missing] [or-flush]
  */
 static void
 table_create(ipfw_obj_header *oh, int ac, char *av[])
 {
-       ipfw_xtable_info xi;
-       int error, tcmd, val;
+       ipfw_xtable_info xi, xie;
+       int error, missing, orflush, tcmd, val;
        uint32_t fset, fclear;
        char *e, *p;
        char tbuf[128];
 
+       missing = orflush = 0;
        memset(&xi, 0, sizeof(xi));
-
        while (ac > 0) {
                tcmd = get_token(tablenewcmds, *av, "option");
                ac--; av++;
@@ -457,6 +459,12 @@ table_create(ipfw_obj_header *oh, int ac, char *av[])
                case TOK_LOCK:
                        xi.flags |= IPFW_TGFLAGS_LOCKED;
                        break;
+               case TOK_ORFLUSH:
+                       orflush = 1;
+                       /* FALLTHROUGH */
+               case TOK_MISSING:
+                       missing = 1;
+                       break;
                }
        }
 
@@ -466,8 +474,28 @@ table_create(ipfw_obj_header *oh, int ac, char *av[])
        if (xi.vmask == 0)
                xi.vmask = IPFW_VTYPE_LEGACY;
 
-       if ((error = table_do_create(oh, &xi)) != 0)
+       error = table_do_create(oh, &xi);
+
+       if (error == 0)
+               return;
+
+       if (errno != EEXIST || missing == 0)
                err(EX_OSERR, "Table creation failed");
+
+       /* Check that existing table is the same we are trying to create */
+       if (table_get_info(oh, &xie) != 0)
+               err(EX_OSERR, "Existing table check failed");
+
+       if (xi.limit != xie.limit || xi.type != xie.type ||
+           xi.tflags != xie.tflags || xi.vmask != xie.vmask || (
+           xi.algoname[0] != '\0' && strcmp(xi.algoname,
+           xie.algoname) != 0) || xi.flags != xie.flags)
+               errx(EX_DATAERR, "The existing table is not compatible "
+                   "with one you are creating.");
+
+       /* Flush existing table if instructed to do so */
+       if (orflush != 0 && table_flush(oh) != 0)
+               err(EX_OSERR, "Table flush on creation failed");
 }
 
 /*
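Review bot: The compatibility check `xi.flags != xie.flags` compares the whole flag words, yet `xi.flags` holds only what this command line set (`IPFW_TGFLAGS_LOCKED` from the `TOK_LOCK` case) while `xie.flags` is whatever the kernel reports for the existing table; if the kernel ever reports a flag bit that cannot be requested from the command line, `missing` will reject every existing table as incompatible. Masking to the user-settable bits keeps the check meaningful, e.g. `((xi.flags ^ xie.flags) & IPFW_TGFLAGS_LOCKED) != 0`, and the same consideration applies to the `tflags` comparison, though whether extra bits are actually reported is not visible from this hunk. The `errno != EEXIST` test also presumes `table_do_create` leaves errno from the failing call untouched, which is plausible for a thin wrapper but not shown here. Separately, the EEXIST result, the `table_get_info` lookup and the `table_flush` are three distinct operations keyed only by the table name, so a table deleted and recreated between them would be flushed without having passed the check; that is inherent to the sockopt interface, but a comment such as `/* Not atomic: the table may be replaced between the EEXIST check and the flush */` would record it. table_create's opening is outside this hunk.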