Source: ../../fea/pa_backend_ipfw2.hh


 
LOGO
 Annotated List  Files  Globals  Hierarchy  Index  Top
// -*- c-basic-offset: 4; tab-width: 8; indent-tabs-mode: t -*-

// Copyright (c) 2001-2007 International Computer Science Institute
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the "Software")
// to deal in the Software without restriction, subject to the conditions
// listed in the XORP LICENSE file. These conditions include: you must
// preserve this copyright notice, and you cannot mention the copyright
// holders in advertising related to the Software without their permission.
// The Software is provided WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED. This
// notice is a summary of the XORP LICENSE file; the license in that file is
// legally binding.

// $XORP: xorp/fea/pa_backend_ipfw2.hh,v 1.5 2007/02/16 22:45:48 pavlin Exp $

#ifndef __FEA_PA_BACKEND_IPFW2_HH__
#define __FEA_PA_BACKEND_IPFW2_HH__

#include "pa_entry.hh"
#include "pa_table.hh"
#include "pa_backend.hh"

#include <map>
#include <bitset>

/* ------------------------------------------------------------------------- */

/**
 * @short IPFW2 ACL backend interface.
 *
 * Concrete class defining a backend which drives IPFW2 on FreeBSD.
 */
class PaIpfw2Backend : public PaBackend {
    friend class Snapshot4;
public:
    PaIpfw2Backend() throw(PaInvalidBackendException);
    virtual ~PaIpfw2Backend();

#ifdef HAVE_PACKETFILTER_IPFW2
protected:
    /* --------------------------------------------------------------------- */
    /*
     * @short State snapshot Memento classes.
     *
     * These are provider-specific and abstract. Attempting to instantiate
     * them directly will result in an exception being thrown.
     *
     * Be warned that they might not actually copy all the state in a form
     * which can be marshaled elsewhere. Each provider must implement
     * both of these classes and override the virtuals, and check that
     * snapshots passed to it are its own by using dynamic casts.
     */
    class Snapshot4 : public PaBackend::Snapshot4Base {
	friend class PaIpfw2Backend;
    public:
	Snapshot4(const Snapshot4& snap4)
	    throw(PaInvalidSnapshotException);
	Snapshot4(const PaBackend::Snapshot4Base& snap4)
	    throw(PaInvalidSnapshotException);
	virtual ~Snapshot4();
	inline uint8_t get_ruleset() const { return _ruleset; }
    private:
	Snapshot4(PaIpfw2Backend& parent, uint8_t ruleset)
	    throw(PaInvalidSnapshotException);

	PaIpfw2Backend*	_parent;
	uint8_t		_ruleset;
    };

    // Ruleset number constants. 31 is reserved for 'default rules' and
    // cannot have rules added to it, nor can it be enabled/disabled.
    enum { DEFAULT_RULESET = 0, TRANSCRIPT_RULESET = 1,
	   RESERVED_RULESET = 31, MAX_RULESETS = 32 };
    enum { MAX_IPFW2_RULE_WORDS = 255, IPFW_RULENUM_MAX = 65535 };

    // Enumeration defining encapsulated commands used to overload the
    // IP_FW_DEL socket option. Believe it or not these aren't defined
    // as constants anywhere in FreeBSD!!
    // Bits 24-31 are command opcode.
    // Bits 16-23 are destination ruleset index.
    // Bits 0-15 are source rule *or* source ruleset index.
    enum {
	CMD_DEL_RULE = 0,		// Delete a single rule
	CMD_DEL_RULES_WITH_SET = 1,	// Delete all rules in a set
	CMD_MOVE_RULE = 2,		// Move 1 rule to a ruleset
	CMD_MOVE_RULESET = 3,		// Move all rules in a set to new set
	CMD_SWAP_RULESETS = 4		// Swap two rulesets
    };

    // Types used for directly manipulating kernel rule tables.
    typedef vector<uint32_t> RuleBuf;
    typedef map<uint16_t, RuleBuf> RulesetDB;

    // IPv4 state snapshots are indexed by their IPFW2 'set number'.
    // These make it possible to freeze current state and copy them
    // to a free set which can then be manipulated independently
    // of the active set. IPFW2 allows more than one set to be active
    // at any given time, but XORP does not support this functionality.
    // XXX: This is a candidate for a simple array.
    typedef map<uint8_t, Snapshot4* >	Snapshot4DB;
    typedef bitset<MAX_RULESETS>	RulesetGroup;

#endif // HAVE_PACKETFILTER_IPFW2

public:
    /* --------------------------------------------------------------------- */
    /* General back-end methods. */

    const char* get_name() const;
    const char* get_version() const;

    /* --------------------------------------------------------------------- */
    /* IPv4 ACL back-end methods. */

    bool push_entries4(const PaSnapshot4* snap);
    bool delete_all_entries4();
    const PaBackend::Snapshot4Base* create_snapshot4();
    bool restore_snapshot4(const PaBackend::Snapshot4Base* snap);

#ifdef notyet
    /* --------------------------------------------------------------------- */
    /* IPv6 ACL back-end methods. */

    bool push_entries6(const PaSnapshot6* snap);
    bool delete_all_entries6();
    const PaBackend::Snapshot6Base* create_snapshot6() const;
    bool restore_snapshot6(const PaBackend::Snapshot6Base* snap);
#endif

#ifdef HAVE_PACKETFILTER_IPFW2
protected:
    /* --------------------------------------------------------------------- */
    /* Private back-end methods. */
    static bool get_autoinc_step(uint32_t& step);
    static bool set_autoinc_step(const uint32_t& step);

    int docmd4(int optname, void *optval, socklen_t optlen);

    int enable_disable_rulesets4(RulesetGroup& enable_group,
                                 RulesetGroup& disable_group);
    int enable_ruleset4(int index);
    int disable_ruleset4(int index);
    int move_ruleset4(int src_index, int dst_index);
    int swap_ruleset4(int first_index, int second_index);
    int flush_ruleset4(int index);
    int add_rule4(const int ruleset_index, const PaEntry4& entry);
    void copy_ruleset4(int src_index, int dst_index);
    int read_ruleset4(const int ruleset_index, RulesetDB& rulesetdb);
    void renumber_ruleset4(const int ruleset_index, RulesetDB& rulesetdb);
    int push_rulesetdb4(RulesetDB& rulesetdb);
    void transcribe_rule4(const PaEntry4& entry,
			  const int ruleset_index,
			  uint32_t rulebuf[MAX_IPFW2_RULE_WORDS],
			  uint32_t& size_used);
    int push_rule4(const int ruleset_index, uint32_t rulebuf[],
		   const uint32_t size_used);

    // XXX: For some reason this access isn't permitted even though
    // Snapshot4 is a friend of PaIpfw2Backend in this scope, which
    // makes no sense (under g++ 2.95).
public:
    inline Snapshot4** get_snapshotdb() { return _snapshot4db; }
#endif // HAVE_PACKETFILTER_IPFW2

protected:
    /* --------------------------------------------------------------------- */
#ifdef HAVE_PACKETFILTER_IPFW2
    // Holds mapping of IPFW2 state snapshots to set numbers.
    Snapshot4*		_snapshot4db[MAX_RULESETS];
#endif
    // Private IPv4 raw socket for talking to kernel.
    int			_s4;
};

/* ------------------------------------------------------------------------- */

#endif // __FEA_PA_BACKEND_IPFW2_HH__

Generated by: pavlin on possum.icir.org on Wed Mar 21 11:23:22 2007, using kdoc $.