Source: ../../fea/pa_backend_pf.hh


 
LOGO
 Annotated List  Files  Globals  Hierarchy  Index  Top
// -*- c-basic-offset: 4; tab-width: 8; indent-tabs-mode: t -*-
// vim:set sts=4 ts=8:

// Copyright (c) 2001-2007 International Computer Science Institute
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the "Software")
// to deal in the Software without restriction, subject to the conditions
// listed in the XORP LICENSE file. These conditions include: you must
// preserve this copyright notice, and you cannot mention the copyright
// holders in advertising related to the Software without their permission.
// The Software is provided WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED. This
// notice is a summary of the XORP LICENSE file; the license in that file is
// legally binding.

// $XORP: xorp/fea/pa_backend_pf.hh,v 1.3 2007/02/16 22:45:48 pavlin Exp $

#ifndef __FEA_PA_BACKEND_PF_HH__
#define __FEA_PA_BACKEND_PF_HH__

#include "pa_entry.hh"
#include "pa_table.hh"
#include "pa_backend.hh"

#include <map>
#include <bitset>

/* ------------------------------------------------------------------------- */

/**
 * @short PF ACL backend interface.
 *
 * Concrete class defining a backend which drives PF on [Free|Open|Net]BSD.
 *
 * PF is closer to IPF than IPFW2 in that it has a single inactive ruleset
 * which is used to install rules before being swapped in by its own
 * commit command.
 */
class PaPfBackend : public PaBackend {
    friend class Snapshot4;
public:
    PaPfBackend() throw(PaInvalidBackendException);
    virtual ~PaPfBackend();

#ifdef HAVE_PACKETFILTER_PF
protected:
    /* --------------------------------------------------------------------- */
    /*
     * @short State snapshot Memento classes.
     *
     * These are provider-specific and abstract. Attempting to instantiate
     * them directly will result in an exception being thrown.
     *
     * Be warned that they might not actually copy all the state in a form
     * which can be marshaled elsewhere. Each provider must implement
     * both of these classes and override the virtuals, and check that
     * snapshots passed to it are its own by using dynamic casts.
     */
    class Snapshot4 : public PaBackend::Snapshot4Base {
	friend class PaPfBackend;
    public:
	Snapshot4(const Snapshot4& snap4)
	    throw(PaInvalidSnapshotException);
	Snapshot4(const PaBackend::Snapshot4Base& snap4)
	    throw(PaInvalidSnapshotException);
	virtual ~Snapshot4();
	inline uint8_t get_ruleset() const { return _ruleset; }
    private:
	Snapshot4(PaPfBackend& parent, uint8_t ruleset)
	    throw(PaInvalidSnapshotException);

	PaPfBackend*	    _parent;
	int		    _nrules;
	struct pfioc_rule*  _rulebuf;
    };

    // Types used for directly manipulating kernel rule tables.
    typedef vector<uint32_t> RuleBuf;
    typedef map<uint16_t, RuleBuf> RulesetDB;

    // IPv4 state snapshots are indexed by their PF 'set number'.
    // These make it possible to freeze current state and copy them
    // to a free set which can then be manipulated independently
    // of the active set. PF allows more than one set to be active
    // at any given time, but XORP does not support this functionality.
    // XXX: This is a candidate for a simple array.
    typedef map<uint8_t, Snapshot4* >	Snapshot4DB;
    typedef bitset<MAX_RULESETS>	RulesetGroup;

#endif // HAVE_PACKETFILTER_PF

public:
    /* --------------------------------------------------------------------- */
    /* General back-end methods. */

    const char* get_name() const;
    const char* get_version() const;

    /* --------------------------------------------------------------------- */
    /* IPv4 ACL back-end methods. */

    bool push_entries4(const PaSnapshot4* snap);
    bool delete_all_entries4();
    const PaBackend::Snapshot4Base* create_snapshot4();
    bool restore_snapshot4(const PaBackend::Snapshot4Base* snap);

#ifdef notyet
    /* --------------------------------------------------------------------- */
    /* IPv6 ACL back-end methods. */

    bool push_entries6(const PaSnapshot6* snap);
    bool delete_all_entries6();
    const PaBackend::Snapshot6Base* create_snapshot6() const;
    bool restore_snapshot6(const PaBackend::Snapshot6Base* snap);
#endif

#ifdef HAVE_PACKETFILTER_PF
protected:
    /* --------------------------------------------------------------------- */
    /* Private back-end methods. */
    bool set_pf_enabled(bool enable);
    u_int32_t start_transaction();
    void abort_transaction(u_int32_t ticket);
    bool commit_transaction(u_int32_t ticket);
    bool transcribe_and_add_rule4(const PaEntry4& entry, u_int32_t ticket);

    // XXX: For some reason this access isn't permitted even though
    // Snapshot4 is a friend of PaPfBackend in this scope, which
    // makes no sense (under g++ 2.95).
public:
    inline Snapshot4** get_snapshotdb() { return _snapshot4db; }
#endif // HAVE_PACKETFILTER_PF

protected:
    /* --------------------------------------------------------------------- */
#ifdef HAVE_PACKETFILTER_PF
    // Holds mapping of PF state snapshots to set numbers.
    Snapshot4*		_snapshot4db[MAX_RULESETS];
    // Open file descriptor pointing to the /dev/pf device.
    int			_fd;
private:
    static const char *_pfname;
#endif
};

/* ------------------------------------------------------------------------- */

#endif // __FEA_PA_BACKEND_PF_HH__

Generated by: pavlin on possum.icir.org on Wed Mar 21 11:23:22 2007, using kdoc $.