Source-Changes-HG archive
[src/trunk]: src/sys/net/npf NPF:
details: https://anonhg.NetBSD.org/src/rev/7b30b0324b69
branches: trunk
changeset: 325102:7b30b0324b69
user: rmind <rmind%NetBSD.org@localhost>
date: Fri Dec 06 01:33:37 2013 +0000
description:
NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
diffstat:
sys/net/npf/npf.h | 19 +++++++--
sys/net/npf/npf_alg.c | 10 ++---
sys/net/npf/npf_alg_icmp.c | 33 +++++++++-------
sys/net/npf/npf_bpf.c | 6 +-
sys/net/npf/npf_impl.h | 19 +++++----
sys/net/npf/npf_inet.c | 40 +++++++++-----------
sys/net/npf/npf_nat.c | 90 +++++++++++++++++++++++++--------------------
sys/net/npf/npf_session.c | 17 +++++---
8 files changed, 128 insertions(+), 106 deletions(-)
diffs (truncated from 650 to 300 lines):
diff -r e7044127776d -r 7b30b0324b69 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Thu Dec 05 22:51:08 2013 +0000
+++ b/sys/net/npf/npf.h Fri Dec 06 01:33:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.33 2013/11/12 00:46:34 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.34 2013/12/06 01:33:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -104,18 +104,24 @@
typedef struct {
/* Information flags. */
uint32_t npc_info;
- /* Pointers to the IP v4/v6 addresses. */
- npf_addr_t * npc_srcip;
- npf_addr_t * npc_dstip;
- /* Size (v4 or v6) of IP addresses. */
+
+ /*
+ * Pointers to the IP source and destination addresses,
+ * and the address length (4 for IPv4 or 16 for IPv6).
+ */
+ npf_addr_t * npc_ips[2];
uint8_t npc_alen;
+
+ /* IP header length and L4 protocol. */
uint8_t npc_hlen;
uint16_t npc_proto;
+
/* IPv4, IPv6. */
union {
struct ip * v4;
struct ip6_hdr * v6;
} npc_ip;
+
/* TCP, UDP, ICMP. */
union {
struct tcphdr * tcp;
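Review bot: The new comment on npc_ips[2] does not say how the two slots are indexed, and the NPF_SRC/NPF_DST macros that give the mapping only appear in the next hunk, with no comment of their own. A reader of this struct has to find the macros by grepping. Suggest rewording the field comment to `* Pointers to the IP source and destination addresses, indexed by` / `* NPF_SRC and NPF_DST, and the address length (4 for IPv4 or 16 for IPv6).` and putting `/* Indices into npc_ips[]. */` above the two defines in the next hunk.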
@@ -132,6 +138,9 @@
return __predict_true((npc->npc_info & inf) != 0);
}
+#define NPF_SRC 0
+#define NPF_DST 1
+
/*
* Network buffer interface.
*/
diff -r e7044127776d -r 7b30b0324b69 sys/net/npf/npf_alg.c
--- a/sys/net/npf/npf_alg.c Thu Dec 05 22:51:08 2013 +0000
+++ b/sys/net/npf/npf_alg.c Fri Dec 06 01:33:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg.c,v 1.9 2013/06/02 02:20:04 rmind Exp $ */
+/* $NetBSD: npf_alg.c,v 1.10 2013/12/06 01:33:37 rmind Exp $ */
/*-
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.9 2013/06/02 02:20:04 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.10 2013/12/06 01:33:37 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -58,8 +58,6 @@
u_int na_slot;
};
-#define NPF_MAX_ALGS 8
-
/* List of ALGs and the count. */
static pserialize_t alg_psz __cacheline_aligned;
static npf_alg_t alg_list[NPF_MAX_ALGS] __read_mostly;
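Review bot: Dropping the local `NPF_MAX_ALGS 8` while the npf_impl.h hunk later in this commit redefines it as 4 halves alg_list (and presumably alg_tfunc and the other per-slot tables), so what reads as a move is also a behaviour change that the commit message does not mention. The registration code that bounds na_slot against NPF_MAX_ALGS is outside the hunk, so I cannot confirm from here that a fifth ALG is rejected rather than written past the array; worth re-checking that path now that the limit is smaller. A short comment at the new definition, e.g. `/* Was 8; reduced to 4, only the ICMP ALG exists today. */`, would record the reasoning next to the number.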
@@ -218,7 +216,7 @@
* npf_alg_exec: execute ALG hooks for translation.
*/
void
-npf_alg_exec(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, int di)
+npf_alg_exec(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, bool forw)
{
int s;
@@ -227,7 +225,7 @@
npf_alg_func_t func;
if ((func = alg_tfunc[i]) != NULL) {
- func(npc, nbuf, nt, di);
+ func(npc, nbuf, nt, (int)forw);
}
}
pserialize_read_exit(s);
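Review bot: `func(npc, nbuf, nt, (int)forw)` pushes a bool through the int slot of npf_alg_func_t, while the ICMP match hook in npf_alg_icmp.c still reads that same int slot as a PFIL_IN/PFIL_OUT direction (`di != PFIL_OUT`) and the translate hook reads it as a 0/1 forwards flag. If, as it looks, both hooks share the npf_alg_func_t type, one function-pointer type now carries two incompatible meanings that the compiler cannot check and the next ALG author can easily get wrong. Consider a distinct typedef for the translate hooks taking `bool` (a constructed example: `typedef bool (*npf_alg_tfunc_t)(npf_cache_t *, nbuf_t *, npf_nat_t *, bool);`), or at least a comment on the typedef stating which hooks receive a direction and which receive the flag. npf_alg_exec begins in the previous hunk.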
diff -r e7044127776d -r 7b30b0324b69 sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Thu Dec 05 22:51:08 2013 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Fri Dec 06 01:33:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.17 2013/06/02 02:20:04 rmind Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.18 2013/12/06 01:33:37 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.17 2013/06/02 02:20:04 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.18 2013/12/06 01:33:37 rmind Exp $");
#include <sys/param.h>
#include <sys/module.h>
@@ -106,8 +106,8 @@
}
/*
- * npfa_icmp_match: ALG matching inspector - determines ALG case and
- * associates ALG with NAT entry.
+ * npfa_icmp_match: match inspector - determines ALG case and associates
+ * our ALG with the NAT entry.
*/
static bool
npfa_icmp_match(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, int di)
@@ -119,8 +119,8 @@
KASSERT(npf_iscached(npc, NPC_IP46));
KASSERT(npf_iscached(npc, NPC_LAYER4));
- /* Check for low TTL. */
- if (ip->ip_ttl > TR_MAX_TTL) {
+ /* Check for low TTL. Also, we support outbound NAT only. */
+ if (ip->ip_ttl > TR_MAX_TTL || di != PFIL_OUT) {
return false;
}
@@ -303,7 +303,7 @@
bool ret, forw;
#define SWAP(type, x, y) { type tmp = x; x = y; y = tmp; }
- SWAP(npf_addr_t *, enpc.npc_srcip, enpc.npc_dstip);
+ SWAP(npf_addr_t *, enpc.npc_ips[NPF_SRC], enpc.npc_ips[NPF_DST]);
switch (enpc.npc_proto) {
case IPPROTO_TCP:
@@ -339,15 +339,15 @@
}
/*
- * npfa_icmp_nat: ALG inbound translation inspector, rewrite IP address
- * in the IP header, which is embedded in ICMP packet.
+ * npfa_icmp_nat: ALG translator - rewrites IP address in the IP header
+ * which is embedded in ICMP packet. Note: backwards stream only.
*/
static bool
-npfa_icmp_nat(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, int di)
+npfa_icmp_nat(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, int forw)
{
npf_cache_t enpc;
- if (di != PFIL_IN || !npf_iscached(npc, NPC_ICMP))
+ if (forw || !npf_iscached(npc, NPC_ICMP))
return false;
if (!npfa_icmp_inspect(npc, nbuf, &enpc))
return false;
@@ -365,6 +365,9 @@
* Retrieve the original address and port, then calculate ICMP
* checksum for these changes in the embedded packet. While data
* is not rewritten in the cache, save IP and TCP/UDP checksums.
+ *
+ * XXX: Assumes NPF_NATOUT (source address/port). Currently,
+ * npfa_icmp_match() matches only for the PFIL_OUT traffic.
*/
const int proto = enpc.npc_proto;
uint16_t ipcksum = 0, l4cksum = 0;
@@ -377,7 +380,7 @@
const struct ip *eip = enpc.npc_ip.v4;
ipcksum = eip->ip_sum;
}
- cksum = npf_addr_cksum(cksum, enpc.npc_alen, enpc.npc_srcip, addr);
+ cksum = npf_addr_cksum(cksum, enpc.npc_alen, enpc.npc_ips[NPF_SRC], addr);
switch (proto) {
case IPPROTO_TCP: {
@@ -401,10 +404,10 @@
/*
* Rewrite the source IP address and port of the embedded IP header,
- * which represents the original packet, therefore passing PFIL_OUT.
- * This updates the checksums in the embedded packet.
+ * which represents the original packet. This updates the checksums
+ * in the embedded packet.
*/
- if (npf_nat_translate(&enpc, nbuf, nt, false, PFIL_OUT)) {
+ if (npf_nat_translate(&enpc, nbuf, nt, forw)) {
return false;
}
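Review bot: In `npf_nat_translate(&enpc, nbuf, nt, forw)` the value of forw is already known to be false, because npfa_icmp_nat returned early on `forw` at its top (earlier hunk), so passing the variable reads as if either direction could reach this call. Either pass `false` with a short comment on why, or keep `forw` and state the invariant in the comment above, e.g. `* Note: forw is always false here, see the check at function entry.`. npfa_icmp_nat continues past this hunk.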
diff -r e7044127776d -r 7b30b0324b69 sys/net/npf/npf_bpf.c
--- a/sys/net/npf/npf_bpf.c Thu Dec 05 22:51:08 2013 +0000
+++ b/sys/net/npf/npf_bpf.c Fri Dec 06 01:33:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_bpf.c,v 1.5 2013/11/23 19:32:20 rmind Exp $ */
+/* $NetBSD: npf_bpf.c,v 1.6 2013/12/06 01:33:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.5 2013/11/23 19:32:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.6 2013/12/06 01:33:37 rmind Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -157,6 +157,6 @@
if ((t = npf_tableset_getbyid(tblset, tid)) == NULL) {
return 0;
}
- addr = (A & SRC_FLAG_BIT) ? npc->npc_srcip : npc->npc_dstip;
+ addr = npc->npc_ips[(A & SRC_FLAG_BIT) ? NPF_SRC : NPF_DST];
return npf_table_lookup(t, npc->npc_alen, addr) == 0;
}
diff -r e7044127776d -r 7b30b0324b69 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Thu Dec 05 22:51:08 2013 +0000
+++ b/sys/net/npf/npf_impl.h Fri Dec 06 01:33:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.44 2013/12/04 01:38:49 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.45 2013/12/06 01:33:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -100,8 +100,12 @@
typedef npf_session_t *(*npf_alg_sfunc_t)(npf_cache_t *, nbuf_t *, int);
typedef void (*npf_workfunc_t)(void);
-/* Some artificial limits. */
+/*
+ * Some artificial limits.
+ * Note: very unlikely to have many ALGs.
+ */
#define NPF_MAX_RULES (1024 * 1024)
+#define NPF_MAX_ALGS 4
#define NPF_MAX_TABLES 128
#define NPF_MAX_RPROCS 128
#define NPF_MAX_IFMAP 64
@@ -184,9 +188,9 @@
int npf_cache_all(npf_cache_t *, nbuf_t *);
void npf_recache(npf_cache_t *, nbuf_t *);
-bool npf_rwrip(const npf_cache_t *, int, const npf_addr_t *);
-bool npf_rwrport(const npf_cache_t *, int, const in_port_t);
-bool npf_rwrcksum(const npf_cache_t *, const int,
+bool npf_rwrip(const npf_cache_t *, u_int, const npf_addr_t *);
+bool npf_rwrport(const npf_cache_t *, u_int, const in_port_t);
+bool npf_rwrcksum(const npf_cache_t *, u_int,
const npf_addr_t *, const in_port_t);
uint16_t npf_fixup16_cksum(uint16_t, uint16_t, uint16_t);
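Review bot: The second parameter of npf_rwrip, npf_rwrport and npf_rwrcksum changes from int to u_int, but the header still gives no hint of what it means; judging by the npf.h and npf_bpf.c hunks it is presumably now an NPF_SRC/NPF_DST index into npc_ips rather than the PFIL direction it used to be, and the implementations in npf_inet.c are in the truncated part of the diff. A one-line comment above the three prototypes, e.g. `/* The u_int argument is an NPF_SRC/NPF_DST index into npc_ips[]. */`, would make the new contract visible to callers.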
@@ -327,8 +331,7 @@
void npf_nat_freealg(npf_natpolicy_t *, npf_alg_t *);
int npf_do_nat(npf_cache_t *, npf_session_t *, nbuf_t *, const int);
-int npf_nat_translate(npf_cache_t *, nbuf_t *, npf_nat_t *,
- const bool, const int);
+int npf_nat_translate(npf_cache_t *, nbuf_t *, npf_nat_t *, bool);
void npf_nat_destroy(npf_nat_t *);
void npf_nat_getorig(npf_nat_t *, npf_addr_t **, in_port_t *);
void npf_nat_gettrans(npf_nat_t *, npf_addr_t **, in_port_t *);
@@ -345,7 +348,7 @@
int npf_alg_unregister(npf_alg_t *);
npf_alg_t * npf_alg_construct(const char *);
bool npf_alg_match(npf_cache_t *, nbuf_t *, npf_nat_t *, int);
-void npf_alg_exec(npf_cache_t *, nbuf_t *, npf_nat_t *, int);
+void npf_alg_exec(npf_cache_t *, nbuf_t *, npf_nat_t *, bool);
npf_session_t * npf_alg_session(npf_cache_t *, nbuf_t *, int);
/* Debugging routines. */
diff -r e7044127776d -r 7b30b0324b69 sys/net/npf/npf_inet.c
--- a/sys/net/npf/npf_inet.c Thu Dec 05 22:51:08 2013 +0000
+++ b/sys/net/npf/npf_inet.c Fri Dec 06 01:33:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_inet.c,v 1.27 2013/11/22 01:48:36 rmind Exp $ */
+/* $NetBSD: npf_inet.c,v 1.28 2013/12/06 01:33:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.27 2013/11/22 01:48:36 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.28 2013/12/06 01:33:37 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -338,8 +338,8 @@
/* Cache: layer 3 - IPv4. */
npc->npc_alen = sizeof(struct in_addr);
- npc->npc_srcip = (npf_addr_t *)&ip->ip_src;
- npc->npc_dstip = (npf_addr_t *)&ip->ip_dst;