[src/trunk]: src/sys NPF: partially rewrite the connection tracking mechanism:
details: https://anonhg.NetBSD.org/src/rev/77806978db37
branches: trunk
changeset: 330734:77806978db37
user: rmind <rmind%NetBSD.org@localhost>
date: Sat Jul 19 18:24:16 2014 +0000
description:
NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
diffstat:
sys/modules/npf/Makefile | 6 +-
sys/net/npf/files.npf | 5 +-
sys/net/npf/npf.c | 17 +-
sys/net/npf/npf.h | 6 +-
sys/net/npf/npf_alg.c | 14 +-
sys/net/npf/npf_alg_icmp.c | 17 +-
sys/net/npf/npf_conn.c | 982 +++++++++++++++++++++++++++++++++++++++
sys/net/npf/npf_conndb.c | 268 ++++++++++
sys/net/npf/npf_ctl.c | 90 +-
sys/net/npf/npf_handler.c | 49 +-
sys/net/npf/npf_if.c | 6 +-
sys/net/npf/npf_impl.h | 52 +-
sys/net/npf/npf_inet.c | 17 +-
sys/net/npf/npf_nat.c | 95 +-
sys/net/npf/npf_session.c | 48 +-
sys/net/npf/npf_state.c | 46 +-
sys/net/npf/npf_state_tcp.c | 5 +-
sys/rump/net/lib/libnpf/Makefile | 8 +-
18 files changed, 1496 insertions(+), 235 deletions(-)
diffs (truncated from 2626 to 300 lines):
diff -r ce80b5357c46 -r 77806978db37 sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile Sat Jul 19 18:18:31 2014 +0000
+++ b/sys/modules/npf/Makefile Sat Jul 19 18:24:16 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.16 2013/11/08 00:38:26 rmind Exp $
+# $NetBSD: Makefile,v 1.17 2014/07/19 18:24:17 rmind Exp $
#
# Public Domain.
#
@@ -11,9 +11,9 @@
SRCS= npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
SRCS+= npf_bpf.c npf_if.c npf_inet.c npf_mbuf.c npf_nat.c
-SRCS+= npf_ruleset.c npf_rproc.c npf_sendpkt.c npf_session.c
+SRCS+= npf_ruleset.c npf_conn.c npf_conndb.c npf_rproc.c
SRCS+= npf_state.c npf_state_tcp.c npf_tableset.c
-SRCS+= npf_tableset_ptree.c npf_worker.c
+SRCS+= npf_tableset_ptree.c npf_sendpkt.c npf_worker.c
CPPFLAGS+= -DINET6
diff -r ce80b5357c46 -r 77806978db37 sys/net/npf/files.npf
--- a/sys/net/npf/files.npf Sat Jul 19 18:18:31 2014 +0000
+++ b/sys/net/npf/files.npf Sat Jul 19 18:24:16 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.16 2013/11/08 00:38:26 rmind Exp $
+# $NetBSD: files.npf,v 1.17 2014/07/19 18:24:16 rmind Exp $
#
# Public Domain.
#
@@ -22,7 +22,8 @@
file net/npf/npf_tableset_ptree.c npf
file net/npf/npf_if.c npf
file net/npf/npf_inet.c npf
-file net/npf/npf_session.c npf
+file net/npf/npf_conn.c npf
+file net/npf/npf_conndb.c npf
file net/npf/npf_state.c npf
file net/npf/npf_state_tcp.c npf
file net/npf/npf_nat.c npf
diff -r ce80b5357c46 -r 77806978db37 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Sat Jul 19 18:18:31 2014 +0000
+++ b/sys/net/npf/npf.c Sat Jul 19 18:24:16 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.19 2014/03/16 05:20:30 dholland Exp $ */
+/* $NetBSD: npf.c,v 1.20 2014/07/19 18:24:16 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.19 2014/03/16 05:20:30 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.20 2014/07/19 18:24:16 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -52,6 +52,7 @@
#include <sys/uio.h>
#include "npf_impl.h"
+#include "npf_conn.h"
/*
* Module and device structures.
@@ -100,7 +101,7 @@
npf_bpf_sysinit();
npf_worker_sysinit();
npf_tableset_sysinit();
- npf_session_sysinit();
+ npf_conn_sysinit();
npf_nat_sysinit();
npf_alg_sysinit();
npf_ext_sysinit();
@@ -129,15 +130,15 @@
#endif
npf_pfil_unregister(true);
- /* Flush all sessions, destroy configuration (ruleset, etc). */
- npf_session_tracking(false);
+ /* Flush all connections, destroy configuration (ruleset, etc). */
+ npf_conn_tracking(false);
npf_config_fini();
/* Finally, safe to destroy the subsystems. */
npf_ext_sysfini();
npf_alg_sysfini();
npf_nat_sysfini();
- npf_session_sysfini();
+ npf_conn_sysfini();
npf_tableset_sysfini();
npf_bpf_sysfini();
@@ -226,10 +227,10 @@
error = npfctl_stats(data);
break;
case IOC_NPF_SESSIONS_SAVE:
- error = npfctl_sessions_save(cmd, data);
+ error = npfctl_conn_save(cmd, data);
break;
case IOC_NPF_SESSIONS_LOAD:
- error = npfctl_sessions_load(cmd, data);
+ error = npfctl_conn_load(cmd, data);
break;
case IOC_NPF_SWITCH:
error = npfctl_switch(data);
diff -r ce80b5357c46 -r 77806978db37 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sat Jul 19 18:18:31 2014 +0000
+++ b/sys/net/npf/npf.h Sat Jul 19 18:24:16 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.42 2014/06/29 00:05:24 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.43 2014/07/19 18:24:16 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#define NPF_VERSION 14
+#define NPF_VERSION 15
/*
* Public declarations and definitions.
@@ -326,7 +326,7 @@
/* Packets blocked. */
NPF_STAT_BLOCK_DEFAULT,
NPF_STAT_BLOCK_RULESET,
- /* Session and NAT entries. */
+ /* Connection and NAT entries. */
NPF_STAT_SESSION_CREATE,
NPF_STAT_SESSION_DESTROY,
NPF_STAT_NAT_CREATE,
diff -r ce80b5357c46 -r 77806978db37 sys/net/npf/npf_alg.c
--- a/sys/net/npf/npf_alg.c Sat Jul 19 18:18:31 2014 +0000
+++ b/sys/net/npf/npf_alg.c Sat Jul 19 18:24:16 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg.c,v 1.12 2014/02/17 02:38:46 rmind Exp $ */
+/* $NetBSD: npf_alg.c,v 1.13 2014/07/19 18:24:16 rmind Exp $ */
/*-
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.12 2014/02/17 02:38:46 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.13 2014/07/19 18:24:16 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -226,10 +226,10 @@
pserialize_read_exit(s);
}
-npf_session_t *
-npf_alg_session(npf_cache_t *npc, nbuf_t *nbuf, int di)
+npf_conn_t *
+npf_alg_conn(npf_cache_t *npc, nbuf_t *nbuf, int di)
{
- npf_session_t *se = NULL;
+ npf_conn_t *con = NULL;
int s;
s = pserialize_read_enter();
@@ -238,9 +238,9 @@
if (!f->inspect)
continue;
- if ((se = f->inspect(npc, nbuf, di)) != NULL)
+ if ((con = f->inspect(npc, nbuf, di)) != NULL)
break;
}
pserialize_read_exit(s);
- return se;
+ return con;
}
diff -r ce80b5357c46 -r 77806978db37 sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Sat Jul 19 18:18:31 2014 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Sat Jul 19 18:24:16 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.21 2014/06/08 12:12:56 spz Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.22 2014/07/19 18:24:16 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.21 2014/06/08 12:12:56 spz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.22 2014/07/19 18:24:16 rmind Exp $");
#include <sys/param.h>
#include <sys/module.h>
@@ -49,6 +49,7 @@
#include <net/pfil.h>
#include "npf_impl.h"
+#include "npf_conn.h"
MODULE(MODULE_CLASS_MISC, npf_alg_icmp, "npf");
@@ -195,7 +196,7 @@
}
/*
- * npfa_icmp_session: ALG ICMP inspector.
+ * npfa_icmp_inspect: ALG ICMP inspector.
*
* => Returns true if "enpc" is filled.
*/
@@ -241,8 +242,8 @@
return true;
}
-static npf_session_t *
-npfa_icmp_session(npf_cache_t *npc, nbuf_t *nbuf, int di)
+static npf_conn_t *
+npfa_icmp_conn(npf_cache_t *npc, nbuf_t *nbuf, int di)
{
npf_cache_t enpc;
@@ -294,8 +295,8 @@
return false;
}
- /* Lookup for a session using embedded packet. */
- return npf_session_lookup(&enpc, nbuf, di, &forw);
+ /* Lookup a connection using the embedded packet. */
+ return npf_conn_lookup(&enpc, nbuf, di, &forw);
}
/*
@@ -414,7 +415,7 @@
static const npfa_funcs_t icmp = {
.match = npfa_icmp_match,
.translate = npfa_icmp_nat,
- .inspect = npfa_icmp_session,
+ .inspect = npfa_icmp_conn,
};
alg_icmp = npf_alg_register("icmp", &icmp);
return alg_icmp ? 0 : ENOMEM;
diff -r ce80b5357c46 -r 77806978db37 sys/net/npf/npf_conn.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/net/npf/npf_conn.c Sat Jul 19 18:24:16 2014 +0000
@@ -0,0 +1,982 @@
+/* $NetBSD: npf_conn.c,v 1.1 2014/07/19 18:24:16 rmind Exp $ */
+
+/*-
+ * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
+ * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This material is based upon work partially supported by The
+ * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * NPF connection tracking for stateful filtering and translation.
+ *
+ * Overview
+ *
+ * Connection direction is identified by the direction of its first
+ * packet. Packets can be incoming or outgoing with respect to an
+ * interface. To describe the packet in the context of connection
+ * direction we will use the terms "forwards stream" and "backwards
+ * stream". All connections have two keys and thus two entries:
+ *
+ * npf_conn_t::c_forw_entry for the forwards stream and
+ * npf_conn_t::c_back_entry for the backwards stream.
+ *
+ * The keys are formed from the 5-tuple (source/destination address,
+ * source/destination port and the protocol). Additional matching
+ * is performed for the interface (a common behaviour is equivalent
+ * to the 6-tuple lookup including the interface ID). Note that the
+ * key may be formed using translated values in a case of NAT.
+ *