[src/trunk]: src/sys/net/npf Bye bye npf_session.c
details: https://anonhg.NetBSD.org/src/rev/c67070f2bd8d
branches: trunk
changeset: 330746:c67070f2bd8d
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Jul 20 00:43:47 2014 +0000
description:
Bye bye npf_session.c
diffstat:
sys/net/npf/npf_session.c | 1222 ---------------------------------------------
1 files changed, 0 insertions(+), 1222 deletions(-)
diffs (truncated from 1226 to 300 lines):
diff -r 778d8a22d9db -r c67070f2bd8d sys/net/npf/npf_session.c
--- a/sys/net/npf/npf_session.c Sun Jul 20 00:37:41 2014 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1222 +0,0 @@
-/* $NetBSD: npf_session.c,v 1.33 2014/07/19 18:24:16 rmind Exp $ */
-
-/*-
- * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This material is based upon work partially supported by The
- * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * NPF session tracking for stateful filtering and translation.
- *
- * Overview
- *
- * Session direction is identified by the direction of its first packet.
- * Packets can be incoming or outgoing with respect to an interface.
- * To describe the packet in the context of session direction, we will
- * use the terms "forwards stream" and "backwards stream". All sessions
- * have two embedded entries - npf_session_t::s_forw_entry for forwards
- * stream and npf_session_t::s_back_entry for backwards stream. These
- * entries (npf_sentry_t) contain source and destination identifiers.
- * Note that entry may contain translated values in a case of NAT.
- *
- * Sessions can serve two purposes: "pass" or "NAT". Sessions for the
- * former purpose are created according to the rules with "stateful"
- * attribute and are used for stateful filtering. Such sessions
- * indicate that the packet of the backwards stream should be passed
- * without inspection of the ruleset. Another purpose is to associate
- * NAT with a connection (which implies connection tracking). Such
- * sessions are created according to the NAT policies and they have a
- * relationship with NAT translation structure via npf_session_t::s_nat.
- * A single session can serve both purposes, which is a common case.
- *
- * Session life-cycle
- *
- * Sessions are established when a packet matches said rule or NAT policy.
- * Both entries of established session are inserted into the hashed tree.
- * A garbage collection thread periodically scans all session entries and
- * depending on session properties (e.g. last activity time, protocol)
- * removes session entries and expires the actual sessions.
- *
- * Each session has a reference count. Reference is acquired on lookup
- * and should be released by the caller. Reference guarantees that the
- * session will not be destroyed, although it may be expired.
- *
- * Synchronisation
- *
- * Session hash table is accessed in a lock-less manner by the main
- * operations: npf_session_inspect() and npf_session_establish().
- * Since they are always called from a software interrupt, the hash
- * table is protected using passive serialisation. The main place
- * which can destroy the hash table is npf_session_reload(). It has
- * to synchronise with other readers and writers using sess_lock,
- * primarily the G/C thread.
- *
- * ALG support
- *
- * Application-level gateways (ALGs) can override generic session
- * inspection (npf_alg_session() in npf_session_inspect() function)
- * by performing their own lookup using different identifiers.
- * Recursive call to npf_session_inspect() is not allowed, they
- * ought to use npf_session_lookup() for this purpose.
- *
- * Lock order
- *
- * sess_lock ->
- * [ npf_config_lock -> ]
- * npf_sehash_t::sh_lock ->
- * npf_state_t::nst_lock
- */
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.33 2014/07/19 18:24:16 rmind Exp $");
-
-#include <sys/param.h>
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <netinet/tcp.h>
-
-#include <sys/atomic.h>
-#include <sys/condvar.h>
-#include <sys/cprng.h>
-#include <sys/hash.h>
-#include <sys/kmem.h>
-#include <sys/kthread.h>
-#include <sys/mutex.h>
-#include <net/pfil.h>
-#include <sys/pool.h>
-#include <sys/rwlock.h>
-#include <sys/queue.h>
-#include <sys/systm.h>
-
-#include "npf_impl.h"
-#include "npf_conn.h"
-
-#define npf_session_t npf_conn_t
-#define npf_session npf_conn
-#define npf_sehash_t npf_conndb_t
-
-#define npf_session_sysinit npf_conn_sysinit
-#define npf_session_sysfini npf_conn_sysfini
-#define npf_session_tracking npf_conn_tracking
-#define npf_session_lookup npf_conn_lookup
-#define npf_session_inspect npf_conn_inspect
-#define npf_session_release npf_conn_release
-#define npf_session_establish npf_conn_establish
-#define npf_session_setnat npf_conn_setnat
-#define npf_session_expire npf_conn_expire
-#define npf_session_pass npf_conn_pass
-#define npf_session_setpass npf_conn_setpass
-#define npf_session_release npf_conn_release
-#define npf_session_retnat npf_conn_retnat
-#define npf_session_load npf_conn_load
-#define npf_session_save npf_conn_save
-#define npf_session_restore npf_conn_restore
-#define sess_htable_create npf_conndb_create
-#define sess_htable_destroy npf_conndb_destroy
-#define npf_alg_session npf_alg_conn
-
-/*
- * Session structures: entry for embedding and the main structure.
- * WARNING: update npf_session_restore() when adding fields.
- */
-
-struct npf_secomid;
-typedef struct npf_secomid npf_secomid_t;
-
-typedef struct {
- /* Session entry node and back-pointer to the actual session. */
- rb_node_t se_rbnode;
- union {
- npf_session_t * se_backptr;
- void * se_common_id;
- };
- /* Size of the addresses. */
- int se_alen;
- /* Source and destination addresses. */
- npf_addr_t se_src_addr;
- npf_addr_t se_dst_addr;
- /* Source and destination ports (TCP / UDP) or generic IDs. */
- uint16_t se_src_id;
- uint16_t se_dst_id;
-} npf_sentry_t;
-
-struct npf_conn {
- /* Session "forwards" and "backwards" entries. */
- npf_sentry_t s_forw_entry;
- npf_sentry_t s_back_entry;
- /* Entry in the session hash or G/C list. */
- LIST_ENTRY(npf_session) s_list;
- u_int s_refcnt;
- /* Protocol and interface (common IDs). */
- struct npf_secomid {
- uint16_t proto;
- uint16_t ifid;
- } s_common_id;
- /* Flags and the protocol state. */
- u_int s_flags;
- kmutex_t s_lock;
- npf_state_t s_state;
- /* Association of rule procedure data. */
- npf_rproc_t * s_rproc;
- /* NAT associated with this session (if any). */
- npf_nat_t * s_nat;
- /* Last activity time (used to calculate expiration time). */
- struct timespec s_atime;
-};
-
-#define SESS_HASH_BUCKETS 1024 /* XXX tune + make tunable */
-#define SESS_HASH_MASK (SESS_HASH_BUCKETS - 1)
-
-LIST_HEAD(npf_sesslist, npf_session);
-
-struct npf_conndb {
- rb_tree_t sh_tree;
- struct npf_sesslist sh_list;
- krwlock_t sh_lock;
- u_int sh_count;
-};
-
-/*
- * Session flags: PFIL_IN and PFIL_OUT values are reserved for direction.
- */
-CTASSERT(PFIL_ALL == (0x001 | 0x002));
-#define SE_ACTIVE 0x004 /* visible on inspection */
-#define SE_PASS 0x008 /* perform implicit passing */
-#define SE_EXPIRE 0x010 /* explicitly expire */
-
-/*
- * Flags to indicate removal of forwards/backwards session entries or
- * completion of session removal itself (i.e. both entries).
- */
-#define SE_REMFORW 0x020
-#define SE_REMBACK 0x040
-#define SE_REMOVED (SE_REMFORW | SE_REMBACK)
-
-/*
- * Session tracking state: disabled (off), enabled (on) or flush request.
- */
-enum { SESS_TRACKING_OFF, SESS_TRACKING_ON, SESS_TRACKING_FLUSH };
-static volatile int sess_tracking __cacheline_aligned;
-
-/* Session hash table, session cache and the lock. */
-static npf_sehash_t * sess_hashtbl __read_mostly;
-static pool_cache_t sess_cache __read_mostly;
-static kmutex_t sess_lock __cacheline_aligned;
-static kcondvar_t sess_cv __cacheline_aligned;
-static struct npf_sesslist sess_gc_list __cacheline_aligned;
-static uint32_t sess_hash_seed __read_mostly;
-
-static void npf_session_worker(void);
-static void npf_session_destroy(npf_session_t *);
-
-/*
- * npf_session_sys{init,fini}: initialise/destroy session handling structures.
- *
- * Session table is initialised when session tracking gets enabled via
- * npf_session_tracking() interface.
- */
-
-void
-npf_session_sysinit(void)
-{
- sess_cache = pool_cache_init(sizeof(npf_session_t), coherency_unit,
- 0, 0, "npfsespl", NULL, IPL_NET, NULL, NULL, NULL);
- mutex_init(&sess_lock, MUTEX_DEFAULT, IPL_NONE);
- cv_init(&sess_cv, "npfsecv");
- sess_tracking = SESS_TRACKING_OFF;
- LIST_INIT(&sess_gc_list);
- sess_hashtbl = NULL;
-
- sess_hash_seed = cprng_fast32();
- npf_worker_register(npf_session_worker);
-}
-
-void
-npf_session_sysfini(void)
-{
- /* Disable tracking, flush all sessions. */
- npf_session_tracking(false);
- npf_worker_unregister(npf_session_worker);
-
- KASSERT(sess_tracking == SESS_TRACKING_OFF);
- KASSERT(LIST_EMPTY(&sess_gc_list));
- KASSERT(sess_hashtbl == NULL);
-
- pool_cache_destroy(sess_cache);
- mutex_destroy(&sess_lock);
- cv_destroy(&sess_cv);
-}
-
-/*
- * Session hash table and RB-tree helper routines.
- * The order is (src.id, dst.id, src.addr, dst.addr, common_id),
- * where (node1 < node2) shall be negative.
- */
-
-static signed int
-sess_rbtree_cmp_nodes(void *ctx, const void *n1, const void *n2)
-{
- const npf_sentry_t * const sen1 = n1;
- const npf_sentry_t * const sen2 = n2;
- const int sz = sen1->se_alen;
- int ret;
-
- if (sen1->se_src_id != sen2->se_src_id) {
- return (sen1->se_src_id < sen2->se_src_id) ? -1 : 1;
- }
- if (sen1->se_dst_id != sen2->se_dst_id) {
- return (sen1->se_dst_id < sen2->se_dst_id) ? -1 : 1;
- }
- if (sen1->se_alen != sen2->se_alen) {
- return (sen1->se_alen < sen2->se_alen) ? -1 : 1;