Source-Changes-HG archive


[src/trunk]: src/sys/net/npf NPF: adjust the 'stateful-ends' mechanism to tag...



details:   https://anonhg.NetBSD.org/src/rev/6311625eb435
branches:  trunk
changeset: 349363:6311625eb435
user:      rmind <rmind%NetBSD.org@localhost>
date:      Thu Dec 08 23:07:11 2016 +0000

description:
NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass them through on other interfaces.  Per discussion with christos@.

diffstat:

 sys/net/npf/npf.h         |  10 +++++-----
 sys/net/npf/npf_conn.c    |  18 ++++++++++++++----
 sys/net/npf/npf_handler.c |  11 +++++++++--
 sys/net/npf/npf_mbuf.c    |  10 +++++-----
 4 files changed, 33 insertions(+), 16 deletions(-)

diffs (156 lines):

diff -r 7df06b6c5f01 -r 6311625eb435 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Thu Dec 08 21:42:42 2016 +0000
+++ b/sys/net/npf/npf.h Thu Dec 08 23:07:11 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $   */
+/*     $NetBSD: npf.h,v 1.48 2016/12/08 23:07:11 rmind Exp $   */
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -116,8 +116,8 @@
 void *         nbuf_ensure_writable(nbuf_t *, size_t);
 
 bool           nbuf_cksum_barrier(nbuf_t *, int);
-int            nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
-int            nbuf_find_tag(nbuf_t *, uint32_t, void **);
+int            nbuf_add_tag(nbuf_t *, uint32_t);
+int            nbuf_find_tag(nbuf_t *, uint32_t *);
 
 /*
  * Packet information cache.
@@ -259,8 +259,8 @@
 #define        NPF_LAYER_2                     2
 #define        NPF_LAYER_3                     3
 
-/* XXX mbuf.h: just for now. */
-#define        PACKET_TAG_NPF                  10
+/* Packet tags. */
+#define        NPF_NTAG_PASS                   0x0001
 
 /*
  * Rule commands (non-ioctl).
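Review bot: The new `/* Packet tags. */` comment does not say that these values are bit flags, although npf_handler.c in this changeset tests the tag with `(ntag & NPF_NTAG_PASS) != 0`. Because this flag makes the packet handler jump past connection inspection, the header is the natural place to record its meaning; I would write `/* Packet tag flags (bitmask kept in the NPF mbuf tag). NPF_NTAG_PASS: pass the packet without further inspection. */`. The hunk also removes `PACKET_TAG_NPF` from this header, so npf_mbuf.c presumably picks it up from mbuf.h now; that is not visible in this diff and is worth confirming.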
diff -r 7df06b6c5f01 -r 6311625eb435 sys/net/npf/npf_conn.c
--- a/sys/net/npf/npf_conn.c    Thu Dec 08 21:42:42 2016 +0000
+++ b/sys/net/npf/npf_conn.c    Thu Dec 08 23:07:11 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $      */
+/*     $NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $      */
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -99,7 +99,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -432,11 +432,21 @@
        ok = npf_state_inspect(npc, &con->c_state, forw);
        mutex_exit(&con->c_lock);
 
+       /* If invalid state: let the rules deal with it. */
        if (__predict_false(!ok)) {
-               /* Invalid: let the rules deal with it. */
                npf_conn_release(con);
                npf_stats_inc(NPF_STAT_INVALID_STATE);
-               con = NULL;
+               return NULL;
+       }
+
+       /*
+        * If this is multi-end state, then specially tag the packet
+        * so it will be just passed-through on other interfaces.
+        */
+       if (con->c_ifid == 0 && nbuf_add_tag(nbuf, NPF_NTAG_PASS) != 0) {
+               npf_conn_release(con);
+               *error = ENOMEM;
+               return NULL;
        }
        return con;
 }
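Review bot: The tagging failure path stores a fixed `ENOMEM` in `*error`, while nbuf_add_tag() is documented in npf_mbuf.c as returning 0 or an errno, so any other failure reason is lost. Propagating the value keeps the two in step: `if (con->c_ifid == 0 && (*error = nbuf_add_tag(nbuf, NPF_NTAG_PASS)) != 0) {` with the `*error = ENOMEM;` line dropped (this also writes 0 to `*error` on success, which should be harmless if the caller initialises it, but check). Releasing the connection and returning NULL with an error set presumably makes the handler drop the packet, which is the safe outcome when the tag cannot be attached. `con->c_ifid` is read after `mutex_exit(&con->c_lock)`; if the field is immutable after creation, a short comment saying so would help, since the function starts outside the hunk and that cannot be confirmed here.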
diff -r 7df06b6c5f01 -r 6311625eb435 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Thu Dec 08 21:42:42 2016 +0000
+++ b/sys/net/npf/npf_handler.c Thu Dec 08 23:07:11 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_handler.c,v 1.33 2014/07/23 01:25:34 rmind Exp $   */
+/*     $NetBSD: npf_handler.c,v 1.34 2016/12/08 23:07:11 rmind Exp $   */
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.33 2014/07/23 01:25:34 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.34 2016/12/08 23:07:11 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -147,6 +147,7 @@
        npf_rule_t *rl;
        npf_rproc_t *rp;
        int error, retfl;
+       uint32_t ntag;
        int decision;
 
        /*
@@ -179,6 +180,12 @@
                }
        }
 
+       /* Just pass-through if specially tagged. */
+       if (nbuf_find_tag(&nbuf, &ntag) == 0 && (ntag & NPF_NTAG_PASS) != 0) {
+               con = NULL;
+               goto pass;
+       }
+
        /* Inspect the list of connections (if found, acquires a reference). */
        con = npf_conn_inspect(&npc, di, &error);
 
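Review bot: The comment on this early exit should state where the trust in the tag comes from, because any NPF mbuf tag with `NPF_NTAG_PASS` set now skips connection inspection and, depending on what the `pass` label does outside this hunk, presumably the ruleset as well. In this changeset the only setter visible is npf_conn_inspect(), for connections with `c_ifid == 0`, and the tag is kernel-side mbuf metadata rather than packet content. I would expand the comment to something like `/* Tagged by npf_conn_inspect() for a multi-end state: already validated on another interface, so pass without re-inspection. */`. The check is not restricted to a different interface or direction, so it is worth confirming that the tag cannot outlive the forwarding path it was meant for, for example on an mbuf that is re-injected or encapsulated; that is not visible here.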
diff -r 7df06b6c5f01 -r 6311625eb435 sys/net/npf/npf_mbuf.c
--- a/sys/net/npf/npf_mbuf.c    Thu Dec 08 21:42:42 2016 +0000
+++ b/sys/net/npf/npf_mbuf.c    Thu Dec 08 23:07:11 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $        */
+/*     $NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $      */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/mbuf.h>
@@ -274,7 +274,7 @@
  * => Returns 0 on success or errno on failure.
  */
 int
-nbuf_add_tag(nbuf_t *nbuf, uint32_t key, uint32_t val)
+nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
 {
        struct mbuf *m = nbuf->nb_mbuf0;
        struct m_tag *mt;
@@ -298,7 +298,7 @@
  * => Returns 0 on success or errno on failure.
  */
 int
-nbuf_find_tag(nbuf_t *nbuf, uint32_t key, void **data)
+nbuf_find_tag(nbuf_t *nbuf, uint32_t *val)
 {
        struct mbuf *m = nbuf->nb_mbuf0;
        struct m_tag *mt;
@@ -309,6 +309,6 @@
        if (mt == NULL) {
                return EINVAL;
        }
-       *data = (void *)(mt + 1);
+       *val = *(uint32_t *)(mt + 1);
        return 0;
 }
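Review bot: `*val = *(uint32_t *)(mt + 1);` now dereferences the tag payload directly, so it relies on the tag that was found having been allocated with at least `sizeof(uint32_t)` bytes of payload. The allocation in nbuf_add_tag() and the lookup call are outside these hunks, so the size cannot be checked from here. A cheap guard before the read would make the assumption explicit: `KASSERT(mt->m_tag_len >= sizeof(uint32_t));`. The function comment, of which only the last line is visible, should also describe `val` as an out parameter that receives the tag flags and is left untouched when EINVAL is returned.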


