[src/trunk]: src/sys/net/npf - Increase copyin buffer size to 4M
details: https://anonhg.NetBSD.org/src/rev/c79b2ceb3ccc
branches: trunk
changeset: 350970:c79b2ceb3ccc
user: christos <christos%NetBSD.org@localhost>
date: Sun Jan 29 00:15:54 2017 +0000
description:
- Increase copyin buffer size to 4M
- Change the log output format to match OpenBSD's pf: put the matching rule and related fields in the record header, and fill in the matching info.
diffstat:
sys/net/npf/if_npflog.c | 7 ++-
sys/net/npf/if_npflog.h | 63 +++++++++++++++++++++++++++++++++++++++++
sys/net/npf/npf.h | 11 +++++-
sys/net/npf/npf_conn.c | 11 ++++--
sys/net/npf/npf_conn.h | 9 +++-
sys/net/npf/npf_ctl.c | 7 ++-
sys/net/npf/npf_ext_log.c | 51 +++++++++++++++++++++++++++-----
sys/net/npf/npf_ext_normalize.c | 7 ++-
sys/net/npf/npf_ext_rndblock.c | 7 ++-
sys/net/npf/npf_handler.c | 27 +++++++++-------
sys/net/npf/npf_impl.h | 7 ++-
sys/net/npf/npf_rproc.c | 7 ++-
sys/net/npf/npf_ruleset.c | 11 ++++--
13 files changed, 174 insertions(+), 51 deletions(-)
diffs (truncated from 594 to 300 lines):
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/if_npflog.c
--- a/sys/net/npf/if_npflog.c Sat Jan 28 23:59:15 2017 +0000
+++ b/sys/net/npf/if_npflog.c Sun Jan 29 00:15:54 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/module.h>
@@ -53,6 +53,7 @@
#endif
#include "npf_impl.h"
+#include "if_npflog.h"
MODULE(MODULE_CLASS_DRIVER, if_npflog, NULL);
@@ -128,7 +129,7 @@
KERNEL_LOCK(1, NULL);
if_attach(ifp);
if_alloc_sadl(ifp);
- bpf_attach(ifp, DLT_NULL, 0);
+ bpf_attach(ifp, DLT_NPFLOG, NPFLOG_HDRLEN);
LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
KERNEL_UNLOCK_ONE(NULL);
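Review bot: The length passed to bpf_attach() is NPFLOG_HDRLEN, the full padded struct size, while each record written by npf_log() reports NPFLOG_REAL_HDRLEN in its length field, and nothing at this call site explains the difference. A one-line comment would spare the next reader a trip to the header: `/* DLT_PFLOG-compatible header: bpf gets the padded size, hdr.length the unpadded one */`. This also moves npflog0 from DLT_NULL to DLT_PFLOG, so any existing consumer capturing on the interface now needs a pflog decoder; the attach function begins outside the hunk.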
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/if_npflog.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/net/npf/if_npflog.h Sun Jan 29 00:15:54 2017 +0000
@@ -0,0 +1,63 @@
+/* $NetBSD: if_npflog.h,v 1.1 2017/01/29 00:15:54 christos Exp $ */
+
+/*
+ * Copyright 2001 Niels Provos <provos%citi.umich.edu@localhost>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _NET_NPF_IF_NPFLOG_H_
+#define _NET_NPF_IF_NPFLOG_H_
+
+#ifndef _KERNEL
+#error "not supposed to be exposed to userland"
+#endif
+
+#define NPFLOG_RULESET_NAME_SIZE 16
+
+/*
+ * For now, we use a header compatible with pflog.
+ * This will be improved in the future.
+ */
+
+struct npfloghdr {
+ uint8_t length;
+ sa_family_t af;
+ uint8_t action;
+ uint8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[NPFLOG_RULESET_NAME_SIZE];
+ uint32_t rulenr;
+ uint32_t subrulenr;
+ uint32_t uid;
+ uint32_t pid;
+ uint32_t rule_uid;
+ uint32_t rule_pid;
+ uint8_t dir;
+ uint8_t pad[3];
+};
+
+#define DLT_NPFLOG DLT_PFLOG
+
+#define NPFLOG_HDRLEN sizeof(struct npfloghdr)
+#define NPFLOG_REAL_HDRLEN offsetof(struct npfloghdr, pad)
+
+#endif /* _NET_NPF_IF_NPFLOG_H_ */
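Review bot: DLT_NPFLOG aliases DLT_PFLOG, so userland decoders will parse struct npfloghdr with pflog's fixed layout, yet nothing in this header pins that layout; the comment even anticipates "improving" it, and a widened or reordered field would then be misdecoded silently unless DLT_NPFLOG gets its own DLT value. Add a compile-time check after the struct, `CTASSERT(sizeof(struct npfloghdr) == 64);` (the pflog header size as I recall it from tcpdump, worth confirming), and extend the comment to say the layout is an ABI shared with DLT_PFLOG consumers and must not change while the alias stands. The uid/pid members are plain uint32_t rather than uid_t/pid_t; the visible part of npf_log() zeroes the header and never fills them, so that is harmless today, but a `/* placeholders, always 0 */` note would stop someone reading real credentials into them.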
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sat Jan 28 23:59:15 2017 +0000
+++ b/sys/net/npf/npf.h Sun Jan 29 00:15:54 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.53 2016/12/26 23:39:18 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.54 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -196,11 +196,18 @@
typedef struct npf_rproc npf_rproc_t;
typedef struct {
+ uint64_t mi_rid;
+ u_int mi_retfl;
+ u_int mi_di;
+} npf_match_info_t;
+
+typedef struct {
unsigned int version;
void * ctx;
int (*ctor)(npf_rproc_t *, prop_dictionary_t);
void (*dtor)(npf_rproc_t *, void *);
- bool (*proc)(npf_cache_t *, void *, int *);
+ bool (*proc)(npf_cache_t *, void *, const npf_match_info_t *,
+ int *);
} npf_ext_ops_t;
void * npf_ext_register(npf_t *, const char *, const npf_ext_ops_t *);
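Review bot: Changing the `proc` callback's parameter list changes the rproc extension ABI: an extension built against the previous npf_ext_ops_t would still be accepted by npf_ext_register() unless the version check rejects it, and would then receive the new match-info pointer in the slot where it expects `int *decision`. npf_ext_ops_t carries a `version` field for exactly this case, and nothing in the truncated diff shows the version constant being bumped; if it is not bumped elsewhere in the change, it should be, alongside this signature. A short comment on the new type would also help readers of the public header, e.g. `/* Matching rule id, its return flags and the packet direction, handed to rprocs */` — mi_rid as rule id and mi_di as direction is inferred from the names only, so confirm before committing the wording.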
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/npf_conn.c
--- a/sys/net/npf/npf_conn.c Sat Jan 28 23:59:15 2017 +0000
+++ b/sys/net/npf/npf_conn.c Sun Jan 29 00:15:54 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -100,7 +100,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -723,10 +723,11 @@
* npf_conn_pass: return true if connection is "pass" one, otherwise false.
*/
bool
-npf_conn_pass(const npf_conn_t *con, npf_rproc_t **rp)
+npf_conn_pass(const npf_conn_t *con, npf_match_info_t *mi, npf_rproc_t **rp)
{
KASSERT(con->c_refcnt > 0);
if (__predict_true(con->c_flags & CONN_PASS)) {
+ *mi = con->c_mi;
*rp = con->c_rproc;
return true;
}
@@ -738,7 +739,7 @@
* rule procedure with it.
*/
void
-npf_conn_setpass(npf_conn_t *con, npf_rproc_t *rp)
+npf_conn_setpass(npf_conn_t *con, const npf_match_info_t *mi, npf_rproc_t *rp)
{
KASSERT((con->c_flags & CONN_ACTIVE) == 0);
KASSERT(con->c_refcnt > 0);
@@ -751,6 +752,8 @@
*/
atomic_or_uint(&con->c_flags, CONN_PASS);
con->c_rproc = rp;
+ if (rp)
+ con->c_mi = *mi;
}
/*
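Review bot: npf_conn_setpass() copies the match info only when `rp` is non-NULL (`if (rp) con->c_mi = *mi;`), but npf_conn_pass() earlier in this file hands `con->c_mi` back unconditionally, so for a pass connection established without a rule procedure the caller gets whatever c_mi held before — uninitialised unless the connection is zero-filled at allocation, which this diff does not show. Either copy unconditionally, `con->c_mi = *mi;`, or state the contract in the function comment, `/* c_mi is only valid when c_rproc is set. */`, and make the readers of c_mi honour it. The unconditional copy is simpler and costs a 16-byte store per connection setup.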
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/npf_conn.h
--- a/sys/net/npf/npf_conn.h Sat Jan 28 23:59:15 2017 +0000
+++ b/sys/net/npf/npf_conn.h Sun Jan 29 00:15:54 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.h,v 1.11 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_conn.h,v 1.12 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -88,6 +88,7 @@
npf_state_t c_state;
u_int c_refcnt;
uint64_t c_atime;
+ npf_match_info_t c_mi;
};
#endif
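Review bot: The new c_mi member carries an invariant the declaration does not state: in this change it is written by npf_conn_setpass() only when a rule procedure is attached, and read back by npf_conn_pass() regardless. A trailing comment would capture that for the next reader: `npf_match_info_t c_mi; /* match info for the rproc; set with c_rproc */`. The struct's opening line is outside the hunk.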
@@ -106,8 +107,10 @@
npf_conn_t * npf_conn_establish(npf_cache_t *, int, bool);
void npf_conn_release(npf_conn_t *);
void npf_conn_expire(npf_conn_t *);
-bool npf_conn_pass(const npf_conn_t *, npf_rproc_t **);
-void npf_conn_setpass(npf_conn_t *, npf_rproc_t *);
+bool npf_conn_pass(const npf_conn_t *, npf_match_info_t *,
+ npf_rproc_t **);
+void npf_conn_setpass(npf_conn_t *, const npf_match_info_t *,
+ npf_rproc_t *);
int npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
npf_nat_t *, u_int);
npf_nat_t * npf_conn_getnat(npf_conn_t *, const int, bool *);
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sat Jan 28 23:59:15 2017 +0000
+++ b/sys/net/npf/npf_ctl.c Sun Jan 29 00:15:54 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -513,7 +513,8 @@
/* Retrieve the dictionary. */
#if !defined(_NPF_TESTING) && !defined(_NPF_STANDALONE)
- error = prop_dictionary_copyin_ioctl(pref, cmd, &npf_dict);
+ error = prop_dictionary_copyin_ioctl_size(pref, cmd, &npf_dict,
+ 4 * 1024 * 1024);
if (error)
return error;
#else
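Review bot: `4 * 1024 * 1024` is a bare magic number at the one site where the kernel decides how much memory it will allocate on behalf of an ioctl caller; name it, e.g. `#define NPF_DICT_MAXSIZE (4 * 1024 * 1024) /* cap on a copied-in ruleset dictionary */`, so the bound is visible and tunable in one place. The cap is what prevents a caller from driving an arbitrarily large kernel allocation, so the comment should say that is its purpose rather than only that large rulesets need the room. The enclosing function starts outside the hunk, so whether the control device is restricted to privileged callers is not visible here; the bound matters either way.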
diff -r 7ff9d867fc90 -r c79b2ceb3ccc sys/net/npf/npf_ext_log.c
--- a/sys/net/npf/npf_ext_log.c Sat Jan 28 23:59:15 2017 +0000
+++ b/sys/net/npf/npf_ext_log.c Sun Jan 29 00:15:54 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/module.h>
@@ -52,6 +52,7 @@
#endif
#include "npf_impl.h"
+#include "if_npflog.h"
NPF_EXT_MODULE(npf_ext_log, "");
@@ -81,21 +82,54 @@
}
static bool
-npf_log(npf_cache_t *npc, void *meta, int *decision)
+npf_log(npf_cache_t *npc, void *meta, const npf_match_info_t *mi, int *decision)
{
struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf);
const npf_ext_log_t *log = meta;
struct psref psref;
ifnet_t *ifp;
- int family;
+ struct npfloghdr hdr;
+ memset(&hdr, 0, sizeof(hdr));
/* Set the address family. */
if (npf_iscached(npc, NPC_IP4)) {
- family = AF_INET;
+ hdr.af = AF_INET;
} else if (npf_iscached(npc, NPC_IP6)) {
- family = AF_INET6;
+ hdr.af = AF_INET6;
} else {
- family = AF_UNSPEC;
+ hdr.af = AF_UNSPEC;
+ }
+
+ hdr.length = NPFLOG_REAL_HDRLEN;
+ hdr.action = *decision == NPF_DECISION_PASS ?
+ 0 /* pass */ : 1 /* block */;
+ hdr.reason = 0; /* match */
+ struct nbuf *nb = npc->npc_nbuf;
+ const char *ifname = nb && nb->nb_ifid ?
+ npf_ifmap_getname(npc->npc_ctx, nb->nb_ifid) : "???";
+
+ strlcpy(hdr.ifname, ifname, sizeof(hdr.ifname));