[src/trunk]: src Major NPF improvements:
details: https://anonhg.NetBSD.org/src/rev/1079842192d8
branches: trunk
changeset: 447638:1079842192d8
user: rmind <rmind%NetBSD.org@localhost>
date: Sat Jan 19 21:19:31 2019 +0000
description:
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
diffstat:
lib/libnpf/libnpf.3 | 121 +++-
lib/libnpf/npf.c | 80 ++-
lib/libnpf/npf.h | 20 +-
sys/net/npf/npf.c | 4 +-
sys/net/npf/npf.h | 20 +-
sys/net/npf/npf_alg.c | 38 +-
sys/net/npf/npf_conn.c | 145 +---
sys/net/npf/npf_conn.h | 38 +-
sys/net/npf/npf_conndb.c | 354 +++++++-----
sys/net/npf/npf_ctl.c | 52 +-
sys/net/npf/npf_ifaddr.c | 4 +-
sys/net/npf/npf_impl.h | 6 +-
sys/net/npf/npf_inet.c | 40 +-
sys/net/npf/npf_nat.c | 192 +++++--
sys/net/npf/npf_tableset.c | 394 +++++++++-----
sys/net/npf/npf_worker.c | 34 +-
usr.sbin/npf/npf.7 | 8 +-
usr.sbin/npf/npfctl/npf.conf.5 | 88 ++-
usr.sbin/npf/npfctl/npf_build.c | 210 +++++-
usr.sbin/npf/npfctl/npf_data.c | 9 +-
usr.sbin/npf/npfctl/npf_parse.y | 111 ++-
usr.sbin/npf/npfctl/npf_scan.l | 6 +
usr.sbin/npf/npfctl/npf_show.c | 112 ++-
usr.sbin/npf/npfctl/npf_var.c | 6 +-
usr.sbin/npf/npfctl/npfctl.8 | 12 +-
usr.sbin/npf/npfctl/npfctl.c | 9 +-
usr.sbin/npf/npfctl/npfctl.h | 4 +
usr.sbin/npf/npftest/libnpftest/Makefile | 1 +
usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c | 174 ++++++
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c | 5 +-
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c | 14 +-
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c | 2 -
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c | 26 +-
usr.sbin/npf/npftest/libnpftest/npf_state_test.c | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_table_test.c | 615 +++++++++++++++-------
usr.sbin/npf/npftest/libnpftest/npf_test.h | 12 +-
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c | 4 +-
usr.sbin/npf/npftest/npfstream.c | 11 +-
usr.sbin/npf/npftest/npftest.c | 10 +-
usr.sbin/npf/npftest/npftest.conf | 15 +-
usr.sbin/npf/npftest/npftest.h | 2 +
43 files changed, 2000 insertions(+), 1020 deletions(-)
diffs (truncated from 5273 to 300 lines):
diff -r 3ee5856b7e95 -r 1079842192d8 lib/libnpf/libnpf.3
--- a/lib/libnpf/libnpf.3 Sat Jan 19 20:56:03 2019 +0000
+++ b/lib/libnpf/libnpf.3 Sat Jan 19 21:19:31 2019 +0000
@@ -1,6 +1,6 @@
-.\" $NetBSD: libnpf.3,v 1.6 2018/09/29 14:41:36 rmind Exp $
+.\" $NetBSD: libnpf.3,v 1.7 2019/01/19 21:19:31 rmind Exp $
.\"
-.\" Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2018 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 10, 2018
+.Dd December 29, 2018
.Dt LIBNPF 3
.Os
.Sh NAME
@@ -43,49 +43,57 @@
.Ft int
.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo"
.Ft nl_config_t *
-.Fn npf_config_retrieve "int fd" "bool *active" "bool *loaded"
+.Fn npf_config_retrieve "int fd"
.Ft int
.Fn npf_config_flush "int fd"
.Ft void
-.Fn npf_config_export "const nl_config_t *ncf" "size_t *len"
+.Fn npf_config_export "nl_config_t *ncf" "size_t *len"
.Ft nl_config_t *
.Fn npf_config_import "const void *blob" "size_t len"
.Ft bool
.Fn npf_config_active_p "nl_config_t *ncf"
+.Ft bool
+.Fn npf_config_loaded_p "nl_config_t *ncf"
.Ft void
.Fn npf_config_destroy "nl_config_t *ncf"
.\" ---
.Ft nl_rule_t *
-.Fn npf_rule_create "char *name" "uint32_t attr" "const char *ifname"
+.Fn npf_rule_create "const char *name" "uint32_t attr" "const char *ifname"
.Ft int
.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len"
.Ft int
-.Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len"
+.Fn npf_rule_setkey "nl_rule_t *rl" "const void *key" "size_t len"
.Ft int
.Fn npf_rule_setinfo "nl_rule_t *rl" "const void *info" "size_t len"
-.Ft bool
-.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name"
.Ft int
.Fn npf_rule_setprio "nl_rule_t *rl" "int pri"
.Ft int
-.Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name"
+.Fn npf_rule_setproc "nl_rule_t *rl" "const char *name"
.Ft int
.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl"
+.Ft bool
+.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name"
.Ft void *
.Fn npf_rule_export "nl_rule_t *rl" "size_t *length"
.Ft void
.Fn npf_rule_destroy "nl_rule_t *rl"
.\" ---
.Ft nl_rproc_t *
-.Fn npf_rproc_create "char *name"
+.Fn npf_rproc_create "const char *name"
+.Ft int
+.Fn npf_rproc_extcall "nl_rproc_t *rp" "nl_ext_t *ext"
.Ft bool
.Fn npf_rproc_exists_p "nl_config_t *ncf" "const char *name"
.Ft int
.Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp"
.\" ---
.Ft nl_nat_t *
-.Fn npf_nat_create "int type" "u_int flags" "const char *ifname" \
-"npf_addr_t *addr" "int af" "in_port_t port"
+.Fn npf_nat_create "int type" "unsigned flags" "const char *ifname"
+.Ft int
+.Fn npf_nat_setaddr "nl_nat_t *nt" "int af" "npf_addr_t *addr" \
+"npf_netmask_t mask"
+.Ft int
+.Fn npf_nat_setport "nl_nat_t *nt" "in_port_t port"
.Ft int
.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri"
.\" ---
@@ -93,7 +101,7 @@
.Fn npf_table_create "const char *name" "u_int id" "int type"
.Ft int
.Fn npf_table_add_entry "nl_table_t *tl" "int af" \
-"in_addr_t addr" "in_addr_t mask"
+"const npf_addr_t *addr" "const npf_netmask_t mask"
.Ft int
.Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl"
.Ft void
@@ -118,8 +126,8 @@
On failure, the error information is written into the structure
specified by
.Fa errinfo .
-.It Fn npf_config_export "fd" "len"
-Serialize the current configuration and return the binary object as
+.It Fn npf_config_export "ncf" "len"
+Serialize the given configuration and return the binary object as
well as its length in
.Fa len
parameter.
@@ -130,11 +138,14 @@
unserialize, and return the configuration object.
.It Fn npf_config_flush "fd"
Flush the current configuration.
-.It Fn npf_config_retrieve "fd" "active" "loaded"
+.It Fn npf_config_retrieve "fd"
Retrieve and return the loaded configuration from the kernel.
.It Fn npf_config_active_p "ncf"
-Indicate whether the retrieved configuration is active (true if yes
-and false otherwise).
+Indicate whether the retrieved configuration is active i.e. packet
+filtering is enabled (true if yes and false otherwise).
+.It Fn npf_config_loaded_p "ncf"
+Indicate whether the retrieved configuration is loaded i.e. has any
+rules (true if yes and false otherwise).
.It Fn npf_config_destroy "ncf"
Destroy the configuration object, specified by
.Fa ncf .
@@ -143,7 +154,7 @@
.Ss Rule interface
.Bl -tag -width 4n
.It Fn npf_rule_create "name" "attr" "ifname"
-Create a rule with a given name, attribute and priorty.
+Create a rule with a given name, attributes and priority.
If the name is specified, then it should be unique within the
configuration object.
Otherwise, the name can be
@@ -208,7 +219,7 @@
.Dv NPF_CODE_BPF
constant should be passed.
.\" ---
-.It Fn npf_rule_setkey "rl" "type" "key" "len"
+.It Fn npf_rule_setkey "rl" "key" "len"
Assign a key for the rule specified by
.Fa rl .
The binary key is specified by
@@ -245,7 +256,7 @@
All rules inserted using these constants will have the priority 0
assigned and will share this level in the ordered way.
.\" ---
-.It Fn npf_rule_setproc "ncf" "rl" "name"
+.It Fn npf_rule_setproc "rl" "name"
Set a procedure for the specified rule.
.\" ---
.It Fn npf_rule_insert "ncf" "parent" "rl"
@@ -258,6 +269,9 @@
then insert into the main ruleset.
The rule must not be referenced after insertion.
.\" ---
+.It Fn npf_rule_exists_p "ncf" "name"
+Check whether the rule with a given name is already in the configuration.
+.\" ---
.It Fn npf_rule_export "rl" "length"
Serialize the rule (including the byte-code), return a binary object
and set its
@@ -282,7 +296,7 @@
.\" -----
.Ss Translation interface
.Bl -tag -width 4n
-.It Fn npf_nat_create "type" "flags" "ifname" "addr" "af" "port"
+.It Fn npf_nat_create "type" "flags" "ifname"
Create a NAT policy of a specified type.
There are two types:
.Bl -tag -width "NPF_NAT_PORTMAP "
@@ -315,7 +329,11 @@
flag is set.
.El
.Pp
-The translation address is specified by
+The network interface on which the policy will be applicable is specified by
+.Fa ifname .
+.\" ---
+.It Fn npf_nat_setaddr "nt" "af" "addr" "mask"
+Set the translation address, as specified by
.Fa addr ,
and its family by
.Fa af .
@@ -324,12 +342,36 @@
for IPv4 or
.Dv AF_INET6
for IPv6 address.
+Additionally,
+.Fa mask
+may be specified to indicate the translation network.
+In such case, a custom algorithm may need to be specified using the
+.Fn npf_nat_setalgo
+function.
+.\" ---
+.It Fn npf_nat_setport "nt" "port"
+Set the translation port, specified by
+.Fa port .
.\" ---
.It Fn npf_nat_setalgo "nt" "algo"
Set a particular NAT algorithm.
-Currently, only
-.Dv NPF_ALGO_NPT66
-algorithm is supported for NPTv6 (RFC 6296).
+Currently, the following algorithms are supported with dynamic NAT:
+.Bl -tag -width "NPF_ALGO_IPHASH"
+.It Dv NPF_ALGO_IPHASH
+Hash of the source and destination addresses.
+.It Dv NPF_ALGO_RR
+Round-robin for the translation addresses.
+.El
+.Pp
+The following are support with static NAT:
+.Bl -tag -width "NPF_ALGO_NETMAP"
+.It Dv NPF_ALGO_NETMAP
+Network-to-network map where the translation network prefix (address
+after applying the mask) is bitwise OR-ed with the host part of the
+original address (zero bits of the mask).
+.It Dv NPF_ALGO_NPT66
+IPv6-to-IPv6 Network Prefix Translation (NPTv6, defined in RFC 6296).
+.El
.\" ---
.It Fn npf_nat_insert "ncf" "nt" "pri"
Insert NAT policy, its rule, into the specified configuration.
@@ -348,17 +390,20 @@
.Dv NPF_MAX_TABLES .
.Pp
The following types are supported:
-.Bl -tag -width "NPF_TABLE_HASH"
-.It Dv NPF_TABLE_HASH
-Indicates to use a hash table for storage.
-.It Dv NPF_TABLE_TREE
-Indicates to use a tree for storage, supporting the longest
-prefix match.
-.It Dv NPF_TABLE_CDB
-Indicates to use constant database for storage, typically using
-a perfect hash table, which will be generated on table insertion
-into the configuration.
-Such table will be immutable.
+.Bl -tag -width "NPF_TABLE_IPSET"
+.It Dv NPF_TABLE_IPSET
+Indicates to use a regular associative array for storage of IP sets.
+Currently implemented as a hashmap.
+.It Dv NPF_TABLE_LPM
+Indicates to the table can contain networks (as well as hosts) and the
+longest prefix match should be performed on lookup.
+.It Dv NPF_TABLE_CONST
+Indicates that the table contents will be constant and the table can be
+considered immutable (no inserts/removes after load).
+If such constraint is acceptable, this table type will provide the best
+performance.
+It is currently implemented as a perfect hash table, generated on table
+insertion into the configuration.
.El
.\" ---
.It Fn npf_table_add_entry "tl" "af" "addr" "mask"
diff -r 3ee5856b7e95 -r 1079842192d8 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sat Jan 19 20:56:03 2019 +0000
+++ b/lib/libnpf/npf.c Sat Jan 19 21:19:31 2019 +0000
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.44 2018/09/29 14:41:36 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.45 2019/01/19 21:19:31 rmind Exp $");
#include <sys/types.h>
#include <sys/mman.h>
@@ -736,8 +736,7 @@
*/
nl_nat_t *
-npf_nat_create(int type, unsigned flags, const char *ifname,
- int af, npf_addr_t *addr, npf_netmask_t mask, in_port_t port)
+npf_nat_create(int type, unsigned flags, const char *ifname)
{
nl_rule_t *rl;
nvlist_t *rule_dict;
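Review bot: The translation address, mask and port are no longer recorded at creation time (this hunk narrows the signature and the following hunk at @@ -756 drops the "nat-ip", "nat-mask" and "nat-port" nvlist entries), so a policy created here and handed straight to npf_nat_insert() carries none of them, and nothing visible in this file says whether the consumer rejects or defaults such a policy. The header comment that closes just above the new signature presumably still describes the old argument list; it should instead state the new contract, e.g. `Creates a NAT policy; the translation address/mask and port are not set here and must be supplied with npf_nat_setaddr() and npf_nat_setport() before npf_nat_insert()`. It would also be worth failing explicitly, in npf_nat_insert() or on the kernel control path, when a dynamic NAT policy reaches insertion without a translation address, rather than relying on the missing keys being noticed later — that code is outside this excerpt, so treat it as a question. The body of npf_nat_create continues past this hunk.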
@@ -756,17 +755,6 @@
/* Translation type and flags. */
nvlist_add_number(rule_dict, "type", type);
nvlist_add_number(rule_dict, "flags", flags);
-
- /* Translation IP and mask. */
- if (!_npf_add_addr(rule_dict, "nat-ip", af, addr)) {
- npf_rule_destroy(rl);
- return NULL;
- }
- nvlist_add_number(rule_dict, "nat-mask", (uint32_t)mask);
-
- /* Translation port (for redirect case). */
- nvlist_add_number(rule_dict, "nat-port", port);
-
return (nl_nat_t *)rl;
}
@@ -788,6 +776,32 @@
}