[src/trunk]: src NPF checkpoint:
details: https://anonhg.NetBSD.org/src/rev/3a277001193b
branches: trunk
changeset: 757711:3a277001193b
user: rmind <rmind%NetBSD.org@localhost>
date: Thu Sep 16 04:53:27 2010 +0000
description:
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
diffstat:
share/man/man9/npf_ncode.9 | 31 +-
sys/modules/npf/Makefile | 4 +-
sys/net/npf/files.npf | 7 +-
sys/net/npf/npf.h | 16 +-
sys/net/npf/npf_alg_icmp.c | 11 +-
sys/net/npf/npf_ctl.c | 32 ++-
sys/net/npf/npf_handler.c | 83 ++++---
sys/net/npf/npf_impl.h | 29 +-
sys/net/npf/npf_inet.c | 24 +-
sys/net/npf/npf_instr.c | 42 +++-
sys/net/npf/npf_mbuf.c | 10 +-
sys/net/npf/npf_nat.c | 410 +++++++++++++++++++++++---------------
sys/net/npf/npf_ncode.h | 3 +-
sys/net/npf/npf_processor.c | 22 +-
sys/net/npf/npf_ruleset.c | 69 +++---
sys/net/npf/npf_sendpkt.c | 202 +++++++++++++++++++
sys/net/npf/npf_session.c | 206 ++++++++++++-------
usr.sbin/npf/npfctl/npf.conf.5 | 16 +-
usr.sbin/npf/npfctl/npf_data.c | 203 ++++++++++++++----
usr.sbin/npf/npfctl/npf_ncgen.c | 47 +++-
usr.sbin/npf/npfctl/npf_parser.c | 133 +++++++++++-
usr.sbin/npf/npfctl/npfctl.h | 10 +-
22 files changed, 1129 insertions(+), 481 deletions(-)
diffs (truncated from 2894 to 300 lines):
diff -r 52014f8e1911 -r 3a277001193b share/man/man9/npf_ncode.9
--- a/share/man/man9/npf_ncode.9 Thu Sep 16 02:38:50 2010 +0000
+++ b/share/man/man9/npf_ncode.9 Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf_ncode.9,v 1.3 2010/08/24 23:55:05 rmind Exp $
+.\" $NetBSD: npf_ncode.9,v 1.4 2010/09/16 04:53:27 rmind Exp $
.\"
.\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd August 22, 2010
+.Dd September 16, 2010
.Dt NPF_NCODE 9
.Os
.Sh NAME
@@ -220,12 +220,16 @@
Value of the first argument indicates whether source (if 0x1) or
destination (if 0x0) address should be matched.
.\" -
-.It Sy 0x92 NPF_OPCODE_ICMP4 <type> <code>
-Match ICMP type and code of the packet, unless a value of ~0 (all bits set)
-is passed, which indicates that comparison should not be performed.
+.It Sy 0x92 NPF_OPCODE_ICMP4 <type/code>
+Match that packet is ICMP and compare type and code values, if required.
+Highest 32nd and 31st bits indicate whether the type and code values,
+accordingly, should be compared.
+If comparison is required, the type and code values are represented by
+lower 16 bits.
+The higher 8 bits represent type, and the lower 8 bits code number.
.\" -
.It Sy 0xa0 NPF_OPCODE_TCP_PORT <s/d>, <port range>
-Match the source or destination port with a specified port range.
+Match the TCP source or destination port with a specified port range.
The higher 16 bits of the second argument represent the "from" and
the lower 16 bits represent the "to" values of the range.
The 32-bit port range value is in host byte order, however the actual
@@ -234,13 +238,14 @@
destination (if 0x0) port should be matched.
.\" -
.It Sy 0xa1 NPF_OPCODE_UDP_PORT <s/d>, <port range>
-Match the source or destination port with a specified port range.
-The higher 16 bits of the second argument represent the "from" and
-the lower 16 bits represent the "to" values of range.
-The 32-bit port range value is in host byte order, however the actual
-"from" and "to" values should be in network byte order.
-The value of the first argument indicates whether source (if 0x1) or
-destination (if 0x0) port should be matched.
+Equivalent of
+.Dv NPF_OPCODE_TCP_PORT ,
+but for UDP protocol.
+.\" -
+.It Sy 0xa2 NPF_OPCODE_TCP_FLAGS <fl/mask>
+Match the TCP flags with the a specified flags and mask,
+represented by the lower 16 bits.
+The higher 8 bits represent flags and the lower 8 bits mask to apply.
.El
.\" -----
.Sh CODE REFERENCES
diff -r 52014f8e1911 -r 3a277001193b sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile Thu Sep 16 02:38:50 2010 +0000
+++ b/sys/modules/npf/Makefile Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1 2010/08/22 18:56:22 rmind Exp $
+# $NetBSD: Makefile,v 1.2 2010/09/16 04:53:27 rmind Exp $
.include "../Makefile.inc"
@@ -8,6 +8,6 @@
SRCS= npf.c npf_ctl.c npf_handler.c npf_instr.c npf_mbuf.c
SRCS+= npf_processor.c npf_ruleset.c npf_tableset.c npf_inet.c
-SRCS+= npf_session.c npf_nat.c npf_alg.c
+SRCS+= npf_session.c npf_nat.c npf_sendpkt.c npf_alg.c
.include <bsd.kmodule.mk>
diff -r 52014f8e1911 -r 3a277001193b sys/net/npf/files.npf
--- a/sys/net/npf/files.npf Thu Sep 16 02:38:50 2010 +0000
+++ b/sys/net/npf/files.npf Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.1 2010/08/22 18:56:22 rmind Exp $
+# $NetBSD: files.npf,v 1.2 2010/09/16 04:53:27 rmind Exp $
#
# Public Domain.
#
@@ -9,6 +9,7 @@
defpseudo npf: ifnet
+# Core
file net/npf/npf.c npf
file net/npf/npf_ctl.c npf
file net/npf/npf_handler.c npf
@@ -21,3 +22,7 @@
file net/npf/npf_session.c npf
file net/npf/npf_nat.c npf
file net/npf/npf_alg.c npf
+file net/npf/npf_sendpkt.c npf
+
+# ALGs
+file net/npf/npf_alg_icmp.c npf
diff -r 52014f8e1911 -r 3a277001193b sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Thu Sep 16 02:38:50 2010 +0000
+++ b/sys/net/npf/npf.h Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.1 2010/08/22 18:56:22 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.2 2010/09/16 04:53:27 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -81,7 +81,6 @@
typedef struct {
uint32_t npc_info;
int npc_dir;
- uint8_t npc_elen;
/* NPC_IP46 */
uint8_t npc_proto;
uint16_t npc_hlen;
@@ -127,7 +126,7 @@
void (*)(const npf_cache_t *, void *), void *);
void npf_hook_unregister(npf_rule_t *, npf_hook_t *);
-#endif
+#endif /* _KERNEL */
/* Rule attributes. */
#define NPF_RULE_PASS 0x0001
@@ -136,11 +135,20 @@
#define NPF_RULE_LOG 0x0008
#define NPF_RULE_DEFAULT 0x0010
#define NPF_RULE_KEEPSTATE 0x0020
+#define NPF_RULE_RETRST 0x0040
+#define NPF_RULE_RETICMP 0x0080
#define NPF_RULE_IN 0x1000
#define NPF_RULE_OUT 0x2000
#define NPF_RULE_DIMASK 0x3000
+/* Address translation types and flags. */
+#define NPF_NATIN 1
+#define NPF_NATOUT 2
+
+#define NPF_NAT_PORTS 0x01
+#define NPF_NAT_PORTMAP 0x02
+
/* Table types. */
#define NPF_TABLE_HASH 1
#define NPF_TABLE_RBTREE 2
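Review bot: The new NPF_RULE_RETRST / NPF_RULE_RETICMP attributes and the NPF_NAT_PORTS / NPF_NAT_PORTMAP flags are added without a word on what they select, and this header is the interface npfctl builds against. The commit description says the rule attributes choose the response sent on block, so a trailing comment would carry that: `#define NPF_RULE_RETRST 0x0040 /* on block: send TCP RST */` and `#define NPF_RULE_RETICMP 0x0080 /* on block: send ICMP dst unreachable */`. The meaning of the two NAT flags is not visible in this hunk (presumably port translation and a port map, but that belongs to npf_nat.c), so I would add a comment pointing at npf_nat_newpolicy() rather than guess at their semantics here.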
@@ -176,4 +184,4 @@
#define IOC_NPF_RELOAD _IOW('N', 102, struct plistref)
#define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table)
-#endif
+#endif /* _NPF_H_ */
diff -r 52014f8e1911 -r 3a277001193b sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Thu Sep 16 02:38:50 2010 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.1 2010/08/22 18:56:22 rmind Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.2 2010/09/16 04:53:27 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -228,11 +228,6 @@
/* Advance to ICMP header. */
n_ptr = nbuf_dataptr(nbuf);
-#ifdef _NPF_TESTING
- if (npc->npc_elen && /* XXX */
- (n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_elen)) == NULL)
- return false;
-#endif
if ((n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_hlen)) == NULL) {
return false;
}
@@ -317,7 +312,7 @@
in_addr_t addr;
in_port_t port;
- npf_nat_getlocal(nt, &addr, &port);
+ npf_nat_getorig(nt, &addr, &port);
if (!npf_rwrip(&enpc, nbuf, n_ptr, PFIL_OUT, addr)) {
return false;
diff -r 52014f8e1911 -r 3a277001193b sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Thu Sep 16 02:38:50 2010 +0000
+++ b/sys/net/npf/npf_ctl.c Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.1 2010/08/22 18:56:22 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.2 2010/09/16 04:53:27 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -41,7 +41,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -328,7 +328,9 @@
prop_object_t obj;
npf_natpolicy_t *np;
npf_rule_t *rl;
- in_addr_t gip;
+ in_addr_t taddr;
+ in_port_t tport;
+ int type, flags;
/* NAT policy - dictionary. */
if (prop_object_type(natdict) != PROP_TYPE_DICTIONARY) {
@@ -336,9 +338,21 @@
break;
}
- /* Gateway IP. */
- obj = prop_dictionary_get(natdict, "gateway_ip");
- gip = (in_addr_t)prop_number_integer_value(obj);
+ /* Translation type. */
+ obj = prop_dictionary_get(natdict, "type");
+ type = prop_number_integer_value(obj);
+
+ /* Translation type. */
+ obj = prop_dictionary_get(natdict, "flags");
+ flags = prop_number_integer_value(obj);
+
+ /* Translation IP. */
+ obj = prop_dictionary_get(natdict, "translation_ip");
+ taddr = (in_addr_t)prop_number_integer_value(obj);
+
+ /* Translation port (for redirect case). */
+ obj = prop_dictionary_get(natdict, "translation_port");
+ tport = (in_addr_t)prop_number_integer_value(obj);
/*
* NAT policies are standard rules, plus additional
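Review bot: The four values pulled from natdict ("type", "flags", "translation_ip", "translation_port") are used without checking that the key exists or is a number: prop_dictionary_get() returns NULL for a missing key and, as I read proplib, prop_number_integer_value() then yields 0, so a policy with no "type" or "translation_ip" silently becomes type 0 / address 0.0.0.0 instead of failing with EINVAL, and `type` reaches npf_nat_newpolicy() without being restricted to NPF_NATIN or NPF_NATOUT. The cast on the port line is also the wrong type — `tport = (in_addr_t)prop_number_integer_value(obj);` should read `tport = (in_port_t)prop_number_integer_value(obj);` — and the comment above the "flags" lookup repeats "Translation type.". This dictionary arrives from userland through IOC_NPF_RELOAD, so the kernel side is where malformed input should be rejected rather than trusting that npfctl produced it; the same `error = …; break;` pattern the surrounding code already uses fits. The enclosing loop and function begin outside the hunk.
```c
	/* Translation type: must be NPF_NATIN or NPF_NATOUT. */
	obj = prop_dictionary_get(natdict, "type");
	if (obj == NULL || prop_object_type(obj) != PROP_TYPE_NUMBER) {
		error = EINVAL;
		break;
	}
	type = prop_number_integer_value(obj);
	if (type != NPF_NATIN && type != NPF_NATOUT) {
		error = EINVAL;
		break;
	}

	/* Translation flags. */
	obj = prop_dictionary_get(natdict, "flags");
	if (obj == NULL || prop_object_type(obj) != PROP_TYPE_NUMBER) {
		error = EINVAL;
		break;
	}
	flags = prop_number_integer_value(obj);

	/* … same presence/type check for "translation_ip" and "translation_port" … */
	tport = (in_port_t)prop_number_integer_value(obj);
```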
@@ -349,7 +363,7 @@
break;
/* Allocate a new NAT policy and assign to the rule. */
- np = npf_nat_newpolicy(gip);
+ np = npf_nat_newpolicy(type, flags, taddr, tport);
if (np == NULL) {
error = ENOMEM;
break;
@@ -402,7 +416,7 @@
/* NAT policies. */
nset = npf_ruleset_create();
- natlist = prop_dictionary_get(dict, "nat");
+ natlist = prop_dictionary_get(dict, "translation");
error = npf_mk_natlist(nset, natlist);
if (error)
goto fail;
@@ -455,7 +469,7 @@
}
/*
- * npf_table_ctl: add, remove or query entries in the specified table.
+ * npfctl_table: add, remove or query entries in the specified table.
*
* For maximum performance, interface is avoiding proplib(3)'s overhead.
*/
diff -r 52014f8e1911 -r 3a277001193b sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Thu Sep 16 02:38:50 2010 +0000
+++ b/sys/net/npf/npf_handler.c Thu Sep 16 04:53:27 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.1 2010/08/22 18:56:22 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.2 2010/09/16 04:53:27 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -56,6 +56,8 @@
static struct pfil_head * npf_ph_if = NULL;
static struct pfil_head * npf_ph_inet = NULL;
+static bool default_pass = true;
+