[src/netbsd-6]: src Pull up following revision(s) (requested by rmind in tick...
details: https://anonhg.NetBSD.org/src/rev/f478b98b7e17
branches: netbsd-6
changeset: 773978:f478b98b7e17
user: riz <riz%NetBSD.org@localhost>
date: Tue Apr 03 17:22:52 2012 +0000
description:
Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unnecessary header inclusions.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
diffstat:
lib/libnpf/npf.c | 111 +++++++++++++-
lib/libnpf/npf.h | 13 +-
sys/net/npf/npf.c | 51 ++++-
sys/net/npf/npf.h | 3 +-
sys/net/npf/npf_alg.c | 7 +-
sys/net/npf/npf_alg_icmp.c | 5 +-
sys/net/npf/npf_ctl.c | 55 ++++--
sys/net/npf/npf_handler.c | 78 +++++----
sys/net/npf/npf_impl.h | 19 +-
sys/net/npf/npf_inet.c | 6 +-
sys/net/npf/npf_instr.c | 6 +-
sys/net/npf/npf_log.c | 6 +-
sys/net/npf/npf_nat.c | 29 ++-
sys/net/npf/npf_ncode.h | 237 ++++++++++++++++++++++++++++++-
sys/net/npf/npf_processor.c | 9 +-
sys/net/npf/npf_rproc.c | 9 +-
sys/net/npf/npf_ruleset.c | 12 +-
sys/net/npf/npf_sendpkt.c | 6 +-
sys/net/npf/npf_session.c | 37 ++--
sys/net/npf/npf_tableset.c | 6 +-
usr.sbin/npf/npfctl/Makefile | 10 +-
usr.sbin/npf/npfctl/npf_build.c | 7 +-
usr.sbin/npf/npfctl/npf_disassemble.c | 263 ++++++++++++++++++++++++++++++++++
usr.sbin/npf/npfctl/npf_ncgen.c | 8 +-
usr.sbin/npf/npfctl/npf_parse.y | 69 ++++----
usr.sbin/npf/npfctl/npfctl.h | 3 +-
26 files changed, 870 insertions(+), 195 deletions(-)
diffs (truncated from 1992 to 300 lines):
diff -r 872741e654d2 -r f478b98b7e17 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Tue Apr 03 16:36:20 2012 +0000
+++ b/lib/libnpf/npf.c Tue Apr 03 17:22:52 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7 2012/02/05 00:37:13 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:54 riz Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/02/05 00:37:13 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:54 riz Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -48,6 +48,7 @@
struct nl_config {
/* Rules, translations, tables, procedures. */
+ prop_dictionary_t ncf_dict;
prop_array_t ncf_rules_list;
prop_array_t ncf_rproc_list;
prop_array_t ncf_table_list;
@@ -139,6 +140,33 @@
return error;
}
+nl_config_t *
+npf_config_retrieve(int fd, bool *active, bool *loaded)
+{
+ prop_dictionary_t npf_dict;
+ nl_config_t *ncf;
+ int error;
+
+ error = prop_dictionary_recv_ioctl(fd, IOC_NPF_GETCONF, &npf_dict);
+ if (error) {
+ return NULL;
+ }
+ ncf = calloc(1, sizeof(*ncf));
+ if (ncf == NULL) {
+ prop_object_release(npf_dict);
+ return NULL;
+ }
+ ncf->ncf_dict = npf_dict;
+ ncf->ncf_rules_list = prop_dictionary_get(npf_dict, "rules");
+ ncf->ncf_rproc_list = prop_dictionary_get(npf_dict, "rprocs");
+ ncf->ncf_table_list = prop_dictionary_get(npf_dict, "tables");
+ ncf->ncf_nat_list = prop_dictionary_get(npf_dict, "translation");
+
+ prop_dictionary_get_bool(npf_dict, "active", active);
+ *loaded = (ncf->ncf_rules_list != NULL);
+ return ncf;
+}
+
int
npf_config_flush(int fd)
{
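Review bot: `prop_dictionary_get_bool(npf_dict, "active", active);` at the end of npf_config_retrieve discards its return value, so when the received dictionary carries no "active" key the caller's variable is left untouched and, unless the caller initialised it, indeterminate. Fall back explicitly: `if (!prop_dictionary_get_bool(npf_dict, "active", active)) { *active = false; }`. The `error` from prop_dictionary_recv_ioctl() is also dropped before `return NULL`, so callers cannot distinguish a transport failure from the calloc failure below it; consider `errno = error;` before that return. The trailing context lines belong to npf_config_flush, whose body continues outside the hunk.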
@@ -174,10 +202,14 @@
npf_config_destroy(nl_config_t *ncf)
{
- prop_object_release(ncf->ncf_rules_list);
- prop_object_release(ncf->ncf_rproc_list);
- prop_object_release(ncf->ncf_table_list);
- prop_object_release(ncf->ncf_nat_list);
+ if (ncf->ncf_dict == NULL) {
+ prop_object_release(ncf->ncf_rules_list);
+ prop_object_release(ncf->ncf_rproc_list);
+ prop_object_release(ncf->ncf_table_list);
+ prop_object_release(ncf->ncf_nat_list);
+ } else {
+ prop_object_release(ncf->ncf_dict);
+ }
if (ncf->ncf_err) {
prop_object_release(ncf->ncf_err);
}
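Review bot: The new branch in npf_config_destroy relies on `ncf->ncf_dict` being NULL for configurations built by npf_config_create(), which is outside this hunk; if that constructor does not zero the struct (calloc or an explicit `ncf->ncf_dict = NULL`), the field is indeterminate and the wrong release path is taken. Confirm the constructor, and document the ownership rule on the branch, e.g. `/* Retrieved configs: the lists are looked up from ncf_dict without a separate reference, so only the dictionary is released. */`. npf_config_destroy continues past the end of the hunk.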
@@ -304,6 +336,73 @@
return 0;
}
+static int
+_npf_rule_foreach1(prop_array_t rules, unsigned nlevel, nl_rule_callback_t func)
+{
+ prop_dictionary_t rldict;
+ prop_object_iterator_t it;
+
+ if (!rules || prop_object_type(rules) != PROP_TYPE_ARRAY) {
+ return ENOENT;
+ }
+ it = prop_array_iterator(rules);
+ if (it == NULL) {
+ return ENOMEM;
+ }
+ while ((rldict = prop_object_iterator_next(it)) != NULL) {
+ prop_array_t subrules;
+ nl_rule_t nrl;
+
+ nrl.nrl_dict = rldict;
+ (*func)(&nrl, nlevel);
+
+ subrules = prop_dictionary_get(rldict, "subrules");
+ (void)_npf_rule_foreach1(subrules, nlevel + 1, func);
+ }
+ prop_object_iterator_release(it);
+ return 0;
+}
+
+int
+_npf_rule_foreach(nl_config_t *ncf, nl_rule_callback_t func)
+{
+
+ return _npf_rule_foreach1(ncf->ncf_rules_list, 0, func);
+}
+
+pri_t
+_npf_rule_getinfo(nl_rule_t *nrl, const char **rname, uint32_t *attr,
+ u_int *if_idx)
+{
+ prop_dictionary_t rldict = nrl->nrl_dict;
+ pri_t prio;
+
+ prop_dictionary_get_cstring_nocopy(rldict, "name", rname);
+ prop_dictionary_get_uint32(rldict, "attributes", attr);
+ prop_dictionary_get_int32(rldict, "priority", &prio);
+ prop_dictionary_get_uint32(rldict, "interface", if_idx);
+ return prio;
+}
+
+const void *
+_npf_rule_ncode(nl_rule_t *nrl, size_t *size)
+{
+ prop_dictionary_t rldict = nrl->nrl_dict;
+ prop_object_t obj = prop_dictionary_get(rldict, "ncode");
+ *size = prop_data_size(obj);
+ return prop_data_data_nocopy(obj);
+}
+
+const char *
+_npf_rule_rproc(nl_rule_t *nrl)
+{
+ prop_dictionary_t rldict = nrl->nrl_dict;
+ const char *rpname = NULL;
+
+ prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rpname);
+ return rpname;
+}
+
void
npf_rule_destroy(nl_rule_t *rl)
{
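Review bot: In _npf_rule_getinfo, `pri_t prio;` is returned without ever being assigned when the rule dictionary lacks a "priority" entry, because the prop_dictionary_get_* return values are ignored; reading it is then undefined behaviour, and `*rname`, `*attr` and `*if_idx` are likewise left untouched. _npf_rule_rproc in the same hunk does initialise `rpname = NULL` first, so do the same here: `pri_t prio = 0;` and either check each getter or pre-set the out-parameters. In _npf_rule_ncode, `prop_dictionary_get(rldict, "ncode")` may return NULL for a rule without ncode and is passed straight to prop_data_size(); unless proplib's accessors tolerate a NULL or non-data object, a type check like the one at the top of _npf_rule_foreach1 belongs here. The `(void)` cast on the recursive `_npf_rule_foreach1` call also hides an ENOMEM from the iterator allocation. The trailing context lines belong to npf_rule_destroy, whose body continues outside the hunk.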
diff -r 872741e654d2 -r f478b98b7e17 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Tue Apr 03 16:36:20 2012 +0000
+++ b/lib/libnpf/npf.h Tue Apr 03 17:22:52 2012 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf.h,v 1.6 2012/02/05 00:37:13 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.6.2.1 2012/04/03 17:22:54 riz Exp $ */
/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -63,6 +63,8 @@
int ne_ncode_errat;
} nl_error_t;
+typedef void (*nl_rule_callback_t)(nl_rule_t *, unsigned);
+
#endif
#define NPF_CODE_NCODE 1
@@ -75,6 +77,7 @@
nl_config_t * npf_config_create(void);
int npf_config_submit(nl_config_t *, int);
void npf_config_destroy(nl_config_t *);
+nl_config_t * npf_config_retrieve(int, bool *, bool *);
int npf_config_flush(int);
#ifdef _NPF_PRIVATE
void _npf_config_error(nl_config_t *, nl_error_t *);
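Review bot: The new `npf_config_retrieve(int, bool *, bool *)` prototype gives the reader no way to tell the two bool out-parameters apart or to know who owns the result. A comment in the header would close that gap, e.g. `/* Fetch the active configuration (IOC_NPF_GETCONF); sets *active and *loaded; the result is released with npf_config_destroy(). */`, which matches the implementation in lib/libnpf/npf.c from this same commit.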
@@ -86,6 +89,12 @@
int npf_rule_setproc(nl_config_t *, nl_rule_t *, const char *);
bool npf_rule_exists_p(nl_config_t *, const char *);
int npf_rule_insert(nl_config_t *, nl_rule_t *, nl_rule_t *, pri_t);
+#ifdef _NPF_PRIVATE
+int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
+pri_t _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *, u_int *);
+const void * _npf_rule_ncode(nl_rule_t *, size_t *);
+const char * _npf_rule_rproc(nl_rule_t *);
+#endif
void npf_rule_destroy(nl_rule_t *);
nl_rproc_t * npf_rproc_create(const char *);
diff -r 872741e654d2 -r f478b98b7e17 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Tue Apr 03 16:36:20 2012 +0000
+++ b/sys/net/npf/npf.c Tue Apr 03 17:22:52 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:53 riz Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:53 riz Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -70,6 +70,8 @@
npf_ruleset_t * n_rules;
npf_tableset_t * n_tables;
npf_ruleset_t * n_nat_rules;
+ prop_dictionary_t n_dict;
+ bool n_default_pass;
} npf_core_t;
static void npf_core_destroy(npf_core_t *);
@@ -92,6 +94,7 @@
#endif
npf_ruleset_t *rset, *nset;
npf_tableset_t *tset;
+ prop_dictionary_t dict;
int error = 0;
rw_init(&npf_lock);
@@ -103,10 +106,11 @@
npflogattach(1);
/* Load empty configuration. */
+ dict = prop_dictionary_create();
rset = npf_ruleset_create();
tset = npf_tableset_create();
nset = npf_ruleset_create();
- npf_reload(rset, tset, nset);
+ npf_reload(dict, rset, tset, nset, true);
KASSERT(npf_core != NULL);
#ifdef _MODULE
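Review bot: The bare `true` in `npf_reload(dict, rset, tset, nset, true);` is the new flush flag that, per the commit description, makes the empty boot-time configuration default to pass, but nothing at the call site says so. Suggest `npf_reload(dict, rset, tset, nset, true /* flush: empty config, default policy pass */);`. The result of `prop_dictionary_create()` is also not checked; if it can return NULL in this context, npf_core_destroy() later releases `n_dict` unconditionally, so confirm the allocator cannot fail here or add a check. npf_init begins and ends outside the hunk.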
@@ -124,20 +128,20 @@
npf_fini(void)
{
- /*
- * At first, detach device, remove pfil hooks and unload existing
- * configuration, destroy structures.
- */
+ /* At first, detach device and remove pfil hooks. */
#ifdef _MODULE
devsw_detach(NULL, &npf_cdevsw);
#endif
- npf_unregister_pfil();
- npf_core_destroy(npf_core);
npflogdetach();
+ npf_pfil_unregister();
- /* Note: order is particular. */
+ /* Flush all sessions, destroy configuration (ruleset, etc). */
+ npf_session_tracking(false);
+ npf_core_destroy(npf_core);
+
+ /* Finally, safe to destroy the subsystems. */
+ npf_alg_sysfini();
npf_nat_sysfini();
- npf_alg_sysfini();
npf_session_sysfini();
npf_tableset_sysfini();
percpu_free(npf_stats_percpu, NPF_STATS_SIZE);
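Review bot: npf_fini now calls npf_alg_sysfini() before npf_nat_sysfini(), reversing the previous order, and at the same time drops the `/* Note: order is particular. */` warning, so the new comments no longer tell a maintainer that this sequence must not be reshuffled. Keep the warning on the new order, e.g. `/* Finally, safe to destroy the subsystems; order is particular (ALG before NAT). */`, and record the reason for the swap if it is known. The rename from npf_unregister_pfil() to npf_pfil_unregister() and its move after npflogdetach() are presumably matched in npf_handler.c, which is not in this excerpt. npf_fini's body continues beyond the hunk.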
@@ -210,6 +214,9 @@
case IOC_NPF_RELOAD:
error = npfctl_reload(cmd, data);
break;
+ case IOC_NPF_GETCONF:
+ error = npfctl_getconf(cmd, data);
+ break;
case IOC_NPF_TABLE:
error = npfctl_table(data);
break;
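Review bot: The new IOC_NPF_GETCONF case hands the complete active configuration (rules, rprocs, tables and translation entries, as the library side of this commit reads them) back to the ioctl caller, and nothing in this hunk shows a privilege check on that path. If the device node or npfctl_getconf() does not already enforce the same access control as IOC_NPF_RELOAD, a kauth check, or a comment saying where it is enforced, belongs here. The enclosing ioctl handler starts and ends outside the hunk.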
@@ -254,6 +261,7 @@
npf_core_destroy(npf_core_t *nc)
{
+ prop_object_release(nc->n_dict);
npf_ruleset_destroy(nc->n_rules);
npf_ruleset_destroy(nc->n_nat_rules);
npf_tableset_destroy(nc->n_tables);
@@ -265,15 +273,18 @@
* Then destroy old (unloaded) structures.
*/
void
-npf_reload(npf_ruleset_t *rset, npf_tableset_t *tset, npf_ruleset_t *nset)
+npf_reload(prop_dictionary_t dict, npf_ruleset_t *rset,
+ npf_tableset_t *tset, npf_ruleset_t *nset, bool flush)
{
npf_core_t *nc, *onc;