

[src/netbsd-6]: src Pull up following revision(s) (requested by rmind in tick...



details:   https://anonhg.NetBSD.org/src/rev/eea6e7994fb9
branches:  netbsd-6
changeset: 774310:eea6e7994fb9
user:      riz <riz%NetBSD.org@localhost>
date:      Thu Jul 05 17:48:41 2012 +0000

description:
Pull up following revision(s) (requested by rmind in ticket #399):
        sys/net/npf/npf_session.c: revision 1.14
        sys/net/npf/npf_tableset.c: revision 1.12
        sys/net/npf/npf_state_tcp.c: revision 1.8
        usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
        usr.sbin/npf/npfctl/npf_data.c: revision 1.14
        sys/net/npf/npf_inet.c: revision 1.13
        sys/net/npf/npf_ruleset.c: revision 1.12
        sys/net/npf/npf.h: revision 1.18
        usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
        usr.sbin/npf/npfctl/npfctl.8: revision 1.7
        usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
        usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
        usr.sbin/npf/npfctl/npfctl.8: revision 1.8
        sys/net/npf/npf_instr.c: revision 1.12
        usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
        usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
        usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
        sys/net/npf/npf_state.c: revision 1.9
        sys/net/npf/npf_processor.c: revision 1.11
        usr.sbin/npf/npfctl/npfctl.c: revision 1.13
        usr.sbin/npf/npfctl/npfctl.c: revision 1.14
        usr.sbin/npf/npfctl/npf_build.c: revision 1.10
        lib/libnpf/npf.3: revision 1.5
        lib/libnpf/npf.h: revision 1.8
        share/man/man9/npf_ncode.9: revision 1.9
        usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
        lib/libnpf/npf.c: revision 1.9
        usr.sbin/npf/npfctl/npfctl.h: revision 1.16
        sys/net/npf/npf_nat.c: revision 1.14
        usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
        usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
        sys/net/npf/npf_impl.h: revision 1.17
        sys/net/npf/npf_handler.c: revision 1.18
        sys/net/npf/npf_handler.c: revision 1.19
        usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
        sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix a few theoretical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.

diffstat:

 lib/libnpf/npf.3                                     |    6 +-
 lib/libnpf/npf.c                                     |   45 ++++-
 lib/libnpf/npf.h                                     |   34 +-
 share/man/man9/npf_ncode.9                           |   14 +-
 sys/net/npf/npf.h                                    |    4 +-
 sys/net/npf/npf_handler.c                            |   27 +-
 sys/net/npf/npf_impl.h                               |   20 +-
 sys/net/npf/npf_inet.c                               |  137 ++++++-------
 sys/net/npf/npf_instr.c                              |   44 +++-
 sys/net/npf/npf_nat.c                                |   22 +-
 sys/net/npf/npf_ncode.h                              |   12 +-
 sys/net/npf/npf_processor.c                          |   37 ++-
 sys/net/npf/npf_ruleset.c                            |   10 +-
 sys/net/npf/npf_session.c                            |  190 ++++++++++++------
 sys/net/npf/npf_state.c                              |    9 +-
 sys/net/npf/npf_state_tcp.c                          |   66 ++++--
 sys/net/npf/npf_tableset.c                           |   90 ++++----
 usr.sbin/npf/npfctl/npf.conf.5                       |   34 +-
 usr.sbin/npf/npfctl/npf_build.c                      |   96 ++++++--
 usr.sbin/npf/npfctl/npf_data.c                       |   21 +-
 usr.sbin/npf/npfctl/npf_disassemble.c                |   55 +++++-
 usr.sbin/npf/npfctl/npf_ncgen.c                      |   23 ++-
 usr.sbin/npf/npfctl/npf_parse.y                      |   49 ++--
 usr.sbin/npf/npfctl/npf_scan.l                       |    3 +-
 usr.sbin/npf/npfctl/npfctl.8                         |   12 +-
 usr.sbin/npf/npfctl/npfctl.c                         |   12 +-
 usr.sbin/npf/npfctl/npfctl.h                         |    4 +-
 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c      |   65 +++++-
 usr.sbin/npf/npftest/libnpftest/npf_processor_test.c |   72 ++++++-
 usr.sbin/npf/npftest/libnpftest/npf_state_test.c     |   16 +-
 usr.sbin/npf/npftest/libnpftest/npf_table_test.c     |    7 +-
 usr.sbin/npf/npftest/libnpftest/npf_test.h           |    1 +
 32 files changed, 815 insertions(+), 422 deletions(-)

diffs (truncated from 2836 to 300 lines):

diff -r c0f7cf401971 -r eea6e7994fb9 lib/libnpf/npf.3
--- a/lib/libnpf/npf.3  Thu Jul 05 17:43:49 2012 +0000
+++ b/lib/libnpf/npf.3  Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.3,v 1.4 2012/01/15 00:49:47 rmind Exp $
+.\"    $NetBSD: npf.3,v 1.4.2.1 2012/07/05 17:48:44 riz Exp $
 .\"
 .\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 14, 2012
+.Dd July 1, 2012
 .Dt NPF 3
 .Os
 .Sh NAME
@@ -136,7 +136,7 @@
 .It Dv NPF_RULE_FINAL
 Indicates that on rule match, further processing of the
 ruleset should be stopped and this rule applied instantly.
-.It Dv NPF_RULE_KEEPSTATE
+.It Dv NPF_RULE_STATEFUL
 Create a state (session) on match, track the connection and
 therefore pass the backwards stream without inspection.
 .It Dv NPF_RULE_RETRST
diff -r c0f7cf401971 -r eea6e7994fb9 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c  Thu Jul 05 17:43:49 2012 +0000
+++ b/lib/libnpf/npf.c  Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:54 riz Exp $  */
+/*     $NetBSD: npf.c,v 1.7.2.2 2012/07/05 17:48:45 riz Exp $  */
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:54 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.2 2012/07/05 17:48:45 riz Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -554,6 +554,29 @@
        return 0;
 }
 
+int
+_npf_nat_foreach(nl_config_t *ncf, nl_rule_callback_t func)
+{
+
+       return _npf_rule_foreach1(ncf->ncf_nat_list, 0, func);
+}
+
+void
+_npf_nat_getinfo(nl_nat_t *nt, int *type, u_int *flags, npf_addr_t *addr,
+    size_t *alen, in_port_t *port)
+{
+       prop_dictionary_t rldict = nt->nrl_dict;
+
+       prop_dictionary_get_int32(rldict, "type", type);
+       prop_dictionary_get_uint32(rldict, "flags", flags);
+
+       prop_object_t obj = prop_dictionary_get(rldict, "translation-ip");
+       *alen = prop_data_size(obj);
+       memcpy(addr, prop_data_data_nocopy(obj), *alen);
+
+       prop_dictionary_get_uint16(rldict, "translation-port", port);
+}
+
 /*
  * TABLE INTERFACE.
  */
@@ -654,6 +677,24 @@
        free(tl);
 }
 
+void
+_npf_table_foreach(nl_config_t *ncf, nl_table_callback_t func)
+{
+       prop_dictionary_t tldict;
+       prop_object_iterator_t it;
+
+       it = prop_array_iterator(ncf->ncf_table_list);
+       while ((tldict = prop_object_iterator_next(it)) != NULL) {
+               u_int id;
+               int type;
+
+               prop_dictionary_get_uint32(tldict, "id", &id);
+               prop_dictionary_get_int32(tldict, "type", &type);
+               (*func)(id, type);
+       }
+       prop_object_iterator_release(it);
+}
+
 /*
  * MISC.
  */
diff -r c0f7cf401971 -r eea6e7994fb9 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h  Thu Jul 05 17:43:49 2012 +0000
+++ b/lib/libnpf/npf.h  Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.6.2.1 2012/04/03 17:22:54 riz Exp $  */
+/*     $NetBSD: npf.h,v 1.6.2.2 2012/07/05 17:48:44 riz Exp $  */
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -64,6 +64,7 @@
 } nl_error_t;
 
 typedef void (*nl_rule_callback_t)(nl_rule_t *, unsigned);
+typedef void (*nl_table_callback_t)(unsigned, int);
 
 #endif
 
@@ -79,33 +80,18 @@
 void           npf_config_destroy(nl_config_t *);
 nl_config_t *  npf_config_retrieve(int, bool *, bool *);
 int            npf_config_flush(int);
-#ifdef _NPF_PRIVATE
-void           _npf_config_error(nl_config_t *, nl_error_t *);
-void           _npf_config_setsubmit(nl_config_t *, const char *);
-#endif
 
 nl_rule_t *    npf_rule_create(const char *, uint32_t, u_int);
 int            npf_rule_setcode(nl_rule_t *, int, const void *, size_t);
 int            npf_rule_setproc(nl_config_t *, nl_rule_t *, const char *);
 bool           npf_rule_exists_p(nl_config_t *, const char *);
 int            npf_rule_insert(nl_config_t *, nl_rule_t *, nl_rule_t *, pri_t);
-#ifdef _NPF_PRIVATE
-int            _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
-pri_t          _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *, u_int *);
-const void *   _npf_rule_ncode(nl_rule_t *, size_t *);
-const char *   _npf_rule_rproc(nl_rule_t *);
-#endif
 void           npf_rule_destroy(nl_rule_t *);
 
 nl_rproc_t *   npf_rproc_create(const char *);
 bool           npf_rproc_exists_p(nl_config_t *, const char *);
 int            npf_rproc_insert(nl_config_t *, nl_rproc_t *);
 
-#ifdef _NPF_PRIVATE
-int            _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
-int            _npf_rproc_setlog(nl_rproc_t *, u_int);
-#endif
-
 nl_nat_t *     npf_nat_create(int, u_int, u_int, npf_addr_t *, int, in_port_t);
 int            npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
 
@@ -119,6 +105,22 @@
 int            npf_sessions_send(int, const char *);
 int            npf_sessions_recv(int, const char *);
 
+#ifdef _NPF_PRIVATE
+void           _npf_config_error(nl_config_t *, nl_error_t *);
+void           _npf_config_setsubmit(nl_config_t *, const char *);
+int            _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
+pri_t          _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *,
+                   u_int *);
+const void *   _npf_rule_ncode(nl_rule_t *, size_t *);
+const char *   _npf_rule_rproc(nl_rule_t *);
+int            _npf_nat_foreach(nl_config_t *, nl_rule_callback_t);
+void           _npf_nat_getinfo(nl_nat_t *, int *, u_int *, npf_addr_t *,
+                   size_t *, in_port_t *);
+int            _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
+int            _npf_rproc_setlog(nl_rproc_t *, u_int);
+void           _npf_table_foreach(nl_config_t *, nl_table_callback_t);
+#endif
+
 __END_DECLS
 
 #endif /* _NPF_LIB_H_ */
diff -r c0f7cf401971 -r eea6e7994fb9 share/man/man9/npf_ncode.9
--- a/share/man/man9/npf_ncode.9        Thu Jul 05 17:43:49 2012 +0000
+++ b/share/man/man9/npf_ncode.9        Thu Jul 05 17:48:41 2012 +0000
@@ -1,6 +1,6 @@
-.\"    $NetBSD: npf_ncode.9,v 1.8 2011/12/23 20:53:31 rmind Exp $
+.\"    $NetBSD: npf_ncode.9,v 1.8.2.1 2012/07/05 17:48:45 riz Exp $
 .\"
-.\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 23, 2011
+.Dd July 1, 2012
 .Dt NPF_NCODE 9
 .Os
 .Sh NAME
@@ -222,6 +222,14 @@
 the value passed in the argument.
 Return value to advance to layer 3 header in R3.
 .\" -
+.It Sy 0x81 NPF_OPCODE_PROTO <protocol>
+Match the IP address length and the protocol.
+The values for both are represented by lower 16 bits.
+The higher 8 bits represent IP address length.
+If zero is specified, the length is not matched.
+The lower 8 bits represent the protocol.
+If 0xff is specified, the protocol is not matched.
+.\" -
 .It Sy 0x90 NPF_OPCODE_IP4MASK <s/d>, <network address>, <subnet>
 Match passed network address with subnet against source or destination
 address in the IPv4 header.
diff -r c0f7cf401971 -r eea6e7994fb9 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Thu Jul 05 17:43:49 2012 +0000
+++ b/sys/net/npf/npf.h Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.14.2.3 2012/06/26 14:49:10 riz Exp $ */
+/*     $NetBSD: npf.h,v 1.14.2.4 2012/07/05 17:48:42 riz Exp $ */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -148,7 +148,7 @@
 #define        NPF_RULE_PASS                   0x0001
 #define        NPF_RULE_DEFAULT                0x0002
 #define        NPF_RULE_FINAL                  0x0004
-#define        NPF_RULE_KEEPSTATE              0x0008
+#define        NPF_RULE_STATEFUL               0x0008
 #define        NPF_RULE_RETRST                 0x0010
 #define        NPF_RULE_RETICMP                0x0020
 
diff -r c0f7cf401971 -r eea6e7994fb9 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Thu Jul 05 17:43:49 2012 +0000
+++ b/sys/net/npf/npf_handler.c Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_handler.c,v 1.13.2.2 2012/06/26 00:07:16 riz Exp $ */
+/*     $NetBSD: npf_handler.c,v 1.13.2.3 2012/07/05 17:48:42 riz Exp $ */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13.2.2 2012/06/26 00:07:16 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13.2.3 2012/07/05 17:48:42 riz Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -54,7 +54,7 @@
 #include "npf_impl.h"
 
 /*
- * If npf_ph_if != NULL, pfil hooks are registers.  If NULL, not registered.
+ * If npf_ph_if != NULL, pfil hooks are registered.  If NULL, not registered.
  * Used to check the state.  Locked by: softnet_lock + KERNEL_LOCK (XXX).
  */
 static struct pfil_head *      npf_ph_if = NULL;
@@ -100,24 +100,25 @@
 
        /* Cache everything.  Determine whether it is an IP fragment. */
        if (npf_cache_all(&npc, nbuf) & NPC_IPFRAG) {
-               int ret = -1;
+               /*
+                * Pass to IPv4 or IPv6 reassembly mechanism.
+                */
+               error = EINVAL;
 
-               /* Pass to IPv4 or IPv6 reassembly mechanism. */
                if (npf_iscached(&npc, NPC_IP4)) {
                        struct ip *ip = nbuf_dataptr(*mp);
-                       ret = ip_reass_packet(mp, ip);
+                       error = ip_reass_packet(mp, ip);
                } else if (npf_iscached(&npc, NPC_IP6)) {
 #ifdef INET6
                        /*
-                        * Note: frag6_input() offset is the start of the
-                        * fragment header.
+                        * Note: ip6_reass_packet() offset is the start of
+                        * the fragment header.
                         */
                        const u_int hlen = npf_cache_hlen(&npc);
-                       ret = ip6_reass_packet(mp, hlen);
+                       error = ip6_reass_packet(mp, hlen);
 #endif
                }
-               if (ret) {
-                       error = EINVAL;
+               if (error) {
                        se = NULL;
                        goto out;
                }
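Review bot: The pre-set `error = EINVAL` carries a meaning the comment above it does not state: it is what rejects a fragment that is neither IPv4 nor IPv6, and an IPv6 fragment on a kernel built without INET6, since no reassembly call runs on those paths and the `if (error)` then drops the packet. I would extend the comment to `/* Pass to IPv4 or IPv6 reassembly.  EINVAL stays set if neither path applies (unknown family, or IPv6 without INET6), which rejects the fragment. */`. Note also that the reassembly routine's own error value now reaches the caller where the old code always reported EINVAL, which is worth a line in the commit message. The enclosing function starts before this hunk and its success path after the `if (error)` block continues outside it.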
@@ -133,7 +134,7 @@
                nbuf = (nbuf_t *)*mp;
                npc.npc_info = 0;
 
-               ret = npf_cache_all(&npc, nbuf);
+               int ret __unused = npf_cache_all(&npc, nbuf);
                KASSERT((ret & NPC_IPFRAG) == 0);
        }
 
@@ -188,7 +189,7 @@
         * Note: the reference on the rule procedure is transfered to the


