Source-Changes-HG archive
[src/netbsd-6]: src Pull up following revision(s) (requested by rmind in tick...
details: https://anonhg.NetBSD.org/src/rev/eea6e7994fb9
branches: netbsd-6
changeset: 774310:eea6e7994fb9
user: riz <riz%NetBSD.org@localhost>
date: Thu Jul 05 17:48:41 2012 +0000
description:
Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix a few theoretical races in the session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
diffstat:
lib/libnpf/npf.3 | 6 +-
lib/libnpf/npf.c | 45 ++++-
lib/libnpf/npf.h | 34 +-
share/man/man9/npf_ncode.9 | 14 +-
sys/net/npf/npf.h | 4 +-
sys/net/npf/npf_handler.c | 27 +-
sys/net/npf/npf_impl.h | 20 +-
sys/net/npf/npf_inet.c | 137 ++++++-------
sys/net/npf/npf_instr.c | 44 +++-
sys/net/npf/npf_nat.c | 22 +-
sys/net/npf/npf_ncode.h | 12 +-
sys/net/npf/npf_processor.c | 37 ++-
sys/net/npf/npf_ruleset.c | 10 +-
sys/net/npf/npf_session.c | 190 ++++++++++++------
sys/net/npf/npf_state.c | 9 +-
sys/net/npf/npf_state_tcp.c | 66 ++++--
sys/net/npf/npf_tableset.c | 90 ++++----
usr.sbin/npf/npfctl/npf.conf.5 | 34 +-
usr.sbin/npf/npfctl/npf_build.c | 96 ++++++--
usr.sbin/npf/npfctl/npf_data.c | 21 +-
usr.sbin/npf/npfctl/npf_disassemble.c | 55 +++++-
usr.sbin/npf/npfctl/npf_ncgen.c | 23 ++-
usr.sbin/npf/npfctl/npf_parse.y | 49 ++--
usr.sbin/npf/npfctl/npf_scan.l | 3 +-
usr.sbin/npf/npfctl/npfctl.8 | 12 +-
usr.sbin/npf/npfctl/npfctl.c | 12 +-
usr.sbin/npf/npfctl/npfctl.h | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c | 65 +++++-
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c | 72 ++++++-
usr.sbin/npf/npftest/libnpftest/npf_state_test.c | 16 +-
usr.sbin/npf/npftest/libnpftest/npf_table_test.c | 7 +-
usr.sbin/npf/npftest/libnpftest/npf_test.h | 1 +
32 files changed, 815 insertions(+), 422 deletions(-)
diffs (truncated from 2836 to 300 lines):
diff -r c0f7cf401971 -r eea6e7994fb9 lib/libnpf/npf.3
--- a/lib/libnpf/npf.3 Thu Jul 05 17:43:49 2012 +0000
+++ b/lib/libnpf/npf.3 Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.3,v 1.4 2012/01/15 00:49:47 rmind Exp $
+.\" $NetBSD: npf.3,v 1.4.2.1 2012/07/05 17:48:44 riz Exp $
.\"
.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 14, 2012
+.Dd July 1, 2012
.Dt NPF 3
.Os
.Sh NAME
@@ -136,7 +136,7 @@
.It Dv NPF_RULE_FINAL
Indicates that on rule match, further processing of the
ruleset should be stopped and this rule applied instantly.
-.It Dv NPF_RULE_KEEPSTATE
+.It Dv NPF_RULE_STATEFUL
Create a state (session) on match, track the connection and
therefore pass the backwards stream without inspection.
.It Dv NPF_RULE_RETRST
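Review bot: the NPF_RULE_STATEFUL entry still says the backwards stream is passed "without inspection", which overstates it: the same pull-up fixes TCP state tracking (the npf_state_tcp FIN retransmission and out-of-order ACK fix in the commit message), so the return path is still checked against the session's TCP state and only the ruleset is skipped. Suggest "pass the backwards stream without ruleset inspection". The entry also gives no hint that the flag used to be called NPF_RULE_KEEPSTATE, so readers of the netbsd-6 page looking for the old name find nothing.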
diff -r c0f7cf401971 -r eea6e7994fb9 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Thu Jul 05 17:43:49 2012 +0000
+++ b/lib/libnpf/npf.c Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:54 riz Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.2 2012/07/05 17:48:45 riz Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.1 2012/04/03 17:22:54 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.2 2012/07/05 17:48:45 riz Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -554,6 +554,29 @@
return 0;
}
+int
+_npf_nat_foreach(nl_config_t *ncf, nl_rule_callback_t func)
+{
+
+ return _npf_rule_foreach1(ncf->ncf_nat_list, 0, func);
+}
+
+void
+_npf_nat_getinfo(nl_nat_t *nt, int *type, u_int *flags, npf_addr_t *addr,
+ size_t *alen, in_port_t *port)
+{
+ prop_dictionary_t rldict = nt->nrl_dict;
+
+ prop_dictionary_get_int32(rldict, "type", type);
+ prop_dictionary_get_uint32(rldict, "flags", flags);
+
+ prop_object_t obj = prop_dictionary_get(rldict, "translation-ip");
+ *alen = prop_data_size(obj);
+ memcpy(addr, prop_data_data_nocopy(obj), *alen);
+
+ prop_dictionary_get_uint16(rldict, "translation-port", port);
+}
+
/*
* TABLE INTERFACE.
*/
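Review bot: in _npf_nat_getinfo the memcpy into addr takes its length from `*alen = prop_data_size(obj)` with no check that it fits in an npf_addr_t, and nothing checks that prop_dictionary_get() actually found "translation-ip" before prop_data_size() is called on the result. A dictionary that was not built by this process (one retrieved from the kernel, or a saved configuration) can therefore overflow the caller's buffer or dereference NULL. Suggest guarding the copy with `if (obj == NULL || prop_data_size(obj) > sizeof(npf_addr_t))` and failing, and checking the bool results of the prop_dictionary_get_int32/uint32/uint16 calls so *type, *flags and *port are not left uninitialised when a key is missing; that in turn argues for an int return instead of void.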
@@ -654,6 +677,24 @@
free(tl);
}
+void
+_npf_table_foreach(nl_config_t *ncf, nl_table_callback_t func)
+{
+ prop_dictionary_t tldict;
+ prop_object_iterator_t it;
+
+ it = prop_array_iterator(ncf->ncf_table_list);
+ while ((tldict = prop_object_iterator_next(it)) != NULL) {
+ u_int id;
+ int type;
+
+ prop_dictionary_get_uint32(tldict, "id", &id);
+ prop_dictionary_get_int32(tldict, "type", &type);
+ (*func)(id, type);
+ }
+ prop_object_iterator_release(it);
+}
+
/*
* MISC.
*/
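Review bot: _npf_table_foreach ignores the bool results of prop_dictionary_get_uint32() and prop_dictionary_get_int32(), so a table dictionary lacking "id" or "type" invokes the callback with uninitialised id and type. prop_array_iterator() can also return NULL on allocation failure, which would crash in prop_object_iterator_next(). Suggest skipping entries where either lookup fails and bailing out (ideally with an error return) when it == NULL.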
diff -r c0f7cf401971 -r eea6e7994fb9 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Thu Jul 05 17:43:49 2012 +0000
+++ b/lib/libnpf/npf.h Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.6.2.1 2012/04/03 17:22:54 riz Exp $ */
+/* $NetBSD: npf.h,v 1.6.2.2 2012/07/05 17:48:44 riz Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -64,6 +64,7 @@
} nl_error_t;
typedef void (*nl_rule_callback_t)(nl_rule_t *, unsigned);
+typedef void (*nl_table_callback_t)(unsigned, int);
#endif
@@ -79,33 +80,18 @@
void npf_config_destroy(nl_config_t *);
nl_config_t * npf_config_retrieve(int, bool *, bool *);
int npf_config_flush(int);
-#ifdef _NPF_PRIVATE
-void _npf_config_error(nl_config_t *, nl_error_t *);
-void _npf_config_setsubmit(nl_config_t *, const char *);
-#endif
nl_rule_t * npf_rule_create(const char *, uint32_t, u_int);
int npf_rule_setcode(nl_rule_t *, int, const void *, size_t);
int npf_rule_setproc(nl_config_t *, nl_rule_t *, const char *);
bool npf_rule_exists_p(nl_config_t *, const char *);
int npf_rule_insert(nl_config_t *, nl_rule_t *, nl_rule_t *, pri_t);
-#ifdef _NPF_PRIVATE
-int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
-pri_t _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *, u_int *);
-const void * _npf_rule_ncode(nl_rule_t *, size_t *);
-const char * _npf_rule_rproc(nl_rule_t *);
-#endif
void npf_rule_destroy(nl_rule_t *);
nl_rproc_t * npf_rproc_create(const char *);
bool npf_rproc_exists_p(nl_config_t *, const char *);
int npf_rproc_insert(nl_config_t *, nl_rproc_t *);
-#ifdef _NPF_PRIVATE
-int _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
-int _npf_rproc_setlog(nl_rproc_t *, u_int);
-#endif
-
nl_nat_t * npf_nat_create(int, u_int, u_int, npf_addr_t *, int, in_port_t);
int npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
@@ -119,6 +105,22 @@
int npf_sessions_send(int, const char *);
int npf_sessions_recv(int, const char *);
+#ifdef _NPF_PRIVATE
+void _npf_config_error(nl_config_t *, nl_error_t *);
+void _npf_config_setsubmit(nl_config_t *, const char *);
+int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
+pri_t _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *,
+ u_int *);
+const void * _npf_rule_ncode(nl_rule_t *, size_t *);
+const char * _npf_rule_rproc(nl_rule_t *);
+int _npf_nat_foreach(nl_config_t *, nl_rule_callback_t);
+void _npf_nat_getinfo(nl_nat_t *, int *, u_int *, npf_addr_t *,
+ size_t *, in_port_t *);
+int _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
+int _npf_rproc_setlog(nl_rproc_t *, u_int);
+void _npf_table_foreach(nl_config_t *, nl_table_callback_t);
+#endif
+
__END_DECLS
#endif /* _NPF_LIB_H_ */
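Review bot: the new _npf_nat_getinfo prototype takes `npf_addr_t *` plus an output `size_t *` but no input capacity and returns void, so a caller has no way to learn that the address did not fit or that a key was absent. Either document that addr must be a full npf_addr_t and have the function enforce that, or add an input length and return int like the other private getters that can fail.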
diff -r c0f7cf401971 -r eea6e7994fb9 share/man/man9/npf_ncode.9
--- a/share/man/man9/npf_ncode.9 Thu Jul 05 17:43:49 2012 +0000
+++ b/share/man/man9/npf_ncode.9 Thu Jul 05 17:48:41 2012 +0000
@@ -1,6 +1,6 @@
-.\" $NetBSD: npf_ncode.9,v 1.8 2011/12/23 20:53:31 rmind Exp $
+.\" $NetBSD: npf_ncode.9,v 1.8.2.1 2012/07/05 17:48:45 riz Exp $
.\"
-.\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 23, 2011
+.Dd July 1, 2012
.Dt NPF_NCODE 9
.Os
.Sh NAME
@@ -222,6 +222,14 @@
the value passed in the argument.
Return value to advance to layer 3 header in R3.
.\" -
+.It Sy 0x81 NPF_OPCODE_PROTO <protocol>
+Match the IP address length and the protocol.
+The values for both are represented by lower 16 bits.
+The higher 8 bits represent IP address length.
+If zero is specified, the length is not matched.
+The lower 8 bits represent the protocol.
+If 0xff is specified, the protocol is not matched.
+.\" -
.It Sy 0x90 NPF_OPCODE_IP4MASK <s/d>, <network address>, <subnet>
Match passed network address with subnet against source or destination
address in the IPv4 header.
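Review bot: the NPF_OPCODE_PROTO description leaves the operand layout ambiguous: "represented by lower 16 bits" followed by "The higher 8 bits" does not say whether "higher" means bits 8-15 of that 16-bit field or the top byte of the 32-bit word. Spell the encoding out, e.g. "the operand is (alen << 8) | proto: bits 8-15 hold the address length, bits 0-7 the protocol", and say what "IP address length" is (presumably bytes, 4 or 16) so the zero and 0xff wildcard values are unambiguous. The .It line also names only <protocol> although the opcode carries two fields.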
diff -r c0f7cf401971 -r eea6e7994fb9 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Thu Jul 05 17:43:49 2012 +0000
+++ b/sys/net/npf/npf.h Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.3 2012/06/26 14:49:10 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.4 2012/07/05 17:48:42 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -148,7 +148,7 @@
#define NPF_RULE_PASS 0x0001
#define NPF_RULE_DEFAULT 0x0002
#define NPF_RULE_FINAL 0x0004
-#define NPF_RULE_KEEPSTATE 0x0008
+#define NPF_RULE_STATEFUL 0x0008
#define NPF_RULE_RETRST 0x0010
#define NPF_RULE_RETICMP 0x0020
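Review bot: the rename keeps the value 0x0008, so the kernel/userland ABI is unchanged, but dropping NPF_RULE_KEEPSTATE outright on the netbsd-6 branch breaks source compatibility for anything outside the tree built against the 6.0 header. On a release branch consider keeping `#define NPF_RULE_KEEPSTATE NPF_RULE_STATEFUL` for one cycle, or at least call the rename out in the branch change notes.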
diff -r c0f7cf401971 -r eea6e7994fb9 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Thu Jul 05 17:43:49 2012 +0000
+++ b/sys/net/npf/npf_handler.c Thu Jul 05 17:48:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.13.2.2 2012/06/26 00:07:16 riz Exp $ */
+/* $NetBSD: npf_handler.c,v 1.13.2.3 2012/07/05 17:48:42 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13.2.2 2012/06/26 00:07:16 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13.2.3 2012/07/05 17:48:42 riz Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -54,7 +54,7 @@
#include "npf_impl.h"
/*
- * If npf_ph_if != NULL, pfil hooks are registers. If NULL, not registered.
+ * If npf_ph_if != NULL, pfil hooks are registered. If NULL, not registered.
* Used to check the state. Locked by: softnet_lock + KERNEL_LOCK (XXX).
*/
static struct pfil_head * npf_ph_if = NULL;
@@ -100,24 +100,25 @@
/* Cache everything. Determine whether it is an IP fragment. */
if (npf_cache_all(&npc, nbuf) & NPC_IPFRAG) {
- int ret = -1;
+ /*
+ * Pass to IPv4 or IPv6 reassembly mechanism.
+ */
+ error = EINVAL;
- /* Pass to IPv4 or IPv6 reassembly mechanism. */
if (npf_iscached(&npc, NPC_IP4)) {
struct ip *ip = nbuf_dataptr(*mp);
- ret = ip_reass_packet(mp, ip);
+ error = ip_reass_packet(mp, ip);
} else if (npf_iscached(&npc, NPC_IP6)) {
#ifdef INET6
/*
- * Note: frag6_input() offset is the start of the
- * fragment header.
+ * Note: ip6_reass_packet() offset is the start of
+ * the fragment header.
*/
const u_int hlen = npf_cache_hlen(&npc);
- ret = ip6_reass_packet(mp, hlen);
+ error = ip6_reass_packet(mp, hlen);
#endif
}
- if (ret) {
- error = EINVAL;
+ if (error) {
se = NULL;
goto out;
}
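Review bot: reusing error for the reassembly result changes what the handler returns: previously any non-zero ret was mapped to EINVAL, now the errno from ip_reass_packet() or ip6_reass_packet() propagates to the pfil caller unchanged. If that is intended (it is more informative) the commit message should say so; otherwise keep the EINVAL mapping. Pre-setting error = EINVAL so that a fragment which is neither IPv4 nor (with INET6) IPv6 is dropped is the right fail-closed choice and deserves a one-line comment, since at first read it looks like a leftover. Expanding the single-line "Pass to IPv4 or IPv6 reassembly mechanism." comment into a three-line block is unnecessary churn in a pull-up.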
@@ -133,7 +134,7 @@
nbuf = (nbuf_t *)*mp;
npc.npc_info = 0;
- ret = npf_cache_all(&npc, nbuf);
+ int ret __unused = npf_cache_all(&npc, nbuf);
KASSERT((ret & NPC_IPFRAG) == 0);
}
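Review bot: ret now exists only to feed the KASSERT, hence __unused; that is the correct fix (folding the call into the KASSERT would drop the re-caching entirely in non-DIAGNOSTIC kernels), but the assertion checks only the fragment bit. If npf_cache_all() can return without NPC_IP4/NPC_IP6 set for a reassembled packet, production kernels carry on with a partially classified packet; either assert those bits too or check them at runtime and drop the packet.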
@@ -188,7 +189,7 @@
* Note: the reference on the rule procedure is transfered to the