
[src/trunk]: src - Extend npftest: add ruleset inspection testing from the co...



details:   https://anonhg.NetBSD.org/src/rev/47a2cb980e76
branches:  trunk
changeset: 780928:47a2cb980e76
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sun Aug 12 03:35:13 2012 +0000

description:
- Extend npftest: add ruleset inspection testing from the config generated
  by npfctl debug functionality.  Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
  share it between the entries and thus fix their handling.  Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.

diffstat:

 lib/libnpf/npf.c                                |   73 ++++++++-
 lib/libnpf/npf.h                                |    7 +-
 sys/modules/npf/Makefile                        |    5 +-
 sys/net/npf/npf_handler.c                       |    8 +-
 sys/net/npf/npf_impl.h                          |   16 +-
 sys/net/npf/npf_nat.c                           |   11 +-
 sys/net/npf/npf_ruleset.c                       |    6 +-
 sys/net/npf/npf_session.c                       |  118 ++++++++----
 sys/net/npf/npf_state.c                         |    8 +-
 sys/net/npf/npf_tableset.c                      |   10 +-
 usr.sbin/npf/npfctl/npf_build.c                 |  193 +++++++++++----------
 usr.sbin/npf/npfctl/npf_data.c                  |   20 +-
 usr.sbin/npf/npfctl/npf_parse.y                 |    8 +-
 usr.sbin/npf/npfctl/npfctl.c                    |   10 +-
 usr.sbin/npf/npfctl/npfctl.h                    |    7 +-
 usr.sbin/npf/npftest/README                     |   29 +++
 usr.sbin/npf/npftest/libnpftest/Makefile        |    2 +
 usr.sbin/npf/npftest/libnpftest/npf_nat_test.c  |  210 ++++++++++++++++++++++++
 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c |  130 ++++++++++++++
 usr.sbin/npf/npftest/libnpftest/npf_test.h      |    5 +
 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c |   28 +++-
 usr.sbin/npf/npftest/npfstream.c                |    8 +-
 usr.sbin/npf/npftest/npftest.c                  |   95 ++++++----
 usr.sbin/npf/npftest/npftest.conf               |   41 ++++
 usr.sbin/npf/npftest/npftest.h                  |    5 +
 25 files changed, 829 insertions(+), 224 deletions(-)

diffs (truncated from 1880 to 300 lines):

diff -r 13a3f4bef282 -r 47a2cb980e76 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c  Sun Aug 12 02:51:18 2012 +0000
+++ b/lib/libnpf/npf.c  Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.c,v 1.10 2012/07/15 00:22:59 rmind Exp $   */
+/*     $NetBSD: npf.c,v 1.11 2012/08/12 03:35:14 rmind Exp $   */
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,11 +30,12 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.10 2012/07/15 00:22:59 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.11 2012/08/12 03:35:14 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
+#include <net/if.h>
 #include <prop/proplib.h>
 
 #include <stdlib.h>
@@ -56,6 +57,8 @@
        /* Priority counters. */
        pri_t                   ncf_rule_pri;
        pri_t                   ncf_nat_pri;
+       /* Debug information. */
+       prop_dictionary_t       ncf_debug;
        /* Error report. */
        prop_dictionary_t       ncf_err;
        /* Custom file to externalise property-list. */
@@ -113,6 +116,9 @@
        if (npf_dict == NULL) {
                return ENOMEM;
        }
+       if (ncf->ncf_debug) {
+               prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
+       }
        prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
        prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
        prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
@@ -213,6 +219,9 @@
        if (ncf->ncf_err) {
                prop_object_release(ncf->ncf_err);
        }
+       if (ncf->ncf_debug) {
+               prop_object_release(ncf->ncf_debug);
+       }
        free(ncf);
 }
 
@@ -753,3 +762,63 @@
        prop_object_release(sdict);
        return error;
 }
+
+static prop_dictionary_t
+_npf_debug_initonce(nl_config_t *ncf)
+{
+       if (!ncf->ncf_debug) {
+               prop_array_t iflist = prop_array_create();
+               ncf->ncf_debug = prop_dictionary_create();
+               prop_dictionary_set(ncf->ncf_debug, "interfaces", iflist);
+               prop_object_release(iflist);
+       }
+       return ncf->ncf_debug;
+}
+
+void
+_npf_debug_addif(nl_config_t *ncf, struct ifaddrs *ifa, u_int if_idx)
+{
+       prop_dictionary_t ifdict, dbg = _npf_debug_initonce(ncf);
+       prop_array_t iflist = prop_dictionary_get(dbg, "interfaces");
+
+       if (_npf_prop_array_lookup(iflist, "name", ifa->ifa_name)) {
+               return;
+       }
+
+       ifdict = prop_dictionary_create();
+       prop_dictionary_set_cstring(ifdict, "name", ifa->ifa_name);
+       prop_dictionary_set_uint32(ifdict, "flags", ifa->ifa_flags);
+       if (!if_idx) {
+               if_idx = if_nametoindex(ifa->ifa_name);
+       }
+       prop_dictionary_set_uint32(ifdict, "idx", if_idx);
+
+       const struct sockaddr *sa = ifa->ifa_addr;
+       npf_addr_t addr;
+       size_t alen = 0;
+
+       switch (sa ? sa->sa_family : -1) {
+       case AF_INET: {
+               const struct sockaddr_in *sin = (const void *)sa;
+               alen = sizeof(sin->sin_addr);
+               memcpy(&addr, &sin->sin_addr, alen);
+               break;
+       }
+       case AF_INET6: {
+               const struct sockaddr_in6 *sin6 = (const void *)sa;
+               alen = sizeof(sin6->sin6_addr);
+               memcpy(&addr, &sin6->sin6_addr, alen);
+               break;
+       }
+       default:
+               break;
+       }
+
+       if (alen) {
+               prop_data_t addrdata = prop_data_create_data(&addr, alen);
+               prop_dictionary_set(ifdict, "addr", addrdata);
+               prop_object_release(addrdata);
+       }
+       prop_array_add(iflist, ifdict);
+       prop_object_release(ifdict);
+}
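Review bot: `_npf_debug_addif` uses `dbg`, `iflist` and `ifdict` without checking that `prop_dictionary_create()`, `prop_array_create()` (inside `_npf_debug_initonce`) and `prop_dictionary_get()` returned non-NULL, and because the function is `void` an allocation failure cannot be reported, whereas the submit path in this same file does check (`if (npf_dict == NULL) return ENOMEM;`). At minimum guard before use, `if (dbg == NULL || iflist == NULL) return;` after the two lookups and `if (ifdict == NULL) return;` after the `prop_dictionary_create()` call; returning `int` (ENOMEM) and adjusting the prototype in npf.h would let npfctl fail loudly instead of silently emitting a debug dictionary with an interface missing. Separately, `if_nametoindex()` yields 0 for an unknown name, so the `if (!if_idx)` fallback can store an index of 0 indistinguishably from a resolved one; a comment such as `/* idx 0: interface name could not be resolved */` or an explicit check would make that visible to the consumer in npftest. `ifa` is only read here, so `const struct ifaddrs *ifa` fits the constification done elsewhere in this changeset.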
diff -r 13a3f4bef282 -r 47a2cb980e76 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h  Sun Aug 12 02:51:18 2012 +0000
+++ b/lib/libnpf/npf.h  Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.9 2012/07/15 00:22:59 rmind Exp $    */
+/*     $NetBSD: npf.h,v 1.10 2012/08/12 03:35:14 rmind Exp $   */
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -107,6 +107,9 @@
 int            npf_sessions_recv(int, const char *);
 
 #ifdef _NPF_PRIVATE
+
+#include <ifaddrs.h>
+
 void           _npf_config_error(nl_config_t *, nl_error_t *);
 void           _npf_config_setsubmit(nl_config_t *, const char *);
 int            _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
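Review bot: The `#include <ifaddrs.h>` added under `#ifdef _NPF_PRIVATE` exists only to name the pointer parameter of the `_npf_debug_addif` prototype in the next hunk; a forward declaration `struct ifaddrs;` would keep the header self-contained without pulling a system header into every private consumer. The implementation in npf.c only reads through that pointer, so the prototype can also take `const struct ifaddrs *`, in line with the `const ifnet_t *` changes in this changeset: `void _npf_debug_addif(nl_config_t *, const struct ifaddrs *, u_int);`.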
@@ -120,6 +123,8 @@
 int            _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
 int            _npf_rproc_setlog(nl_rproc_t *, u_int);
 void           _npf_table_foreach(nl_config_t *, nl_table_callback_t);
+
+void           _npf_debug_addif(nl_config_t *, struct ifaddrs *, u_int);
 #endif
 
 __END_DECLS
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile  Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/modules/npf/Makefile  Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.9 2012/02/06 23:30:14 rmind Exp $
+# $NetBSD: Makefile,v 1.10 2012/08/12 03:35:14 rmind Exp $
 
 .include "../Makefile.inc"
 
@@ -9,7 +9,8 @@
 SRCS=          npf.c npf_alg.c npf_ctl.c npf_handler.c
 SRCS+=         npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
 SRCS+=         npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
-SRCS+=         npf_session.c npf_state.c npf_state_tcp.c npf_tableset.c
+SRCS+=         npf_session.c npf_state.c npf_state_tcp.c
+SRCS+=         npf_tableset.c npf_tableset_ptree.c
 
 CPPFLAGS+=     -DINET6
 
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_handler.c Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_handler.c,v 1.20 2012/07/15 00:23:00 rmind Exp $   */
+/*     $NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $   */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.20 2012/07/15 00:23:00 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -142,7 +142,7 @@
        }
 
        /* Inspect the list of sessions. */
-       se = npf_session_inspect(&npc, nbuf, di, &error);
+       se = npf_session_inspect(&npc, nbuf, ifp, di, &error);
 
        /* If "passing" session found - skip the ruleset inspection. */
        if (se && npf_session_pass(se, &rp)) {
@@ -193,7 +193,7 @@
         * session.  It will be released on session destruction.
         */
        if ((retfl & NPF_RULE_STATEFUL) != 0 && !se) {
-               se = npf_session_establish(&npc, nbuf, di);
+               se = npf_session_establish(&npc, nbuf, ifp, di);
                if (se) {
                        npf_session_setpass(se, rp);
                }
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h    Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_impl.h    Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_impl.h,v 1.20 2012/07/28 00:43:24 matt Exp $       */
+/*     $NetBSD: npf_impl.h,v 1.21 2012/08/12 03:35:14 rmind Exp $      */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -124,9 +124,9 @@
 
 #if defined(_NPF_TESTING)
 void           npf_state_sample(npf_state_t *, bool);
-#define        NPF_TCP_STATE_SAMPLE(n, r)      npf_state_sample(n, r)
+#define        NPF_STATE_SAMPLE(n, r)  npf_state_sample(n, r)
 #else
-#define        NPF_TCP_STATE_SAMPLE(n, r)
+#define        NPF_STATE_SAMPLE(n, r)
 #endif
 
 /*
@@ -248,7 +248,7 @@
 void           npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
 
 npf_rule_t *   npf_ruleset_inspect(npf_cache_t *, nbuf_t *, npf_ruleset_t *,
-                   ifnet_t *, const int, const int);
+                   const ifnet_t *, const int, const int);
 int            npf_rule_apply(npf_cache_t *, nbuf_t *, npf_rule_t *, int *);
 
 /* Rule interface. */
@@ -273,8 +273,10 @@
 void           sess_htable_destroy(npf_sehash_t *);
 void           sess_htable_reload(npf_sehash_t *);
 
-npf_session_t *        npf_session_inspect(npf_cache_t *, nbuf_t *, const int, int *);
-npf_session_t *        npf_session_establish(const npf_cache_t *, nbuf_t *, const int);
+npf_session_t *        npf_session_inspect(npf_cache_t *, nbuf_t *,
+                   const ifnet_t *, const int, int *);
+npf_session_t *        npf_session_establish(const npf_cache_t *, nbuf_t *,
+                   const ifnet_t *, const int);
 void           npf_session_release(npf_session_t *);
 void           npf_session_expire(npf_session_t *);
 bool           npf_session_pass(const npf_session_t *, npf_rproc_t **);
@@ -305,7 +307,7 @@
 void           npf_nat_freealg(npf_natpolicy_t *, npf_alg_t *);
 
 int            npf_do_nat(npf_cache_t *, npf_session_t *, nbuf_t *,
-                   ifnet_t *, const int);
+                   const ifnet_t *, const int);
 void           npf_nat_expire(npf_nat_t *);
 void           npf_nat_getorig(npf_nat_t *, npf_addr_t **, in_port_t *);
 void           npf_nat_gettrans(npf_nat_t *, npf_addr_t **, in_port_t *);
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_nat.c
--- a/sys/net/npf/npf_nat.c     Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_nat.c     Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_nat.c,v 1.15 2012/07/15 00:23:00 rmind Exp $       */
+/*     $NetBSD: npf_nat.c,v 1.16 2012/08/12 03:35:14 rmind Exp $       */
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.15 2012/07/15 00:23:00 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.16 2012/08/12 03:35:14 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -417,7 +417,8 @@
  * npf_nat_inspect: inspect packet against NAT ruleset and return a policy.
  */
 static npf_natpolicy_t *
-npf_nat_inspect(npf_cache_t *npc, nbuf_t *nbuf, ifnet_t *ifp, const int di)
+npf_nat_inspect(npf_cache_t *npc, nbuf_t *nbuf, const ifnet_t *ifp,
+    const int di)
 {
        npf_ruleset_t *rlset;
        npf_natpolicy_t *np;
@@ -582,7 +583,7 @@
  */
 int
 npf_do_nat(npf_cache_t *npc, npf_session_t *se, nbuf_t *nbuf,
-    ifnet_t *ifp, const int di)
+    const ifnet_t *ifp, const int di)
 {
        npf_session_t *nse = NULL;
        npf_natpolicy_t *np;
@@ -643,7 +644,7 @@
         * stream depends on other, stateless filtering rules.
         */
        if (se == NULL) {
-               nse = npf_session_establish(npc, nbuf, di);
+               nse = npf_session_establish(npc, nbuf, ifp, di);
                if (nse == NULL) {
                        error = ENOMEM;
                        goto out;
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_ruleset.c
--- a/sys/net/npf/npf_ruleset.c Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_ruleset.c Sun Aug 12 03:35:13 2012 +0000


