[src/trunk]: src - Extend npftest: add ruleset inspection testing from the co...
details: https://anonhg.NetBSD.org/src/rev/47a2cb980e76
branches: trunk
changeset: 780928:47a2cb980e76
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Aug 12 03:35:13 2012 +0000
description:
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share it between the entries and thus fix their handling. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
diffstat:
lib/libnpf/npf.c | 73 ++++++++-
lib/libnpf/npf.h | 7 +-
sys/modules/npf/Makefile | 5 +-
sys/net/npf/npf_handler.c | 8 +-
sys/net/npf/npf_impl.h | 16 +-
sys/net/npf/npf_nat.c | 11 +-
sys/net/npf/npf_ruleset.c | 6 +-
sys/net/npf/npf_session.c | 118 ++++++++----
sys/net/npf/npf_state.c | 8 +-
sys/net/npf/npf_tableset.c | 10 +-
usr.sbin/npf/npfctl/npf_build.c | 193 +++++++++++----------
usr.sbin/npf/npfctl/npf_data.c | 20 +-
usr.sbin/npf/npfctl/npf_parse.y | 8 +-
usr.sbin/npf/npfctl/npfctl.c | 10 +-
usr.sbin/npf/npfctl/npfctl.h | 7 +-
usr.sbin/npf/npftest/README | 29 +++
usr.sbin/npf/npftest/libnpftest/Makefile | 2 +
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c | 210 ++++++++++++++++++++++++
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c | 130 ++++++++++++++
usr.sbin/npf/npftest/libnpftest/npf_test.h | 5 +
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c | 28 +++-
usr.sbin/npf/npftest/npfstream.c | 8 +-
usr.sbin/npf/npftest/npftest.c | 95 ++++++----
usr.sbin/npf/npftest/npftest.conf | 41 ++++
usr.sbin/npf/npftest/npftest.h | 5 +
25 files changed, 829 insertions(+), 224 deletions(-)
diffs (truncated from 1880 to 300 lines):
diff -r 13a3f4bef282 -r 47a2cb980e76 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sun Aug 12 02:51:18 2012 +0000
+++ b/lib/libnpf/npf.c Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.10 2012/07/15 00:22:59 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.11 2012/08/12 03:35:14 rmind Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,11 +30,12 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.10 2012/07/15 00:22:59 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.11 2012/08/12 03:35:14 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
+#include <net/if.h>
#include <prop/proplib.h>
#include <stdlib.h>
@@ -56,6 +57,8 @@
/* Priority counters. */
pri_t ncf_rule_pri;
pri_t ncf_nat_pri;
+ /* Debug information. */
+ prop_dictionary_t ncf_debug;
/* Error report. */
prop_dictionary_t ncf_err;
/* Custom file to externalise property-list. */
@@ -113,6 +116,9 @@
if (npf_dict == NULL) {
return ENOMEM;
}
+ if (ncf->ncf_debug) {
+ prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
+ }
prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
@@ -213,6 +219,9 @@
if (ncf->ncf_err) {
prop_object_release(ncf->ncf_err);
}
+ if (ncf->ncf_debug) {
+ prop_object_release(ncf->ncf_debug);
+ }
free(ncf);
}
@@ -753,3 +762,63 @@
prop_object_release(sdict);
return error;
}
+
+static prop_dictionary_t
+_npf_debug_initonce(nl_config_t *ncf)
+{
+ if (!ncf->ncf_debug) {
+ prop_array_t iflist = prop_array_create();
+ ncf->ncf_debug = prop_dictionary_create();
+ prop_dictionary_set(ncf->ncf_debug, "interfaces", iflist);
+ prop_object_release(iflist);
+ }
+ return ncf->ncf_debug;
+}
+
+void
+_npf_debug_addif(nl_config_t *ncf, struct ifaddrs *ifa, u_int if_idx)
+{
+ prop_dictionary_t ifdict, dbg = _npf_debug_initonce(ncf);
+ prop_array_t iflist = prop_dictionary_get(dbg, "interfaces");
+
+ if (_npf_prop_array_lookup(iflist, "name", ifa->ifa_name)) {
+ return;
+ }
+
+ ifdict = prop_dictionary_create();
+ prop_dictionary_set_cstring(ifdict, "name", ifa->ifa_name);
+ prop_dictionary_set_uint32(ifdict, "flags", ifa->ifa_flags);
+ if (!if_idx) {
+ if_idx = if_nametoindex(ifa->ifa_name);
+ }
+ prop_dictionary_set_uint32(ifdict, "idx", if_idx);
+
+ const struct sockaddr *sa = ifa->ifa_addr;
+ npf_addr_t addr;
+ size_t alen = 0;
+
+ switch (sa ? sa->sa_family : -1) {
+ case AF_INET: {
+ const struct sockaddr_in *sin = (const void *)sa;
+ alen = sizeof(sin->sin_addr);
+ memcpy(&addr, &sin->sin_addr, alen);
+ break;
+ }
+ case AF_INET6: {
+ const struct sockaddr_in6 *sin6 = (const void *)sa;
+ alen = sizeof(sin6->sin6_addr);
+ memcpy(&addr, &sin6->sin6_addr, alen);
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (alen) {
+ prop_data_t addrdata = prop_data_create_data(&addr, alen);
+ prop_dictionary_set(ifdict, "addr", addrdata);
+ prop_object_release(addrdata);
+ }
+ prop_array_add(iflist, ifdict);
+ prop_object_release(ifdict);
+}
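Review bot: `_npf_debug_initonce` stores the result of `prop_dictionary_create()` into `ncf->ncf_debug`, and `_npf_debug_addif` stores `prop_dictionary_create()` into `ifdict`, without checking for NULL, so on allocation failure the following `prop_dictionary_set*` calls receive a null object (the `prop_array_create()` result one line above is unchecked in the same way). Since `_npf_debug_addif` is void and cannot report failure, the smallest fix is to leave the debug path early: `if ((ifdict = prop_dictionary_create()) == NULL) { return; }` after the duplicate check, and `if (dbg == NULL || iflist == NULL) { return; }` before the lookup. Separately, `if_nametoindex()` returns 0 for an unknown name, and that 0 is stored as "idx" with no indication that the lookup failed; presumably the npftest consumer treats 0 as "no index", which is worth confirming. The function only reads through `ifa`, so the parameter, and its prototype in the lib/libnpf/npf.h hunk, could be `const struct ifaddrs *` in keeping with the constification done elsewhere in this commit.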
diff -r 13a3f4bef282 -r 47a2cb980e76 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Sun Aug 12 02:51:18 2012 +0000
+++ b/lib/libnpf/npf.h Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.9 2012/07/15 00:22:59 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.10 2012/08/12 03:35:14 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -107,6 +107,9 @@
int npf_sessions_recv(int, const char *);
#ifdef _NPF_PRIVATE
+
+#include <ifaddrs.h>
+
void _npf_config_error(nl_config_t *, nl_error_t *);
void _npf_config_setsubmit(nl_config_t *, const char *);
int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
@@ -120,6 +123,8 @@
int _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
int _npf_rproc_setlog(nl_rproc_t *, u_int);
void _npf_table_foreach(nl_config_t *, nl_table_callback_t);
+
+void _npf_debug_addif(nl_config_t *, struct ifaddrs *, u_int);
#endif
__END_DECLS
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/modules/npf/Makefile Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.9 2012/02/06 23:30:14 rmind Exp $
+# $NetBSD: Makefile,v 1.10 2012/08/12 03:35:14 rmind Exp $
.include "../Makefile.inc"
@@ -9,7 +9,8 @@
SRCS= npf.c npf_alg.c npf_ctl.c npf_handler.c
SRCS+= npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
SRCS+= npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
-SRCS+= npf_session.c npf_state.c npf_state_tcp.c npf_tableset.c
+SRCS+= npf_session.c npf_state.c npf_state_tcp.c
+SRCS+= npf_tableset.c npf_tableset_ptree.c
CPPFLAGS+= -DINET6
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_handler.c Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.20 2012/07/15 00:23:00 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.20 2012/07/15 00:23:00 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -142,7 +142,7 @@
}
/* Inspect the list of sessions. */
- se = npf_session_inspect(&npc, nbuf, di, &error);
+ se = npf_session_inspect(&npc, nbuf, ifp, di, &error);
/* If "passing" session found - skip the ruleset inspection. */
if (se && npf_session_pass(se, &rp)) {
@@ -193,7 +193,7 @@
* session. It will be released on session destruction.
*/
if ((retfl & NPF_RULE_STATEFUL) != 0 && !se) {
- se = npf_session_establish(&npc, nbuf, di);
+ se = npf_session_establish(&npc, nbuf, ifp, di);
if (se) {
npf_session_setpass(se, rp);
}
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_impl.h Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.20 2012/07/28 00:43:24 matt Exp $ */
+/* $NetBSD: npf_impl.h,v 1.21 2012/08/12 03:35:14 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -124,9 +124,9 @@
#if defined(_NPF_TESTING)
void npf_state_sample(npf_state_t *, bool);
-#define NPF_TCP_STATE_SAMPLE(n, r) npf_state_sample(n, r)
+#define NPF_STATE_SAMPLE(n, r) npf_state_sample(n, r)
#else
-#define NPF_TCP_STATE_SAMPLE(n, r)
+#define NPF_STATE_SAMPLE(n, r)
#endif
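Review bot: The non-testing `NPF_STATE_SAMPLE(n, r)` on the last added line expands to nothing, so any side effects in its arguments are silently dropped in production builds and a variable used only as an argument draws an unused-variable warning there; `#define NPF_STATE_SAMPLE(n, r) ((void)(n), (void)(r))` keeps the arguments evaluated and type-checked in both configurations. The rename from `NPF_TCP_STATE_SAMPLE` also means any call site still using the old name fails to compile; npf_state.c appears in the diffstat but lies outside the truncated portion of this diff, so I cannot confirm that every site was updated.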
/*
@@ -248,7 +248,7 @@
void npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
npf_rule_t * npf_ruleset_inspect(npf_cache_t *, nbuf_t *, npf_ruleset_t *,
- ifnet_t *, const int, const int);
+ const ifnet_t *, const int, const int);
int npf_rule_apply(npf_cache_t *, nbuf_t *, npf_rule_t *, int *);
/* Rule interface. */
@@ -273,8 +273,10 @@
void sess_htable_destroy(npf_sehash_t *);
void sess_htable_reload(npf_sehash_t *);
-npf_session_t * npf_session_inspect(npf_cache_t *, nbuf_t *, const int, int *);
-npf_session_t * npf_session_establish(const npf_cache_t *, nbuf_t *, const int);
+npf_session_t * npf_session_inspect(npf_cache_t *, nbuf_t *,
+ const ifnet_t *, const int, int *);
+npf_session_t * npf_session_establish(const npf_cache_t *, nbuf_t *,
+ const ifnet_t *, const int);
void npf_session_release(npf_session_t *);
void npf_session_expire(npf_session_t *);
bool npf_session_pass(const npf_session_t *, npf_rproc_t **);
@@ -305,7 +307,7 @@
void npf_nat_freealg(npf_natpolicy_t *, npf_alg_t *);
int npf_do_nat(npf_cache_t *, npf_session_t *, nbuf_t *,
- ifnet_t *, const int);
+ const ifnet_t *, const int);
void npf_nat_expire(npf_nat_t *);
void npf_nat_getorig(npf_nat_t *, npf_addr_t **, in_port_t *);
void npf_nat_gettrans(npf_nat_t *, npf_addr_t **, in_port_t *);
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_nat.c
--- a/sys/net/npf/npf_nat.c Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_nat.c Sun Aug 12 03:35:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_nat.c,v 1.15 2012/07/15 00:23:00 rmind Exp $ */
+/* $NetBSD: npf_nat.c,v 1.16 2012/08/12 03:35:14 rmind Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.15 2012/07/15 00:23:00 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.16 2012/08/12 03:35:14 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -417,7 +417,8 @@
* npf_nat_inspect: inspect packet against NAT ruleset and return a policy.
*/
static npf_natpolicy_t *
-npf_nat_inspect(npf_cache_t *npc, nbuf_t *nbuf, ifnet_t *ifp, const int di)
+npf_nat_inspect(npf_cache_t *npc, nbuf_t *nbuf, const ifnet_t *ifp,
+ const int di)
{
npf_ruleset_t *rlset;
npf_natpolicy_t *np;
@@ -582,7 +583,7 @@
*/
int
npf_do_nat(npf_cache_t *npc, npf_session_t *se, nbuf_t *nbuf,
- ifnet_t *ifp, const int di)
+ const ifnet_t *ifp, const int di)
{
npf_session_t *nse = NULL;
npf_natpolicy_t *np;
@@ -643,7 +644,7 @@
* stream depends on other, stateless filtering rules.
*/
if (se == NULL) {
- nse = npf_session_establish(npc, nbuf, di);
+ nse = npf_session_establish(npc, nbuf, ifp, di);
if (nse == NULL) {
error = ENOMEM;
goto out;
diff -r 13a3f4bef282 -r 47a2cb980e76 sys/net/npf/npf_ruleset.c
--- a/sys/net/npf/npf_ruleset.c Sun Aug 12 02:51:18 2012 +0000
+++ b/sys/net/npf/npf_ruleset.c Sun Aug 12 03:35:13 2012 +0000