[src/trunk]: src - Expire all sessions on flush.
details: https://anonhg.NetBSD.org/src/rev/a3862d524816
branches: trunk
changeset: 772752:a3862d524816
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Jan 15 00:49:47 2012 +0000
description:
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
diffstat:
lib/libnpf/npf.3 | 20 ++++++++++++--------
lib/libnpf/npf.c | 26 ++++++++++++++++++++++----
lib/libnpf/npf.h | 3 ++-
sys/net/npf/npf.c | 7 ++-----
sys/net/npf/npf.h | 4 ++--
sys/net/npf/npf_ctl.c | 11 +++++++++--
sys/net/npf/npf_handler.c | 5 +++--
sys/net/npf/npf_instr.c | 13 ++++---------
sys/net/npf/npf_nat.c | 5 +++--
sys/net/npf/npf_processor.c | 11 ++++++-----
sys/net/npf/npf_ruleset.c | 10 +++-------
sys/net/npf/npf_tableset.c | 18 +++++++++---------
usr.sbin/npf/npfctl/npf_build.c | 19 ++-----------------
usr.sbin/npf/npfctl/npf_parse.y | 4 ++--
usr.sbin/npf/npfctl/npf_var.c | 11 ++++++-----
usr.sbin/npf/npfctl/npfctl.c | 6 +++---
usr.sbin/npf/npfctl/npfctl.h | 3 +--
17 files changed, 91 insertions(+), 85 deletions(-)
diffs (truncated from 656 to 300 lines):
diff -r 2a0651b6ff0b -r a3862d524816 lib/libnpf/npf.3
--- a/lib/libnpf/npf.3 Sun Jan 15 00:25:33 2012 +0000
+++ b/lib/libnpf/npf.3 Sun Jan 15 00:49:47 2012 +0000
@@ -1,6 +1,6 @@
-.\" $NetBSD: npf.3,v 1.3 2011/03/22 07:28:41 jruoho Exp $
+.\" $NetBSD: npf.3,v 1.4 2012/01/15 00:49:47 rmind Exp $
.\"
-.\" Copyright (c) 2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd March 22, 2011
+.Dd January 14, 2012
.Dt NPF 3
.Os
.Sh NAME
@@ -44,6 +44,8 @@
.Fn npf_config_submit "nl_config_t *ncf" "int fd"
.Ft void
.Fn npf_config_destroy "nl_config_t *ncf"
+.Ft int
+.Fn npf_config_flush "int fd"
.\" ---
.Ft nl_rule_t *
.Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx"
@@ -67,13 +69,13 @@
.Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp"
.\" ---
.Ft nl_nat_t *
-.Fn npf_nat_create "int type" "int flags" "u_int if_idx" \
+.Fn npf_nat_create "int type" "u_int flags" "u_int if_idx" \
"npf_addr_t *addr" "int af" "in_port_t port"
.Ft int
.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri"
.\" ---
.Ft nl_table_t *
-.Fn npf_table_create "int index" "int type"
+.Fn npf_table_create "u_int id" "int type"
.Ft int
.Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
.Ft bool
@@ -84,7 +86,7 @@
.Fn npf_table_destroy "nl_table_t *tl"
.\" ---
.Ft int
-.Fn npf_update_rule "int fd" "char *rname" "nl_rule_t *rl"
+.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
.Ft int
.Fn npf_sessions_send "int fd" "const char *fpath"
.Ft int
@@ -109,6 +111,8 @@
.It Fn npf_config_destroy "ncf"
Destroy the configuration
.Fa ncf .
+.It Fn npf_config_flush "fd"
+Flush the current configuration.
.El
.\" ---
.Ss Rule interface
@@ -247,10 +251,10 @@
.It Fn npf_table_create "index" "type"
Create NPF table of specified type.
The following types are supported:
-.Bl -tag -width "NPF_TABLE_RBTREE "
+.Bl -tag -width "NPF_TABLE_TREE "
.It Dv NPF_TABLE_HASH
Indicates to use hash table for storage.
-.It Dv NPF_TABLE_RBTREE
+.It Dv NPF_TABLE_TREE
Indicates to use red-black tree for storage.
Table is identified by
.Fa index ,
diff -r 2a0651b6ff0b -r a3862d524816 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sun Jan 15 00:25:33 2012 +0000
+++ b/lib/libnpf/npf.c Sun Jan 15 00:49:47 2012 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $ */
+/* $NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $ */
/*-
- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -56,6 +56,7 @@
pri_t ncf_nat_pri;
/* Custom file to externalise property-list. */
const char * ncf_plist;
+ bool ncf_flush;
};
struct nl_rule {
@@ -92,6 +93,7 @@
ncf->ncf_nat_pri = 1;
ncf->ncf_plist = NULL;
+ ncf->ncf_flush = false;
return ncf;
}
@@ -111,6 +113,7 @@
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
+ prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
if (plist) {
if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
@@ -123,6 +126,22 @@
return error;
}
+int
+npf_config_flush(int fd)
+{
+ nl_config_t *ncf;
+ int error;
+
+ ncf = npf_config_create();
+ if (ncf == NULL) {
+ return ENOMEM;
+ }
+ ncf->ncf_flush = true;
+ error = npf_config_submit(ncf, fd);
+ npf_config_destroy(ncf);
+ return error;
+}
+
void
npf_config_destroy(nl_config_t *ncf)
{
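Review bot: The new `npf_config_flush()` carries no comment saying what submitting an empty configuration with `ncf_flush` set means to the kernel, and a reader of lib/libnpf/npf.c cannot tell that from the function body alone. Suggest a short header comment above it: `/* Submit an empty configuration with the "flush" flag set, replacing the live ruleset, tableset and NAT policies; per the commit, all sessions are expired. Returns ENOMEM if the config cannot be created, otherwise the result of npf_config_submit(). */`. The only error the function produces itself is ENOMEM from the `npf_config_create()` check; everything else is whatever `npf_config_submit()` returns, which is worth stating because callers will see the kernel's errno values through it.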
@@ -510,7 +529,6 @@
*/
int
-/*ARGSUSED*/
npf_update_rule(int fd, const char *rname __unused, nl_rule_t *rl)
{
prop_dictionary_t rldict = rl->nrl_dict;
diff -r 2a0651b6ff0b -r a3862d524816 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Sun Jan 15 00:25:33 2012 +0000
+++ b/lib/libnpf/npf.h Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.4 2011/11/26 23:42:27 christos Exp $ */
+/* $NetBSD: npf.h,v 1.5 2012/01/15 00:49:47 rmind Exp $ */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -63,6 +63,7 @@
nl_config_t * npf_config_create(void);
int npf_config_submit(nl_config_t *, int);
void npf_config_destroy(nl_config_t *);
+int npf_config_flush(int);
#ifdef _NPF_PRIVATE
void _npf_config_setsubmit(nl_config_t *, const char *);
#endif
diff -r 2a0651b6ff0b -r a3862d524816 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf.c Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $ */
+/* $NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -285,9 +285,6 @@
/* Unlock. Everything goes "live" now. */
rw_exit(&npf_lock);
- /* Turn on/off session tracking accordingly. */
- npf_session_tracking(true);
-
if (onc) {
/* Destroy unloaded structures. */
npf_core_destroy(onc);
diff -r 2a0651b6ff0b -r a3862d524816 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf.h Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.11 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.12 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -248,7 +248,7 @@
/* Table types. */
#define NPF_TABLE_HASH 1
-#define NPF_TABLE_RBTREE 2
+#define NPF_TABLE_TREE 2
/* Layers. */
#define NPF_LAYER_2 2
diff -r 2a0651b6ff0b -r a3862d524816 sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_ctl.c Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -376,6 +376,7 @@
npf_ruleset_t *rlset = NULL;
npf_ruleset_t *nset = NULL;
prop_dictionary_t dict;
+ bool flush;
int error;
/* Retrieve the dictionary. */
@@ -413,12 +414,18 @@
goto fail;
}
+ flush = false;
+ prop_dictionary_get_bool(dict, "flush", &flush);
+
/*
* Finally - reload ruleset, tableset and NAT policies.
* Operation will be performed as a single transaction.
*/
npf_reload(rlset, tblset, nset);
+ /* Turn on/off session tracking accordingly. */
+ npf_session_tracking(!flush);
+
/* Done. Since data is consumed now, we shall not destroy it. */
tblset = NULL;
rlset = NULL;
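Review bot: The `flush` flag is read only after the ruleset, tableset and NAT policies from the same dictionary have already been built, so a dictionary that carries `flush` together with a non-empty configuration is loaded and then has session tracking switched off; if that combination is not meant to be accepted, the flag should be checked before the lists are consumed, otherwise the accepted semantics deserve a comment at the `prop_dictionary_get_bool` call. The pre-set `flush = false` is what makes an absent or non-boolean key safe, and that intent is worth writing down: `/* Absent or non-boolean "flush" leaves the flag false: no session expiry. */`. Whether `npf_session_tracking(false)` actually expires existing sessions is not visible in this hunk; the commit description says it does. The enclosing function starts and ends outside the hunk.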
diff -r 2a0651b6ff0b -r a3862d524816 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_handler.c Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -156,6 +156,7 @@
rlset = npf_core_ruleset();
rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
if (rl == NULL) {
+ npf_core_exit();
if (default_pass) {
npf_stats_inc(NPF_STAT_PASS_DEFAULT);
goto pass;
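Review bot: The added `npf_core_exit()` releases the core before the `rl == NULL` branch decides between default pass and block, which is sound here because `rl` is NULL and `rlset` is not needed, but the rest of that branch and its `goto` targets run outside the hunk and must neither touch `rlset` nor release the core a second time — worth confirming where `pass:` and the block path end up. Suggest a comment on the new line so the asymmetry is visible at a glance: `/* Release the core: rl is NULL, so rlset is not used below. */`. The enclosing function starts and ends outside the hunk.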
diff -r 2a0651b6ff0b -r a3862d524816 sys/net/npf/npf_instr.c
--- a/sys/net/npf/npf_instr.c Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_instr.c Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/