

[src/trunk]: src/sys - Split NPF rule procedure code into a separate module (...



details:   https://anonhg.NetBSD.org/src/rev/b29b720a6a8d
branches:  trunk
changeset: 773572:b29b720a6a8d
user:      rmind <rmind%NetBSD.org@localhost>
date:      Mon Feb 06 23:30:14 2012 +0000

description:
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments and some asserts.
- G/C unused rule hook code.

diffstat:

 sys/modules/npf/Makefile  |    6 +-
 sys/net/npf/files.npf     |    3 +-
 sys/net/npf/npf.h         |   11 +--
 sys/net/npf/npf_handler.c |   62 +++++++++------
 sys/net/npf/npf_impl.h    |    5 +-
 sys/net/npf/npf_rproc.c   |  133 ++++++++++++++++++++++++++++++++++
 sys/net/npf/npf_ruleset.c |  178 +++++----------------------------------------
 7 files changed, 198 insertions(+), 200 deletions(-)

diffs (truncated from 626 to 300 lines):

diff -r ce083acd4661 -r b29b720a6a8d sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile  Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/modules/npf/Makefile  Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.8 2011/11/29 20:05:30 rmind Exp $
+# $NetBSD: Makefile,v 1.9 2012/02/06 23:30:14 rmind Exp $
 
 .include "../Makefile.inc"
 
@@ -8,8 +8,8 @@
 
 SRCS=          npf.c npf_alg.c npf_ctl.c npf_handler.c
 SRCS+=         npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
-SRCS+=         npf_processor.c npf_ruleset.c npf_sendpkt.c npf_session.c
-SRCS+=         npf_state.c npf_state_tcp.c npf_tableset.c
+SRCS+=         npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
+SRCS+=         npf_session.c npf_state.c npf_state_tcp.c npf_tableset.c
 
 CPPFLAGS+=     -DINET6
 
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/files.npf
--- a/sys/net/npf/files.npf     Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/files.npf     Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.5 2011/11/29 20:05:30 rmind Exp $
+# $NetBSD: files.npf,v 1.6 2012/02/06 23:30:14 rmind Exp $
 #
 # Public Domain.
 #
@@ -17,6 +17,7 @@
 file   net/npf/npf_mbuf.c                      npf
 file   net/npf/npf_processor.c                 npf
 file   net/npf/npf_ruleset.c                   npf
+file   net/npf/npf_rproc.c                     npf
 file   net/npf/npf_tableset.c                  npf
 file   net/npf/npf_inet.c                      npf
 file   net/npf/npf_session.c                   npf
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/npf.h Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.13 2012/02/05 00:37:13 rmind Exp $   */
+/*     $NetBSD: npf.h,v 1.14 2012/02/06 23:30:14 rmind Exp $   */
 
 /*-
  * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -68,10 +68,7 @@
 typedef void                   nbuf_t;
 
 struct npf_rproc;
-struct npf_hook;
-
 typedef struct npf_rproc       npf_rproc_t;
-typedef struct npf_hook                npf_hook_t;
 
 /*
  * Packet information cache.
@@ -215,12 +212,6 @@
 int            nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
 int            nbuf_find_tag(nbuf_t *, uint32_t, void **);
 
-#if 0
-npf_hook_t *   npf_hook_register(npf_rule_t *,
-                   void (*)(npf_cache_t *, nbuf_t *, void *), void *);
-void           npf_hook_unregister(npf_rule_t *, npf_hook_t *);
-#endif
-
 #endif /* _KERNEL */
 
 /* Rule attributes. */
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/npf_handler.c Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $   */
+/*     $NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $   */
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -166,9 +166,12 @@
                goto block;
        }
 
-       /* Get rule procedure for assocation and/or execution. */
+       /*
+        * Get the rule procedure (acquires a reference) for assocation
+        * with a session (if any) and execution.
+        */
        KASSERT(rp == NULL);
-       rp = npf_rproc_return(rl);
+       rp = npf_rule_getrproc(rl);
 
        /* Apply the rule, release the lock. */
        error = npf_rule_apply(&npc, nbuf, rl, &retfl);
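Review bot: The new comment above `rp = npf_rule_getrproc(rl);` misspells "association" as "assocation", and it says a reference is acquired without saying who owns it from here on; a maintainer reading only this spot cannot tell whether the reference must be dropped on every exit path. I would extend it to: `* Get the rule procedure (acquires a reference) for association with a session, if one is established, and for execution. The reference is owned by this function until it is handed to the session or released at out:.` The ownership claim should be confirmed against npf_rule_getrproc() in npf_ruleset.c, which is not visible in this hunk. The enclosing handler starts before and ends after this hunk.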
@@ -185,6 +188,10 @@
                        error = ENOMEM;
                        goto out;
                }
+               /*
+                * Note: the reference to the rule procedure is transfered to
+                * the session.  It will be released on session destruction.
+                */
                npf_session_setpass(se, rp);
        }
 pass:
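Review bot: The added comment misspells "transferred" as "transfered", and it could note that the local `rp` stays in use after the transfer (it is still passed to npf_rproc_run() further down), which is why it is not cleared here. Suggested wording: `* Note: the reference to the rule procedure is transferred to the session and released on session destruction; rp remains valid for npf_rproc_run() below.` The condition that leads into this block and the enclosing function both lie outside the hunk.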
@@ -195,44 +202,47 @@
        error = npf_do_nat(&npc, se, nbuf, ifp, di);
 block:
        /*
-        * Perform rule procedure, if any.
+        * Execute rule procedure, if any.
         */
        if (rp) {
                npf_rproc_run(&npc, nbuf, rp, error);
        }
 out:
-       /* Release the reference on session, or rule procedure. */
+       /*
+        * Release the reference on a session.  Release the reference on a
+        * rule procedure only if there was no association.
+        */
        if (se) {
                npf_session_release(se);
        } else if (rp) {
-               npf_rproc_release(rp); /* XXXkmem */
+               npf_rproc_release(rp);
        }
 
-       /*
-        * If error is set - drop the packet.
-        * Normally, ENETUNREACH is used for "block".
-        */
-       if (error) {
-               /*
-                * Depending on flags and protocol, return TCP reset (RST)
-                * or ICMP destination unreachable
-                */
-               if (retfl) {
-                       npf_return_block(&npc, nbuf, retfl);
-               }
-               if (error != ENETUNREACH) {
-                       NPF_PRINTF(("NPF: error in handler '%d'\n", error));
-                       npf_stats_inc(NPF_STAT_ERROR);
-               }
-               m_freem(*mp);
-               *mp = NULL;
-       } else {
+       /* Pass the packet, if no error. */
+       if (!error) {
                /*
                 * XXX: Disable for now, it will be set accordingly later,
                 * for optimisations (to reduce inspection).
                 */
                (*mp)->m_flags &= ~M_CANFASTFWD;
+               return 0;
        }
+
+       /*
+        * Block the packet.  ENETUNREACH is used to indicate blocking.
+        * Depending on the flags and protocol, return TCP reset (RST) or
+        * ICMP destination unreachable.
+        */
+       if (retfl) {
+               npf_return_block(&npc, nbuf, retfl);
+       }
+       if (error != ENETUNREACH) {
+               NPF_PRINTF(("NPF: error in handler '%d'\n", error));
+               npf_stats_inc(NPF_STAT_ERROR);
+       }
+       m_freem(*mp);
+       *mp = NULL;
+
        return error;
 }
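Review bot: The release logic at `out:` infers that the rproc reference was handed to the session from `se` being non-NULL, but `se` can also be set by the session lookup earlier in the function (outside this hunk); if any path from a found-but-not-passing session still reaches the ruleset and npf_rule_getrproc() without calling npf_session_setpass(), the reference taken on `rp` is never dropped, and conversely an `rp` that was handed over must not be released here. Whether such a path exists cannot be confirmed from the hunk, so the ownership should be tracked explicitly instead of inferred from `se`: declare `bool rp_owned = true;` with the other locals, set `rp_owned = false;` immediately after `npf_session_setpass(se, rp);`, and replace the `else if (rp)` branch with an independent `if (rp && rp_owned) npf_rproc_release(rp);`. Clearing `rp` at setpass time is not an alternative, because `npf_rproc_run(&npc, nbuf, rp, error)` on the block path still needs it. The enclosing function starts before this hunk.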
 
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h    Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/npf_impl.h    Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_impl.h,v 1.9 2011/11/29 20:05:30 rmind Exp $       */
+/*     $NetBSD: npf_impl.h,v 1.10 2012/02/06 23:30:14 rmind Exp $      */
 
 /*-
  * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -226,9 +226,10 @@
 npf_ruleset_t *        npf_rule_subset(npf_rule_t *);
 npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
 void           npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
+npf_rproc_t *  npf_rule_getrproc(npf_rule_t *);
 
 npf_rproc_t *  npf_rproc_create(prop_dictionary_t);
-npf_rproc_t *  npf_rproc_return(npf_rule_t *);
+void           npf_rproc_acquire(npf_rproc_t *);
 void           npf_rproc_release(npf_rproc_t *);
 void           npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int);
 
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf_rproc.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/net/npf/npf_rproc.c   Mon Feb 06 23:30:14 2012 +0000
@@ -0,0 +1,133 @@
+/*     $NetBSD: npf_rproc.c,v 1.1 2012/02/06 23:30:14 rmind Exp $      */
+
+/*-
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This material is based upon work partially supported by The
+ * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * NPF rule procedure interface.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD");
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+
+#include <sys/atomic.h>
+#include <sys/kmem.h>
+#include <sys/types.h>
+
+#include "npf_impl.h"
+
+#define        NPF_RNAME_LEN           16
+
+/* Rule procedure structure. */
+struct npf_rproc {
+       /* Name. */
+       char                    rp_name[NPF_RNAME_LEN];
+       /* Reference count. */
+       u_int                   rp_refcnt;
+       uint32_t                rp_flags;
+       /* Normalisation options. */
+       bool                    rp_rnd_ipid;
+       bool                    rp_no_df;
+       u_int                   rp_minttl;
+       u_int                   rp_maxmss;
+       /* Logging interface. */
+       u_int                   rp_log_ifid;
+};
+
+npf_rproc_t *
+npf_rproc_create(prop_dictionary_t rpdict)
+{
+       npf_rproc_t *rp;
+       const char *rname;
+
+       rp = kmem_zalloc(sizeof(npf_rproc_t), KM_SLEEP);
+       rp->rp_refcnt = 1;
+
+       /* Name and flags. */
+       prop_dictionary_get_cstring_nocopy(rpdict, "name", &rname);
+       strlcpy(rp->rp_name, rname, NPF_RNAME_LEN);
+       prop_dictionary_get_uint32(rpdict, "flags", &rp->rp_flags);
+
+       /* Logging interface ID (integer). */
+       prop_dictionary_get_uint32(rpdict, "log-interface", &rp->rp_log_ifid);
+
+       /* IP ID randomisation and IP_DF flag cleansing. */
+       prop_dictionary_get_bool(rpdict, "randomize-id", &rp->rp_rnd_ipid);
+       prop_dictionary_get_bool(rpdict, "no-df", &rp->rp_no_df);
+
+       /* Minimum IP TTL and maximum TCP MSS. */
+       prop_dictionary_get_uint32(rpdict, "min-ttl", &rp->rp_minttl);
+       prop_dictionary_get_uint32(rpdict, "max-mss", &rp->rp_maxmss);
+
+       return rp;


