[src/netbsd-6]: src Pull up revisions:
details: https://anonhg.NetBSD.org/src/rev/0666b7b2f412
branches: netbsd-6
changeset: 774359:0666b7b2f412
user: jdc <jdc%NetBSD.org@localhost>
date: Wed Jul 25 20:45:23 2012 +0000
description:
Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).
Add missing __dead.
teach npf ipv6-icmp
reviewed by rmind@
- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.
- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
diffstat:
sys/net/npf/npf.h | 10 +-
sys/net/npf/npf_alg_icmp.c | 139 ++++++++++++++------
sys/net/npf/npf_impl.h | 3 +-
sys/net/npf/npf_inet.c | 15 +-
sys/net/npf/npf_instr.c | 35 ++++-
sys/net/npf/npf_ncode.h | 13 +-
sys/net/npf/npf_processor.c | 10 +-
sys/net/npf/npf_session.c | 27 +++-
sys/net/npf/npf_state.c | 5 +-
sys/net/npf/npf_state_tcp.c | 20 +-
usr.sbin/npf/npfctl/npf_build.c | 19 ++-
usr.sbin/npf/npfctl/npf_data.c | 160 +++++++++++++++++------
usr.sbin/npf/npfctl/npf_disassemble.c | 6 +-
usr.sbin/npf/npfctl/npf_ncgen.c | 24 +++-
usr.sbin/npf/npfctl/npf_parse.y | 24 ++-
usr.sbin/npf/npfctl/npf_scan.l | 6 +-
usr.sbin/npf/npfctl/npf_var.h | 5 +-
usr.sbin/npf/npfctl/npfctl.c | 92 ++++++++-----
usr.sbin/npf/npfctl/npfctl.h | 11 +-
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c | 4 +-
usr.sbin/npf/npftest/npfstream.c | 13 +-
21 files changed, 450 insertions(+), 191 deletions(-)
diffs (truncated from 1229 to 300 lines):
diff -r fb0b10f3f2c1 -r 0666b7b2f412 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Wed Jul 25 20:33:28 2012 +0000
+++ b/sys/net/npf/npf.h Wed Jul 25 20:45:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.5 2012/07/16 22:13:26 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.6 2012/07/25 20:45:23 jdc Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -74,6 +74,7 @@
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
+#include <netinet/icmp6.h>
#define NPC_IP4 0x01 /* Indicates fetched IPv4 header. */
#define NPC_IP6 0x02 /* Indicates IPv6 header. */
@@ -104,9 +105,10 @@
} npc_ip;
/* TCP, UDP, ICMP. */
union {
- struct tcphdr tcp;
- struct udphdr udp;
- struct icmp icmp;
+ struct tcphdr tcp;
+ struct udphdr udp;
+ struct icmp icmp;
+ struct icmp6_hdr icmp6;
} npc_l4;
} npf_cache_t;
diff -r fb0b10f3f2c1 -r 0666b7b2f412 sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Wed Jul 25 20:33:28 2012 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Wed Jul 25 20:45:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.8.4.2 2012/07/16 22:13:26 riz Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.8.4.3 2012/07/25 20:45:23 jdc Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.2 2012/07/16 22:13:26 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.3 2012/07/25 20:45:23 jdc Exp $");
#include <sys/param.h>
#include <sys/module.h>
@@ -46,6 +46,7 @@
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
+#include <netinet/icmp6.h>
#include <net/pfil.h>
#include "npf_impl.h"
@@ -156,54 +157,102 @@
static bool
npf_icmp_uniqid(const int type, npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr)
{
- struct icmp *ic;
- u_int offby;
+ struct icmp *ic;
+ struct icmp6_hdr *ic6;
+ u_int offby;
- /* Per RFC 792. */
- switch (type) {
- case ICMP_UNREACH:
- case ICMP_SOURCEQUENCH:
- case ICMP_REDIRECT:
- case ICMP_TIMXCEED:
- case ICMP_PARAMPROB:
- /* Should contain original IP header. */
- offby = offsetof(struct icmp, icmp_ip);
- if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL) {
- return false;
- }
- /* Fetch into the cache. */
- if (!npf_fetch_ip(npc, nbuf, n_ptr)) {
- return false;
+ if (npf_iscached(npc, NPC_IP4)) {
+ /* Per RFC 792. */
+ switch (type) {
+ case ICMP_UNREACH:
+ case ICMP_SOURCEQUENCH:
+ case ICMP_REDIRECT:
+ case ICMP_TIMXCEED:
+ case ICMP_PARAMPROB:
+ /* Should contain original IP header. */
+ offby = offsetof(struct icmp, icmp_ip);
+ if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL) {
+ return false;
+ }
+ /* Fetch into the cache. */
+ if (!npf_fetch_ip(npc, nbuf, n_ptr)) {
+ return false;
+ }
+ switch (npf_cache_ipproto(npc)) {
+ case IPPROTO_TCP:
+ return npf_fetch_tcp(npc, nbuf, n_ptr);
+ case IPPROTO_UDP:
+ return npf_fetch_udp(npc, nbuf, n_ptr);
+ default:
+ return false;
+ }
+ return true;
+
+ case ICMP_ECHOREPLY:
+ case ICMP_ECHO:
+ case ICMP_TSTAMP:
+ case ICMP_TSTAMPREPLY:
+ case ICMP_IREQ:
+ case ICMP_IREQREPLY:
+ /* Should contain ICMP query ID. */
+ ic = &npc->npc_l4.icmp;
+ offby = offsetof(struct icmp, icmp_id);
+ if (nbuf_advfetch(&nbuf, &n_ptr, offby,
+ sizeof(uint16_t), &ic->icmp_id)) {
+ return false;
+ }
+ npc->npc_info |= NPC_ICMP_ID;
+ return true;
+ default:
+ break;
}
- switch (npf_cache_ipproto(npc)) {
- case IPPROTO_TCP:
- return npf_fetch_tcp(npc, nbuf, n_ptr);
- case IPPROTO_UDP:
- return npf_fetch_udp(npc, nbuf, n_ptr);
- default:
- return false;
- }
- return true;
+ /* No unique IDs. */
+ return false;
+ }
+ if (npf_iscached(npc, NPC_IP6)) {
+ switch (type) {
+ /* Per RFC 4443. */
+ case ICMP6_DST_UNREACH:
+ case ICMP6_PACKET_TOO_BIG:
+ case ICMP6_TIME_EXCEEDED:
+ case ICMP6_PARAM_PROB:
+ /* Should contain original IP header. */
+ offby = sizeof(struct icmp6_hdr);
+ if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL) {
+ return false;
+ }
+ /* Fetch into the cache. */
+ if (!npf_fetch_ip(npc, nbuf, n_ptr)) {
+ return false;
+ }
+ switch (npf_cache_ipproto(npc)) {
+ case IPPROTO_TCP:
+ return npf_fetch_tcp(npc, nbuf, n_ptr);
+ case IPPROTO_UDP:
+ return npf_fetch_udp(npc, nbuf, n_ptr);
+ default:
+ return false;
+ }
+ return true;
- case ICMP_ECHOREPLY:
- case ICMP_ECHO:
- case ICMP_TSTAMP:
- case ICMP_TSTAMPREPLY:
- case ICMP_IREQ:
- case ICMP_IREQREPLY:
- /* Should contain ICMP query ID. */
- ic = &npc->npc_l4.icmp;
- offby = offsetof(struct icmp, icmp_id);
- if (nbuf_advfetch(&nbuf, &n_ptr, offby,
- sizeof(uint16_t), &ic->icmp_id)) {
- return false;
+ case ICMP6_ECHO_REQUEST:
+ case ICMP6_ECHO_REPLY:
+ /* Should contain ICMP query ID. */
+ ic6 = &npc->npc_l4.icmp6;
+ offby = offsetof(struct icmp6_hdr, icmp6_id);
+ if (nbuf_advfetch(&nbuf, &n_ptr, offby,
+ sizeof(uint16_t), &ic6->icmp6_id)) {
+ return false;
+ }
+ npc->npc_info |= NPC_ICMP_ID;
+ return true;
+ default:
+ break;
}
- npc->npc_info |= NPC_ICMP_ID;
- return true;
- default:
- break;
+ /* No unique IDs. */
+ return false;
}
- /* No unique IDs. */
+ /* Whatever protocol that may have been ... */
return false;
}
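Review bot: The new `npf_iscached(npc, NPC_IP4)` / `npf_iscached(npc, NPC_IP6)` dispatch reads the address family from the same `npc` that `npf_fetch_ip()` then fills from the header embedded in the ICMP error, so the function now depends on the caller having set a family flag on that cache beforehand. The caller is outside this hunk; if it passes a separate, empty key cache, both tests fail and every packet reaches the final `return false`, which would silently stop ICMP errors and queries from being matched to sessions. I would state the precondition above the function, e.g. `/* npc must already carry NPC_IP4 or NPC_IP6 for the outer packet; the embedded header is fetched into it below. */`, or pass the family in explicitly. Separately, the `return true;` after each inner `switch (npf_cache_ipproto(npc))` is unreachable because every case returns.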
diff -r fb0b10f3f2c1 -r 0666b7b2f412 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Wed Jul 25 20:33:28 2012 +0000
+++ b/sys/net/npf/npf_impl.h Wed Jul 25 20:45:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.10.2.5 2012/07/16 22:13:27 riz Exp $ */
+/* $NetBSD: npf_impl.h,v 1.10.2.6 2012/07/25 20:45:23 jdc Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -208,6 +208,7 @@
int npf_match_udp_ports(npf_cache_t *, nbuf_t *, void *,
const int, const uint32_t);
int npf_match_icmp4(npf_cache_t *, nbuf_t *, void *, uint32_t);
+int npf_match_icmp6(npf_cache_t *, nbuf_t *, void *, uint32_t);
int npf_match_tcpfl(npf_cache_t *, nbuf_t *, void *, uint32_t);
/* Tableset interface. */
diff -r fb0b10f3f2c1 -r 0666b7b2f412 sys/net/npf/npf_inet.c
--- a/sys/net/npf/npf_inet.c Wed Jul 25 20:33:28 2012 +0000
+++ b/sys/net/npf/npf_inet.c Wed Jul 25 20:45:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_inet.c,v 1.10.4.4 2012/07/16 22:13:25 riz Exp $ */
+/* $NetBSD: npf_inet.c,v 1.10.4.5 2012/07/25 20:45:23 jdc Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.10.4.4 2012/07/16 22:13:25 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.10.4.5 2012/07/25 20:45:23 jdc Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -277,7 +277,7 @@
if (nbuf_advfetch(&nbuf, &n_ptr, 1, sizeof(val), &val)) {
return false;
}
- if (val < 2 || val >= topts_len) {
+ if (val < 2 || val > topts_len) {
return false;
}
topts_len -= val;
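Review bot: The corrected bound `val > topts_len` carries no comment, and the difference from the old `>=` is easy to revert by accident. A line above the check such as `/* An option may end exactly at the end of the options area; only a length beyond the remaining bytes is invalid. */` would record why equality is accepted. Since `val` comes from the packet, it is also worth confirming that the code after `topts_len -= val` (outside this hunk) stops when `topts_len` reaches zero rather than reading another option byte. The enclosing function starts and ends outside the hunk.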
@@ -463,14 +463,18 @@
if (!npf_iscached(npc, NPC_IP46) && !npf_fetch_ip(npc, nbuf, n_ptr)) {
return false;
}
- if (npf_cache_ipproto(npc) != IPPROTO_ICMP) {
+ if (npf_cache_ipproto(npc) != IPPROTO_ICMP &&
+ npf_cache_ipproto(npc) != IPPROTO_ICMPV6) {
return false;
}
ic = &npc->npc_l4.icmp;
hlen = npf_cache_hlen(npc);
/* Fetch basic ICMP header, up to the "data" point. */
- iclen = offsetof(struct icmp, icmp_data);
+ CTASSERT(offsetof(struct icmp, icmp_void) ==
+ offsetof(struct icmp6_hdr, icmp6_data32));
+
+ iclen = offsetof(struct icmp, icmp_void);
if (nbuf_advfetch(&nbuf, &n_ptr, hlen, iclen, ic)) {
return false;
}
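Review bot: The widened protocol test accepts `IPPROTO_ICMP` or `IPPROTO_ICMPV6` without tying either to the address family already in the cache, so an IPv4 packet carrying the ICMPv6 protocol number (or an IPv6 packet carrying the ICMPv4 one) passes this check and is fetched as an ICMP header. npf_icmp_uniqid in this same commit picks the ICMP type numbering by address family, so such a packet's type byte would presumably be read under the wrong numbering. Pairing the checks would close that, e.g. `if (!(npf_iscached(npc, NPC_IP4) && proto == IPPROTO_ICMP) && !(npf_iscached(npc, NPC_IP6) && proto == IPPROTO_ICMPV6)) return false;` with `proto` holding `npf_cache_ipproto(npc)`. The same applies to the `case IPPROTO_ICMPV6:` label added in the next hunk, and the function body starts and ends outside this hunk.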
@@ -503,6 +507,7 @@
(void)npf_fetch_udp(npc, nbuf, n_ptr);
break;
case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
(void)npf_fetch_icmp(npc, nbuf, n_ptr);
break;
}
diff -r fb0b10f3f2c1 -r 0666b7b2f412 sys/net/npf/npf_instr.c
--- a/sys/net/npf/npf_instr.c Wed Jul 25 20:33:28 2012 +0000
+++ b/sys/net/npf/npf_instr.c Wed Jul 25 20:45:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_instr.c,v 1.9.2.4 2012/07/16 22:13:26 riz Exp $ */
+/* $NetBSD: npf_instr.c,v 1.9.2.5 2012/07/25 20:45:23 jdc Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.9.2.4 2012/07/16 22:13:26 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.9.2.5 2012/07/25 20:45:23 jdc Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -237,6 +237,37 @@
}
/*
+ * npf_match_icmp6: match ICMPv6 packet.
+ */