Source-Changes-HG archive
[src/trunk]: src Import NPF - a packet filter. Some features:
details: https://anonhg.NetBSD.org/src/rev/a6ad47b63237
branches: trunk
changeset: 757277:a6ad47b63237
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Aug 22 18:56:18 2010 +0000
description:
Import NPF - a packet filter. Some features:
- Designed to be fully MP-safe and highly efficient.
- Tables/IP sets (hash or red-black tree) for high performance lookups.
- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).
- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.
- Convenient userland utility npfctl(8) with npf.conf(8).
NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.
Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
diffstat:
distrib/sets/lists/base/mi | 3 +-
distrib/sets/lists/comp/mi | 8 +-
distrib/sets/lists/man/mi | 8 +-
etc/MAKEDEV.tmpl | 9 +-
etc/Makefile | 4 +-
share/man/man9/Makefile | 4 +-
share/man/man9/npf_ncode.9 | 259 +++++++++++
share/mk/bsd.README | 5 +-
share/mk/bsd.own.mk | 3 +-
sys/arch/amd64/conf/GENERIC | 7 +-
sys/arch/i386/conf/ALL | 7 +-
sys/arch/i386/conf/GENERIC | 7 +-
sys/arch/i386/conf/MONOLITHIC | 5 +-
sys/conf/files | 6 +-
sys/conf/majors | 3 +-
sys/modules/npf/Makefile | 13 +
sys/net/Makefile | 4 +-
sys/net/npf/Makefile | 9 +
sys/net/npf/files.npf | 23 +
sys/net/npf/npf.c | 216 +++++++++
sys/net/npf/npf.h | 179 ++++++++
sys/net/npf/npf_alg.c | 168 +++++++
sys/net/npf/npf_alg_icmp.c | 341 +++++++++++++++
sys/net/npf/npf_ctl.c | 485 ++++++++++++++++++++++
sys/net/npf/npf_handler.c | 206 +++++++++
sys/net/npf/npf_impl.h | 214 +++++++++
sys/net/npf/npf_inet.c | 410 ++++++++++++++++++
sys/net/npf/npf_instr.c | 209 +++++++++
sys/net/npf/npf_mbuf.c | 227 ++++++++++
sys/net/npf/npf_nat.c | 550 +++++++++++++++++++++++++
sys/net/npf/npf_ncode.h | 107 ++++
sys/net/npf/npf_processor.c | 533 ++++++++++++++++++++++++
sys/net/npf/npf_ruleset.c | 467 +++++++++++++++++++++
sys/net/npf/npf_session.c | 843 +++++++++++++++++++++++++++++++++++++++
sys/net/npf/npf_tableset.c | 559 +++++++++++++++++++++++++
usr.sbin/Makefile | 7 +-
usr.sbin/npf/Makefile | 5 +
usr.sbin/npf/Makefile.inc | 7 +
usr.sbin/npf/npfctl/Makefile | 14 +
usr.sbin/npf/npfctl/npf.conf.8 | 169 +++++++
usr.sbin/npf/npfctl/npf_data.c | 579 ++++++++++++++++++++++++++
usr.sbin/npf/npfctl/npf_ncgen.c | 218 ++++++++++
usr.sbin/npf/npfctl/npf_parser.c | 621 ++++++++++++++++++++++++++++
usr.sbin/npf/npfctl/npfctl.8 | 123 +++++
usr.sbin/npf/npfctl/npfctl.c | 229 ++++++++++
usr.sbin/npf/npfctl/npfctl.h | 109 +++++
46 files changed, 8158 insertions(+), 24 deletions(-)
diffs (truncated from 8608 to 300 lines):
diff -r f58b12cddabb -r a6ad47b63237 distrib/sets/lists/base/mi
--- a/distrib/sets/lists/base/mi Sun Aug 22 18:01:01 2010 +0000
+++ b/distrib/sets/lists/base/mi Sun Aug 22 18:56:18 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.879 2010/08/21 06:38:59 christos Exp $
+# $NetBSD: mi,v 1.880 2010/08/22 18:56:18 rmind Exp $
#
# Note: Don't delete entries from here - mark them as "obsolete" instead,
# unless otherwise stated below.
@@ -1239,6 +1239,7 @@
./usr/sbin/netgroup_mkdb base-nis-bin
./usr/sbin/nfsd base-nfsserver-bin
./usr/sbin/nfsiod base-obsolete obsolete
+./usr/sbin/npfctl base-npf-bin npf
./usr/sbin/nslookup base-obsolete obsolete
./usr/sbin/nsquery base-obsolete obsolete
./usr/sbin/nstest base-obsolete obsolete
diff -r f58b12cddabb -r a6ad47b63237 distrib/sets/lists/comp/mi
--- a/distrib/sets/lists/comp/mi Sun Aug 22 18:01:01 2010 +0000
+++ b/distrib/sets/lists/comp/mi Sun Aug 22 18:56:18 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1498 2010/08/21 10:32:35 jruoho Exp $
+# $NetBSD: mi,v 1.1499 2010/08/22 18:56:19 rmind Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -1474,6 +1474,8 @@
./usr/include/net/if_vlanvar.h comp-c-include
./usr/include/net/net_stats.h comp-c-include
./usr/include/net/netisr.h comp-c-include
+./usr/include/net/npf.h comp-npf-include npf
+./usr/include/net/npf_ncode.h comp-npf-include npf
./usr/include/net/pfil.h comp-c-include
./usr/include/net/pfkeyv2.h comp-c-include
./usr/include/net/pfvar.h comp-c-include
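Review bot: installing npf_ncode.h under /usr/include/net makes the n-code word format a userland-visible interface, and usr.sbin/npf/npfctl/npf_ncgen.c (in the diffstat) will emit code against it; since the commit message says the instruction set is still being worked on, consider a version or magic word at the start of an n-code block so a kernel with a changed instruction set rejects stale npfctl output in npf_ncode_validate() instead of misinterpreting it.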
@@ -3632,6 +3634,7 @@
./usr/libdata/debug/usr/sbin/ndp.debug comp-netutil-debug inet6,debug
./usr/libdata/debug/usr/sbin/netgroup_mkdb.debug comp-nis-debug debug
./usr/libdata/debug/usr/sbin/nfsd.debug comp-nfsserver-debug debug
+./usr/libdata/debug/usr/sbin/npfctl.debug comp-npf-debug npf,debug
./usr/libdata/debug/usr/sbin/ntp-keygen.debug comp-ntp-debug crypto,debug
./usr/libdata/debug/usr/sbin/ntpd.debug comp-ntp-debug debug
./usr/libdata/debug/usr/sbin/ntpdate.debug comp-ntp-debug debug
@@ -9406,6 +9409,7 @@
./usr/share/man/cat9/nanouptime.0 comp-sys-catman .cat
./usr/share/man/cat9/need_resched.0 comp-obsolete obsolete
./usr/share/man/cat9/nextrunqueue.0 comp-obsolete obsolete
+./usr/share/man/cat9/npf_ncode.0 comp-sys-catman .cat
./usr/share/man/cat9/nullop.0 comp-sys-catman .cat
./usr/share/man/cat9/old_sysctl.0 comp-sys-catman .cat
./usr/share/man/cat9/opencrypto.0 comp-sys-catman .cat
@@ -15209,6 +15213,7 @@
./usr/share/man/html9/namei.html comp-sys-htmlman html
./usr/share/man/html9/nanotime.html comp-sys-htmlman html
./usr/share/man/html9/nanouptime.html comp-sys-htmlman html
+./usr/share/man/html9/npf_ncode.html comp-sys-htmlman html
./usr/share/man/html9/nullop.html comp-sys-htmlman html
./usr/share/man/html9/old_sysctl.html comp-sys-htmlman html
./usr/share/man/html9/opencrypto.html comp-sys-htmlman html
@@ -21179,6 +21184,7 @@
./usr/share/man/man9/nanouptime.9 comp-sys-man .man
./usr/share/man/man9/need_resched.9 comp-obsolete obsolete
./usr/share/man/man9/nextrunqueue.9 comp-obsolete obsolete
+./usr/share/man/man9/npf_ncode.9 comp-sys-man .man
./usr/share/man/man9/nullop.9 comp-sys-man .man
./usr/share/man/man9/old_sysctl.9 comp-sys-man .man
./usr/share/man/man9/opencrypto.9 comp-sys-man .man
diff -r f58b12cddabb -r a6ad47b63237 distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Sun Aug 22 18:01:01 2010 +0000
+++ b/distrib/sets/lists/man/mi Sun Aug 22 18:56:18 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1233 2010/08/06 17:00:12 jruoho Exp $
+# $NetBSD: mi,v 1.1234 2010/08/22 18:56:20 rmind Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -2419,6 +2419,8 @@
./usr/share/man/cat8/nfsiod.0 man-obsolete obsolete
./usr/share/man/cat8/nis.0 man-nis-catman .cat
./usr/share/man/cat8/nologin.0 man-sysutil-catman .cat
+./usr/share/man/cat8/npf.conf.0 man-npf-catman .cat
+./usr/share/man/cat8/npfctl.0 man-npf-catman .cat
./usr/share/man/cat8/nqmgr.0 man-obsolete obsolete
./usr/share/man/cat8/nslookup.0 man-netutil-catman .cat
./usr/share/man/cat8/nsupdate.0 man-obsolete obsolete
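Review bot: these two entries carry only the `.cat` flag, while the matching binary in distrib/sets/lists/base/mi is tagged `base-npf-bin npf`; if the pages are built from usr.sbin/npf, which an MKNPF=no build presumably skips, the set-list check will report them missing on such builds. Either tag them `man-npf-catman npf,.cat` or make sure the pages are built unconditionally; the same applies to the html8 and man8 hunks below.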
@@ -4876,6 +4878,8 @@
./usr/share/man/html8/nfsd.html man-nfsserver-htmlman html
./usr/share/man/html8/nis.html man-nis-htmlman html
./usr/share/man/html8/nologin.html man-sysutil-htmlman html
+./usr/share/man/html8/npf.conf.html man-npf-htmlman html
+./usr/share/man/html8/npfctl.html man-npf-htmlman html
./usr/share/man/html8/nslookup.html man-netutil-htmlman html
./usr/share/man/html8/nsupdate.html man-obsolete obsolete
./usr/share/man/html8/ntalkd.html man-netutil-htmlman html
@@ -7555,6 +7559,8 @@
./usr/share/man/man8/nfsiod.8 man-obsolete obsolete
./usr/share/man/man8/nis.8 man-nis-man .man
./usr/share/man/man8/nologin.8 man-sysutil-man .man
+./usr/share/man/man8/npf.conf.8 man-npf-man .man
+./usr/share/man/man8/npfctl.8 man-npf-man .man
./usr/share/man/man8/nqmgr.8 man-obsolete obsolete
./usr/share/man/man8/nslookup.8 man-netutil-man .man
./usr/share/man/man8/nsupdate.8 man-obsolete obsolete
diff -r f58b12cddabb -r a6ad47b63237 etc/MAKEDEV.tmpl
--- a/etc/MAKEDEV.tmpl Sun Aug 22 18:01:01 2010 +0000
+++ b/etc/MAKEDEV.tmpl Sun Aug 22 18:56:18 2010 +0000
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $NetBSD: MAKEDEV.tmpl,v 1.134 2010/04/19 04:34:42 pooka Exp $
+# $NetBSD: MAKEDEV.tmpl,v 1.135 2010/08/22 18:56:20 rmind Exp $
#
# Copyright (c) 2003,2007,2008 The NetBSD Foundation, Inc.
# All rights reserved.
@@ -255,6 +255,7 @@
# mlx* Mylex DAC960 control interface
# mly* Mylex AcceleRAID/eXtremeRAID control interface
# np* UNIBUS Ethernet co-processor interface, for downloading.
+# npf NPF packet filter
# nsmb* SMB requester
# openfirm OpenFirmware accessor
# pad* Pseudo-audio device driver
@@ -732,7 +733,7 @@
makedev md0 md1
makedev raid0 raid1 raid2 raid3 raid4 raid5 raid6 raid7
makedev vnd0 vnd1 vnd2 vnd3
- makedev bpf
+ makedev bpf npf
makedev tun0 tun1 tun2 tun3
makedev ipl pf crypto random
makedev lockstat clockctl cpuctl
@@ -1261,6 +1262,10 @@
lndev bpf bpf0
;;
+npf)
+ mkdev npf c %npf_chr% 0
+ ;;
+
bthub)
mkdev bthub c %bthub_chr% 0
;;
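Review bot: `mkdev npf c %npf_chr% 0` passes no mode, so /dev/npf gets mkdev's default; this is the control node through which npfctl loads rulesets and tables, so it must not be group- or world-writable. Confirm the default is 600 (root-only) or pass it explicitly. Also, `%npf_chr%` must resolve to the major allocated in sys/conf/majors (in the diffstat), since the hunk above adds npf to the default device set and a missing substitution would break MAKEDEV on every host, not just those with NPF.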
diff -r f58b12cddabb -r a6ad47b63237 etc/Makefile
--- a/etc/Makefile Sun Aug 22 18:01:01 2010 +0000
+++ b/etc/Makefile Sun Aug 22 18:56:18 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.380 2010/02/05 09:44:23 roy Exp $
+# $NetBSD: Makefile,v 1.381 2010/08/22 18:56:20 rmind Exp $
# from: @(#)Makefile 8.7 (Berkeley) 5/25/95
# Environment variables without default values:
@@ -192,7 +192,7 @@
MKGCC MKGCCCMDS MKGDB \
MKHESIOD MKHOSTOBJ MKHTML MKIEEEFP MKINET6 MKINFO MKIPFILTER \
MKKERBEROS MKLDAP MKLINKLIB MKLINT \
- MKMAN MKMANZ MKMDNS MKNLS MKNVI MKOBJ MKOBJDIRS \
+ MKMAN MKMANZ MKMDNS MKNLS MKNPF MKNVI MKOBJ MKOBJDIRS \
MKPAM MKPF MKPIC MKPICINSTALL MKPICLIB MKPOSTFIX MKPROFILE \
MKSHARE MKSKEY MKSOFTFLOAT MKSTATICLIB \
MKUNPRIVED MKUPDATE MKX11 MKYP \
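Review bot: MKNPF is now exported to the sets build, but its default and documentation live in share/mk/bsd.own.mk and share/mk/bsd.README, whose hunks are truncated here; confirm the default is consistent with the GENERIC kernel configs this import touches (sys/arch/amd64/conf/GENERIC, sys/arch/i386/conf/GENERIC), otherwise a default kernel can carry the filter while userland lacks npfctl, or the reverse.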
diff -r f58b12cddabb -r a6ad47b63237 share/man/man9/Makefile
--- a/share/man/man9/Makefile Sun Aug 22 18:01:01 2010 +0000
+++ b/share/man/man9/Makefile Sun Aug 22 18:56:18 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.341 2010/08/21 10:11:35 jruoho Exp $
+# $NetBSD: Makefile,v 1.342 2010/08/22 18:56:20 rmind Exp $
# Makefile for section 9 (kernel function and variable) manual pages.
@@ -36,7 +36,7 @@
memmove.9 memset.9 \
microtime.9 microuptime.9 mi_switch.9 module.9 \
mstohz.9 mutex.9 m_tag.9 namecache.9 \
- namei.9 nullop.9 opencrypto.9 optstr.9 \
+ namei.9 npf_ncode.9 nullop.9 opencrypto.9 optstr.9 \
panic.9 pci.9 pci_configure_bus.9 pci_intr.9 pckbport.9 \
pcmcia.9 pcq.9 percpu.9 pfil.9 physio.9 pmap.9 pmatch.9 \
pmc.9 pmf.9 pool.9 pool_cache.9 powerhook_establish.9 ppsratecheck.9 \
diff -r f58b12cddabb -r a6ad47b63237 share/man/man9/npf_ncode.9
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man9/npf_ncode.9 Sun Aug 22 18:56:18 2010 +0000
@@ -0,0 +1,259 @@
+.\" $NetBSD: npf_ncode.9,v 1.1 2010/08/22 18:56:20 rmind Exp $
+.\"
+.\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This material is based upon work partially supported by The
+.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 22, 2010
+.Dt NPF_NCODE 9
+.Os
+.Sh NAME
+.Nm npf_ncode
+.Nd NPF n-code processor
+.Sh SYNOPSIS
+.In net/npf_ncode.h
+.Ft int
+.Fn npf_ncode_process \
+"npf_cache_t *npc" "const void *ncode" "nbuf_t *nbuf" "int layer"
+.Ft int
+.Fn npf_ncode_validate "const void *ncode" "size_t sz" "int *errat"
+.\" -----
+.Sh DESCRIPTION
+The NPF n-code processor is a general purpose engine to inspect network
+packets, which are abstracted as chained buffers.
+.Pp
+.Sh FUNCTIONS
+.Fn npf_ncode_process
+performs n-code processing using data of the specified packet.
+.Fa ncode
+is address to a validated n-code memory block.
+N-code memory address should be 32 bit word aligned.
+.Fa nbuf
+is an opaque network buffer on which n-code processor will operate.
+.Fa layer
+specifies at which network layer buffer is passed, it can be either
+NPF_LAYER_L2 or NPF_LAYER_L3.
+This value is initally set in R0 register and can be checked by the
+n-code.
+Contents of other registers are unspecified.
+.Pp
+Function returns a value from the n-code.
+.Pp
+.Fn npf_ncode_validate
+performs n-code validation.
+.Fa ncode
+is address to a n-code memory block.
+.Fa sz
+is the size of memory block.
+.Fa errat
+is the word number in the n-code where error is detected.
+If no error, this value is undefined.
+.Pp
+On successful validation, function returns 0.
+Otherwise, may return one of the following error codes:
+.Bl -tag -width [NPF_ERR_OPCODE]
+.It Bq Er NPF_ERR_OPCODE
+Invalid instruction (unknown opcode).
+.It Bq Er NPF_ERR_JUMP
+Invalid jump, e.g. not to the instruction or out of range.
+.It Bq Er NPF_ERR_REG
+Invalid register, i.e. incorrect index number.
+.It Bq Er NPF_ERR_INVAL
+Invalid argument value.
+.It Bq Er NPF_ERR_RANGE
+Processing out of range, e.g. missing return path.
+.El
+.Pp
+Any untrusted n-code, for example generated by userspace, should be
+validated (once) before allowing to process it.
+.Pp
+.\" -----
+.Sh PROCESSING
+There are two instruction sets: RISC-like and CISC-like.
+Processing is done in words, therefore both instructions (their codes) and
+arguments are always 32 bit long words.
+.Pp
+There are four general purpose registers: R0, R1, R2, R3.
+Each can store 32 bit long words.
+Registers are mainly to store values for operations using RISC-like
+instructions.
+CISC-like instructions, however, use them to store return values.
+.Pp
+Processing begins from the first word until it reaches
+NPF_OPCODE_RET
+instruction with a return value.
+Instruction pointer can be changed using jump operations, which always
+take relative address, in words.
+Result of last comparison is tracked internally and jump operations should
+be performed immediately after comparison or certain CISC-like instructions.
+.Pp
+CISC-like instructions and
+NPF_OPCODE_LOAD
+can be used to load data from network buffer.
+They operate at current network buffer offset, which is initially at
+the beginning of network buffer.
+NPF_OPCODE_ADVR
+instruction can be used to advance the current network buffer offset.
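Review bot: the DESCRIPTION should state as a requirement, not a suggestion, that npf_ncode_process() is only ever given n-code that npf_ncode_validate() accepted; as written the processor trusts the opcodes, register indices and relative jump targets it is handed, and the validator is the only thing between a userland-supplied ruleset and an out-of-bounds read or an endless loop in the kernel. Suggest rewording "ncode is address to a validated n-code memory block" to "ncode must point to an n-code block that npf_ncode_validate() has accepted", and spelling out that NPF_ERR_JUMP covers jumps landing inside a multi-word instruction (the text's "not to the instruction") and that backward jumps forming a loop without a return path are rejected, since NPF_ERR_RANGE as described only covers a missing return. Style nits in the same page: "initally" -> "initially", "is address to" -> "is the address of", and "Function returns a value from the n-code" should say how the caller interprets that value.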