Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/usr.sbin/npf/npfctl npfctl_build_code: generate TCP/UDP chec...
details: https://anonhg.NetBSD.org/src/rev/2e05bb4ffde4
branches: trunk
changeset: 796404:2e05bb4ffde4
user: rmind <rmind%NetBSD.org@localhost>
date: Sat May 31 22:41:37 2014 +0000
description:
npfctl_build_code: generate TCP/UDP check for ports case when other blocks
do not imply L4 check; add an assert in npfctl_bpf_proto() and elsewhere.
diffstat:
usr.sbin/npf/npfctl/npf_bpf_comp.c | 21 ++++++++++++++-------
usr.sbin/npf/npfctl/npf_build.c | 15 ++++++++++++---
usr.sbin/npf/npfctl/npf_show.c | 6 +++---
3 files changed, 29 insertions(+), 13 deletions(-)
diffs (176 lines):
diff -r ffd58a821860 -r 2e05bb4ffde4 usr.sbin/npf/npfctl/npf_bpf_comp.c
--- a/usr.sbin/npf/npfctl/npf_bpf_comp.c Sat May 31 22:40:30 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_bpf_comp.c Sat May 31 22:41:37 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_bpf_comp.c,v 1.5 2014/05/15 02:34:29 rmind Exp $ */
+/* $NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $ */
/*-
* Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.5 2014/05/15 02:34:29 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $");
#include <stdlib.h>
#include <stdbool.h>
@@ -62,7 +62,8 @@
* something other than L4 header offset. Generally, when BPF_LDX is used.
*/
#define FETCHED_L3 0x01
-#define X_EQ_L4OFF 0x02
+#define CHECKED_L4 0x02
+#define X_EQ_L4OFF 0x04
struct npf_bpf {
/*
@@ -283,8 +284,8 @@
}
/*
- * Fetch L3 information. The coprocessor populates the following
- * words in the scratch memory store:
+ * Call NPF_COP_L3 to fetch L3 information. The coprocessor
+ * populates the following words in the scratch memory store:
* - BPF_MW_IPVER: IP version (4 or 6).
* - BPF_MW_L4OFF: L4 header offset.
* - BPF_MW_L4PROTO: L4 protocol.
@@ -369,6 +370,7 @@
uint32_t mwords[] = { BM_PROTO, 1, proto };
done_block(ctx, mwords, sizeof(mwords));
+ ctx->flags |= CHECKED_L4;
}
/*
@@ -471,6 +473,7 @@
/* TCP and UDP port offsets are the same. */
assert(sport_off == offsetof(struct tcphdr, th_sport));
assert(dport_off == offsetof(struct tcphdr, th_dport));
+ assert(ctx->flags & CHECKED_L4);
assert(((opts & MATCH_SRC) != 0) ^ ((opts & MATCH_DST) != 0));
off = (opts & MATCH_SRC) ? sport_off : dport_off;
@@ -516,11 +519,12 @@
npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp)
{
const u_int tcpfl_off = offsetof(struct tcphdr, th_flags);
+ const bool usingmask = tf_mask != tf;
/* X <- IP header length */
fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);
if (checktcp) {
- const u_int jf = (tf_mask != tf) ? 3 : 2;
+ const u_int jf = usingmask ? 3 : 2;
assert(ctx->ingroup == false);
/* A <- L4 protocol; A == TCP? If not, jump out. */
@@ -529,6 +533,8 @@
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, jf),
};
add_insns(ctx, insns_tcp, __arraycount(insns_tcp));
+ } else {
+ assert(ctx->flags & CHECKED_L4);
}
struct bpf_insn insns_tf[] = {
@@ -537,7 +543,7 @@
};
add_insns(ctx, insns_tf, __arraycount(insns_tf));
- if (tf_mask != tf) {
+ if (usingmask) {
/* A <- (A & mask) */
struct bpf_insn insns_mask[] = {
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, tf_mask),
@@ -567,6 +573,7 @@
const u_int type_off = offsetof(struct icmp, icmp_type);
const u_int code_off = offsetof(struct icmp, icmp_code);
+ assert(ctx->flags & CHECKED_L4);
assert(offsetof(struct icmp6_hdr, icmp6_type) == type_off);
assert(offsetof(struct icmp6_hdr, icmp6_code) == code_off);
assert(type != -1 || code != -1);
diff -r ffd58a821860 -r 2e05bb4ffde4 usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c Sat May 31 22:40:30 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c Sat May 31 22:41:37 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.37 2014/05/15 02:34:29 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $ */
/*-
* Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.37 2014/05/15 02:34:29 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $");
#include <sys/types.h>
#include <sys/mman.h>
@@ -293,10 +293,10 @@
npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op,
const filt_opts_t *fopts)
{
+ bool noproto, noaddrs, noports, need_tcpudp = false;
const addr_port_t *apfrom = &fopts->fo_from;
const addr_port_t *apto = &fopts->fo_to;
const int proto = op->op_proto;
- bool noproto, noaddrs, noports;
npf_bpf_t *bc;
size_t len;
@@ -317,7 +317,9 @@
switch (proto) {
case IPPROTO_TCP:
case IPPROTO_UDP:
+ break;
case -1:
+ need_tcpudp = true;
break;
default:
yyerror("invalid filter options for protocol %d", proto);
@@ -344,6 +346,13 @@
npfctl_build_vars(bc, family, apto->ap_netaddr, MATCH_DST);
/* Build port-range blocks. */
+ if (need_tcpudp) {
+ /* TCP/UDP check for the ports. */
+ npfctl_bpf_group(bc);
+ npfctl_bpf_proto(bc, AF_UNSPEC, IPPROTO_TCP);
+ npfctl_bpf_proto(bc, AF_UNSPEC, IPPROTO_UDP);
+ npfctl_bpf_endgroup(bc);
+ }
npfctl_build_vars(bc, family, apfrom->ap_portrange, MATCH_SRC);
npfctl_build_vars(bc, family, apto->ap_portrange, MATCH_DST);
diff -r ffd58a821860 -r 2e05bb4ffde4 usr.sbin/npf/npfctl/npf_show.c
--- a/usr.sbin/npf/npfctl/npf_show.c Sat May 31 22:40:30 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_show.c Sat May 31 22:41:37 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.13 2014/03/14 11:29:45 rmind Exp $ */
+/* $NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.13 2014/03/14 11:29:45 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $");
#include <sys/socket.h>
#include <netinet/in.h>
@@ -248,7 +248,7 @@
u_int fwords;
} mark_keyword_map[] = {
{ BM_IPVER, "family %s", NULL, print_family, 1 },
- { BM_PROTO, "proto %s", NULL, print_proto, 1 },
+ { BM_PROTO, "proto %s", ", ", print_proto, 1 },
{ BM_TCPFL, "flags %s", NULL, print_tcpflags, 2 },
{ BM_ICMP_TYPE, "icmp-type %s", NULL, print_number, 1 },
{ BM_ICMP_CODE, "code %s", NULL, print_number, 1 },
Home |
Main Index |
Thread Index |
Old Index