Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/usr.sbin/npf/npfctl npfctl_build_code: generate TCP/UDP chec...



details:   https://anonhg.NetBSD.org/src/rev/2e05bb4ffde4
branches:  trunk
changeset: 796404:2e05bb4ffde4
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sat May 31 22:41:37 2014 +0000

description:
npfctl_build_code: generate TCP/UDP check for ports case when other blocks
do not imply L4 check; add an assert in npfctl_bpf_proto() and elsewhere.

diffstat:

 usr.sbin/npf/npfctl/npf_bpf_comp.c |  21 ++++++++++++++-------
 usr.sbin/npf/npfctl/npf_build.c    |  15 ++++++++++++---
 usr.sbin/npf/npfctl/npf_show.c     |   6 +++---
 3 files changed, 29 insertions(+), 13 deletions(-)

diffs (176 lines):

diff -r ffd58a821860 -r 2e05bb4ffde4 usr.sbin/npf/npfctl/npf_bpf_comp.c
--- a/usr.sbin/npf/npfctl/npf_bpf_comp.c        Sat May 31 22:40:30 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_bpf_comp.c        Sat May 31 22:41:37 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_bpf_comp.c,v 1.5 2014/05/15 02:34:29 rmind Exp $   */
+/*     $NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $   */
 
 /*-
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.5 2014/05/15 02:34:29 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $");
 
 #include <stdlib.h>
 #include <stdbool.h>
@@ -62,7 +62,8 @@
  * something other than L4 header offset.  Generally, when BPF_LDX is used.
  */
 #define        FETCHED_L3              0x01
-#define        X_EQ_L4OFF              0x02
+#define        CHECKED_L4              0x02
+#define        X_EQ_L4OFF              0x04
 
 struct npf_bpf {
        /*
@@ -283,8 +284,8 @@
        }
 
        /*
-        * Fetch L3 information.  The coprocessor populates the following
-        * words in the scratch memory store:
+        * Call NPF_COP_L3 to fetch L3 information.  The coprocessor
+        * populates the following words in the scratch memory store:
         * - BPF_MW_IPVER: IP version (4 or 6).
         * - BPF_MW_L4OFF: L4 header offset.
         * - BPF_MW_L4PROTO: L4 protocol.
@@ -369,6 +370,7 @@
 
        uint32_t mwords[] = { BM_PROTO, 1, proto };
        done_block(ctx, mwords, sizeof(mwords));
+       ctx->flags |= CHECKED_L4;
 }
 
 /*
@@ -471,6 +473,7 @@
        /* TCP and UDP port offsets are the same. */
        assert(sport_off == offsetof(struct tcphdr, th_sport));
        assert(dport_off == offsetof(struct tcphdr, th_dport));
+       assert(ctx->flags & CHECKED_L4);
 
        assert(((opts & MATCH_SRC) != 0) ^ ((opts & MATCH_DST) != 0));
        off = (opts & MATCH_SRC) ? sport_off : dport_off;
@@ -516,11 +519,12 @@
 npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp)
 {
        const u_int tcpfl_off = offsetof(struct tcphdr, th_flags);
+       const bool usingmask = tf_mask != tf;
 
        /* X <- IP header length */
        fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);
        if (checktcp) {
-               const u_int jf = (tf_mask != tf) ? 3 : 2;
+               const u_int jf = usingmask ? 3 : 2;
                assert(ctx->ingroup == false);
 
                /* A <- L4 protocol; A == TCP?  If not, jump out. */
@@ -529,6 +533,8 @@
                        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, jf),
                };
                add_insns(ctx, insns_tcp, __arraycount(insns_tcp));
+       } else {
+               assert(ctx->flags & CHECKED_L4);
        }
 
        struct bpf_insn insns_tf[] = {
@@ -537,7 +543,7 @@
        };
        add_insns(ctx, insns_tf, __arraycount(insns_tf));
 
-       if (tf_mask != tf) {
+       if (usingmask) {
                /* A <- (A & mask) */
                struct bpf_insn insns_mask[] = {
                        BPF_STMT(BPF_ALU+BPF_AND+BPF_K, tf_mask),
@@ -567,6 +573,7 @@
        const u_int type_off = offsetof(struct icmp, icmp_type);
        const u_int code_off = offsetof(struct icmp, icmp_code);
 
+       assert(ctx->flags & CHECKED_L4);
        assert(offsetof(struct icmp6_hdr, icmp6_type) == type_off);
        assert(offsetof(struct icmp6_hdr, icmp6_code) == code_off);
        assert(type != -1 || code != -1);
diff -r ffd58a821860 -r 2e05bb4ffde4 usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c   Sat May 31 22:40:30 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c   Sat May 31 22:41:37 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_build.c,v 1.37 2014/05/15 02:34:29 rmind Exp $     */
+/*     $NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $     */
 
 /*-
  * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.37 2014/05/15 02:34:29 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -293,10 +293,10 @@
 npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op,
     const filt_opts_t *fopts)
 {
+       bool noproto, noaddrs, noports, need_tcpudp = false;
        const addr_port_t *apfrom = &fopts->fo_from;
        const addr_port_t *apto = &fopts->fo_to;
        const int proto = op->op_proto;
-       bool noproto, noaddrs, noports;
        npf_bpf_t *bc;
        size_t len;
 
@@ -317,7 +317,9 @@
                switch (proto) {
                case IPPROTO_TCP:
                case IPPROTO_UDP:
+                       break;
                case -1:
+                       need_tcpudp = true;
                        break;
                default:
                        yyerror("invalid filter options for protocol %d", proto);
@@ -344,6 +346,13 @@
        npfctl_build_vars(bc, family, apto->ap_netaddr, MATCH_DST);
 
        /* Build port-range blocks. */
+       if (need_tcpudp) {
+               /* TCP/UDP check for the ports. */
+               npfctl_bpf_group(bc);
+               npfctl_bpf_proto(bc, AF_UNSPEC, IPPROTO_TCP);
+               npfctl_bpf_proto(bc, AF_UNSPEC, IPPROTO_UDP);
+               npfctl_bpf_endgroup(bc);
+       }
        npfctl_build_vars(bc, family, apfrom->ap_portrange, MATCH_SRC);
        npfctl_build_vars(bc, family, apto->ap_portrange, MATCH_DST);
 
diff -r ffd58a821860 -r 2e05bb4ffde4 usr.sbin/npf/npfctl/npf_show.c
--- a/usr.sbin/npf/npfctl/npf_show.c    Sat May 31 22:40:30 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_show.c    Sat May 31 22:41:37 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_show.c,v 1.13 2014/03/14 11:29:45 rmind Exp $      */
+/*     $NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $      */
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.13 2014/03/14 11:29:45 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $");
 
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -248,7 +248,7 @@
        u_int           fwords;
 } mark_keyword_map[] = {
        { BM_IPVER,     "family %s",    NULL,           print_family,   1 },
-       { BM_PROTO,     "proto %s",     NULL,           print_proto,    1 },
+       { BM_PROTO,     "proto %s",     ", ",           print_proto,    1 },
        { BM_TCPFL,     "flags %s",     NULL,           print_tcpflags, 2 },
        { BM_ICMP_TYPE, "icmp-type %s", NULL,           print_number,   1 },
        { BM_ICMP_CODE, "code %s",      NULL,           print_number,   1 },



Home | Main Index | Thread Index | Old Index