Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src NPF:



details:   https://anonhg.NetBSD.org/src/rev/a7dbcedb2c85
branches:  trunk
changeset: 784770:a7dbcedb2c85
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sat Feb 09 03:35:31 2013 +0000

description:
NPF:
- Implement dynamic NPF rules.  Controlled through npf(3) library of via
  npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

diffstat:

 lib/libnpf/npf.3                                |   58 +-
 lib/libnpf/npf.c                                |  257 ++++++++---
 lib/libnpf/npf.h                                |   22 +-
 sys/modules/npf/Makefile                        |    4 +-
 sys/net/npf/files.npf                           |    3 +-
 sys/net/npf/npf.c                               |  161 +------
 sys/net/npf/npf.h                               |   93 ++-
 sys/net/npf/npf_alg.c                           |   13 +-
 sys/net/npf/npf_alg_icmp.c                      |   12 +-
 sys/net/npf/npf_conf.c                          |  236 +++++++++++
 sys/net/npf/npf_ctl.c                           |  466 +++++++++++----------
 sys/net/npf/npf_handler.c                       |   47 +-
 sys/net/npf/npf_impl.h                          |   56 +-
 sys/net/npf/npf_inet.c                          |   12 +-
 sys/net/npf/npf_instr.c                         |    9 +-
 sys/net/npf/npf_nat.c                           |   51 +-
 sys/net/npf/npf_ncode.h                         |    6 +-
 sys/net/npf/npf_processor.c                     |   18 +-
 sys/net/npf/npf_rproc.c                         |   65 ++-
 sys/net/npf/npf_ruleset.c                       |  510 +++++++++++++++++------
 sys/net/npf/npf_sendpkt.c                       |    6 +-
 sys/net/npf/npf_session.c                       |   15 +-
 sys/net/npf/npf_state.c                         |    8 +-
 sys/net/npf/npf_tableset.c                      |   19 +-
 sys/rump/net/lib/libnpf/Makefile                |    6 +-
 usr.sbin/npf/npfctl/Makefile                    |    4 +-
 usr.sbin/npf/npfctl/npf.conf.5                  |    8 +-
 usr.sbin/npf/npfctl/npf_build.c                 |   97 +++-
 usr.sbin/npf/npfctl/npf_disassemble.c           |   45 +-
 usr.sbin/npf/npfctl/npf_parse.y                 |   73 ++-
 usr.sbin/npf/npfctl/npf_scan.l                  |   40 +-
 usr.sbin/npf/npfctl/npfctl.8                    |   29 +-
 usr.sbin/npf/npfctl/npfctl.c                    |  205 +++++++-
 usr.sbin/npf/npfctl/npfctl.h                    |   16 +-
 usr.sbin/npf/npftest/Makefile                   |    1 +
 usr.sbin/npf/npftest/README                     |    4 +-
 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c |   61 ++-
 usr.sbin/npf/npftest/npftest.conf               |    3 +-
 38 files changed, 1831 insertions(+), 908 deletions(-)

diffs (truncated from 4837 to 300 lines):

diff -r b932fd15641b -r a7dbcedb2c85 lib/libnpf/npf.3
--- a/lib/libnpf/npf.3  Sat Feb 09 02:49:36 2013 +0000
+++ b/lib/libnpf/npf.3  Sat Feb 09 03:35:31 2013 +0000
@@ -1,6 +1,6 @@
-.\"    $NetBSD: npf.3,v 1.7 2012/12/24 00:35:56 wiz Exp $
+.\"    $NetBSD: npf.3,v 1.8 2013/02/09 03:35:33 rmind Exp $
 .\"
-.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 23, 2012
+.Dd January 5, 2013
 .Dt NPF 3
 .Os
 .Sh NAME
@@ -50,12 +50,15 @@
 .Ft nl_rule_t *
 .Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx"
 .Ft int
-.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t sz"
+.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len"
+.Ft int
+.Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len"
 .Ft bool
 .Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name"
 .Ft int
-.Fn npf_rule_insert "nl_config_t *ncf" " nl_rule_t *parent" \
-"nl_rule_t *rl" "pri_t pri"
+.Fn npf_rule_insert "nl_config_t *ncf" " nl_rule_t *parent" "nl_rule_t *rl"
+.Ft int
+.Fn npf_rule_setprio "nl_rule_t *rl" "pri_t pri"
 .Ft int
 .Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name"
 .Ft void
@@ -123,10 +126,6 @@
 Decision of this rule is "pass".
 If this attribute is not
 specified, then packet "block" (drop) is the default.
-.It Dv NPF_RULE_DEFAULT
-This a default rule in the ruleset.
-There can only be a
-single rule having this attribute set in the ruleset.
 .It Dv NPF_RULE_FINAL
 Indicates that on rule match, further processing of the
 ruleset should be stopped and this rule applied instantly.
@@ -150,21 +149,31 @@
 .Xr if_nametoindex 3 .
 Zero indicates any interface.
 .\" ---
-.It Fn npf_rule_setcode "rl" "type" "code" "sz"
+.It Fn npf_rule_setcode "rl" "type" "code" "len"
 Assign compiled code for the rule specified by
 .Fa rl ,
 used for filter criteria.
 Pointer to the binary code is specified by
 .Fa code ,
 and size of the memory area by
-.Fa sz .
+.Fa len .
 Type of the code is specified by
 .Fa type .
 Currently, only n-code is supported and
-.Dv NPF_CODE_NCODE
+.Dv NPF_CODE_NC
 should be passed.
 .\" ---
-.It Fn npf_rule_insert "ncf" "parent" "rl" "pri"
+.It Fn npf_rule_setkey "rl" "type" "key" "len"
+Assign a key for the rule specified by
+.Fa rl .
+Binary key is specified by
+.Fa key ,
+and its size by
+.Fa len .
+The size shall not exceed
+.Dv NPF_RULE_MAXKEYLEN .
+.\" ---
+.It Fn npf_rule_insert "ncf" "parent" "rl"
 Insert the rule into the set of parent rule specified by
 .Fa parent .
 If value of
@@ -172,15 +181,26 @@
 is
 .Dv NULL ,
 then insert into the main ruleset.
+.\" ---
+.It Fn npf_rule_setprio "rl" "pri"
+Set priority to the rule.
+Negative priorities are invalid.
 .Pp
 Priority is the order of the rule in the ruleset.
 Lower value means first to process, higher value - last to process.
-If multiple rules have the same priority - order is unspecified.
-A special constant
-.Dv NPF_PRI_NEXT
-may be passed to use the value of last used priority incremented by 1.
+If multiple rules are inserted with the same priority,
+the order is unspecified.
+.Pp
+The special constants
+.Dv NPF_PRI_FIRST
+and
+.Dv NPF_PRI_LAST
+can be passed to indicate that the rule should be inserted into the
+beginning or the end of the priority level 0 in the ruleset.
+All rules inserted using these constants will have the priority 0
+assigned and will share this level in the ordered way.
 .It Fn npf_rule_setproc "ncf" "rl" "name"
-Set procedure for the specified rule.
+Set a procedure for the specified rule.
 .It Fn npf_rule_destroy "rl"
 Destroy the given rule.
 .El
diff -r b932fd15641b -r a7dbcedb2c85 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c  Sat Feb 09 02:49:36 2013 +0000
+++ b/lib/libnpf/npf.c  Sat Feb 09 03:35:31 2013 +0000
@@ -1,7 +1,7 @@
-/*     $NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $   */
+/*     $NetBSD: npf.c,v 1.16 2013/02/09 03:35:33 rmind Exp $   */
 
 /*-
- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.16 2013/02/09 03:35:33 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -54,9 +54,6 @@
        prop_array_t            ncf_rproc_list;
        prop_array_t            ncf_table_list;
        prop_array_t            ncf_nat_list;
-       /* Priority counters. */
-       pri_t                   ncf_rule_pri;
-       pri_t                   ncf_nat_pri;
        /* Debug information. */
        prop_dictionary_t       ncf_debug;
        /* Error report. */
@@ -83,6 +80,8 @@
        prop_dictionary_t       nxt_dict;
 };
 
+static prop_array_t    _npf_ruleset_transform(prop_array_t);
+
 /*
  * CONFIGURATION INTERFACE.
  */
@@ -101,9 +100,6 @@
        ncf->ncf_table_list = prop_array_create();
        ncf->ncf_nat_list = prop_array_create();
 
-       ncf->ncf_rule_pri = 1;
-       ncf->ncf_nat_pri = 1;
-
        ncf->ncf_plist = NULL;
        ncf->ncf_flush = false;
 
@@ -115,6 +111,7 @@
 {
        const char *plist = ncf->ncf_plist;
        prop_dictionary_t npf_dict;
+       prop_array_t rlset;
        int error = 0;
 
        npf_dict = prop_dictionary_create();
@@ -122,7 +119,15 @@
                return ENOMEM;
        }
        prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
-       prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
+
+       rlset = _npf_ruleset_transform(ncf->ncf_rules_list);
+       if (rlset == NULL) {
+               prop_object_release(npf_dict);
+               return ENOMEM;
+       }
+       prop_dictionary_set(npf_dict, "rules", rlset);
+       prop_object_release(rlset);
+
        prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
        prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
        prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
@@ -205,9 +210,9 @@
        prop_dictionary_get_uint32(ncf->ncf_err,
            "source-line", &ne->ne_source_line);
        prop_dictionary_get_int32(ncf->ncf_err,
-           "ncode-error", &ne->ne_ncode_error);
+           "code-error", &ne->ne_ncode_error);
        prop_dictionary_get_int32(ncf->ncf_err,
-           "ncode-errat", &ne->ne_ncode_errat);
+           "code-errat", &ne->ne_ncode_errat);
 }
 
 void
@@ -254,6 +259,110 @@
 }
 
 /*
+ * DYNAMIC RULESET INTERFACE.
+ */
+
+int
+npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uintptr_t *id)
+{
+       prop_dictionary_t rldict = rl->nrl_dict;
+       prop_dictionary_t ret;
+       uint64_t id64;
+       int error;
+
+       prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+       prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_ADD);
+       error = prop_dictionary_sendrecv_ioctl(rldict, fd, IOC_NPF_RULE, &ret);
+       if (!error) {
+               prop_dictionary_get_uint64(ret, "id", &id64);
+               *id = (uintptr_t)id64;
+       }
+       return error;
+}
+
+int
+npf_ruleset_remove(int fd, const char *rname, uintptr_t id)
+{
+       prop_dictionary_t rldict;
+
+       rldict = prop_dictionary_create();
+       if (rldict == NULL) {
+               return ENOMEM;
+       }
+       prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+       prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMOVE);
+       __CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
+       prop_dictionary_set_uint64(rldict, "id", (uint64_t)id);
+       return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+int
+npf_ruleset_remkey(int fd, const char *rname, const void *key, size_t len)
+{
+       prop_dictionary_t rldict;
+       prop_data_t keyobj;
+
+       rldict = prop_dictionary_create();
+       if (rldict == NULL) {
+               return ENOMEM;
+       }
+       prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+       prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMKEY);
+
+       keyobj = prop_data_create_data(key, len);
+       if (keyobj == NULL) {
+               prop_object_release(rldict);
+               return ENOMEM;
+       }
+       prop_dictionary_set(rldict, "key", keyobj);
+       prop_object_release(keyobj);
+
+       return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+/*
+ * _npf_ruleset_transform: transform the ruleset representing nested
+ * rules with lists into an array.
+ */
+
+static void
+_npf_ruleset_transform1(prop_array_t rlset, prop_array_t rules)
+{
+       prop_object_iterator_t it;
+       prop_dictionary_t rldict;
+       prop_array_t subrlset;
+
+       it = prop_array_iterator(rules);
+       while ((rldict = prop_object_iterator_next(it)) != NULL) {
+               unsigned idx;
+
+               /* Add rules to the array (reference is retained). */
+               prop_array_add(rlset, rldict);
+
+               subrlset = prop_dictionary_get(rldict, "subrules");
+               if (subrlset) {
+                       /* Process subrules recursively. */
+                       _npf_ruleset_transform1(rlset, subrlset);
+                       /* Add the skip-to position. */
+                       idx = prop_array_count(rlset);
+                       prop_dictionary_set_uint32(rldict, "skip-to", idx);
+                       prop_dictionary_remove(rldict, "subrules");
+               }



Home | Main Index | Thread Index | Old Index