Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src NPF:
details: https://anonhg.NetBSD.org/src/rev/a7dbcedb2c85
branches: trunk
changeset: 784770:a7dbcedb2c85
user: rmind <rmind%NetBSD.org@localhost>
date: Sat Feb 09 03:35:31 2013 +0000
description:
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
diffstat:
lib/libnpf/npf.3 | 58 +-
lib/libnpf/npf.c | 257 ++++++++---
lib/libnpf/npf.h | 22 +-
sys/modules/npf/Makefile | 4 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.c | 161 +------
sys/net/npf/npf.h | 93 ++-
sys/net/npf/npf_alg.c | 13 +-
sys/net/npf/npf_alg_icmp.c | 12 +-
sys/net/npf/npf_conf.c | 236 +++++++++++
sys/net/npf/npf_ctl.c | 466 +++++++++++----------
sys/net/npf/npf_handler.c | 47 +-
sys/net/npf/npf_impl.h | 56 +-
sys/net/npf/npf_inet.c | 12 +-
sys/net/npf/npf_instr.c | 9 +-
sys/net/npf/npf_nat.c | 51 +-
sys/net/npf/npf_ncode.h | 6 +-
sys/net/npf/npf_processor.c | 18 +-
sys/net/npf/npf_rproc.c | 65 ++-
sys/net/npf/npf_ruleset.c | 510 +++++++++++++++++------
sys/net/npf/npf_sendpkt.c | 6 +-
sys/net/npf/npf_session.c | 15 +-
sys/net/npf/npf_state.c | 8 +-
sys/net/npf/npf_tableset.c | 19 +-
sys/rump/net/lib/libnpf/Makefile | 6 +-
usr.sbin/npf/npfctl/Makefile | 4 +-
usr.sbin/npf/npfctl/npf.conf.5 | 8 +-
usr.sbin/npf/npfctl/npf_build.c | 97 +++-
usr.sbin/npf/npfctl/npf_disassemble.c | 45 +-
usr.sbin/npf/npfctl/npf_parse.y | 73 ++-
usr.sbin/npf/npfctl/npf_scan.l | 40 +-
usr.sbin/npf/npfctl/npfctl.8 | 29 +-
usr.sbin/npf/npfctl/npfctl.c | 205 +++++++-
usr.sbin/npf/npfctl/npfctl.h | 16 +-
usr.sbin/npf/npftest/Makefile | 1 +
usr.sbin/npf/npftest/README | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c | 61 ++-
usr.sbin/npf/npftest/npftest.conf | 3 +-
38 files changed, 1831 insertions(+), 908 deletions(-)
diffs (truncated from 4837 to 300 lines):
diff -r b932fd15641b -r a7dbcedb2c85 lib/libnpf/npf.3
--- a/lib/libnpf/npf.3 Sat Feb 09 02:49:36 2013 +0000
+++ b/lib/libnpf/npf.3 Sat Feb 09 03:35:31 2013 +0000
@@ -1,6 +1,6 @@
-.\" $NetBSD: npf.3,v 1.7 2012/12/24 00:35:56 wiz Exp $
+.\" $NetBSD: npf.3,v 1.8 2013/02/09 03:35:33 rmind Exp $
.\"
-.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 23, 2012
+.Dd January 5, 2013
.Dt NPF 3
.Os
.Sh NAME
@@ -50,12 +50,15 @@
.Ft nl_rule_t *
.Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx"
.Ft int
-.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t sz"
+.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len"
+.Ft int
+.Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len"
.Ft bool
.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name"
.Ft int
-.Fn npf_rule_insert "nl_config_t *ncf" " nl_rule_t *parent" \
-"nl_rule_t *rl" "pri_t pri"
+.Fn npf_rule_insert "nl_config_t *ncf" " nl_rule_t *parent" "nl_rule_t *rl"
+.Ft int
+.Fn npf_rule_setprio "nl_rule_t *rl" "pri_t pri"
.Ft int
.Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name"
.Ft void
@@ -123,10 +126,6 @@
Decision of this rule is "pass".
If this attribute is not
specified, then packet "block" (drop) is the default.
-.It Dv NPF_RULE_DEFAULT
-This a default rule in the ruleset.
-There can only be a
-single rule having this attribute set in the ruleset.
.It Dv NPF_RULE_FINAL
Indicates that on rule match, further processing of the
ruleset should be stopped and this rule applied instantly.
@@ -150,21 +149,31 @@
.Xr if_nametoindex 3 .
Zero indicates any interface.
.\" ---
-.It Fn npf_rule_setcode "rl" "type" "code" "sz"
+.It Fn npf_rule_setcode "rl" "type" "code" "len"
Assign compiled code for the rule specified by
.Fa rl ,
used for filter criteria.
Pointer to the binary code is specified by
.Fa code ,
and size of the memory area by
-.Fa sz .
+.Fa len .
Type of the code is specified by
.Fa type .
Currently, only n-code is supported and
-.Dv NPF_CODE_NCODE
+.Dv NPF_CODE_NC
should be passed.
.\" ---
-.It Fn npf_rule_insert "ncf" "parent" "rl" "pri"
+.It Fn npf_rule_setkey "rl" "type" "key" "len"
+Assign a key for the rule specified by
+.Fa rl .
+Binary key is specified by
+.Fa key ,
+and its size by
+.Fa len .
+The size shall not exceed
+.Dv NPF_RULE_MAXKEYLEN .
+.\" ---
+.It Fn npf_rule_insert "ncf" "parent" "rl"
Insert the rule into the set of parent rule specified by
.Fa parent .
If value of
@@ -172,15 +181,26 @@
is
.Dv NULL ,
then insert into the main ruleset.
+.\" ---
+.It Fn npf_rule_setprio "rl" "pri"
+Set priority to the rule.
+Negative priorities are invalid.
.Pp
Priority is the order of the rule in the ruleset.
Lower value means first to process, higher value - last to process.
-If multiple rules have the same priority - order is unspecified.
-A special constant
-.Dv NPF_PRI_NEXT
-may be passed to use the value of last used priority incremented by 1.
+If multiple rules are inserted with the same priority,
+the order is unspecified.
+.Pp
+The special constants
+.Dv NPF_PRI_FIRST
+and
+.Dv NPF_PRI_LAST
+can be passed to indicate that the rule should be inserted into the
+beginning or the end of the priority level 0 in the ruleset.
+All rules inserted using these constants will have the priority 0
+assigned and will share this level in the ordered way.
.It Fn npf_rule_setproc "ncf" "rl" "name"
-Set procedure for the specified rule.
+Set a procedure for the specified rule.
.It Fn npf_rule_destroy "rl"
Destroy the given rule.
.El
diff -r b932fd15641b -r a7dbcedb2c85 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sat Feb 09 02:49:36 2013 +0000
+++ b/lib/libnpf/npf.c Sat Feb 09 03:35:31 2013 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.16 2013/02/09 03:35:33 rmind Exp $ */
/*-
- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.16 2013/02/09 03:35:33 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -54,9 +54,6 @@
prop_array_t ncf_rproc_list;
prop_array_t ncf_table_list;
prop_array_t ncf_nat_list;
- /* Priority counters. */
- pri_t ncf_rule_pri;
- pri_t ncf_nat_pri;
/* Debug information. */
prop_dictionary_t ncf_debug;
/* Error report. */
@@ -83,6 +80,8 @@
prop_dictionary_t nxt_dict;
};
+static prop_array_t _npf_ruleset_transform(prop_array_t);
+
/*
* CONFIGURATION INTERFACE.
*/
@@ -101,9 +100,6 @@
ncf->ncf_table_list = prop_array_create();
ncf->ncf_nat_list = prop_array_create();
- ncf->ncf_rule_pri = 1;
- ncf->ncf_nat_pri = 1;
-
ncf->ncf_plist = NULL;
ncf->ncf_flush = false;
@@ -115,6 +111,7 @@
{
const char *plist = ncf->ncf_plist;
prop_dictionary_t npf_dict;
+ prop_array_t rlset;
int error = 0;
npf_dict = prop_dictionary_create();
@@ -122,7 +119,15 @@
return ENOMEM;
}
prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
- prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
+
+ rlset = _npf_ruleset_transform(ncf->ncf_rules_list);
+ if (rlset == NULL) {
+ prop_object_release(npf_dict);
+ return ENOMEM;
+ }
+ prop_dictionary_set(npf_dict, "rules", rlset);
+ prop_object_release(rlset);
+
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
@@ -205,9 +210,9 @@
prop_dictionary_get_uint32(ncf->ncf_err,
"source-line", &ne->ne_source_line);
prop_dictionary_get_int32(ncf->ncf_err,
- "ncode-error", &ne->ne_ncode_error);
+ "code-error", &ne->ne_ncode_error);
prop_dictionary_get_int32(ncf->ncf_err,
- "ncode-errat", &ne->ne_ncode_errat);
+ "code-errat", &ne->ne_ncode_errat);
}
void
@@ -254,6 +259,110 @@
}
/*
+ * DYNAMIC RULESET INTERFACE.
+ */
+
+int
+npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uintptr_t *id)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ prop_dictionary_t ret;
+ uint64_t id64;
+ int error;
+
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_ADD);
+ error = prop_dictionary_sendrecv_ioctl(rldict, fd, IOC_NPF_RULE, &ret);
+ if (!error) {
+ prop_dictionary_get_uint64(ret, "id", &id64);
+ *id = (uintptr_t)id64;
+ }
+ return error;
+}
+
+int
+npf_ruleset_remove(int fd, const char *rname, uintptr_t id)
+{
+ prop_dictionary_t rldict;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMOVE);
+ __CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
+ prop_dictionary_set_uint64(rldict, "id", (uint64_t)id);
+ return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+int
+npf_ruleset_remkey(int fd, const char *rname, const void *key, size_t len)
+{
+ prop_dictionary_t rldict;
+ prop_data_t keyobj;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMKEY);
+
+ keyobj = prop_data_create_data(key, len);
+ if (keyobj == NULL) {
+ prop_object_release(rldict);
+ return ENOMEM;
+ }
+ prop_dictionary_set(rldict, "key", keyobj);
+ prop_object_release(keyobj);
+
+ return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+/*
+ * _npf_ruleset_transform: transform the ruleset representing nested
+ * rules with lists into an array.
+ */
+
+static void
+_npf_ruleset_transform1(prop_array_t rlset, prop_array_t rules)
+{
+ prop_object_iterator_t it;
+ prop_dictionary_t rldict;
+ prop_array_t subrlset;
+
+ it = prop_array_iterator(rules);
+ while ((rldict = prop_object_iterator_next(it)) != NULL) {
+ unsigned idx;
+
+ /* Add rules to the array (reference is retained). */
+ prop_array_add(rlset, rldict);
+
+ subrlset = prop_dictionary_get(rldict, "subrules");
+ if (subrlset) {
+ /* Process subrules recursively. */
+ _npf_ruleset_transform1(rlset, subrlset);
+ /* Add the skip-to position. */
+ idx = prop_array_count(rlset);
+ prop_dictionary_set_uint32(rldict, "skip-to", idx);
+ prop_dictionary_remove(rldict, "subrules");
+ }
Home |
Main Index |
Thread Index |
Old Index