[src/trunk]: src/sys/net/npf - npf_config_load: if loading the connections, d...
details: https://anonhg.NetBSD.org/src/rev/57ff867ed756
branches: trunk
changeset: 804803:57ff867ed756
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Nov 30 01:37:53 2014 +0000
description:
- npf_config_load: if loading the connections, do not perform any active
NAT policy take-over or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
diffstat:
sys/net/npf/npf_conf.c | 13 ++++++++-----
sys/net/npf/npf_impl.h | 4 ++--
sys/net/npf/npf_nat.c | 7 +++++--
sys/net/npf/npf_ruleset.c | 14 +++++++++++---
4 files changed, 26 insertions(+), 12 deletions(-)
diffs (148 lines):
diff -r 56837772d067 -r 57ff867ed756 sys/net/npf/npf_conf.c
--- a/sys/net/npf/npf_conf.c Sun Nov 30 00:40:55 2014 +0000
+++ b/sys/net/npf/npf_conf.c Sun Nov 30 01:37:53 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $ */
+/* $NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -105,11 +105,13 @@
void
npf_config_fini(void)
{
+ npf_conndb_t *cd = npf_conndb_create();
+
/* Flush the connections. */
mutex_enter(&npf_config_lock);
npf_conn_tracking(false);
pserialize_perform(npf_config_psz);
- npf_conn_load(NULL, false);
+ npf_conn_load(cd, false);
npf_ifmap_flush();
mutex_exit(&npf_config_lock);
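Review bot: Ownership of `cd` is implicit on the `npf_conn_load(cd, false)` line: the database is created before the lock is taken and handed over, with no path that releases it if the callee does not keep it. If npf_conn_load() always installs the new database and disposes of the old one (not visible in this hunk), a comment at the call would make that explicit: `/* npf_conn_load() takes ownership of cd; the empty database replaces the active one. */`. It is also worth confirming that npf_conndb_create() cannot return NULL, since its result is passed on without a check.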
@@ -127,6 +129,7 @@
npf_ruleset_t *nset, npf_rprocset_t *rpset,
npf_conndb_t *conns, bool flush)
{
+ const bool load = conns != NULL;
npf_config_t *nc, *onc;
nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
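Review bot: `const bool load = conns != NULL;` encodes a contract, that a non-NULL connection database means a full state import, which is only explained by a comment in npf_ruleset.c rather than where the flag is derived. Suggest a comment above it: `/* A non-NULL conns means a state load: NAT policies are replaced wholesale, never shared or inherited from the active ruleset. */`. The body of npf_config_load continues outside the hunk.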
@@ -143,9 +146,9 @@
*/
mutex_enter(&npf_config_lock);
if ((onc = npf_config) != NULL) {
- npf_ruleset_reload(rset, onc->n_rules);
+ npf_ruleset_reload(rset, onc->n_rules, load);
npf_tableset_reload(tset, onc->n_tables);
- npf_ruleset_reload(nset, onc->n_nat_rules);
+ npf_ruleset_reload(nset, onc->n_nat_rules, load);
}
/*
diff -r 56837772d067 -r 57ff867ed756 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Sun Nov 30 00:40:55 2014 +0000
+++ b/sys/net/npf/npf_impl.h Sun Nov 30 01:37:53 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -254,7 +254,7 @@
npf_ruleset_t * npf_ruleset_create(size_t);
void npf_ruleset_destroy(npf_ruleset_t *);
void npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *);
-void npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *);
+void npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *, bool);
npf_rule_t * npf_ruleset_sharepm(npf_ruleset_t *, npf_natpolicy_t *);
npf_natpolicy_t *npf_ruleset_findnat(npf_ruleset_t *, uint64_t);
void npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
diff -r 56837772d067 -r 57ff867ed756 sys/net/npf/npf_nat.c
--- a/sys/net/npf/npf_nat.c Sun Nov 30 00:40:55 2014 +0000
+++ b/sys/net/npf/npf_nat.c Sun Nov 30 01:37:53 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $ */
+/* $NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $ */
/*-
* Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -71,7 +71,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -364,6 +364,8 @@
npf_portmap_t *pm, *mpm;
KASSERT(np && mnp && np != mnp);
+ KASSERT(LIST_EMPTY(&mnp->n_nat_list));
+ KASSERT(mnp->n_refcnt == 0);
/* Using port map and having equal translation address? */
if ((np->n_flags & mnp->n_flags & NPF_NAT_PORTMAP) == 0) {
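Review bot: The two new KASSERTs on `mnp` state a precondition, that the policy being shared into has no connections on its `n_nat_list` and no references, but nothing records why, and since KASSERT is compiled out on non-DIAGNOSTIC kernels the comment is all a future caller will see. Suggest `/* mnp must be fresh: a policy that already has translated connections must not share a port map (see npf_ruleset_reload) - confirm. */` above the asserts. The enclosing function starts outside this hunk.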
@@ -889,6 +891,7 @@
pool_cache_put(nat_cache, nt);
return NULL;
}
+ npf_stats_inc(NPF_STAT_NAT_CREATE);
/*
* Associate, take a reference and insert. Unlocked since
diff -r 56837772d067 -r 57ff867ed756 sys/net/npf/npf_ruleset.c
--- a/sys/net/npf/npf_ruleset.c Sun Nov 30 00:40:55 2014 +0000
+++ b/sys/net/npf/npf_ruleset.c Sun Nov 30 01:37:53 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.39 2014/11/30 00:40:55 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.39 2014/11/30 00:40:55 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -449,7 +449,7 @@
* => The active (old) ruleset should be exclusively locked.
*/
void
-npf_ruleset_reload(npf_ruleset_t *newset, npf_ruleset_t *oldset)
+npf_ruleset_reload(npf_ruleset_t *newset, npf_ruleset_t *oldset, bool load)
{
npf_rule_t *rg, *rl;
uint64_t nid = 0;
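Review bot: The header comment above npf_ruleset_reload() (the visible `=> The active (old) ruleset should be exclusively locked.` line) is not updated for the new `load` parameter, so readers of the declaration cannot tell what passing `true` means. Suggest adding a line to that comment: `=> If 'load' is set, NAT policies are neither shared nor inherited from the old set.`. The rest of the function lies outside this hunk.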
@@ -486,6 +486,14 @@
}
/*
+ * If performing the load of connections then NAT policies may
+ * already have translated connections associated with them and
+ * we should not share or inherit anything.
+ */
+ if (load)
+ return;
+
+ /*
* Scan all rules in the new ruleset and share NAT policies.
* Also, assign a unique ID for each policy here.
*/
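Review bot: The early `return` when `load` is set skips not only the NAT policy sharing but also the unique-ID assignment that the following comment describes (`Also, assign a unique ID for each policy here`), and leaves `nid` unused on that path. That is correct only if policies arriving with a connection import already carry their IDs from the import side, which is not visible here; the new comment should state that assumption, e.g. append `The imported policies are expected to already carry their IDs.`, and if it does not hold the ID loop needs to run before the return. The loop itself and the function's end are outside this hunk.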