Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src - npfctl_load_nvlist: simplify the config loading logic.



details:   https://anonhg.NetBSD.org/src/rev/5b64750e81c0
branches:  trunk
changeset: 964987:5b64750e81c0
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sun Aug 25 13:21:03 2019 +0000

description:
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.

diffstat:

 sys/net/npf/npf.c                               |   12 +-
 sys/net/npf/npf_alg.c                           |   28 +++--
 sys/net/npf/npf_conf.c                          |  106 ++++++++++-----------
 sys/net/npf/npf_ctl.c                           |  117 ++++++++++-------------
 sys/net/npf/npf_handler.c                       |    9 +-
 sys/net/npf/npf_ifaddr.c                        |   11 +-
 sys/net/npf/npf_impl.h                          |   44 +++++---
 sys/net/npf/npf_nat.c                           |   18 ++-
 sys/net/npf/npf_os.c                            |   58 +++++++++++-
 usr.sbin/npf/npfctl/npf_bpf_comp.c              |   14 +-
 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c |    4 +-
 11 files changed, 239 insertions(+), 182 deletions(-)

diffs (truncated from 1118 to 300 lines):

diff -r f286360efa08 -r 5b64750e81c0 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Sun Aug 25 07:10:30 2019 +0000
+++ b/sys/net/npf/npf.c Sun Aug 25 13:21:03 2019 +0000
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.40 2019/08/11 20:26:33 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.41 2019/08/25 13:21:03 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -72,7 +72,7 @@
        npf_t *npf;
 
        npf = kmem_zalloc(sizeof(npf_t), KM_SLEEP);
-       npf->qsbr = pserialize_create();
+       npf->ebr = npf_ebr_create();
        npf->stats_percpu = percpu_alloc(NPF_STATS_SIZE);
        npf->mbufops = mbufops;
 
@@ -111,7 +111,7 @@
        npf_state_sysfini(npf);
        npf_param_fini(npf);
 
-       pserialize_destroy(npf->qsbr);
+       npf_ebr_destroy(npf->ebr);
        percpu_free(npf->stats_percpu, NPF_STATS_SIZE);
        kmem_free(npf, sizeof(npf_t));
 }
@@ -131,14 +131,14 @@
 __dso_public void
 npfk_thread_register(npf_t *npf)
 {
-       pserialize_register(npf->qsbr);
+       npf_ebr_register(npf->ebr);
 }
 
 __dso_public void
 npfk_thread_unregister(npf_t *npf)
 {
-       pserialize_perform(npf->qsbr);
-       pserialize_unregister(npf->qsbr);
+       npf_ebr_full_sync(npf->ebr);
+       npf_ebr_unregister(npf->ebr);
 }
 
 void
diff -r f286360efa08 -r 5b64750e81c0 sys/net/npf/npf_alg.c
--- a/sys/net/npf/npf_alg.c     Sun Aug 25 07:10:30 2019 +0000
+++ b/sys/net/npf/npf_alg.c     Sun Aug 25 13:21:03 2019 +0000
@@ -33,13 +33,12 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.20 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.21 2019/08/25 13:21:03 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
 
 #include <sys/kmem.h>
-#include <sys/pserialize.h>
 #include <sys/module.h>
 #endif
 
@@ -185,7 +184,7 @@
        afuncs->match = NULL;
        afuncs->translate = NULL;
        afuncs->inspect = NULL;
-       pserialize_perform(npf->qsbr);
+       npf_ebr_full_sync(npf->ebr);
 
        /* Finally, unregister the ALG. */
        npf_ruleset_freealg(npf_config_natset(npf), alg);
@@ -210,13 +209,14 @@
 bool
 npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di)
 {
-       npf_algset_t *aset = npc->npc_ctx->algset;
+       npf_t *npf = npc->npc_ctx;
+       npf_algset_t *aset = npf->algset;
        bool match = false;
        int s;
 
        KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
 
-       s = pserialize_read_enter();
+       s = npf_ebr_enter(npf->ebr);
        for (unsigned i = 0; i < aset->alg_count; i++) {
                const npfa_funcs_t *f = &aset->alg_funcs[i];
 
@@ -225,7 +225,7 @@
                        break;
                }
        }
-       pserialize_read_exit(s);
+       npf_ebr_exit(npf->ebr, s);
        return match;
 }
 
@@ -243,12 +243,13 @@
 void
 npf_alg_exec(npf_cache_t *npc, npf_nat_t *nt, bool forw)
 {
-       npf_algset_t *aset = npc->npc_ctx->algset;
+       npf_t *npf = npc->npc_ctx;
+       npf_algset_t *aset = npf->algset;
        int s;
 
        KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
 
-       s = pserialize_read_enter();
+       s = npf_ebr_enter(npf->ebr);
        for (unsigned i = 0; i < aset->alg_count; i++) {
                const npfa_funcs_t *f = &aset->alg_funcs[i];
 
@@ -256,11 +257,11 @@
                        f->translate(npc, nt, forw);
                }
        }
-       pserialize_read_exit(s);
+       npf_ebr_exit(npf->ebr, s);
 }
 
 /*
- * npf_alg_conn: query ALGs giving which may perform a custom state lookup.
+ * npf_alg_conn: query ALGs which may perform a custom state lookup.
  *
  *     The purpose of ALG connection inspection function is to provide
  *     ALGs with a mechanism to override the regular connection state
@@ -279,11 +280,12 @@
 npf_conn_t *
 npf_alg_conn(npf_cache_t *npc, int di)
 {
-       npf_algset_t *aset = npc->npc_ctx->algset;
+       npf_t *npf = npc->npc_ctx;
+       npf_algset_t *aset = npf->algset;
        npf_conn_t *con = NULL;
        int s;
 
-       s = pserialize_read_enter();
+       s = npf_ebr_enter(npf->ebr);
        for (unsigned i = 0; i < aset->alg_count; i++) {
                const npfa_funcs_t *f = &aset->alg_funcs[i];
 
@@ -292,7 +294,7 @@
                if ((con = f->inspect(npc, di)) != NULL)
                        break;
        }
-       pserialize_read_exit(s);
+       npf_ebr_exit(npf->ebr, s);
        return con;
 }
 
diff -r f286360efa08 -r 5b64750e81c0 sys/net/npf/npf_conf.c
--- a/sys/net/npf/npf_conf.c    Sun Aug 25 07:10:30 2019 +0000
+++ b/sys/net/npf/npf_conf.c    Sun Aug 25 13:21:03 2019 +0000
@@ -47,53 +47,57 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.14 2019/08/11 20:26:33 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.15 2019/08/25 13:21:03 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
 
 #include <sys/atomic.h>
 #include <sys/kmem.h>
-#include <sys/pserialize.h>
 #include <sys/mutex.h>
 #endif
 
 #include "npf_impl.h"
 #include "npf_conn.h"
 
-struct npf_config {
-       npf_ruleset_t *         n_rules;
-       npf_tableset_t *        n_tables;
-       npf_ruleset_t *         n_nat_rules;
-       npf_rprocset_t *        n_rprocs;
-       bool                    n_default_pass;
-};
-
 void
 npf_config_init(npf_t *npf)
 {
-       npf_ruleset_t *rlset, *nset;
-       npf_rprocset_t *rpset;
-       npf_tableset_t *tset;
+       npf_config_t *nc;
 
        mutex_init(&npf->config_lock, MUTEX_DEFAULT, IPL_SOFTNET);
+       nc = npf_config_create();
 
-       /* Load the empty configuration. */
-       tset = npf_tableset_create(0);
-       rpset = npf_rprocset_create();
-       rlset = npf_ruleset_create(0);
-       nset = npf_ruleset_create(0);
-       npf_config_load(npf, rlset, tset, nset, rpset, NULL, true);
+       /*
+        * Load an empty configuration.
+        */
+       nc->ruleset = npf_ruleset_create(0);
+       nc->nat_ruleset = npf_ruleset_create(0);
+       nc->rule_procs = npf_rprocset_create();
+       nc->tableset = npf_tableset_create(0);
+       nc->default_pass = true;
+
+       npf_config_load(npf, nc, NULL, true);
        KASSERT(npf->config != NULL);
 }
 
-static void
+npf_config_t *
+npf_config_create(void)
+{
+       return kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
+}
+
+void
 npf_config_destroy(npf_config_t *nc)
 {
-       npf_ruleset_destroy(nc->n_rules);
-       npf_ruleset_destroy(nc->n_nat_rules);
-       npf_rprocset_destroy(nc->n_rprocs);
-       npf_tableset_destroy(nc->n_tables);
+       /*
+        * Note: the rulesets must be destroyed first, in order to drop
+        * any references to the tableset.
+        */
+       npf_ruleset_destroy(nc->ruleset);
+       npf_ruleset_destroy(nc->nat_ruleset);
+       npf_rprocset_destroy(nc->rule_procs);
+       npf_tableset_destroy(nc->tableset);
        kmem_free(nc, sizeof(npf_config_t));
 }
 
@@ -105,7 +109,7 @@
        /* Flush the connections. */
        mutex_enter(&npf->config_lock);
        npf_conn_tracking(npf, false);
-       pserialize_perform(npf->qsbr);
+       npf_ebr_full_sync(npf->ebr);
        npf_conn_load(npf, cd, false);
        npf_ifmap_flush(npf);
        mutex_exit(&npf->config_lock);
@@ -119,19 +123,12 @@
  * Performs the necessary synchronisation and destroys the old config.
  */
 void
-npf_config_load(npf_t *npf, npf_ruleset_t *rset, npf_tableset_t *tset,
-    npf_ruleset_t *nset, npf_rprocset_t *rpset,
-    npf_conndb_t *conns, bool flush)
+npf_config_load(npf_t *npf, npf_config_t *nc, npf_conndb_t *conns, bool flush)
 {
        const bool load = conns != NULL;
-       npf_config_t *nc, *onc;
+       npf_config_t *onc;
 
-       nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
-       nc->n_rules = rset;
-       nc->n_tables = tset;
-       nc->n_nat_rules = nset;
-       nc->n_rprocs = rpset;
-       nc->n_default_pass = flush;
+       nc->default_pass = flush;
 
        /*
         * Acquire the lock and perform the first phase:
@@ -140,9 +137,9 @@
         */
        mutex_enter(&npf->config_lock);
        if ((onc = npf->config) != NULL) {
-               npf_ruleset_reload(npf, rset, onc->n_rules, load);
-               npf_tableset_reload(npf, tset, onc->n_tables);
-               npf_ruleset_reload(npf, nset, onc->n_nat_rules, load);
+               npf_ruleset_reload(npf, nc->ruleset, onc->ruleset, load);
+               npf_tableset_reload(npf, nc->tableset, onc->tableset);
+               npf_ruleset_reload(npf, nc->nat_ruleset, onc->nat_ruleset, load);
        }
 
        /*
@@ -167,7 +164,7 @@
        }
 
        /* Synchronise: drain all references. */
-       pserialize_perform(npf->qsbr);
+       npf_ebr_full_sync(npf->ebr);
        if (flush) {
                npf_portmap_flush(npf->portmap);
                npf_ifmap_flush(npf);
@@ -191,10 +188,11 @@
  * Writer-side exclusive locking.
  */
 
-void
+npf_config_t *



Home | Main Index | Thread Index | Old Index