Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src NPF improvements:



details:   https://anonhg.NetBSD.org/src/rev/61d41ba010e7
branches:  trunk
changeset: 1000329:61d41ba010e7
user:      rmind <rmind%NetBSD.org@localhost>
date:      Tue Jul 23 00:52:01 2019 +0000

description:
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
  userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

diffstat:

 lib/libnpf/libnpf.3                              |   19 +-
 lib/libnpf/npf.c                                 |  120 +++-
 lib/libnpf/npf.h                                 |   89 ++-
 sys/net/npf/files.npf                            |    5 +-
 sys/net/npf/npf.c                                |   25 +-
 sys/net/npf/npf.h                                |    7 +-
 sys/net/npf/npf_alg.c                            |   77 ++-
 sys/net/npf/npf_alg_icmp.c                       |   22 +-
 sys/net/npf/npf_conf.c                           |    3 +-
 sys/net/npf/npf_conn.c                           |  389 +++++-----------
 sys/net/npf/npf_conn.h                           |   90 ++-
 sys/net/npf/npf_conndb.c                         |  118 +++-
 sys/net/npf/npf_connkey.c                        |  274 +++++++++++
 sys/net/npf/npf_ctl.c                            |  170 +++++-
 sys/net/npf/npf_handler.c                        |    6 +-
 sys/net/npf/npf_impl.h                           |   70 ++-
 sys/net/npf/npf_inet.c                           |   22 +-
 sys/net/npf/npf_nat.c                            |  347 ++++-----------
 sys/net/npf/npf_os.c                             |   15 +-
 sys/net/npf/npf_params.c                         |  202 ++++++++
 sys/net/npf/npf_portmap.c                        |  528 +++++++++++++++++++++++
 sys/net/npf/npf_rproc.c                          |    2 +-
 sys/net/npf/npf_ruleset.c                        |   41 +-
 sys/net/npf/npf_state.c                          |   70 ++-
 sys/net/npf/npf_state_tcp.c                      |  164 +++++-
 sys/net/npf/npf_tableset.c                       |   37 +-
 sys/net/npf/npfkern.h                            |   10 +
 sys/rump/net/lib/libnpf/Makefile                 |    5 +-
 usr.sbin/npf/npf-params.7                        |  130 +++++
 usr.sbin/npf/npfctl/npf.conf.5                   |   32 +-
 usr.sbin/npf/npfctl/npf_bpf_comp.c               |    2 +-
 usr.sbin/npf/npfctl/npf_build.c                  |   98 +++-
 usr.sbin/npf/npfctl/npf_parse.y                  |   33 +-
 usr.sbin/npf/npfctl/npf_scan.l                   |    8 +-
 usr.sbin/npf/npfctl/npf_show.c                   |   38 +-
 usr.sbin/npf/npfctl/npfctl.c                     |   38 +-
 usr.sbin/npf/npfctl/npfctl.h                     |    2 +
 usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c   |   55 +-
 usr.sbin/npf/npftest/libnpftest/npf_conn_test.c  |   39 +-
 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c  |   74 +++
 usr.sbin/npf/npftest/libnpftest/npf_nat_test.c   |   55 +-
 usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c  |   41 +-
 usr.sbin/npf/npftest/libnpftest/npf_perf_test.c  |   26 +-
 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c  |  139 +++--
 usr.sbin/npf/npftest/libnpftest/npf_state_test.c |   18 +-
 usr.sbin/npf/npftest/libnpftest/npf_table_test.c |    3 -
 usr.sbin/npf/npftest/libnpftest/npf_test.h       |   10 +
 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c  |    5 +-
 usr.sbin/npf/npftest/npfstream.c                 |    4 +-
 usr.sbin/npf/npftest/npftest.c                   |    4 +-
 usr.sbin/npf/npftest/npftest.conf                |    3 +-
 51 files changed, 2583 insertions(+), 1201 deletions(-)

diffs (truncated from 6430 to 300 lines):

diff -r 3bbee17f9183 -r 61d41ba010e7 lib/libnpf/libnpf.3
--- a/lib/libnpf/libnpf.3       Tue Jul 23 00:49:16 2019 +0000
+++ b/lib/libnpf/libnpf.3       Tue Jul 23 00:52:01 2019 +0000
@@ -1,6 +1,6 @@
-.\"    $NetBSD: libnpf.3,v 1.7 2019/01/19 21:19:31 rmind Exp $
+.\"    $NetBSD: libnpf.3,v 1.8 2019/07/23 00:52:01 rmind Exp $
 .\"
-.\" Copyright (c) 2011-2018 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 29, 2018
+.Dd April 14, 2019
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -95,10 +95,10 @@
 .Ft int
 .Fn npf_nat_setport "nl_nat_t *nt" "in_port_t port"
 .Ft int
-.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri"
+.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt"
 .\" ---
 .Ft nl_table_t *
-.Fn npf_table_create "const char *name" "u_int id" "int type"
+.Fn npf_table_create "const char *name" "unsigned id" "int type"
 .Ft int
 .Fn npf_table_add_entry "nl_table_t *tl" "int af" \
 "const npf_addr_t *addr" "const npf_netmask_t mask"
@@ -178,8 +178,11 @@
 backwards stream (the returning packets) without the ruleset inspection.
 The state is uniquely identified by a 5-tuple (source and destination
 IP addresses, port numbers and an interface identifier).
-.It Dv NPF_RULE_MULTIENDS
+.It Dv NPF_RULE_GSTATEFUL
 Exclude the interface identifier from the state key i.e. use a 4-tuple.
+This makes the state global with the respect network interfaces.
+The state is also picked on packet travelling different direction that
+originally.
 .It Dv NPF_RULE_RETRST
 Return TCP RST packet in a case of packet block.
 .It Dv NPF_RULE_RETICMP
@@ -373,8 +376,8 @@
 IPv6-to-IPv6 Network Prefix Translation (NPTv6, defined in RFC 6296).
 .El
 .\" ---
-.It Fn npf_nat_insert "ncf" "nt" "pri"
-Insert NAT policy, its rule, into the specified configuration.
+.It Fn npf_nat_insert "ncf" "nt"
+Insert the NAT policy, its rule, into the specified configuration.
 The NAT rule must not be referenced after insertion.
 .El
 .\" -----
diff -r 3bbee17f9183 -r 61d41ba010e7 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c  Tue Jul 23 00:49:16 2019 +0000
+++ b/lib/libnpf/npf.c  Tue Jul 23 00:52:01 2019 +0000
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2010-2018 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.45 2019/01/19 21:19:31 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.46 2019/07/23 00:52:01 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -80,16 +80,11 @@
        unsigned        ncf_rule_count;
 
        /* Iterators. */
-       unsigned        ncf_rule_iter;
        unsigned        ncf_reduce[16];
        unsigned        ncf_nlevel;
-       unsigned        ncf_counter;
+
        nl_rule_t       ncf_cur_rule;
-
-       unsigned        ncf_table_iter;
        nl_table_t      ncf_cur_table;
-
-       unsigned        ncf_rproc_iter;
        nl_rproc_t      ncf_cur_rproc;
 };
 
@@ -242,6 +237,8 @@
        if (error && errinfo) {
                memset(errinfo, 0, sizeof(npf_error_t));
                errinfo->id = dnvlist_get_number(errnv, "id", 0);
+               errinfo->error_msg =
+                   dnvlist_take_string(errnv, "error-msg", NULL);
                errinfo->source_file =
                    dnvlist_take_string(errnv, "source-file", NULL);
                errinfo->source_line =
@@ -346,6 +343,47 @@
 }
 
 /*
+ * PARAMETERS.
+ */
+
+int
+npf_param_get(nl_config_t *ncf, const char *name, int *valp)
+{
+       const nvlist_t *params;
+
+       params = dnvlist_get_nvlist(ncf->ncf_dict, "params", NULL);
+       if (params == NULL || !nvlist_exists(params, name)) {
+               return ENOENT;
+       }
+       *valp = (int)dnvlist_get_number(params, name, 0);
+       return 0;
+}
+
+int
+npf_param_set(nl_config_t *ncf, const char *name, int val)
+{
+       nvlist_t *params;
+
+       /* Ensure params dictionary. */
+       if (nvlist_exists(ncf->ncf_dict, "params")) {
+               params = nvlist_take_nvlist(ncf->ncf_dict, "params");
+       } else {
+               params = nvlist_create(0);
+       }
+
+       /*
+        * If the parameter is already set, then free it first.
+        * Set the parameter.  Note: values can be negative.
+        */
+       if (nvlist_exists(params, name)) {
+               nvlist_free_number(params, name);
+       }
+       nvlist_add_number(params, name, (uint64_t)val);
+       nvlist_add_nvlist(ncf->ncf_dict, "params", params);
+       return 0;
+}
+
+/*
  * DYNAMIC RULESET INTERFACE.
  */
 
@@ -539,9 +577,10 @@
 }
 
 static nl_rule_t *
-_npf_rule_iterate1(nl_config_t *ncf, const char *key, unsigned *level)
+_npf_rule_iterate1(nl_config_t *ncf, const char *key,
+    nl_iter_t *iter, unsigned *level)
 {
-       unsigned i = ncf->ncf_rule_iter++;
+       unsigned i = *iter;
        const nvlist_t *rule_dict;
        uint32_t skipto;
 
@@ -549,16 +588,14 @@
                /* Initialise the iterator. */
                ncf->ncf_nlevel = 0;
                ncf->ncf_reduce[0] = 0;
-               ncf->ncf_counter = 0;
        }
 
        rule_dict = _npf_dataset_getelement(ncf->ncf_dict, key, i);
        if (!rule_dict) {
-               /* Reset the iterator. */
-               ncf->ncf_rule_iter = 0;
+               *iter = NPF_ITER_BEGIN;
                return NULL;
        }
-       ncf->ncf_cur_rule.rule_dict = __UNCONST(rule_dict); // XXX
+       *iter = i + 1; // next
        *level = ncf->ncf_nlevel;
 
        skipto = dnvlist_get_number(rule_dict, "skip-to", 0);
@@ -566,17 +603,19 @@
                ncf->ncf_nlevel++;
                ncf->ncf_reduce[ncf->ncf_nlevel] = skipto;
        }
-       if (ncf->ncf_reduce[ncf->ncf_nlevel] == ++ncf->ncf_counter) {
+       if (ncf->ncf_reduce[ncf->ncf_nlevel] == (i + 1)) {
                assert(ncf->ncf_nlevel > 0);
                ncf->ncf_nlevel--;
        }
+
+       ncf->ncf_cur_rule.rule_dict = __UNCONST(rule_dict); // XXX
        return &ncf->ncf_cur_rule;
 }
 
 nl_rule_t *
-npf_rule_iterate(nl_config_t *ncf, unsigned *level)
+npf_rule_iterate(nl_config_t *ncf, nl_iter_t *iter, unsigned *level)
 {
-       return _npf_rule_iterate1(ncf, "rules", level);
+       return _npf_rule_iterate1(ncf, "rules", iter, level);
 }
 
 const char *
@@ -710,17 +749,17 @@
 }
 
 nl_rproc_t *
-npf_rproc_iterate(nl_config_t *ncf)
+npf_rproc_iterate(nl_config_t *ncf, nl_iter_t *iter)
 {
        const nvlist_t *rproc_dict;
-       unsigned i = ncf->ncf_rproc_iter++;
+       unsigned i = *iter;
 
        rproc_dict = _npf_dataset_getelement(ncf->ncf_dict, "rprocs", i);
        if (!rproc_dict) {
-               /* Reset the iterator. */
-               ncf->ncf_rproc_iter = 0;
+               *iter = NPF_ITER_BEGIN;
                return NULL;
        }
+       *iter = i + 1; // next
        ncf->ncf_cur_rproc.rproc_dict = __UNCONST(rproc_dict); // XXX
        return &ncf->ncf_cur_rproc;
 }
@@ -755,13 +794,13 @@
        /* Translation type and flags. */
        nvlist_add_number(rule_dict, "type", type);
        nvlist_add_number(rule_dict, "flags", flags);
+       nvlist_add_bool(rule_dict, "nat-rule", true);
        return (nl_nat_t *)rl;
 }
 
 int
-npf_nat_insert(nl_config_t *ncf, nl_nat_t *nt, int pri __unused)
+npf_nat_insert(nl_config_t *ncf, nl_nat_t *nt)
 {
-       nvlist_add_number(nt->rule_dict, "prio", (uint64_t)NPF_PRI_LAST);
        nvlist_append_nvlist_array(ncf->ncf_dict, "nat", nt->rule_dict);
        nvlist_destroy(nt->rule_dict);
        free(nt);
@@ -769,17 +808,17 @@
 }
 
 nl_nat_t *
-npf_nat_iterate(nl_config_t *ncf)
+npf_nat_iterate(nl_config_t *ncf, nl_iter_t *iter)
 {
        unsigned level;
-       return _npf_rule_iterate1(ncf, "nat", &level);
+       return _npf_rule_iterate1(ncf, "nat", iter, &level);
 }
 
 int
 npf_nat_setaddr(nl_nat_t *nt, int af, npf_addr_t *addr, npf_netmask_t mask)
 {
        /* Translation IP and mask. */
-       if (!_npf_add_addr(nt->rule_dict, "nat-ip", af, addr)) {
+       if (!_npf_add_addr(nt->rule_dict, "nat-addr", af, addr)) {
                return nvlist_error(nt->rule_dict);
        }
        nvlist_add_number(nt->rule_dict, "nat-mask", (uint32_t)mask);
@@ -797,6 +836,9 @@
 int
 npf_nat_settable(nl_nat_t *nt, unsigned tid)
 {
+       /*
+        * Translation table ID; the address/mask will then serve as a filter.
+        */
        nvlist_add_number(nt->rule_dict, "nat-table-id", tid);
        return nvlist_error(nt->rule_dict);
 }
@@ -843,8 +885,8 @@
 {
        const void *data;
 
-       if (nvlist_exists(nt->rule_dict, "nat-ip")) {
-               data = nvlist_get_binary(nt->rule_dict, "nat-ip", alen);
+       if (nvlist_exists(nt->rule_dict, "nat-addr")) {
+               data = nvlist_get_binary(nt->rule_dict, "nat-addr", alen);
                *mask = nvlist_get_number(nt->rule_dict, "nat-mask");
        } else {
                data = NULL;
@@ -892,7 +934,6 @@
 {
        nvlist_t *entry;
 
-       /* Create the table entry. */
        entry = nvlist_create(0);
        if (!entry) {
                return ENOMEM;
@@ -946,7 +987,7 @@
        }
 
        /*
-        * Produce the constant database into a temporary file.



Home | Main Index | Thread Index | Old Index