[src/trunk]: src libnpf/npfctl: support dynamic NAT rulesets using a name pre...
details: https://anonhg.NetBSD.org/src/rev/9f7a9e010ffb
branches: trunk
changeset: 1003777:9f7a9e010ffb
user: rmind <rmind%NetBSD.org@localhost>
date: Mon Sep 30 00:37:11 2019 +0000
description:
libnpf/npfctl: support dynamic NAT rulesets using a name prefix.
diffstat:
lib/libnpf/libnpf.3 | 53 ++++++++++++++++++++++++++++++++++++--
lib/libnpf/npf.c | 30 +++++++++++++++++++++-
lib/libnpf/npf.h | 6 ++++
sys/net/npf/npf_ctl.c | 8 ++--
usr.sbin/npf/npfctl/npf.conf.5 | 15 ++++++++--
usr.sbin/npf/npfctl/npf_build.c | 49 ++++++++++++++++++++++++++++-------
usr.sbin/npf/npfctl/npf_parse.y | 28 +++++++++++--------
usr.sbin/npf/npfctl/npf_scan.l | 27 ++++++++++++++++--
usr.sbin/npf/npfctl/npfctl.c | 41 +++++++++++++++++++-----------
usr.sbin/npf/npfctl/npfctl.h | 9 +++++-
usr.sbin/npf/npftest/npftest.conf | 4 +-
11 files changed, 213 insertions(+), 57 deletions(-)
diffs (truncated from 694 to 300 lines):
diff -r 04b900469cce -r 9f7a9e010ffb lib/libnpf/libnpf.3
--- a/lib/libnpf/libnpf.3 Mon Sep 30 00:06:02 2019 +0000
+++ b/lib/libnpf/libnpf.3 Mon Sep 30 00:37:11 2019 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: libnpf.3,v 1.10 2019/08/21 21:45:47 rmind Exp $
+.\" $NetBSD: libnpf.3,v 1.11 2019/09/30 00:37:11 rmind Exp $
.\"
.\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd August 21, 2019
+.Dd August 25, 2019
.Dt LIBNPF 3
.Os
.Sh NAME
@@ -108,6 +108,15 @@
.Fn npf_table_replace "int fd" "nl_table_t *tl" "npf_error_t *errinfo"
.Ft void
.Fn npf_table_destroy "nl_table_t *tl"
+.\" ---
+.Ft int
+.Fn npf_ruleset_add "int fd" "const char *name" "nl_rule_t *rl" "uint64_t *id"
+.Ft int
+.Fn npf_ruleset_remove "int fd" "const char *name" "uint64_t id"
+.Ft int
+.Fn npf_ruleset_remkey "int fd" "const char *name" "const void *key" "size_t len"
+.Ft int
+.Fn npf_ruleset_flush "int fd" "const char *name"
.\" -----
.Sh DESCRIPTION
The
@@ -352,7 +361,9 @@
may be specified to indicate the translation network;
otherwise, it should be set to
.Dv NPF_NO_NETMASK .
-In such case, a custom algorithm may need to be specified using the
+.Pp
+In order to use the translation network, a custom algorithm may need to
+be specified using the
.Fn npf_nat_setalgo
function.
.\" ---
@@ -368,6 +379,9 @@
Hash of the source and destination addresses.
.It Dv NPF_ALGO_RR
Round-robin for the translation addresses.
+.It Dv NPF_ALGO_NETMAP
+Network-to-network map as described below, but with state tracking.
+It is used when it is necessary to translate the ports.
.El
.Pp
The following are support with static NAT:
@@ -450,6 +464,39 @@
Destroy the specified table.
.El
.\" -----
+.Ss Ruleset interface
+.Bl -tag -width 4n
+.It Fn npf_ruleset_add "fd" "name" "rl" "id"
+Add a given rule, specified by
+.Fa rl ,
+into the dynamic ruleset named
+.Fa name .
+On success, return 0 and a unique rule ID in the
+.Fa id
+parameter.
+.It Fn npf_ruleset_remove "fd" "name" "id"
+Remove a rule from the dynamic ruleset, specified by
+.Fa name .
+The rule is specified by its unique ID in the
+.Fa id
+parameter.
+.It Fn npf_ruleset_remkey "fd" "name" "key" "len"
+Remove a rule from the dynamic ruleset, specified by
+.Fa name .
+The rule is specified by its key, in the
+.Fa key
+and
+.Fa len
+parameters.
+The key for the rule must have been set during its construction, using the
+.Fn npf_rule_setkey
+routine.
+.It Fn npf_ruleset_flush "fd" "name"
+Clear the dynamic ruleset, specified by
+.Fa name ,
+by removing all its rules.
+.El
+.\" -----
.Sh SEE ALSO
.Xr bpf 4 ,
.Xr npf 7 ,
diff -r 04b900469cce -r 9f7a9e010ffb lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Mon Sep 30 00:06:02 2019 +0000
+++ b/lib/libnpf/npf.c Mon Sep 30 00:37:11 2019 +0000
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.47 2019/08/21 21:45:47 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.48 2019/09/30 00:37:11 rmind Exp $");
#include <sys/types.h>
#include <sys/mman.h>
@@ -401,14 +401,31 @@
* DYNAMIC RULESET INTERFACE.
*/
+static inline bool
+_npf_nat_ruleset_p(const char *name)
+{
+ return strncmp(name, NPF_RULESET_MAP_PREF,
+ sizeof(NPF_RULESET_MAP_PREF) - 1) == 0;
+}
+
int
npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uint64_t *id)
{
+ const bool natset = _npf_nat_ruleset_p(rname);
nvlist_t *rule_dict = rl->rule_dict;
nvlist_t *ret_dict;
+ nvlist_add_number(rule_dict, "attr",
+ NPF_RULE_DYNAMIC | nvlist_take_number(rule_dict, "attr"));
+
+ if (natset && !dnvlist_get_bool(rule_dict, "nat-rule", false)) {
+ errno = EINVAL;
+ return errno;
+ }
nvlist_add_string(rule_dict, "ruleset-name", rname);
+ nvlist_add_bool(rule_dict, "nat-ruleset", natset);
nvlist_add_number(rule_dict, "command", NPF_CMD_RULE_ADD);
+
if (nvlist_xfer_ioctl(fd, IOC_NPF_RULE, rule_dict, &ret_dict) == -1) {
return errno;
}
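Review bot: The rule's "attr" is rewritten (nvlist_take_number/nvlist_add_number with NPF_RULE_DYNAMIC) before the natset guard runs, so a rule rejected with EINVAL is handed back to the caller with its dictionary already mutated; moving the `if (natset && !dnvlist_get_bool(rule_dict, "nat-rule", false))` block above the attr update leaves the caller's nl_rule_t untouched on failure. `errno = EINVAL; return errno;` matches the other error paths in this function, but the guard deserves a why-comment, e.g. `/* a NPF_RULESET_MAP_PREF ruleset may only hold NAT rules */`. The "nat-rule" key is presumably set when the rule is constructed as a NAT policy elsewhere in this file; worth confirming. The body of npf_ruleset_add continues past the end of the hunk.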
@@ -419,11 +436,14 @@
int
npf_ruleset_remove(int fd, const char *rname, uint64_t id)
{
+ const bool natset = _npf_nat_ruleset_p(rname);
nvlist_t *rule_dict = nvlist_create(0);
nvlist_add_string(rule_dict, "ruleset-name", rname);
+ nvlist_add_bool(rule_dict, "nat-ruleset", natset);
nvlist_add_number(rule_dict, "command", NPF_CMD_RULE_REMOVE);
nvlist_add_number(rule_dict, "id", id);
+
if (nvlist_send_ioctl(fd, IOC_NPF_RULE, rule_dict) == -1) {
return errno;
}
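Review bot: The three statements computing natset and adding "ruleset-name", "nat-ruleset" and "command" to a fresh nvlist are now repeated verbatim in npf_ruleset_remove, npf_ruleset_remkey, npf_ruleset_flush and _npf_ruleset_list (the hunks that follow); a small file-scope helper along the lines of `static nvlist_t *_npf_ruleset_req(const char *rname, uint64_t cmd)` that creates the dictionary and sets those three keys would keep the prefix-derived NAT classification in one place. This is a style point only; behaviour of the new code is unchanged.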
@@ -433,11 +453,14 @@
int
npf_ruleset_remkey(int fd, const char *rname, const void *key, size_t len)
{
+ const bool natset = _npf_nat_ruleset_p(rname);
nvlist_t *rule_dict = nvlist_create(0);
nvlist_add_string(rule_dict, "ruleset-name", rname);
+ nvlist_add_bool(rule_dict, "nat-ruleset", natset);
nvlist_add_number(rule_dict, "command", NPF_CMD_RULE_REMKEY);
nvlist_add_binary(rule_dict, "key", key, len);
+
if (nvlist_send_ioctl(fd, IOC_NPF_RULE, rule_dict) == -1) {
return errno;
}
@@ -447,10 +470,13 @@
int
npf_ruleset_flush(int fd, const char *rname)
{
+ const bool natset = _npf_nat_ruleset_p(rname);
nvlist_t *rule_dict = nvlist_create(0);
nvlist_add_string(rule_dict, "ruleset-name", rname);
+ nvlist_add_bool(rule_dict, "nat-ruleset", natset);
nvlist_add_number(rule_dict, "command", NPF_CMD_RULE_FLUSH);
+
if (nvlist_send_ioctl(fd, IOC_NPF_RULE, rule_dict) == -1) {
return errno;
}
@@ -678,10 +704,12 @@
int
_npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf)
{
+ const bool natset = _npf_nat_ruleset_p(rname);
nvlist_t *req, *ret;
req = nvlist_create(0);
nvlist_add_string(req, "ruleset-name", rname);
+ nvlist_add_bool(req, "nat-ruleset", natset);
nvlist_add_number(req, "command", NPF_CMD_RULE_LIST);
if (nvlist_xfer_ioctl(fd, IOC_NPF_RULE, req, &ret) == -1) {
diff -r 04b900469cce -r 9f7a9e010ffb lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Mon Sep 30 00:06:02 2019 +0000
+++ b/lib/libnpf/npf.h Mon Sep 30 00:37:11 2019 +0000
@@ -56,6 +56,12 @@
typedef signed long nl_iter_t;
/*
+ * Ruleset prefix(es).
+ */
+
+#define NPF_RULESET_MAP_PREF "map:"
+
+/*
* Extensions API types.
*/
typedef int (*npfext_initfunc_t)(void);
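Review bot: The comment above NPF_RULESET_MAP_PREF ("Ruleset prefix(es).") does not say what the prefix means, although it now decides whether libnpf marks a ruleset as a NAT ruleset and refuses non-NAT rules in it; suggest `/* Rulesets whose name starts with this prefix hold NAT (map) rules only. */` in its place. Pointing at the check in npf.c (_npf_nat_ruleset_p) would also help readers of the header, since the string is part of the public API and callers of npf_ruleset_add must pick names accordingly.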
diff -r 04b900469cce -r 9f7a9e010ffb sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Mon Sep 30 00:06:02 2019 +0000
+++ b/sys/net/npf/npf_ctl.c Mon Sep 30 00:37:11 2019 +0000
@@ -36,7 +36,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.58 2019/08/25 17:38:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.59 2019/09/30 00:37:11 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -196,7 +196,7 @@
goto out;
}
- t = npf_table_create(name, (u_int)tid, type, blob, size);
+ t = npf_table_create(name, (unsigned)tid, type, blob, size);
if (t == NULL) {
NPF_ERR_DEBUG(errdict);
error = ENOMEM;
@@ -473,7 +473,7 @@
KASSERT(rl != NULL);
*rlp = rl;
- /* If rule is named, it is a group with NAT policies. */
+ /* If this rule is named, then it is a group with NAT policies. */
if (dnvlist_get_string(nat, "name", NULL)) {
return 0;
}
@@ -816,7 +816,7 @@
return error;
}
rcmd = dnvlist_get_number(npf_rule, "command", 0);
- natset = dnvlist_get_bool(npf_rule, "nat-rule", false);
+ natset = dnvlist_get_bool(npf_rule, "nat-ruleset", false);
ruleset_name = dnvlist_get_string(npf_rule, "ruleset-name", NULL);
if (!ruleset_name) {
error = EINVAL;
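Review bot: At the natset assignment the kernel now takes the "nat-ruleset" flag straight from the userland dictionary, while the classification itself is derived in libnpf from the "map:" name prefix, and only libnpf's npf_ruleset_add rejects a non-NAT rule destined for a NAT ruleset; nothing in this hunk re-checks, at the ioctl boundary, that the rule's own "nat-rule" flag agrees with "nat-ruleset", so a caller bypassing libnpf could place a non-NAT rule into a NAT ruleset. If the rest of this function (it continues outside the hunk) does not already do so, the NPF_CMD_RULE_ADD path should reject with EINVAL, as the missing ruleset-name case just below does, when `natset != dnvlist_get_bool(npf_rule, "nat-rule", false)`; the remove/flush commands carry no rule and need no such check. A short comment that natset selects the NAT ruleset rather than describing the rule would also help now that the key has been renamed.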
diff -r 04b900469cce -r 9f7a9e010ffb usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Mon Sep 30 00:06:02 2019 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Mon Sep 30 00:37:11 2019 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.88 2019/07/23 14:20:22 wiz Exp $
+.\" $NetBSD: npf.conf.5,v 1.89 2019/09/30 00:37:11 rmind Exp $
.\"
.\" Copyright (c) 2009-2019 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd May 19, 2019
+.Dd August 25, 2019
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -356,6 +356,11 @@
.Pp
.Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
.Pp
+In the regular dynamic NAT case, it is also possible to disable port
+translation using the
+.Cm no-ports
+flag.
+.Pp
The translation address can also be dynamic, based on the interface.
The following would select the IPv4 address(es) currently assigned to the
interface:
@@ -528,13 +533,15 @@
# Mapping for address translation.
-map = "map" interface
+map = map-common | map-ruleset
+map-common = "map" interface
( "static" [ "algo" map-algo ] | "dynamic" )
[ map-flags ] [ proto ]
map-seg ( "->" | "<-" | "<->" ) map-seg
[ "pass" [ proto ] filt-opts ]
+map-ruleset = "map" "ruleset" group-opts
-map-algo = "npt66"
+map-algo = "ip-hash" | "round-robin" | "netmap" | "npt66"
map-flags = "no-ports"
map-seg = ( addr-mask | interface ) [ port-opts ]
diff -r 04b900469cce -r 9f7a9e010ffb usr.sbin/npf/npfctl/npf_build.c