Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src Major NPF improvements (merge from upstream):



details:   https://anonhg.NetBSD.org/src/rev/892d0570fd88
branches:  trunk
changeset: 1010604:892d0570fd88
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sat May 30 14:16:56 2020 +0000

description:
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
  settings.  Users can now choose whether the connection state should be
  strictly per-interface or global at the configuration level.  Keep NAT
  logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
  more parameters.  Remove npf_nvlist_{copyin,copyout}() functions and
  refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
  a single entry point for operations.  Introduce npf_flow_t and clean up
  some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
  more informative; misc usability improvements and more user-friendly
  error messages.

- Amend and improve the manual pages.

diffstat:

 lib/libnpf/libnpf.3                              |   16 +-
 lib/libnpf/npf.c                                 |  405 +++++++++---
 lib/libnpf/npf.h                                 |    3 +-
 sys/net/npf/files.npf                            |    3 +-
 sys/net/npf/npf.c                                |   34 +-
 sys/net/npf/npf.h                                |   17 +-
 sys/net/npf/npf_alg.c                            |  103 ++-
 sys/net/npf/npf_alg_icmp.c                       |   21 +-
 sys/net/npf/npf_conf.c                           |   48 +-
 sys/net/npf/npf_conn.c                           |  337 ++++++----
 sys/net/npf/npf_conn.h                           |   37 +-
 sys/net/npf/npf_conndb.c                         |   96 ++-
 sys/net/npf/npf_connkey.c                        |  226 +++++-
 sys/net/npf/npf_ctl.c                            |  504 ++++++---------
 sys/net/npf/npf_ext_log.c                        |   45 +-
 sys/net/npf/npf_ext_normalize.c                  |   46 +-
 sys/net/npf/npf_ext_rndblock.c                   |   55 +-
 sys/net/npf/npf_handler.c                        |   47 +-
 sys/net/npf/npf_if.c                             |   21 +-
 sys/net/npf/npf_ifaddr.c                         |    6 +-
 sys/net/npf/npf_impl.h                           |   68 +-
 sys/net/npf/npf_inet.c                           |    8 +-
 sys/net/npf/npf_mbuf.c                           |   37 +-
 sys/net/npf/npf_nat.c                            |  249 ++++++--
 sys/net/npf/npf_os.c                             |   91 +-
 sys/net/npf/npf_params.c                         |   53 +-
 sys/net/npf/npf_portmap.c                        |   28 +-
 sys/net/npf/npf_rproc.c                          |   19 +-
 sys/net/npf/npf_ruleset.c                        |   84 +-
 sys/net/npf/npf_sendpkt.c                        |    4 +-
 sys/net/npf/npf_state.c                          |   22 +-
 sys/net/npf/npf_state_tcp.c                      |   15 +-
 sys/net/npf/npf_tableset.c                       |   18 +-
 sys/net/npf/npf_worker.c                         |  316 ++++++---
 sys/net/npf/npfkern.h                            |   42 +-
 usr.sbin/npf/npf-params.7                        |   54 +-
 usr.sbin/npf/npfctl/Makefile                     |    6 +-
 usr.sbin/npf/npfctl/npf.conf.5                   |   54 +-
 usr.sbin/npf/npfctl/npf_bpf_comp.c               |  150 +++-
 usr.sbin/npf/npfctl/npf_build.c                  |  269 +++++---
 usr.sbin/npf/npfctl/npf_cmd.c                    |  540 +++++++++++++++++
 usr.sbin/npf/npfctl/npf_parse.y                  |  131 ++-
 usr.sbin/npf/npfctl/npf_scan.l                   |    8 +-
 usr.sbin/npf/npfctl/npf_show.c                   |  396 ++++++++----
 usr.sbin/npf/npfctl/npf_var.c                    |  120 +--
 usr.sbin/npf/npfctl/npf_var.h                    |   12 +-
 usr.sbin/npf/npfctl/npfctl.8                     |   38 +-
 usr.sbin/npf/npfctl/npfctl.c                     |  705 +++++-----------------
 usr.sbin/npf/npfctl/npfctl.h                     |   38 +-
 usr.sbin/npf/npftest/libnpftest/Makefile         |    4 +-
 usr.sbin/npf/npftest/libnpftest/npf_conn_test.c  |  173 -----
 usr.sbin/npf/npftest/libnpftest/npf_gc_test.c    |  267 ++++++++
 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c  |    6 +-
 usr.sbin/npf/npftest/libnpftest/npf_nat_test.c   |    9 +-
 usr.sbin/npf/npftest/libnpftest/npf_state_test.c |    3 +-
 usr.sbin/npf/npftest/libnpftest/npf_test.h       |    8 +-
 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c  |   52 +-
 usr.sbin/npf/npftest/npftest.c                   |   10 +-
 usr.sbin/npf/npftest/npftest.conf                |    5 +-
 usr.sbin/npf/npftest/npftest.h                   |    6 +-
 60 files changed, 3771 insertions(+), 2417 deletions(-)

diffs (truncated from 11286 to 300 lines):

diff -r d79b7f81fd93 -r 892d0570fd88 lib/libnpf/libnpf.3
--- a/lib/libnpf/libnpf.3       Sat May 30 14:15:43 2020 +0000
+++ b/lib/libnpf/libnpf.3       Sat May 30 14:16:56 2020 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: libnpf.3,v 1.11 2019/09/30 00:37:11 rmind Exp $
+.\"    $NetBSD: libnpf.3,v 1.12 2020/05/30 14:16:56 rmind Exp $
 .\"
 .\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 25, 2019
+.Dd May 30, 2020
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -187,13 +187,12 @@
 .It Dv NPF_RULE_STATEFUL
 Create a state (session) on match, track the connection and pass the
 backwards stream (the returning packets) without the ruleset inspection.
-The state is uniquely identified by a 5-tuple (source and destination
-IP addresses, port numbers and an interface identifier).
+The state is uniquely identified by an n-tuple key.
 .It Dv NPF_RULE_GSTATEFUL
-Exclude the interface identifier from the state key i.e. use a 4-tuple.
+Exclude the interface identifier from the state key (n-tuple).
 This makes the state global with respect to the network interfaces.
-The state is also picked for packets travelling different direction than
-originally.
+The state is also picked for packets travelling in different direction
+than originally.
 .It Dv NPF_RULE_RETRST
 Return TCP RST packet in a case of packet block.
 .It Dv NPF_RULE_RETICMP
@@ -281,7 +280,8 @@
 is
 .Dv NULL ,
 then insert into the main ruleset.
-The rule must not be referenced after insertion.
+The rule will be consumed (the relevant resourced will be freed) and it
+must not be referenced after insertion.
 .\" ---
 .It Fn npf_rule_exists_p "ncf" "name"
 Check whether the rule with a given name is already in the configuration.
diff -r d79b7f81fd93 -r 892d0570fd88 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c  Sat May 30 14:15:43 2020 +0000
+++ b/lib/libnpf/npf.c  Sat May 30 14:16:56 2020 +0000
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2020 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -28,11 +28,14 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.48 2019/09/30 00:37:11 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.49 2020/05/30 14:16:56 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
+#if !defined(_NPF_STANDALONE)
+#include <sys/ioctl.h>
+#endif
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <net/if.h>
@@ -227,6 +230,94 @@
 }
 
 /*
+ * npf_xfer_fd: transfer the given request and receive a response.
+ *
+ * => Sets the 'operation' key on the 'req' dictionary.
+ * => On success: returns 0 and valid nvlist in 'resp'.
+ * => On failure: returns an error number.
+ */
+static int
+_npf_xfer_fd(int fd, unsigned long cmd, nvlist_t *req, nvlist_t **resp)
+{
+       struct stat st;
+       int kernver;
+
+       /*
+        * Set the NPF version and operation.
+        */
+       if (!nvlist_exists(req, "version")) {
+               nvlist_add_number(req, "version", NPF_VERSION);
+       }
+       nvlist_add_number(req, "operation", cmd);
+
+       /*
+        * Determine the type of file descriptor:
+        * - If socket, then perform nvlist_send()/nvlist_recv().
+        * - If a character device, then use ioctl.
+        */
+       if (fstat(fd, &st) == -1) {
+               goto err;
+       }
+       switch (st.st_mode & S_IFMT) {
+#if !defined(__NetBSD__)
+       case S_IFSOCK:
+               if (nvlist_send(fd, req) == -1) {
+                       goto err;
+               }
+               if (resp && (*resp = nvlist_recv(fd, 0)) == NULL) {
+                       goto err;
+               }
+               break;
+#endif
+#if !defined(_NPF_STANDALONE)
+       case S_IFBLK:
+       case S_IFCHR:
+               if (ioctl(fd, IOC_NPF_VERSION, &kernver) == -1) {
+                       goto err;
+               }
+               if (kernver != NPF_VERSION) {
+                       errno = EPROGMISMATCH;
+                       goto err;
+               }
+               if (nvlist_xfer_ioctl(fd, cmd, req, resp) == -1) {
+                       goto err;
+               }
+               break;
+#else
+               (void)kernver;
+#endif
+       default:
+               errno = ENOTSUP;
+               goto err;
+       }
+       return 0;
+err:
+       return errno ? errno : EIO;
+}
+
+/*
+ * npf_xfer_fd_errno: same as npf_xfer_fd(), but:
+ *
+ * => After successful retrieval of the response, inspects it, extracts
+ *    the 'errno' value (if any) and returns it.
+ * => Destroys the response.
+ */
+static int
+_npf_xfer_fd_errno(int fd, unsigned long cmd, nvlist_t *req)
+{
+       nvlist_t *resp;
+       int error;
+
+       error = _npf_xfer_fd(fd, cmd, req, &resp);
+       if (error) {
+               return error;
+       }
+       error = _npf_extract_error(resp, NULL);
+       nvlist_destroy(resp);
+       return error;
+}
+
+/*
  * CONFIGURATION INTERFACE.
  */
 
@@ -247,18 +338,18 @@
 int
 npf_config_submit(nl_config_t *ncf, int fd, npf_error_t *errinfo)
 {
-       nvlist_t *errnv = NULL;
+       nvlist_t *resp = NULL;
        int error;
 
        /* Ensure the config is built. */
        (void)npf_config_build(ncf);
 
-       if (nvlist_xfer_ioctl(fd, IOC_NPF_LOAD, ncf->ncf_dict, &errnv) == -1) {
-               assert(errnv == NULL);
-               return errno;
+       error = _npf_xfer_fd(fd, IOC_NPF_LOAD, ncf->ncf_dict, &resp);
+       if (error) {
+               return error;
        }
-       error = _npf_extract_error(errnv, errinfo);
-       nvlist_destroy(errnv);
+       error = _npf_extract_error(resp, errinfo);
+       nvlist_destroy(resp);
        return error;
 }
 
@@ -266,15 +357,24 @@
 npf_config_retrieve(int fd)
 {
        nl_config_t *ncf;
+       nvlist_t *req, *resp = NULL;
+       int error;
 
        ncf = calloc(1, sizeof(nl_config_t));
        if (!ncf) {
                return NULL;
        }
-       if (nvlist_recv_ioctl(fd, IOC_NPF_SAVE, &ncf->ncf_dict) == -1) {
+
+       req = nvlist_create(0);
+       error = _npf_xfer_fd(fd, IOC_NPF_SAVE, req, &resp);
+       nvlist_destroy(req);
+
+       if (error || _npf_extract_error(resp, NULL) != 0) {
+               nvlist_destroy(resp);
                free(ncf);
                return NULL;
        }
+       ncf->ncf_dict = resp;
        return ncf;
 }
 
@@ -332,7 +432,7 @@
        return nvlist_exists_nvlist_array(ncf->ncf_dict, "rules");
 }
 
-void *
+const void *
 npf_config_build(nl_config_t *ncf)
 {
        _npf_rules_process(ncf, ncf->ncf_dict, "__rules");
@@ -397,6 +497,43 @@
        return 0;
 }
 
+const char *
+npf_param_iterate(nl_config_t *ncf, nl_iter_t *iter, int *val, int *defval)
+{
+       void *cookie = (void *)(intptr_t)*iter;
+       const nvlist_t *params, *dparams;
+       const char *name;
+       int type;
+
+       assert(sizeof(nl_iter_t) >= sizeof(void *));
+
+       params = dnvlist_get_nvlist(ncf->ncf_dict, "params", NULL);
+       if (params == NULL) {
+               return NULL;
+       }
+skip:
+       if ((name = nvlist_next(params, &type, &cookie)) == NULL) {
+               *iter = NPF_ITER_BEGIN;
+               return NULL;
+       }
+       if (type != NV_TYPE_NUMBER) {
+               goto skip; // should never happen, though
+       }
+       if (defval) {
+               dparams = dnvlist_get_nvlist(ncf->ncf_dict,
+                   "params-defaults", NULL);
+               if (dparams == NULL) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+               *defval = (int)nvlist_get_number(dparams, name);
+       }
+
+       *val = (int)nvlist_get_number(params, name);
+       *iter = (intptr_t)cookie;
+       return name;
+}
+
 /*
  * DYNAMIC RULESET INTERFACE.
  */
@@ -412,24 +549,26 @@
 npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uint64_t *id)
 {
        const bool natset = _npf_nat_ruleset_p(rname);
-       nvlist_t *rule_dict = rl->rule_dict;
-       nvlist_t *ret_dict;
+       nvlist_t *rule_nvl = rl->rule_dict, *resp;
+       int error;
 
-       nvlist_add_number(rule_dict, "attr",
-           NPF_RULE_DYNAMIC | nvlist_take_number(rule_dict, "attr"));
+       nvlist_add_number(rule_nvl, "attr",
+           NPF_RULE_DYNAMIC | nvlist_take_number(rule_nvl, "attr"));
 
-       if (natset && !dnvlist_get_bool(rule_dict, "nat-rule", false)) {
+       if (natset && !dnvlist_get_bool(rule_nvl, "nat-rule", false)) {
                errno = EINVAL;
                return errno;
        }
-       nvlist_add_string(rule_dict, "ruleset-name", rname);
-       nvlist_add_bool(rule_dict, "nat-ruleset", natset);
-       nvlist_add_number(rule_dict, "command", NPF_CMD_RULE_ADD);
+       nvlist_add_string(rule_nvl, "ruleset-name", rname);
+       nvlist_add_bool(rule_nvl, "nat-ruleset", natset);
+       nvlist_add_number(rule_nvl, "command", NPF_CMD_RULE_ADD);
 
-       if (nvlist_xfer_ioctl(fd, IOC_NPF_RULE, rule_dict, &ret_dict) == -1) {
-               return errno;
+       error = _npf_xfer_fd(fd, IOC_NPF_RULE, rule_nvl, &resp);



Home | Main Index | Thread Index | Old Index