[src/trunk]: src NPF: rework of the connection saving and restoring:
details: https://anonhg.NetBSD.org/src/rev/b763de1070c3
branches: trunk
changeset: 330821:b763de1070c3
user: rmind <rmind%NetBSD.org@localhost>
date: Wed Jul 23 01:25:34 2014 +0000
description:
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
diffstat:
lib/libnpf/npf.c | 105 +++++-----
lib/libnpf/npf.h | 10 +-
sys/net/npf/npf.c | 21 +-
sys/net/npf/npf.h | 18 +-
sys/net/npf/npf_conf.c | 31 ++-
sys/net/npf/npf_conn.c | 192 +++++++++-----------
sys/net/npf/npf_conn.h | 14 +-
sys/net/npf/npf_conndb.c | 10 +-
sys/net/npf/npf_ctl.c | 225 ++++++++++-------------
sys/net/npf/npf_handler.c | 6 +-
sys/net/npf/npf_impl.h | 23 +-
sys/net/npf/npf_nat.c | 180 ++++++++----------
sys/net/npf/npf_ruleset.c | 57 ++++--
usr.sbin/npf/npfctl/npfctl.8 | 36 +--
usr.sbin/npf/npfctl/npfctl.c | 99 ++++++---
usr.sbin/npf/npfctl/npfctl.h | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c | 4 +-
17 files changed, 512 insertions(+), 523 deletions(-)
diffs (truncated from 1955 to 300 lines):
diff -r 57155d7d14f4 -r b763de1070c3 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Tue Jul 22 23:06:29 2014 +0000
+++ b/lib/libnpf/npf.c Wed Jul 23 01:25:34 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.29 2014/05/19 18:47:19 jakllsch Exp $ */
+/* $NetBSD: npf.c,v 1.30 2014/07/23 01:25:34 rmind Exp $ */
/*-
* Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.29 2014/05/19 18:47:19 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.30 2014/07/23 01:25:34 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -167,7 +167,7 @@
}
if (fd) {
error = prop_dictionary_sendrecv_ioctl(npf_dict, fd,
- IOC_NPF_RELOAD, &ncf->ncf_err);
+ IOC_NPF_LOAD, &ncf->ncf_err);
if (error) {
prop_object_release(npf_dict);
assert(ncf->ncf_err == NULL);
@@ -179,20 +179,13 @@
return error;
}
-nl_config_t *
-npf_config_retrieve(int fd, bool *active, bool *loaded)
+static nl_config_t *
+_npf_config_consdict(prop_dictionary_t npf_dict)
{
- prop_dictionary_t npf_dict;
nl_config_t *ncf;
- int error;
- error = prop_dictionary_recv_ioctl(fd, IOC_NPF_GETCONF, &npf_dict);
- if (error) {
- return NULL;
- }
ncf = calloc(1, sizeof(*ncf));
if (ncf == NULL) {
- prop_object_release(npf_dict);
return NULL;
}
ncf->ncf_dict = npf_dict;
@@ -201,13 +194,61 @@
ncf->ncf_rproc_list = prop_dictionary_get(npf_dict, "rprocs");
ncf->ncf_table_list = prop_dictionary_get(npf_dict, "tables");
ncf->ncf_nat_list = prop_dictionary_get(npf_dict, "translation");
+ return ncf;
+}
+nl_config_t *
+npf_config_retrieve(int fd, bool *active, bool *loaded)
+{
+ prop_dictionary_t npf_dict;
+ nl_config_t *ncf;
+ int error;
+
+ error = prop_dictionary_recv_ioctl(fd, IOC_NPF_SAVE, &npf_dict);
+ if (error) {
+ return NULL;
+ }
+ ncf = _npf_config_consdict(npf_dict);
+ if (ncf == NULL) {
+ prop_object_release(npf_dict);
+ return NULL;
+ }
prop_dictionary_get_bool(npf_dict, "active", active);
*loaded = (ncf->ncf_rules_list != NULL);
return ncf;
}
int
+npf_config_export(const nl_config_t *ncf, const char *path)
+{
+ prop_dictionary_t npf_dict = ncf->ncf_dict;
+ int error = 0;
+
+ if (!prop_dictionary_externalize_to_file(npf_dict, path)) {
+ error = errno;
+ }
+ return 0;
+}
+
+nl_config_t *
+npf_config_import(const char *path)
+{
+ prop_dictionary_t npf_dict;
+ nl_config_t *ncf;
+
+ npf_dict = prop_dictionary_internalize_from_file(path);
+ if (npf_dict) {
+ return NULL;
+ }
+ ncf = _npf_config_consdict(npf_dict);
+ if (ncf == NULL) {
+ prop_object_release(npf_dict);
+ return NULL;
+ }
+ return ncf;
+}
+
+int
npf_config_flush(int fd)
{
nl_config_t *ncf;
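Review bot: npf_config_import tests the wrong condition: `if (npf_dict) { return NULL; }` bails out on a successful internalize (leaking npf_dict) and falls through to `_npf_config_consdict(NULL)` when the file could not be read; it should read `if (npf_dict == NULL) { return NULL; }`. In the same hunk npf_config_export records `error = errno` when prop_dictionary_externalize_to_file fails but then does `return 0;`, so callers never see a failed save; change it to `return error;`. Both functions are fully visible in this hunk; the removed npf_sessions_recv below handled the same externalize failure correctly, so this is a regression introduced by the consolidation.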
@@ -1136,46 +1177,6 @@
* MISC.
*/
-int
-npf_sessions_recv(int fd, const char *fpath)
-{
- prop_dictionary_t sdict;
- int error;
-
- error = prop_dictionary_recv_ioctl(fd, IOC_NPF_SESSIONS_SAVE, &sdict);
- if (error) {
- return error;
- }
- if (!prop_dictionary_externalize_to_file(sdict, fpath)) {
- error = errno;
- }
- prop_object_release(sdict);
- return error;
-}
-
-int
-npf_sessions_send(int fd, const char *fpath)
-{
- prop_dictionary_t sdict;
- int error;
-
- if (fpath) {
- sdict = prop_dictionary_internalize_from_file(fpath);
- if (sdict == NULL) {
- return errno;
- }
- } else {
- /* Empty: will flush the sessions. */
- prop_array_t selist = prop_array_create();
- sdict = prop_dictionary_create();
- prop_dictionary_set(sdict, "session-list", selist);
- prop_object_release(selist);
- }
- error = prop_dictionary_send_ioctl(sdict, fd, IOC_NPF_SESSIONS_LOAD);
- prop_object_release(sdict);
- return error;
-}
-
static prop_dictionary_t
_npf_debug_initonce(nl_config_t *ncf)
{
diff -r 57155d7d14f4 -r b763de1070c3 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Tue Jul 22 23:06:29 2014 +0000
+++ b/lib/libnpf/npf.h Wed Jul 23 01:25:34 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.26 2014/05/19 18:47:19 jakllsch Exp $ */
+/* $NetBSD: npf.h,v 1.27 2014/07/23 01:25:34 rmind Exp $ */
/*-
* Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -74,9 +74,12 @@
#define NPF_MAX_TABLE_ID (16)
nl_config_t * npf_config_create(void);
+void npf_config_destroy(nl_config_t *);
+
int npf_config_submit(nl_config_t *, int);
-void npf_config_destroy(nl_config_t *);
nl_config_t * npf_config_retrieve(int, bool *, bool *);
+nl_config_t * npf_config_import(const char *);
+int npf_config_export(const nl_config_t *, const char *);
int npf_config_flush(int);
int npf_ruleset_add(int, const char *, nl_rule_t *, uint64_t *);
@@ -120,9 +123,6 @@
#include <ifaddrs.h>
-int npf_sessions_send(int, const char *);
-int npf_sessions_recv(int, const char *);
-
nl_rule_t * npf_rule_iterate(nl_config_t *, unsigned *);
const char * npf_rule_getname(nl_rule_t *);
uint32_t npf_rule_getattr(nl_rule_t *);
diff -r 57155d7d14f4 -r b763de1070c3 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Tue Jul 22 23:06:29 2014 +0000
+++ b/sys/net/npf/npf.c Wed Jul 23 01:25:34 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.20 2014/07/19 18:24:16 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.21 2014/07/23 01:25:34 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.20 2014/07/19 18:24:16 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.21 2014/07/23 01:25:34 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -129,9 +129,6 @@
devsw_detach(NULL, &npf_cdevsw);
#endif
npf_pfil_unregister(true);
-
- /* Flush all connections, destroy configuration (ruleset, etc). */
- npf_conn_tracking(false);
npf_config_fini();
/* Finally, safe to destroy the subsystems. */
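Review bot: With `npf_conn_tracking(false)` removed from the detach path, nothing visible in this hunk flushes the connection database before `npf_config_fini()` tears down the ruleset and NAT policies; presumably the reworked npf_config_fini() in npf_conf.c (listed in the diffstat but not in this excerpt) now does that, otherwise connection entries could outlive the objects they reference during unload. A one-line comment would keep that dependency explicit, e.g. `/* npf_config_fini() flushes all connections before destroying the ruleset. */`. The enclosing function starts outside the hunk.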
@@ -220,23 +217,17 @@
case IOC_NPF_RULE:
error = npfctl_rule(cmd, data);
break;
- case IOC_NPF_GETCONF:
- error = npfctl_getconf(cmd, data);
- break;
case IOC_NPF_STATS:
error = npfctl_stats(data);
break;
- case IOC_NPF_SESSIONS_SAVE:
- error = npfctl_conn_save(cmd, data);
- break;
- case IOC_NPF_SESSIONS_LOAD:
- error = npfctl_conn_load(cmd, data);
+ case IOC_NPF_SAVE:
+ error = npfctl_save(cmd, data);
break;
case IOC_NPF_SWITCH:
error = npfctl_switch(data);
break;
- case IOC_NPF_RELOAD:
- error = npfctl_reload(cmd, data);
+ case IOC_NPF_LOAD:
+ error = npfctl_load(cmd, data);
break;
case IOC_NPF_VERSION:
*(int *)data = NPF_VERSION;
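Review bot: IOC_NPF_SAVE now returns live connection state together with the configuration, where the removed IOC_NPF_GETCONF returned only the configuration, and IOC_NPF_LOAD may install connections as well as rules; the privilege check for these commands, if any, sits above this hunk in the ioctl handler and is not visible here, so it should be confirmed that both are gated at least as strictly as the old IOC_NPF_SESSIONS_SAVE/LOAD pair were. A short comment on the `case IOC_NPF_SAVE:` arm noting that the snapshot contains connection state would make that requirement obvious to the next reader. The enclosing switch begins and ends outside the hunk.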
diff -r 57155d7d14f4 -r b763de1070c3 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Tue Jul 22 23:06:29 2014 +0000
+++ b/sys/net/npf/npf.h Wed Jul 23 01:25:34 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.44 2014/07/20 00:37:41 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.45 2014/07/23 01:25:34 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#define NPF_VERSION 15
+#define NPF_VERSION 16
/*
* Public declarations and definitions.
@@ -308,13 +308,11 @@
#define IOC_NPF_VERSION _IOR('N', 100, int)
#define IOC_NPF_SWITCH _IOW('N', 101, int)
-#define IOC_NPF_RELOAD _IOWR('N', 102, struct plistref)
+#define IOC_NPF_LOAD _IOWR('N', 102, struct plistref)
#define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table)
#define IOC_NPF_STATS _IOW('N', 104, void *)
-#define IOC_NPF_SESSIONS_SAVE _IOR('N', 105, struct plistref)
-#define IOC_NPF_SESSIONS_LOAD _IOW('N', 106, struct plistref)
+#define IOC_NPF_SAVE _IOR('N', 105, struct plistref)
#define IOC_NPF_RULE _IOWR('N', 107, struct plistref)
-#define IOC_NPF_GETCONF _IOR('N', 108, struct plistref)
/*
* Statistics counters.
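Review bot: Ioctl numbers 102 and 105 are reused with changed semantics (protected by the NPF_VERSION bump above), while 106 and 108 become unassigned with no marker; a later addition could pick them up and collide with old npfctl binaries that still emit IOC_NPF_SESSIONS_LOAD or IOC_NPF_GETCONF. A comment at the freed slots, such as `/* 106, 108: formerly IOC_NPF_SESSIONS_LOAD / IOC_NPF_GETCONF; do not reuse */`, records the history in the header itself.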
@@ -324,13 +322,13 @@
/* Packets passed. */
NPF_STAT_PASS_DEFAULT,
NPF_STAT_PASS_RULESET,
- NPF_STAT_PASS_SESSION,
+ NPF_STAT_PASS_CONN,
/* Packets blocked. */
NPF_STAT_BLOCK_DEFAULT,
NPF_STAT_BLOCK_RULESET,
/* Connection and NAT entries. */
- NPF_STAT_SESSION_CREATE,
- NPF_STAT_SESSION_DESTROY,
+ NPF_STAT_CONN_CREATE,
+ NPF_STAT_CONN_DESTROY,
NPF_STAT_NAT_CREATE,
NPF_STAT_NAT_DESTROY,
/* Invalid state cases. */
@@ -339,7 +337,7 @@