[src/trunk]: src - Add npf_ruleset_export(), npf_rule_export() and npf_nat_po...
details: https://anonhg.NetBSD.org/src/rev/00cd863a8c3a
branches: trunk
changeset: 331426:00cd863a8c3a
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Aug 10 19:09:43 2014 +0000
description:
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
diffstat:
lib/libnpf/npf.c | 38 +++---
sys/net/npf/npf.h | 4 +-
sys/net/npf/npf_conn.c | 80 +++++++++-----
sys/net/npf/npf_conn.h | 5 +-
sys/net/npf/npf_ctl.c | 35 ++++--
sys/net/npf/npf_if.c | 19 ++-
sys/net/npf/npf_impl.h | 9 +-
sys/net/npf/npf_mbuf.c | 6 +-
sys/net/npf/npf_nat.c | 38 +++++-
sys/net/npf/npf_ruleset.c | 133 +++++++++++++++++------
usr.sbin/npf/npf.7 | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c | 4 +-
12 files changed, 256 insertions(+), 119 deletions(-)
diffs (truncated from 900 to 300 lines):
diff -r 203b0e7e96a7 -r 00cd863a8c3a lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sun Aug 10 18:59:57 2014 +0000
+++ b/lib/libnpf/npf.c Sun Aug 10 19:09:43 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.31 2014/07/23 05:00:38 htodd Exp $ */
+/* $NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */
/*-
* Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.31 2014/07/23 05:00:38 htodd Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -152,7 +152,7 @@
prop_dictionary_set(npf_dict, "algs", ncf->ncf_alg_list);
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
- prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
+ prop_dictionary_set(npf_dict, "nat", ncf->ncf_nat_list);
prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
if (ncf->ncf_debug) {
prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
@@ -193,7 +193,7 @@
ncf->ncf_rules_list = prop_dictionary_get(npf_dict, "rules");
ncf->ncf_rproc_list = prop_dictionary_get(npf_dict, "rprocs");
ncf->ncf_table_list = prop_dictionary_get(npf_dict, "tables");
- ncf->ncf_nat_list = prop_dictionary_get(npf_dict, "translation");
+ ncf->ncf_nat_list = prop_dictionary_get(npf_dict, "nat");
return ncf;
}
@@ -502,10 +502,10 @@
if (name) {
prop_dictionary_set_cstring(rldict, "name", name);
}
- prop_dictionary_set_uint32(rldict, "attributes", attr);
+ prop_dictionary_set_uint32(rldict, "attr", attr);
if (ifname) {
- prop_dictionary_set_cstring(rldict, "interface", ifname);
+ prop_dictionary_set_cstring(rldict, "ifname", ifname);
}
rl->nrl_dict = rldict;
return rl;
@@ -566,7 +566,7 @@
{
prop_dictionary_t rldict = rl->nrl_dict;
- prop_dictionary_set_int32(rldict, "priority", pri);
+ prop_dictionary_set_int32(rldict, "prio", pri);
return 0;
}
@@ -675,7 +675,7 @@
prop_dictionary_t rldict = rl->nrl_dict;
uint32_t attr = 0;
- prop_dictionary_get_uint32(rldict, "attributes", &attr);
+ prop_dictionary_get_uint32(rldict, "attr", &attr);
return attr;
}
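Review bot: `prop_dictionary_get_uint32(rldict, "attr", &attr);` discards the getter's boolean result, so a dictionary that still carries the pre-rename `attributes` key (or any reader of the old name that the rename missed) yields attr == 0 with no error; the `ifname` getter in the next hunk behaves the same way and returns NULL. The key strings are the libnpf/kernel contract and the kernel-side readers in npf_ctl.c, npf_ruleset.c and npf_nat.c are truncated from this view, so a mismatch would surface only as a silently empty value; the NPF_VERSION bump presumably guards against an old kernel, but not against an in-tree consumer that was missed. At minimum the default deserves a comment on the getter, e.g. `/* Missing "attr" (e.g. a dictionary from an older libnpf) yields 0, not an error. */`.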
@@ -685,7 +685,7 @@
prop_dictionary_t rldict = rl->nrl_dict;
const char *ifname = NULL;
- prop_dictionary_get_cstring_nocopy(rldict, "interface", &ifname);
+ prop_dictionary_get_cstring_nocopy(rldict, "ifname", &ifname);
return ifname;
}
@@ -845,7 +845,7 @@
}
/*
- * TRANSLATION INTERFACE.
+ * NAT INTERFACE.
*/
nl_nat_t *
@@ -869,7 +869,7 @@
attr = NPF_RULE_PASS | NPF_RULE_FINAL |
(type == NPF_NATOUT ? NPF_RULE_OUT : NPF_RULE_IN);
- /* Create a rule for NAT policy. Next, will add translation data. */
+ /* Create a rule for NAT policy. Next, will add NAT data. */
rl = npf_rule_create(NULL, attr, ifname);
if (rl == NULL) {
return NULL;
@@ -886,12 +886,12 @@
npf_rule_destroy(rl);
return NULL;
}
- prop_dictionary_set(rldict, "translation-ip", addrdat);
- prop_dictionary_set_uint32(rldict, "translation-mask", mask);
+ prop_dictionary_set(rldict, "nat-ip", addrdat);
+ prop_dictionary_set_uint32(rldict, "nat-mask", mask);
prop_object_release(addrdat);
/* Translation port (for redirect case). */
- prop_dictionary_set_uint16(rldict, "translation-port", port);
+ prop_dictionary_set_uint16(rldict, "nat-port", port);
return (nl_nat_t *)rl;
}
@@ -901,7 +901,7 @@
{
prop_dictionary_t rldict = nt->nrl_dict;
- prop_dictionary_set_int32(rldict, "priority", NPF_PRI_LAST);
+ prop_dictionary_set_int32(rldict, "prio", NPF_PRI_LAST);
prop_array_add(ncf->ncf_nat_list, rldict);
return 0;
}
@@ -917,7 +917,7 @@
npf_nat_setalgo(nl_nat_t *nt, u_int algo)
{
prop_dictionary_t rldict = nt->nrl_dict;
- prop_dictionary_set_uint32(rldict, "translation-algo", algo);
+ prop_dictionary_set_uint32(rldict, "nat-algo", algo);
return 0;
}
@@ -930,7 +930,7 @@
if ((error = npf_nat_setalgo(nt, NPF_ALGO_NPT66)) != 0) {
return error;
}
- prop_dictionary_set_uint16(rldict, "npt66-adjustment", adj);
+ prop_dictionary_set_uint16(rldict, "npt66-adj", adj);
return 0;
}
@@ -958,13 +958,13 @@
npf_nat_getmap(nl_nat_t *nt, npf_addr_t *addr, size_t *alen, in_port_t *port)
{
prop_dictionary_t rldict = nt->nrl_dict;
- prop_object_t obj = prop_dictionary_get(rldict, "translation-ip");
+ prop_object_t obj = prop_dictionary_get(rldict, "nat-ip");
*alen = prop_data_size(obj);
memcpy(addr, prop_data_data_nocopy(obj), *alen);
*port = 0;
- prop_dictionary_get_uint16(rldict, "translation-port", port);
+ prop_dictionary_get_uint16(rldict, "nat-port", port);
}
/*
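Review bot: `obj` is dereferenced by `prop_data_size(obj)` and `prop_data_data_nocopy(obj)` without a NULL check, so a dictionary that lacks the renamed `nat-ip` key — for instance one produced before this rename — crashes npf_nat_getmap instead of failing, whereas the ignored `nat-port` getter below at least leaves `*port` at 0. A guard such as `if (obj == NULL) { *alen = 0; return; }` before the `prop_data_size()` call (adjusted if the function has a status return, which is not visible in this hunk) would make the missing-key case survivable, with the caller documented to treat `*alen == 0` as "no mapping". The `memcpy` into `addr` also trusts `prop_data_size(obj)` to fit the caller's `npf_addr_t`; whether that is bounded on the producer side cannot be confirmed from this view.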
diff -r 203b0e7e96a7 -r 00cd863a8c3a sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sun Aug 10 18:59:57 2014 +0000
+++ b/sys/net/npf/npf.h Sun Aug 10 19:09:43 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.46 2014/07/23 01:48:05 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#define NPF_VERSION 16
+#define NPF_VERSION 17
/*
* Public declarations and definitions.
diff -r 203b0e7e96a7 -r 00cd863a8c3a sys/net/npf/npf_conn.c
--- a/sys/net/npf/npf_conn.c Sun Aug 10 18:59:57 2014 +0000
+++ b/sys/net/npf/npf_conn.c Sun Aug 10 19:09:43 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $ */
+/* $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $ */
/*-
* Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -99,7 +99,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -809,11 +809,11 @@
}
/*
- * npf_conn_export: construct a list of connections prepared for saving.
+ * npf_conndb_export: construct a list of connections prepared for saving.
* Note: this is expected to be an expensive operation.
*/
int
-npf_conn_export(prop_array_t conlist)
+npf_conndb_export(prop_array_t conlist)
{
npf_conn_t *con, *prev;
@@ -830,33 +830,12 @@
con = npf_conndb_getlist(conn_db);
while (con) {
npf_conn_t *next = con->c_next;
- prop_data_t d;
-
- if ((con->c_flags & (CONN_ACTIVE|CONN_EXPIRE)) != CONN_ACTIVE)
- goto skip;
-
- prop_dictionary_t cdict = prop_dictionary_create();
- prop_dictionary_set_uint32(cdict, "flags", con->c_flags);
- prop_dictionary_set_uint32(cdict, "proto", con->c_proto);
- /* FIXME: interface-id */
-
- d = prop_data_create_data(&con->c_state, sizeof(npf_state_t));
- prop_dictionary_set_and_rel(cdict, "state", d);
+ prop_dictionary_t cdict;
- const uint32_t *fkey = con->c_forw_entry.ck_key;
- d = prop_data_create_data(fkey, NPF_CONN_MAXKEYLEN);
- prop_dictionary_set_and_rel(cdict, "forw-key", d);
-
- const uint32_t *bkey = con->c_back_entry.ck_key;
- d = prop_data_create_data(bkey, NPF_CONN_MAXKEYLEN);
- prop_dictionary_set_and_rel(cdict, "back-key", d);
-
- if (con->c_nat) {
- npf_nat_export(cdict, con->c_nat);
+ if ((cdict = npf_conn_export(con)) != NULL) {
+ prop_array_add(conlist, cdict);
+ prop_object_release(cdict);
}
- prop_array_add(conlist, cdict);
- prop_object_release(cdict);
-skip:
prev = con;
con = next;
}
@@ -866,6 +845,43 @@
}
/*
+ * npf_conn_export: serialise a single connection.
+ */
+prop_dictionary_t
+npf_conn_export(const npf_conn_t *con)
+{
+ prop_dictionary_t cdict;
+ prop_data_t d;
+
+ if ((con->c_flags & (CONN_ACTIVE|CONN_EXPIRE)) != CONN_ACTIVE) {
+ return NULL;
+ }
+ cdict = prop_dictionary_create();
+ prop_dictionary_set_uint32(cdict, "flags", con->c_flags);
+ prop_dictionary_set_uint32(cdict, "proto", con->c_proto);
+ if (con->c_ifid) {
+ const char *ifname = npf_ifmap_getname(con->c_ifid);
+ prop_dictionary_set_cstring(cdict, "ifname", ifname);
+ }
+
+ d = prop_data_create_data(&con->c_state, sizeof(npf_state_t));
+ prop_dictionary_set_and_rel(cdict, "state", d);
+
+ const uint32_t *fkey = con->c_forw_entry.ck_key;
+ d = prop_data_create_data(fkey, NPF_CONN_MAXKEYLEN);
+ prop_dictionary_set_and_rel(cdict, "forw-key", d);
+
+ const uint32_t *bkey = con->c_back_entry.ck_key;
+ d = prop_data_create_data(bkey, NPF_CONN_MAXKEYLEN);
+ prop_dictionary_set_and_rel(cdict, "back-key", d);
+
+ if (con->c_nat) {
+ npf_nat_export(cdict, con->c_nat);
+ }
+ return cdict;
+}
+
+/*
* npf_conn_import: fully reconstruct a single connection from a
* directory and insert into the given database.
*/
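Review bot: `cdict = prop_dictionary_create();` in the new npf_conn_export is not checked for NULL before `prop_dictionary_set_uint32()` writes into it, and the result of `npf_ifmap_getname(con->c_ifid)` is handed to `prop_dictionary_set_cstring()` without a NULL check; whether getname can return NULL depends on npf_if.c, which is truncated from this view. Guards such as `if ((cdict = prop_dictionary_create()) == NULL) return NULL;` and `if (ifname != NULL)` around the set would make both failure paths explicit. The header comment should also state ownership, since npf_conndb_export releases the result: `Returns a new dictionary (one reference, owned by the caller), or NULL if the connection is not active or is expiring.` The import counterpart at the end of this view registers the imported `ifname` string via `npf_ifmap_register()` with no visible length validation; that hunk is truncated, so whether the callee bounds it against IFNAMSIZ cannot be confirmed here.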
@@ -876,6 +892,7 @@
npf_conn_t *con;
npf_connkey_t *fw, *bk;
prop_object_t obj;
+ const char *ifname;
const void *d;
/* Allocate a connection and initialise it (clear first). */
@@ -888,6 +905,11 @@
con->c_flags &= PFIL_ALL | CONN_ACTIVE | CONN_PASS;
getnanouptime(&con->c_atime);
+ if (prop_dictionary_get_cstring_nocopy(cdict, "ifname", &ifname) &&
+ (con->c_ifid = npf_ifmap_register(ifname)) == 0) {
+ goto err;