[src/trunk]: src - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more def...
details: https://anonhg.NetBSD.org/src/rev/7b0684438bc7
branches: trunk
changeset: 777476:7b0684438bc7
user: rmind <rmind%NetBSD.org@localhost>
date: Mon Feb 20 00:18:19 2012 +0000
description:
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unnecessary header inclusions.
diffstat:
sys/net/npf/npf.c | 20 +++++++++---
sys/net/npf/npf_alg.c | 7 +--
sys/net/npf/npf_alg_icmp.c | 5 +-
sys/net/npf/npf_ctl.c | 13 +++++---
sys/net/npf/npf_handler.c | 64 +++++++++++++++++++++-------------------
sys/net/npf/npf_impl.h | 11 +++++-
sys/net/npf/npf_inet.c | 6 +-
sys/net/npf/npf_instr.c | 6 +-
sys/net/npf/npf_log.c | 6 +-
sys/net/npf/npf_nat.c | 6 +-
sys/net/npf/npf_processor.c | 9 +----
sys/net/npf/npf_rproc.c | 9 ++---
sys/net/npf/npf_ruleset.c | 12 +++---
sys/net/npf/npf_sendpkt.c | 6 +-
sys/net/npf/npf_session.c | 27 ++++++++++-------
sys/net/npf/npf_tableset.c | 6 +-
usr.sbin/npf/npfctl/npf_build.c | 7 +--
17 files changed, 119 insertions(+), 101 deletions(-)
diffs (truncated from 748 to 300 lines):
diff -r 56efa5260318 -r 7b0684438bc7 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Sun Feb 19 23:19:37 2012 +0000
+++ b/sys/net/npf/npf.c Mon Feb 20 00:18:19 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.8 2012/02/20 00:18:19 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.8 2012/02/20 00:18:19 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -70,6 +70,7 @@
npf_ruleset_t * n_rules;
npf_tableset_t * n_tables;
npf_ruleset_t * n_nat_rules;
+ bool n_default_pass;
} npf_core_t;
static void npf_core_destroy(npf_core_t *);
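Review bot: The new `n_default_pass` member is the only field of `npf_core_t` whose meaning cannot be read off its name, since "default" here is the policy taken when no rule matches rather than any initial value. The other members are self-describing ruleset/tableset pointers, so a one-line comment on the new field would keep the struct readable: `bool n_default_pass; /* policy when no rule matches: true = pass (flushed/no config), false = block */`. The enclosing struct definition starts outside the hunk.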
@@ -106,7 +107,7 @@
rset = npf_ruleset_create();
tset = npf_tableset_create();
nset = npf_ruleset_create();
- npf_reload(rset, tset, nset);
+ npf_reload(rset, tset, nset, true);
KASSERT(npf_core != NULL);
#ifdef _MODULE
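Review bot: The bare `true` passed to `npf_reload()` at initialisation is a security-relevant literal with no explanation: from attach until the first configuration is loaded the filter passes every packet, i.e. it starts in the same fail-open state that a flush produces. That is consistent with the commit description, but the reason belongs next to the call so the value is not "fixed" later, e.g. `npf_reload(rset, tset, nset, true); /* no config yet: same state as a flush, default policy is pass */`. The enclosing init function starts and ends outside the hunk.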
@@ -265,12 +266,14 @@
* Then destroy old (unloaded) structures.
*/
void
-npf_reload(npf_ruleset_t *rset, npf_tableset_t *tset, npf_ruleset_t *nset)
+npf_reload(npf_ruleset_t *rset, npf_tableset_t *tset, npf_ruleset_t *nset,
+ bool flush)
{
npf_core_t *nc, *onc;
/* Setup a new core structure. */
- nc = kmem_alloc(sizeof(npf_core_t), KM_SLEEP);
+ nc = kmem_zalloc(sizeof(npf_core_t), KM_SLEEP);
+ nc->n_default_pass = flush;
nc->n_rules = rset;
nc->n_tables = tset;
nc->n_nat_rules = nset;
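Review bot: The new parameter is named `flush`, but its only use in the function is `nc->n_default_pass = flush;`, so the name describes the caller's situation (npf_ctl.c passes its `flush` flag) rather than what `npf_reload()` does with it, and a future caller that wants a pass default without flushing has to read the body to find out. Naming it for its effect, `bool default_pass`, and storing it as `nc->n_default_pass = default_pass;` makes the contract visible at the prototype. The function's header comment, which starts above the hunk, should also state that the fourth argument selects the policy applied when no rule matches. The switch to `kmem_zalloc` is a good defensive change since any member not set here now reads as zero/false rather than garbage.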
@@ -330,6 +333,13 @@
return rw_lock_held(&npf_lock);
}
+bool
+npf_default_pass(void)
+{
+ KASSERT(rw_lock_held(&npf_lock));
+ return npf_core->n_default_pass;
+}
+
/*
* NPF statistics interface.
*/
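Review bot: `npf_default_pass()` asserts `rw_lock_held(&npf_lock)` directly even though `npf_core_locked()`, visible a few lines above, already wraps exactly that check; `KASSERT(npf_core_locked());` keeps the two in step if the locking primitive is ever changed. The function also has no header comment, unlike the neighbouring `/* NPF statistics interface. */` block; suggest `/* npf_default_pass: return the policy applied when no rule matches. Caller must hold npf_lock. */`.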
diff -r 56efa5260318 -r 7b0684438bc7 sys/net/npf/npf_alg.c
--- a/sys/net/npf/npf_alg.c Sun Feb 19 23:19:37 2012 +0000
+++ b/sys/net/npf/npf_alg.c Mon Feb 20 00:18:19 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg.c,v 1.2 2010/11/11 06:30:39 rmind Exp $ */
+/* $NetBSD: npf_alg.c,v 1.3 2012/02/20 00:18:19 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -36,10 +36,9 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.2 2010/11/11 06:30:39 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.3 2012/02/20 00:18:19 rmind Exp $");
#include <sys/param.h>
-#include <sys/kernel.h>
#include <sys/kmem.h>
#include <sys/pool.h>
#include <net/pfil.h>
@@ -83,7 +82,7 @@
{
npf_alg_t *alg;
- alg = kmem_alloc(sizeof(npf_alg_t), KM_SLEEP);
+ alg = kmem_zalloc(sizeof(npf_alg_t), KM_SLEEP);
alg->na_bptr = alg;
alg->na_match_func = match;
alg->na_out_func = out;
diff -r 56efa5260318 -r 7b0684438bc7 sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Sun Feb 19 23:19:37 2012 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Mon Feb 20 00:18:19 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.9 2012/02/20 00:18:19 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,10 +34,9 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.9 2012/02/20 00:18:19 rmind Exp $");
#include <sys/param.h>
-#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/pool.h>
diff -r 56efa5260318 -r 7b0684438bc7 sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sun Feb 19 23:19:37 2012 +0000
+++ b/sys/net/npf/npf_ctl.c Mon Feb 20 00:18:19 2012 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf_ctl.c,v 1.12 2012/02/05 00:37:13 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.13 2012/02/20 00:18:19 rmind Exp $ */
/*-
- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -37,11 +37,10 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12 2012/02/05 00:37:13 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.13 2012/02/20 00:18:19 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
-#include <sys/kernel.h>
#include <prop/proplib.h>
@@ -479,7 +478,7 @@
* Finally - reload ruleset, tableset and NAT policies.
* Operation will be performed as a single transaction.
*/
- npf_reload(rlset, tblset, nset);
+ npf_reload(rlset, tblset, nset, flush);
/* Turn on/off session tracking accordingly. */
npf_session_tracking(!flush);
@@ -506,7 +505,9 @@
/* Error report. */
prop_dictionary_set_int32(errdict, "errno", error);
+#ifdef _KERNEL
prop_dictionary_copyout_ioctl(pref, cmd, errdict);
+#endif
prop_object_release(errdict);
return 0;
}
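Review bot: With `_KERNEL` undefined the error dictionary is still created, given an `errno` entry and released, but `prop_dictionary_copyout_ioctl()` is skipped, so the error report never leaves the function in that build; if the non-kernel build is a test harness that is intended, but the `#ifdef` should say so, e.g. `#ifdef _KERNEL /* no ioctl copy-out in the userland test build */`. The same three-line report block is added again in the hunk at `@@ -561,7 +562,9 @@`, and the two copies already differ in what they return afterwards (`return 0;` here, `return error;` there), which is the kind of drift a single static "set errno and copy out" helper would prevent. Both enclosing functions start outside their hunks.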
@@ -561,7 +562,9 @@
/* Error report. */
prop_dictionary_set_int32(errdict, "errno", error);
+#ifdef _KERNEL
prop_dictionary_copyout_ioctl(pref, cmd, errdict);
+#endif
prop_object_release(errdict);
return error;
}
diff -r 56efa5260318 -r 7b0684438bc7 sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Sun Feb 19 23:19:37 2012 +0000
+++ b/sys/net/npf/npf_handler.c Mon Feb 20 00:18:19 2012 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.14 2012/02/20 00:18:19 rmind Exp $ */
/*-
- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -34,10 +34,10 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.14 2012/02/20 00:18:19 rmind Exp $");
+#include <sys/types.h>
#include <sys/param.h>
-#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
@@ -61,8 +61,6 @@
static struct pfil_head * npf_ph_inet = NULL;
static struct pfil_head * npf_ph_inet6 = NULL;
-static bool default_pass = true;
-
int npf_packet_handler(void *, struct mbuf **, ifnet_t *, int);
/*
@@ -89,26 +87,28 @@
npf_ruleset_t *rlset;
npf_rule_t *rl;
npf_rproc_t *rp;
- int retfl, error, ret;
+ int error, retfl;
+ int decision;
/*
* Initialise packet information cache.
* Note: it is enough to clear the info bits.
*/
npc.npc_info = 0;
+ decision = NPF_DECISION_BLOCK;
error = 0;
retfl = 0;
rp = NULL;
- ret = 0;
/* Cache everything. Determine whether it is an IP fragment. */
if (npf_cache_all(&npc, nbuf) & NPC_IPFRAG) {
+ int ret = -1;
+
/* Pass to IPv4 or IPv6 reassembly mechanism. */
if (npf_iscached(&npc, NPC_IP4)) {
struct ip *ip = nbuf_dataptr(*mp);
ret = ip_reass_packet(mp, ip);
- } else {
- KASSERT(npf_iscached(&npc, NPC_IP6));
+ } else if (npf_iscached(&npc, NPC_IP6)) {
#ifdef INET6
/*
* Note: frag6_input() offset is the start of the
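Review bot: The new `int ret = -1;` is what makes the handler defensive, since the old `KASSERT(npf_iscached(&npc, NPC_IP6))` is replaced by an `else if`, and a fragment that caches as neither IPv4 nor IPv6, or IPv6 on a kernel built without `INET6`, now falls through with `ret` still `-1` and is blocked via the `error = EINVAL` path below; nothing in the hunk says that this is deliberate rather than an uninitialised-value workaround. A comment on the declaration would preserve the intent: `int ret = -1; /* anything not reassembled below (unknown L3, no INET6) is treated as a failed reassembly and blocked */`. The enclosing `npf_packet_handler()` starts and ends outside the hunk.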
@@ -116,11 +116,8 @@
*/
const u_int hlen = npf_cache_hlen(&npc);
ret = ip6_reass_packet(mp, hlen);
-#else
- ret = -1;
#endif
}
-
if (ret) {
error = EINVAL;
se = NULL;
@@ -137,7 +134,9 @@
*/
nbuf = (nbuf_t *)*mp;
npc.npc_info = 0;
- (void)npf_cache_all(&npc, nbuf);
+
+ ret = npf_cache_all(&npc, nbuf);
+ KASSERT((ret & NPC_IPFRAG) == 0);
}
/* Inspect the list of sessions. */
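Review bot: `KASSERT((ret & NPC_IPFRAG) == 0)` after re-caching the reassembled packet is the only check that the packet is no longer a fragment, and it compiles out in a non-DIAGNOSTIC kernel, where a packet still flagged as a fragment would continue into session and ruleset inspection as if it were complete. If `ip_reass_packet()`/`ip6_reass_packet()` guarantee a complete packet whenever they return 0 this is fine and a one-line comment stating that guarantee would close the question; if not, a runtime check mirroring the failed-reassembly path above, `if (ret & NPC_IPFRAG) { error = EINVAL; se = NULL; goto block; }` or whatever that path does after setting `error`, is cheap on this already-slow path. The surrounding fragment block and the handler start outside the hunk.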
@@ -146,8 +145,10 @@
/* If "passing" session found - skip the ruleset inspection. */
if (se && npf_session_pass(se, &rp)) {
npf_stats_inc(NPF_STAT_PASS_SESSION);
+ KASSERT(error == 0);
goto pass;
- } else if (error) {
+ }
+ if (error) {
goto block;
}
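Review bot: The new `KASSERT(error == 0)` on the passing-session path holds only because the failed-reassembly path clears `se` at the same time it sets `error` (`se = NULL;` in the hunk at `@@ -116,11 +116,8 @@`), so a non-NULL session implies no earlier error; that coupling is two hunks away and easy to break. A one-line comment next to the assertion would tie them together: `/* Reassembly failure sets error and clears se, so a passing session implies error == 0. */`. The enclosing handler starts outside the hunk.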
@@ -156,13 +157,14 @@
rlset = npf_core_ruleset();
rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
if (rl == NULL) {
+ bool default_pass = npf_default_pass();
npf_core_exit();
+
if (default_pass) {
npf_stats_inc(NPF_STAT_PASS_DEFAULT);
goto pass;
}
npf_stats_inc(NPF_STAT_BLOCK_DEFAULT);
- error = ENETUNREACH;
goto block;
}
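Review bot: Removing `error = ENETUNREACH;` means the default-block path now reaches `block:` with `error == 0`, so whatever that label returns to pfil no longer carries a status on this path unless the return is derived from the new `decision` variable; the `block:` label and the function's return are outside the truncated diff, so this cannot be confirmed here, and it deserves a sentence in the commit message or a comment at the `goto block`. The ordering of `bool default_pass = npf_default_pass();` before `npf_core_exit();` is correct, since `npf_reload()` replaces `npf_core` and the policy must be read while the core lock is held, but that is worth stating: `bool default_pass = npf_default_pass(); /* snapshot under the core lock; a reload may replace npf_core */`. The enclosing handler starts and ends outside the hunk.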
@@ -181,20 +183,21 @@
}
npf_stats_inc(NPF_STAT_PASS_RULESET);
- /* Establish a "pass" session, if required. */
+ /*
+ * Establish a "pass" session, if required. Just proceed, if session
+ * creation fails (e.g. due to unsupported protocol).
+ *