[src/trunk]: src/sys - Rework and improve TCP state tracking.
details: https://anonhg.NetBSD.org/src/rev/dc8e01bc1e5f
branches: trunk
changeset: 771707:dc8e01bc1e5f
user: rmind <rmind%NetBSD.org@localhost>
date: Tue Nov 29 20:05:30 2011 +0000
description:
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.
Note: npfctl(8) rework will come soon.
diffstat:
sys/modules/npf/Makefile | 4 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.h | 11 +-
sys/net/npf/npf_alg_icmp.c | 10 +-
sys/net/npf/npf_ctl.c | 26 +-
sys/net/npf/npf_handler.c | 18 +-
sys/net/npf/npf_impl.h | 25 +-
sys/net/npf/npf_inet.c | 74 +++---
sys/net/npf/npf_instr.c | 26 +-
sys/net/npf/npf_processor.c | 32 ++-
sys/net/npf/npf_sendpkt.c | 18 +-
sys/net/npf/npf_session.c | 15 +-
sys/net/npf/npf_state.c | 392 +++++++------------------------------
sys/net/npf/npf_state_tcp.c | 455 ++++++++++++++++++++++++++++++++++++++++++++
sys/net/npf/npf_tableset.c | 47 ++--
15 files changed, 707 insertions(+), 449 deletions(-)
diffs (truncated from 1927 to 300 lines):
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/modules/npf/Makefile Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2011/11/06 13:04:44 tron Exp $
+# $NetBSD: Makefile,v 1.8 2011/11/29 20:05:30 rmind Exp $
.include "../Makefile.inc"
@@ -9,7 +9,7 @@
SRCS= npf.c npf_alg.c npf_ctl.c npf_handler.c
SRCS+= npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
SRCS+= npf_processor.c npf_ruleset.c npf_sendpkt.c npf_session.c
-SRCS+= npf_state.c npf_tableset.c
+SRCS+= npf_state.c npf_state_tcp.c npf_tableset.c
CPPFLAGS+= -DINET6
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/net/npf/files.npf
--- a/sys/net/npf/files.npf Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/net/npf/files.npf Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.4 2010/12/18 01:07:25 rmind Exp $
+# $NetBSD: files.npf,v 1.5 2011/11/29 20:05:30 rmind Exp $
#
# Public Domain.
#
@@ -21,6 +21,7 @@
file net/npf/npf_inet.c npf
file net/npf/npf_session.c npf
file net/npf/npf_state.c npf
+file net/npf/npf_state_tcp.c npf
file net/npf/npf_nat.c npf
file net/npf/npf_alg.c npf
file net/npf/npf_sendpkt.c npf
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/net/npf/npf.h Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.10 2011/11/06 02:49:03 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.11 2011/11/29 20:05:30 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -59,6 +59,7 @@
typedef struct in6_addr npf_addr_t;
typedef uint8_t npf_netmask_t;
+#define NPF_MAX_NETMASK (128)
#define NPF_NO_NETMASK ((npf_netmask_t)~0)
#if defined(_KERNEL) || defined(_NPF_TESTING)
@@ -101,7 +102,7 @@
npf_addr_t * npc_dstip;
/* Size (v4 or v6) of IP addresses. */
int npc_ipsz;
- size_t npc_hlen;
+ u_int npc_hlen;
int npc_next_proto;
/* IPv4, IPv6. */
union {
@@ -122,7 +123,7 @@
uint_fast8_t length = omask;
/* Note: maximum length is 32 for IPv4 and 128 for IPv6. */
- KASSERT(length <= 128);
+ KASSERT(length <= NPF_MAX_NETMASK);
for (int i = 0; i < 4; i++) {
if (length >= 32) {
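Review bot: `KASSERT(length <= NPF_MAX_NETMASK)` just above the loop is compiled out in a non-DIAGNOSTIC kernel, so it does not protect the loop from an out-of-range mask; if `omask` can originate from the `nct_mask` field that npfctl_table() hands through from an ioctl, the range check belongs at that boundary (returning EINVAL) and the assertion should remain only as a debugging aid. Whether npf_table_add_cidr() already rejects masks above NPF_MAX_NETMASK is not visible in this truncated diff and is worth confirming. NPF_NO_NETMASK (255 as a uint8_t) is also above the new limit, so any caller allowed to pass it must map it before reaching this point. The enclosing function starts outside the hunk.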
@@ -196,8 +197,8 @@
return npc->npc_next_proto;
}
-static inline int
-npf_cache_hlen(const npf_cache_t *npc, nbuf_t *nbuf)
+static inline u_int
+npf_cache_hlen(const npf_cache_t *npc)
{
KASSERT(npf_iscached(npc, NPC_IP46));
return npc->npc_hlen;
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.7 2011/11/04 01:00:27 zoltan Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.7 2011/11/04 01:00:27 zoltan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -249,7 +249,7 @@
/* Advance to ICMP header. */
void *n_ptr = nbuf_dataptr(nbuf);
- const size_t hlen = npf_cache_hlen(npc, nbuf);
+ const u_int hlen = npf_cache_hlen(npc);
if ((n_ptr = nbuf_advance(&nbuf, n_ptr, hlen)) == NULL) {
return false;
@@ -333,7 +333,7 @@
* to the embedded IP header after ICMP header.
*/
void *n_ptr = nbuf_dataptr(nbuf), *cnbuf = nbuf, *cnptr = n_ptr;
- u_int offby = npf_cache_hlen(npc, nbuf) + offsetof(struct icmp, icmp_ip);
+ u_int offby = npf_cache_hlen(npc) + offsetof(struct icmp, icmp_ip);
if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL) {
return false;
@@ -367,7 +367,7 @@
}
cksum = npf_fixup16_cksum(cksum, ecksum, eip->ip_sum);
- offby = npf_cache_hlen(npc, nbuf) + offsetof(struct icmp, icmp_cksum);
+ offby = npf_cache_hlen(npc) + offsetof(struct icmp, icmp_cksum);
if (nbuf_advstore(&cnbuf, &cnptr, offby, sizeof(uint16_t), &cksum)) {
return false;
}
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/net/npf/npf_ctl.c Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.9 2011/11/06 02:49:03 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.9 2011/11/06 02:49:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -392,23 +392,26 @@
nset = npf_ruleset_create();
natlist = prop_dictionary_get(dict, "translation");
error = npf_mk_natlist(nset, natlist);
- if (error)
+ if (error) {
goto fail;
+ }
/* Tables. */
tblset = npf_tableset_create();
tables = prop_dictionary_get(dict, "tables");
error = npf_mk_tables(tblset, tables);
- if (error)
+ if (error) {
goto fail;
+ }
/* Rules and rule procedures. */
rlset = npf_ruleset_create();
rprocs = prop_dictionary_get(dict, "rprocs");
rules = prop_dictionary_get(dict, "rules");
error = npf_mk_rules(rlset, rules, rprocs);
- if (error)
+ if (error) {
goto fail;
+ }
/*
* Finally - reload ruleset, tableset and NAT policies.
@@ -597,24 +600,23 @@
npfctl_table(void *data)
{
npf_ioctl_table_t *nct = data;
+ npf_tableset_t *tblset;
int error;
npf_core_enter(); /* XXXSMP */
+ tblset = npf_core_tableset();
switch (nct->nct_action) {
case NPF_IOCTL_TBLENT_ADD:
- error = npf_table_add_cidr(NULL, nct->nct_tid,
+ error = npf_table_add_cidr(tblset, nct->nct_tid,
&nct->nct_addr, nct->nct_mask);
break;
case NPF_IOCTL_TBLENT_REM:
- error = npf_table_rem_cidr(NULL, nct->nct_tid,
+ error = npf_table_rem_cidr(tblset, nct->nct_tid,
&nct->nct_addr, nct->nct_mask);
break;
default:
- /* XXX */
- error = npf_table_match_addr(nct->nct_tid, &nct->nct_addr);
- if (error) {
- error = EINVAL;
- }
+ error = npf_table_match_addr(tblset, nct->nct_tid,
+ &nct->nct_addr);
}
npf_core_exit(); /* XXXSMP */
return error;
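Review bot: In npfctl_table() the `default:` arm still performs a table lookup for any `nct_action` value other than ADD or REM, so an unrecognised action from userland is silently treated as a match query instead of being rejected; suggest an explicit `case` for the lookup action and `default: error = EINVAL; break;`. The rewrite also changes what the lookup reports: the old code collapsed any non-zero result to EINVAL, while the new code returns npf_table_match_addr()'s value directly, which is only correct if that function now returns an errno — its hunk in npf_tableset.c is truncated here, so that should be checked. `nct_tid` and `nct_mask` come straight from the ioctl argument; if npf_table_add_cidr() does not bound `nct_mask` by NPF_MAX_NETMASK, this is the place to validate it before the table code sees it.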
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/net/npf/npf_handler.c Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.10 2011/11/06 02:49:03 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.10 2011/11/06 02:49:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -102,9 +102,7 @@
ret = 0;
/* Cache everything. Determine whether it is an IP fragment. */
- npf_cache_all(&npc, nbuf);
-
- if (npf_iscached(&npc, NPC_IPFRAG)) {
+ if (npf_cache_all(&npc, nbuf) & NPC_IPFRAG) {
/* Pass to IPv4 or IPv6 reassembly mechanism. */
if (npf_iscached(&npc, NPC_IP4)) {
struct ip *ip = nbuf_dataptr(*mp);
@@ -116,7 +114,7 @@
* Note: frag6_input() offset is the start of the
* fragment header.
*/
- size_t hlen = npf_cache_hlen(&npc, nbuf);
+ const u_int hlen = npf_cache_hlen(&npc);
ret = ip6_reass_packet(mp, hlen);
#else
ret = -1;
@@ -135,20 +133,22 @@
/*
* Reassembly is complete, we have the final packet.
- * Cache again, since layer 3 daya is accessible now.
+ * Cache again, since layer 4 data is accessible now.
*/
nbuf = (nbuf_t *)*mp;
npc.npc_info = 0;
- npf_cache_all(&npc, nbuf);
+ (void)npf_cache_all(&npc, nbuf);
}
/* Inspect the list of sessions. */
- se = npf_session_inspect(&npc, nbuf, di);
+ se = npf_session_inspect(&npc, nbuf, di, &error);
/* If "passing" session found - skip the ruleset inspection. */
if (se && npf_session_pass(se, &rp)) {
npf_stats_inc(NPF_STAT_PASS_SESSION);
goto pass;
+ } else if (error) {
+ goto block;
}
/* Acquire the lock, inspect the ruleset using this packet. */
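Review bot: The new `else if (error) goto block;` after npf_session_inspect() relies on `error` being zero whenever no state-tracking failure occurred, but neither its declaration nor an initialisation is in the hunk, and it is not visible whether npf_session_inspect() writes `*error = 0` on success or only sets it on failure; if the latter, a stale non-zero value from an earlier path in this function would block a legitimate packet. Either set `error = 0;` immediately before the call or document at the call site that the callee always assigns it. A packet dropped for failing TCP state tracking presumably deserves its own stat counter on the `block` path, mirroring NPF_STAT_PASS_SESSION on the pass path; that label is outside the hunk. The enclosing function starts before and ends after this hunk.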
diff -r 64603823dbc5 -r dc8e01bc1e5f sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Tue Nov 29 19:17:03 2011 +0000
+++ b/sys/net/npf/npf_impl.h Tue Nov 29 20:05:30 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.8 2011/11/04 01:00:27 zoltan Exp $ */
+/* $NetBSD: npf_impl.h,v 1.9 2011/11/29 20:05:30 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -100,11 +100,14 @@
* SESSION STATE STRUCTURES
*/
+#define NPF_FLOW_FORW 0
+#define NPF_FLOW_BACK 1
+
typedef struct {
- uint32_t nst_seqend; /* SEQ number + length. */
- uint32_t nst_ackend; /* ACK sequence number + window. */
- uint32_t nst_maxwin; /* Maximum window seen. */
- int nst_wscale; /* Window Scale. */
+ uint32_t nst_end;
+ uint32_t nst_maxend;
+ uint32_t nst_maxwin;
+ int nst_wscale;
} npf_tcpstate_t;
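Review bot: The renamed npf_tcpstate_t fields drop the per-field comments the old definition carried, leaving `nst_end`, `nst_maxend` and `nst_maxwin` undocumented in the header every state-tracking user reads; suggest restoring them, e.g. `uint32_t nst_end; /* highest SEQ + data length seen in this direction */` and `uint32_t nst_maxend; /* upper bound of the window the peer may ACK/send into */`, with the exact semantics taken from npf_state_tcp.c, which is not in this excerpt. NPF_FLOW_FORW and NPF_FLOW_BACK also arrive without a comment; if they index a per-direction state array, `/* Flow direction: 0 = initiator, 1 = responder. */` above them would say so. `nst_wscale` stays an `int` for a value RFC 1323 bounds to 0..14; an unsigned 8-bit type would make that bound explicit, though this is a style point.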
typedef struct {
@@ -148,7 +151,7 @@
bool npf_fetch_tcp(npf_cache_t *, nbuf_t *, void *);
bool npf_fetch_udp(npf_cache_t *, nbuf_t *, void *);