Source-Changes-HG archive
[src/netbsd-6]: src Pull up following revision(s) (requested by rmind in tick...
details: https://anonhg.NetBSD.org/src/rev/8085002381ab
branches: netbsd-6
changeset: 775681:8085002381ab
user: riz <riz%NetBSD.org@localhost>
date: Mon Feb 11 21:49:47 2013 +0000
description:
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library or via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is a SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
diffstat:
lib/libnpf/npf.3 | 58 +-
lib/libnpf/npf.c | 295 +++++++++--
lib/libnpf/npf.h | 24 +-
sys/modules/npf/Makefile | 4 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.c | 161 +-----
sys/net/npf/npf.h | 94 ++-
sys/net/npf/npf_alg.c | 13 +-
sys/net/npf/npf_alg_icmp.c | 12 +-
sys/net/npf/npf_conf.c | 243 +++++++++
sys/net/npf/npf_ctl.c | 474 ++++++++++--------
sys/net/npf/npf_handler.c | 47 +-
sys/net/npf/npf_impl.h | 60 +-
sys/net/npf/npf_inet.c | 12 +-
sys/net/npf/npf_instr.c | 9 +-
sys/net/npf/npf_nat.c | 51 +-
sys/net/npf/npf_ncode.h | 6 +-
sys/net/npf/npf_processor.c | 18 +-
sys/net/npf/npf_rproc.c | 65 ++-
sys/net/npf/npf_ruleset.c | 600 ++++++++++++++++++-----
sys/net/npf/npf_sendpkt.c | 6 +-
sys/net/npf/npf_session.c | 15 +-
sys/net/npf/npf_state.c | 8 +-
sys/net/npf/npf_tableset.c | 19 +-
sys/rump/net/lib/libnpf/Makefile | 6 +-
usr.sbin/npf/npfctl/Makefile | 4 +-
usr.sbin/npf/npfctl/npf.conf.5 | 8 +-
usr.sbin/npf/npfctl/npf_build.c | 134 +++-
usr.sbin/npf/npfctl/npf_disassemble.c | 61 +-
usr.sbin/npf/npfctl/npf_parse.y | 73 ++-
usr.sbin/npf/npfctl/npf_scan.l | 40 +-
usr.sbin/npf/npfctl/npfctl.8 | 29 +-
usr.sbin/npf/npfctl/npfctl.c | 215 ++++++-
usr.sbin/npf/npfctl/npfctl.h | 18 +-
usr.sbin/npf/npftest/Makefile | 1 +
usr.sbin/npf/npftest/README | 4 +-
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c | 61 ++-
usr.sbin/npf/npftest/npftest.conf | 3 +-
usr.sbin/pf/ftp-proxy/Makefile | 8 +-
39 files changed, 2036 insertions(+), 926 deletions(-)
diffs (truncated from 5184 to 300 lines):
diff -r 23ccb88a42c3 -r 8085002381ab lib/libnpf/npf.3
--- a/lib/libnpf/npf.3 Mon Feb 11 21:44:22 2013 +0000
+++ b/lib/libnpf/npf.3 Mon Feb 11 21:49:47 2013 +0000
@@ -1,6 +1,6 @@
-.\" $NetBSD: npf.3,v 1.4.2.2 2013/01/07 16:51:08 riz Exp $
+.\" $NetBSD: npf.3,v 1.4.2.3 2013/02/11 21:49:48 riz Exp $
.\"
-.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 23, 2012
+.Dd January 5, 2013
.Dt NPF 3
.Os
.Sh NAME
@@ -50,12 +50,15 @@
.Ft nl_rule_t *
.Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx"
.Ft int
-.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t sz"
+.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len"
+.Ft int
+.Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len"
.Ft bool
.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name"
.Ft int
-.Fn npf_rule_insert "nl_config_t *ncf" " nl_rule_t *parent" \
-"nl_rule_t *rl" "pri_t pri"
+.Fn npf_rule_insert "nl_config_t *ncf" " nl_rule_t *parent" "nl_rule_t *rl"
+.Ft int
+.Fn npf_rule_setprio "nl_rule_t *rl" "pri_t pri"
.Ft int
.Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name"
.Ft void
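Review bot: the SYNOPSIS entry for npf_rule_setkey names its third argument "const void *code", while the description of the same function further down uses "key"; change the .Fn line to "const void *key" so the two agree. Also, npf_rule_insert loses its "pri_t pri" argument and npf_rule_setprio takes it over, which breaks callers built against the previous signature; the man page should say so (a HISTORY entry or a sentence under npf_rule_insert) rather than silently changing the prototype.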
@@ -123,10 +126,6 @@
Decision of this rule is "pass".
If this attribute is not
specified, then packet "block" (drop) is the default.
-.It Dv NPF_RULE_DEFAULT
-This a default rule in the ruleset.
-There can only be a
-single rule having this attribute set in the ruleset.
.It Dv NPF_RULE_FINAL
Indicates that on rule match, further processing of the
ruleset should be stopped and this rule applied instantly.
@@ -150,21 +149,31 @@
.Xr if_nametoindex 3 .
Zero indicates any interface.
.\" ---
-.It Fn npf_rule_setcode "rl" "type" "code" "sz"
+.It Fn npf_rule_setcode "rl" "type" "code" "len"
Assign compiled code for the rule specified by
.Fa rl ,
used for filter criteria.
Pointer to the binary code is specified by
.Fa code ,
and size of the memory area by
-.Fa sz .
+.Fa len .
Type of the code is specified by
.Fa type .
Currently, only n-code is supported and
-.Dv NPF_CODE_NCODE
+.Dv NPF_CODE_NC
should be passed.
.\" ---
-.It Fn npf_rule_insert "ncf" "parent" "rl" "pri"
+.It Fn npf_rule_setkey "rl" "type" "key" "len"
+Assign a key for the rule specified by
+.Fa rl .
+Binary key is specified by
+.Fa key ,
+and its size by
+.Fa len .
+The size shall not exceed
+.Dv NPF_RULE_MAXKEYLEN .
+.\" ---
+.It Fn npf_rule_insert "ncf" "parent" "rl"
Insert the rule into the set of parent rule specified by
.Fa parent .
If value of
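Review bot: the sentence "Currently, only n-code is supported and NPF_CODE_NC should be passed" is kept unchanged while this pullup's description lists "Initial BPF support as an alternative to n-code"; either document the BPF code type here or state explicitly that BPF cannot yet be passed through npf_rule_setcode. For npf_rule_setkey, "The size shall not exceed NPF_RULE_MAXKEYLEN" does not say what happens when it does; document the return value for an oversized key so callers can check it.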
@@ -172,15 +181,26 @@
is
.Dv NULL ,
then insert into the main ruleset.
+.\" ---
+.It Fn npf_rule_setprio "rl" "pri"
+Set priority to the rule.
+Negative priorities are invalid.
.Pp
Priority is the order of the rule in the ruleset.
Lower value means first to process, higher value - last to process.
-If multiple rules have the same priority - order is unspecified.
-A special constant
-.Dv NPF_PRI_NEXT
-may be passed to use the value of last used priority incremented by 1.
+If multiple rules are inserted with the same priority,
+the order is unspecified.
+.Pp
+The special constants
+.Dv NPF_PRI_FIRST
+and
+.Dv NPF_PRI_LAST
+can be passed to indicate that the rule should be inserted into the
+beginning or the end of the priority level 0 in the ruleset.
+All rules inserted using these constants will have the priority 0
+assigned and will share this level in the ordered way.
.It Fn npf_rule_setproc "ncf" "rl" "name"
-Set procedure for the specified rule.
+Set a procedure for the specified rule.
.It Fn npf_rule_destroy "rl"
Destroy the given rule.
.El
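Review bot: "Negative priorities are invalid" does not state what npf_rule_setprio returns in that case; the error value should be documented. The NPF_PRI_FIRST / NPF_PRI_LAST paragraph also leaves the ordering between rules given an explicit priority of 0 through npf_rule_setprio and rules inserted with these constants unspecified, since all of them "share this level"; one sentence on how the two interleave would remove the ambiguity.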
diff -r 23ccb88a42c3 -r 8085002381ab lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Mon Feb 11 21:44:22 2013 +0000
+++ b/lib/libnpf/npf.c Mon Feb 11 21:49:47 2013 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf.c,v 1.7.2.8 2013/01/07 16:51:08 riz Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.9 2013/02/11 21:49:48 riz Exp $ */
/*-
- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.8 2013/01/07 16:51:08 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.9 2013/02/11 21:49:48 riz Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -54,9 +54,6 @@
prop_array_t ncf_rproc_list;
prop_array_t ncf_table_list;
prop_array_t ncf_nat_list;
- /* Priority counters. */
- pri_t ncf_rule_pri;
- pri_t ncf_nat_pri;
/* Debug information. */
prop_dictionary_t ncf_debug;
/* Error report. */
@@ -83,6 +80,8 @@
prop_dictionary_t nxt_dict;
};
+static prop_array_t _npf_ruleset_transform(prop_array_t);
+
/*
* CONFIGURATION INTERFACE.
*/
@@ -101,9 +100,6 @@
ncf->ncf_table_list = prop_array_create();
ncf->ncf_nat_list = prop_array_create();
- ncf->ncf_rule_pri = 1;
- ncf->ncf_nat_pri = 1;
-
ncf->ncf_plist = NULL;
ncf->ncf_flush = false;
@@ -115,6 +111,7 @@
{
const char *plist = ncf->ncf_plist;
prop_dictionary_t npf_dict;
+ prop_array_t rlset;
int error = 0;
npf_dict = prop_dictionary_create();
@@ -122,7 +119,15 @@
return ENOMEM;
}
prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
- prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
+
+ rlset = _npf_ruleset_transform(ncf->ncf_rules_list);
+ if (rlset == NULL) {
+ prop_object_release(npf_dict);
+ return ENOMEM;
+ }
+ prop_dictionary_set(npf_dict, "rules", rlset);
+ prop_object_release(rlset);
+
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
@@ -205,9 +210,9 @@
prop_dictionary_get_uint32(ncf->ncf_err,
"source-line", &ne->ne_source_line);
prop_dictionary_get_int32(ncf->ncf_err,
- "ncode-error", &ne->ne_ncode_error);
+ "code-error", &ne->ne_ncode_error);
prop_dictionary_get_int32(ncf->ncf_err,
- "ncode-errat", &ne->ne_ncode_errat);
+ "code-errat", &ne->ne_ncode_errat);
}
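Review bot: the dictionary keys change from "ncode-error" / "ncode-errat" to "code-error" / "code-errat" while the nl_error_t fields keep their ne_ncode_error / ne_ncode_errat names. This is a wire-format change between libnpf and the kernel, so it only works when sys/net/npf/npf_ctl.c in the same pullup emits the new keys and the NPF_VERSION bump rejects a mismatched kernel; a comment here noting that dependency would help future pullups, and renaming the struct fields to the new generic naming would keep the two sides consistent.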
void
@@ -254,6 +259,124 @@
}
/*
+ * DYNAMIC RULESET INTERFACE.
+ */
+
+int
+npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uintptr_t *id)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ prop_dictionary_t ret;
+ uint64_t id64;
+ int error;
+
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_ADD);
+ error = prop_dictionary_sendrecv_ioctl(rldict, fd, IOC_NPF_RULE, &ret);
+ if (!error) {
+ prop_dictionary_get_uint64(ret, "id", &id64);
+ *id = (uintptr_t)id64;
+ }
+ return error;
+}
+
+int
+npf_ruleset_remove(int fd, const char *rname, uintptr_t id)
+{
+ prop_dictionary_t rldict;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMOVE);
+ __CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
+ prop_dictionary_set_uint64(rldict, "id", (uint64_t)id);
+ return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+int
+npf_ruleset_remkey(int fd, const char *rname, const void *key, size_t len)
+{
+ prop_dictionary_t rldict;
+ prop_data_t keyobj;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMKEY);
+
+ keyobj = prop_data_create_data(key, len);
+ if (keyobj == NULL) {
+ prop_object_release(rldict);
+ return ENOMEM;
+ }
+ prop_dictionary_set(rldict, "key", keyobj);
+ prop_object_release(keyobj);
+
+ return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+int
+npf_ruleset_flush(int fd, const char *rname)
+{
+ prop_dictionary_t rldict;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_FLUSH);
+ return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
+/*
+ * _npf_ruleset_transform: transform the ruleset representing nested
+ * rules with lists into an array.
+ */
+
+static void
+_npf_ruleset_transform1(prop_array_t rlset, prop_array_t rules)
+{
+ prop_object_iterator_t it;
+ prop_dictionary_t rldict;
+ prop_array_t subrlset;
+
+ it = prop_array_iterator(rules);
+ while ((rldict = prop_object_iterator_next(it)) != NULL) {
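Review bot: in npf_ruleset_add the dictionary returned through `ret` by prop_dictionary_sendrecv_ioctl is never released, and the boolean result of `prop_dictionary_get_uint64(ret, "id", &id64)` is ignored, so a reply without an "id" entry copies an uninitialised id64 into *id; check the lookup and release `ret` before returning. The same function writes "ruleset-name" and "command" into the caller's rl->nrl_dict, so the rule object carries those keys after the call; building the request in a separate dictionary (as npf_ruleset_remove does) or deleting the keys after the ioctl would avoid that side effect. In npf_ruleset_remove, npf_ruleset_remkey and npf_ruleset_flush, the rldict created with prop_dictionary_create is not released after prop_dictionary_send_ioctl, leaking one dictionary per call. The hunk is cut off by the 300-line truncation in the middle of _npf_ruleset_transform1, so the iterator release and the recursion into subrlset could not be reviewed here.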