[src/trunk]: src NPF checkpoint:
details: https://anonhg.NetBSD.org/src/rev/21b942249a69
branches: trunk
changeset: 758608:21b942249a69
user: rmind <rmind%NetBSD.org@localhost>
date: Thu Nov 11 06:30:39 2010 +0000
description:
NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij's paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
diffstat:
sys/modules/npf/Makefile | 4 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.h | 98 +++-
sys/net/npf/npf_alg.c | 33 +-
sys/net/npf/npf_alg_icmp.c | 196 +++++-----
sys/net/npf/npf_ctl.c | 38 +-
sys/net/npf/npf_handler.c | 34 +-
sys/net/npf/npf_impl.h | 82 +++-
sys/net/npf/npf_inet.c | 673 ++++++++++++++++++++++++++------------
sys/net/npf/npf_instr.c | 72 ++--
sys/net/npf/npf_mbuf.c | 29 +-
sys/net/npf/npf_nat.c | 123 +++---
sys/net/npf/npf_ncode.h | 13 +-
sys/net/npf/npf_processor.c | 6 +-
sys/net/npf/npf_ruleset.c | 51 ++-
sys/net/npf/npf_sendpkt.c | 89 +---
sys/net/npf/npf_session.c | 348 +++++++++----------
sys/net/npf/npf_state.c | 316 ++++++++++++++++++
sys/net/npf/npf_tableset.c | 6 +-
usr.sbin/npf/npfctl/npf_data.c | 28 +-
usr.sbin/npf/npfctl/npf_ncgen.c | 7 +-
usr.sbin/npf/npfctl/npf_parser.c | 69 +++-
usr.sbin/npf/npfctl/npfctl.c | 17 +-
usr.sbin/npf/npfctl/npfctl.h | 5 +-
24 files changed, 1541 insertions(+), 799 deletions(-)
diffs (truncated from 3871 to 300 lines):
diff -r 947cf09b28cb -r 21b942249a69 sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile Thu Nov 11 04:51:18 2010 +0000
+++ b/sys/modules/npf/Makefile Thu Nov 11 06:30:39 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.2 2010/09/16 04:53:27 rmind Exp $
+# $NetBSD: Makefile,v 1.3 2010/11/11 06:30:39 rmind Exp $
.include "../Makefile.inc"
@@ -8,6 +8,6 @@
SRCS= npf.c npf_ctl.c npf_handler.c npf_instr.c npf_mbuf.c
SRCS+= npf_processor.c npf_ruleset.c npf_tableset.c npf_inet.c
-SRCS+= npf_session.c npf_nat.c npf_sendpkt.c npf_alg.c
+SRCS+= npf_session.c npf_state.c npf_nat.c npf_alg.c npf_sendpkt.c
.include <bsd.kmodule.mk>
diff -r 947cf09b28cb -r 21b942249a69 sys/net/npf/files.npf
--- a/sys/net/npf/files.npf Thu Nov 11 04:51:18 2010 +0000
+++ b/sys/net/npf/files.npf Thu Nov 11 06:30:39 2010 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.2 2010/09/16 04:53:27 rmind Exp $
+# $NetBSD: files.npf,v 1.3 2010/11/11 06:30:39 rmind Exp $
#
# Public Domain.
#
@@ -20,6 +20,7 @@
file net/npf/npf_tableset.c npf
file net/npf/npf_inet.c npf
file net/npf/npf_session.c npf
+file net/npf/npf_state.c npf
file net/npf/npf_nat.c npf
file net/npf/npf_alg.c npf
file net/npf/npf_sendpkt.c npf
diff -r 947cf09b28cb -r 21b942249a69 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Thu Nov 11 04:51:18 2010 +0000
+++ b/sys/net/npf/npf.h Thu Nov 11 06:30:39 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.3 2010/09/25 00:25:31 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.4 2010/11/11 06:30:39 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -66,36 +66,57 @@
typedef void nbuf_t;
+#if defined(_KERNEL) || defined(_NPF_TESTING)
+
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+
+/*
+ * Storage of address, both IPv4 and IPv6.
+ */
+typedef struct in6_addr npf_addr_t;
+
/*
* Packet information cache.
*/
-#define NPC_IP46 0x01 /* IPv4,6 packet with known protocol. */
-#define NPC_IP6VER 0x02 /* If NPI_IP46, then: 0 - IPv4, 1 - IPv6. */
-#define NPC_ADDRS 0x04 /* Known source and destination addresses. */
-#define NPC_PORTS 0x08 /* Known ports (for TCP/UDP cases). */
-#define NPC_ICMP 0x10 /* ICMP with known type and code. */
-#define NPC_ICMP_ID 0x20 /* ICMP with query ID. */
+#define NPC_IP4 0x01 /* Indicates fetched IPv4 header. */
+#define NPC_IP6 0x02 /* Indicates IPv6 header. */
+#define NPC_IPFRAG 0x04 /* IPv4 fragment. */
+#define NPC_LAYER4 0x08 /* Layer 4 has been fetched. */
-/* XXX: Optimise later, pack in unions, perhaps bitfields, etc. */
+#define NPC_TCP 0x10 /* TCP header. */
+#define NPC_UDP 0x20 /* UDP header. */
+#define NPC_ICMP 0x40 /* ICMP header. */
+#define NPC_ICMP_ID 0x80 /* ICMP with query ID. */
+
+#define NPC_IP46 (NPC_IP4|NPC_IP6)
+
typedef struct {
+ /* Information flags and packet direction. */
uint32_t npc_info;
- int npc_dir;
- /* NPC_IP46 */
- uint8_t npc_proto;
- uint16_t npc_hlen;
- uint16_t npc_ipsum;
- /* NPC_ADDRS */
- in_addr_t npc_srcip;
- in_addr_t npc_dstip;
- /* NPC_PORTS */
- in_port_t npc_sport;
- in_port_t npc_dport;
- uint8_t npc_tcp_flags;
- /* NPC_ICMP */
- uint8_t npc_icmp_type;
- uint8_t npc_icmp_code;
- uint16_t npc_icmp_id;
+ int npc_di;
+ /* Pointers to the IP v4/v6 addresses. */
+ npf_addr_t * npc_srcip;
+ npf_addr_t * npc_dstip;
+ /* Size (v4 or v6) of IP addresses. */
+ int npc_ipsz;
+ /* IPv4, IPv6. */
+ union {
+ struct ip v4;
+ struct ip6_hdr v6;
+ } npc_ip;
+ /* TCP, UDP, ICMP. */
+ union {
+ struct tcphdr tcp;
+ struct udphdr udp;
+ struct icmp icmp;
+ } npc_l4;
} npf_cache_t;
static inline bool
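Review bot: The new `npc_srcip`/`npc_dstip` members are bare pointers with no note on what they point to or how long that stays valid; if, as the embedded `npc_ip` union suggests, they point into the cache's own header copy, then copying an `npf_cache_t` by value (for example into a session record) leaves the copy's pointers aimed at the original. A comment at the declaration would pin this down, e.g. `/* Point into npc_ip (or the nbuf) -- not valid across a struct copy; re-derive after copying. */`, to be confirmed against the filling code in npf_inet.c, which is outside this hunk. The `NPC_IP4` comment says "fetched IPv4 header" while `NPC_IP6` says only "IPv6 header"; wording both the same way avoids the reader wondering whether `npc_ip.v6` is actually populated.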
@@ -105,12 +126,20 @@
return __predict_true((npc->npc_info & inf) != 0);
}
-#if defined(_KERNEL) || defined(_NPF_TESTING)
+static inline int
+npf_cache_ipproto(const npf_cache_t *npc)
+{
+ const struct ip *ip = &npc->npc_ip.v4;
+
+ KASSERT(npf_iscached(npc, NPC_IP46));
+ return ip->ip_p;
+}
/* Network buffer interface. */
void * nbuf_dataptr(void *);
void * nbuf_advance(nbuf_t **, void *, u_int);
int nbuf_advfetch(nbuf_t **, void **, u_int, size_t, void *);
+int nbuf_advstore(nbuf_t **, void **, u_int, size_t, void *);
int nbuf_fetch_datum(nbuf_t *, void *, size_t, void *);
int nbuf_store_datum(nbuf_t *, void *, size_t, void *);
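Review bot: `npf_cache_ipproto` asserts only `NPC_IP46` (either bit set) and then unconditionally reads `npc_ip.v4.ip_p`, so for a packet cached with `NPC_IP6` it returns a byte from the IPv4 overlay of the `ip6_hdr` rather than the next-header field, and a firewall that misreads the transport protocol will apply the wrong rules. Since this checkpoint starts populating the IPv6 side, the accessor should branch on the flag, e.g. `if (npf_iscached(npc, NPC_IP6)) return npc->npc_ip.v6.ip6_nxt;` ahead of the IPv4 read, with the caveat that `ip6_nxt` names only the first header after the fixed one, not necessarily the transport protocol once extension headers are present. Alternatively tighten the assertion to `NPC_IP4` until IPv6 is actually handled, so the mismatch fails loudly under DIAGNOSTIC instead of silently misclassifying.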
@@ -118,30 +147,31 @@
int nbuf_find_tag(nbuf_t *, uint32_t, void **);
/* Ruleset interface. */
-npf_rule_t * npf_rule_alloc(int, pri_t, int, void *, size_t);
+npf_rule_t * npf_rule_alloc(int, pri_t, int, void *, size_t, bool, int, int);
void npf_rule_free(npf_rule_t *);
void npf_activate_rule(npf_rule_t *);
void npf_deactivate_rule(npf_rule_t *);
npf_hook_t * npf_hook_register(npf_rule_t *,
- void (*)(const npf_cache_t *, void *), void *);
+ void (*)(npf_cache_t *, nbuf_t *, void *), void *);
void npf_hook_unregister(npf_rule_t *, npf_hook_t *);
#endif /* _KERNEL */
/* Rule attributes. */
#define NPF_RULE_PASS 0x0001
-#define NPF_RULE_COUNT 0x0002
+#define NPF_RULE_DEFAULT 0x0002
#define NPF_RULE_FINAL 0x0004
-#define NPF_RULE_LOG 0x0008
-#define NPF_RULE_DEFAULT 0x0010
-#define NPF_RULE_KEEPSTATE 0x0020
+#define NPF_RULE_KEEPSTATE 0x0008
+#define NPF_RULE_COUNT 0x0010
+#define NPF_RULE_LOG 0x0020
#define NPF_RULE_RETRST 0x0040
#define NPF_RULE_RETICMP 0x0080
+#define NPF_RULE_NORMALIZE 0x0100
-#define NPF_RULE_IN 0x1000
-#define NPF_RULE_OUT 0x2000
-#define NPF_RULE_DIMASK 0x3000
+#define NPF_RULE_IN 0x10000000
+#define NPF_RULE_OUT 0x20000000
+#define NPF_RULE_DIMASK (NPF_RULE_IN | NPF_RULE_OUT)
/* Address translation types and flags. */
#define NPF_NATIN 1
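Review bot: The widened prototype `npf_rule_t * npf_rule_alloc(int, pri_t, int, void *, size_t, bool, int, int);` now has eight unnamed parameters, three of them a trailing `bool, int, int` that give a caller no hint which is which; naming them in the prototype (the description suggests they carry the new normalisation settings -- ID randomisation, minimum TTL, maximum MSS -- but the hunk does not show that) or passing the per-rule normalisation settings as one struct would make a misordered call visible at review time. Note also that the `NPF_RULE_*` bit values are renumbered here (COUNT, LOG, DEFAULT, KEEPSTATE, IN, OUT); these are presumably what npfctl hands to the kernel, so a kernel and an npfctl built from different revisions would silently disagree on rule attributes. A comment marking this block as part of the kernel/userland interface would at least flag that for the next change.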
diff -r 947cf09b28cb -r 21b942249a69 sys/net/npf/npf_alg.c
--- a/sys/net/npf/npf_alg.c Thu Nov 11 04:51:18 2010 +0000
+++ b/sys/net/npf/npf_alg.c Thu Nov 11 06:30:39 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg.c,v 1.1 2010/08/22 18:56:22 rmind Exp $ */
+/* $NetBSD: npf_alg.c,v 1.2 2010/11/11 06:30:39 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -31,16 +31,15 @@
/*
* NPF interface for application level gateways (ALGs).
+ *
+ * XXX: locking
*/
-#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.2 2010/11/11 06:30:39 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
-#endif
-
#include <sys/kmem.h>
#include <sys/pool.h>
#include <net/pfil.h>
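Review bot: The added `XXX: locking` in the file header says locking is missing without saying what is unprotected; in this file `nat_alg_list` (marked `__read_mostly` in the next hunk) is walked with `LIST_FOREACH` from the ALG match and session-id lookups shown further down, and presumably from `npf_alg_exec`, while `npf_alg_register` inserts into it, so a registration or unregistration racing with packet processing traverses a list under modification. Spelling the hazard out keeps the next reader from taking it for a performance note, e.g. `XXX: nat_alg_list is traversed from the packet path without synchronisation; registration/unregistration must not race with traversal.` Dropping the `#ifdef _KERNEL` around the system includes also appears to remove the option of building this file outside the kernel unless the `_NPF_TESTING` path seen in npf.h covers it; worth a sentence if that is intended.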
@@ -50,14 +49,14 @@
/* NAT ALG structure for registration. */
struct npf_alg {
LIST_ENTRY(npf_alg) na_entry;
- void * na_ptr;
+ npf_alg_t * na_bptr;
npf_algfunc_t na_match_func;
npf_algfunc_t na_out_func;
npf_algfunc_t na_in_func;
npf_algfunc_t na_seid_func;
};
-static LIST_HEAD(, npf_alg) nat_alg_list;
+static LIST_HEAD(, npf_alg) nat_alg_list __read_mostly;
void
npf_alg_sysinit(void)
@@ -85,7 +84,7 @@
npf_alg_t *alg;
alg = kmem_alloc(sizeof(npf_alg_t), KM_SLEEP);
- alg->na_ptr = alg;
+ alg->na_bptr = alg;
alg->na_match_func = match;
alg->na_out_func = out;
alg->na_in_func = in;
@@ -114,7 +113,10 @@
return 0;
}
-void
+/*
+ * npf_alg_match: call ALG matching inspectors, determine if any ALG matches.
+ */
+bool
npf_alg_match(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt)
{
npf_alg_t *alg;
@@ -122,15 +124,15 @@
LIST_FOREACH(alg, &nat_alg_list, na_entry) {
func = alg->na_match_func;
- if (__predict_true(func != NULL)) {
- func(npc, nbuf, nt);
- return;
+ if (func && func(npc, nbuf, nt)) {
+ return true;
}
}
+ return false;
}
/*
- * npf_alg_exec: execute in/out inspection hooks of each ALG.
+ * npf_alg_exec: execute ALG hooks for translation.
*/
void
npf_alg_exec(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, const int di)
@@ -157,10 +159,7 @@
LIST_FOREACH(alg, &nat_alg_list, na_entry) {
func = alg->na_seid_func;
- if (__predict_true(func == NULL)) {
- continue;
- }
- if (func(npc, nbuf, key)) {
+ if (func && func(npc, nbuf, (npf_nat_t *)key)) {
return true;
}
}
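Review bot: The new call `func(npc, nbuf, (npf_nat_t *)key)` casts `key` to `npf_nat_t *` only to satisfy the shared `npf_algfunc_t` signature; the session-id hook evidently receives something other than a NAT entry (the enclosing function's signature, which declares `key`, starts before this hunk), and every ALG implementing `na_seid_func` must cast it back with no type check. Either give the session-id hook its own function-pointer type or document the convention at the cast, e.g. `/* na_seid_func reuses npf_algfunc_t: third argument is the session key, not a NAT entry; the callee casts it back. */`.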
diff -r 947cf09b28cb -r 21b942249a69 sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Thu Nov 11 04:51:18 2010 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Thu Nov 11 06:30:39 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.3 2010/09/25 00:25:31 rmind Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.4 2010/11/11 06:30:39 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -33,13 +33,11 @@
* NPF ALG for ICMP and traceroute translations.
*/
-#ifdef _KERNEL