[src/trunk]: src/sys - Split NPF rule procedure code into a separate module (...
details: https://anonhg.NetBSD.org/src/rev/b29b720a6a8d
branches: trunk
changeset: 773572:b29b720a6a8d
user: rmind <rmind%NetBSD.org@localhost>
date: Mon Feb 06 23:30:14 2012 +0000
description:
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
diffstat:
sys/modules/npf/Makefile | 6 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.h | 11 +--
sys/net/npf/npf_handler.c | 62 +++++++++------
sys/net/npf/npf_impl.h | 5 +-
sys/net/npf/npf_rproc.c | 133 ++++++++++++++++++++++++++++++++++
sys/net/npf/npf_ruleset.c | 178 +++++----------------------------------------
7 files changed, 198 insertions(+), 200 deletions(-)
diffs (truncated from 626 to 300 lines):
diff -r ce083acd4661 -r b29b720a6a8d sys/modules/npf/Makefile
--- a/sys/modules/npf/Makefile Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/modules/npf/Makefile Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.8 2011/11/29 20:05:30 rmind Exp $
+# $NetBSD: Makefile,v 1.9 2012/02/06 23:30:14 rmind Exp $
.include "../Makefile.inc"
@@ -8,8 +8,8 @@
SRCS= npf.c npf_alg.c npf_ctl.c npf_handler.c
SRCS+= npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
-SRCS+= npf_processor.c npf_ruleset.c npf_sendpkt.c npf_session.c
-SRCS+= npf_state.c npf_state_tcp.c npf_tableset.c
+SRCS+= npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
+SRCS+= npf_session.c npf_state.c npf_state_tcp.c npf_tableset.c
CPPFLAGS+= -DINET6
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/files.npf
--- a/sys/net/npf/files.npf Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/files.npf Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.5 2011/11/29 20:05:30 rmind Exp $
+# $NetBSD: files.npf,v 1.6 2012/02/06 23:30:14 rmind Exp $
#
# Public Domain.
#
@@ -17,6 +17,7 @@
file net/npf/npf_mbuf.c npf
file net/npf/npf_processor.c npf
file net/npf/npf_ruleset.c npf
+file net/npf/npf_rproc.c npf
file net/npf/npf_tableset.c npf
file net/npf/npf_inet.c npf
file net/npf/npf_session.c npf
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/npf.h Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.13 2012/02/05 00:37:13 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.14 2012/02/06 23:30:14 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -68,10 +68,7 @@
typedef void nbuf_t;
struct npf_rproc;
-struct npf_hook;
-
typedef struct npf_rproc npf_rproc_t;
-typedef struct npf_hook npf_hook_t;
/*
* Packet information cache.
@@ -215,12 +212,6 @@
int nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
int nbuf_find_tag(nbuf_t *, uint32_t, void **);
-#if 0
-npf_hook_t * npf_hook_register(npf_rule_t *,
- void (*)(npf_cache_t *, nbuf_t *, void *), void *);
-void npf_hook_unregister(npf_rule_t *, npf_hook_t *);
-#endif
-
#endif /* _KERNEL */
/* Rule attributes. */
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/npf_handler.c Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -166,9 +166,12 @@
goto block;
}
- /* Get rule procedure for assocation and/or execution. */
+ /*
+ * Get the rule procedure (acquires a reference) for assocation
+ * with a session (if any) and execution.
+ */
KASSERT(rp == NULL);
- rp = npf_rproc_return(rl);
+ rp = npf_rule_getrproc(rl);
/* Apply the rule, release the lock. */
error = npf_rule_apply(&npc, nbuf, rl, &retfl);
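Review bot: The comment added just above the `KASSERT(rp == NULL)` misspells "association" as "assocation", and the comment added in the next hunk of this file ("the reference to the rule procedure is transfered to the session") misspells "transferred"; these two comments are the only statement of the reference-ownership contract for `npf_rule_getrproc`, so it is worth getting the wording right now. I would also make the ownership explicit at this point, since the release happens far away at `out:`: `/* Get the rule procedure (acquires a reference) for association with a session, if any, and for execution. The caller owns this reference until it is transferred to the session or released at out:. */`. The enclosing function begins before this hunk and ends in a later hunk of the same file.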
@@ -185,6 +188,10 @@
error = ENOMEM;
goto out;
}
+ /*
+ * Note: the reference to the rule procedure is transfered to
+ * the session. It will be released on session destruction.
+ */
npf_session_setpass(se, rp);
}
pass:
@@ -195,44 +202,47 @@
error = npf_do_nat(&npc, se, nbuf, ifp, di);
block:
/*
- * Perform rule procedure, if any.
+ * Execute rule procedure, if any.
*/
if (rp) {
npf_rproc_run(&npc, nbuf, rp, error);
}
out:
- /* Release the reference on session, or rule procedure. */
+ /*
+ * Release the reference on a session. Release the reference on a
+ * rule procedure only if there was no association.
+ */
if (se) {
npf_session_release(se);
} else if (rp) {
- npf_rproc_release(rp); /* XXXkmem */
+ npf_rproc_release(rp);
}
- /*
- * If error is set - drop the packet.
- * Normally, ENETUNREACH is used for "block".
- */
- if (error) {
- /*
- * Depending on flags and protocol, return TCP reset (RST)
- * or ICMP destination unreachable
- */
- if (retfl) {
- npf_return_block(&npc, nbuf, retfl);
- }
- if (error != ENETUNREACH) {
- NPF_PRINTF(("NPF: error in handler '%d'\n", error));
- npf_stats_inc(NPF_STAT_ERROR);
- }
- m_freem(*mp);
- *mp = NULL;
- } else {
+ /* Pass the packet, if no error. */
+ if (!error) {
/*
* XXX: Disable for now, it will be set accordingly later,
* for optimisations (to reduce inspection).
*/
(*mp)->m_flags &= ~M_CANFASTFWD;
+ return 0;
}
+
+ /*
+ * Block the packet. ENETUNREACH is used to indicate blocking.
+ * Depending on the flags and protocol, return TCP reset (RST) or
+ * ICMP destination unreachable.
+ */
+ if (retfl) {
+ npf_return_block(&npc, nbuf, retfl);
+ }
+ if (error != ENETUNREACH) {
+ NPF_PRINTF(("NPF: error in handler '%d'\n", error));
+ npf_stats_inc(NPF_STAT_ERROR);
+ }
+ m_freem(*mp);
+ *mp = NULL;
+
return error;
}
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Mon Feb 06 17:51:47 2012 +0000
+++ b/sys/net/npf/npf_impl.h Mon Feb 06 23:30:14 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.9 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.10 2012/02/06 23:30:14 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -226,9 +226,10 @@
npf_ruleset_t * npf_rule_subset(npf_rule_t *);
npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
void npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
+npf_rproc_t * npf_rule_getrproc(npf_rule_t *);
npf_rproc_t * npf_rproc_create(prop_dictionary_t);
-npf_rproc_t * npf_rproc_return(npf_rule_t *);
+void npf_rproc_acquire(npf_rproc_t *);
void npf_rproc_release(npf_rproc_t *);
void npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int);
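Review bot: The new prototypes `npf_rule_getrproc()` and `npf_rproc_acquire()` are added without any statement of reference semantics, even though the handler change in this commit relies on `npf_rule_getrproc()` returning an acquired reference that is later either transferred to a session or dropped with `npf_rproc_release()`. A short comment on the declaration would keep callers from leaking or double-releasing: `/* Returns the rule's procedure with a reference held, or NULL; the caller must npf_rproc_release() it or transfer it to a session. */`. The NULL case is inferred from the `if (rp)` test in the handler rather than from this header, so confirm it against npf_ruleset.c.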
diff -r ce083acd4661 -r b29b720a6a8d sys/net/npf/npf_rproc.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/net/npf/npf_rproc.c Mon Feb 06 23:30:14 2012 +0000
@@ -0,0 +1,133 @@
+/* $NetBSD: npf_rproc.c,v 1.1 2012/02/06 23:30:14 rmind Exp $ */
+
+/*-
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This material is based upon work partially supported by The
+ * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * NPF rule procedure interface.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD");
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+
+#include <sys/atomic.h>
+#include <sys/kmem.h>
+#include <sys/types.h>
+
+#include "npf_impl.h"
+
+#define NPF_RNAME_LEN 16
+
+/* Rule procedure structure. */
+struct npf_rproc {
+ /* Name. */
+ char rp_name[NPF_RNAME_LEN];
+ /* Reference count. */
+ u_int rp_refcnt;
+ uint32_t rp_flags;
+ /* Normalisation options. */
+ bool rp_rnd_ipid;
+ bool rp_no_df;
+ u_int rp_minttl;
+ u_int rp_maxmss;
+ /* Logging interface. */
+ u_int rp_log_ifid;
+};
+
+npf_rproc_t *
+npf_rproc_create(prop_dictionary_t rpdict)
+{
+ npf_rproc_t *rp;
+ const char *rname;
+
+ rp = kmem_zalloc(sizeof(npf_rproc_t), KM_SLEEP);
+ rp->rp_refcnt = 1;
+
+ /* Name and flags. */
+ prop_dictionary_get_cstring_nocopy(rpdict, "name", &rname);
+ strlcpy(rp->rp_name, rname, NPF_RNAME_LEN);
+ prop_dictionary_get_uint32(rpdict, "flags", &rp->rp_flags);
+
+ /* Logging interface ID (integer). */
+ prop_dictionary_get_uint32(rpdict, "log-interface", &rp->rp_log_ifid);
+
+ /* IP ID randomisation and IP_DF flag cleansing. */
+ prop_dictionary_get_bool(rpdict, "randomize-id", &rp->rp_rnd_ipid);
+ prop_dictionary_get_bool(rpdict, "no-df", &rp->rp_no_df);
+
+ /* Minimum IP TTL and maximum TCP MSS. */
+ prop_dictionary_get_uint32(rpdict, "min-ttl", &rp->rp_minttl);
+ prop_dictionary_get_uint32(rpdict, "max-mss", &rp->rp_maxmss);
+
+ return rp;