[src/trunk]: src - Rework NPF tables and fix support for IPv6. Implement tre...
details: https://anonhg.NetBSD.org/src/rev/3e7cad83105f
branches: trunk
changeset: 780194:3e7cad83105f
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Jul 15 00:22:58 2012 +0000
description:
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix a few bugs when using kernel modules and handle module autounloader.
- A few other fixes and misc cleanups.
- Bump the version.
diffstat:
lib/libnpf/npf.c | 11 +-
lib/libnpf/npf.h | 5 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.c | 9 +-
sys/net/npf/npf.h | 11 +-
sys/net/npf/npf_alg.c | 10 +-
sys/net/npf/npf_alg_icmp.c | 10 +-
sys/net/npf/npf_ctl.c | 25 +-
sys/net/npf/npf_handler.c | 11 +-
sys/net/npf/npf_impl.h | 22 +-
sys/net/npf/npf_inet.c | 22 +-
sys/net/npf/npf_instr.c | 16 +-
sys/net/npf/npf_nat.c | 22 +-
sys/net/npf/npf_ruleset.c | 24 +-
sys/net/npf/npf_sendpkt.c | 6 +-
sys/net/npf/npf_session.c | 74 +++--
sys/net/npf/npf_state_tcp.c | 8 +-
sys/net/npf/npf_tableset.c | 320 ++++++++++++----------
sys/net/npf/npf_tableset_ptree.c | 183 +++++++++++++
sys/rump/dev/lib/libnpf/Makefile | 5 +-
usr.sbin/npf/npfctl/npf_build.c | 26 +-
usr.sbin/npf/npfctl/npf_data.c | 56 ++-
usr.sbin/npf/npfctl/npf_disassemble.c | 5 +-
usr.sbin/npf/npfctl/npf_ncgen.c | 5 +-
usr.sbin/npf/npfctl/npf_parse.y | 3 +-
usr.sbin/npf/npfctl/npfctl.c | 113 +++++--
usr.sbin/npf/npfctl/npfctl.h | 5 +-
usr.sbin/npf/npftest/libnpftest/npf_table_test.c | 108 ++++++-
28 files changed, 759 insertions(+), 359 deletions(-)
diffs (truncated from 2277 to 300 lines):
diff -r 7492d4d71bd7 -r 3e7cad83105f lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sun Jul 15 00:16:28 2012 +0000
+++ b/lib/libnpf/npf.c Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.9 2012/07/01 23:21:07 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.10 2012/07/15 00:22:59 rmind Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.9 2012/07/01 23:21:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.10 2012/07/15 00:22:59 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -614,7 +614,8 @@
}
int
-npf_table_add_entry(nl_table_t *tl, npf_addr_t *addr, npf_netmask_t mask)
+npf_table_add_entry(nl_table_t *tl, const int alen,
+ const npf_addr_t *addr, const npf_netmask_t mask)
{
prop_dictionary_t tldict = tl->ntl_dict, entdict;
prop_array_t tblents;
@@ -622,10 +623,10 @@
/* Create the table entry. */
entdict = prop_dictionary_create();
- if (entdict) {
+ if (entdict == NULL) {
return ENOMEM;
}
- addrdata = prop_data_create_data(addr, sizeof(npf_addr_t));
+ addrdata = prop_data_create_data(addr, alen);
prop_dictionary_set(entdict, "addr", addrdata);
prop_dictionary_set_uint8(entdict, "mask", mask);
prop_object_release(addrdata);
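Review bot: `alen` is used as the byte count that prop_data_create_data() reads from `addr`, yet nothing in the function relates it to the size of the object behind `addr`; a caller passing a length larger than sizeof(npf_addr_t) over-reads the address, and a negative value converts to a huge size_t on the way in. A guard before the entry is created keeps that check in one place: `if (alen <= 0 || (size_t)alen > sizeof(npf_addr_t)) return EINVAL;`. The signature of npf_table_add_entry is in the previous hunk and its body continues past this one.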
diff -r 7492d4d71bd7 -r 3e7cad83105f lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Sun Jul 15 00:16:28 2012 +0000
+++ b/lib/libnpf/npf.h Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.8 2012/07/01 23:21:07 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.9 2012/07/15 00:22:59 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -96,7 +96,8 @@
int npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
nl_table_t * npf_table_create(u_int, int);
-int npf_table_add_entry(nl_table_t *, npf_addr_t *, npf_netmask_t);
+int npf_table_add_entry(nl_table_t *, const int,
+ const npf_addr_t *, const npf_netmask_t);
bool npf_table_exists_p(nl_config_t *, u_int);
int npf_table_insert(nl_config_t *, nl_table_t *);
void npf_table_destroy(nl_table_t *);
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/files.npf
--- a/sys/net/npf/files.npf Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/files.npf Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.6 2012/02/06 23:30:14 rmind Exp $
+# $NetBSD: files.npf,v 1.7 2012/07/15 00:22:59 rmind Exp $
#
# Public Domain.
#
@@ -19,6 +19,7 @@
file net/npf/npf_ruleset.c npf
file net/npf/npf_rproc.c npf
file net/npf/npf_tableset.c npf
+file net/npf/npf_tableset_ptree.c npf
file net/npf/npf_inet.c npf
file net/npf/npf_session.c npf
file net/npf/npf_state.c npf
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/npf.c Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.11 2012/06/22 13:43:17 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.12 2012/07/15 00:23:00 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.11 2012/06/22 13:43:17 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.12 2012/07/15 00:23:00 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -170,6 +170,11 @@
return npf_init();
case MODULE_CMD_FINI:
return npf_fini();
+ case MODULE_CMD_AUTOUNLOAD:
+ if (npf_pfil_registered_p() || !npf_default_pass()) {
+ return EBUSY;
+ }
+ break;
default:
return ENOTTY;
}
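Review bot: The autounload guard reads npf_pfil_registered_p() and npf_default_pass() without any lock visible in the hunk; if a configuration load can run concurrently with MODULE_CMD_AUTOUNLOAD, the ruleset may change between this check and the unload proceeding, so it is worth confirming that the module framework serializes the two or else taking the core lock around the check. The intent of the two conditions is also not stated; a one-line comment such as `/* Refuse autounload while pfil hooks are attached or a non-default config appears to be loaded. */` would make the refusal criteria explicit. The enclosing modcmd function starts and ends outside this hunk.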
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/npf.h Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.18 2012/07/01 23:21:06 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.19 2012/07/15 00:23:00 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#define NPF_VERSION 4
+#define NPF_VERSION 5
/*
* Public declarations and definitions.
@@ -94,7 +94,7 @@
npf_addr_t * npc_srcip;
npf_addr_t * npc_dstip;
/* Size (v4 or v6) of IP addresses. */
- int npc_ipsz;
+ int npc_alen;
u_int npc_hlen;
int npc_next_proto;
/* IPv4, IPv6. */
@@ -188,6 +188,7 @@
typedef struct npf_ioctl_table {
int nct_action;
u_int nct_tid;
+ int nct_alen;
npf_addr_t nct_addr;
npf_netmask_t nct_mask;
} npf_ioctl_table_t;
@@ -216,6 +217,10 @@
/* Rule procedure cases. */
NPF_STAT_RPROC_LOG,
NPF_STAT_RPROC_NORM,
+ /* Fragments. */
+ NPF_STAT_FRAGMENTS,
+ NPF_STAT_REASSEMBLY,
+ NPF_STAT_REASSFAIL,
/* Other errors. */
NPF_STAT_ERROR,
/* Count (last). */
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/npf_alg.c
--- a/sys/net/npf/npf_alg.c Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/npf_alg.c Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg.c,v 1.4 2012/06/22 13:43:17 rmind Exp $ */
+/* $NetBSD: npf_alg.c,v 1.5 2012/07/15 00:23:00 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.4 2012/06/22 13:43:17 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.5 2012/07/15 00:23:00 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -115,9 +115,11 @@
pserialize_perform(nat_alg_psz);
mutex_exit(&nat_alg_lock);
- npf_nat_freealg(alg);
+ npf_core_enter();
+ npf_ruleset_freealg(npf_core_natset(), alg);
+ npf_core_exit();
+
kmem_free(alg, sizeof(npf_alg_t));
-
return 0;
}
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/npf_alg_icmp.c
--- a/sys/net/npf/npf_alg_icmp.c Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/npf_alg_icmp.c Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.9 2012/02/20 00:18:19 rmind Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.10 2012/07/15 00:23:00 rmind Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.9 2012/02/20 00:18:19 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.10 2012/07/15 00:23:00 rmind Exp $");
#include <sys/param.h>
#include <sys/module.h>
@@ -101,6 +101,8 @@
return npf_alg_icmp_init();
case MODULE_CMD_FINI:
return npf_alg_icmp_fini();
+ case MODULE_CMD_AUTOUNLOAD:
+ return EBUSY;
default:
return ENOTTY;
}
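Review bot: Returning EBUSY unconditionally for MODULE_CMD_AUTOUNLOAD means this ALG module can never be autounloaded, but the hunk gives no reason, so a later reader may be tempted to mirror the conditional check used in npf.c. A short comment would pin the intent, e.g. `/* Never autounload: the ALG stays registered with NAT until an explicit unload. */` — adjust the wording if the actual reason differs. The enclosing modcmd function begins and ends outside this hunk.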
@@ -278,7 +280,7 @@
KASSERT(npf_iscached(key, NPC_IP46));
KASSERT(npf_iscached(key, NPC_LAYER4));
npfa_srcdst_invert(key);
- key->npc_ipsz = npc->npc_ipsz;
+ key->npc_alen = npc->npc_alen;
return true;
}
@@ -325,7 +327,7 @@
cksum = npf_fixup16_cksum(cksum, uh->uh_sport, port);
l4cksum = uh->uh_sum;
}
- cksum = npf_addr_cksum(cksum, enpc.npc_ipsz, enpc.npc_srcip, addr);
+ cksum = npf_addr_cksum(cksum, enpc.npc_alen, enpc.npc_srcip, addr);
/*
* Save the original pointers to the main IP header and then advance
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/npf_ctl.c Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.15 2012/05/30 21:38:03 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.16 2012/07/15 00:23:00 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.15 2012/05/30 21:38:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.16 2012/07/15 00:23:00 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -135,12 +135,15 @@
while ((ent = prop_object_iterator_next(eit)) != NULL) {
const npf_addr_t *addr;
npf_netmask_t mask;
+ int alen;
/* Get address and mask. Add a table entry. */
- addr = (const npf_addr_t *)prop_data_data_nocopy(
- prop_dictionary_get(ent, "addr"));
+ prop_object_t obj = prop_dictionary_get(ent, "addr");
+ addr = (const npf_addr_t *)prop_data_data_nocopy(obj);
prop_dictionary_get_uint8(ent, "mask", &mask);
- error = npf_table_add_cidr(tblset, tid, addr, mask);
+ alen = prop_data_size(obj);
+
+ error = npf_table_insert(tblset, tid, alen, addr, mask);
if (error)
break;
}
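Review bot: The address length and mask come from the caller-supplied dictionary and are used without validation: `prop_dictionary_get(ent, "addr")` may return NULL or a non-data object, in which case prop_data_data_nocopy() yields NULL and prop_data_size() yields 0, and the return value of prop_dictionary_get_uint8() is ignored, so `mask` (declared uninitialized in this hunk) is used as-is when the key is absent. Nothing here restricts `alen` to an IPv4 or IPv6 address length either, and the same unchecked `nct->nct_alen` from the user ioctl struct is handed to npf_table_insert/remove/lookup in the hunk at line 692 of this file. Unless npf_table_insert() and its siblings reject other lengths themselves (npf_tableset.c is not in this excerpt), the length should be pinned before the table code receives it. The enclosing function starts and ends outside this hunk.
```c
	while ((ent = prop_object_iterator_next(eit)) != NULL) {
		const npf_addr_t *addr;
		npf_netmask_t mask;
		int alen;

		/* Get address and mask; reject malformed entries up front. */
		prop_object_t obj = prop_dictionary_get(ent, "addr");
		if (prop_object_type(obj) != PROP_TYPE_DATA ||
		    !prop_dictionary_get_uint8(ent, "mask", &mask)) {
			error = EINVAL;
			break;
		}
		addr = (const npf_addr_t *)prop_data_data_nocopy(obj);
		alen = prop_data_size(obj);
		if (alen != sizeof(struct in_addr) &&
		    alen != sizeof(struct in6_addr)) {
			error = EINVAL;
			break;
		}

		error = npf_table_insert(tblset, tid, alen, addr, mask);
		/* … unchanged: break on error … */
	}
```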
@@ -689,16 +692,16 @@
tblset = npf_core_tableset();
switch (nct->nct_action) {
case NPF_IOCTL_TBLENT_ADD:
- error = npf_table_add_cidr(tblset, nct->nct_tid,
- &nct->nct_addr, nct->nct_mask);
+ error = npf_table_insert(tblset, nct->nct_tid,
+ nct->nct_alen, &nct->nct_addr, nct->nct_mask);
break;
case NPF_IOCTL_TBLENT_REM:
- error = npf_table_rem_cidr(tblset, nct->nct_tid,
- &nct->nct_addr, nct->nct_mask);
+ error = npf_table_remove(tblset, nct->nct_tid,
+ nct->nct_alen, &nct->nct_addr, nct->nct_mask);
break;
default:
- error = npf_table_match_addr(tblset, nct->nct_tid,
- &nct->nct_addr);
+ error = npf_table_lookup(tblset, nct->nct_tid,
+ nct->nct_alen, &nct->nct_addr);
}
npf_core_exit(); /* XXXSMP */
return error;
diff -r 7492d4d71bd7 -r 3e7cad83105f sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Sun Jul 15 00:16:28 2012 +0000
+++ b/sys/net/npf/npf_handler.c Sun Jul 15 00:22:58 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.19 2012/07/02 06:55:58 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.20 2012/07/15 00:23:00 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@