[src/trunk]: src NPF checkpoint:
details: https://anonhg.NetBSD.org/src/rev/80c4c9cd778e
branches: trunk
changeset: 761596:80c4c9cd778e
user: rmind <rmind%NetBSD.org@localhost>
date: Wed Feb 02 02:20:24 2011 +0000
description:
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: the next clean-up step should be a parser, once dholland@ finishes it.
- Add more documentation.
- Various fixes.
diffstat:
dist/pf/usr.sbin/ftp-proxy/filter.c | 68 +--
dist/pf/usr.sbin/ftp-proxy/filter.h | 45 +-
dist/pf/usr.sbin/ftp-proxy/ftp-proxy.c | 94 +++--
dist/pf/usr.sbin/ftp-proxy/ipf.c | 27 +-
dist/pf/usr.sbin/ftp-proxy/npf.c | 337 ++++++++++++++++++++
distrib/sets/lists/base/ad.mips64eb | 6 +-
distrib/sets/lists/base/ad.mips64el | 6 +-
distrib/sets/lists/base/md.amd64 | 4 +-
distrib/sets/lists/base/md.sparc64 | 4 +-
distrib/sets/lists/base/shl.mi | 5 +-
distrib/sets/lists/comp/ad.mips64eb | 10 +-
distrib/sets/lists/comp/ad.mips64el | 10 +-
distrib/sets/lists/comp/md.amd64 | 8 +-
distrib/sets/lists/comp/md.sparc64 | 7 +-
distrib/sets/lists/comp/mi | 10 +-
distrib/sets/lists/comp/shl.mi | 3 +-
distrib/sets/lists/etc/mi | 3 +-
etc/defaults/rc.conf | 3 +-
etc/mtree/special | 3 +-
etc/rc.d/Makefile | 4 +-
etc/rc.d/npf | 61 +++
lib/Makefile | 6 +-
lib/libnpf/Makefile | 20 +
lib/libnpf/npf.3 | 290 +++++++++++++++++
lib/libnpf/npf.c | 544 +++++++++++++++++++++++++++++++++
lib/libnpf/npf.h | 98 +++++
lib/libnpf/shlib_version | 5 +
sys/net/npf/npf.c | 7 +-
sys/net/npf/npf.h | 53 +-
sys/net/npf/npf_ctl.c | 187 +++++++----
sys/net/npf/npf_handler.c | 13 +-
sys/net/npf/npf_impl.h | 26 +-
sys/net/npf/npf_nat.c | 63 ++-
sys/net/npf/npf_ruleset.c | 155 ++++----
sys/net/npf/npf_session.c | 12 +-
sys/net/npf/npf_tableset.c | 20 +-
usr.sbin/npf/npfctl/Makefile | 6 +-
usr.sbin/npf/npfctl/npf.conf.5 | 52 ++-
usr.sbin/npf/npfctl/npf_data.c | 346 ++------------------
usr.sbin/npf/npfctl/npf_parser.c | 213 +++++++-----
usr.sbin/npf/npfctl/npfctl.c | 18 +-
usr.sbin/npf/npfctl/npfctl.h | 37 +-
usr.sbin/pf/ftp-proxy/Makefile | 9 +-
43 files changed, 2091 insertions(+), 807 deletions(-)
diffs (truncated from 4624 to 300 lines):
diff -r 808695cc7168 -r 80c4c9cd778e dist/pf/usr.sbin/ftp-proxy/filter.c
--- a/dist/pf/usr.sbin/ftp-proxy/filter.c Tue Feb 01 23:40:12 2011 +0000
+++ b/dist/pf/usr.sbin/ftp-proxy/filter.c Wed Feb 02 02:20:24 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: filter.c,v 1.2 2008/06/18 09:06:26 yamt Exp $ */
+/* $NetBSD: filter.c,v 1.3 2011/02/02 02:20:26 rmind Exp $ */
/* $OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */
/*
@@ -36,16 +36,26 @@
#include "filter.h"
-#if defined(__NetBSD__) && defined(WITH_IPF)
-#include "ipf.h"
-#endif /* __NetBSD__ && WITH_IPF */
-
/* From netinet/in.h, but only _KERNEL_ gets them. */
#define satosin(sa) ((struct sockaddr_in *)(sa))
#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
+#define FTP_PROXY_ANCHOR "ftp-proxy"
+
enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE };
+int add_filter(u_int32_t, u_int8_t, struct sockaddr *, struct sockaddr *,
+ u_int16_t);
+int add_nat(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
+ struct sockaddr *, u_int16_t, u_int16_t);
+int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
+ struct sockaddr *, u_int16_t);
+int do_commit(void);
+int do_rollback(void);
+void init_filter(char *, char *, int);
+int prepare_commit(u_int32_t);
+int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
+
int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *,
u_int16_t);
int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
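Review bot: The prototypes moved into filter.c here (add_filter through server_lookup) are not declared `static`, so they stay external symbols even though the only consumer left in this file is the `pf_fprx_ops` table defined further down. If the new npf.c or the reworked ipf.c define same-named functions for their own ops tables, these will collide at link time; in any case the file-local interface should read `static int add_filter(u_int32_t, u_int8_t, struct sockaddr *, struct sockaddr *, u_int16_t);` and so on, with the corresponding definitions also marked `static`. `FTP_PROXY_ANCHOR` now lives here without any explanation of what it names; a one-line comment such as `/* pf anchor that this backend installs its per-session rules under. */` would help, if that is indeed its use.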
@@ -60,14 +70,21 @@
static int dev, rule_log;
static char *qname, *tagname;
+const ftp_proxy_ops_t pf_fprx_ops = {
+ .init_filter = init_filter,
+ .add_filter = add_filter,
+ .add_nat = add_nat,
+ .add_rdr = add_rdr,
+ .server_lookup = server_lookup,
+ .prepare_commit = prepare_commit,
+ .do_commit = do_commit,
+ .do_rollback = do_rollback
+};
+
int
add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
struct sockaddr *dst, u_int16_t d_port)
{
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_add_filter(id, dir, src, dst, d_port);
-#endif /* __NetBSD__ && WITH_IPF */
if (!src || !dst || !d_port) {
errno = EINVAL;
@@ -89,11 +106,6 @@
u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low,
u_int16_t nat_range_high)
{
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_add_nat(id, src, dst, d_port, nat, nat_range_low,
- nat_range_high);
-#endif /* __NetBSD__ && WITH_IPF */
if (!src || !dst || !d_port || !nat || !nat_range_low ||
(src->sa_family != nat->sa_family)) {
@@ -128,10 +140,6 @@
add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port)
{
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_add_rdr(id, src, dst, d_port, rdr, rdr_port);
-#endif /* __NetBSD__ && WITH_IPF */
if (!src || !dst || !d_port || !rdr || !rdr_port ||
(src->sa_family != rdr->sa_family)) {
@@ -164,10 +172,6 @@
int
do_commit(void)
{
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_do_commit();
-#endif /* __NetBSD__ && WITH_IPF */
if (ioctl(dev, DIOCXCOMMIT, &pft) == -1)
return (-1);
@@ -178,10 +182,6 @@
int
do_rollback(void)
{
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_do_rollback();
-#endif /* __NetBSD__ && WITH_IPF */
if (ioctl(dev, DIOCXROLLBACK, &pft) == -1)
return (-1);
@@ -194,13 +194,6 @@
{
struct pf_status status;
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled) {
- ipf_init_filter(opt_qname, opt_tagname, opt_verbose);
- return;
- }
-#endif /* __NetBSD__ && WITH_IPF */
-
qname = opt_qname;
tagname = opt_tagname;
@@ -224,11 +217,6 @@
char an[PF_ANCHOR_NAME_SIZE];
int i;
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_prepare_commit(id);
-#endif /* __NetBSD__ && WITH_IPF */
-
memset(&pft, 0, sizeof pft);
pft.size = TRANS_SIZE;
pft.esize = sizeof pfte[0];
@@ -364,10 +352,6 @@
server_lookup(struct sockaddr *client, struct sockaddr *proxy,
struct sockaddr *server)
{
-#if defined(__NetBSD__) && defined(WITH_IPF)
- if (ipf_enabled)
- return ipf_server_lookup(client, proxy, server);
-#endif /* __NetBSD__ && WITH_IPF */
if (client->sa_family == AF_INET)
return (server_lookup4(satosin(client), satosin(proxy),
diff -r 808695cc7168 -r 80c4c9cd778e dist/pf/usr.sbin/ftp-proxy/filter.h
--- a/dist/pf/usr.sbin/ftp-proxy/filter.h Tue Feb 01 23:40:12 2011 +0000
+++ b/dist/pf/usr.sbin/ftp-proxy/filter.h Wed Feb 02 02:20:24 2011 +0000
@@ -1,5 +1,4 @@
-/* $NetBSD: filter.h,v 1.2 2008/06/18 09:06:26 yamt Exp $ */
-/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
+/* $NetBSD: filter.h,v 1.3 2011/02/02 02:20:26 rmind Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd%sentia.nl@localhost>
@@ -17,16 +16,34 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#define FTP_PROXY_ANCHOR "ftp-proxy"
+#ifndef _FTP_PROXY_FILTER_H_
+#define _FTP_PROXY_FILTER_H_
-int add_filter(u_int32_t, u_int8_t, struct sockaddr *, struct sockaddr *,
- u_int16_t);
-int add_nat(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
- struct sockaddr *, u_int16_t, u_int16_t);
-int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
- struct sockaddr *, u_int16_t);
-int do_commit(void);
-int do_rollback(void);
-void init_filter(char *, char *, int);
-int prepare_commit(u_int32_t);
-int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
+typedef struct {
+ void (*init_filter)(char *, char *, int);
+ int (*add_filter)(uint32_t, uint8_t, struct sockaddr *,
+ struct sockaddr *, uint16_t);
+ int (*add_nat)(uint32_t, struct sockaddr *, struct sockaddr *,
+ uint16_t, struct sockaddr *, u_int16_t, u_int16_t);
+ int (*add_rdr)(uint32_t, struct sockaddr *, struct sockaddr *,
+ uint16_t, struct sockaddr *, uint16_t);
+ int (*server_lookup)(struct sockaddr *, struct sockaddr *,
+ struct sockaddr *);
+ int (*prepare_commit)(u_int32_t);
+ int (*do_commit)(void);
+ int (*do_rollback)(void);
+} ftp_proxy_ops_t;
+
+extern const ftp_proxy_ops_t pf_fprx_ops;
+
+#if defined(__NetBSD__) && defined(WITH_NPF)
+extern const ftp_proxy_ops_t npf_fprx_ops;
+extern const char * netif;
+#endif
+
+#if defined(__NetBSD__) && defined(WITH_IPF)
+extern const ftp_proxy_ops_t ipf_fprx_ops;
+extern char * npfopts;
+#endif
+
+#endif
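Review bot: The two extern declarations at the end of the new header look crossed: `netif` is declared only under `WITH_NPF`, yet the `-i` handling in ftp-proxy.c assigns `netif = optarg` inside a `WITH_IPF` block, while `npfopts` is declared only under `WITH_IPF`. A build with exactly one of the two backends enabled will therefore see the wrong declaration; presumably the blocks should be `#if defined(__NetBSD__) && defined(WITH_NPF)` / `extern const ftp_proxy_ops_t npf_fprx_ops; extern char * npfopts;` and `#if defined(__NetBSD__) && defined(WITH_IPF)` / `extern const ftp_proxy_ops_t ipf_fprx_ops; extern const char * netif;`. The ops typedef also mixes `uint32_t`/`uint16_t` with `u_int16_t`/`u_int32_t` in the same signatures (add_nat, prepare_commit); picking one family keeps the header's include requirements clear, since `uint32_t` needs `<stdint.h>` and `u_int32_t` needs `<sys/types.h>`, and neither is included here.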
diff -r 808695cc7168 -r 80c4c9cd778e dist/pf/usr.sbin/ftp-proxy/ftp-proxy.c
--- a/dist/pf/usr.sbin/ftp-proxy/ftp-proxy.c Tue Feb 01 23:40:12 2011 +0000
+++ b/dist/pf/usr.sbin/ftp-proxy/ftp-proxy.c Wed Feb 02 02:20:24 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ftp-proxy.c,v 1.3 2009/07/13 19:05:39 roy Exp $ */
+/* $NetBSD: ftp-proxy.c,v 1.4 2011/02/02 02:20:26 rmind Exp $ */
/* $OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */
/*
@@ -45,10 +45,6 @@
#include "filter.h"
-#if defined(__NetBSD__) && defined(WITH_IPF)
-#include "ipf.h"
-#endif /* __NetBSD__ && WITH_IPF */
-
#define CONNECT_TIMEOUT 30
#define MIN_PORT 1024
#define MAX_LINE 500
@@ -134,9 +130,8 @@
rfc_mode, session_count, timeout, verbose;
extern char *__progname;
-#if defined(__NetBSD__) && defined(WITH_IPF)
-int ipf_enabled = 0;
-#endif /* __NetBSD__ && WITH_IPF */
+/* Default: PF operations. */
+static const ftp_proxy_ops_t * fops = &pf_fprx_ops;
void
client_error(struct bufferevent *bufev, short what, void *arg)
@@ -321,11 +316,11 @@
/* Remove rulesets by commiting empty ones. */
error = 0;
- if (prepare_commit(s->id) == -1)
+ if (fops->prepare_commit(s->id) == -1)
error = errno;
- else if (do_commit() == -1) {
+ else if (fops->do_commit() == -1) {
error = errno;
- do_rollback();
+ fops->do_rollback();
}
if (error)
logmsg(LOG_ERR, "#%d pf rule removal failed: %s", s->id,
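Review bot: The error message below the rewritten calls still reads "pf rule removal failed", but the calls now go through `fops`, which may be the NPF or IPFilter backend; an operator correlating this log line with the wrong packet filter will look in the wrong place. Make the message backend-neutral, e.g. `logmsg(LOG_ERR, "#%d filter rule removal failed: %s", s->id,`, or have the ops table carry a name that the message can print. The enclosing function starts and ends outside this hunk.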
@@ -451,7 +446,7 @@
strerror(errno));
goto fail;
}
- if (server_lookup(client_sa, client_to_proxy_sa, server_sa) != 0) {
+ if (fops->server_lookup(client_sa, client_to_proxy_sa, server_sa)) {
logmsg(LOG_CRIT, "#%d server lookup failed (no rdr?)", s->id);
goto fail;
}
@@ -643,11 +638,12 @@
id_count = 1;
session_count = 0;
-#if defined(__NetBSD__) && defined(WITH_IPF)
- while ((ch = getopt(argc, argv, "6Aa:b:D:di:m:P:p:q:R:rT:t:v")) != -1) {
-#else
- while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
-#endif /* __NetBSD__ && WITH_IPF */
+#if defined(__NetBSD__)
+/* Note: both for IPFilter and NPF. */
+#define NBSD_OPTS "i:N:"
+#endif
+ while ((ch = getopt(argc, argv,
+ "6Aa:b:D:d" NBSD_OPTS "m:P:p:q:R:rT:t:v")) != -1) {
switch (ch) {
case '6':
ipv6_mode = 1;
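Review bot: `NBSD_OPTS` is defined only under `#if defined(__NetBSD__)`, so on any other platform the string concatenation in the getopt call becomes `"6Aa:b:D:d" NBSD_OPTS "m:..."` with an undefined identifier and fails to compile; this is dist/pf code shared with non-NetBSD builds, so the conditional needs an empty fallback: `#else` / `#define NBSD_OPTS ""` before the `#endif`. Note also that on NetBSD the `i:` and `N:` letters are now accepted by getopt regardless of whether `WITH_IPF` or `WITH_NPF` is compiled in; the `case` bodies that follow start in the next hunk, which is cut off here, so check that an unsupported `-i`/`-N` falls through to usage rather than being silently ignored. Defining a macro inside the function body is also unusual for this file; the other option constants live at file scope next to `CONNECT_TIMEOUT`.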
@@ -670,17 +666,23 @@
case 'd':
daemonize = 0;
break;
+ case 'i':
#if defined(__NetBSD__) && defined(WITH_IPF)
- case 'i':
- ipf_enabled = 1;
+ fops = &ipf_fprx_ops;
netif = optarg;
+#endif
break;
-#endif /* __NetBSD__ && WITH_IPF */
case 'm':
max_sessions = strtonum(optarg, 1, 500, &errstr);
if (errstr)
errx(1, "max sessions %s", errstr);
break;
+ case 'N':
+#if defined(__NetBSD__) && defined(WITH_NPF)
+ fops = &npf_fprx_ops;