[src/netbsd-6]: src Pull up following revision(s) (requested by rmind in tick...
details: https://anonhg.NetBSD.org/src/rev/f6b345cf50b7
branches: netbsd-6
changeset: 775511:f6b345cf50b7
user: riz <riz%NetBSD.org@localhost>
date: Sat Nov 24 04:34:41 2012 +0000
description:
Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For reference, see "Reflection Scan: an Off-Path Attack
on TCP" by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
diffstat:
sys/net/npf/npf.c | 8 +-
sys/net/npf/npf.h | 24 +-
sys/net/npf/npf_ctl.c | 23 +-
sys/net/npf/npf_impl.h | 11 +-
sys/net/npf/npf_state_tcp.c | 29 +-
sys/net/npf/npf_tableset.c | 238 ++++++++++++++--------
usr.sbin/npf/npfctl/npf_disassemble.c | 31 +--
usr.sbin/npf/npfctl/npfctl.8 | 21 +-
usr.sbin/npf/npfctl/npfctl.c | 151 +++++++++++---
usr.sbin/npf/npfctl/npfctl.h | 3 +-
usr.sbin/npf/npftest/libnpftest/npf_table_test.c | 54 ++--
11 files changed, 371 insertions(+), 222 deletions(-)
diffs (truncated from 1117 to 300 lines):
diff -r 253d231e9706 -r f6b345cf50b7 sys/net/npf/npf.c
--- a/sys/net/npf/npf.c Sat Nov 24 04:23:27 2012 +0000
+++ b/sys/net/npf/npf.c Sat Nov 24 04:34:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7.2.5 2012/11/19 09:44:42 msaitoh Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.6 2012/11/24 04:34:42 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.5 2012/11/19 09:44:42 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.6 2012/11/24 04:34:42 riz Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -303,7 +303,9 @@
rw_enter(&npf_lock, RW_WRITER);
onc = atomic_swap_ptr(&npf_core, nc);
if (onc) {
- /* Reload only necessary NAT policies. */
+ /* Reload only the static tables. */
+ npf_tableset_reload(tset, onc->n_tables);
+ /* Reload only the necessary NAT policies. */
npf_ruleset_natreload(nset, onc->n_nat_rules);
}
/* Unlock. Everything goes "live" now. */
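Review bot: `npf_tableset_reload(tset, onc->n_tables)` is declared void in the npf_impl.h hunk of this same commit, so if carrying the old static-table entries into the new tableset can fail part-way (an allocation, for instance) the caller here cannot notice and would drop the writer lock and go live with a partially populated table. Either the function's contract should state that it cannot fail, or it should return an error that this path checks before the swap is committed; which of the two applies is not visible from this hunk. `tset` and the remainder of the enclosing function lie outside the hunk, so whether `tset` is the tableset `nc` already points to cannot be confirmed here.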
diff -r 253d231e9706 -r f6b345cf50b7 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sat Nov 24 04:23:27 2012 +0000
+++ b/sys/net/npf/npf.h Sat Nov 24 04:34:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.7 2012/11/18 22:38:26 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.8 2012/11/24 04:34:42 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#define NPF_VERSION 6
+#define NPF_VERSION 7
/*
* Public declarations and definitions.
@@ -211,15 +211,29 @@
* IOCTL structures.
*/
+#define NPF_IOCTL_TBLENT_LOOKUP 0
#define NPF_IOCTL_TBLENT_ADD 1
#define NPF_IOCTL_TBLENT_REM 2
+#define NPF_IOCTL_TBLENT_LIST 3
+
+typedef struct npf_ioctl_ent {
+ int alen;
+ npf_addr_t addr;
+ npf_netmask_t mask;
+} npf_ioctl_ent_t;
+
+typedef struct npf_ioctl_buf {
+ void * buf;
+ size_t len;
+} npf_ioctl_buf_t;
typedef struct npf_ioctl_table {
int nct_action;
u_int nct_tid;
- int nct_alen;
- npf_addr_t nct_addr;
- npf_netmask_t nct_mask;
+ union {
+ npf_ioctl_ent_t ent;
+ npf_ioctl_buf_t buf;
+ } nct_data;
} npf_ioctl_table_t;
typedef enum {
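Review bot: `npf_ioctl_buf_t` gives no hint that `buf` is an address supplied by and belonging to user space, yet in the npf_ctl.c hunk `nct->nct_data.buf.buf` and `.len` are handed straight from the ioctl argument to `npf_table_list`, so presumably the kernel writes up to `len` bytes there. Since this header is the kernel/userland ABI, the fields deserve a comment such as `void * buf; /* user-space output buffer */` and `size_t len; /* capacity of buf in bytes */`; the same should be stated on the new `npf_table_list` prototype in the npf_impl.h hunk, so that the implementation is not mistaken for one taking a kernel pointer. Embedding a pointer in the union also makes `sizeof(npf_ioctl_table_t)` differ between 32- and 64-bit ABIs, which matters if a compat path exists; the NPF_VERSION bump covers the layout change for same-width callers.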
diff -r 253d231e9706 -r f6b345cf50b7 sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sat Nov 24 04:23:27 2012 +0000
+++ b/sys/net/npf/npf_ctl.c Sat Nov 24 04:34:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.12.2.5 2012/11/18 22:38:26 riz Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.12.2.6 2012/11/24 04:34:42 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.5 2012/11/18 22:38:26 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.6 2012/11/24 04:34:42 riz Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -710,24 +710,33 @@
int
npfctl_table(void *data)
{
- npf_ioctl_table_t *nct = data;
+ const npf_ioctl_table_t *nct = data;
npf_tableset_t *tblset;
int error;
npf_core_enter(); /* XXXSMP */
tblset = npf_core_tableset();
switch (nct->nct_action) {
+ case NPF_IOCTL_TBLENT_LOOKUP:
+ error = npf_table_lookup(tblset, nct->nct_tid,
+ nct->nct_data.ent.alen, &nct->nct_data.ent.addr);
case NPF_IOCTL_TBLENT_ADD:
error = npf_table_insert(tblset, nct->nct_tid,
- nct->nct_alen, &nct->nct_addr, nct->nct_mask);
+ nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
+ nct->nct_data.ent.mask);
break;
case NPF_IOCTL_TBLENT_REM:
error = npf_table_remove(tblset, nct->nct_tid,
- nct->nct_alen, &nct->nct_addr, nct->nct_mask);
+ nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
+ nct->nct_data.ent.mask);
+ break;
+ case NPF_IOCTL_TBLENT_LIST:
+ error = npf_table_list(tblset, nct->nct_tid,
+ nct->nct_data.buf.buf, nct->nct_data.buf.len);
break;
default:
- error = npf_table_lookup(tblset, nct->nct_tid,
- nct->nct_alen, &nct->nct_addr);
+ error = EINVAL;
+ break;
}
npf_core_exit(); /* XXXSMP */
return error;
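Review bot: The new `case NPF_IOCTL_TBLENT_LOOKUP:` has no `break;`, so after `npf_table_lookup` runs, control falls through into `NPF_IOCTL_TBLENT_ADD` and inserts the entry that was only meant to be looked up, and `error` is then overwritten by the insert's result. A lookup request from userland therefore mutates the table. Add `break;` immediately after the `npf_table_lookup(...)` call, matching the other cases. Separately, `nct->nct_data.buf.len` in the LIST case is user-controlled, so `npf_table_list` (not in view) must bound its writes to that length and check the copyout result.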
diff -r 253d231e9706 -r f6b345cf50b7 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Sat Nov 24 04:23:27 2012 +0000
+++ b/sys/net/npf/npf_impl.h Sat Nov 24 04:34:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.10.2.9 2012/11/18 22:38:26 riz Exp $ */
+/* $NetBSD: npf_impl.h,v 1.10.2.10 2012/11/24 04:34:42 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -81,11 +81,9 @@
typedef struct npf_session npf_session_t;
struct npf_sehash;
-struct npf_tblent;
struct npf_table;
typedef struct npf_sehash npf_sehash_t;
-typedef struct npf_tblent npf_tblent_t;
typedef struct npf_table npf_table_t;
typedef npf_table_t * npf_tableset_t;
@@ -208,15 +206,11 @@
npf_tableset_t *npf_tableset_create(void);
void npf_tableset_destroy(npf_tableset_t *);
int npf_tableset_insert(npf_tableset_t *, npf_table_t *);
-npf_tableset_t *npf_tableset_reload(npf_tableset_t *);
+void npf_tableset_reload(npf_tableset_t *, npf_tableset_t *);
npf_table_t * npf_table_create(u_int, int, size_t);
void npf_table_destroy(npf_table_t *);
-void npf_table_ref(npf_table_t *);
-void npf_table_unref(npf_table_t *);
-npf_table_t * npf_table_get(npf_tableset_t *, u_int);
-void npf_table_put(npf_table_t *);
int npf_table_check(const npf_tableset_t *, u_int, int);
int npf_table_insert(npf_tableset_t *, u_int,
const int, const npf_addr_t *, const npf_netmask_t);
@@ -224,6 +218,7 @@
const int, const npf_addr_t *, const npf_netmask_t);
int npf_table_lookup(npf_tableset_t *, u_int,
const int, const npf_addr_t *);
+int npf_table_list(npf_tableset_t *, u_int, void *, size_t);
/* Ruleset interface. */
npf_ruleset_t * npf_ruleset_create(void);
diff -r 253d231e9706 -r f6b345cf50b7 sys/net/npf/npf_state_tcp.c
--- a/sys/net/npf/npf_state_tcp.c Sat Nov 24 04:23:27 2012 +0000
+++ b/sys/net/npf/npf_state_tcp.c Sat Nov 24 04:34:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_state_tcp.c,v 1.3.2.5 2012/07/25 20:45:24 jdc Exp $ */
+/* $NetBSD: npf_state_tcp.c,v 1.3.2.6 2012/11/24 04:34:42 riz Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.3.2.5 2012/07/25 20:45:24 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.3.2.6 2012/11/24 04:34:42 riz Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -94,6 +94,8 @@
[NPF_TCPS_TIME_WAIT] = 60 * 2 * 2,
};
+static bool npf_strict_order_rst __read_mostly = false;
+
#define NPF_TCP_MAXACKWIN 66000
/*
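Review bot: `npf_strict_order_rst` is initialised to false and nothing in this diff ever sets it, so the strict in-order RST check it guards in the later hunk of this file (`if (npf_strict_order_rst && (fstate->nst_end - seq) > 1)`) is compiled in but inactive by default. If it is meant to be a tunable it needs a sysctl or similar knob, and until then a comment should say so, e.g. `/* Strict in-order SEQ for RST segments; off by default, no runtime knob yet. */`. Whether it is toggled somewhere outside this diff is not visible here.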
@@ -391,17 +393,20 @@
/* Workaround for some TCP stacks. */
ack = tstate->nst_end;
}
- if (seq == end) {
- /* If packet contains no data - assume it is valid. */
- end = fstate->nst_end;
- seq = end;
+
+ if (__predict_false(tcpfl & TH_RST)) {
+ /* RST to the initial SYN may have zero SEQ - fix it up. */
+ if (seq == 0 && nst->nst_state == NPF_TCPS_SYN_SENT) {
+ end = fstate->nst_end;
+ seq = end;
+ }
+
+ /* Strict in-order sequence for RST packets. */
+ if (npf_strict_order_rst && (fstate->nst_end - seq) > 1) {
+ return false;
+ }
}
-#if 0
- /* Strict in-order sequence for RST packets. */
- if ((tcpfl & TH_RST) != 0 && (fstate->nst_end - seq) > 1) {
- return false;
- }
-#endif
+
/*
* Determine whether the data is within previously noted window,
* that is, upper boundary for valid data (I).
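Review bot: The removed `if (seq == end)` branch exempted every data-less segment from the window checks that follow, while the new code keeps that shortcut only for a zero-SEQ RST in NPF_TCPS_SYN_SENT, so pure ACKs now undergo the same sequence validation; that is the off-path hardening the description mentions, but nothing in the code records it, and a future reader may well reintroduce the shortcut. A comment before the RST block would preserve the intent: `/* Data-less segments are no longer assumed valid: their SEQ/ACK must also fit the window (see "Reflection Scan", Wrobel). */`. The surrounding function (presumably npf_tcp_inwindow, per the description) and the window comparison itself start and end outside the hunk.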
diff -r 253d231e9706 -r f6b345cf50b7 sys/net/npf/npf_tableset.c
--- a/sys/net/npf/npf_tableset.c Sat Nov 24 04:23:27 2012 +0000
+++ b/sys/net/npf/npf_tableset.c Sat Nov 24 04:34:41 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_tableset.c,v 1.9.2.5 2012/08/13 17:49:52 riz Exp $ */
+/* $NetBSD: npf_tableset.c,v 1.9.2.6 2012/11/24 04:34:41 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -32,13 +32,16 @@
/*
* NPF tableset module.
*
- * TODO:
- * - Dynamic hash growing/shrinking (i.e. re-hash functionality), maybe?
- * - Dynamic array resize.
+ * Notes
+ *
+ * The tableset is an array of tables. After the creation, the array
+ * is immutable. The caller is responsible to synchronise the access
+ * to the tableset. The table can either be a hash or a tree. Its
+ * entries are protected by a read-write lock.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9.2.5 2012/08/13 17:49:52 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9.2.6 2012/11/24 04:34:41 riz Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -58,14 +61,14 @@
* Table structures.
*/
-struct npf_tblent {
+typedef struct npf_tblent {
union {
LIST_ENTRY(npf_tblent) hashq;
pt_node_t node;
} te_entry;
int te_alen;
npf_addr_t te_addr;
-};
+} npf_tblent_t;
LIST_HEAD(npf_hashl, npf_tblent);
@@ -74,12 +77,15 @@
/* Lock and reference count. */
krwlock_t t_lock;
u_int t_refcnt;
+ /* Total number of items. */
+ u_int t_nitems;
/* Table ID. */
u_int t_id;
/* The storage type can be: a) hash b) tree. */
int t_type;
struct npf_hashl * t_hashl;
u_long t_hashmask;