
[src/trunk]: src - Add NPF version check in proplist as well, not only ioctl....



details:   https://anonhg.NetBSD.org/src/rev/56f0d12154d5
branches:  trunk
changeset: 783465:56f0d12154d5
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sun Dec 23 21:01:03 2012 +0000

description:
- Add NPF version check in proplist as well, not only ioctl.  Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages.  Misc.

diffstat:

 lib/libnpf/npf.3                |  38 +++++++++++++-------------------------
 lib/libnpf/npf.c                |  29 +++++++++++++++++++++--------
 lib/libnpf/npf.h                |  12 ++++++------
 sys/net/npf/npf.h               |   4 ++--
 sys/net/npf/npf_ctl.c           |  13 ++++++++++---
 usr.sbin/npf/npfctl/npf.conf.5  |   7 +++++--
 usr.sbin/npf/npfctl/npf_build.c |   7 ++++---
 usr.sbin/npf/npfctl/npfctl.c    |   6 +++---
 8 files changed, 64 insertions(+), 52 deletions(-)

diffs (truncated from 356 to 300 lines):

diff -r a28fac44e45d -r 56f0d12154d5 lib/libnpf/npf.3
--- a/lib/libnpf/npf.3  Sun Dec 23 18:34:01 2012 +0000
+++ b/lib/libnpf/npf.3  Sun Dec 23 21:01:03 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.3,v 1.5 2012/07/01 23:21:07 rmind Exp $
+.\"    $NetBSD: npf.3,v 1.6 2012/12/23 21:01:05 rmind Exp $
 .\"
 .\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd July 1, 2012
+.Dd December 23, 2012
 .Dt NPF 3
 .Os
 .Sh NAME
@@ -77,20 +77,14 @@
 .Ft nl_table_t *
 .Fn npf_table_create "u_int id" "int type"
 .Ft int
-.Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
+.Fn npf_table_add_entry "nl_table_t *tl" "int "af" \
+"in_addr_t addr" "in_addr_t mask"
 .Ft bool
 .Fn npf_table_exists_p "nl_config_t *ncf" "u_int tid"
 .Ft int
 .Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl"
 .Ft void
 .Fn npf_table_destroy "nl_table_t *tl"
-.\" ---
-.Ft int
-.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
-.Ft int
-.Fn npf_sessions_send "int fd" "const char *fpath"
-.Ft int
-.Fn npf_sessions_recv "int fd" "const char *fpath"
 .\" -----
 .Sh DESCRIPTION
 The
@@ -261,13 +255,20 @@
 which should be in the range between 1 and
 .Dv NPF_MAX_TABLE_ID .
 .El
-.It Fn npf_table_add_entry "tl" "addr" "mask"
-Add an entry of IPv4 address and mask, specified by
+.It Fn npf_table_add_entry "tl" "af" "addr" "mask"
+Add an entry of IP address and mask, specified by
 .Fa addr
 and
 .Fa mask ,
 to the table specified by
 .Fa tl .
+Family, specified by
+.Fa fa ,
+must be either
+.Dv AF_INET
+for IPv4 or
+.Dv AF_INET6
+for IPv6 address.
 .It Fn npf_table_exists_p "ncf" "name"
 Determine whether table with ID
 .Fa tid
@@ -285,19 +286,6 @@
 Destroy the specified table.
 .El
 .\" -----
-.Ss Session interface
-.Bl -tag -width 4n
-.It Fn npf_update_rule "fd" "rname" "rl"
-.It Fn npf_sessions_send "fd" "fpath"
-Read the file specified by
-.Fa fpath ,
-and send sessions saved in it to the kernel.
-.It Fn npf_sessions_recv "fd" "fpath"
-Receive currently loaded session from the kernel, and save them to a file
-specified by
-.Fa fpath .
-.El
-.\" -----
 .Sh SEE ALSO
 .Xr npfctl 8 ,
 .Xr npf_ncode 9
diff -r a28fac44e45d -r 56f0d12154d5 lib/libnpf/npf.c
--- a/lib/libnpf/npf.c  Sun Dec 23 18:34:01 2012 +0000
+++ b/lib/libnpf/npf.c  Sun Dec 23 21:01:03 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.c,v 1.14 2012/10/28 16:27:20 rmind Exp $   */
+/*     $NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $   */
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.14 2012/10/28 16:27:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -121,14 +121,15 @@
        if (npf_dict == NULL) {
                return ENOMEM;
        }
-       if (ncf->ncf_debug) {
-               prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
-       }
+       prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
        prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
        prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
        prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
        prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
        prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
+       if (ncf->ncf_debug) {
+               prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
+       }
 
        if (plist) {
                if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
@@ -664,24 +665,36 @@
 }
 
 int
-npf_table_add_entry(nl_table_t *tl, const int alen,
-    const npf_addr_t *addr, const npf_netmask_t mask)
+npf_table_add_entry(nl_table_t *tl, int af, const npf_addr_t *addr,
+    const npf_netmask_t mask)
 {
        prop_dictionary_t tldict = tl->ntl_dict, entdict;
        prop_array_t tblents;
        prop_data_t addrdata;
+       unsigned alen;
 
        /* Create the table entry. */
        entdict = prop_dictionary_create();
        if (entdict == NULL) {
                return ENOMEM;
        }
+
+       switch (af) {
+       case AF_INET:
+               alen = sizeof(struct in_addr);
+               break;
+       case AF_INET6:
+               alen = sizeof(struct in6_addr);
+               break;
+       default:
+               return EINVAL;
+       }
+
        addrdata = prop_data_create_data(addr, alen);
        prop_dictionary_set(entdict, "addr", addrdata);
        prop_dictionary_set_uint8(entdict, "mask", mask);
        prop_object_release(addrdata);
 
-       /* Insert the entry. */
        tblents = prop_dictionary_get(tldict, "entries");
        prop_array_add(tblents, entdict);
        prop_object_release(entdict);
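Review bot: The `default:` arm of the new `switch (af)` returns EINVAL after `entdict` has already been obtained from prop_dictionary_create(), so an unsupported address family leaks that dictionary; either move the family check ahead of the allocation or release on the error path, `default: prop_object_release(entdict); return EINVAL;`. The result of `prop_data_create_data(addr, alen)` is still handed to prop_dictionary_set() without a NULL check, as it was before this change. The body of npf_table_add_entry continues past the hunk, so the remaining return paths are not visible here.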
diff -r a28fac44e45d -r 56f0d12154d5 lib/libnpf/npf.h
--- a/lib/libnpf/npf.h  Sun Dec 23 18:34:01 2012 +0000
+++ b/lib/libnpf/npf.h  Sun Dec 23 21:01:03 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.11 2012/09/16 13:47:42 rmind Exp $   */
+/*     $NetBSD: npf.h,v 1.12 2012/12/23 21:01:05 rmind Exp $   */
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -103,20 +103,20 @@
 int            npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
 
 nl_table_t *   npf_table_create(u_int, int);
-int            npf_table_add_entry(nl_table_t *, const int,
+int            npf_table_add_entry(nl_table_t *, int,
                    const npf_addr_t *, const npf_netmask_t);
 bool           npf_table_exists_p(nl_config_t *, u_int);
 int            npf_table_insert(nl_config_t *, nl_table_t *);
 void           npf_table_destroy(nl_table_t *);
 
+#ifdef _NPF_PRIVATE
+
+#include <ifaddrs.h>
+
 int            npf_update_rule(int, const char *, nl_rule_t *);
 int            npf_sessions_send(int, const char *);
 int            npf_sessions_recv(int, const char *);
 
-#ifdef _NPF_PRIVATE
-
-#include <ifaddrs.h>
-
 void           _npf_config_error(nl_config_t *, nl_error_t *);
 void           _npf_config_setsubmit(nl_config_t *, const char *);
 int            _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
diff -r a28fac44e45d -r 56f0d12154d5 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sun Dec 23 18:34:01 2012 +0000
+++ b/sys/net/npf/npf.h Sun Dec 23 21:01:03 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.23 2012/12/10 01:11:13 rmind Exp $   */
+/*     $NetBSD: npf.h,v 1.24 2012/12/23 21:01:03 rmind Exp $   */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 
-#define        NPF_VERSION             7
+#define        NPF_VERSION             8
 
 /*
  * Public declarations and definitions.
diff -r a28fac44e45d -r 56f0d12154d5 sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c     Sun Dec 23 18:34:01 2012 +0000
+++ b/sys/net/npf/npf_ctl.c     Sun Dec 23 21:01:03 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_ctl.c,v 1.19 2012/10/29 02:27:12 rmind Exp $       */
+/*     $NetBSD: npf_ctl.c,v 1.20 2012/12/23 21:01:03 rmind Exp $       */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.19 2012/10/29 02:27:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.20 2012/12/23 21:01:03 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -458,6 +458,7 @@
        npf_tableset_t *tblset = NULL;
        npf_ruleset_t *rlset = NULL;
        npf_ruleset_t *nset = NULL;
+       uint32_t ver = 0;
        bool flush;
        int error;
 
@@ -470,8 +471,13 @@
        npf_dict = (prop_dictionary_t)pref;
 #endif
 
-       /* Dictionary for error reporting. */
+       /* Dictionary for error reporting and version check. */
        errdict = prop_dictionary_create();
+       prop_dictionary_get_uint32(npf_dict, "version", &ver);
+       if (ver != NPF_VERSION) {
+               error = EPROGMISMATCH;
+               goto fail;
+       }
 
        /* NAT policies. */
        nset = npf_ruleset_create();
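Review bot: The boolean result of `prop_dictionary_get_uint32(npf_dict, "version", &ver)` is dropped, so a proplist with no "version" key (or one of a different type) is rejected only because `ver` was initialised to 0 in the preceding hunk and NPF_VERSION is non-zero; that coupling deserves a comment such as `/* A missing or non-uint32 "version" leaves ver == 0 and fails the check below. */`. Making the rejection explicit would also survive a later removal of the `= 0` initialiser: `if (!prop_dictionary_get_uint32(npf_dict, "version", &ver) || ver != NPF_VERSION)`. The `goto fail` is taken before nset, rlset and tblset are created, and the fail label is outside the hunk, so I assume it tolerates the NULL-initialised pointers declared in the earlier hunk. The enclosing function starts and ends outside this hunk.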
@@ -720,6 +726,7 @@
        case NPF_IOCTL_TBLENT_LOOKUP:
                error = npf_table_lookup(tblset, nct->nct_tid,
                    nct->nct_data.ent.alen, &nct->nct_data.ent.addr);
+               break;
        case NPF_IOCTL_TBLENT_ADD:
                error = npf_table_insert(tblset, nct->nct_tid,
                    nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
diff -r a28fac44e45d -r 56f0d12154d5 usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5    Sun Dec 23 18:34:01 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5    Sun Dec 23 21:01:03 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.25 2012/12/06 22:36:51 rmind Exp $
+.\"    $NetBSD: npf.conf.5,v 1.26 2012/12/23 21:01:04 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 6, 2012
+.Dd December 23, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -98,9 +98,11 @@
 Tables of type "hash" can only contain IP addresses.
 .Ss Interfaces
 Interfaces can be specified as the values of the variables:
+.Pp
 .Bd -literal
 $pub_if_list = { ifnet(wm0), ifnet(wm1) }
 .Ed
+.Pp
 In the context of filtering, an interface provides a list of its
 all IP addresses, including IPv4 and IPv6.
 Specific interface addresses can be selected by the family, e.g.:
@@ -285,6 +287,7 @@
 
 procedure "log" {
        # Note: npf_ext_log kernel module should be loaded, if not built-in.
+       # Also, the interface created, e.g.: ifconfig npflog0 create
        log: npflog0
 }


