[src/trunk]: src - Convert NPF to use BPF byte-code by default. Compile BPF ...
details: https://anonhg.NetBSD.org/src/rev/3234cc6de4fd
branches: trunk
changeset: 790105:3234cc6de4fd
user: rmind <rmind%NetBSD.org@localhost>
date: Thu Sep 19 01:04:45 2013 +0000
description:
- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
diffstat:
lib/libnpf/npf.c | 300 ++++++++++-
lib/libnpf/npf.h | 25 +-
sys/modules/npf/Makefile | 4 +-
sys/net/npf/files.npf | 3 +-
sys/net/npf/npf.c | 7 +-
sys/net/npf/npf.h | 14 +-
sys/net/npf/npf_bpf.c | 155 ++++++
sys/net/npf/npf_ctl.c | 6 +-
sys/net/npf/npf_impl.h | 12 +-
sys/net/npf/npf_ruleset.c | 55 +-
usr.sbin/npf/npfctl/Makefile | 10 +-
usr.sbin/npf/npfctl/npf_bpf_comp.c | 602 ++++++++++++++++++++++++
usr.sbin/npf/npfctl/npf_build.c | 234 +++-----
usr.sbin/npf/npfctl/npf_data.c | 20 +-
usr.sbin/npf/npfctl/npf_disassemble.c | 6 +-
usr.sbin/npf/npfctl/npf_parse.y | 7 +-
usr.sbin/npf/npfctl/npf_show.c | 490 +++++++++++++++++++
usr.sbin/npf/npfctl/npf_var.h | 6 +-
usr.sbin/npf/npfctl/npfctl.c | 21 +-
usr.sbin/npf/npfctl/npfctl.h | 47 +-
usr.sbin/npf/npftest/libnpftest/Makefile | 1 +
usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c | 122 ++++
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c | 8 +-
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c | 16 +-
usr.sbin/npf/npftest/libnpftest/npf_test.h | 1 +
usr.sbin/npf/npftest/npftest.c | 8 +-
usr.sbin/npf/npftest/npftest.h | 1 +
27 files changed, 1897 insertions(+), 284 deletions(-)
diffs (truncated from 3028 to 300 lines):
diff -r 5e28b2405262 -r 3234cc6de4fd lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Thu Sep 19 00:58:11 2013 +0000
+++ b/lib/libnpf/npf.c Thu Sep 19 01:04:45 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.19 2013/03/20 00:29:46 christos Exp $ */
+/* $NetBSD: npf.c,v 1.20 2013/09/19 01:04:46 rmind Exp $ */
/*-
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.19 2013/03/20 00:29:46 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.20 2013/09/19 01:04:46 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -47,23 +47,6 @@
#define _NPF_PRIVATE
#include "npf.h"
-struct nl_config {
- /* Rules, translations, tables, procedures. */
- prop_dictionary_t ncf_dict;
- prop_array_t ncf_alg_list;
- prop_array_t ncf_rules_list;
- prop_array_t ncf_rproc_list;
- prop_array_t ncf_table_list;
- prop_array_t ncf_nat_list;
- /* Debug information. */
- prop_dictionary_t ncf_debug;
- /* Error report. */
- prop_dictionary_t ncf_err;
- /* Custom file to externalise property-list. */
- const char * ncf_plist;
- bool ncf_flush;
-};
-
struct nl_rule {
prop_dictionary_t nrl_dict;
};
@@ -85,6 +68,37 @@
prop_dictionary_t nxt_dict;
};
+struct nl_config {
+ /* Rules, translations, tables, procedures. */
+ prop_dictionary_t ncf_dict;
+ prop_array_t ncf_alg_list;
+ prop_array_t ncf_rules_list;
+ prop_array_t ncf_rproc_list;
+ prop_array_t ncf_table_list;
+ prop_array_t ncf_nat_list;
+
+ /* Iterators. */
+ prop_object_iterator_t ncf_rule_iter;
+ unsigned ncf_reduce[16];
+ unsigned ncf_nlevel;
+ unsigned ncf_counter;
+ nl_rule_t ncf_cur_rule;
+
+ prop_object_iterator_t ncf_table_iter;
+ nl_table_t ncf_cur_table;
+
+ prop_object_iterator_t ncf_rproc_iter;
+ nl_rproc_t ncf_cur_rproc;
+
+ /* Error report and debug information. */
+ prop_dictionary_t ncf_err;
+ prop_dictionary_t ncf_debug;
+
+ /* Custom file to externalise property-list. */
+ const char * ncf_plist;
+ bool ncf_flush;
+};
+
static prop_array_t _npf_ruleset_transform(prop_array_t);
/*
@@ -131,9 +145,10 @@
prop_object_release(npf_dict);
return ENOMEM;
}
- prop_dictionary_set(npf_dict, "rules", rlset);
- prop_object_release(rlset);
+ prop_object_release(ncf->ncf_rules_list);
+ ncf->ncf_rules_list = rlset;
+ prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
prop_dictionary_set(npf_dict, "algs", ncf->ncf_alg_list);
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
@@ -150,16 +165,16 @@
prop_object_release(npf_dict);
return error;
}
-
- error = prop_dictionary_sendrecv_ioctl(npf_dict, fd,
- IOC_NPF_RELOAD, &ncf->ncf_err);
- if (error) {
- prop_object_release(npf_dict);
- assert(ncf->ncf_err == NULL);
- return error;
+ if (fd) {
+ error = prop_dictionary_sendrecv_ioctl(npf_dict, fd,
+ IOC_NPF_RELOAD, &ncf->ncf_err);
+ if (error) {
+ prop_object_release(npf_dict);
+ assert(ncf->ncf_err == NULL);
+ return error;
+ }
+ prop_dictionary_get_int32(ncf->ncf_err, "errno", &error);
}
-
- prop_dictionary_get_int32(ncf->ncf_err, "errno", &error);
prop_object_release(npf_dict);
return error;
}
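Review bot: The new `if (fd)` guard uses descriptor 0 as the "do not submit" sentinel, so a caller that legitimately holds descriptor 0 would skip IOC_NPF_RELOAD and return 0 as if the reload had succeeded. If 0 is the intended sentinel for the externalise-only path, a comment on the guard should say so, e.g. `/* fd == 0: externalise the plist only, do not reload the kernel. */`; otherwise `if (fd >= 0)` with -1 as the sentinel removes the ambiguity. Note that on the skipped path `error` is whatever the preceding call left in it, which from the visible `if (error) ... return error;` is 0, so the behaviour is correct only as long as that earlier check stays in place. The enclosing function starts outside the hunk.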
@@ -226,7 +241,6 @@
void
npf_config_destroy(nl_config_t *ncf)
{
-
if (!ncf->ncf_dict) {
prop_object_release(ncf->ncf_alg_list);
prop_object_release(ncf->ncf_rules_list);
@@ -246,7 +260,6 @@
void
_npf_config_setsubmit(nl_config_t *ncf, const char *plist_file)
{
-
ncf->ncf_plist = plist_file;
}
@@ -487,6 +500,20 @@
}
int
+npf_rule_setinfo(nl_rule_t *rl, const void *info, size_t len)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ prop_data_t idata;
+
+ if ((idata = prop_data_create_data(info, len)) == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set(rldict, "info", idata);
+ prop_object_release(idata);
+ return 0;
+}
+
+int
npf_rule_setprio(nl_rule_t *rl, pri_t pri)
{
prop_dictionary_t rldict = rl->nrl_dict;
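Review bot: `npf_rule_setinfo` is new public API but carries no comment on the ownership of `info`; because it goes through `prop_data_create_data` rather than the `_nocopy` variant, the bytes are copied and the caller keeps ownership of the buffer, which is worth stating. A header comment such as `/* Attach opaque rule info (len bytes); the data is copied, the caller retains ownership of info. Returns ENOMEM on allocation failure. */` would do. The return value of `prop_dictionary_set` is ignored, as elsewhere in this file, so a failed insert is reported as success; if that is deliberate file-wide policy it should at least be mentioned in the comment.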
@@ -544,6 +571,97 @@
return 0;
}
+static nl_rule_t *
+_npf_rule_iterate1(nl_config_t *ncf, prop_array_t rlist, unsigned *level)
+{
+ prop_dictionary_t rldict;
+ uint32_t skipto = 0;
+
+ if (!ncf->ncf_rule_iter) {
+ /* Initialise the iterator. */
+ ncf->ncf_rule_iter = prop_array_iterator(rlist);
+ ncf->ncf_nlevel = 0;
+ ncf->ncf_reduce[0] = 0;
+ ncf->ncf_counter = 0;
+ }
+
+ rldict = prop_object_iterator_next(ncf->ncf_rule_iter);
+ if ((ncf->ncf_cur_rule.nrl_dict = rldict) == NULL) {
+ prop_object_iterator_release(ncf->ncf_rule_iter);
+ ncf->ncf_rule_iter = NULL;
+ return NULL;
+ }
+ *level = ncf->ncf_nlevel;
+
+ prop_dictionary_get_uint32(rldict, "skip-to", &skipto);
+ if (skipto) {
+ ncf->ncf_nlevel++;
+ ncf->ncf_reduce[ncf->ncf_nlevel] = skipto;
+ }
+ if (ncf->ncf_reduce[ncf->ncf_nlevel] == ++ncf->ncf_counter) {
+ assert(ncf->ncf_nlevel > 0);
+ ncf->ncf_nlevel--;
+ }
+ return &ncf->ncf_cur_rule;
+}
+
+nl_rule_t *
+npf_rule_iterate(nl_config_t *ncf, unsigned *level)
+{
+ return _npf_rule_iterate1(ncf, ncf->ncf_rules_list, level);
+}
+
+const char *
+npf_rule_getname(nl_rule_t *rl)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ const char *rname = NULL;
+
+ prop_dictionary_get_cstring_nocopy(rldict, "name", &rname);
+ return rname;
+}
+
+uint32_t
+npf_rule_getattr(nl_rule_t *rl)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ uint32_t attr = 0;
+
+ prop_dictionary_get_uint32(rldict, "attributes", &attr);
+ return attr;
+}
+
+unsigned
+npf_rule_getinterface(nl_rule_t *rl)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ unsigned if_idx = 0;
+
+ prop_dictionary_get_uint32(rldict, "interface", &if_idx);
+ return if_idx;
+}
+
+const void *
+npf_rule_getinfo(nl_rule_t *rl, size_t *len)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ prop_object_t obj = prop_dictionary_get(rldict, "info");
+
+ *len = prop_data_size(obj);
+ return prop_data_data_nocopy(obj);
+}
+
+const char *
+npf_rule_getproc(nl_rule_t *rl)
+{
+ prop_dictionary_t rldict = rl->nrl_dict;
+ const char *rpname = NULL;
+
+ prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rpname);
+ return rpname;
+}
+
+#if 1
static int
_npf_rule_foreach1(prop_array_t rules, nl_rule_callback_t func)
{
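Review bot: `_npf_rule_iterate1` increments `ncf_nlevel` and then stores into `ncf_reduce[ncf->ncf_nlevel]` with no check against the 16-entry array declared in `struct nl_config` earlier in this file, so a ruleset whose "skip-to" nesting exceeds 15 levels writes past the end of `ncf_reduce` into the neighbouring fields. The rule dictionaries are read back from proplib objects that may originate from the kernel or an externalised plist rather than only from npfctl's own parser, so the bound should be enforced here rather than assumed; if the nesting depth is in fact bounded by the parser, a comment on `ncf_reduce` naming that limit is the minimum. Because the iterator API signals only end-of-list via NULL, the bail-out below is indistinguishable from a normal end to the caller, which may be acceptable for a corrupt ruleset but deserves a comment. The `_npf_rule_foreach1` body at the end of this hunk continues outside it.
```c
static nl_rule_t *
_npf_rule_iterate1(nl_config_t *ncf, prop_array_t rlist, unsigned *level)
{
	/* … unchanged: iterator initialisation and next-rule fetch … */
	prop_dictionary_get_uint32(rldict, "skip-to", &skipto);
	if (skipto) {
		/* One slot per nesting level; stop on rulesets nested deeper than the table. */
		if (ncf->ncf_nlevel + 1 >= __arraycount(ncf->ncf_reduce)) {
			prop_object_iterator_release(ncf->ncf_rule_iter);
			ncf->ncf_rule_iter = NULL;
			return NULL;
		}
		ncf->ncf_nlevel++;
		ncf->ncf_reduce[ncf->ncf_nlevel] = skipto;
	}
	/* … unchanged: level reduction and return … */
```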
@@ -588,6 +706,7 @@
{
return _npf_rule_foreach1(ncf->ncf_rules_list, func);
}
+#endif
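Review bot: The `#if 1` / `#endif` fences added around the `_npf_rule_foreach1`/`npf_rule_foreach` block (opened in the previous hunk, closed here) and around `_npf_rule_getinfo` in the two following hunks carry no explanation, so a later reader cannot tell whether the code is slated for removal or merely toggled for debugging. Since the new `npf_rule_iterate`/`npf_rule_get*` functions appear to supersede this API, a comment on each opening fence such as `#if 1 /* XXX: legacy iteration API; presumably to be removed once all callers use npf_rule_iterate() — confirm */` would record the intent. The enclosing `npf_rule_foreach` starts outside this hunk.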
int
_npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf)
@@ -615,6 +734,7 @@
return error;
}
+#if 1
pri_t
_npf_rule_getinfo(nl_rule_t *nrl, const char **rname, uint32_t *attr,
u_int *if_idx)
@@ -637,16 +757,7 @@
*size = prop_data_size(obj);
return prop_data_data_nocopy(obj);
}
-
-const char *
-_npf_rule_rproc(nl_rule_t *nrl)
-{
- prop_dictionary_t rldict = nrl->nrl_dict;
- const char *rpname = NULL;
-
- prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rpname);
- return rpname;
-}
+#endif
void
npf_rule_destroy(nl_rule_t *rl)
@@ -710,7 +821,6 @@
bool
npf_rproc_exists_p(nl_config_t *ncf, const char *name)
{
-
return _npf_prop_array_lookup(ncf->ncf_rproc_list, "name", name);
}
@@ -730,6 +840,34 @@
return 0;
}