Source-Changes-HG archive
[src/trunk]: src - Fix NPF config reload with dynamic rules present.
details: https://anonhg.NetBSD.org/src/rev/dd8bb410990f
branches: trunk
changeset: 784835:dd8bb410990f
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Feb 10 23:47:37 2013 +0000
description:
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
diffstat:
lib/libnpf/npf.c | 44 ++++++++++++-
lib/libnpf/npf.h | 4 +-
sys/net/npf/npf.h | 5 +-
sys/net/npf/npf_conf.c | 11 ++-
sys/net/npf/npf_ctl.c | 28 +++++--
sys/net/npf/npf_impl.h | 10 ++-
sys/net/npf/npf_ruleset.c | 116 ++++++++++++++++++++++++++++++---
usr.sbin/npf/npfctl/npf_build.c | 5 +-
usr.sbin/npf/npfctl/npf_disassemble.c | 19 ++++-
usr.sbin/npf/npfctl/npfctl.c | 15 +++-
usr.sbin/npf/npfctl/npfctl.h | 4 +-
11 files changed, 221 insertions(+), 40 deletions(-)
diffs (truncated from 593 to 300 lines):
diff -r d24976c42952 -r dd8bb410990f lib/libnpf/npf.c
--- a/lib/libnpf/npf.c Sun Feb 10 23:37:32 2013 +0000
+++ b/lib/libnpf/npf.c Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.16 2013/02/09 03:35:33 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.17 2013/02/10 23:47:37 rmind Exp $ */
/*-
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.16 2013/02/09 03:35:33 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.17 2013/02/10 23:47:37 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -320,6 +320,20 @@
return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
}
+int
+npf_ruleset_flush(int fd, const char *rname)
+{
+ prop_dictionary_t rldict;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_FLUSH);
+ return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
+}
+
/*
* _npf_ruleset_transform: transform the ruleset representing nested
* rules with lists into an array.
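Review bot: `rldict` is never released in the new `npf_ruleset_flush`: the dictionary from `prop_dictionary_create()` is owned by the caller and, as far as I recall from proplib(3), `prop_dictionary_send_ioctl` does not consume it, so every flush leaks one dictionary. The existing function ending just above this hunk follows the same pattern, so it may be an accepted convention in this file, but for a long-lived caller I would capture the result and release: `error = prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);` / `prop_object_release(rldict);` / `return error;`, with an `int error;` local. The `prop_dictionary_set_cstring`/`set_uint32` return values are also unchecked, so an allocation failure inside libprop would send a command without its ruleset name.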
@@ -569,6 +583,32 @@
return _npf_rule_foreach1(ncf->ncf_rules_list, func);
}
+int
+_npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf)
+{
+ prop_dictionary_t rldict, ret;
+ int error;
+
+ rldict = prop_dictionary_create();
+ if (rldict == NULL) {
+ return ENOMEM;
+ }
+ prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
+ prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_LIST);
+ error = prop_dictionary_sendrecv_ioctl(rldict, fd, IOC_NPF_RULE, &ret);
+ if (!error) {
+ prop_array_t rules;
+
+ rules = prop_dictionary_get(ret, "rules");
+ if (rules == NULL) {
+ return EINVAL;
+ }
+ prop_object_release(ncf->ncf_rules_list);
+ ncf->ncf_rules_list = rules;
+ }
+ return error;
+}
+
pri_t
_npf_rule_getinfo(nl_rule_t *nrl, const char **rname, uint32_t *attr,
u_int *if_idx)
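Review bot: The reference handling in `_npf_ruleset_list` is inconsistent: `rules` comes from `prop_dictionary_get`, which returns a reference borrowed from `ret`, yet it is stored into `ncf->ncf_rules_list` without `prop_object_retain()`, while `ret` itself (and `rldict`, on the `EINVAL` path too) is never released. As written the array stays valid only because `ret` leaks; the moment someone adds the missing `prop_object_release(ret)` the stored array dangles. I would retain `rules`, then release `ret` and `rldict` on every path, as sketched below; this assumes the proplib contract that `prop_dictionary_sendrecv_ioctl` hands back a dictionary the caller owns, which is worth confirming against proplib(3).
```c
int
_npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf)
{
	prop_dictionary_t rldict, ret;
	prop_array_t rules;
	int error;

	/* … unchanged: create rldict, set "ruleset-name" and "command" … */
	error = prop_dictionary_sendrecv_ioctl(rldict, fd, IOC_NPF_RULE, &ret);
	prop_object_release(rldict);
	if (error) {
		return error;
	}
	rules = prop_dictionary_get(ret, "rules");
	if (rules == NULL) {
		prop_object_release(ret);
		return EINVAL;
	}
	/* 'rules' is borrowed from 'ret': take our own reference first. */
	prop_object_retain(rules);
	prop_object_release(ret);
	prop_object_release(ncf->ncf_rules_list);
	ncf->ncf_rules_list = rules;
	return 0;
}
```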
diff -r d24976c42952 -r dd8bb410990f lib/libnpf/npf.h
--- a/lib/libnpf/npf.h Sun Feb 10 23:37:32 2013 +0000
+++ b/lib/libnpf/npf.h Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.13 2013/02/09 03:35:33 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.14 2013/02/10 23:47:38 rmind Exp $ */
/*-
* Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -82,6 +82,7 @@
int npf_ruleset_add(int, const char *, nl_rule_t *, uintptr_t *);
int npf_ruleset_remove(int, const char *, uintptr_t);
int npf_ruleset_remkey(int, const char *, const void *, size_t);
+int npf_ruleset_flush(int, const char *);
nl_ext_t * npf_ext_construct(const char *name);
void npf_ext_param_u32(nl_ext_t *, const char *, uint32_t);
@@ -121,6 +122,7 @@
void _npf_config_error(nl_config_t *, nl_error_t *);
void _npf_config_setsubmit(nl_config_t *, const char *);
+int _npf_ruleset_list(int, const char *, nl_config_t *);
int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
pri_t _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *,
u_int *);
diff -r d24976c42952 -r dd8bb410990f sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sun Feb 10 23:37:32 2013 +0000
+++ b/sys/net/npf/npf.h Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.26 2013/02/09 03:35:31 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.27 2013/02/10 23:47:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -235,7 +235,8 @@
#define NPF_CMD_RULE_INSERT 2
#define NPF_CMD_RULE_REMOVE 3
#define NPF_CMD_RULE_REMKEY 4
-#define NPF_CMD_RULE_FLUSH 5
+#define NPF_CMD_RULE_LIST 5
+#define NPF_CMD_RULE_FLUSH 6
/*
* NPF ioctl(2): table commands and structures.
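Review bot: Renumbering `NPF_CMD_RULE_FLUSH` from 5 to 6 changes the value an already-built `npfctl` sends over `IOC_NPF_RULE`, so a stale userland asking for a flush is interpreted by the new kernel as `NPF_CMD_RULE_LIST`, and a new `npfctl` flushing against an older kernel is rejected or, worse, silently mapped. Appending `NPF_CMD_RULE_LIST` as 6 and leaving `FLUSH` at 5 keeps the existing values stable; if the renumbering is intentional, the interface version constant should be bumped in the same commit, and the diffstat for this file (these three lines plus the RCS id) suggests it was not. If NPF's version check already rejects a mismatched `npfctl` that covers the risk, but it still deserves a comment next to the definitions saying the numbers are ABI.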
diff -r d24976c42952 -r dd8bb410990f sys/net/npf/npf_conf.c
--- a/sys/net/npf/npf_conf.c Sun Feb 10 23:37:32 2013 +0000
+++ b/sys/net/npf/npf_conf.c Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conf.c,v 1.1 2013/02/09 03:35:31 rmind Exp $ */
+/* $NetBSD: npf_conf.c,v 1.2 2013/02/10 23:47:37 rmind Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.1 2013/02/09 03:35:31 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.2 2013/02/10 23:47:37 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -185,6 +185,13 @@
return mutex_owned(&npf_config_lock);
}
+void
+npf_config_sync(void)
+{
+ KASSERT(npf_config_locked_p());
+ pserialize_perform(npf_config_psz);
+}
+
/*
* Reader-side synchronisation routines.
*/
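Review bot: `npf_config_sync` is added without a comment, and its contract is exactly what callers need: it must be called with the config lock held (the `KASSERT` on the line before `pserialize_perform`) and it blocks until every reader-side critical section that was active at the call has finished, after which objects unlinked under the lock may be freed. I would put above the function: `/* npf_config_sync: wait for all active readers (pserialize) to drain. Must be called with the config lock held; once it returns, objects unlinked under the lock can be safely freed. */`. Since `pserialize_perform` can block, the lock held here has to permit sleeping, which I cannot confirm from this hunk alone.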
diff -r d24976c42952 -r dd8bb410990f sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sun Feb 10 23:37:32 2013 +0000
+++ b/sys/net/npf/npf_ctl.c Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.21 2013/02/09 03:35:31 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.22 2013/02/10 23:47:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.21 2013/02/09 03:35:31 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.22 2013/02/10 23:47:37 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -581,10 +581,7 @@
error = EINVAL;
break;
}
- rl = npf_ruleset_remove(rlset, ruleset_name, (uintptr_t)id64);
- if (rl == NULL) {
- error = ENOENT;
- }
+ error = npf_ruleset_remove(rlset, ruleset_name, (uintptr_t)id64);
break;
}
case NPF_CMD_RULE_REMKEY: {
@@ -596,16 +593,27 @@
error = EINVAL;
break;
}
- rl = npf_ruleset_remkey(rlset, ruleset_name, key, len);
- if (rl == NULL) {
- error = ENOENT;
- }
+ error = npf_ruleset_remkey(rlset, ruleset_name, key, len);
+ break;
+ }
+ case NPF_CMD_RULE_LIST: {
+ retdict = npf_ruleset_list(rlset, ruleset_name);
+ break;
+ }
+ case NPF_CMD_RULE_FLUSH: {
+ error = npf_ruleset_flush(rlset, ruleset_name);
break;
}
default:
error = EINVAL;
break;
}
+
+ /* Destroy any removed rules. */
+ if (!error && rcmd != NPF_CMD_RULE_ADD && rcmd != NPF_CMD_RULE_LIST) {
+ npf_config_sync();
+ npf_ruleset_gc(rlset);
+ }
npf_config_exit();
if (rl) {
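Review bot: In the new `NPF_CMD_RULE_LIST` case `error` stays 0 whatever `npf_ruleset_list` returns; if it can return NULL (unknown ruleset name or an allocation failure — its body is outside this diff), the ioctl reports success with no dictionary, and what userland then sees depends on the copy-out code below the hunk, so I would add `if (retdict == NULL) { error = ENOENT; }` after the call. The garbage-collection condition is written as an exclusion list (`rcmd != NPF_CMD_RULE_ADD && rcmd != NPF_CMD_RULE_LIST`), so any future command, and `NPF_CMD_RULE_INSERT` today unless it is handled above the hunk, pays for `npf_config_sync()` (a pserialize wait over all CPUs) whether or not it unlinked anything; naming the commands that actually remove rules (`REMOVE`, `REMKEY`, `FLUSH`) would state the intent and avoid that cost. The enclosing function continues on both sides of the hunk.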
diff -r d24976c42952 -r dd8bb410990f sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Sun Feb 10 23:37:32 2013 +0000
+++ b/sys/net/npf/npf_impl.h Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.26 2013/02/09 03:35:32 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.27 2013/02/10 23:47:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -130,6 +130,7 @@
void npf_config_enter(void);
void npf_config_exit(void);
+void npf_config_sync(void);
bool npf_config_locked_p(void);
int npf_config_read_enter(void);
void npf_config_read_exit(int);
@@ -231,9 +232,12 @@
void npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
int npf_ruleset_add(npf_ruleset_t *, const char *, npf_rule_t *);
-npf_rule_t * npf_ruleset_remove(npf_ruleset_t *, const char *, uintptr_t);
-npf_rule_t * npf_ruleset_remkey(npf_ruleset_t *, const char *,
+int npf_ruleset_remove(npf_ruleset_t *, const char *, uintptr_t);
+int npf_ruleset_remkey(npf_ruleset_t *, const char *,
const void *, size_t);
+prop_dictionary_t npf_ruleset_list(npf_ruleset_t *, const char *);
+int npf_ruleset_flush(npf_ruleset_t *, const char *);
+void npf_ruleset_gc(npf_ruleset_t *);
npf_rule_t * npf_ruleset_inspect(npf_cache_t *, nbuf_t *,
const npf_ruleset_t *, const int, const int);
diff -r d24976c42952 -r dd8bb410990f sys/net/npf/npf_ruleset.c
--- a/sys/net/npf/npf_ruleset.c Sun Feb 10 23:37:32 2013 +0000
+++ b/sys/net/npf/npf_ruleset.c Sun Feb 10 23:47:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.17 2013/02/09 03:35:32 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.18 2013/02/10 23:47:37 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.17 2013/02/09 03:35:32 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.18 2013/02/10 23:47:37 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -52,9 +52,14 @@
#include "npf_impl.h"
struct npf_ruleset {
- /* List of all rules and dynamic (i.e. named) rules. */
+ /*
+ * - List of all rules.
+ * - Dynamic (i.e. named) rules.
+ * - G/C list for convenience.
+ */
LIST_HEAD(, npf_rule) rs_all;
LIST_HEAD(, npf_rule) rs_dynamic;
+ LIST_HEAD(, npf_rule) rs_gc;
/* Number of array slots and active rules. */
u_int rs_slots;
@@ -95,6 +100,9 @@
npf_rule_t * r_parent;
} /* C11 */;
+ /* Dictionary. */
+ prop_dictionary_t r_dict;
+
/* Rule name and all-list entry. */
char r_name[NPF_RULE_MAXNAMELEN];
LIST_ENTRY(npf_rule) r_aentry;
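Review bot: The new `r_dict` member carries only the comment `/* Dictionary. */`, which says nothing about what the dictionary is, who owns the reference, or when it is released; from the rest of the commit it appears to be the rule's configuration dictionary kept so that `NPF_CMD_RULE_LIST` can hand rules back to userland, but the code that sets and releases it is outside this diff. I would replace the comment with `/* Rule dictionary, retained for listing (NPF_CMD_RULE_LIST); released together with the rule. */`, adjusted once the ownership is confirmed. The struct definition continues outside the hunk.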
@@ -143,6 +151,7 @@
npf_rule_free(rl);
}
KASSERT(LIST_EMPTY(&rlset->rs_dynamic));
+ KASSERT(LIST_EMPTY(&rlset->rs_gc));
kmem_free(rlset, len);
}
@@ -238,25 +247,26 @@
return 0;
}
-npf_rule_t *
+int