CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Sun May 31 15:57:15 UTC 2020 Modified Files: src/usr.sbin/npf: npf-params.7 Log Message: npf-params(7): fix the state.key defaults. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npf-params.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf-params.7 diff -u src/usr.sbin/npf/npf-params.7:1.4 src/usr.sbin/npf/npf-params.7:1.5 --- src/usr.sbin/npf/npf-params.7:1.4 Sat May 30 14:16:56 2020 +++ src/usr.sbin/npf/npf-params.7 Sun May 31 15:57:15 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf-params.7,v 1.4 2020/05/30 14:16:56 rmind Exp $ +.\" $NetBSD: npf-params.7,v 1.5 2020/05/31 15:57:15 rmind Exp $ .\" .\" Copyright (c) 2019 Mindaugas Rasiukevicius .\" All rights reserved. @@ -94,10 +94,10 @@ some of the information in (from) the ke .It Li interface Include interface identifier into the keys, making the connection state strictly per-interface. -Default: 0. +Default: 1. .It Li direction Include packet direction into the keys. -Default: 0. +Default: 1. .El .\" --- .It Li state.generic
CVS commit: src/usr.sbin/npf/npftest/libnpftest
Module Name:src Committed By: rmind Date: Sat May 30 21:00:31 UTC 2020 Modified Files: src/usr.sbin/npf/npftest/libnpftest: npf_test_subr.c Log Message: npftest -- npf_test_init(): add a workaround for NetBSD. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 \ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.17 src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.18
--- src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.17 Sat May 30 14:16:57 2020
+++ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Sat May 30 21:00:31 2020
@@ -64,6 +64,13 @@ npf_test_init(int (*pton_func)(int, cons
 {
 npf_t *npf;
+#ifdef __NetBSD__
+ // XXX: Workaround for npf_init()
+ if ((npf = npf_getkernctx()) != NULL) {
+ npf_worker_discharge(npf);
+ npf_worker_sysfini();
+ }
+#endif
 npfk_sysinit(0);
 npf = npfk_create(0, &npftest_mbufops, &npftest_ifops, NULL);
 npfk_thread_register(npf);
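Review bot: The new `// XXX: Workaround for npf_init()` comment does not say what npf_init() leaves behind that this block has to undo, so a reader cannot judge whether calling npf_worker_discharge() and npf_worker_sysfini() on the instance returned by npf_getkernctx() is safe, or whether that kernel instance is meant to stay registered afterwards. I would expand it to something like `/* XXX: on NetBSD npf_init() has already created the kernel npf instance and its worker threads; detach that instance and tear the worker subsystem down so that npfk_sysinit() below can set it up again for the test instance. */`, corrected to whatever npf_init() actually does, which is not visible here. Note also that `npf` is reused for the kernel context and then overwritten by npfk_create(), so the discharged kernel instance is never referenced again by this function; if that is intended, say so. The body of npf_test_init() continues beyond the hunk.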
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sat May 30 20:54:54 UTC 2020 Modified Files: src/sys/net/npf: npf_worker.c Log Message: npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_worker.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/npf/npf_worker.c
diff -u src/sys/net/npf/npf_worker.c:1.8 src/sys/net/npf/npf_worker.c:1.9
--- src/sys/net/npf/npf_worker.c:1.8 Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_worker.c Sat May 30 20:54:54 2020
@@ -29,7 +29,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.8 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.9 2020/05/30 20:54:54 rmind Exp $");
 #include
 #include
@@ -81,7 +81,8 @@ npf_worker_sysinit(unsigned nworkers)
 winfo = kmem_zalloc(len, KM_SLEEP);
 winfo->worker_count = nworkers;
 mutex_init(&winfo->lock, MUTEX_DEFAULT, IPL_SOFTNET);
- cv_init(&winfo->cv, "npfgccv");
+ cv_init(&winfo->exit_cv, "npfgcx");
+ cv_init(&winfo->cv, "npfgcw");
 LIST_INIT(&winfo->instances);
 worker_info = winfo;
@@ -121,6 +122,7 @@ npf_worker_sysfini(void)
 }
 }
 cv_destroy(&winfo->cv);
+ cv_destroy(&winfo->exit_cv);
 mutex_destroy(&winfo->lock);
 kmem_free(winfo, offsetof(npf_workerinfo_t, worker[nworkers]));
 worker_info = NULL;
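Review bot: Nothing at the two `cv_init()` calls in npf_worker_sysinit() says which event `exit_cv` carries versus `cv`, and the wmesg strings `"npfgcx"` / `"npfgcw"` are the only hint a reader of wchan output gets. I would put a one-line comment above them, e.g. `/* cv: wakes the G/C workers; exit_cv: signalled by a worker when it exits, presumably waited on in npf_worker_sysfini() */`, with the second half checked against the waiting code, which is outside this hunk. Renaming the existing wmesg from `"npfgccv"` to `"npfgcw"` changes what shows in `ps`/wchan output, so it deserves a mention in the log message if intentional. The destroy order in npf_worker_sysfini() (cv, then exit_cv) is the reverse of the init order, which is correct.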
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun May 24 15:35:40 UTC 2020 Modified Files: src/usr.sbin/npf/npfctl: npf_scan.l Log Message: PR/55288: npfctl: change parameter syntax to be more permissive. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.30 src/usr.sbin/npf/npfctl/npf_scan.l:1.31
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.30 Mon Sep 30 00:37:11 2019
+++ src/usr.sbin/npf/npfctl/npf_scan.l Sun May 24 15:35:39 2020
@@ -91,6 +91,7 @@ npfctl_parse_string(const char *str, par
 ID [a-zA-Z_][a-zA-Z_0-9]*
 DID [a-zA-Z_][a-zA-Z_0-9-]*
+SPID [a-zA-Z][a-zA-Z_0-9.]*
 NUMBER [0-9]+
 HEXDIG [0-9a-fA-F]+
@@ -227,7 +228,7 @@ any return ANY;
 return VAR_ID;
 }
-[a-z]*"."[a-z.]* {
+{ID}"."{SPID}+ {
 yylval.str = estrndup(yytext, yyleng);
 return PARAM;
 }
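Review bot: The new PARAM rule `{ID}"."{SPID}+` still accepts names that end in, or contain a run of, dots, such as `state.key.` or `state..key`, because SPID's character class includes `.`; and the trailing `+` is redundant, since a second SPID repetition must start with a letter that the first repetition's `[a-zA-Z_0-9.]*` already consumes under longest match. If the intent of PR/55288 is to allow dotted component names with digits and underscores, the tighter `{ID}("."{ID})+` expresses exactly that and lets malformed names fail as syntax errors rather than as unknown-parameter errors later; if some parameter legitimately starts a component with a digit or hyphen, adjust the component pattern rather than reopening `.`. Either way a short comment above the rule stating the accepted grammar would help, e.g. `/* Dotted parameter name, e.g. state.key */`.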
CVS commit: src
Module Name:src Committed By: rmind Date: Sat May 23 19:56:00 UTC 2020 Modified Files: src/sys/net/npf: npf_conf.c npf_conn.c npf_conn.h npf_conndb.c npf_inet.c npf_nat.c src/usr.sbin/npf/npfctl: npf_build.c npf_show.c npfctl.h Log Message: Backport selected NPF fixes from the upstream (to be pulled up): - npf_conndb_lookup: protect the connection lookup with pserialize(9), instead of incorrectly assuming that the handler always runs at IPL_SOFNET. Should fix crashes reported on high load (PR/55182). - npf_config_destroy: handle partially initialized config; fixes crashes with some invalid configurations. - NAT policy creation / destruction: set the initial reference and do not wait for reference draining on destruction; destroy the policy on the last reference drop instead. Fixes a lockup with the dynamic NAT rules. - npf_nat_{export,import}: fix a regression since dynamic NAT rules. - npfctl: fix a regression and restore the default group behaviour. - Add npf_cache_tcp() and validate the TCP data offset (from maxv@). To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.30 -r1.31 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conndb.c cvs rdiff -u -r1.55 -r1.56 src/sys/net/npf/npf_inet.c cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_show.c cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.15 src/sys/net/npf/npf_conf.c:1.16 --- src/sys/net/npf/npf_conf.c:1.15 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_conf.c Sat May 23 19:56:00 2020 
@@ -47,7 +47,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.15 2019/08/25 13:21:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.16 2020/05/23 19:56:00 rmind Exp $");
 #include
 #include
@@ -94,10 +94,18 @@ npf_config_destroy(npf_config_t *nc)
 * Note: the rulesets must be destroyed first, in order to drop
 * any references to the tableset.
 */
- npf_ruleset_destroy(nc->ruleset);
- npf_ruleset_destroy(nc->nat_ruleset);
- npf_rprocset_destroy(nc->rule_procs);
- npf_tableset_destroy(nc->tableset);
+ if (nc->ruleset) {
+ npf_ruleset_destroy(nc->ruleset);
+ }
+ if (nc->nat_ruleset) {
+ npf_ruleset_destroy(nc->nat_ruleset);
+ }
+ if (nc->rule_procs) {
+ npf_rprocset_destroy(nc->rule_procs);
+ }
+ if (nc->tableset) {
+ npf_tableset_destroy(nc->tableset);
+ }
 kmem_free(nc, sizeof(npf_config_t));
 }
Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.30 src/sys/net/npf/npf_conn.c:1.31
--- src/sys/net/npf/npf_conn.c:1.30 Sun Sep 29 17:00:29 2019
+++ src/sys/net/npf/npf_conn.c Sat May 23 19:56:00 2020
@@ -107,7 +107,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.30 2019/09/29 17:00:29 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.31 2020/05/23 19:56:00 rmind Exp $");
 #include
 #include
@@ -311,7 +311,7 @@ npf_conn_lookup(const npf_cache_t *npc,
 if (!npf_conn_conkey(npc, &key, true)) {
 return NULL;
 }
- con = npf_conndb_lookup(npf->conn_db, &key, forw);
+ con = npf_conndb_lookup(npf, &key, forw);
 if (con == NULL) {
 return NULL;
 }
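Review bot: The new NULL checks in npf_config_destroy() only help if every npf_config_t reaches this function with its unset members zeroed, which the hunk does not show (the allocation site is elsewhere; presumably a zeroing allocator). I would state that contract in the comment so nobody later switches the allocator, e.g. `/* nc may be only partially initialised (e.g. a failed load); the allocator zero-fills, so sets that were never created are NULL and are skipped here. */` The existing ordering comment ("rulesets must be destroyed first") still holds with the checks in place. npf_config_destroy() begins before the hunk, so whether any other member also needs guarding is not visible here.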
@@ -908,7 +908,7 @@ npf_conn_find(npf_t *npf, const nvlist_t if (!kdict || !npf_connkey_import(kdict, &key)) { return EINVAL; } - con = npf_conndb_lookup(npf->conn_db, &key, &forw); + con = npf_conndb_lookup(npf, &key, &forw); if (con == NULL) { return ESRCH; } Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.18 src/sys/net/npf/npf_conn.h:1.19 --- src/sys/net/npf/npf_conn.h:1.18 Sun Aug 11 20:26:33 2019 +++ src/sys/net/npf/npf_conn.h Sat May 23 19:56:00 2020 @@ -157,7 +157,7 @@ void npf_conndb_sysfini(npf_t *); npf_conndb_t * npf_conndb_create(void); void npf_conndb_destroy(npf_conndb_t *); -npf_conn_t * npf_conndb_lookup(npf_conndb_t *, const npf_connkey_t *, bool *); +npf_conn_t * npf_conndb_lookup(npf_t *, const npf_connkey_t *, bool *); bool npf_conndb_insert(npf_conndb_t *, const npf_connkey_t *, npf_conn_t *, bool); npf_conn_t * npf_conndb_remove(npf_conndb_t *, npf_connkey_t *); Index: src/sys/net/npf/npf_conndb.c diff -u src/sys/net/npf/npf_conndb.c:1.7 src/sys/net/npf/npf_conndb.c:1.8 --- src/sys/net/npf/npf_conndb.c:1.7 Sat Dec 14 15:21:51 2019 +++ src/sys/net/npf/npf_conndb.c Sat May 23 19:56:00 2020 @@ -46,7 +46,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conndb.c,v 1.7 2019/12/14 15:21:51 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conndb.c,v 1.8 2020/05/23 19:56:00 rmind Exp $"); #include #
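Review bot: `con` returned by `npf_conndb_lookup(npf, &key, &forw)` in npf_conn_find() is used after the call (the ESRCH check here and whatever follows it beyond the hunk), yet the log message says the lookup is now protected by pserialize(9), which keeps the entry alive only inside the read section. Unless npf_conndb_lookup() takes a reference on the connection before leaving its read section, the pointer can be reclaimed by the G/C worker between the lookup and its use; passing `npf` instead of `npf->conn_db` suggests the lookup now has what it needs for that, but the implementation in npf_conndb.c is cut off at the end of this chunk. I would state the ownership at the call site, e.g. `/* npf_conndb_lookup() returns a referenced connection or NULL; drop the reference when done. */`, once confirmed. The same question applies to the npf_conn_lookup() call changed in the previous hunk, and npf_conn_find() continues outside the hunk.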
CVS commit: src/sys/kern
Module Name:src Committed By: rmind Date: Sat May 23 19:52:12 UTC 2020 Modified Files: src/sys/kern: subr_thmap.c Log Message: thmap(9): merge changes from the upstream -- primarily, switch to the C11-style memory fences and atomic primitives; in NetBSD, this translates to using the atomic_loadstore(9) primitives. To be pulled up (just in case). To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/kern/subr_thmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_thmap.c diff -u src/sys/kern/subr_thmap.c:1.5 src/sys/kern/subr_thmap.c:1.6 --- src/sys/kern/subr_thmap.c:1.5 Mon Feb 4 08:00:27 2019 +++ src/sys/kern/subr_thmap.c Sat May 23 19:52:12 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_thmap.c,v 1.5 2019/02/04 08:00:27 mrg Exp $ */ +/* $NetBSD: subr_thmap.c,v 1.6 2020/05/23 19:52:12 rmind Exp $ */ /*- * Copyright (c) 2018 Mindaugas Rasiukevicius @@ -53,7 +53,7 @@ * re-try from the root; this is a case for deletions and is achieved * using the NODE_DELETED flag. * - * iii) the node destruction must be synchronised with the readers, + * iii) the node destruction must be synchronized with the readers, * e.g. by using the Epoch-based reclamation or other techniques. * * - WRITERS AND LOCKING: Each intermediate node has a spin-lock (which @@ -87,7 +87,6 @@ * https://www.csd.uoc.gr/~hy460/pdf/p650-lehman.pdf */ - #ifdef _KERNEL #include #include 
@@ -112,20 +111,19 @@ #include "utils.h" #endif -THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.5 2019/02/04 08:00:27 mrg Exp $"); +THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.6 2020/05/23 19:52:12 rmind Exp $"); /* * NetBSD kernel wrappers */ #ifdef _KERNEL #define ASSERT KASSERT -#define atomic_thread_fence(x) x -#define memory_order_stores membar_producer() -#define memory_order_loads membar_consumer() -#define atomic_cas_32_p(p, e, n) (atomic_cas_32((p), (e), (n)) == (e)) -#define atomic_cas_ptr_p(p, e, n) \ -(atomic_cas_ptr((p), (void *)(e), (void *)(n)) == (e)) -#define atomic_exchange atomic_swap_ptr +#define atomic_thread_fence(x) membar_sync() +#define atomic_compare_exchange_weak_explicit_32(p, e, n, m1, m2) \ +(atomic_cas_32((p), *(e), (n)) == *(e)) +#define atomic_compare_exchange_weak_explicit_ptr(p, e, n, m1, m2) \ +(atomic_cas_ptr((p), *(void **)(e), (void *)(n)) == *(void **)(e)) +#define atomic_exchange_explicit(o, n, m1) atomic_swap_ptr((o), (n)) #define murmurhash3 murmurhash2 #endif @@ -160,6 +158,7 @@ THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.5 * least significant bit. */ typedef uintptr_t thmap_ptr_t; +typedef uintptr_t atomic_thmap_ptr_t; // C11 _Atomic #define THMAP_NULL ((thmap_ptr_t)0) @@ -188,9 +187,9 @@ typedef uintptr_t thmap_ptr_t; */ typedef struct { - uint32_t state; - thmap_ptr_t parent; - thmap_ptr_t slots[LEVEL_SIZE]; + uint32_t state; // C11 _Atomic + thmap_ptr_t parent; + atomic_thmap_ptr_t slots[LEVEL_SIZE]; } thmap_inode_t; #define THMAP_INODE_LEN sizeof(thmap_inode_t) @@ -217,11 +216,11 @@ typedef struct { #define THMAP_ROOT_LEN (sizeof(thmap_ptr_t) * ROOT_SIZE) struct thmap { - uintptr_t baseptr; - thmap_ptr_t * root; - unsigned flags; - const thmap_ops_t *ops; - thmap_gc_t * gc_list; + uintptr_t baseptr; + atomic_thmap_ptr_t * root; + unsigned flags; + const thmap_ops_t * ops; + thmap_gc_t * gc_list; // C11 _Atomic }; static void stage_mem_gc(thmap_t *, uintptr_t, size_t); 
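Review bot: The kernel shims `atomic_compare_exchange_weak_explicit_32()`/`_ptr()` deviate from C11 compare-exchange in two ways the surrounding code must not rely on: `*e` is not updated with the observed value on failure (C11 does that, and generic CAS loops depend on it), and the two memory-order arguments are discarded, so the ordering actually provided is whatever atomic_cas_32()/atomic_cas_ptr() give on NetBSD. The lock_node() caller in the next hunk re-reads `node->state` after a failed CAS, so it is safe, but any caller written in the idiomatic C11 shape `while (!cas(p, &expected, new))` would spin on a stale `expected`. I would document this at the macro definitions: `/* NOTE: unlike C11, the expected value is NOT written back on failure and the memory orders are ignored; callers must re-load before retrying. */`. Mapping `atomic_thread_fence(x)` to `membar_sync()` is conservative and fine; `atomic_exchange_explicit()` maps only to atomic_swap_ptr(), so it must not be used on a 32-bit integer, which is worth a comment too.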
@@ -253,9 +252,9 @@ static const thmap_ops_t thmap_default_o
 #ifdef DIAGNOSTIC
 static inline bool
-node_locked_p(const thmap_inode_t *node)
+node_locked_p(thmap_inode_t *node)
 {
- return (node->state & NODE_LOCKED) != 0;
+ return (atomic_load_relaxed(&node->state) & NODE_LOCKED) != 0;
 }
 #endif
@@ -265,18 +264,14 @@ lock_node(thmap_inode_t *node)
 unsigned bcount = SPINLOCK_BACKOFF_MIN;
 uint32_t s;
 again:
- s = node->state;
+ s = atomic_load_relaxed(&node->state);
 if (s & NODE_LOCKED) {
 SPINLOCK_BACKOFF(bcount);
 goto again;
 }
- /*
- * CAS will issue a full memory fence for us.
- *
- * WARNING: for optimisations purposes, callers rely on us
- * issuing load and store fence
- */
- if (!atomic_cas_32_p(&node->state, s, s | NODE_LOCKED)) {
+ /* Acquire from prior release in unlock_node.() */
+ if (!atomic_compare_exchange_weak_explicit_32(&node->state,
+ &s, s | NODE_LOCKED, memory_order_acquire, memory_order_relaxed)) {
 bcount = SPINLOCK_BACKOFF_MIN;
 goto again;
 }
@@ -285,11 +280,11 @@ again:
 static void
 unlock_node(thmap_inode_t *node)
 {
- uint32_t s = node->state & ~NODE_LOCKED;
+ uint32_t s = atomic_load_relaxed(&node->state) & ~NODE_LOCKED;
 ASSERT(node_locked_p(node));
- atomic_thread_fence(memory_order_stores);
- node->state = s; // atomic store
+ /* Release to subsequent ac
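Review bot: The comment the lock_node() hunk removes said callers rely on lock_node() issuing a full load+store fence because the old CAS did; the replacement CAS is only `memory_order_acquire`, which is correct for a lock acquire but weaker than the removed warning promised, so any caller that depended on the old full fence (a store before lock_node() being ordered before a load after it) has silently lost that guarantee. If all such callers were audited, say so in the new comment; otherwise keep the stronger ordering. The new comment also has a typo, `unlock_node.()` should read `unlock_node()`, and it is worth adding that a spurious failure of the weak CAS is handled by the `goto again` retry, which re-loads `s`. The unlock_node() hunk that follows is cut off at the end of this chunk.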
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun Apr 7 22:23:40 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: npf.conf(5): Add more info about ifaddrs(). To generate a diff of this commit: cvs rdiff -u -r1.84 -r1.85 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.84 src/usr.sbin/npf/npfctl/npf.conf.5:1.85 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.84 Sat Jan 19 21:19:32 2019 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Apr 7 22:23:40 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.84 2019/01/19 21:19:32 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $ .\" .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 14, 2019 +.Dd February 2, 2019 .Dt NPF.CONF 5 .Os .Sh NAME @@ -148,12 +148,16 @@ The .Cm family keyword of a filtering rule can be used in combination to explicitly select an IP address type. +This function can also be used with +.Cm map +to specify the translation address, see below. .El .Pp Example of configuration: .Bd -literal -offset indent $var1 = inet4(wm0) $var2 = ifaddrs(wm0) + group default { block in on wm0 all # rule 1 block in on $var1 all # rule 2 @@ -350,6 +354,11 @@ redirecting the public port 9022 to the .Pp .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp +The translation address can also by dynamic, based on the interface. +The following would select IPv4 address currently assigned to the interface: +.Pp +.Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) +.Pp If the dynamic NAT is configured with multiple translation addresses, then a custom selection algorithm can be chosen using the .Cm algo 
@@ -587,10 +596,9 @@ $localnet = { 10.1.1.0/24 } alg "icmp" -# Note: if $ext_if has multiple IP address (e.g. IPv6 as well), -# then the translation address has to be specified explicitly. -map $ext_if dynamic 10.1.1.0/24 -> $ext_if -map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 +# These NAT rules will dynamically select the interface address(es). +map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) +map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- ifaddrs($ext_if) port 9022 procedure "log" { # The logging facility can be used together with npfd(8). @@ -635,7 +643,7 @@ group default { .Xr npfctl 8 , .Xr npfd 8 .Pp -.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website" +.Lk http://rmind.github.io/npf/ "NPF documentation website" .Sh HISTORY NPF first appeared in .Nx 6.0 .
CVS commit: src/sys/external/bsd/libnv/dist
Module Name:src Committed By: rmind Date: Fri Feb 15 22:49:24 UTC 2019 Modified Files: src/sys/external/bsd/libnv/dist: nvpair.c Log Message: nvpair_remove_nvlist_array: revert part of the rev 1.4 change (it was applied by mistake because the libnv upsteam code on Github has deviated from FreeBSD, i.e. it has a different nvlist_set_array_next() logic). To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/external/bsd/libnv/dist/nvpair.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/libnv/dist/nvpair.c diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.5 src/sys/external/bsd/libnv/dist/nvpair.c:1.6 --- src/sys/external/bsd/libnv/dist/nvpair.c:1.5 Tue Feb 12 12:52:49 2019 +++ src/sys/external/bsd/libnv/dist/nvpair.c Fri Feb 15 22:49:24 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $ */ +/* $NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -36,7 +36,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $"); #else -__RCSID("$NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $"); +__RCSID("$NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $"); #endif #include @@ -251,16 +251,8 @@ nvpair_remove_nvlist_array(nvpair_t *nvp nvlarray = __DECONST(nvlist_t **, nvpair_get_nvlist_array(nvp, &count)); for (i = 0; i < count; i++) { - nvlist_t *nvl; - nvpair_t *nnvp; - - nvl = nvlarray[i]; - nnvp = nvlist_get_array_next_nvpair(nvl); - if (nnvp != NULL) { - nvpair_free_structure(nnvp); - } - nvlist_set_array_next(nvl, NULL); - nvlist_set_parent(nvl, NULL); + nvlist_set_array_next(nvlarray[i], NULL); + nvlist_set_parent(nvlarray[i], NULL); } }
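Review bot: Reverting only nvpair.c leaves `nvlist_get_array_next_nvpair()`, which rev 1.4 added to nv_impl.h and nvlist.c solely for this loop, apparently without a caller, so the mistaken change is only half undone; either revert those two files too or keep the accessor with a comment saying why. It would also help the next reader to record the log message's conclusion in the code, e.g. `/* The array_next nvpair is owned by the containing list and freed with it; do not free it here (the GitHub libnv differs). */`, worded to match what was actually established, since the ownership rules are not visible in this hunk. nvpair_remove_nvlist_array() begins before the hunk.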
CVS commit: src/sys/external/bsd/libnv/dist
Module Name:src Committed By: rmind Date: Tue Feb 12 12:52:49 UTC 2019 Modified Files: src/sys/external/bsd/libnv/dist: nvpair.c Log Message: libnv: Free the data array for NV_TYPE_DESCRIPTOR_ARRAY case. Obtained from FreeBSD rev 343987 by oshogbo@. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/libnv/dist/nvpair.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/external/bsd/libnv/dist/nvpair.c
diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.4 src/sys/external/bsd/libnv/dist/nvpair.c:1.5
--- src/sys/external/bsd/libnv/dist/nvpair.c:1.4 Tue Feb 12 12:49:23 2019
+++ src/sys/external/bsd/libnv/dist/nvpair.c Tue Feb 12 12:52:49 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $ */
+/* $NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $ */
 /*-
 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $");
 #else
-__RCSID("$NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $");
+__RCSID("$NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $");
 #endif
 #include
@@ -2099,6 +2099,7 @@ nvpair_free(nvpair_t *nvp)
 case NV_TYPE_DESCRIPTOR_ARRAY:
 for (i = 0; i < nvp->nvp_nitems; i++)
 close(((int *)(intptr_t)nvp->nvp_data)[i]);
+ nv_free((int *)(intptr_t)nvp->nvp_data);
 break;
 #endif
 case NV_TYPE_NVLIST:
CVS commit: src/sys/external/bsd/libnv/dist
Module Name:src Committed By: rmind Date: Tue Feb 12 12:49:23 UTC 2019 Modified Files: src/sys/external/bsd/libnv/dist: nv_impl.h nvlist.c nvpair.c Log Message: libnv: fix multiple memory leaks. - nvpair_create_stringv: free the temporary string; this fix affects nvlist_add_stringf() and nvlist_add_stringv(). - nvpair_remove_nvlist_array (NV_TYPE_NVLIST_ARRAY case): free the chain of nvpairs (as resetting it prevents nvlist_destroy() from freeing it). Note: freeing the chain in nvlist_destroy() is not sufficient, because it would still leak through nvlist_take_nvlist_array(). This affects all nvlist_*_nvlist_array() users. Found by clang/gcc ASAN. These fixes have been contributed to the upstream (FreeBSD) repository. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/external/bsd/libnv/dist/nv_impl.h cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nvlist.c cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/libnv/dist/nvpair.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/libnv/dist/nv_impl.h diff -u src/sys/external/bsd/libnv/dist/nv_impl.h:1.5 src/sys/external/bsd/libnv/dist/nv_impl.h:1.6 --- src/sys/external/bsd/libnv/dist/nv_impl.h:1.5 Sun Sep 23 19:07:10 2018 +++ src/sys/external/bsd/libnv/dist/nv_impl.h Tue Feb 12 12:49:23 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nv_impl.h,v 1.5 2018/09/23 19:07:10 rmind Exp $ */ +/* $NetBSD: nv_impl.h,v 1.6 2019/02/12 12:49:23 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 
@@ -125,6 +125,7 @@ bool nvlist_move_nvpair(nvlist_t *nvl, n void nvlist_set_parent(nvlist_t *nvl, nvpair_t *parent); void nvlist_set_array_next(nvlist_t *nvl, nvpair_t *ele); +nvpair_t *nvlist_get_array_next_nvpair(nvlist_t *nvl); const nvpair_t *nvlist_get_nvpair(const nvlist_t *nvl, const char *name); Index: src/sys/external/bsd/libnv/dist/nvlist.c diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.6 src/sys/external/bsd/libnv/dist/nvlist.c:1.7 --- src/sys/external/bsd/libnv/dist/nvlist.c:1.6 Sat Sep 22 17:13:30 2018 +++ src/sys/external/bsd/libnv/dist/nvlist.c Tue Feb 12 12:49:23 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $ */ +/* $NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -36,7 +36,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $"); #else -__RCSID("$NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $"); +__RCSID("$NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $"); #endif #include @@ -269,6 +269,15 @@ nvlist_set_array_next(nvlist_t *nvl, nvp nvl->nvl_array_next = ele; } +nvpair_t * +nvlist_get_array_next_nvpair(nvlist_t *nvl) +{ + + NVLIST_ASSERT(nvl); + + return (nvl->nvl_array_next); +} + bool nvlist_in_array(const nvlist_t *nvl) { Index: src/sys/external/bsd/libnv/dist/nvpair.c diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.3 src/sys/external/bsd/libnv/dist/nvpair.c:1.4 --- src/sys/external/bsd/libnv/dist/nvpair.c:1.3 Sat Sep 8 14:32:25 2018 +++ src/sys/external/bsd/libnv/dist/nvpair.c Tue Feb 12 12:49:23 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nvpair.c,v 1.3 2018/09/08 14:32:25 christos Exp $ */ +/* $NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 
@@ -36,7 +36,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $"); #else -__RCSID("$NetBSD: nvpair.c,v 1.3 2018/09/08 14:32:25 christos Exp $"); +__RCSID("$NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $"); #endif #include @@ -251,8 +251,16 @@ nvpair_remove_nvlist_array(nvpair_t *nvp nvlarray = __DECONST(nvlist_t **, nvpair_get_nvlist_array(nvp, &count)); for (i = 0; i < count; i++) { - nvlist_set_array_next(nvlarray[i], NULL); - nvlist_set_parent(nvlarray[i], NULL); + nvlist_t *nvl; + nvpair_t *nnvp; + + nvl = nvlarray[i]; + nnvp = nvlist_get_array_next_nvpair(nvl); + if (nnvp != NULL) { + nvpair_free_structure(nnvp); + } + nvlist_set_array_next(nvl, NULL); + nvlist_set_parent(nvl, NULL); } } @@ -1216,8 +1224,7 @@ nvpair_create_stringv(const char *name, if (len < 0) return (NULL); nvp = nvpair_create_string(name, str); - if (nvp == NULL) - nv_free(str); + nv_free(str); return (nvp); } #endif
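Review bot: Freeing `nnvp` with nvpair_free_structure() inside the nvpair_remove_nvlist_array() loop is only safe if the nvpair returned by nvlist_get_array_next_nvpair() is referenced from nowhere but that element's array_next link; if the containing nvlist still holds it on its pair list, nvlist_destroy() frees it a second time. That ownership is not visible here, so at least document the assumption above the call, e.g. `/* nnvp is owned solely by this array link; the parent list no longer references it. */`, and add a test that builds, takes and destroys an nvlist array under ASAN to pin it. The nvpair_create_stringv() change to an unconditional `nv_free(str)` is right provided nvpair_create_string() copies `str`; a one-line comment `/* nvpair_create_string() copies str */` makes that self-evident. nvpair_remove_nvlist_array() begins before its hunk.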
CVS commit: src/doc
Module Name:src Committed By: rmind Date: Sat Jan 19 21:36:09 UTC 2019 Modified Files: src/doc: CHANGES Log Message: Mention NPF improvements. To generate a diff of this commit: cvs rdiff -u -r1.2491 -r1.2492 src/doc/CHANGES Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES diff -u src/doc/CHANGES:1.2491 src/doc/CHANGES:1.2492 --- src/doc/CHANGES:1.2491 Fri Jan 18 04:14:47 2019 +++ src/doc/CHANGES Sat Jan 19 21:36:09 2019 @@ -1,4 +1,4 @@ -# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2491 $> +# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2492 $> # # # [Note: This file does not mention every change made to the NetBSD source tree. @@ -308,3 +308,7 @@ Changes from NetBSD 8.0 to NetBSD 9.0: sgimips: Import irisboot, yet another bootloader for pre-ARC sgimips machines. Submitted by Naruaki Etomi via PR port-sgimips/53539. [tsutsui 20190112] + npf: Major NPF improvements (added support for dynamic NAT address, + NETMAP algorithm for static NAT, lock-free lookup for 'ipset' + tables, lock-free state lookup, incremental state G/C, etc). + [rmind 20190119]
CVS commit: src/sys/kern
Module Name:src Committed By: rmind Date: Sat Jan 19 20:42:54 UTC 2019 Modified Files: src/sys/kern: subr_thmap.c Log Message: thmap: use KM_NOSLEEP for now; might revisit later. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/sys/kern/subr_thmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/kern/subr_thmap.c
diff -u src/sys/kern/subr_thmap.c:1.3 src/sys/kern/subr_thmap.c:1.4
--- src/sys/kern/subr_thmap.c:1.3 Sat Dec 22 21:53:06 2018
+++ src/sys/kern/subr_thmap.c Sat Jan 19 20:42:54 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_thmap.c,v 1.3 2018/12/22 21:53:06 christos Exp $ */
+/* $NetBSD: subr_thmap.c,v 1.4 2019/01/19 20:42:54 rmind Exp $ */
 /*-
 * Copyright (c) 2018 Mindaugas Rasiukevicius
@@ -112,7 +112,7 @@
 #include "utils.h"
 #endif
-THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.3 2018/12/22 21:53:06 christos Exp $");
+THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.4 2019/01/19 20:42:54 rmind Exp $");
 /*
 * NetBSD kernel wrappers
@@ -233,7 +233,7 @@ static void stage_mem_gc(thmap_t *, uint
 static uintptr_t
 alloc_wrapper(size_t len)
 {
- return (uintptr_t)kmem_intr_alloc(len, KM_SLEEP);
+ return (uintptr_t)kmem_intr_alloc(len, KM_NOSLEEP);
 }
 static void
@@ -843,7 +843,7 @@ stage_mem_gc(thmap_t *thmap, uintptr_t a
 {
 thmap_gc_t *head, *gc;
- gc = kmem_intr_alloc(sizeof(thmap_gc_t), KM_SLEEP);
+ gc = kmem_intr_alloc(sizeof(thmap_gc_t), KM_NOSLEEP);
 gc->addr = addr;
 gc->len = len;
 retry:
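Review bot: With KM_NOSLEEP both allocations can now return NULL, but stage_mem_gc() dereferences `gc` on the very next line (`gc->addr = addr;`) without a check, and alloc_wrapper() now returns 0 to callers that presumably treat the result as a valid address unless they already test for it, which is not visible here. A failed kmem_intr_alloc() under memory pressure therefore becomes a kernel fault rather than a graceful failure. stage_mem_gc() continues past the hunk, so the right handling depends on what it can report; at minimum the allocation needs `if (gc == NULL) { ... }` with a defined fallback (freeing `addr` synchronously if the reclamation protocol permits it, or a KASSERT/panic with a comment explaining why the interrupt path cannot sleep), and alloc_wrapper()'s callers need to be audited for a 0 return. The log message's "might revisit later" belongs next to the KM_NOSLEEP as an XXX comment for the same reason.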
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Sun Dec 16 14:06:56 UTC 2018 Modified Files: src/sys/kern: files.kern src/sys/rump/librump/rumpkern: Makefile.rumpkern Added Files: src/sys/kern: subr_thmap.c src/sys/sys: thmap.h Log Message: Import thmap -- a concurrent trie-hash map, combining the elements of hashing and radix trie. It supports lock-free lookups and concurrent inserts/deletes. It is designed to be optimal as a general purpose *concurrent* associative array. Upstream: https://github.com/rmind/thmap Discussed on tech-kern@ To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/sys/kern/files.kern cvs rdiff -u -r0 -r1.1 src/sys/kern/subr_thmap.c cvs rdiff -u -r1.171 -r1.172 src/sys/rump/librump/rumpkern/Makefile.rumpkern cvs rdiff -u -r0 -r1.1 src/sys/sys/thmap.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/files.kern diff -u src/sys/kern/files.kern:1.27 src/sys/kern/files.kern:1.28 --- src/sys/kern/files.kern:1.27 Mon Dec 3 00:11:02 2018 +++ src/sys/kern/files.kern Sun Dec 16 14:06:56 2018 @@ -1,4 +1,4 @@ -# $NetBSD: files.kern,v 1.27 2018/12/03 00:11:02 christos Exp $ +# $NetBSD: files.kern,v 1.28 2018/12/16 14:06:56 rmind Exp $ # # kernel sources @@ -142,6 +142,7 @@ file kern/subr_psref.c kern file kern/subr_specificdata.c kern file kern/subr_tftproot.c tftproot file kern/subr_time.c kern +file kern/subr_thmap.c kern file kern/subr_userconf.c userconf file kern/subr_vmem.c kern file kern/subr_workqueue.c kern Index: src/sys/rump/librump/rumpkern/Makefile.rumpkern diff -u src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.171 src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.172 --- src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.171 Fri Sep 14 01:55:20 2018 +++ src/sys/rump/librump/rumpkern/Makefile.rumpkern Sun Dec 16 14:06:56 2018 
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile.rumpkern,v 1.171 2018/09/14 01:55:20 mrg Exp $ +# $NetBSD: Makefile.rumpkern,v 1.172 2018/12/16 14:06:56 rmind Exp $ # .include "${RUMPTOP}/Makefile.rump" @@ -122,6 +122,7 @@ SRCS+= init_sysctl_base.c \ subr_psref.c \ subr_specificdata.c \ subr_time.c \ + subr_thmap.c \ subr_vmem.c \ subr_workqueue.c \ subr_xcall.c \ Added files: Index: src/sys/kern/subr_thmap.c diff -u /dev/null src/sys/kern/subr_thmap.c:1.1 --- /dev/null Sun Dec 16 14:06:56 2018 +++ src/sys/kern/subr_thmap.c Sun Dec 16 14:06:56 2018 
@@ -0,0 +1,934 @@ +/*- + * Copyright (c) 2018 Mindaugas Rasiukevicius + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * Upstream: https://github.com/rmind/thmap/ + */ + +/* + * Concurrent trie-hash map. + * + * The data structure is conceptually a radix trie on hashed keys. + * Keys are hashed using a 32-bit function. The root level is a special + * case: it is managed using the compare-and-swap (CAS) atomic operation + * and has a fanout of 64. The subsequent levels are constructed using + * intermediate nodes with a fanout of 16 (using 4 bits). As more levels + * are created, more blocks of the 32-bit hash value might be generated + * by incrementing the seed parameter of the hash function. 
+ * + * Concurrency + * + * - READERS: Descending is simply walking through the slot values of + * the intermediate nodes. It is lock-free as there is no intermediate + * state: the slot is either empty or has a pointer to the child node. + * The main assumptions here are the following: + * + * i) modifications must preserve consistency with the respect to the + * readers i.e. the readers can only see the valid node values; + * + *
CVS commit: src/doc
Module Name:src Committed By: rmind Date: Sat Sep 29 18:48:55 UTC 2018 Modified Files: src/doc: CHANGES Log Message: Mention that NPF was converted to use libnv. To generate a diff of this commit: cvs rdiff -u -r1.2443 -r1.2444 src/doc/CHANGES Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES diff -u src/doc/CHANGES:1.2443 src/doc/CHANGES:1.2444 --- src/doc/CHANGES:1.2443 Sun Sep 23 13:46:53 2018 +++ src/doc/CHANGES Sat Sep 29 18:48:55 2018 @@ -1,4 +1,4 @@ -# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2443 $> +# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2444 $> # # # [Note: This file does not mention every change made to the NetBSD source tree. @@ -228,3 +228,4 @@ Changes from NetBSD 8.0 to NetBSD 9.0: kernel: Remove the ISDN code, including daic(4), iavc(4), isic(4), ifpci(4), ifritz, iwic(4), and all the ISDN-related userland tools. [maxv 20180923] + npf: Converted to use libnv [rmind 20180929]
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sat Sep 29 18:00:36 UTC 2018 Modified Files: src/sys/net/npf: npf_sendpkt.c Log Message: npf_return_tcp: fix no-INET6 case. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_sendpkt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_sendpkt.c diff -u src/sys/net/npf/npf_sendpkt.c:1.20 src/sys/net/npf/npf_sendpkt.c:1.21 --- src/sys/net/npf/npf_sendpkt.c:1.20 Sat Sep 29 14:41:36 2018 +++ src/sys/net/npf/npf_sendpkt.c Sat Sep 29 18:00:35 2018 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.20 2018/09/29 14:41:36 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.21 2018/09/29 18:00:35 rmind Exp $"); #include #include @@ -56,16 +56,16 @@ __KERNEL_RCSID(0, "$NetBSD: npf_sendpkt. #define DEFAULT_IP_TTL (ip_defttl) #if defined(_NPF_STANDALONE) -#define m_gethdr(t, f) npf->mbufops->alloc(0, 0) -#define m_freem(m) npc->npc_ctx->mbufops->free(m) -#define mtod(m,t) ((t)((npf)->mbufops->getdata(m))) +#define m_gethdr(t, f) (npf)->mbufops->alloc(0, 0) +#define m_freem(m) (npc)->npc_ctx->mbufops->free(m) +#define mtod(m,t) ((t)((npc)->npc_ctx->mbufops->getdata(m))) #endif #if !defined(INET6) || defined(_NPF_STANDALONE) #define in6_cksum(...) 0 #define ip6_output(...) 0 #define icmp6_error(m, ...) m_freem(m) -#define npf_ip6_setscope(n, i) 0 +#define npf_ip6_setscope(n, i) ((void)(i), 0) #endif #if defined(INET6) 
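Review bot: The standalone replacements for `m_gethdr`, `m_freem` and `mtod` in the `_NPF_STANDALONE` block expand to references to locals named `npf` and `npc` that are not macro parameters, so they only compile at call sites where a variable of that exact name is in scope; the `npf`/`npc` mix-up this hunk corrects is a symptom of that. A one-line comment above `#if defined(_NPF_STANDALONE)` would save the next reader the surprise: `/* Standalone stubs: m_freem/mtod rely on a local 'npc', m_gethdr on a local 'npf', being in scope at the call site. */`. The `m_freem` and `mtod` stubs also pass their `m` argument unparenthesised in the expansion; `(m)` in both is the usual macro hygiene.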
@@ -190,21 +190,19 @@ npf_return_tcp(npf_cache_t *npc) KASSERT(npf_iscached(npc, NPC_IP6)); th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), sizeof(struct tcphdr)); - } - /* Handle IPv6 scopes */ - if (npf_iscached(npc, NPC_IP6) && npf_ip6_setscope(npc, ip6) != 0) { - goto bad; + /* Handle IPv6 scopes */ + if (npf_ip6_setscope(npc, ip6) != 0) { + goto bad; + } } /* Pass to IP layer. */ if (npf_iscached(npc, NPC_IP4)) { return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); } -#if defined(INET6) return ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL); bad: -#endif m_freem(m); return EINVAL; }
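Review bot: With the `#if defined(INET6)` guard removed, the IPv6 tail of `npf_return_tcp` now reaches `return ip6_output(...)` in builds where the earlier hunk defines `ip6_output(...)` as the constant `0` (`!INET6` or `_NPF_STANDALONE`), so the function reports success without freeing `m`; a non-INET6 build previously fell through to `m_freem(m); return EINVAL;` instead. For a kernel without INET6 this may be unreachable if NPC_IP6 is never cached, but for the standalone build it looks like a leaked mbuf on every IPv6 reset, which is worth confirming. The stub could release the mbuf the way the `icmp6_error` stub already does, `#define ip6_output(m, ...) (m_freem(m), 0)`, or the IPv6 tail could stay under `#ifdef INET6`. The start of npf_return_tcp is outside the hunk.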
CVS commit: src/sys/external/bsd/libnv/dist
Module Name:src Committed By: rmind Date: Sun Sep 23 21:35:26 UTC 2018 Modified Files: src/sys/external/bsd/libnv/dist: nv_kern_netbsd.c Log Message: nvlist_copyin: fix the flag handling. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c diff -u src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.4 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.5 --- src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.4 Sun Sep 23 19:07:10 2018 +++ src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c Sun Sep 23 21:35:26 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $ */ +/* $NetBSD: nv_kern_netbsd.c,v 1.5 2018/09/23 21:35:26 rmind Exp $ */ /*- * Copyright (c) 2018 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $"); +__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.5 2018/09/23 21:35:26 rmind Exp $"); #if !defined(_KERNEL) && !defined(_STANDALONE) #include @@ -74,9 +74,9 @@ int nvlist_copyin(const nvlist_ref_t *nref, nvlist_t **nvlp, size_t lim) { const size_t len = nref->len; + int flags, error; nvlist_t *nvl; void *buf; - int error; if (len >= lim) { return E2BIG; @@ -87,7 +87,8 @@ nvlist_copyin(const nvlist_ref_t *nref, kmem_free(buf, len); return error; } - nvl = nvlist_unpack(buf, len, nref->flags); + flags = nref->flags & (NV_FLAG_IGNORE_CASE | NV_FLAG_NO_UNIQUE); + nvl = nvlist_unpack(buf, len, flags); kmem_free(buf, len); if (nvl == NULL) { return EINVAL; @@ -126,7 +127,7 @@ nvlist_copyout(nvlist_ref_t *nref, const (vaddr_t)uaddr + len); goto err; } - nref->flags = nvlist_error(nvl); + nref->flags = nvlist_flags(nvl); nref->buf = uaddr; nref->len = len; err:
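Review bot: The new mask in `nvlist_copyin`, `flags = nref->flags & (NV_FLAG_IGNORE_CASE | NV_FLAG_NO_UNIQUE);`, is the security-relevant line of this hunk and deserves a comment saying why it exists, since `nref` is copied in from userland and any other flag bits would otherwise be passed straight into `nvlist_unpack`; suggested: `/* nref->flags is user-supplied: only the public lookup flags may reach nvlist_unpack(). */`. Nothing visible rejects `len == 0` before the buffer is allocated and unpacked (the allocation sits between the hunks), so if that is intentional a word next to the `len >= lim` check would help. On the copyout side, `nref->flags = nvlist_flags(nvl)` replaces the earlier `nvlist_error` call and needs nothing further.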
CVS commit: src/sys/external/bsd/libnv/dist
Module Name:src Committed By: rmind Date: Sun Sep 23 19:07:10 UTC 2018 Modified Files: src/sys/external/bsd/libnv/dist: nv_impl.h nv_kern_netbsd.c Log Message: libnv: add a wrapper around free(9) since in FreeBSD it can take NULL. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/libnv/dist/nv_impl.h cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/libnv/dist/nv_impl.h diff -u src/sys/external/bsd/libnv/dist/nv_impl.h:1.4 src/sys/external/bsd/libnv/dist/nv_impl.h:1.5 --- src/sys/external/bsd/libnv/dist/nv_impl.h:1.4 Sat Sep 22 17:13:30 2018 +++ src/sys/external/bsd/libnv/dist/nv_impl.h Sun Sep 23 19:07:10 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nv_impl.h,v 1.4 2018/09/22 17:13:30 rmind Exp $ */ +/* $NetBSD: nv_impl.h,v 1.5 2018/09/23 19:07:10 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -65,10 +65,11 @@ extern void *nv_calloc(size_t, size_t); # endif # define nv_realloc(buf, size) realloc((buf), (size), M_NVLIST, \ M_WAITOK) -# define nv_free(buf) free((buf), M_NVLIST) # ifdef __FreeBSD__ +# define nv_free(buf) free((buf), M_NVLIST) # define nv_strdup(buf) strdup((buf), M_NVLIST) # else +extern void nv_free(void *); extern char *nv_strdup(const char *); # endif # define nv_vasprintf(ptr, ...) vasprintf(ptr, M_NVLIST, __VA_ARGS__) Index: src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c diff -u src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.3 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.4 --- src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.3 Sat Sep 22 17:13:30 2018 +++ src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c Sun Sep 23 19:07:10 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $ */ +/* $NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $ */ /*- * Copyright (c) 2018 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $"); +__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $"); #if !defined(_KERNEL) && !defined(_STANDALONE) #include @@ -61,6 +61,15 @@ extern void dealloc(void *, unsigned int #ifndef _STANDALONE #ifdef _KERNEL +void +nv_free(void *buf) +{ + if (!buf) { + return; + } + free(buf, M_NVLIST); +} + int nvlist_copyin(const nvlist_ref_t *nref, nvlist_t **nvlp, size_t lim) {
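Review bot: `nv_free` is defined here under `#ifndef _STANDALONE` / `#ifdef _KERNEL`, while the companion hunk in nv_impl.h declares it `extern` in the non-FreeBSD kernel branch; if a `_STANDALONE` build of libnv also defines `_KERNEL`, the symbol would be declared but never defined, so that combination is worth confirming or guarding the same way in the header. A one-line comment on the definition would also make the reason for the wrapper obvious at the call sites: `/* Unlike FreeBSD's, NetBSD's free(9) does not accept NULL, so nv_free() tolerates it. */`.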
CVS commit: src/sys/external/bsd/libnv/dist
Module Name:src Committed By: rmind Date: Sat Sep 22 17:13:30 UTC 2018 Modified Files: src/sys/external/bsd/libnv/dist: nv_impl.h nv_kern_netbsd.c nvlist.c Log Message: libnv: fix some NetBSD wrappers. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/libnv/dist/nv_impl.h cvs rdiff -u -r1.2 -r1.3 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c cvs rdiff -u -r1.5 -r1.6 src/sys/external/bsd/libnv/dist/nvlist.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/libnv/dist/nv_impl.h diff -u src/sys/external/bsd/libnv/dist/nv_impl.h:1.3 src/sys/external/bsd/libnv/dist/nv_impl.h:1.4 --- src/sys/external/bsd/libnv/dist/nv_impl.h:1.3 Sat Sep 8 14:12:53 2018 +++ src/sys/external/bsd/libnv/dist/nv_impl.h Sat Sep 22 17:13:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nv_impl.h,v 1.3 2018/09/08 14:12:53 christos Exp $ */ +/* $NetBSD: nv_impl.h,v 1.4 2018/09/22 17:13:30 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -82,11 +82,11 @@ extern char *nv_strdup(const char *); #else /* USERLAND */ # define nv_malloc(size) malloc((size)) -# define nv_calloc(n, size) calloc(n, size) # define nv_realloc(buf, size) realloc((buf), (size)) # define nv_free(buf) free((buf)) -# define nv_strdup(buf) strdup(buf) # define nv_vasprintf(ptr, ...) vasprintf(ptr, __VA_ARGS__) +void *nv_calloc(size_t, size_t); +char *nv_strdup(const char *); # define ERRNO_SET(var) do {\ errno = (var); \ Index: src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c diff -u src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.2 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.3 --- src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.2 Sat Sep 8 14:12:53 2018 +++ src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c Sat Sep 22 17:13:30 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: nv_kern_netbsd.c,v 1.2 2018/09/08 14:12:53 christos Exp $ */ +/* $NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $ */ /*- * Copyright (c) 2018 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.2 2018/09/08 14:12:53 christos Exp $"); +__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $"); #if !defined(_KERNEL) && !defined(_STANDALONE) #include @@ -198,11 +198,11 @@ nvlist_recv_ioctl(int fd, unsigned long void * nv_calloc(size_t n, size_t s) { - n *= s; - void *buf = nv_malloc(n); + const size_t len = n * s; + void *buf = nv_malloc(len); if (buf == NULL) return NULL; - memset(buf, 0, n); + memset(buf, 0, len); return buf; } Index: src/sys/external/bsd/libnv/dist/nvlist.c diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.5 src/sys/external/bsd/libnv/dist/nvlist.c:1.6 --- src/sys/external/bsd/libnv/dist/nvlist.c:1.5 Tue Sep 11 02:20:31 2018 +++ src/sys/external/bsd/libnv/dist/nvlist.c Sat Sep 22 17:13:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nvlist.c,v 1.5 2018/09/11 02:20:31 christos Exp $ */ +/* $NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -36,7 +36,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $"); #else -__RCSID("$NetBSD: nvlist.c,v 1.5 2018/09/11 02:20:31 christos Exp $"); +__RCSID("$NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $"); #endif #include @@ -1180,7 +1180,7 @@ nvlist_xunpack(const void *buf, size_t s goto fail; nvlist_set_parent(tmpnvl, nvp); break; -#if !defined(_KERNEL) && !defined(_STANDALONE) +#if !defined(_KERNEL) && !defined(_STANDALONE) && !defined(__NetBSD__) case NV_TYPE_DESCRIPTOR: ptr = nvpair_unpack_descriptor(isbe, nvp, ptr, &left, fds, nfds);
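Review bot: `nv_calloc` still computes `const size_t len = n * s;` without an overflow check, so unlike calloc(3) a large element count can wrap `len` to a small value and hand back an undersized, zeroed buffer that callers then treat as holding `n` elements; if any caller derives `n` from an unpacked (possibly user-supplied) buffer this is worth closing here rather than at each call site. Suggested guard before the allocation: `if (s != 0 && n > SIZE_MAX / s) return NULL;` (SIZE_MAX from whichever of <stdint.h>/<limits.h> the file already includes). The `n`-to-`len` rename in this hunk does not change that.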
CVS commit: src
Module Name:src Committed By: rmind Date: Sat Sep 22 12:54:34 UTC 2018 Modified Files: src/distrib/sets/lists/base: shl.mi src/distrib/sets/lists/comp: mi shl.mi src/distrib/sets/lists/debug: mi shl.mi src/sys/rump/kern: Makefile.rumpkerncomp Added Files: src/sys/rump/kern/lib/libnv: Makefile Log Message: Add rumpkern_nv (in-kernel RUMP libnv). To generate a diff of this commit: cvs rdiff -u -r1.847 -r1.848 src/distrib/sets/lists/base/shl.mi cvs rdiff -u -r1.2228 -r1.2229 src/distrib/sets/lists/comp/mi cvs rdiff -u -r1.321 -r1.322 src/distrib/sets/lists/comp/shl.mi cvs rdiff -u -r1.265 -r1.266 src/distrib/sets/lists/debug/mi cvs rdiff -u -r1.207 -r1.208 src/distrib/sets/lists/debug/shl.mi cvs rdiff -u -r1.12 -r1.13 src/sys/rump/kern/Makefile.rumpkerncomp cvs rdiff -u -r0 -r1.1 src/sys/rump/kern/lib/libnv/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/distrib/sets/lists/base/shl.mi diff -u src/distrib/sets/lists/base/shl.mi:1.847 src/distrib/sets/lists/base/shl.mi:1.848 --- src/distrib/sets/lists/base/shl.mi:1.847 Mon Sep 3 15:30:36 2018 +++ src/distrib/sets/lists/base/shl.mi Sat Sep 22 12:54:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: shl.mi,v 1.847 2018/09/03 15:30:36 christos Exp $ +# $NetBSD: shl.mi,v 1.848 2018/09/22 12:54:34 rmind Exp $ # # Note: Don't delete entries from here - mark them as "obsolete" instead, # unless otherwise stated below. 
@@ -689,6 +689,9 @@ ./usr/lib/librumpkern_ksem.so base-obsolete obsolete ./usr/lib/librumpkern_ksem.so.0 base-obsolete obsolete ./usr/lib/librumpkern_ksem.so.0.0 base-obsolete obsolete +./usr/lib/librumpkern_nv.so base-rump-shlib rump +./usr/lib/librumpkern_nv.so.0 base-rump-shlib rump +./usr/lib/librumpkern_nv.so.0.0 base-rump-shlib rump ./usr/lib/librumpkern_sljit.so base-rump-shlib rump,sljit ./usr/lib/librumpkern_sljit.so.0 base-rump-shlib rump,sljit ./usr/lib/librumpkern_sljit.so.0.0 base-rump-shlib rump,sljit Index: src/distrib/sets/lists/comp/mi diff -u src/distrib/sets/lists/comp/mi:1.2228 src/distrib/sets/lists/comp/mi:1.2229 --- src/distrib/sets/lists/comp/mi:1.2228 Thu Sep 6 19:19:44 2018 +++ src/distrib/sets/lists/comp/mi Sat Sep 22 12:54:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.2228 2018/09/06 19:19:44 maxv Exp $ +# $NetBSD: mi,v 1.2229 2018/09/22 12:54:34 rmind Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. ./etc/mtree/set.compcomp-sys-root @@ -3647,6 +3647,8 @@ ./usr/lib/librumpkern_crypto_p.a comp-c-proflib rump,profile ./usr/lib/librumpkern_ksem.a comp-obsolete obsolete ./usr/lib/librumpkern_ksem_p.a comp-obsolete obsolete +./usr/lib/librumpkern_nv.a comp-c-lib rump +./usr/lib/librumpkern_nv_p.a comp-c-proflib rump,profile ./usr/lib/librumpkern_sljit.a comp-c-lib rump,sljit ./usr/lib/librumpkern_sljit_p.a comp-c-proflib rump,sljit,profile ./usr/lib/librumpkern_solaris.a comp-c-lib rump,zfs Index: src/distrib/sets/lists/comp/shl.mi diff -u src/distrib/sets/lists/comp/shl.mi:1.321 src/distrib/sets/lists/comp/shl.mi:1.322 --- src/distrib/sets/lists/comp/shl.mi:1.321 Mon Aug 13 08:26:49 2018 +++ src/distrib/sets/lists/comp/shl.mi Sat Sep 22 12:54:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: shl.mi,v 1.321 2018/08/13 08:26:49 christos Exp $ +# $NetBSD: shl.mi,v 1.322 2018/09/22 12:54:34 rmind Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # 
@@ -213,6 +213,7 @@ ./usr/lib/librumphijack_pic.a comp-c-piclib compatfile,picinstall,rump ./usr/lib/librumpkern_crypto_pic.a comp-c-piclib picinstall,rump ./usr/lib/librumpkern_ksem_pic.a comp-obsolete obsolete +./usr/lib/librumpkern_nv_pic.a comp-c-piclib picinstall,rump ./usr/lib/librumpkern_sljit_pic.a comp-c-piclib picinstall,rump,sljit ./usr/lib/librumpkern_solaris_pic.a comp-c-piclib picinstall,rump,zfs ./usr/lib/librumpkern_sysproxy_pic.a comp-c-piclib picinstall,rump Index: src/distrib/sets/lists/debug/mi diff -u src/distrib/sets/lists/debug/mi:1.265 src/distrib/sets/lists/debug/mi:1.266 --- src/distrib/sets/lists/debug/mi:1.265 Wed Sep 19 13:58:26 2018 +++ src/distrib/sets/lists/debug/mi Sat Sep 22 12:54:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.265 2018/09/19 13:58:26 maxv Exp $ +# $NetBSD: mi,v 1.266 2018/09/22 12:54:34 rmind Exp $ ./etc/mtree/set.debug comp-sys-root ./usr/lib comp-sys-usr compatdir ./usr/lib/i18n/libBIG5_g.a comp-c-debuglib debuglib,compatfile @@ -202,6 +202,7 @@ ./usr/lib/librumphijack_g.a comp-c-debuglib debuglib,compatfile,rump ./usr/lib/librumpkern_crypto_g.a comp-c-debuglib debuglib,rump ./usr/lib/librumpkern_ksem_g.a comp-obsolete obsolete,compatfile +./usr/lib/librumpkern_nv_g.a comp-c-debuglib debuglib,rump ./usr/lib/librumpkern_sljit_g.a comp-c-debuglib debuglib,rump,sljit ./usr/lib/librumpkern_solaris_g.a c
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sat Sep 1 16:28:57 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: npf.conf(5): fix some of the previous incorrect or inaccurate changes. The TCP flags option is not only for the stateful tracking. Dynamic NAT implies NAPT; algorithms, at least for now, are for static NAT mappings. Mention that ALG ICMP is also for traceroute behind NAT; also mention "MSS clamping" (some users might search for this term, so keeping the terminology is helpful). To generate a diff of this commit: cvs rdiff -u -r1.70 -r1.71 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.70 src/usr.sbin/npf/npfctl/npf.conf.5:1.71 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.70 Fri Aug 31 11:18:35 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sat Sep 1 16:28:57 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 31, 2018 +.Dd September 1, 2018 .Dt NPF.CONF 5 .Os .Sh NAME @@ -87,8 +87,8 @@ table type hash dynamic .Pp .Ed Currently, tables support three data storage types: "hash", "tree", or "cdb". -Tables can also be set as containing "dynamic" or "static" data i.e. loaded from - a specified file. +Tables can also be set as containing "dynamic" or "static" data i.e. loaded +from a specified file. Tables of type "hash" and "cdb" can only contain IP addresses. Only static data can be used with a storage type of "cdb". .Pp 
@@ -166,9 +166,31 @@ option set, this rule is considered the evaluation of subsequent rules is skipped. Otherwise, the last matching rule is used. .Pp -A rule can also instruct NPF to create an entry in the state table -when passing the packet, to notify the sender when blocking it, and -to apply a procedure to the packet (e.g. "log") in either case. +The +.Cd proto +keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP +or other). +Its parameter should be a protocol number or its symbolic name, +as specified in the +.Pa /etc/protocols +file. +The protocol keyword can additionally have protocol-specific options. +The +.Cd flags +keyword can be used to match the packets against specific TCP flags, +according to the following syntax: +.Bl -tag -width protoXX -offset indent +.It proto tcp flags Ar match[/mask] +.El +.Pp +Where +.Ar match +is the set of TCP flags to be matched, out of the +.Ar mask +set, both sets being represented as a string combination of: S (SYN), +A (ACK), F (FIN), R (RST). The flags that are not present in +.Ar mask +are ignored. .Pp To notify the sender of a blocking decision, three .Cd return 
@@ -187,20 +209,19 @@ Return an ICMP UNREACHABLE message, when Applies to IPv4 and IPv6. .El .Pp +Further packet specification at present is limited to TCP and UDP +understanding source and destination ports, and ICMP and IPv6-ICMP +understanding icmp-type. +.Pp +A rule can also instruct NPF to create an entry in the state table when +passing the packet or to apply a procedure to the packet (e.g. "log"). +.Pp A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet4 proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" .Ed .Pp -Any protocol in -.Pa /etc/protocols -can be specified. -Further packet -specification at present is limited to protocol TCP understanding flags, -TCP and UDP understanding source and destination ports, and ICMP and -IPv6-ICMP understanding icmp-type. -.Pp Alternatively, NPF supports .Xr pcap-filter 7 syntax, for example: @@ -223,25 +244,6 @@ precaution. In both cases, a full TCP state tracking is performed for TCP connections and a limited tracking for message-based protocols (UDP and ICMP). .Pp -The -.Cd flags -keyword can be used in conjunction with the -.Cd stateful -keyword to match the packets against specific TCP flags, according to -the following syntax: -.Bl -tag -width flagsXX -offset indent -.It flags Ar match[/mask] -.El -.Pp -Where -.Ar match -is the set of TCP flags to be matched, out of the -.Ar mask -set, both sets being represented as a string combination of: S (SYN), -A (ACK), F (FIN), R (RST). The flags that are not present in -.Ar mask -are ignored. -.Pp By default, a stateful rule implies SYN-only flag check ("flags S/SAFR") for the TCP packets. It is not advisable to change this behavior; however, @@ -271,21 +273,32 @@ specified by $pub_ip for the packets on map $ext_if dynamic 10.1.1.0/24 -> $pub_ip .Ed .Pp -Several NAT algo
CVS commit: src/sys/netinet
Module Name:src Committed By: rmind Date: Thu Mar 29 21:40:53 UTC 2018 Modified Files: src/sys/netinet: tcp_input.c Log Message: tcp_urp_drop: fix a bug introduced in 1.390 rev (hi maxv@). To generate a diff of this commit: cvs rdiff -u -r1.400 -r1.401 src/sys/netinet/tcp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/tcp_input.c diff -u src/sys/netinet/tcp_input.c:1.400 src/sys/netinet/tcp_input.c:1.401 --- src/sys/netinet/tcp_input.c:1.400 Thu Mar 29 18:54:48 2018 +++ src/sys/netinet/tcp_input.c Thu Mar 29 21:40:53 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_input.c,v 1.400 2018/03/29 18:54:48 maxv Exp $ */ +/* $NetBSD: tcp_input.c,v 1.401 2018/03/29 21:40:53 rmind Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -148,7 +148,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.400 2018/03/29 18:54:48 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.401 2018/03/29 21:40:53 rmind Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -340,7 +340,7 @@ tcp_fields_to_net(struct tcphdr *th) static void tcp_urp_drop(struct tcphdr *th, int todrop, int *tiflags) { - if (th->th_urp > 1) { + if (th->th_urp > todrop) { th->th_urp -= todrop; } else { *tiflags &= ~TH_URG;
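Review bot: The corrected condition `if (th->th_urp > todrop)` carries no comment explaining why `todrop` is the right threshold, which is how the `> 1` regression this commit fixes slipped in; a short note above the `if` would make the next edit safer: `/* th_urp is relative to the start of the segment: after dropping todrop leading bytes it must shift by the same amount, and if the urgent pointer fell inside the dropped bytes the segment no longer carries urgent data. */`. `th_urp` is the 16-bit header field compared against an `int`; if `todrop` can ever be negative at the call sites (not visible here) the comparison does not mean what it looks like, so that assumption is worth stating too.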
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Sun Dec 10 22:04:41 UTC 2017 Modified Files: src/usr.sbin/npf: npf.7 src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l npf_show.c npfctl.8 npfctl.h todo Log Message: npfctl: add support for the 'no-ports' flag in the 'map' statements. This allows us to create a NAT policy without the port translation. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npf.7 cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.25 -r1.26 src/usr.sbin/npf/npfctl/npf_scan.l cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_show.c cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.8 cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/todo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf.7 diff -u src/usr.sbin/npf/npf.7:1.3 src/usr.sbin/npf/npf.7:1.4 --- src/usr.sbin/npf/npf.7:1.3 Sun Jul 12 23:54:43 2015 +++ src/usr.sbin/npf/npf.7 Sun Dec 10 22:04:41 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $ +.\" $NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -78,7 +78,8 @@ documentation and other manual pages. .Xr bpfjit 4 , .Xr npf.conf 5 , .Xr pcap-filter 7 , -.Xr npfctl 8 +.Xr npfctl 8 , +.Xr npfd 8 .Pp .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation" .Sh HISTORY Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.49 src/usr.sbin/npf/npfctl/npf.conf.5:1.50 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.49 Mon Jul 3 21:35:31 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Dec 10 22:04:41 2017 
@@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 19, 2017 +.Dd December 10, 2017 .Dt NPF.CONF 5 .Os .Sh NAME @@ -233,6 +233,14 @@ procedure "someproc" { .Ed .Pp In this case, the procedure calls the logging and normalisation modules. +The logging facility requires the npf_ext_log kernel module which would +normally get auto-loaded by NPF. +The specified npflog interface would also be auto-created once the +configuration is loaded. +The log packets can be written to a file using the +.Xr npfd 8 +daemon. +.Pp Traffic normalisation has a set of different mechanisms. In the example above, the normalisation procedure has arguments which apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) @@ -248,8 +256,7 @@ i.e., the next line is considered an ext .Sh GRAMMAR The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, -therefore it does not strictly represent the full syntax, which -is more flexible. +therefore it does not strictly represent the formal grammar. .Bd -literal ; Syntax of a single line. Lines can be separated by LF (\\n) or ; a semicolon. Comments start with a hash (#) character. 
@@ -279,10 +286,13 @@ table-def = "table" table-id "type" ( "h ; Mapping for address translation. map = "map" interface - ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] + ( "static" [ "algo" algorithm ] | "dynamic" ) + [ map-flags ] [ proto ] net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" [ proto ] filt-opts ] +map-flags = "no-ports" + ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. @@ -352,8 +362,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_ map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 procedure "log" { - # Note: npf_ext_log kernel module should be loaded, if not built-in. - # Also, the interface created, e.g.: ifconfig npflog0 create + # The logging facility can be used together with npfd(8). log: npflog0 } @@ -387,7 +396,8 @@ group default { .Xr bpf 4 , .Xr npf 7 , .Xr pcap-filter 7 , -.Xr npfctl 8 +.Xr npfctl 8 , +.Xr npfd 8 .Sh HISTORY NPF first appeared in .Nx 6.0 . Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.44 src/usr.sbin/npf/npfctl/npf_build.c:1.45 --- src/usr.sbin/npf/npfctl/npf_build.c:1.44 Thu Jan 19 20:18:17 2017 +++ src/usr.sbin/npf/npfctl/npf_build.c Sun Dec 10 22:04:41 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Dec 10 01:18:21 UTC 2017 Modified Files: src/sys/net/npf: npf_ctl.c npf_impl.h npf_ruleset.c npf_worker.c Log Message: - npf_mk_rules: enforce unique names for the dynamic rulesets. - npf_worker_unregister: merge fix for the standalone NPF. To generate a diff of this commit: cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.69 -r1.70 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf_ruleset.c cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_worker.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.49 src/sys/net/npf/npf_ctl.c:1.50 --- src/sys/net/npf/npf_ctl.c:1.49 Mon Oct 30 03:02:35 2017 +++ src/sys/net/npf/npf_ctl.c Sun Dec 10 01:18:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.49 2017/10/30 03:02:35 ozaki-r Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.50 2017/12/10 01:18:21 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.49 2017/10/30 03:02:35 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.50 2017/12/10 01:18:21 rmind Exp $"); #include #include 
@@ -371,12 +371,18 @@ npf_mk_rules(npf_t *npf, npf_ruleset_t * it = prop_array_iterator(rules); while ((rldict = prop_object_iterator_next(it)) != NULL) { npf_rule_t *rl = NULL; + const char *name; - /* Generate a single rule. */ error = npf_mk_singlerule(npf, rldict, rpset, &rl, errdict); if (error) { break; } + if (prop_dictionary_get_cstring_nocopy(rldict, "name", &name) && + npf_ruleset_lookup(rlset, name) != NULL) { + NPF_ERR_DEBUG(errdict); + npf_rule_free(rl); + return EEXIST; + } npf_ruleset_insert(rlset, rl); } prop_object_iterator_release(it); Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.69 src/sys/net/npf/npf_impl.h:1.70 --- src/sys/net/npf/npf_impl.h:1.69 Sun Feb 19 02:11:19 2017 +++ src/sys/net/npf/npf_impl.h Sun Dec 10 01:18:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_impl.h,v 1.69 2017/02/19 02:11:19 christos Exp $ */ +/* $NetBSD: npf_impl.h,v 1.70 2017/12/10 01:18:21 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -330,6 +330,7 @@ npf_natpolicy_t *npf_ruleset_findnat(npf void npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *); int npf_ruleset_export(npf_t *, const npf_ruleset_t *, prop_array_t); +npf_rule_t * npf_ruleset_lookup(npf_ruleset_t *, const char *); int npf_ruleset_add(npf_ruleset_t *, const char *, npf_rule_t *); int npf_ruleset_remove(npf_ruleset_t *, const char *, uint64_t); int npf_ruleset_remkey(npf_ruleset_t *, const char *, Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.45 src/sys/net/npf/npf_ruleset.c:1.46 --- src/sys/net/npf/npf_ruleset.c:1.45 Sun Jan 29 00:15:54 2017 +++ src/sys/net/npf/npf_ruleset.c Sun Dec 10 01:18:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.46 2017/12/10 01:18:21 rmind Exp $ */ /*- * Copyright (c) 2009-2015 The NetBSD Foundation, Inc. 
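Review bot: The duplicate-name path added to `npf_mk_rules` does `return EEXIST;` from inside the iterator loop, which skips the `prop_object_iterator_release(it)` that the existing `error` path reaches via `break`, so the proplib iterator is leaked whenever a ruleset is rejected. Making it consistent with the line above, `error = EEXIST; break;`, keeps the release (assuming the code after the loop returns `error`, as the existing break path implies; the end of the function is outside the hunk). Since the names come from the configuration being loaded, a short comment on the lookup, `/* Rule names in a ruleset must be unique: reject rather than shadow an existing rule. */`, would also help.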
@@ -35,7 +35,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.46 2017/12/10 01:18:21 rmind Exp $");
 #include
 #include
@@ -208,7 +208,7 @@ npf_ruleset_insert(npf_ruleset_t *rlset,
 }
 }
-static npf_rule_t *
+npf_rule_t *
 npf_ruleset_lookup(npf_ruleset_t *rlset, const char *name)
 {
 npf_rule_t *rl;
Index: src/sys/net/npf/npf_worker.c
diff -u src/sys/net/npf/npf_worker.c:1.3 src/sys/net/npf/npf_worker.c:1.4
--- src/sys/net/npf/npf_worker.c:1.3 Mon Jan 2 21:49:51 2017
+++ src/sys/net/npf/npf_worker.c Sun Dec 10 01:18:21 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_worker.c,v 1.3 2017/01/02 21:49:51 rmind Exp $ */
+/* $NetBSD: npf_worker.c,v 1.4 2017/12/10 01:18:21 rmind Exp $ */
 /*-
 * Copyright (c) 2010-2015 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.3 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.4 2017/12/10 01:18:21 rmind Exp $");
 #include
 #include
@@ -148,9 +148,12 @@ void
 npf_worker_unregister(npf_t *npf, npf_workfunc_t func)
 {
 const unsigned idx = npf->worker_id;
- npf_worker_t *wrk = &npf_workers[idx];
+ npf_worker_t *wrk;
 npf_t *instance;
+ if (!npf_worker_count)
+ return;
+ wrk = &npf_workers[idx];
 mutex_enter(&wrk->worker_lock);
 npf_worker_testset(wrk, func, NULL);
 if ((instance = wrk->instances) == npf) {
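Review bot: After the new `if (!npf_worker_count) return;` guard in npf_worker_unregister, `wrk = &npf_workers[idx];` still indexes the global array with `idx = npf->worker_id` without relating it to `npf_worker_count`, so a never-assigned or stale `worker_id` in the standalone build this fix targets would index past the array silently. A `KASSERT(idx < npf_worker_count);` right before the assignment would pin the invariant the guard relies on. The guard also reads `npf_worker_count` outside `worker_lock`; presumably it only changes at sysinit/sysfini time, which is worth saying in a one-line comment next to the check.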
CVS commit: src/sys/net/npf
ndex: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.23 src/sys/net/npf/npf_conn.c:1.24
--- src/sys/net/npf/npf_conn.c:1.23 Sun Jan 29 00:15:54 2017
+++ src/sys/net/npf/npf_conn.c Sun Dec 10 00:07:36 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $ */
+/* $NetBSD: npf_conn.c,v 1.24 2017/12/10 00:07:36 rmind Exp $ */
 /*-
 * Copyright (c) 2014-2015 Mindaugas Rasiukevicius
@@ -100,7 +100,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.24 2017/12/10 00:07:36 rmind Exp $");
 #include
 #include
@@ -727,7 +727,8 @@ npf_conn_pass(const npf_conn_t *con, npf
 {
 KASSERT(con->c_refcnt > 0);
 if (__predict_true(con->c_flags & CONN_PASS)) {
- *mi = con->c_mi;
+ mi->mi_rid = con->c_rid;
+ mi->mi_retfl = con->c_retfl;
 *rp = con->c_rproc;
 return true;
 }
@@ -752,8 +753,10 @@ npf_conn_setpass(npf_conn_t *con, const
 */
 atomic_or_uint(&con->c_flags, CONN_PASS);
 con->c_rproc = rp;
- if (rp)
- con->c_mi = *mi;
+ if (rp) {
+ con->c_rid = mi->mi_rid;
+ con->c_retfl = mi->mi_retfl;
+ }
 }
 /*
Index: src/sys/net/npf/npf_ext_normalize.c
diff -u src/sys/net/npf/npf_ext_normalize.c:1.5 src/sys/net/npf/npf_ext_normalize.c:1.6
--- src/sys/net/npf/npf_ext_normalize.c:1.5 Sun Jan 29 00:15:54 2017
+++ src/sys/net/npf/npf_ext_normalize.c Sun Dec 10 00:07:36 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */
+/* $NetBSD: npf_ext_normalize.c,v 1.6 2017/12/10 00:07:36 rmind Exp $ */
 /*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.6 2017/12/10 00:07:36 rmind Exp $");
 #include
 #include
@@ -147,8 +147,8 @@ npf_normalize(npf_cache_t *npc, void *pa
 int *decision)
 {
 npf_normalize_t *np = params;
- struct tcphdr *th = npc->npc_l4.tcp;
 uint16_t cksum, mss, maxmss = np->n_maxmss;
+ struct tcphdr *th;
 int wscale;
 /* Skip, if already blocking. */
@@ -160,6 +160,7 @@ npf_normalize(npf_cache_t *npc, void *pa
 if (npf_iscached(npc, NPC_IP4) && (np->n_random_id || np->n_minttl)) {
 npf_normalize_ip4(npc, np);
 }
+ th = npc->npc_l4.tcp;
 /*
 * TCP Maximum Segment Size (MSS) "clamping". Only if SYN packet.
@@ -180,8 +181,13 @@ npf_normalize(npf_cache_t *npc, void *pa
 }
 maxmss = htons(maxmss);
- /* Store new MSS, calculate TCP checksum and update it. */
- if (npf_fetch_tcpopts(npc, &maxmss, &wscale)) {
+ /*
+ * Store new MSS, calculate TCP checksum and update it.
+ * WARNING: must re-fetch the TCP header after the modification.
+ */
+ if (npf_fetch_tcpopts(npc, &maxmss, &wscale) &&
+ nbuf_cksum_barrier(npc->npc_nbuf, mi->mi_di)) {
+ th = npc->npc_l4.tcp;
 cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
 th->th_sum = cksum;
 }
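Review bot: In the last hunk the MSS option has already been rewritten in place by `npf_fetch_tcpopts(npc, &maxmss, &wscale)` by the time `nbuf_cksum_barrier(npc->npc_nbuf, mi->mi_di)` is evaluated, so a false return from the barrier skips only the `th_sum` fixup and not the modification; unless the barrier's contract is that false means the checksum is recomputed downstream (not visible here), a SYN can leave with a clamped MSS and a stale TCP checksum. The two calls deserve separate tests with a comment stating what a false barrier result means, rather than one `&&` that hides the asymmetry. The WARNING comment says that `th` must be re-fetched but not what invalidated it; naming `npf_fetch_tcpopts()` as the reason would make the `th = npc->npc_l4.tcp;` lines self-explanatory. The body between the second and third hunk is not visible.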
CVS commit: src/lib/libnpf
Module Name:src Committed By: rmind Date: Thu Dec 7 00:22:06 UTC 2017 Modified Files: src/lib/libnpf: libnpf.3 Log Message: libnpf(3): improve the wording, fix and expand some sections. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libnpf/libnpf.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/libnpf.3 diff -u src/lib/libnpf/libnpf.3:1.4 src/lib/libnpf/libnpf.3:1.5 --- src/lib/libnpf/libnpf.3:1.4 Tue Dec 27 21:25:12 2016 +++ src/lib/libnpf/libnpf.3 Thu Dec 7 00:22:06 2017 @@ -1,6 +1,6 @@ -.\" $NetBSD: libnpf.3,v 1.4 2016/12/27 21:25:12 wiz Exp $ +.\" $NetBSD: libnpf.3,v 1.5 2017/12/07 00:22:06 rmind Exp $ .\" -.\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc. +.\" Copyright (c) 2011-2017 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 19, 2015 +.Dd December 7, 2017 .Dt LIBNPF 3 .Os .Sh NAME 
@@ -110,23 +110,24 @@ The configuration can be submitted to th .Ss Configuration .Bl -tag -width 4n .It Fn npf_config_create -Create a configuration. +Create a new configuration object. .It Fn npf_config_submit "ncf" "fd" "errinfo" -Submit configuration -.Fa ncf +Submit the configuration object, specified by +.Fa ncf , to the kernel. -On error, the the description is written into the structure specified by +On failure, the error information is written into the structure +specified by .Fa errinfo . .It Fn npf_config_export "fd" "len" -Serialize the given configuration and return binary object and its -length in +Serialize the current configuration and return the binary object as +well as its length in .Fa len parameter. The binary object is dynamically allocated and should be destroyed using .Xr free 3 . .It Fn npf_config_import "blob" "len" Read the configuration from a binary object of the specified length, -unserialize, construct and return the configuration object. +unserialize, and return the configuration object. .It Fn npf_config_flush "fd" Flush the current configuration. .It Fn npf_config_retrieve "fd" "active" "loaded" @@ -135,7 +136,7 @@ Retrieve and return the loaded configura Indicate whether the retrieved configuration is active (true if yes and false otherwise). .It Fn npf_config_destroy "ncf" -Destroy the configuration +Destroy the configuration object, specified by .Fa ncf . .El .\" --- 
@@ -143,91 +144,97 @@ Destroy the configuration .Bl -tag -width 4n .It Fn npf_rule_create "name" "attr" "ifname" Create a rule with a given name, attribute and priorty. -Name can be +If the name is specified, then it should be unique within the +configuration object. +Otherwise, the name can be .Dv NULL , -in which case rule has no unique identifier. -Otherwise, rules shall not have duplicate names. +in which case the rule will have no identifier. The following attributes, which can be ORed, are available: .Bl -tag -width indent .It Dv NPF_RULE_PASS -Decision of this rule is "pass". +The decision of this rule shall be "pass". If this attribute is not -specified, then packet "block" (drop) is the default. +specified, then "block" (drop the packet) is the default. .It Dv NPF_RULE_IN -Match incoming packets. +Match the incoming packets. .It Dv NPF_RULE_OUT -Match outgoing packets. +Match the outgoing packets. .It Dv NPF_RULE_FINAL -Indicates that on rule match, further processing of the -ruleset should be stopped and this rule applied instantly. +Indicate that on rule match, further processing of the ruleset should +be stopped and this rule should be applied instantly. .It Dv NPF_RULE_STATEFUL -Create a state (session) on match, track the connection and -therefore pass the backwards stream without inspection. +Create a state (session) on match, track the connection and pass the +backwards stream (the returning packets) without the ruleset inspection. The state is uniquely identified by a 5-tuple (source and destination IP addresses, port numbers and an interface identifier). .It Dv NPF_RULE_MULTIENDS -Exclude the interface from the state identifier. +Exclude the interface identifier from the state key i.e. use a 4-tuple. .It Dv NPF_RULE_RETRST Return TCP RST packet in a case of packet block. .It Dv NPF_RULE_RETICMP Return ICMP destination unreachable in a case of packet block. .It Dv NPF_RULE_GROUP Allow this rule to have sub-rules. 
-If used with +If this flag is used with the .Dv NPF_RULE_DYNAMIC -flag set, the can be added dynamically. +flag set, then it is a dynamic group. +The sub-rules can be added dynamically to a dynamic group, also meaning +that the sub-rules must have the +.Dv NPF_RULE_DYNAMIC +flag set. Otherwise rules must be added statically i.e. created with the configuration. .It Dv
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Fri Jan 20 23:00:30 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_parse.y Log Message: npfctl: fix shift/reduce conflicts, thanks to riastradh@. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf_parse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_parse.y diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.43 src/usr.sbin/npf/npfctl/npf_parse.y:1.44 --- src/usr.sbin/npf/npfctl/npf_parse.y:1.43 Fri Jan 20 03:16:40 2017 +++ src/usr.sbin/npf/npfctl/npf_parse.y Fri Jan 20 23:00:30 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.43 2017/01/20 03:16:40 kre Exp $ */ +/* $NetBSD: npf_parse.y,v 1.44 2017/01/20 23:00:30 rmind Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -180,7 +180,7 @@ yyerror(const char *fmt, ...) %type element, list_elems, list, value %type mapseg %type filt_opts, all_or_filt_opts -%type opt_proto +%type proto opt_proto %type group_opts %type onoff @@ -357,7 +357,11 @@ map { npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4); } - | MAP ifref map_sd map_algo opt_proto mapseg map_type mapseg + | MAP ifref map_sd map_algo mapseg map_type mapseg + { + npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4); + } + | MAP ifref map_sd map_algo proto mapseg map_type mapseg { npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4); } @@ -546,7 +550,7 @@ opt_family | { $$ = AF_UNSPEC; } ; -opt_proto +proto : PROTO TCP tcp_flags_and_mask { $$.op_proto = IPPROTO_TCP; @@ -572,6 +576,10 @@ opt_proto $$.op_proto = $2; $$.op_opts = NULL; } + ; + +opt_proto + : proto { $$ = $1; } | { $$.op_proto = -1;
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Thu Jan 19 20:18:18 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_data.c npf_parse.y npfctl.h Log Message: npfctl: - Add protocol filter option for "map". - Print user-friendly error if table contains an entry with invalid netmask. - Add support for inline ports. To generate a diff of this commit: cvs rdiff -u -r1.46 -r1.47 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/npf/npfctl/npf_data.c cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf_parse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.46 src/usr.sbin/npf/npfctl/npf.conf.5:1.47 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.46 Tue Jan 3 01:29:49 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Jan 19 20:18:17 2017 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.47 2017/01/19 20:18:17 rmind Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -228,11 +228,15 @@ For example: .Bd -literal procedure "someproc" { log: npflog0 - normalize: "random-id", "min-ttl" 64 + normalize: "random-id", "min-ttl" 64, "max-mss" 1432 } .Ed .Pp In this case, the procedure calls the logging and normalisation modules. +Traffic normalisation has a set of different mechanisms. +In the example above, the normalisation procedure has arguments which +apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) +flag cleansing, minimum TTL enforcement and TCP MSS "clamping". .Ss Misc Text after a hash .Pq Sq # 
@@ -275,9 +279,9 @@ table-def = "table" table-id "type" ( "h ; Mapping for address translation. map = "map" interface - ( "static" [ "algo" algorithm ] | "dynamic" ) + ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] net-seg ( "->" | "<-" | "<->" ) net-seg - [ "pass" filt-opts ] + [ "pass" [ proto ] filt-opts ] ; Rule procedure definition. The name should be in the double quotes. ; @@ -295,8 +299,7 @@ group = "group" ( "default" | group-opt group-opts = name-string [ "in" | "out" ] [ "on" interface ] rule-list = [ rule new-line ] rule-list -npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] - ( "all" | filt-opts ) +npf-filter = [ "family" family-opt ] [ proto ] ( "all" | filt-opts ) static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" | "stateful-ends" ] [ "in" | out" ] [ "final" ] [ "on" interface ] @@ -306,6 +309,7 @@ static-rule = ( "block" [ block-opts ] | dynamic-ruleset = "ruleset" group-opts rule = static-rule | dynamic-ruleset +proto = "proto" protocol [ proto-opts ] block-opts = "return-rst" | "return-icmp" | "return" family-opt = "inet4" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | @@ -345,7 +349,7 @@ alg "icmp" # Note: if $ext_if has multiple IP address (e.g. IPv6 as well), # then the translation address has to be specified explicitly. map $ext_if dynamic 10.1.1.0/24 -> $ext_if -map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022 +map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 procedure "log" { # Note: npf_ext_log kernel module should be loaded, if not built-in. Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.43 src/usr.sbin/npf/npfctl/npf_build.c:1.44 --- src/usr.sbin/npf/npfctl/npf_build.c:1.43 Tue Jan 3 01:29:49 2017 +++ src/usr.sbin/npf/npfctl/npf_build.c Thu Jan 19 20:18:17 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $"); #include #include @@ -586,9 +586,9 @@ npfctl_build_rule(uint32_t attr, const c */ static nl_nat_t * npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap, -const filt_opts_t *fopts, u_int flags) +const opt_proto_t *op, const filt_opts_t *fopts, u_int flags) { - const opt_proto_t op = { .op_proto = -1, .op_opts = NULL }; + const opt_proto_t def_op = { .op_proto = -1, .op_opts = NULL }; fam_addr_mask_t *am = npfctl_get_singlefam(ap->ap_netaddr); in_port_t port; nl_nat_t *nat; @@ -600,10 +600,13 @@ npfctl_build_nat(int type, const char *i } else { port = 0; } + if (!op) { + op = &def_op; + } nat = npf_nat_create(type, flags, ifname, am->fam_family, &am->fam_addr, am->fam_mask, port); - npfctl_build_code(nat, am->f
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Tue Jan 3 01:29:49 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l npfctl.h Log Message: npfctl: dynamic interface address handling; update npf.conf(8). To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.39 -r1.40 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.45 src/usr.sbin/npf/npfctl/npf.conf.5:1.46 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.45 Tue Dec 27 22:35:33 2016 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Jan 3 01:29:49 2017 @@ -1,6 +1,6 @@ -.\"$NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $ .\" -.\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. +.\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 28, 2016 +.Dd January 3, 2017 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -110,6 +110,24 @@ Specific interface addresses can be sele $pub_if4 = inet4(wm0) $pub_if46 = { inet4(wm0), inet6(wm0) } .Ed +.Pp +In the above examples, NPF will statically capture the interface +addresses on configuration load. +.Pp +The following can be used for dynamic handling of the interface addresses: +.Bd -literal +$pub_if = ifaddrs(wm0) +.Ed +.Pp +In this case, the expression will represent the runtime list of addresses, +reflecting any changes to the interface, including the attach and detach. +Marking the interface as ``down'' has no effect, i.e. all addresses will +remain present. +.Pp +The dynamic address list represents both the IPv4 and IPv6 addresses, +therefore the +.Cd family +keyword can be used in combination to make the filtering more narrow. .Ss Groups Groups may have the following options: name, interface, and direction. They are defined in the following form: Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.42 src/usr.sbin/npf/npfctl/npf_build.c:1.43 --- src/usr.sbin/npf/npfctl/npf_build.c:1.42 Tue Dec 27 22:35:33 2016 +++ src/usr.sbin/npf/npfctl/npf_build.c Tue Jan 3 01:29:49 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $ */ /*- - * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. + * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $"); #include #include @@ -65,6 +65,7 @@ static nl_rule_t * the_rule = NULL; static nl_rule_t * current_group[MAX_RULE_NESTING]; static unsigned rule_nesting_level = 0; static nl_rule_t * defgroup = NULL; +static unsigned npfctl_tid_counter = 0; static void npfctl_dump_bpf(struct bpf_program *); 
@@ -797,10 +798,9 @@ npfctl_fill_table(nl_table_t *tl, u_int
 void
 npfctl_build_table(const char *tname, u_int type, const char *fname)
 {
- static unsigned tid = 0;
 nl_table_t *tl;
- tl = npf_table_create(tname, tid++, type);
+ tl = npf_table_create(tname, npfctl_tid_counter++, type);
 assert(tl != NULL);
 if (npf_table_insert(npf_conf, tl)) {
@@ -814,6 +814,24 @@ npfctl_build_table(const char *tname, u_
 }
 }
+npfvar_t *
+npfctl_ifnet_table(const char *ifname)
+{
+ char tname[NPF_TABLE_MAXNAMELEN];
+ nl_table_t *tl;
+ u_int tid;
+
+ snprintf(tname, sizeof(tname), ".ifnet-%s", ifname);
+
+ tid = npfctl_table_getid(tname);
+ if (tid == (unsigned)-1) {
+ tid = npfctl_tid_counter++;
+ tl = npf_table_create(tname, tid, NPF_TABLE_TREE);
+ (void)npf_table_insert(npf_conf, tl);
+ }
+ return npfvar_create_element(NPFVAR_TABLE, &tid, sizeof(u_int));
+}
+
 /*
 * npfctl_build_alg: create an NPF application level gateway and add it
 * to the configuration.
Index: src/usr.sbin/npf/npfctl/npfctl.h
diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.42 src/usr.sbin/npf/npfctl/npfctl.h:1.43
--- src/usr.sbin/npf/npfctl/npfctl.h:1.42 Tue Dec 27 22:35:33 2016
+++ src/usr.sbin/npf/npfctl/npfctl.h Tue Jan 3 01:29:49 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.h,v 1.42 2016/12/27 22:35:33 rmind Exp $ */
+/* $NetBSD: npfctl.h,v 1.43 2017/01/03 01:29:49 rmind Exp $ */
 /*-
 * Cop
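Review bot: `(void)npf_table_insert(npf_conf, tl);` in npfctl_ifnet_table discards the failure that `npfctl_build_table` in the preceding hunk treats as an error, and `tl` from `npf_table_create()` is used without the `assert(tl != NULL)` that function has; on either failure the function still returns an `NPFVAR_TABLE` element carrying a `tid` that is not in the configuration, so a rule using `ifaddrs(...)` would be compiled against a table id the kernel never receives. Mirror the sibling: add `assert(tl != NULL);` after the create and check `npf_table_insert()` the same way npfctl_build_table does instead of casting it away. A short comment that the `.ifnet-<name>` table is looked up by that exact name on the kernel side (see lookup_ifnet_table on this page) would also explain why the name format must not drift.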
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Tue Jan 3 00:58:05 UTC 2017 Modified Files: src/sys/net/npf: npf_conf.c npf_ifaddr.c npf_impl.h npf_os.c Log Message: NPF: fix the interface table initialisation on load. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_ifaddr.c cvs rdiff -u -r1.66 -r1.67 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_os.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.10 src/sys/net/npf/npf_conf.c:1.11 --- src/sys/net/npf/npf_conf.c:1.10 Mon Dec 26 23:05:06 2016 +++ src/sys/net/npf/npf_conf.c Tue Jan 3 00:58:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conf.c,v 1.10 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_conf.c,v 1.11 2017/01/03 00:58:05 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -49,7 +49,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.10 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.11 2017/01/03 00:58:05 rmind Exp $"); #include #include @@ -157,7 +157,7 @@ npf_config_load(npf_t *npf, npf_ruleset_ npf_ifmap_flush(npf); npf_conn_load(npf, conns, !flush); mutex_exit(&npf->config_lock); - return; + goto done; } /* @@ -183,6 +183,9 @@ npf_config_load(npf_t *npf, npf_ruleset_ /* Finally, it is safe to destroy the old config. */ npf_config_destroy(onc); +done: + /* Sync all interface address tables (can be done asynchronously). */ + npf_ifaddr_syncall(npf); } /* Index: src/sys/net/npf/npf_ifaddr.c diff -u src/sys/net/npf/npf_ifaddr.c:1.1 src/sys/net/npf/npf_ifaddr.c:1.2 --- src/sys/net/npf/npf_ifaddr.c:1.1 Mon Jan 2 21:49:51 2017 +++ src/sys/net/npf/npf_ifaddr.c Tue Jan 3 00:58:05 2017 
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $ */
+/* $NetBSD: npf_ifaddr.c,v 1.2 2017/01/03 00:58:05 rmind Exp $ */
 /*-
 * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.2 2017/01/03 00:58:05 rmind Exp $");
 #include
 #include
@@ -46,20 +46,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c
 #include "npf_impl.h"
-void
-npf_ifaddr_init(npf_t *npf)
-{
- ifnet_t *ifp;
-
- KERNEL_LOCK(1, NULL);
- IFNET_LOCK();
- IFNET_WRITER_FOREACH(ifp) {
- npf_ifaddr_sync(npf, ifp);
- }
- IFNET_UNLOCK();
- KERNEL_UNLOCK_ONE(NULL);
-}
-
 static npf_table_t *
 lookup_ifnet_table(npf_t *npf, ifnet_t *ifp)
 {
@@ -177,3 +163,19 @@ npf_ifaddr_flush(npf_t *npf, ifnet_t *if
 }
 replace_ifnet_table(npf, t);
 }
+
+void
+npf_ifaddr_syncall(npf_t *npf)
+{
+ ifnet_t *ifp;
+
+ KERNEL_LOCK(1, NULL);
+ IFNET_LOCK();
+ IFNET_WRITER_FOREACH(ifp) {
+ npf_ifaddr_sync(npf, ifp);
+ }
+ IFNET_UNLOCK();
+ KERNEL_UNLOCK_ONE(NULL);
+}
+
+
Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.66 src/sys/net/npf/npf_impl.h:1.67
--- src/sys/net/npf/npf_impl.h:1.66 Mon Jan 2 21:49:51 2017
+++ src/sys/net/npf/npf_impl.h Tue Jan 3 00:58:05 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.66 2017/01/02 21:49:51 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.67 2017/01/03 00:58:05 rmind Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -247,9 +247,9 @@ void npf_ifmap_flush(npf_t *); u_int npf_ifmap_getid(npf_t *, const ifnet_t *); const char * npf_ifmap_getname(npf_t *, const u_int); -void npf_ifaddr_init(npf_t *); void npf_ifaddr_sync(npf_t *, ifnet_t *); void npf_ifaddr_flush(npf_t *, ifnet_t *); +void npf_ifaddr_syncall(npf_t *); /* Packet filter hooks. */ int npf_pfil_register(bool); Index: src/sys/net/npf/npf_os.c diff -u src/sys/net/npf/npf_os.c:1.4 src/sys/net/npf/npf_os.c:1.5 --- src/sys/net/npf/npf_os.c:1.4 Mon Jan 2 23:02:04 2017 +++ src/sys/net/npf/npf_os.c Tue Jan 3 00:58:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_os.c,v 1.4 2017/01/02 23:02:04 christos Exp $ */ +/* $NetBSD: npf_os.c,v 1.5 2017/01/03 00:58:05 rmind Exp $ */ /*- * Copyright (c) 2009-2016 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.4 2017/01/02 23:02:04 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.5 2017/01/03 00:58:05 rmind Exp $"); #ifdef _KERNEL_OPT #include "pf.h" @@ -153,7 +153,6 @@ npf_init(void) npf = npf_create(0, NULL, &kern_ifops); npf_setkernctx(npf); npf_pfil_register(true); - npf_ifaddr_init(npf); #ifdef _MODULE devmajor_t bmajor = NODEVMAJOR, cmajor = NODEVMAJOR; @@ -445,6 +444,12 @@ npf_pfil_register(bool init) PFIL_ALL, npf_ph_inet6); KASSERT(error == 0); } + + /* + * It is necessary to re-sync all/any interface address tables, + * since we did n
CVS commit: src/sys
Exp $ */
 /*-
 * Copyright (c) 2009-2016 The NetBSD Foundation, Inc.
@@ -42,7 +42,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.25 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.26 2017/01/02 21:49:51 rmind Exp $");
 #include
 #include
@@ -183,6 +183,21 @@ npf_tableset_insert(npf_tableset_t *ts,
 return error;
 }
+npf_table_t *
+npf_tableset_swap(npf_tableset_t *ts, npf_table_t *newt)
+{
+ const u_int tid = newt->t_id;
+ npf_table_t *oldt = ts->ts_map[tid];
+
+ KASSERT(tid < ts->ts_nitems);
+ KASSERT(oldt->t_id == newt->t_id);
+
+ newt->t_refcnt = oldt->t_refcnt;
+ oldt->t_refcnt = 0;
+
+ return atomic_swap_ptr(&ts->ts_map[tid], newt);
+}
+
 /*
 * npf_tableset_getbyname: look for a table in the set given the name.
 */
@@ -354,7 +369,8 @@ npf_table_create(const char *name, u_int
 LIST_INIT(&t->t_list);
 break;
 case NPF_TABLE_HASH:
- t->t_hashl = hashinit(1024, HASH_LIST, true, &t->t_hashmask);
+ size = MIN(size, 128);
+ t->t_hashl = hashinit(size, HASH_LIST, true, &t->t_hashmask);
 if (t->t_hashl == NULL) {
 goto out;
 }
@@ -409,6 +425,12 @@ npf_table_destroy(npf_table_t *t)
 kmem_free(t, sizeof(npf_table_t));
 }
+u_int
+npf_table_getid(npf_table_t *t)
+{
+ return t->t_id;
+}
+
 /*
 * npf_table_check: validate the name, ID and type.
 */
Added files:
Index: src/sys/net/npf/npf_ifaddr.c
diff -u /dev/null src/sys/net/npf/npf_ifaddr.c:1.1
--- /dev/null Mon Jan 2 21:49:51 2017
+++ src/sys/net/npf/npf_ifaddr.c Mon Jan 2 21:49:51 2017
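Review bot: `npf_table_t *oldt = ts->ts_map[tid];` in npf_tableset_swap reads the slot before `KASSERT(tid < ts->ts_nitems);` checks the index, and `oldt->t_id` is then dereferenced with no check that the slot was ever populated; the only caller visible on this page (replace_ifnet_table) does confirm a table exists by name first, but the function should carry that precondition itself, i.e. move the bounds assertion above the read and add `KASSERT(oldt != NULL);`. Separately, `atomic_swap_ptr()` publishes the freshly built table to lookups that run without the config lock, and unless NetBSD's atomic ops imply a release barrier (to my knowledge they do not), a `membar_producer();` before the swap is needed so a CPU that observes the new pointer also observes the table's contents. The refcount hand-over `newt->t_refcnt = oldt->t_refcnt; oldt->t_refcnt = 0;` is non-atomic; presumably `t_refcnt` only changes under the config lock, which a comment should state.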
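Review bot: `size = MIN(size, 128);` in npf_table_create caps the bucket count at 128 while the code it replaces used a fixed 1024, so this is an upper bound rather than the floor the parameter name suggests; if `size` can originate from a configuration submitted over the control interface (not visible here), a large table silently degrades to 128 buckets and a `size` of 0 reaches `hashinit()` unchanged. Either state the intent in a comment above the line or clamp from below as well, for instance `size = MAX(1, MIN(size, 128));`, so that neither a zero nor an oversized request produces a degenerate hash table. The new `size` parameter's meaning is also worth a line in the function's header comment, which is outside the hunk.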
@@ -0,0 +1,179 @@ +/* $NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $ */ + +/*- + * Copyright (c) 2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Mindaugas Rasiukevicius. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * NPF network interface handling module. 
+ */ + +#include +__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $"); + +#include +#include +#include + +#include +#include +#include + +#include "npf_impl.h" + +void +npf_ifaddr_init(npf_t *npf) +{ + ifnet_t *ifp; + + KERNEL_LOCK(1, NULL); + IFNET_LOCK(); + IFNET_WRITER_FOREACH(ifp) { + npf_ifaddr_sync(npf, ifp); + } + IFNET_UNLOCK(); + KERNEL_UNLOCK_ONE(NULL); +} + +static npf_table_t * +lookup_ifnet_table(npf_t *npf, ifnet_t *ifp) +{ + const npf_ifops_t *ifops = npf->ifops; + char tname[NPF_TABLE_MAXNAMELEN]; + npf_tableset_t *ts; + const char *ifname; + npf_table_t *t; + u_int tid; + + /* Get the interface name and prefix it. */ + ifname = ifops->getname(ifp); + snprintf(tname, sizeof(tname), ".ifnet-%s", ifname); + + KERNEL_LOCK(1, NULL); + npf_config_enter(npf); + ts = npf_config_tableset(npf); + + /* + * Check whether this interface is of any interest to us. + */ + t = npf_tableset_getbyname(ts, tname); + if (!t) { + goto out; + } + tid = npf_table_getid(t); + + /* Create a new NPF table for the interface. */ + t = npf_table_create(tname, tid, NPF_TABLE_HASH, NULL, 16); + if (!t) { + goto out; + } + return t; +out: + npf_config_exit(npf); + KERNEL_UNLOCK_ONE(NULL); + return NULL; +} + +static void +replace_ifnet_table(npf_t *npf, npf_table_t *newt) +{ + npf_tableset_t *ts = npf_config_tableset(npf); + npf_table_t *oldt; + + KERNEL_UNLOCK_ONE(NULL); + + /* + * Finally, swap the tables and issue a sync barrier. + */ + oldt = npf_tableset_swap(ts, newt); + npf_config_sync(npf); + npf_config_exit(npf); + + /* At this point, it is safe to destroy the old tabl
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Thu Dec 29 20:48:50 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c npfctl.c Log Message: Improve 'npfctl debug' a little bit. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npf_show.c cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.21 src/usr.sbin/npf/npfctl/npf_show.c:1.22 --- src/usr.sbin/npf/npfctl/npf_show.c:1.21 Tue Dec 27 20:14:35 2016 +++ src/usr.sbin/npf/npfctl/npf_show.c Thu Dec 29 20:48:50 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $ */ +/* $NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $"); #include #define __FAVOR_BSD @@ -506,8 +506,8 @@ npfctl_config_show(int fd) loaded ? "loaded" : "empty"); print_linesep(ctx); } else { - npfctl_config_send(0, NULL); ncf = npfctl_config_ref(); + (void)npf_config_build(ncf); loaded = true; } ctx->conf = ncf; Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.51 src/usr.sbin/npf/npfctl/npfctl.c:1.52 --- src/usr.sbin/npf/npfctl/npfctl.c:1.51 Tue Dec 27 20:24:32 2016 +++ src/usr.sbin/npf/npfctl/npfctl.c Thu Dec 29 20:48:50 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $ */ +/* $NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 
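Review bot: `(void)npf_config_build(ncf);` in npfctl_config_show discards the build result and the next line sets `loaded = true;` unconditionally, so `npfctl debug` (and presumably `valid`, which appears to reach the same offline path via `npfctl_config_show(0)`) will print a configuration whose build failed as if it were good, which undermines the point of a validate command. If a non-zero return signals failure, as the discarded value suggests, check it, e.g. `if (npf_config_build(ncf) != 0) errx(EXIT_FAILURE, "npf_config_build failed");`, or propagate it through the function's return value. The rest of npfctl_config_show is outside the hunk.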
@@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $"); #include #include @@ -70,6 +70,7 @@ enum { NPFCTL_STATS, NPFCTL_SAVE, NPFCTL_LOAD, + NPFCTL_DEBUG, NPFCTL_CONN_LIST, }; @@ -83,7 +84,6 @@ static const struct operations_s { { "reload", NPFCTL_RELOAD }, { "show", NPFCTL_SHOWCONF, }, { "flush", NPFCTL_FLUSH }, - { "valid", NPFCTL_VALIDATE }, /* Table */ { "table", NPFCTL_TABLE }, /* Rule */ @@ -94,6 +94,9 @@ static const struct operations_s { { "save", NPFCTL_SAVE }, { "load", NPFCTL_LOAD }, { "list", NPFCTL_CONN_LIST }, + /* Misc. */ + { "valid", NPFCTL_VALIDATE }, + { "debug", NPFCTL_DEBUG }, /* --- */ { NULL, 0 } }; @@ -247,14 +250,12 @@ npfctl_print_addrmask(int alen, const ch switch (alen) { case 4: { struct sockaddr_in *sin = (void *)&ss; - sin->sin_len = sizeof(*sin); sin->sin_family = AF_INET; memcpy(&sin->sin_addr, addr, sizeof(sin->sin_addr)); break; } case 16: { struct sockaddr_in6 *sin6 = (void *)&ss; - sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = AF_INET6; memcpy(&sin6->sin6_addr, addr, sizeof(sin6->sin6_addr)); break; @@ -593,7 +594,7 @@ struct npf_conn_filter { }; static int -npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p, +npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p, const char *ifname, void *v) { struct npf_conn_filter *fil = v; 
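Review bot: Dropping `sin->sin_len` and `sin6->sin6_len` in npfctl_print_addrmask is not mentioned in the log message and is unrelated to the 'debug' command; if the filled-in `ss` is later passed to a BSD API that reads `sa_len`, the field now holds whatever `ss` contained before the switch, and this hunk does not show `ss` being zeroed. If the intent is portability to systems without `sin_len`, keeping the assignment under a feature-test macro, or a comment stating that the consumer ignores `sa_len`, would preserve the invariant on NetBSD. npfctl_print_addrmask begins and ends outside the hunk.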
@@ -674,21 +675,19 @@ npfctl_conn_list(int fd, int argc, char if (header) fprintf(f.fp, "%*.*s %*.*s\n", w, w, "From address:port ", w, w, "To address:port "); - + npf_conn_list(fd, npfctl_conn_print, &f); return 0; } -static void -npfctl(int action, int argc, char **argv) +static int +npfctl_open_dev(const char *path) { - int fd, ver, boolval, ret = 0; - nl_config_t *ncf; - const char *fun = ""; + int fd, ver; - fd = open(NPF_DEV_PATH, O_RDONLY); + fd = open(path, O_RDONLY); if (fd == -1) { - err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH); + err(EXIT_FAILURE, "cannot open '%s'", path); } if (ioctl(fd, IOC_NPF_VERSION, &ver) == -1) { err(EXIT_FAILURE, "ioctl(IOC_NPF_VERSION)"); @@ -698,6 +697,24 @@ npfctl(int action, int argc, char **argv "incompatible NPF interface version (%d, kernel %d)\n" "Hint: update userland?", NPF_VERSION, ver); } + return fd; +} + +static void +npfctl(int action, int argc, char **argv) +{ + int fd, boolval, ret = 0; + const char *fun = ""; + nl_config_t *ncf; + + switch (action) { + case NPFCTL_VALIDATE: + case NPFCTL_DEBUG: + fd = 0; + break; + default: + fd = npfctl_open_dev(NPF_DEV_PATH); + } switch (action) { case NPFCTL_START: @@ -725,12 +742,6 @@ npfctl(int action, int argc, char **argv ret = npf_config_flush(fd); fun = "npf_config_flush"; break; - case NPFCTL_VALIDATE: - npfctl_config_init(false); - npfctl_parse_file(argc < 3 ? NPF_CONF_PATH : argv[2]); - ret = npfctl_config_show(0); - fun = "npfctl_config_show"; -
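Review bot: In the new dispatch at the top of npfctl(), `fd = 0;` for NPFCTL_VALIDATE and NPFCTL_DEBUG reuses a live descriptor (stdin) as the 'no device' marker, so any branch further down that hands `fd` to ioctl(2) or libnpf, or a close(fd) at the end of the function (outside this hunk), would silently act on stdin instead of failing. Prefer `fd = -1;` so a stray use fails with EBADF, and guard any close with `if (fd != -1)`. npfctl() continues past the hunk, and the trailing hunk on this line is cut off on this page.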
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Tue Dec 27 22:35:33 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_bpf_comp.c npf_build.c npf_data.c npf_parse.y npf_scan.l npfctl.h Log Message: npf.conf: add support for logical NOT, e.g.: pass from ! 10.0.0.1 to any To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.26 -r1.27 src/usr.sbin/npf/npfctl/npf_data.c cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.44 src/usr.sbin/npf/npfctl/npf.conf.5:1.45 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.44 Sun Feb 1 22:57:21 2015 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Dec 27 22:35:33 2016 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.44 2015/02/01 22:57:21 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $ .\" .\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 1, 2015 +.Dd December 28, 2016 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -295,7 +295,8 @@ proto-opts = "flags" tcp-flags [ "/" tcp addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] -filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] +filt-addr = [ "!" ] [ interface | var-name | + addr-mask | table-id | "any" ] filt-port = "port" ( port-num | port-from "-" port-to | var-name ) .Ed .\" - Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.9 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.10 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.9 Mon Dec 26 23:05:05 2016 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Tue Dec 27 22:35:33 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf_comp.c,v 1.9 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.9 2016/12/26 23:05:05 christos Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $"); #include #include @@ -244,18 +244,29 @@ npfctl_bpf_group(npf_bpf_t *ctx) } void -npfctl_bpf_endgroup(npf_bpf_t *ctx) +npfctl_bpf_endgroup(npf_bpf_t *ctx, bool invert) { struct bpf_program *bp = &ctx->prog; const size_t curoff = bp->bf_len; /* If there are no blocks or only one - nothing to do. */ - if ((ctx->nblocks - ctx->gblock) <= 1) { + if (!invert && (ctx->nblocks - ctx->gblock) <= 1) { ctx->goff = ctx->gblock = 0; return; } /* + * If inverting, then prepend a jump over the statement below. + * If matching, jump will jump below and the fail will happen. + */ + if (invert) { + struct bpf_insn insns_ret[] = { + BPF_STMT(BPF_JMP+BPF_JA, 1), + }; + add_insns(ctx, insns_ret, __arraycount(insns_ret)); + } + + /* * Append a failure return as a fall-through i.e. if there is * no match within the group. */ 
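Review bot: With `invert` set, the success jumps of the group's blocks must now land on the failure return rather than past it (otherwise a matching block would still skip the RET and pass), yet this hunk only inserts the `BPF_JA 1`; the retargeting has to happen in the jump fix-up later in npfctl_bpf_endgroup, which is not visible here, so a comment on the `if (invert)` block stating the layout — blocks jump to the RET (fail), a non-match falls through to the JA and skips it (pass) — would record the invariant. The existing comment `/* If there are no blocks or only one - nothing to do. */` is now wrong for the inverted case; `/* If there are no blocks or only one - nothing to do, unless inverting: the jump/fail pair is still needed. */` matches the new condition. The literal offset `1` depends on exactly one instruction being appended next; an assert on the instruction count after the failure return, or a named constant, would make that coupling explicit. npfctl_bpf_endgroup continues beyond the hunk.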
@@ -309,7 +320,7 @@ fetch_l3(npf_bpf_t *ctx, sa_family_t af, */ if (ingroup) { assert(ctx->nblocks == ctx->gblock); - npfctl_bpf_endgroup(ctx); + npfctl_bpf_endgroup(ctx, false); } /* Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.41 src/usr.sbin/npf/npfctl/npf_build.c:1.42 --- src/usr.sbin/npf/npfctl/npf_build.c:1.41 Mon Dec 26 23:05:05 2016 +++ src/usr.sbin/npf/npfctl/npf_build.c Tue Dec 27 22:35:33 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.41 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.41 2016/12/26 23:05:05 christos Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $"); #include #include @@ -268,7 +268,7 @@ npfctl_build_vars(npf_bpf_t *ctx, sa_fam assert(false); } } - npfctl_bpf_endgroup(ctx); + npfctl_bpf_endgroup(ctx, (opts & MATCH_INVERT) != 0); } static void @@ -321,6 +321,7 @@ npfctl_build_code(nl_rule_t *rl, sa_fami const addr_port_t *apto = &fopts->fo_to; const int proto = op->op_proto; npf_bpf_t *bc; + unsigned opts; size_t len; /* If none specified, then no byte-code. */ @@ -365,8 +366,10 @@ npfctl_build_code(nl_rule_t *rl, sa_fami } /* Build IP address
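Review bot: `unsigned opts;` added to npfctl_build_code is a bit-mask that npfctl_build_vars reads as `opts & MATCH_INVERT`, but it is declared without an initialiser and the assignments that populate it are in the hunk at line 365, which is cut off on this page, so I cannot confirm every path sets it before the call. `unsigned opts = 0;` at the declaration is free and keeps -Wmaybe-uninitialized quiet if a path is missed later. Both npfctl_build_code and npfctl_build_vars extend beyond their hunks.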
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: rmind Date: Tue Dec 27 22:20:00 UTC 2016 Added Files: src/usr.sbin/npf/npfd: Makefile npfd.c npfd.h npfd_log.c Log Message: Add some very preliminary npfd(8) code. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npfd/Makefile \ src/usr.sbin/npf/npfd/npfd.c src/usr.sbin/npf/npfd/npfd.h \ src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/usr.sbin/npf/npfd/Makefile diff -u /dev/null src/usr.sbin/npf/npfd/Makefile:1.1 --- /dev/null Tue Dec 27 22:20:00 2016 +++ src/usr.sbin/npf/npfd/Makefile Tue Dec 27 22:20:00 2016 @@ -0,0 +1,17 @@ +# $NetBSD: Makefile,v 1.1 2016/12/27 22:20:00 rmind Exp $ +# +# Public Domain +# + +PROG= npfd + +SRCS= npfd.c +CPPFLAGS+= -I${.CURDIR} + +LDADD+= -lnpf -lpcap +DPADD+= ${LIBNPF} ${LIBPCAP} + +WARNS= 5 +NOLINT= # disabled deliberately + +.include Index: src/usr.sbin/npf/npfd/npfd.c diff -u /dev/null src/usr.sbin/npf/npfd/npfd.c:1.1 --- /dev/null Tue Dec 27 22:20:00 2016 +++ src/usr.sbin/npf/npfd/npfd.c Tue Dec 27 22:20:00 2016 
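Review bot: `SRCS= npfd.c` omits `npfd_log.c`, which this commit adds alongside it, while npfd.c calls `npfd_log_create()`; unless that symbol is provided by npfd.h or one of the libraries in LDADD, linking fails — `SRCS= npfd.c npfd_log.c`.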
@@ -0,0 +1,127 @@ +/* $NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Mindaugas Rasiukevicius. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +__RCSID("$NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $"); + +#include +#include +#include +#include + +#include "npfd.h" + +static volatile sig_atomic_t hup = false; + +int +npfd_getctl(void) +{ + int fd; + + fd = open(NPF_DEV_PATH, O_RDONLY); + if (fd == -1) { + err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH); + } + if (ioctl(fd, IOC_NPF_VERSION, &ver) == -1) { + err(EXIT_FAILURE, "ioctl(IOC_NPF_VERSION)"); + } + if (ver != NPF_VERSION) { + errx(EXIT_FAILURE, + "incompatible NPF interface version (%d, kernel %d)\n" + "Hint: update userland?", NPF_VERSION, ver); + } + return fd; +} + +static void +npfd_event_loop(void) +{ + int fds[8], fd, nfds = 0, maxfd = 0; + fd_set rfds; + + FD_ZERO(&rfds); + + fd = npfd_log_create(0) + fds[nfds++] = fd; + FD_SET(fd, &rfds); + + for (int i = 0; i < nfds; i++) { + maxfd = MAX(maxfd, fds[i] + 1); + } + + while (!done) { + if ((ret = select(maxfd, &rfds, NULL, NULL, NULL)) == -1) { + syslog(LOG_ERR, "select failed: %m"); + err(EXIT_FAILURE, "select"); + } + if (hup) { + hup = false; + } + + for (fd = 0; fd < maxfd; fd++) { + // TODO + } + } +} + +static void +sighup_handler(int sig) +{ + hup = true; +} + +int +main(int argc, char **argv) +{ + bool daemon_off = false; + int ch; + + while ((ch = getopt(argc, argv, "d")) != -1) { + switch (ch) { + case 'd': + daemon_off = true; + break; + default: + errx(EXIT_FAILURE, "usage:\n\t%s [ -d ]", argv[0]); + } + } + + openlog(argv[0], LOG_PID | LOG_NDELAY | LOG_CONS, LOG_DAEMON); + if (!daemon_off && daemon(0, 0) == -1) { + syslog(LOG_ERR, "daemon failed: %m"); + err(EXIT_FAILURE, "daemon"); + } + signal(SIGHUP, sighup_handler); + npfd_event_loop(); + closelog(); + + return 0; +} Index: src/usr.sbin/npf/npfd/npfd.h diff -u /dev/null src/usr.sbin/npf/npfd/npfd.h:1.1 --- /dev/null Tue Dec 27 22:20:00 2016 +++ src/usr.sbin/npf/npfd/npfd.h Tue Dec 27 22:20:00 2016 @@ -0,0 +1,49 @@ +/* $NetBSD: npfd.h,v 1.1 2016/12/27 22:20:00 rmind Exp $ */
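Review bot: The select() loop in npfd_event_loop cannot handle the SIGHUP it installs a handler for: the handler only sets `hup`, and depending on whether the platform restarts select(2) after a handler runs, the interrupted call either returns -1/EINTR — which the loop treats as fatal via err(3) — or is restarted so `hup` is not examined until an unrelated descriptor becomes ready. The loop also never re-arms `rfds`, which select() overwrites, so after the first wake-up the set is whatever the kernel left in it. Rebuilding the set each iteration and treating EINTR as a wake-up (below; needs `<errno.h>`) fixes both, and installing the handler with sigaction(2) without SA_RESTART makes the behaviour platform-independent. As committed the file does not compile — `ver` in npfd_getctl, `done` and `ret` in the loop are undeclared and `npfd_log_create(0)` lacks its `;` — consistent with the log's 'very preliminary', but worth flagging before the Makefile picks it up.
```c
static volatile sig_atomic_t hup = false;
static volatile sig_atomic_t done = false;

/* … unchanged: npfd_getctl (needs `int ver;`) … */

static void
npfd_event_loop(void)
{
	int fds[8], fd, nfds = 0, maxfd = 0, ret;
	fd_set rfds;

	fd = npfd_log_create(0);
	fds[nfds++] = fd;
	for (int i = 0; i < nfds; i++) {
		maxfd = MAX(maxfd, fds[i] + 1);
	}

	while (!done) {
		/* select() modifies the set: rebuild it on every iteration. */
		FD_ZERO(&rfds);
		for (int i = 0; i < nfds; i++) {
			FD_SET(fds[i], &rfds);
		}
		ret = select(maxfd, &rfds, NULL, NULL, NULL);
		if (hup) {
			hup = false;
			/* TODO: reload */
		}
		if (ret == -1) {
			if (errno == EINTR) {
				continue;	/* interrupted by a signal, not an error */
			}
			syslog(LOG_ERR, "select failed: %m");
			err(EXIT_FAILURE, "select");
		}
		/* … unchanged: per-descriptor dispatch (TODO) … */
	}
}
```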
CVS commit: src/lib/libnpf
Module Name:src Committed By: rmind Date: Tue Dec 27 20:32:58 UTC 2016 Modified Files: src/lib/libnpf: npf.c npf.h Log Message: KNF To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/lib/libnpf/npf.c cvs rdiff -u -r1.32 -r1.33 src/lib/libnpf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.41 src/lib/libnpf/npf.c:1.42 --- src/lib/libnpf/npf.c:1.41 Tue Dec 27 20:14:07 2016 +++ src/lib/libnpf/npf.c Tue Dec 27 20:32:58 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.c,v 1.41 2016/12/27 20:14:07 christos Exp $ */ +/* $NetBSD: npf.c,v 1.42 2016/12/27 20:32:58 rmind Exp $ */ /*- * Copyright (c) 2010-2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.41 2016/12/27 20:14:07 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.42 2016/12/27 20:32:58 rmind Exp $"); #include #include 
@@ -1427,18 +1427,18 @@ npf_conn_list(int fd, npf_conn_func_t fu if (ncf == NULL) { return errno; } - -/* Connection list - array */ -if (prop_object_type(ncf->ncf_conn_list) != PROP_TYPE_ARRAY) { -return EINVAL; -} - -prop_object_iterator_t it = prop_array_iterator(ncf->ncf_conn_list); -prop_dictionary_t condict; -while ((condict = prop_object_iterator_next(it)) != NULL) { -if (prop_object_type(condict) != PROP_TYPE_DICTIONARY) { + + /* Connection list - array */ + if (prop_object_type(ncf->ncf_conn_list) != PROP_TYPE_ARRAY) { + return EINVAL; + } + + prop_object_iterator_t it = prop_array_iterator(ncf->ncf_conn_list); + prop_dictionary_t condict; + while ((condict = prop_object_iterator_next(it)) != NULL) { + if (prop_object_type(condict) != PROP_TYPE_DICTIONARY) { return EINVAL; -} + } npf_conn_handle(condict, fun, v); } return 0; Index: src/lib/libnpf/npf.h diff -u src/lib/libnpf/npf.h:1.32 src/lib/libnpf/npf.h:1.33 --- src/lib/libnpf/npf.h:1.32 Tue Dec 27 20:14:07 2016 +++ src/lib/libnpf/npf.h Tue Dec 27 20:32:58 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.32 2016/12/27 20:14:07 christos Exp $ */ +/* $NetBSD: npf.h,v 1.33 2016/12/27 20:32:58 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -150,10 +150,9 @@ void _npf_debug_addif(nl_config_t *, co int _npf_alg_load(nl_config_t *, const char *); int _npf_alg_unload(nl_config_t *, const char *); -/* utils */ -typedef int (*npf_conn_func_t)(unsigned, const npf_addr_t *, const in_port_t *, -const char *, void *); -int npf_conn_list(int, npf_conn_func_t, void *); +typedef int (*npf_conn_func_t)(unsigned, const npf_addr_t *, +const in_port_t *, const char *, void *); +int npf_conn_list(int, npf_conn_func_t, void *); #endif
CVS commit: src/lib/libnpf
Module Name:src Committed By: rmind Date: Tue Dec 27 17:58:56 UTC 2016 Modified Files: src/lib/libnpf: libnpf.3 Log Message: Update libnpf(3) man page. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/lib/libnpf/libnpf.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/libnpf.3 diff -u src/lib/libnpf/libnpf.3:1.2 src/lib/libnpf/libnpf.3:1.3 --- src/lib/libnpf/libnpf.3:1.2 Sun Aug 3 00:02:56 2014 +++ src/lib/libnpf/libnpf.3 Tue Dec 27 17:58:56 2016 @@ -1,6 +1,6 @@ -.\" $NetBSD: libnpf.3,v 1.2 2014/08/03 00:02:56 rmind Exp $ +.\" $NetBSD: libnpf.3,v 1.3 2016/12/27 17:58:56 rmind Exp $ .\" -.\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc. +.\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 2, 2014 +.Dd April 19, 2015 .Dt LIBNPF 3 .Os .Sh NAME @@ -41,11 +41,19 @@ .Ft nl_config_t * .Fn npf_config_create "void" .Ft int -.Fn npf_config_submit "nl_config_t *ncf" "int fd" -.Ft void -.Fn npf_config_destroy "nl_config_t *ncf" +.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo" +.Ft nl_config_t * +.Fn npf_config_retrieve "int fd" "bool *active" "bool *loaded" .Ft int .Fn npf_config_flush "int fd" +.Ft void +.Fn npf_config_export "const nl_config_t *ncf" "size_t *len" +.Ft nl_config_t * +.Fn npf_config_import "const void *blob" "size_t len" +.Ft bool +.Fn npf_config_active_p "nl_config_t *ncf" +.Ft void +.Fn npf_config_destroy "nl_config_t *ncf" .\" --- .Ft nl_rule_t * .Fn npf_rule_create "char *name" "uint32_t attr" "const char *ifname" 
@@ -53,14 +61,18 @@ .Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len" .Ft int .Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len" +.Ft int +.Fn npf_rule_setinfo "nl_rule_t *rl" "const void *info" "size_t len" .Ft bool .Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name" .Ft int -.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl" -.Ft int -.Fn npf_rule_setprio "nl_rule_t *rl" "pri_t pri" +.Fn npf_rule_setprio "nl_rule_t *rl" "int pri" .Ft int .Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name" +.Ft int +.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl" +.Ft void * +.Fn npf_rule_export "nl_rule_t *rl" "size_t *length" .Ft void .Fn npf_rule_destroy "nl_rule_t *rl" .\" --- 
@@ -99,15 +111,32 @@ The configuration can be submitted to th .Bl -tag -width 4n .It Fn npf_config_create Create a configuration. -.It Fn npf_config_submit "ncf" "fd" +.It Fn npf_config_submit "ncf" "fd" "errinfo" Submit configuration .Fa ncf to the kernel. +On error, the the description is written into the structure specified by +.Fa errinfo . +.It Fn npf_config_export "fd" "len" +Serialize the given configuration and return binary object and its +length in +.Fa len +parameter. +The binary object is dynamically allocated and should be destroyed using +.Xr free 3 . +.It Fn npf_config_import "blob" "len" +Read the configuration from a binary object of the specified length, +unserialize, construct and return the configuration object. +.It Fn npf_config_flush "fd" +Flush the current configuration. +.It Fn npf_config_retrieve "fd" "active" "loaded" +Retrieve and return the loaded configuration from the kernel. +.It Fn npf_config_active_p "ncf" +Indicate whether the retrievied configuration is active (true if yes +and false otherwise). .It Fn npf_config_destroy "ncf" Destroy the configuration .Fa ncf . -.It Fn npf_config_flush "fd" -Flush the current configuration. .El .\" --- .Ss Rule interface 
@@ -124,20 +153,32 @@ The following attributes, which can be O Decision of this rule is "pass". If this attribute is not specified, then packet "block" (drop) is the default. +.It Dv NPF_RULE_IN +Match incoming packets. +.It Dv NPF_RULE_OUT +Match outgoing packets. .It Dv NPF_RULE_FINAL Indicates that on rule match, further processing of the ruleset should be stopped and this rule applied instantly. .It Dv NPF_RULE_STATEFUL Create a state (session) on match, track the connection and therefore pass the backwards stream without inspection. +The state is uniquely identified by a 5-tuple (source and destination +IP addresses, port numbers and an interface identifier). +.It Dv NPF_RULE_MULTIENDS +Exclude the interface from the state identifier. .It Dv NPF_RULE_RETRST Return TCP RST packet in a case of packet block. .It Dv NPF_RULE_RETICMP Return ICMP destination unreachable in a case of packet block. -.It Dv NPF_RULE_IN -Rule may match only if incoming packet. -.It Dv NPF_RULE_OUT -Rule may match only if outgoing packet. +.It Dv NPF_RULE_GROUP
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Dec 26 23:59:48 UTC 2016 Modified Files: src/sys/net/npf: npf_os.c Log Message: Convert NPF to the latest pfil(9) changes. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_os.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_os.c diff -u src/sys/net/npf/npf_os.c:1.1 src/sys/net/npf/npf_os.c:1.2 --- src/sys/net/npf/npf_os.c:1.1 Mon Dec 26 23:05:06 2016 +++ src/sys/net/npf/npf_os.c Mon Dec 26 23:59:47 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_os.c,v 1.1 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_os.c,v 1.2 2016/12/26 23:59:47 rmind Exp $ */ /*- * Copyright (c) 2009-2016 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.1 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.2 2016/12/26 23:59:47 rmind Exp $"); #ifdef _KERNEL_OPT #include "pf.h" @@ -345,23 +345,20 @@ npfkern_packet_handler(void *arg, struct /* * npf_ifhook: hook handling interface changes. */ -static int -npf_ifhook(void *arg, struct mbuf **mp, ifnet_t *ifp, int di) +static void +npf_ifhook(void *arg, unsigned long cmd, void *arg2) { npf_t *npf = npf_getkernctx(); - u_long cmd = (u_long)mp; + ifnet_t *ifp = arg2; - if (di == PFIL_IFNET) { - switch (cmd) { - case PFIL_IFNET_ATTACH: - npf_ifmap_attach(npf, ifp); - break; - case PFIL_IFNET_DETACH: - npf_ifmap_detach(npf, ifp); - break; - } + switch (cmd) { + case PFIL_IFNET_ATTACH: + npf_ifmap_attach(npf, ifp); + break; + case PFIL_IFNET_DETACH: + npf_ifmap_detach(npf, ifp); + break; } - return 0; } /* @@ -383,8 +380,7 @@ npf_pfil_register(bool init) error = ENOENT; goto out; } - error = pfil_add_hook(npf_ifhook, NULL, - PFIL_IFADDR | PFIL_IFNET, npf_ph_if); + error = pfil_add_ihook(npf_ifhook, NULL, PFIL_IFNET, npf_ph_if); KASSERT(error == 0); } if (init) { 
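Review bot: The rewritten `switch (cmd)` in npf_ifhook has no `default:` label; add `default: break;` so that any other command pfil(9) delivers through the ihook is visibly ignored rather than silently falling out of the switch, and so the intent survives if `cmd` ever becomes an enum. The registration hunk below also stops subscribing to PFIL_IFADDR, which the old hook never acted on (it only handled `di == PFIL_IFNET`), so behaviour is preserved — a one-line comment at the `pfil_add_ihook` call noting that address events are deliberately not requested would keep a future reader from re-adding them. `arg` is now unused in npf_ifhook; `(void)arg;` if the build's warning level flags it.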
@@ -436,8 +432,7 @@ npf_pfil_unregister(bool fini) KERNEL_LOCK(1, NULL); if (fini && npf_ph_if) { - (void)pfil_remove_hook(npf_ifhook, NULL, - PFIL_IFADDR | PFIL_IFNET, npf_ph_if); + (void)pfil_remove_ihook(npf_ifhook, NULL, PFIL_IFNET, npf_ph_if); } if (npf_ph_inet) { (void)pfil_remove_hook(npfkern_packet_handler, npf,
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Dec 26 23:39:18 UTC 2016 Modified Files: src/sys/net/npf: npf.h Log Message: Bump NPF_VERSION to 19. To generate a diff of this commit: cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.52 src/sys/net/npf/npf.h:1.53
--- src/sys/net/npf/npf.h:1.52 Mon Dec 26 23:05:06 2016
+++ src/sys/net/npf/npf.h Mon Dec 26 23:39:18 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.52 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf.h,v 1.53 2016/12/26 23:39:18 rmind Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
 #include
 #include
-#define NPF_VERSION 18
+#define NPF_VERSION 19
 #if defined(_NPF_STANDALONE)
 #include "npf_stand.h"
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Dec 26 23:10:46 UTC 2016 Modified Files: src/sys/net/npf: npf_state_tcp.c Log Message: npf_tcp_fsm: fix for the NPF_TCPS_SYN_RECEIVED state. SYN re-transmission after SYN-ACK was seen by NPF should not terminate the connection. Thanks to: Alexander Kiselev To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_state_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/npf/npf_state_tcp.c
diff -u src/sys/net/npf/npf_state_tcp.c:1.17 src/sys/net/npf/npf_state_tcp.c:1.18
--- src/sys/net/npf/npf_state_tcp.c:1.17 Mon Dec 26 23:05:06 2016
+++ src/sys/net/npf/npf_state_tcp.c Mon Dec 26 23:10:46 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_state_tcp.c,v 1.17 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_state_tcp.c,v 1.18 2016/12/26 23:10:46 rmind Exp $ */
 /*-
 * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 #ifdef _KERNEL
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.17 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.18 2016/12/26 23:10:46 rmind Exp $");
 #include
 #include
@@ -192,6 +192,8 @@ static const uint8_t npf_tcp_fsm[NPF_TCP
 [TCPFC_ACK] = NPF_TCPS_ESTABLISHED,
 /* FIN may be sent early. */
 [TCPFC_FIN] = NPF_TCPS_FIN_SENT,
+ /* Late SYN re-transmission. */
+ [TCPFC_SYN] = NPF_TCPS_OK,
 },
 [NPF_FLOW_BACK] = {
 /* SYN-ACK may be retransmitted. */
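Review bot: The new `[TCPFC_SYN] = NPF_TCPS_OK` entry keeps a half-open SYN_RECEIVED state alive for any forward-direction SYN that matches the connection key, so it relies on the sequence-window validation performed elsewhere in npf_state_tcp.c (outside this hunk) still running for these packets; if that check is bypassed for the SYN_RECEIVED → OK transition, an unsolicited SYN carrying the same 5-tuple would refresh the state's timeout. Worth confirming, and worth saying in the comment, e.g. `/* Late SYN re-transmission (SYN-ACK lost): stay in SYN_RECEIVED; the ISN must still match. */` — assuming NPF_TCPS_OK means 'keep the current state', as its use here suggests.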
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Dec 26 21:16:06 UTC 2016 Modified Files: src/sys/net/npf: lpm.c Log Message: Fix kmem_free() in hashmap_remove(). To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/lpm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.2 src/sys/net/npf/lpm.c:1.3
--- src/sys/net/npf/lpm.c:1.2 Mon Dec 26 12:44:10 2016
+++ src/sys/net/npf/lpm.c Mon Dec 26 21:16:06 2016
@@ -31,7 +31,7 @@
 #if defined(_KERNEL)
 #include
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.2 2016/12/26 12:44:10 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.3 2016/12/26 21:16:06 rmind Exp $");
 #include
 #include
@@ -245,7 +245,7 @@ hashmap_remove(lpm_hmap_t *hmap, const v
 } else {
 hmap->bucket[i] = entry->next;
 }
- free(entry, M_TEMP);
+ kmem_free(entry, offsetof(lpm_ent_t, key[len]));
 return 0;
 }
 prev = entry;
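Review bot: `kmem_free(entry, offsetof(lpm_ent_t, key[len]))` is only correct if `len` here equals the key length the entry was allocated with and the allocation site in hashmap_insert uses the identical expression; kmem_free(9) with a mismatched size corrupts the allocator, so a shared `static inline size_t lpm_ent_size(size_t len)` used by both sites would keep them from drifting apart (this commit and the previous one both fix exactly such a drift). `offsetof()` with a non-constant array index is a compiler extension rather than ISO C — fine for GCC/Clang, but since lpm.c also builds outside the kernel, `offsetof(lpm_ent_t, key) + len` says the same thing portably. hashmap_remove begins outside the hunk.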
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Dec 26 12:44:10 UTC 2016 Modified Files: src/sys/net/npf: lpm.c Log Message: Fix kmem_free() sizes in hashmap_rehash() and lpm_clear(). To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/lpm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.1 src/sys/net/npf/lpm.c:1.2
--- src/sys/net/npf/lpm.c:1.1 Fri Dec 9 02:40:38 2016
+++ src/sys/net/npf/lpm.c Mon Dec 26 12:44:10 2016
@@ -31,7 +31,7 @@
 #if defined(_KERNEL)
 #include
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1 2016/12/09 02:40:38 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.2 2016/12/26 12:44:10 rmind Exp $");
 #include
 #include
@@ -117,7 +117,7 @@ lpm_clear(lpm_t *lpm, lpm_dtor_t dtor, v
 entry = next;
 }
 }
- kmem_free(hmap->bucket, hmap->hashsize);
+ kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *));
 hmap->bucket = NULL;
 hmap->hashsize = 0;
 hmap->nitems = 0;
@@ -158,7 +158,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_
 for (hashsize = 1; hashsize < size; hashsize <<= 1) {
 continue;
 }
- bucket = kmem_zalloc(hashsize * sizeof(*bucket), KM_SLEEP);
+ bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), KM_SLEEP);
 if (bucket == NULL)
 return false;
 for (unsigned n = 0; n < hmap->hashsize; n++) {
@@ -175,7 +175,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_
 }
 }
 if (hmap->bucket)
- kmem_free(hmap->bucket, hmap->hashsize);
+ kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *));
 hmap->bucket = bucket;
 hmap->hashsize = hashsize;
 return true;
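Review bot: The same `hashsize * sizeof(lpm_ent_t *)` expression is now spelled out at three sites across lpm_clear and hashmap_rehash, which is exactly how the original size mismatch crept in; a single `#define LPM_BUCKET_BYTES(n) ((size_t)(n) * sizeof(lpm_ent_t *))` (or a static inline) used for the kmem_zalloc and both kmem_free calls keeps allocation and free in lockstep. Replacing `sizeof(*bucket)` with `sizeof(lpm_ent_t *)` in hashmap_rehash also loosens the tie between the size and the variable's actual type; the helper removes that question too. `if (bucket == NULL) return false;` after a KM_SLEEP allocation is dead code in the kernel but may matter for the non-kernel build — a comment saying which would help. Both functions extend beyond their hunks.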
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Thu Dec 8 23:07:12 UTC 2016 Modified Files: src/sys/net/npf: npf.h npf_conn.c npf_handler.c npf_mbuf.c Log Message: NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus pass-through them on other interfaces. Per discussion with christos@. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf.h cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_conn.c \ src/sys/net/npf/npf_mbuf.c cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_handler.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.48 --- src/sys/net/npf/npf.h:1.47 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf.h Thu Dec 8 23:07:11 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.48 2016/12/08 23:07:11 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -116,8 +116,8 @@ void * nbuf_ensure_contig(nbuf_t *, siz void * nbuf_ensure_writable(nbuf_t *, size_t); bool nbuf_cksum_barrier(nbuf_t *, int); -int nbuf_add_tag(nbuf_t *, uint32_t, uint32_t); -int nbuf_find_tag(nbuf_t *, uint32_t, void **); +int nbuf_add_tag(nbuf_t *, uint32_t); +int nbuf_find_tag(nbuf_t *, uint32_t *); /* * Packet information cache. @@ -259,8 +259,8 @@ bool npf_autounload_p(void); #define NPF_LAYER_2 2 #define NPF_LAYER_3 3 -/* XXX mbuf.h: just for now. */ -#define PACKET_TAG_NPF 10 +/* Packet tags. */ +#define NPF_NTAG_PASS 0x0001 /* * Rule commands (non-ioctl). Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.16 src/sys/net/npf/npf_conn.c:1.17 --- src/sys/net/npf/npf_conn.c:1.16 Thu Feb 5 22:04:03 2015 +++ src/sys/net/npf/npf_conn.c Thu Dec 8 23:07:11 2016 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $ */ /*- * Copyright (c) 2014-2015 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $"); #include #include @@ -432,11 +432,21 @@ npf_conn_inspect(npf_cache_t *npc, const ok = npf_state_inspect(npc, &con->c_state, forw); mutex_exit(&con->c_lock); + /* If invalid state: let the rules deal with it. */ if (__predict_false(!ok)) { - /* Invalid: let the rules deal with it. */ npf_conn_release(con); npf_stats_inc(NPF_STAT_INVALID_STATE); - con = NULL; + return NULL; + } + + /* + * If this is multi-end state, then specially tag the packet + * so it will be just passed-through on other interfaces. + */ + if (con->c_ifid == 0 && nbuf_add_tag(nbuf, NPF_NTAG_PASS) != 0) { + npf_conn_release(con); + *error = ENOMEM; + return NULL; } return con; } Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.16 src/sys/net/npf/npf_mbuf.c:1.17 --- src/sys/net/npf/npf_mbuf.c:1.16 Fri Mar 18 10:09:46 2016 +++ src/sys/net/npf/npf_mbuf.c Thu Dec 8 23:07:11 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $ */ +/* $NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $"); #include #include @@ -274,7 +274,7 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di) * => Returns 0 on success or errno on failure. */ int -nbuf_add_tag(nbuf_t *nbuf, uint32_t key, uint32_t val) +nbuf_add_tag(nbuf_t *nbuf, uint32_t val) { struct mbuf *m = nbuf->nb_mbuf0; struct m_tag *mt; 
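Review bot: The new tagging in npf_conn_inspect runs for every packet of a multi-end connection (`con->c_ifid == 0`), so an mbuf that is inspected more than once — or that already carries the tag from an earlier hook — receives another NPF_NTAG_PASS tag unless nbuf_add_tag() de-duplicates, which its body (in npf_mbuf.c, cut off on this page) does not visibly do; a `nbuf_find_tag()` check before adding, or a comment that duplicate tags are harmless, would settle it. Failing closed on ENOMEM (`*error = ENOMEM; return NULL;`) is the right call for a tag whose presence lets a packet bypass the rulesets on other interfaces. `nbuf` is not declared within the hunk; presumably it is the cache's buffer set up earlier in the function, which begins outside the hunk.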
@@ -298,7 +298,7 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t key, * => Returns 0 on success or errno on failure. */ int -nbuf_find_tag(nbuf_t *nbuf, uint32_t key, void **data) +nbuf_find_tag(nbuf_t *nbuf, uint32_t *val) { struct mbuf *m = nbuf->nb_mbuf0; struct m_tag *mt; @@ -309,6 +309,6 @@ nbuf_find_tag(nbuf_t *nbuf, uint32_t key if (mt == NULL) { return EINVAL; } - *data = (void *)(mt + 1); + *val = *(uint32_t *)(mt + 1); return 0; } Index: src/sys/net/npf/npf_handler.c diff -u src/sys/net/npf/npf_handler.c:1.33 src/sys/net/npf/npf_handler.c:1.34 --- src/sys/net/npf/npf_handler.c:1.33 Wed Jul 23 01:25:34 2014 +++ src/sys/net/npf/npf_handler.c Thu Dec 8 23:07:11 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_handler.c,v 1.33 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf_handler.c,v 1.34 2016/12/08 23:07:11 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #i
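Review bot: `*val = *(uint32_t *)(mt + 1);` in nbuf_find_tag reads the tag payload without checking that the tag actually carries four bytes; the payload size is whatever nbuf_add_tag allocated, and that body starts in the previous hunk but its allocation is outside this chunk. If struct m_tag exposes the length as in sys/mbuf.h, a `KASSERT(mt->m_tag_len >= sizeof(uint32_t));` before the read makes the contract explicit, and the function comment should state that NPF tags carry exactly one uint32_t value. A `memcpy(val, mt + 1, sizeof(*val));` would also remove any dependence on the payload's alignment.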
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Sun Jul 12 23:54:44 UTC 2015 Modified Files: src/usr.sbin/npf: npf.7 src/usr.sbin/npf/npfctl: npf_var.c Log Message: - npfvar_get_type1: check for NULL first. - Minor fix for the npf(7) man page. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npf.7 cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npfctl/npf_var.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf.7 diff -u src/usr.sbin/npf/npf.7:1.2 src/usr.sbin/npf/npf.7:1.3 --- src/usr.sbin/npf/npf.7:1.2 Sun Aug 10 19:09:43 2014 +++ src/usr.sbin/npf/npf.7 Sun Jul 12 23:54:43 2015 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf.7,v 1.2 2014/08/10 19:09:43 rmind Exp $ +.\" $NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 2, 2014 +.Dd July 13, 2015 .Dt NPF 7 .Os .Sh NAME @@ -69,7 +69,7 @@ Traffic normalization (extension). Packet logging (extension). .El .Pp -For a full set features and their description, see the NPF +For a full set of features and their description, see the NPF documentation and other manual pages. .\" - .Sh SEE ALSO Index: src/usr.sbin/npf/npfctl/npf_var.c diff -u src/usr.sbin/npf/npfctl/npf_var.c:1.8 src/usr.sbin/npf/npfctl/npf_var.c:1.9 --- src/usr.sbin/npf/npfctl/npf_var.c:1.8 Tue Nov 19 00:28:41 2013 +++ src/usr.sbin/npf/npfctl/npf_var.c Sun Jul 12 23:54:44 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_var.c,v 1.8 2013/11/19 00:28:41 rmind Exp $ */ +/* $NetBSD: npf_var.c,v 1.9 2015/07/12 23:54:44 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. 
@@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npf_var.c,v 1.8 2013/11/19 00:28:41 rmind Exp $"); +__RCSID("$NetBSD: npf_var.c,v 1.9 2015/07/12 23:54:44 rmind Exp $"); #include #include @@ -239,14 +239,14 @@ npfvar_get_type1(const npfvar_t *vp, siz { npf_element_t *el; + if (vp == NULL) + return -1; + if (level >= var_num) { yyerror("variable loop for '%s'", vp->v_key); return -1; } - if (vp == NULL) - return -1; - if (vp->v_count <= idx) { yyerror("variable '%s' has only %zu elements, requested %zu", vp->v_key, vp->v_count, idx);
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Jul 12 23:51:53 UTC 2015 Modified Files: src/sys/net/npf: npf_if.c npf_mbuf.c Log Message: npfkern: eliminate INACTIVE_ID and use 0 for unregistered interfaces. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_if.c cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_if.c diff -u src/sys/net/npf/npf_if.c:1.4 src/sys/net/npf/npf_if.c:1.5 --- src/sys/net/npf/npf_if.c:1.4 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_if.c Sun Jul 12 23:51:53 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_if.c,v 1.4 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_if.c,v 1.5 2015/07/12 23:51:53 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -35,14 +35,17 @@ * NPF uses its own interface IDs (npf-if-id). When NPF configuration is * (re)loaded, each required interface name is registered and a matching * network interface gets an ID assigned. If an interface is not present, - * it gets an ID on attach. Any other interfaces get INACTIVE_ID. + * it gets an ID on attach. + * + * IDs start from 1. Zero is reserved to indicate "no interface" case or + * an interface of no interest (i.e. not registered). * * The IDs are mapped synchronously based on interface events which are * monitored using pfil(9) hooks. */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.4 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.5 2015/07/12 23:51:53 rmind Exp $"); #ifdef _KERNEL_OPT #include "pf.h" @@ -59,8 +62,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1 #include "npf_impl.h" -#define INACTIVE_ID ((u_int)-1) - typedef struct { char n_ifname[IFNAMSIZ]; } npf_ifmap_t; 
@@ -68,12 +69,6 @@ typedef struct { static npf_ifmap_t npf_ifmap[NPF_MAX_IFMAP] __read_mostly; static u_int npf_ifmap_cnt __read_mostly; -/* - * NOTE: IDs start from 1. Zero is reserved for "no interface" and - * (unsigned)-1 for "inactive interface". Therefore, an interface - * can have either INACTIVE_ID or non-zero ID. - */ - static u_int npf_ifmap_new(void) { @@ -85,7 +80,7 @@ npf_ifmap_new(void) if (npf_ifmap_cnt == NPF_MAX_IFMAP) { printf("npf_ifmap_new: out of slots; bump NPF_MAX_IFMAP\n"); - return INACTIVE_ID; + return 0; } return ++npf_ifmap_cnt; } @@ -101,7 +96,7 @@ npf_ifmap_lookup(const char *ifname) if (nim->n_ifname[0] && strcmp(nim->n_ifname, ifname) == 0) return i + 1; } - return INACTIVE_ID; + return 0; } u_int @@ -112,11 +107,10 @@ npf_ifmap_register(const char *ifname) u_int i; npf_config_enter(); - if ((i = npf_ifmap_lookup(ifname)) != INACTIVE_ID) { + if ((i = npf_ifmap_lookup(ifname)) != 0) { goto out; } - if ((i = npf_ifmap_new()) == INACTIVE_ID) { - i = INACTIVE_ID; + if ((i = npf_ifmap_new()) == 0) { goto out; } nim = &npf_ifmap[i - 1]; @@ -146,7 +140,7 @@ npf_ifmap_flush(void) KERNEL_LOCK(1, NULL); IFNET_FOREACH(ifp) { - ifp->if_pf_kif = (void *)(uintptr_t)INACTIVE_ID; + ifp->if_pf_kif = (void *)(uintptr_t)0; } KERNEL_UNLOCK_ONE(NULL); } @@ -155,8 +149,7 @@ u_int npf_ifmap_getid(const ifnet_t *ifp) { const u_int i = (uintptr_t)ifp->if_pf_kif; - - KASSERT(i == INACTIVE_ID || (i > 0 && i <= npf_ifmap_cnt)); + KASSERT(i <= npf_ifmap_cnt); return i; } @@ -184,7 +177,8 @@ npf_ifmap_attach(ifnet_t *ifp) void npf_ifmap_detach(ifnet_t *ifp) { + /* Diagnostic. */ npf_config_enter(); - ifp->if_pf_kif = (void *)(uintptr_t)INACTIVE_ID; /* diagnostic */ + ifp->if_pf_kif = (void *)(uintptr_t)0; npf_config_exit(); } Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.13 src/sys/net/npf/npf_mbuf.c:1.14 --- src/sys/net/npf/npf_mbuf.c:1.13 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_mbuf.c Sun Jul 12 23:51:53 2015 
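Review bot: With INACTIVE_ID gone, npf_ifmap_register returns 0 when npf_ifmap_new runs out of slots, and 0 is now also the "no interface / not registered" value described in the file comment; if rule matching treats an interface id of 0 as "any interface" (not visible here), a rule bound to an interface that failed to register would silently widen to all interfaces instead of matching nothing. The callers of npf_ifmap_register are outside this hunk, but the return contract should be stated on the function so they treat 0 as a hard configuration error: `/* Returns the interface ID (>= 1), or 0 if the name could not be registered (slot table full); callers must treat 0 as an error, not as a valid id. */`. The out-of-slots case is currently only reported with a printf in npf_ifmap_new.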
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_mbuf.c,v 1.13 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_mbuf.c,v 1.14 2015/07/12 23:51:53 rmind Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.14 2015/07/12 23:51:53 rmind Exp $"); #include #include @@ -57,7 +57,7 @@ nbuf_init(nbuf_t *nbuf, struct mbuf *m, nbuf->nb_mbuf0 = m; nbuf->nb_ifp = ifp; - nbuf->nb_ifid = ifid; + nbuf->nb_ifid = ifid; nbuf_reset(nbuf); }
CVS commit: src
Module Name:src Committed By: rmind Date: Mon Jun 8 01:00:43 UTC 2015 Modified Files: src/sys/net/npf: npf_ctl.c src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c Log Message: - npfctl: fix the confusion in the parser (0/0 case with no other filter). - Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC. To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.39 -r1.40 src/usr.sbin/npf/npfctl/npf_build.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.41 src/sys/net/npf/npf_ctl.c:1.42 --- src/sys/net/npf/npf_ctl.c:1.41 Fri Mar 20 23:36:28 2015 +++ src/sys/net/npf/npf_ctl.c Mon Jun 8 01:00:43 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.41 2015/03/20 23:36:28 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.42 2015/06/08 01:00:43 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.41 2015/03/20 23:36:28 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.42 2015/06/08 01:00:43 rmind Exp $"); #include #include @@ -49,13 +49,9 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v #include "npf_impl.h" #include "npf_conn.h" -#if defined(DEBUG) || defined(DIAGNOSTIC) #define NPF_ERR_DEBUG(e) \ prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \ prop_dictionary_set_uint32((e), "source-line", __LINE__); -#else -#define NPF_ERR_DEBUG(e) -#endif /* * npfctl_switch: enable or disable packet inspection. Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.7 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.8 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.7 Sun Jun 29 00:05:24 2014 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Mon Jun 8 01:00:43 2015 
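Review bot: NPF_ERR_DEBUG expands to two statements, so a use such as `if (cond) NPF_ERR_DEBUG(e);` would run only the first one under the condition; now that the macro is compiled into every build rather than DEBUG/DIAGNOSTIC only, wrap it as `#define NPF_ERR_DEBUG(e) do { prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); prop_dictionary_set_uint32((e), "source-line", __LINE__); } while (0)`. The dictionary is presumably what npfctl reads back via _npf_config_error, so every ioctl caller now sees the kernel's __FILE__ path and line; that is fine for a load-error diagnostic, but a one-line comment on the macro saying it is user-visible would keep later edits from adding more internal detail there.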
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf_comp.c,v 1.7 2014/06/29 00:05:24 rmind Exp $ */ +/* $NetBSD: npf_bpf_comp.c,v 1.8 2015/06/08 01:00:43 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.7 2014/06/29 00:05:24 rmind Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.8 2015/06/08 01:00:43 rmind Exp $"); #include #include @@ -189,6 +189,10 @@ npfctl_bpf_complete(npf_bpf_t *ctx) struct bpf_program *bp = &ctx->prog; const u_int retoff = bp->bf_len; + /* No instructions (optimised out). */ + if (!bp->bf_len) + return NULL; + /* Add the return fragment (success and failure paths). */ struct bpf_insn insns_ret[] = { BPF_STMT(BPF_RET+BPF_K, NPF_BPF_SUCCESS), Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.39 src/usr.sbin/npf/npfctl/npf_build.c:1.40 --- src/usr.sbin/npf/npfctl/npf_build.c:1.39 Sat Mar 21 00:49:07 2015 +++ src/usr.sbin/npf/npfctl/npf_build.c Mon Jun 8 01:00:43 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.40 2015/06/08 01:00:43 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.40 2015/06/08 01:00:43 rmind Exp $"); #include #include @@ -368,6 +368,10 @@ npfctl_build_code(nl_rule_t *rl, sa_fami /* Complete BPF byte-code and pass to the rule. */ struct bpf_program *bf = npfctl_bpf_complete(bc); + if (bf == NULL) { + npfctl_bpf_destroy(bc); + return true; + } len = bf->bf_len * sizeof(struct bpf_insn); if (npf_rule_setcode(rl, NPF_CODE_BPF, bf->bf_insns, len) == -1) {
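Review bot: Returning true from npfctl_build_code when npfctl_bpf_complete yields no instructions installs the rule with no filter code at all, i.e. it matches every packet; that is the intended semantics for the `0/0` case named in the log, but the code should state that a zero-length program can only arise from tautological criteria, because any future optimisation that drops instructions for another reason would turn a restrictive filter into match-all rather than match-none. Suggest above the new `if (bf == NULL)` in npf_build.c: `/* Empty program: every criterion was a tautology (e.g. 0/0), so the rule deliberately matches everything. */`, and a matching `=> Returns NULL if the program is empty.` line in the npfctl_bpf_complete header comment. Any other caller of npfctl_bpf_complete must now handle NULL as well; none is visible in this chunk. Both enclosing functions start before their hunks.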
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Wed Jun 3 23:36:05 UTC 2015 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c Log Message: npfctl: fix the from/to port mess up when showing the rules. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.18 src/usr.sbin/npf/npfctl/npf_show.c:1.19 --- src/usr.sbin/npf/npfctl/npf_show.c:1.18 Sat Mar 21 00:49:07 2015 +++ src/usr.sbin/npf/npfctl/npf_show.c Wed Jun 3 23:36:05 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $ */ +/* $NetBSD: npf_show.c,v 1.19 2015/06/03 23:36:05 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.19 2015/06/03 23:36:05 rmind Exp $"); #include #include @@ -214,14 +214,14 @@ print_portrange(npf_conf_info_t *ctx, co char *p; if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) - any_str = "to any "; - if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) any_str = "from any "; + if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) + any_str = "to any "; if (fport != tport) { - easprintf(&p, "%s%u:%u", any_str, fport, tport); + easprintf(&p, "%sport %u:%u", any_str, fport, tport); } else { - easprintf(&p, "%s%u", any_str, fport); + easprintf(&p, "%sport %u", any_str, fport); } return p; } 
@@ -271,11 +271,11 @@ static const struct mark_keyword_mapent { BM_SRC_CIDR, "from %s", ", ", SEEN_SRC, print_address, 6 }, { BM_SRC_TABLE, "from <%s>", NULL, SEEN_SRC, print_table, 1 }, - { BM_SRC_PORTS, "port %s", ", ", 0, print_portrange,2 }, + { BM_SRC_PORTS, "%s", ", ", 0, print_portrange,2 }, { BM_DST_CIDR, "to %s", ", ", SEEN_DST, print_address, 6 }, { BM_DST_TABLE, "to <%s>", NULL, SEEN_DST, print_table, 1 }, - { BM_DST_PORTS, "port %s", ", ", 0, print_portrange,2 }, + { BM_DST_PORTS, "%s", ", ", 0, print_portrange,2 }, }; static const char * __attribute__((format_arg(2))) @@ -351,6 +351,7 @@ npfctl_print_filter(npf_conf_info_t *ctx "pcap-filter \"...\"" : "unrecognized-bytecode"); return; } + ctx->flags = 0; /* * BPF filter criteria described by the byte-code marks.
CVS commit: src/sys/uvm
Module Name:src Committed By: rmind Date: Wed May 27 19:43:40 UTC 2015 Modified Files: src/sys/uvm: uvm_bio.c Log Message: ubc_alloc: perform pmap_update() in the error path as we might have removed the mapping. To generate a diff of this commit: cvs rdiff -u -r1.82 -r1.83 src/sys/uvm/uvm_bio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/uvm/uvm_bio.c diff -u src/sys/uvm/uvm_bio.c:1.82 src/sys/uvm/uvm_bio.c:1.83 --- src/sys/uvm/uvm_bio.c:1.82 Fri Sep 5 09:24:21 2014 +++ src/sys/uvm/uvm_bio.c Wed May 27 19:43:40 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: uvm_bio.c,v 1.82 2014/09/05 09:24:21 matt Exp $ */ +/* $NetBSD: uvm_bio.c,v 1.83 2015/05/27 19:43:40 rmind Exp $ */ /* * Copyright (c) 1998 Chuck Silvers. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uvm_bio.c,v 1.82 2014/09/05 09:24:21 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uvm_bio.c,v 1.83 2015/05/27 19:43:40 rmind Exp $"); #include "opt_uvmhist.h" #include "opt_ubc.h" @@ -581,6 +581,10 @@ again_faultbusy: &npages, 0, VM_PROT_READ | VM_PROT_WRITE, advice, gpflags); UVMHIST_LOG(ubchist, "faultbusy getpages %d", error, 0, 0, 0); if (error) { + /* + * Flush: the mapping above might have been removed. + */ + pmap_update(pmap_kernel()); goto out; } for (i = 0; i < npages; i++) {
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sat Mar 21 00:49:07 UTC 2015 Modified Files: src/usr.sbin/npf/npfctl: npf_build.c npf_show.c Log Message: npfctl: - Fix the filter criteria when to/from is omitted but port used. - Print more user-friendly error if an NPF table has a duplicate entry. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.38 src/usr.sbin/npf/npfctl/npf_build.c:1.39 --- src/usr.sbin/npf/npfctl/npf_build.c:1.38 Sat May 31 22:41:37 2014 +++ src/usr.sbin/npf/npfctl/npf_build.c Sat Mar 21 00:49:07 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $"); #include #include @@ -91,6 +91,10 @@ npfctl_config_send(int fd, const char *o } npf_rule_insert(npf_conf, NULL, defgroup); error = npf_config_submit(npf_conf, fd); + if (error == EEXIST) { /* XXX */ + errx(EXIT_FAILURE, "(re)load failed: " + "some table has a duplicate entry?"); + } if (error) { nl_error_t ne; _npf_config_error(npf_conf, &ne); Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.17 src/usr.sbin/npf/npfctl/npf_show.c:1.18 --- src/usr.sbin/npf/npfctl/npf_show.c:1.17 Mon Feb 2 19:08:32 2015 +++ src/usr.sbin/npf/npfctl/npf_show.c Sat Mar 21 00:49:07 2015 
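Review bot: The `error == EEXIST` shortcut in npfctl_config_send exits before the generic path below reads the error dictionary through _npf_config_error, so whatever detail the kernel attached to the failure (source file and line, when it fills them) is discarded in favour of a guess ending in "?". EEXIST is an ordinary errno that other steps of the submit could also return, so it would be safer to keep the hint but still fall through to the full report, e.g. replace the `errx` with `warnx("hint: an NPF table may contain a duplicate entry");` and let the following `if (error)` block run. The XXX marker should say what is meant to be temporary about this special case.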
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $ */ +/* $NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $"); #include #include @@ -53,13 +53,22 @@ __RCSID("$NetBSD: npf_show.c,v 1.17 2015 #include "npfctl.h" +#define SEEN_SRC 0x01 +#define SEEN_DST 0x02 + typedef struct { nl_config_t * conf; FILE * fp; long fpos; + u_int flags; + uint32_t curmark; } npf_conf_info_t; -static npf_conf_info_t stdout_ctx = { .fp = stdout, .fpos = 0 }; +static npf_conf_info_t stdout_ctx = { + .fp = stdout, + .fpos = 0, + .flags = 0 +}; static void print_indent(npf_conf_info_t *, u_int); static void print_linesep(npf_conf_info_t *); @@ -201,12 +210,18 @@ static char * print_portrange(npf_conf_info_t *ctx, const uint32_t *words) { u_int fport = words[0], tport = words[1]; + const char *any_str = ""; char *p; + if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) + any_str = "to any "; + if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) + any_str = "from any "; + if (fport != tport) { - easprintf(&p, "%u:%u", fport, tport); + easprintf(&p, "%s%u:%u", any_str, fport, tport); } else { - easprintf(&p, "%u", fport); + easprintf(&p, "%s%u", any_str, fport); } return p; } 
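Review bot: The "any" strings in print_portrange are swapped: a source-port criterion with no source address seen should render as `from any `, and a destination-port one as `to any `, so the branches should read `any_str = "from any ";` for BM_SRC_PORTS and `any_str = "to any ";` for BM_DST_PORTS, otherwise a rule written as `from any port 22` is shown with the opposite direction. The mapping table in the next hunk still uses the token `"port %s"` for both port marks, so the prefix lands after the keyword and prints as `port to any 22` rather than `to any port 22`; the "port " text has to move into print_portrange if the prefix is to precede it. Nothing in this commit resets `ctx->flags`, and stdout_ctx is a single static context reused for every rule, so SEEN_SRC/SEEN_DST left by one rule suppress the "any" on the following rules; the flags need clearing at the start of each rule's filter output, which is outside this hunk.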
@@ -244,22 +259,23 @@ static const struct mark_keyword_mapent u_int mark; const char * token; const char * sep; + u_int set_flags; char * (*printfn)(npf_conf_info_t *, const uint32_t *); u_int fwords; } mark_keyword_map[] = { - { BM_IPVER, "family %s", NULL, print_family, 1 }, - { BM_PROTO, "proto %s", ", ", print_proto, 1 }, - { BM_TCPFL, "flags %s", NULL, print_tcpflags, 2 }, - { BM_ICMP_TYPE, "icmp-type %s", NULL, print_number, 1 }, - { BM_ICMP_CODE, "code %s", NULL, print_number, 1 }, - - { BM_SRC_CIDR, "from %s", ", ", print_address, 6 }, - { BM_SRC_TABLE, "from <%s>", NULL, print_table, 1 }, - { BM_SRC_PORTS, "port %s", ", ", print_portrange,2 }, - - { BM_DST_CIDR, "to %s", ", ", print_address, 6 }, - { BM_DST_TABLE, "to <%s>", NULL, print_table, 1 }, - { BM_DST_PORTS, "port %s", ", ", print_portrange,2 }, + { BM_IPVER, "family %s", NULL, 0, print_family, 1 }, + { BM_PROTO, "proto %s", ", ", 0, print_proto, 1 }, + { BM_TCPFL, "flags %s", NULL, 0, print_tcpflags, 2 }, + { BM_ICMP_TYPE, "icmp-type %s", NULL, 0, print_number, 1 }, + { BM_ICMP_CODE, "code %s", NULL, 0, print_number, 1 }, + + { BM_SRC_CIDR, "from %s", ", ", SEEN_SRC, print_address, 6 }, + { BM_SRC_TABLE, "from <%s>", NULL, SEEN_SRC, print_table, 1 }, + { BM_SRC_PORTS, "port %s", ", ", 0, print_portrange,2 }, + + { BM_DST_CIDR, "to %s", ", ", SEEN_DST, print_address, 6 }, + { BM_DST_TABLE, "to <%s>", NULL, SEEN_DST, print_table, 1 }, + { BM_DST_PORTS, "port %s", ", ", 0, print_portrange,2 }, }; static const char * __attribute__((format_arg(2))) @@ -
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Fri Mar 20 23:36:28 UTC 2015 Modified Files: src/sys/net/npf: npf_ctl.c npf_ruleset.c Log Message: NPF: replace the TAILQ of the dynamic rules with a linked list and fix the inheriting of the active dynamic rules during the reload; also, fix a bug in the insert path by putting a memory barrier in the right place. To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.40 src/sys/net/npf/npf_ctl.c:1.41 --- src/sys/net/npf/npf_ctl.c:1.40 Sun Aug 24 20:36:30 2014 +++ src/sys/net/npf/npf_ctl.c Fri Mar 20 23:36:28 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.41 2015/03/20 23:36:28 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.41 2015/03/20 23:36:28 rmind Exp $"); #include #include @@ -778,6 +778,9 @@ npfctl_rule(u_long cmd, void *data) } case NPF_CMD_RULE_LIST: { retdict = npf_ruleset_list(rlset, ruleset_name); + if (!retdict) { + error = ESRCH; + } break; } case NPF_CMD_RULE_FLUSH: { @@ -797,6 +800,7 @@ npfctl_rule(u_long cmd, void *data) npf_config_exit(); if (rl) { + KASSERT(error); npf_rule_free(rl); } out: Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.41 src/sys/net/npf/npf_ruleset.c:1.42 --- src/sys/net/npf/npf_ruleset.c:1.41 Mon Feb 2 00:31:39 2015 +++ src/sys/net/npf/npf_ruleset.c Fri Mar 20 23:36:28 2015 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.42 2015/03/20 23:36:28 rmind Exp $ */ /*- * Copyright (c) 2009-2015 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.42 2015/03/20 23:36:28 rmind Exp $"); #include #include @@ -89,21 +89,24 @@ struct npf_rule { npf_natpolicy_t * r_natp; npf_rproc_t * r_rproc; - /* Rule priority: (highest) 1, 2 ... n (lowest). */ - pri_t r_priority; - - /* - * Dynamic group: subset queue and a dynamic group list entry. - * Dynamic rule: entry and the parent rule (the group). - */ union { - TAILQ_HEAD(npf_ruleq, npf_rule) r_subset; - TAILQ_ENTRY(npf_rule) r_entry; - } /* C11 */; - union { - LIST_ENTRY(npf_rule) r_dentry; - npf_rule_t * r_parent; - } /* C11 */; + /* + * Dynamic group: rule subset and a group list entry. + */ + struct { + npf_rule_t * r_subset; + LIST_ENTRY(npf_rule) r_dentry; + }; + + /* + * Dynamic rule: priority, parent group and next rule. + */ + struct { + int r_priority; + npf_rule_t * r_parent; + npf_rule_t * r_next; + }; + }; /* Rule ID, name and the optional key. */ uint64_t r_id; @@ -147,19 +150,6 @@ npf_ruleset_create(size_t slots) return rlset; } -static void -npf_ruleset_unlink(npf_ruleset_t *rlset, npf_rule_t *rl) -{ - if (NPF_DYNAMIC_GROUP_P(rl->r_attr)) { - LIST_REMOVE(rl, r_dentry); - } - if (NPF_DYNAMIC_RULE_P(rl->r_attr)) { - npf_rule_t *rg = rl->r_parent; - TAILQ_REMOVE(&rg->r_subset, rl, r_entry); - } - LIST_REMOVE(rl, r_aentry); -} - void npf_ruleset_destroy(npf_ruleset_t *rlset) { 
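Review bot: The anonymous union in struct npf_rule now overlays the group fields (r_subset, r_dentry) with the rule fields (r_priority, r_parent, r_next), so a group's r_subset occupies the same bytes as a rule's r_priority and reading any of them before checking r_attr with NPF_DYNAMIC_GROUP_P / NPF_DYNAMIC_RULE_P yields garbage; the two per-struct comments imply this but do not say it. Suggest a comment on the union itself: `/* The two structs alias the same storage: test r_attr before touching any field of either. */`. The change of r_priority from pri_t to int (and of priocmd in npf_ruleset_add) is silent in the log; if intentional, a word in the field comment about the signed range it now relies on would help.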
@@ -167,7 +157,19 @@ npf_ruleset_destroy(npf_ruleset_t *rlset npf_rule_t *rl; while ((rl = LIST_FIRST(&rlset->rs_all)) != NULL) { - npf_ruleset_unlink(rlset, rl); + if (NPF_DYNAMIC_GROUP_P(rl->r_attr)) { + /* + * Note: r_subset may point to the rules which + * were inherited by a new ruleset. + */ + rl->r_subset = NULL; + LIST_REMOVE(rl, r_dentry); + } + if (NPF_DYNAMIC_RULE_P(rl->r_attr)) { + /* Not removing from r_subset, see above. */ + KASSERT(rl->r_parent != NULL); + } + LIST_REMOVE(rl, r_aentry); npf_rule_free(rl); } KASSERT(LIST_EMPTY(&rlset->rs_dynamic)); @@ -222,16 +224,16 @@ npf_ruleset_lookup(npf_ruleset_t *rlset, int npf_ruleset_add(npf_ruleset_t *rlset, const char *rname, npf_rule_t *rl) { - npf_rule_t *rg, *it; - pri_t priocmd; + npf_rule_t *rg, *it, *target; + int priocmd; + if (!NPF_DYNAMIC_RULE_P(rl->r_attr)) { + return EINVAL; + } rg = npf_ruleset_lookup(rlset, rname); if (rg == NULL) { return ESRCH; } - if (!NPF_DYNAMIC_RULE_P(rl->r_attr)) { - return EINVAL; - } /* Dynamic rule - assign a unique ID and save the parent. */ rl->r_id = ++rlset->rs_idcnt; @@ -245,29 +247,32 @@ npf_ruleset_add(npf_ruleset_t *rlset, co rl->r_priority = 0; } + /* + * WARNING: once rg->subset or target->r_next of an *active* + * rule is
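Review bot: npf_ruleset_destroy frees every rule still on rs_all, including dynamic rules, while the new comment says a group's r_subset may point at rules inherited by a new ruleset; that is only safe if the reload path has already moved the inherited rules off this ruleset's rs_all, which this chunk does not show (presumably done where the new ruleset inherits them). The comment should state that dependency so the two sites cannot drift apart: `/* Inherited dynamic rules were moved to the new ruleset's rs_all on reload; any dynamic rule still on rs_all belongs to us and is freed here. */`. The `KASSERT(rl->r_parent != NULL)` is placed after the NPF_DYNAMIC_RULE_P check, which matters because r_parent shares storage with the group's fields in the union.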
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Thu Feb 5 22:04:03 UTC 2015 Modified Files: src/sys/net/npf: npf_conn.c Log Message: npf_conn_establish: fix the previous change - drop the reference on error. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.15 src/sys/net/npf/npf_conn.c:1.16 --- src/sys/net/npf/npf_conn.c:1.15 Sun Feb 1 22:41:22 2015 +++ src/sys/net/npf/npf_conn.c Thu Feb 5 22:04:03 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $ */ /*- * Copyright (c) 2014-2015 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $"); #include #include @@ -528,8 +528,8 @@ err: * here since there might be references acquired already. */ if (error) { - const u_int dflags = CONN_REMOVED | CONN_EXPIRE; - atomic_or_uint(&con->c_flags, dflags); + atomic_or_uint(&con->c_flags, CONN_REMOVED | CONN_EXPIRE); + atomic_dec_uint(&con->c_refcnt); npf_stats_inc(NPF_STAT_RACE_CONN); } else { NPF_PRINTF(("NPF: establish conn %p\n", con)); @@ -569,6 +569,8 @@ npf_conn_destroy(npf_conn_t *con) /* * npf_conn_setnat: associate NAT entry with the connection, update and * re-insert connection entry using the translation values. + * + * => The caller must be holding a reference. */ int npf_conn_setnat(const npf_cache_t *npc, npf_conn_t *con,
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Mon Feb 2 19:08:32 UTC 2015 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c Log Message: npfctl_print_rule: print the ID in hex, not decimal. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.16 src/usr.sbin/npf/npfctl/npf_show.c:1.17 --- src/usr.sbin/npf/npfctl/npf_show.c:1.16 Mon Feb 2 00:31:39 2015 +++ src/usr.sbin/npf/npfctl/npf_show.c Mon Feb 2 19:08:32 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $ */ +/* $NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $"); #include #include @@ -388,7 +388,7 @@ npfctl_print_rule(npf_conf_info_t *ctx, /* If dynamic rule - print its ID. */ if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) { uint64_t id = npf_rule_getid(rl); - fprintf(ctx->fp, "# id = \"%" PRIu64 "\" ", id); + fprintf(ctx->fp, "# id = \"%" PRIx64 "\" ", id); } fputs("\n", ctx->fp);
CVS commit: src/lib/libnpf
Module Name:src Committed By: rmind Date: Mon Feb 2 00:55:28 UTC 2015 Modified Files: src/lib/libnpf: npf.c npf.h Log Message: libnpf: add npf_rule_getid() and npf_rule_getcode(). Missed in the previous commit. To generate a diff of this commit: cvs rdiff -u -r1.34 -r1.35 src/lib/libnpf/npf.c cvs rdiff -u -r1.27 -r1.28 src/lib/libnpf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.34 src/lib/libnpf/npf.c:1.35 --- src/lib/libnpf/npf.c:1.34 Sun Aug 24 20:37:35 2014 +++ src/lib/libnpf/npf.c Mon Feb 2 00:55:28 2015 @@ -1,7 +1,7 @@ -/* $NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $ */ +/* $NetBSD: npf.c,v 1.35 2015/02/02 00:55:28 rmind Exp $ */ /*- - * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. + * Copyright (c) 2010-2015 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.35 2015/02/02 00:55:28 rmind Exp $"); #include #include 
@@ -715,6 +715,27 @@ npf_rule_getproc(nl_rule_t *rl) return rpname; } +uint64_t +npf_rule_getid(nl_rule_t *rl) +{ + prop_dictionary_t rldict = rl->nrl_dict; + uint64_t id = 0; + + (void)prop_dictionary_get_uint64(rldict, "id", &id); + return id; +} + +const void * +npf_rule_getcode(nl_rule_t *rl, int *type, size_t *len) +{ + prop_dictionary_t rldict = rl->nrl_dict; + prop_object_t obj = prop_dictionary_get(rldict, "code"); + + prop_dictionary_get_uint32(rldict, "code-type", (uint32_t *)type); + *len = prop_data_size(obj); + return prop_data_data_nocopy(obj); +} + int _npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf) { Index: src/lib/libnpf/npf.h diff -u src/lib/libnpf/npf.h:1.27 src/lib/libnpf/npf.h:1.28 --- src/lib/libnpf/npf.h:1.27 Wed Jul 23 01:25:34 2014 +++ src/lib/libnpf/npf.h Mon Feb 2 00:55:28 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.27 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.28 2015/02/02 00:55:28 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -129,6 +129,8 @@ uint32_t npf_rule_getattr(nl_rule_t *); const char * npf_rule_getinterface(nl_rule_t *); const void * npf_rule_getinfo(nl_rule_t *, size_t *); const char * npf_rule_getproc(nl_rule_t *); +uint64_t npf_rule_getid(nl_rule_t *); +const void * npf_rule_getcode(nl_rule_t *, int *, size_t *); nl_table_t * npf_table_iterate(nl_config_t *); const char * npf_table_getname(nl_table_t *);
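Review bot: npf_rule_getcode dereferences the "code" object unconditionally, yet its caller in npf_show.c (the npfctl_print_filter hunk later in this chunk) relies on a NULL return for rules without byte-code; if prop_dictionary_get returns NULL for a missing key, prop_data_size is called on NULL. The `(uint32_t *)type` cast also writes a uint32_t through an `int *`, and the return of prop_dictionary_get_uint32 is ignored, so when "code-type" is absent `*type` keeps whatever the caller had (an uninitialised local in npf_show.c). Guard the missing object and read the type into a local first, as below; on the NULL path `*type` is left untouched, which the header comment should say. npf_rule_getid's `(void)` on the lookup is fine since id defaults to 0, but a one-line comment stating "0 means no id" would make that explicit.
```c
const void *
npf_rule_getcode(nl_rule_t *rl, int *type, size_t *len)
{
	prop_dictionary_t rldict = rl->nrl_dict;
	prop_object_t obj = prop_dictionary_get(rldict, "code");
	uint32_t ctype = 0;

	/* No byte-code attached to this rule: *type is not written. */
	if (obj == NULL) {
		*len = 0;
		return NULL;
	}
	(void)prop_dictionary_get_uint32(rldict, "code-type", &ctype);
	*type = (int)ctype;
	*len = prop_data_size(obj);
	return prop_data_data_nocopy(obj);
}
```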
CVS commit: src
Module Name:src Committed By: rmind Date: Mon Feb 2 00:31:39 UTC 2015 Modified Files: src/sys/net/npf: npf_impl.h npf_ruleset.c src/usr.sbin/npf/npfctl: npf_show.c Log Message: npfctl(8): report dynamic rule ID in a comment, print the case when libpcap is used correctly. Also, add npf_ruleset_dump() helper in the kernel. To generate a diff of this commit: cvs rdiff -u -r1.60 -r1.61 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_ruleset.c cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.60 src/sys/net/npf/npf_impl.h:1.61 --- src/sys/net/npf/npf_impl.h:1.60 Sun Nov 30 01:37:53 2014 +++ src/sys/net/npf/npf_impl.h Mon Feb 2 00:31:39 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $ */ +/* $NetBSD: npf_impl.h,v 1.61 2015/02/02 00:31:39 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -344,6 +344,7 @@ prop_array_t npf_alg_export(void); const char * npf_addr_dump(const npf_addr_t *, int); void npf_state_dump(const npf_state_t *); void npf_nat_dump(const npf_nat_t *); +void npf_ruleset_dump(const char *); void npf_state_setsampler(void (*)(npf_state_t *, bool)); #endif /* _NPF_IMPL_H_ */ Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.40 src/sys/net/npf/npf_ruleset.c:1.41 --- src/sys/net/npf/npf_ruleset.c:1.40 Sun Nov 30 01:37:53 2014 +++ src/sys/net/npf/npf_ruleset.c Mon Feb 2 00:31:39 2015 @@ -1,7 +1,7 @@ -/* $NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $ */ /*- - * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. + * Copyright (c) 2009-2015 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The 
@@ -34,7 +34,7 @@ */
 #include
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $");
 #include
 #include
@@ -936,3 +936,25 @@ npf_rule_conclude(const npf_rule_t *rl,
 *retfl = rl->r_attr;
 return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
 }
+
+
+#if defined(DDB) || defined(_NPF_TESTING)
+
+void
+npf_ruleset_dump(const char *name)
+{
+ npf_ruleset_t *rlset = npf_config_ruleset();
+ npf_rule_t *rg, *rl;
+
+ LIST_FOREACH(rg, &rlset->rs_dynamic, r_dentry) {
+ printf("ruleset '%s':\n", rg->r_name);
+ TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
+ printf("\tid %"PRIu64", key: ", rl->r_id);
+ for (u_int i = 0; i < NPF_RULE_MAXKEYLEN; i++)
+printf("%x", rl->r_key[i]);
+ printf("\n");
+ }
+ }
+}
+
+#endif
Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.15 src/usr.sbin/npf/npfctl/npf_show.c:1.16
--- src/usr.sbin/npf/npfctl/npf_show.c:1.15 Sun Jul 20 00:48:51 2014
+++ src/usr.sbin/npf/npfctl/npf_show.c Mon Feb 2 00:31:39 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $ */
+/* $NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $ */
 /*-
 * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@ */
 #include
-__RCSID("$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $");
 #include
 #include
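Review bot: The `name` parameter of the new npf_ruleset_dump() is never read; the body walks every entry of `rlset->rs_dynamic` regardless, so the prototype promises a filter the function does not implement. Either select the group, `if (name != NULL && strcmp(rg->r_name, name) != 0) continue;` at the top of the LIST_FOREACH body, or drop the parameter from both the definition and the declaration added to npf_impl.h. Separately, `printf("%x", rl->r_key[i])` prints each key element without a width, so if `r_key` is a byte array (NPF_RULE_MAXKEYLEN reads like a byte count — to confirm) values below 0x10 print as a single digit and the key is ambiguous; `printf("%02x", rl->r_key[i])` gives a fixed-width hex dump.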
@@ -316,10 +316,25 @@ static void npfctl_print_filter(npf_conf_info_t *ctx, nl_rule_t *rl) { const void *marks; - size_t mlen; + size_t mlen, len; + const void *code; + int type; - /* BPF filter criteria described by the byte-code marks. */ marks = npf_rule_getinfo(rl, &mlen); + if (!marks && (code = npf_rule_getcode(rl, &type, &len)) != NULL) { + /* + * No marks, but the byte-code is present. This must + * have been filled by libpcap(3) or possibly an unknown + * to us byte-code. + */ + fprintf(ctx->fp, "%s ", type == NPF_CODE_BPF ? + "pcap-filter \"...\"" : "unrecognized-bytecode"); + return; + } + + /* + * BPF filter criteria described by the byte-code marks. + */ for (u_int i = 0; i < __arraycount(mark_keyword_map); i++) { const struct mark_keyword_mapent *mk = &mark_keyword_map[i]; char *val; @@ -356,7 +371,7 @@ npfctl_print_rule(npf_conf_info_t *ctx, fprintf(ctx->fp, "on %s ", ifname); } - if ((attr & (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)) == NPF_RULE_GROUP) { + if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP) { /* Group; done. */ fputs("\n", ctx->fp); return; @@ -367,8 +382,15 @@ npfctl_print_rule(npf_conf_info_t *ctx, /* Rule procedure. */ if ((rproc = npf_rule_getproc(rl)) != NULL) { - fprintf(ctx->fp, "apply \"%s\"", rproc); + fprintf(ctx->fp, "apply \"%s\" ", rproc); + } + + /* If dynamic rule - print its ID. */ + if ((at
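Review bot: The `pcap-filter "..."` placeholder written in the new `!marks` branch means the printed rule is no longer a loadable npf.conf line: the original pcap expression is not recoverable from the kernel, and `code`/`len` are used only for the NULL test while the byte-code itself is discarded. That is a deliberate limitation and deserves a comment where the string is produced, e.g. `/* The pcap(3) expression is not kept by the kernel; this is informational only and cannot be re-loaded as is. */`. As a minor point, `type` is only assigned when npf_rule_getcode() succeeds, which the `&&` ordering guarantees, but `int type = 0;` would keep the usual uninitialised-variable warnings quiet. The second hunk on this line relies on NPF_DYNAMIC_GROUP being `NPF_RULE_GROUP | NPF_RULE_DYNAMIC`, which is not visible here.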
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun Feb 1 22:57:22 UTC 2015 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: npf.conf(5): mention alg, include in the example, minor fix. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.43 src/usr.sbin/npf/npfctl/npf.conf.5:1.44 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.43 Fri Dec 26 22:44:54 2014 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Feb 1 22:57:21 2015 @@ -1,6 +1,6 @@ -.\"$NetBSD: npf.conf.5,v 1.43 2014/12/26 22:44:54 christos Exp $ +.\"$NetBSD: npf.conf.5,v 1.44 2015/02/01 22:57:21 rmind Exp $ .\" -.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. +.\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 26, 2014 +.Dd February 1, 2015 .Dt NPF.CONF 5 .Os .Sh NAME @@ -232,7 +232,8 @@ is more flexible. ; Syntax of a single line. Lines can be separated by LF (\\n) or ; a semicolon. Comments start with a hash (#) character. -syntax = var-def | table-def | map | group | rproc | comment +syntax = var-def | set-param | alg | table-def | + map | group | rproc | comment ; Variable definition. Names can be alpha-numeric, including "_" character. 
@@ -240,8 +241,12 @@ var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) -; Parameter setting -set-statement = "set" parameter value +; Parameter setting. +set-param = "set" param-value + +; Application level gateway. The name should be in the double quotes. + +alg = "alg" alg-name ; Table definition. Table ID shall be numeric. Path is in the double quotes. @@ -306,8 +311,8 @@ directory containing further examples .\" - .Sh EXAMPLES .Bd -literal -$ext_if = { inet4(wm0), inet6(wm0) } -$int_if = { inet4(wm1), inet6(wm1) } +$ext_if = { inet4(wm0) } +$int_if = { inet4(wm1) } table type hash file "/etc/npf_blacklist" table type tree dynamic @@ -316,6 +321,8 @@ $services_tcp = { http, https, smtp, dom $services_udp = { domain, ntp, 6000 } $localnet = { 10.1.1.0/24 } +alg "icmp" + # Note: if $ext_if has multiple IP address (e.g. IPv6 as well), # then the translation address has to be specified explicitly. map $ext_if dynamic 10.1.1.0/24 -> $ext_if
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Feb 1 22:41:22 UTC 2015 Modified Files: src/sys/net/npf: npf_conn.c Log Message: - npf_conn_establish: remove a rare race condition when we might destroy a connection when it is still referenced by another thread. - npf_conn_destroy: remove the backwards entry using the saved key, PR/49488. - Sprinkle some asserts. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.14 src/sys/net/npf/npf_conn.c:1.15 --- src/sys/net/npf/npf_conn.c:1.14 Sat Dec 20 16:19:43 2014 +++ src/sys/net/npf/npf_conn.c Sun Feb 1 22:41:22 2015 @@ -1,7 +1,7 @@ -/* $NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $ */ /*- - * Copyright (c) 2014 Mindaugas Rasiukevicius + * Copyright (c) 2014-2015 Mindaugas Rasiukevicius * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. * All rights reserved. * @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $"); #include #include @@ -369,7 +369,6 @@ npf_conn_lookup(const npf_cache_t *npc, /* Check if connection is active and not expired. */ flags = con->c_flags; ok = (flags & (CONN_ACTIVE | CONN_EXPIRE)) == CONN_ACTIVE; - if (__predict_false(!ok)) { atomic_dec_uint(&con->c_refcnt); return NULL; @@ -453,6 +452,7 @@ npf_conn_establish(npf_cache_t *npc, int { const nbuf_t *nbuf = npc->npc_nbuf; npf_conn_t *con; + int error = 0; KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)); 
@@ -468,16 +468,16 @@ npf_conn_establish(npf_cache_t *npc, int NPF_PRINTF(("NPF: create conn %p\n", con)); npf_stats_inc(NPF_STAT_CONN_CREATE); - /* Reference count and flags (indicate direction). */ mutex_init(&con->c_lock, MUTEX_DEFAULT, IPL_SOFTNET); con->c_flags = (di & PFIL_ALL); - con->c_refcnt = 1; + con->c_refcnt = 0; con->c_rproc = NULL; con->c_nat = NULL; - /* Initialize protocol state. */ + /* Initialize the protocol state. */ if (!npf_state_init(npc, &con->c_state)) { - goto err; + npf_conn_destroy(con); + return NULL; } KASSERT(npf_iscached(npc, NPC_IP46)); 
@@ -488,45 +488,65 @@ npf_conn_establish(npf_cache_t *npc, int * Construct "forwards" and "backwards" keys. Also, set the * interface ID for this connection (unless it is global). */ - if (!npf_conn_conkey(npc, fw, true)) { - goto err; - } - if (!npf_conn_conkey(npc, bk, false)) { - goto err; + if (!npf_conn_conkey(npc, fw, true) || + !npf_conn_conkey(npc, bk, false)) { + npf_conn_destroy(con); + return NULL; } fw->ck_backptr = bk->ck_backptr = con; con->c_ifid = per_if ? nbuf->nb_ifid : 0; con->c_proto = npc->npc_proto; - /* Set last activity time for a new connection. */ + /* + * Set last activity time for a new connection and acquire + * a reference for the caller before we make it visible. + */ getnanouptime(&con->c_atime); + con->c_refcnt = 1; /* * Insert both keys (entries representing directions) of the - * connection. At this point, it becomes visible. + * connection. At this point it becomes visible, but we activate + * the connection later. */ + mutex_enter(&con->c_lock); if (!npf_conndb_insert(conn_db, fw, con)) { + error = EISCONN; goto err; } if (!npf_conndb_insert(conn_db, bk, con)) { - /* We have hit the duplicate. */ - npf_conndb_remove(conn_db, fw); - npf_stats_inc(NPF_STAT_RACE_CONN); + npf_conn_t *ret __diagused; + ret = npf_conndb_remove(conn_db, fw); + KASSERT(ret == con); + error = EISCONN; goto err; } +err: + /* + * If we have hit the duplicate: mark the connection as expired + * and let the G/C thread to take care of it. We cannot do it + * here since there might be references acquired already. + */ + if (error) { + const u_int dflags = CONN_REMOVED | CONN_EXPIRE; + atomic_or_uint(&con->c_flags, dflags); + npf_stats_inc(NPF_STAT_RACE_CONN); + } else { + NPF_PRINTF(("NPF: establish conn %p\n", con)); + } /* Finally, insert into the connection list. */ - NPF_PRINTF(("NPF: establish conn %p\n", con)); npf_conndb_enqueue(conn_db, con); - return con; -err: - npf_conn_destroy(con); - return NULL; + mutex_exit(&con->c_lock); + + return error ? 
NULL : con; } static void npf_conn_destroy(npf_conn_t *con) { + KASSERT(con->c_refcnt == 0); + if (con->c_nat) { /* Release any NAT structures. */ npf_nat_destroy(con->c_nat); @@ -582,6 +602,8 @@ npf_conn_setnat(const npf_cache_t *npc,
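Review bot: On the duplicate-insert path the reference taken for the caller (`con->c_refcnt = 1;` just before the inserts) is never dropped: the `if (error)` branch marks the connection `CONN_REMOVED | CONN_EXPIRE`, enqueues it and the function returns NULL, so the caller holds nothing to release, while npf_conn_destroy() now asserts `c_refcnt == 0` before it will reclaim anything. Unless the G/C path (not in this hunk) special-cases this flag combination, such a connection stays on the list with a stuck reference, which would leak memory whenever the insertion race is hit. Dropping the caller's reference in the error branch, `atomic_dec_uint(&con->c_refcnt);` right after `atomic_or_uint(&con->c_flags, dflags);`, keeps the "one reference per caller" invariant the new comment describes. npf_conn_establish() begins before this hunk.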
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Sun Jan 18 23:16:35 UTC 2015 Modified Files: src/sys/kern: subr_ipi.c src/sys/sys: ipi.h Log Message: Implement ipi_trigger_multi(9); requested by cherry@. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/kern/subr_ipi.c cvs rdiff -u -r1.2 -r1.3 src/sys/sys/ipi.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_ipi.c diff -u src/sys/kern/subr_ipi.c:1.2 src/sys/kern/subr_ipi.c:1.3 --- src/sys/kern/subr_ipi.c:1.2 Sun May 25 15:34:19 2014 +++ src/sys/kern/subr_ipi.c Sun Jan 18 23:16:35 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_ipi.c,v 1.2 2014/05/25 15:34:19 rmind Exp $ */ +/* $NetBSD: subr_ipi.c,v 1.3 2015/01/18 23:16:35 rmind Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: subr_ipi.c,v 1.2 2014/05/25 15:34:19 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_ipi.c,v 1.3 2015/01/18 23:16:35 rmind Exp $"); #include #include @@ -45,6 +45,7 @@ __KERNEL_RCSID(0, "$NetBSD: subr_ipi.c,v #include #include #include +#include #include #include #include 
@@ -188,6 +189,35 @@ ipi_trigger(u_int ipi_id, struct cpu_inf
 }
 /*
+ * ipi_trigger_multi: same as ipi_trigger() but sends to the multiple
+ * CPUs given the target CPU set.
+ */
+void
+ipi_trigger_multi(u_int ipi_id, const kcpuset_t *target)
+{
+ const cpuid_t selfid = cpu_index(curcpu());
+ CPU_INFO_ITERATOR cii;
+ struct cpu_info *ci;
+
+ KASSERT(kpreempt_disabled());
+ KASSERT(target != NULL);
+
+ for (CPU_INFO_FOREACH(cii, ci)) {
+ const cpuid_t cpuid = cpu_index(ci);
+
+ if (!kcpuset_isset(target, cpuid) || cpuid == selfid) {
+ continue;
+ }
+ ipi_trigger(ipi_id, ci);
+ }
+ if (kcpuset_isset(target, selfid)) {
+ int s = splhigh();
+ ipi_cpu_handler();
+ splx(s);
+ }
+}
+
+/*
 * put_msg: insert message into the mailbox.
 */
 static inline void
Index: src/sys/sys/ipi.h
diff -u src/sys/sys/ipi.h:1.2 src/sys/sys/ipi.h:1.3
--- src/sys/sys/ipi.h:1.2 Sun May 25 15:34:19 2014
+++ src/sys/sys/ipi.h Sun Jan 18 23:16:35 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ipi.h,v 1.2 2014/05/25 15:34:19 rmind Exp $ */
+/* $NetBSD: ipi.h,v 1.3 2015/01/18 23:16:35 rmind Exp $ */
 /*-
 * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -67,6 +67,7 @@ void cpu_ipi(struct cpu_info *);
 u_int ipi_register(ipi_func_t, void *);
 void ipi_unregister(u_int);
 void ipi_trigger(u_int, struct cpu_info *);
+void ipi_trigger_multi(u_int, const kcpuset_t *);
 /* Public interface: synchronous IPIs. */
 void ipi_unicast(ipi_msg_t *, struct cpu_info *);
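Review bot: The header comment of ipi_trigger_multi() says it is "the same as ipi_trigger()" but the local CPU is handled differently: when `selfid` is in `target` the handler is run synchronously via `ipi_cpu_handler()` at splhigh() before the function returns, not through a self-IPI, so any handler registered for `ipi_id` may run on the caller's stack in the middle of the call. That, and the `kpreempt_disabled()` precondition the KASSERT enforces, should be stated in the comment, e.g. `* Must be called with preemption disabled. If the current CPU is in the set, its handlers run synchronously at splhigh() before returning.`. The prototype hunk in ipi.h needs nothing further.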
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Fri Dec 26 20:44:38 UTC 2014 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: npfctl(8): attempt to preload bpfjit kernel module and print the warning on failure. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.43 src/usr.sbin/npf/npfctl/npfctl.c:1.44
--- src/usr.sbin/npf/npfctl/npfctl.c:1.43 Mon Aug 11 23:48:01 2014
+++ src/usr.sbin/npf/npfctl/npfctl.c Fri Dec 26 20:44:38 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $ */
+/* $NetBSD: npfctl.c,v 1.44 2014/12/26 20:44:38 rmind Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -30,11 +30,12 @@ */
 #include
-__RCSID("$NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.44 2014/12/26 20:44:38 rmind Exp $");
 #include
 #include
 #include
+#include
 #include
 #include
@@ -480,6 +481,22 @@ npfctl_rule(int fd, int argc, char **arg
 exit(EXIT_SUCCESS);
 }
+static void
+npfctl_preload_bpfjit(void)
+{
+ modctl_load_t args = {
+ .ml_filename = "bpfjit",
+ .ml_flags = MODCTL_NO_PROP,
+ .ml_props = NULL,
+ .ml_propslen = 0
+ };
+
+ if (modctl(MODCTL_LOAD, &args) != 0 && errno != EEXIST) {
+ fprintf(stderr, "WARNING: bpfjit is not loaded; "
+ "this may have severe impact on performance.");
+ }
+}
+
 static int
 npfctl_save(int fd)
 {
@@ -547,6 +564,7 @@ npfctl(int action, int argc, char **argv
 fun = "ioctl(IOC_NPF_SWITCH)";
 break;
 case NPFCTL_RELOAD:
+ npfctl_preload_bpfjit();
 npfctl_config_init(false);
 npfctl_parse_file(argc < 3 ? NPF_CONF_PATH : argv[2]);
 errno = ret = npfctl_config_send(fd, NULL);
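Review bot: The warning in npfctl_preload_bpfjit() has no trailing newline, so whatever npfctl prints next (including a later error message) is glued onto the same stderr line; the second string literal should end in `\n`: `"this may have severe impact on performance.\n");`. The condition also treats every modctl(2) failure other than EEXIST as "not loaded", which presumably misfires on a kernel with bpfjit built in or without MODULAR support, and on EPERM it warns before the real permission error surfaces from the ioctl; including `strerror(errno)` in the message would let the reader tell those cases apart. The same helper is called from the NPFCTL_LOAD case on the next line.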
@@ -581,6 +599,7 @@ npfctl(int action, int argc, char **argv npfctl_rule(fd, argc, argv); break; case NPFCTL_LOAD: + npfctl_preload_bpfjit(); ret = npfctl_load(fd); fun = "npfctl_config_load"; break;
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sat Dec 20 16:19:43 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c npf_conn.h npf_nat.c Log Message: NPF: set the connection flags atomically in the post-creation logic and fix a tiny race condition window. Might fix PR/49488. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_nat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.13 src/sys/net/npf/npf_conn.c:1.14 --- src/sys/net/npf/npf_conn.c:1.13 Sun Nov 30 00:40:55 2014 +++ src/sys/net/npf/npf_conn.c Sat Dec 20 16:19:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $"); #include #include @@ -660,7 +660,7 @@ npf_conn_setpass(npf_conn_t *con, npf_rp * If rproc is set, the caller transfers its reference to us, * which will be released on npf_conn_destroy(). */ - con->c_flags |= CONN_PASS; + atomic_or_uint(&con->c_flags, CONN_PASS); con->c_rproc = rp; } 
@@ -673,7 +673,7 @@ npf_conn_release(npf_conn_t *con) { if ((con->c_flags & (CONN_ACTIVE | CONN_EXPIRE)) == 0) { /* Activate: after this, connection is globally visible. */ - con->c_flags |= CONN_ACTIVE; + atomic_or_uint(&con->c_flags, CONN_ACTIVE); } KASSERT(con->c_refcnt > 0); atomic_dec_uint(&con->c_refcnt); Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.7 src/sys/net/npf/npf_conn.h:1.8 --- src/sys/net/npf/npf_conn.h:1.7 Sun Nov 30 00:40:55 2014 +++ src/sys/net/npf/npf_conn.h Sat Dec 20 16:19:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.7 2014/11/30 00:40:55 rmind Exp $ */ +/* $NetBSD: npf_conn.h,v 1.8 2014/12/20 16:19:43 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -47,7 +47,7 @@ typedef struct npf_connkey npf_connkey_t #include /* - * See npf_conn_key() function for the description key layout. + * See npf_conn_conkey() function for the key layout description. */ #define NPF_CONN_NKEYWORDS (2 + ((sizeof(npf_addr_t) * 2) >> 2)) #define NPF_CONN_MAXKEYLEN (NPF_CONN_NKEYWORDS * sizeof(uint32_t)) Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.37 src/sys/net/npf/npf_nat.c:1.38 --- src/sys/net/npf/npf_nat.c:1.37 Sun Nov 30 01:37:53 2014 +++ src/sys/net/npf/npf_nat.c Sat Dec 20 16:19:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.38 2014/12/20 16:19:43 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.38 2014/12/20 16:19:43 rmind Exp $"); #include #include 
@@ -914,8 +914,8 @@ npf_nat_dump(const npf_nat_t *nt) np = nt->nt_natpolicy; memcpy(&ip, &np->n_taddr, sizeof(ip)); - printf("\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n", - np, np->n_type, np->n_flags, inet_ntoa(ip), np->n_tport); + printf("\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n", np, + np->n_type, np->n_flags, inet_ntoa(ip), ntohs(np->n_tport)); memcpy(&ip, &nt->nt_oaddr, sizeof(ip)); printf("\tNAT: original address %s oport %d tport %d\n", inet_ntoa(ip), ntohs(nt->nt_oport), ntohs(nt->nt_tport));
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Nov 30 01:37:53 UTC 2014 Modified Files: src/sys/net/npf: npf_conf.c npf_impl.h npf_nat.c npf_ruleset.c Log Message: - npf_config_load: if loading the connections, do not perform any actice NAT policy take over or or portmap sharing - just replace them all. - npf_config_fini: flush with the empty connection database. - npf_nat_import: fix the stat counter. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.59 -r1.60 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.8 src/sys/net/npf/npf_conf.c:1.9 --- src/sys/net/npf/npf_conf.c:1.8 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_conf.c Sun Nov 30 01:37:53 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $"); #include #include @@ -105,11 +105,13 @@ npf_config_destroy(npf_config_t *nc) void npf_config_fini(void) { + npf_conndb_t *cd = npf_conndb_create(); + /* Flush the connections. */ mutex_enter(&npf_config_lock); npf_conn_tracking(false); pserialize_perform(npf_config_psz); - npf_conn_load(NULL, false); + npf_conn_load(cd, false); npf_ifmap_flush(); mutex_exit(&npf_config_lock); 
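Review bot: The hunk in npf_config_fini() does not say who owns `cd` once it is handed to `npf_conn_load(cd, false)`: the previous call passed NULL, so npf_conn_load() presumably installs the given database in place of the old one, but whether the later teardown also destroys this empty database is not visible here. A one-line comment at the declaration would make the transfer explicit, e.g. `/* Empty database to swap in; npf_conn_load() takes ownership. */` — assuming that is indeed the contract. The `cd` allocation happens before `npf_config_lock` is taken, which looks intentional if npf_conndb_create() may sleep.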
@@ -127,6 +129,7 @@ npf_config_load(npf_ruleset_t *rset, npf npf_ruleset_t *nset, npf_rprocset_t *rpset, npf_conndb_t *conns, bool flush) { + const bool load = conns != NULL; npf_config_t *nc, *onc; nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP); @@ -143,9 +146,9 @@ npf_config_load(npf_ruleset_t *rset, npf */ mutex_enter(&npf_config_lock); if ((onc = npf_config) != NULL) { - npf_ruleset_reload(rset, onc->n_rules); + npf_ruleset_reload(rset, onc->n_rules, load); npf_tableset_reload(tset, onc->n_tables); - npf_ruleset_reload(nset, onc->n_nat_rules); + npf_ruleset_reload(nset, onc->n_nat_rules, load); } /* Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.59 src/sys/net/npf/npf_impl.h:1.60 --- src/sys/net/npf/npf_impl.h:1.59 Mon Aug 11 23:48:01 2014 +++ src/sys/net/npf/npf_impl.h Sun Nov 30 01:37:53 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $ */ +/* $NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -254,7 +254,7 @@ int npf_table_flush(npf_table_t *); npf_ruleset_t * npf_ruleset_create(size_t); void npf_ruleset_destroy(npf_ruleset_t *); void npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *); -void npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *); +void npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *, bool); npf_rule_t * npf_ruleset_sharepm(npf_ruleset_t *, npf_natpolicy_t *); npf_natpolicy_t *npf_ruleset_findnat(npf_ruleset_t *, uint64_t); void npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *); Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.36 src/sys/net/npf/npf_nat.c:1.37 --- src/sys/net/npf/npf_nat.c:1.36 Sun Nov 30 00:40:55 2014 +++ src/sys/net/npf/npf_nat.c Sun Nov 30 01:37:53 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius 
@@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $"); #include #include @@ -364,6 +364,8 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf npf_portmap_t *pm, *mpm; KASSERT(np && mnp && np != mnp); + KASSERT(LIST_EMPTY(&mnp->n_nat_list)); + KASSERT(mnp->n_refcnt == 0); /* Using port map and having equal translation address? */ if ((np->n_flags & mnp->n_flags & NPF_NAT_PORTMAP) == 0) { @@ -889,6 +891,7 @@ npf_nat_import(prop_dictionary_t natdict pool_cache_put(nat_cache, nt); return NULL; } + npf_stats_inc(NPF_STAT_NAT_CREATE); /* * Associate, take a reference and insert. Unlocked since Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.39 src/sys/net/npf/npf_ruleset.c:1.40 --- src/sys/net/npf/npf_ruleset.c:1.39 Sun Nov 30 00:40:55 2014 +++ src/sys/net/npf/npf_ruleset.c Sun Nov 30 01:37:53 2014 @@ -1,4 +1,
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Nov 30 00:40:55 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c npf_conn.h npf_nat.c npf_ruleset.c Log Message: NPF: - npf_nat_import: take the port only if using the portmap. - Sprinkle some comments and asserts. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.12 src/sys/net/npf/npf_conn.c:1.13 --- src/sys/net/npf/npf_conn.c:1.12 Sun Aug 24 20:36:30 2014 +++ src/sys/net/npf/npf_conn.c Sun Nov 30 00:40:55 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $"); #include #include @@ -680,11 +680,11 @@ npf_conn_release(npf_conn_t *con) } /* - * npf_conn_retnat: return associated NAT data entry and indicate + * npf_conn_getnat: return associated NAT data entry and indicate * whether it is a "forwards" or "backwards" stream. */ npf_nat_t * -npf_conn_retnat(npf_conn_t *con, const int di, bool *forw) +npf_conn_getnat(npf_conn_t *con, const int di, bool *forw) { KASSERT(con->c_refcnt > 0); *forw = (con->c_flags & PFIL_ALL) == di; Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.6 src/sys/net/npf/npf_conn.h:1.7 --- src/sys/net/npf/npf_conn.h:1.6 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_conn.h Sun Nov 30 00:40:55 2014 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.6 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_conn.h,v 1.7 2014/11/30 00:40:55 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -113,7 +113,7 @@ bool npf_conn_pass(const npf_conn_t *, void npf_conn_setpass(npf_conn_t *, npf_rproc_t *); int npf_conn_setnat(const npf_cache_t *, npf_conn_t *, npf_nat_t *, u_int); -npf_nat_t * npf_conn_retnat(npf_conn_t *, const int, bool *); +npf_nat_t * npf_conn_getnat(npf_conn_t *, const int, bool *); void npf_conn_gc(npf_conndb_t *, bool, bool); int npf_conn_import(npf_conndb_t *, prop_dictionary_t, npf_ruleset_t *); Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.35 src/sys/net/npf/npf_nat.c:1.36 --- src/sys/net/npf/npf_nat.c:1.35 Wed Nov 26 21:25:35 2014 +++ src/sys/net/npf/npf_nat.c Sun Nov 30 00:40:55 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $"); #include #include @@ -252,6 +252,7 @@ npf_nat_newpolicy(prop_dictionary_t natd np->n_portmap = pm; } else { KASSERT(np->n_portmap != NULL); + KASSERT(np->n_portmap->p_refcnt > 0); } return np; err: @@ -417,6 +418,9 @@ npf_nat_getport(npf_natpolicy_t *np) u_int n = PORTMAP_SIZE, idx, bit; uint32_t map, nmap; + KASSERT((np->n_flags & NPF_NAT_PORTMAP) != 0); + KASSERT(pm->p_refcnt > 0); + idx = cprng_fast32() % PORTMAP_SIZE; for (;;) { KASSERT(idx < PORTMAP_SIZE); @@ -450,6 +454,9 @@ npf_nat_takeport(npf_natpolicy_t *np, in uint32_t map, nmap; u_int idx, bit; + KASSERT((np->n_flags & NPF_NAT_PORTMAP) != 0); + KASSERT(pm->p_refcnt > 0); + port = ntohs(port) - PORTMAP_FIRST; idx = port >> PORTMAP_SHIFT; bit = port & PORTMAP_MASK; 
@@ -474,6 +481,9 @@ npf_nat_putport(npf_natpolicy_t *np, in_ uint32_t map, nmap; u_int idx, bit; + KASSERT((np->n_flags & NPF_NAT_PORTMAP) != 0); + KASSERT(pm->p_refcnt > 0); + port = ntohs(port) - PORTMAP_FIRST; idx = port >> PORTMAP_SHIFT; bit = port & PORTMAP_MASK; @@ -686,7 +696,7 @@ npf_do_nat(npf_cache_t *npc, npf_conn_t * Determines whether the stream is "forwards" or "backwards". * Note: no need to lock, since reference on connection is held. */ - if (con && (nt = npf_conn_retnat(con, di, &forw)) != NULL) { + if (con && (nt = npf_conn_getnat(con, di, &forw)) != NULL) { np = nt->nt_natpolicy; goto translate; } @@ -874,7 +884,8 @@ npf_nat_import(prop_dictionary_t natdict pro
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Wed Nov 26 21:25:35 UTC 2014 Modified Files: src/sys/net/npf: npf_nat.c npf_ruleset.c Log Message: NPF: fix the reference counting and share the active NAT portmap correctly when performing the reload. Should fixes PR/49412, reported by kardel@. To generate a diff of this commit: cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.34 src/sys/net/npf/npf_nat.c:1.35 --- src/sys/net/npf/npf_nat.c:1.34 Sun Aug 24 20:36:30 2014 +++ src/sys/net/npf/npf_nat.c Wed Nov 26 21:25:35 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $"); #include #include @@ -313,9 +313,10 @@ npf_nat_freepolicy(npf_natpolicy_t *np) kpause("npfgcnat", false, 1, NULL); } KASSERT(LIST_EMPTY(&np->n_nat_list)); + KASSERT(pm == NULL || pm->p_refcnt > 0); /* Destroy the port map, on last reference. */ - if (pm && --pm->p_refcnt == 0) { + if (pm && atomic_dec_uint_nv(&pm->p_refcnt) == 0) { KASSERT((np->n_flags & NPF_NAT_PORTMAP) != 0); kmem_free(pm, PORTMAP_MEM_SIZE); } 
@@ -373,17 +374,21 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf if (memcmp(&np->n_taddr, &mnp->n_taddr, np->n_alen) != 0) { return false; } - /* If NAT policy has an old port map - drop the reference. */ mpm = mnp->n_portmap; - if (mpm) { - /* Note: at this point we cannot hold a last reference. */ - KASSERT(mpm->p_refcnt > 1); - mpm->p_refcnt--; + KASSERT(mpm == NULL || mpm->p_refcnt > 0); + + /* + * If NAT policy has an old port map - drop the reference + * and destroy the port map if it was the last. + */ + if (mpm && atomic_dec_uint_nv(&mpm->p_refcnt) == 0) { + kmem_free(mpm, PORTMAP_MEM_SIZE); } + /* Share the port map. */ pm = np->n_portmap; + atomic_inc_uint(&pm->p_refcnt); mnp->n_portmap = pm; - pm->p_refcnt++; return true; } Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.37 src/sys/net/npf/npf_ruleset.c:1.38 --- src/sys/net/npf/npf_ruleset.c:1.37 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_ruleset.c Wed Nov 26 21:25:35 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.38 2014/11/26 21:25:35 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.38 2014/11/26 21:25:35 rmind Exp $"); #include #include @@ -421,22 +421,6 @@ npf_ruleset_gc(npf_ruleset_t *rlset) } /* - * npf_ruleset_cmpnat: find a matching NAT policy in the ruleset. - */ -static inline npf_rule_t * -npf_ruleset_cmpnat(npf_ruleset_t *rlset, npf_natpolicy_t *mnp) -{ - npf_rule_t *rl; - - /* Find a matching NAT policy in the old ruleset. */ - LIST_FOREACH(rl, &rlset->rs_all, r_aentry) { - if (rl->r_natp && npf_nat_cmppolicy(rl->r_natp, mnp)) - break; - } - return rl; -} - -/* * npf_ruleset_reload: prepare the new ruleset by scanning the active * ruleset and 1) sharing the dynamic rules 2) sharing NAT policies. * 
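Review bot: The new sequence in npf_nat_sharepm() drops mnp's old map (freeing it when the count reaches zero) and only then takes a reference on np's map; if `mpm` could ever be the same object as `np->n_portmap` while holding a single reference, kmem_free() would run before atomic_inc_uint() and both policies would keep a dangling pointer. From the visible code that only happens if mnp already shares np's map, which the reload logic appears to avoid, but the invariant is cheap to pin: `KASSERT(mpm != np->n_portmap);` before the decrement, mirroring the `KASSERT(mpm == NULL || mpm->p_refcnt > 0)` already added. The function's prologue is outside the hunk.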
@@ -492,18 +476,30 @@ npf_ruleset_reload(npf_ruleset_t *newset continue; } + /* + * First, try to share the active port map. If this + * policy will be unused, npf_nat_freepolicy() will + * drop the reference. + */ + npf_ruleset_sharepm(oldset, np); + /* Does it match with any policy in the active ruleset? */ - if ((actrl = npf_ruleset_cmpnat(oldset, np)) == NULL) { + LIST_FOREACH(actrl, &oldset->rs_all, r_aentry) { + if (!actrl->r_natp) +continue; + if ((actrl->r_attr & NPF_RULE_KEEPNAT) != 0) +continue; + if (npf_nat_cmppolicy(actrl->r_natp, np)) +break; + } + if (!actrl) { + /* No: just set the ID and continue. */ npf_nat_setid(np, ++nid); continue; } - /* - * Inherit the matching NAT policy and check other ones - * in the new ruleset for sharing the portmap. - */ + /* Yes: inherit the matching NAT policy. */ rl->r_natp = actrl->r_natp; - npf_ruleset_sharepm(newset, rl->r_natp); npf_nat_setid(rl->r_natp, ++nid); /* @@ -525,13 +521,8 @@ npf_ruleset_sharepm(npf_ruleset_t *rl
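Review bot: The inlined scan in the npf_ruleset_reload hunk skips active rules carrying NPF_RULE_KEEPNAT without saying why; presumably these are rules whose NAT policy was already inherited earlier in this loop, and a one-liner such as `/* Skip policies already inherited by another new rule. */` above that `continue` would record it — please confirm the intent. On the match path `rl->r_natp` is overwritten with `actrl->r_natp`, so the new policy `np`, which just took a port-map reference through npf_ruleset_sharepm(), must be released with npf_nat_freepolicy() as the new comment promises; that call is not in the hunk, so I assume it sits below. The loop body continues outside the hunk.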
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Sat Sep 13 17:18:45 UTC 2014 Modified Files: src/sys/net: bpf.c Log Message: PR/49190: bpf_deliver: set scratch memory store in bpf_args_t. To generate a diff of this commit: cvs rdiff -u -r1.188 -r1.189 src/sys/net/bpf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/bpf.c diff -u src/sys/net/bpf.c:1.188 src/sys/net/bpf.c:1.189 --- src/sys/net/bpf.c:1.188 Fri Sep 5 09:22:22 2014 +++ src/sys/net/bpf.c Sat Sep 13 17:18:45 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: bpf.c,v 1.188 2014/09/05 09:22:22 matt Exp $ */ +/* $NetBSD: bpf.c,v 1.189 2014/09/13 17:18:45 rmind Exp $ */ /* * Copyright (c) 1990, 1991, 1993 @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.188 2014/09/05 09:22:22 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.189 2014/09/13 17:18:45 rmind Exp $"); #if defined(_KERNEL_OPT) #include "opt_bpf.h" @@ -1388,25 +1388,24 @@ static inline void bpf_deliver(struct bpf_if *bp, void *(*cpfn)(void *, const void *, size_t), void *pkt, u_int pktlen, u_int buflen, const bool rcv) { - struct timespec ts; + const bpf_ctx_t *bc = NULL; + uint32_t mem[BPF_MEMWORDS]; bpf_args_t args = { .pkt = (const uint8_t *)pkt, .wirelen = pktlen, .buflen = buflen, - .mem = NULL, + .mem = mem, .arg = NULL }; - struct bpf_d *d; - - const bpf_ctx_t *bc = NULL; bool gottime = false; + struct timespec ts; /* * Note that the IPL does not have to be raised at this point. * The only problem that could arise here is that if two different * interfaces shared any data. This is not the case. */ - for (d = bp->bif_dlist; d != NULL; d = d->bd_next) { + for (struct bpf_d *d = bp->bif_dlist; d != NULL; d = d->bd_next) { u_int slen; if (!d->bd_seesent && !rcv) {
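Review bot: `uint32_t mem[BPF_MEMWORDS]` in the bpf_deliver hunk is uninitialised kernel stack handed to every filter through `args.mem`, and it is reused across all descriptors in the loop that follows. Unless the filter validator rejects a load from a scratch word that was never stored (bpf_validate is not visible here), a filter can read stale stack contents or the scratch words left behind by another descriptor's filter, and that feeds into its accept decision; `uint32_t mem[BPF_MEMWORDS] = { 0 };` closes both cases at the cost of zeroing BPF_MEMWORDS words once per packet. bpf_deliver's body continues past the end of the hunk.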
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Tue Sep 9 20:16:12 UTC 2014 Modified Files: src/sys/net: if.c if.h route.c src/sys/netatalk: at_control.c src/sys/netinet: in.c src/sys/netinet6: in6.c in6_ifattach.c mld6.c nd6_nbr.c Log Message: Eliminate IFAREF() and IFAFREE() macros in favour of functions. To generate a diff of this commit: cvs rdiff -u -r1.290 -r1.291 src/sys/net/if.c cvs rdiff -u -r1.174 -r1.175 src/sys/net/if.h cvs rdiff -u -r1.132 -r1.133 src/sys/net/route.c cvs rdiff -u -r1.35 -r1.36 src/sys/netatalk/at_control.c cvs rdiff -u -r1.147 -r1.148 src/sys/netinet/in.c cvs rdiff -u -r1.175 -r1.176 src/sys/netinet6/in6.c cvs rdiff -u -r1.92 -r1.93 src/sys/netinet6/in6_ifattach.c cvs rdiff -u -r1.59 -r1.60 src/sys/netinet6/mld6.c cvs rdiff -u -r1.100 -r1.101 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if.c diff -u src/sys/net/if.c:1.290 src/sys/net/if.c:1.291 --- src/sys/net/if.c:1.290 Sat Aug 9 05:33:01 2014 +++ src/sys/net/if.c Tue Sep 9 20:16:12 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if.c,v 1.290 2014/08/09 05:33:01 rtr Exp $ */ +/* $NetBSD: if.c,v 1.291 2014/09/09 20:16:12 rmind Exp $ */ /*- * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc. @@ -90,7 +90,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.290 2014/08/09 05:33:01 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.291 2014/09/09 20:16:12 rmind Exp $"); #include "opt_inet.h" @@ -362,7 +362,7 @@ if_set_sadl(struct ifnet *ifp, const voi (void)sockaddr_dl_setaddr(sdl, sdl->sdl_len, lla, ifp->if_addrlen); if (factory) { ifp->if_hwdl = ifp->if_dl; - IFAREF(ifp->if_hwdl); + ifaref(ifp->if_hwdl); } /* TBD routing socket */ } 
@@ -402,9 +402,9 @@ if_sadl_setrefs(struct ifnet *ifp, struc { const struct sockaddr_dl *sdl; ifnet_addrs[ifp->if_index] = ifa; - IFAREF(ifa); + ifaref(ifa); ifp->if_dl = ifa; - IFAREF(ifa); + ifaref(ifa); sdl = satosdl(ifa->ifa_addr); ifp->if_sadl = sdl; } @@ -447,9 +447,9 @@ if_deactivate_sadl(struct ifnet *ifp) ifp->if_sadl = NULL; ifnet_addrs[ifp->if_index] = NULL; - IFAFREE(ifa); + ifafree(ifa); ifp->if_dl = NULL; - IFAFREE(ifa); + ifafree(ifa); } void @@ -494,7 +494,7 @@ if_free_sadl(struct ifnet *ifp) ifa_remove(ifp, ifa); if_deactivate_sadl(ifp); if (ifp->if_hwdl == ifa) { - IFAFREE(ifa); + ifafree(ifa); ifp->if_hwdl = NULL; } splx(s); @@ -1101,11 +1101,28 @@ if_clone_list(struct if_clonereq *ifcr) } void +ifaref(struct ifaddr *ifa) +{ + ifa->ifa_refcnt++; +} + +void +ifafree(struct ifaddr *ifa) +{ + KASSERT(ifa != NULL); + KASSERT(ifa->ifa_refcnt > 0); + + if (--ifa->ifa_refcnt == 0) { + free(ifa, M_IFADDR); + } +} + +void ifa_insert(struct ifnet *ifp, struct ifaddr *ifa) { ifa->ifa_ifp = ifp; TAILQ_INSERT_TAIL(&ifp->if_addrlist, ifa, ifa_list); - IFAREF(ifa); + ifaref(ifa); } void @@ -1113,7 +1130,7 @@ ifa_remove(struct ifnet *ifp, struct ifa { KASSERT(ifa->ifa_ifp == ifp); TAILQ_REMOVE(&ifp->if_addrlist, ifa, ifa_list); - IFAFREE(ifa); + ifafree(ifa); } static inline int Index: src/sys/net/if.h diff -u src/sys/net/if.h:1.174 src/sys/net/if.h:1.175 --- src/sys/net/if.h:1.174 Thu Jul 31 06:35:47 2014 +++ src/sys/net/if.h Tue Sep 9 20:16:12 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if.h,v 1.174 2014/07/31 06:35:47 ozaki-r Exp $ */ +/* $NetBSD: if.h,v 1.175 2014/09/09 20:16:12 rmind Exp $ */ /*- * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc. 
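Review bot: ifaref() and ifafree() in the if_clone_list hunk update `ifa_refcnt` with plain `++`/`--`, so the serialisation the caller must provide should be stated now that the operation is a function rather than a macro, e.g. a header comment `/* Reference counting for struct ifaddr. ifa_refcnt is not atomic; callers must serialise updates (presumably under the kernel lock -- confirm). */`. The DIAGNOSTIC panic of the old IFAFREE macro survives as `KASSERT(ifa->ifa_refcnt > 0)`, which is equivalent, but the IFAREF_DEBUG tracing variant removed in the if.h hunk has no replacement and that loss is worth a line in the log message.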
@@ -718,44 +718,6 @@ struct if_addrprefreq { #endif /* _NETBSD_SOURCE */ #ifdef _KERNEL -#ifdef IFAREF_DEBUG -#define IFAREF(ifa) \ -do { \ - printf("IFAREF: %s:%d %p -> %d\n", __FILE__, __LINE__, \ - (ifa), ++(ifa)->ifa_refcnt);\ -} while (/*CONSTCOND*/ 0) - -#define IFAFREE(ifa) \ -do { \ - if ((ifa)->ifa_refcnt <= 0) \ - panic("%s:%d: %p ifa_refcnt <= 0", __FILE__, \ - __LINE__, (ifa)); \ - printf("IFAFREE: %s:%d %p -> %d\n", __FILE__, __LINE__, \ - (ifa), --(ifa)->ifa_refcnt);\ - if ((ifa)->ifa_refcnt == 0) \ - ifafree(ifa); \ -} while (/*CONSTCOND*/ 0) -#else -#define IFAREF(ifa) (ifa)->ifa_refcnt++ - -#ifdef DIAGNOSTIC -#define IFAFREE(ifa) \ -do { \ - if ((ifa)->ifa_refcnt <= 0) \ - panic("%s:%d: %p ifa_refcnt <= 0", __FILE__, \ - __LINE__, (ifa)); \ - if (--(ifa)->ifa_refcnt == 0) \ - ifafree(ifa); \ -} while (/*CONSTCOND*/ 0) -#else -#define IFAFREE(ifa) \ -do { \ - if (--(ifa)->ifa_refcnt == 0) \ - ifafree(ifa); \ -} while (/*CONSTCOND*/ 0) -#endif /* DIAGNOSTIC */ -#endif /* IFAREF_DEBUG */ - #ifdef ALTQ #define ALTQ_DECL(x) x #define ALTQ_COMMA , @@ -922,6 +884,9 @@ int if_flags_set(struct ifnet *, const s void ifa_insert(struct ifnet *, struct ifaddr *); void ifa_remove(struct ifnet *, struct ifaddr *); +void ifare
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Sun Sep 7 00:50:57 UTC 2014 Modified Files: src/sys/netinet: in_pcb.c src/sys/netinet6: in6_pcb.c Log Message: in_pcbdetach: move ip_freemoptions() under softnet_lock for now (this will be changed back once other IP paths become MP-safe). Same for IPv6 routine. This partially reverts 1.150 of in_pcb.c and 1.127 of in6_pcb.c changes. To generate a diff of this commit: cvs rdiff -u -r1.151 -r1.152 src/sys/netinet/in_pcb.c cvs rdiff -u -r1.128 -r1.129 src/sys/netinet6/in6_pcb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/in_pcb.c diff -u src/sys/netinet/in_pcb.c:1.151 src/sys/netinet/in_pcb.c:1.152 --- src/sys/netinet/in_pcb.c:1.151 Tue Aug 5 05:24:26 2014 +++ src/sys/netinet/in_pcb.c Sun Sep 7 00:50:56 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: in_pcb.c,v 1.151 2014/08/05 05:24:26 rtr Exp $ */ +/* $NetBSD: in_pcb.c,v 1.152 2014/09/07 00:50:56 rmind Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -93,7 +93,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.151 2014/08/05 05:24:26 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.152 2014/09/07 00:50:56 rmind Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -606,9 +606,9 @@ in_pcbdetach(void *v) m_free(inp->inp_options); } rtcache_free(&inp->inp_route); + ip_freemoptions(inp->inp_moptions); sofree(so); /* drops the socket's lock */ - ip_freemoptions(inp->inp_moptions); pool_put(&inpcb_pool, inp); mutex_enter(softnet_lock); /* reacquire the softnet_lock */ } Index: src/sys/netinet6/in6_pcb.c diff -u src/sys/netinet6/in6_pcb.c:1.128 src/sys/netinet6/in6_pcb.c:1.129 --- src/sys/netinet6/in6_pcb.c:1.128 Tue Aug 5 05:24:27 2014 +++ src/sys/netinet6/in6_pcb.c Sun Sep 7 00:50:56 2014 
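Review bot: The statement order in the in_pcbdetach hunk now encodes a locking requirement that is only written down in the commit log: everything after `sofree(so)` runs without softnet_lock, which is why ip_freemoptions() had to move above it. A comment on the moved line would stop the next refactor from undoing this, e.g. `ip_freemoptions(inp->inp_moptions); /* needs softnet_lock until the IP multicast paths are MP-safe */`. The same applies to the in6_pcbdetach hunk in in6_pcb.c below.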
@@ -1,4 +1,4 @@ -/* $NetBSD: in6_pcb.c,v 1.128 2014/08/05 05:24:27 rtr Exp $ */ +/* $NetBSD: in6_pcb.c,v 1.129 2014/09/07 00:50:56 rmind Exp $ */ /* $KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.128 2014/08/05 05:24:27 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.129 2014/09/07 00:50:56 rmind Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -617,9 +617,9 @@ in6_pcbdetach(struct in6pcb *in6p) free(in6p->in6p_outputopts, M_IP6OPT); } rtcache_free(&in6p->in6p_route); + ip6_freemoptions(in6p->in6p_moptions); sofree(so);/* drops the socket's lock */ - ip6_freemoptions(in6p->in6p_moptions); pool_put(&in6pcb_pool, in6p); mutex_enter(softnet_lock); /* reacquire it */ }
CVS commit: src/lib/libnpf
Module Name:src Committed By: rmind Date: Sun Aug 24 20:37:35 UTC 2014 Modified Files: src/lib/libnpf: npf.c Log Message: npf_config_submit: finally, include the saved connections. To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.34 src/lib/libnpf/npf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.33 src/lib/libnpf/npf.c:1.34 --- src/lib/libnpf/npf.c:1.33 Mon Aug 11 23:48:01 2014 +++ src/lib/libnpf/npf.c Sun Aug 24 20:37:35 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */ +/* $NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $"); #include #include @@ -69,13 +69,14 @@ struct nl_ext { }; struct nl_config { - /* Rules, translations, tables, procedures. */ + /* Rules, translations, procedures, tables, connections. */ prop_dictionary_t ncf_dict; prop_array_t ncf_alg_list; prop_array_t ncf_rules_list; prop_array_t ncf_rproc_list; prop_array_t ncf_table_list; prop_array_t ncf_nat_list; + prop_array_t ncf_conn_list; /* Iterators. */ prop_object_iterator_t ncf_rule_iter; @@ -153,6 +154,10 @@ npf_config_submit(nl_config_t *ncf, int prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list); prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list); prop_dictionary_set(npf_dict, "nat", ncf->ncf_nat_list); + if (ncf->ncf_conn_list) { + prop_dictionary_set(npf_dict, "conn-list", + ncf->ncf_conn_list); + } prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush); if (ncf->ncf_debug) { prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug); 
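Review bot: The new `if (ncf->ncf_conn_list)` test in the npf_config_submit hunk relies on the added `ncf_conn_list` member being NULL wherever an nl_config_t is created; npf_config_create() is not in this diff, so please confirm the structure is calloc'ed or the field explicitly cleared, otherwise an uninitialised pointer is handed to prop_dictionary_set(). Within this diff the only writer of the field is _npf_config_consdict() in the next hunk, so a config built from scratch by the library has no other path that sets it.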
@@ -194,6 +199,7 @@ _npf_config_consdict(prop_dictionary_t n ncf->ncf_rproc_list = prop_dictionary_get(npf_dict, "rprocs"); ncf->ncf_table_list = prop_dictionary_get(npf_dict, "tables"); ncf->ncf_nat_list = prop_dictionary_get(npf_dict, "nat"); + ncf->ncf_conn_list = prop_dictionary_get(npf_dict, "conn-list"); return ncf; }
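Review bot: `prop_dictionary_get()` returns a borrowed reference, so the `ncf_conn_list` assigned in the _npf_config_consdict hunk is owned by `npf_dict` (retained as `ncf_dict`) and must neither be released on its own nor outlive it. The neighbouring fields follow the same pattern, but this is the first one that npf_config_submit() tests for NULL, so a comment on the struct member such as `/* borrowed from ncf_dict; NULL when the config carries no saved connections */` would head off a stray prop_object_release() later.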
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Aug 24 20:36:30 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c npf_ctl.c npf_nat.c Log Message: - npf_conn_import: add a missing stat counter increment. - npf_nat_import: add a missing reference and make a comment. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_nat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.11 src/sys/net/npf/npf_conn.c:1.12 --- src/sys/net/npf/npf_conn.c:1.11 Mon Aug 11 23:48:01 2014 +++ src/sys/net/npf/npf_conn.c Sun Aug 24 20:36:30 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $"); #include #include @@ -899,6 +899,7 @@ npf_conn_import(npf_conndb_t *cd, prop_d con = pool_cache_get(conn_cache, PR_WAITOK); memset(con, 0, sizeof(npf_conn_t)); mutex_init(&con->c_lock, MUTEX_DEFAULT, IPL_SOFTNET); + npf_stats_inc(NPF_STAT_CONN_CREATE); prop_dictionary_get_uint32(cdict, "proto", &con->c_proto); prop_dictionary_get_uint32(cdict, "flags", &con->c_flags); @@ -952,6 +953,8 @@ npf_conn_import(npf_conndb_t *cd, prop_d npf_conndb_remove(cd, fw); goto err; } + + NPF_PRINTF(("NPF: imported conn %p\n", con)); npf_conndb_enqueue(cd, con); return 0; err: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.39 src/sys/net/npf/npf_ctl.c:1.40 --- src/sys/net/npf/npf_ctl.c:1.39 Mon Aug 11 23:48:01 2014 +++ src/sys/net/npf/npf_ctl.c Sun Aug 24 20:36:30 2014 
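Review bot: `npf_stats_inc(NPF_STAT_CONN_CREATE)` is now counted right after the allocation in the first npf_conn_import hunk, but the `err:` path the second hunk ends on is outside the diff; if it releases the half-built connection without going through the normal destroy path, the create counter runs ahead of the destroy counter on every failed import. Either count the creation only after `npf_conndb_enqueue(cd, con)` or make sure the error path increments the matching destroy statistic. The function body continues outside both hunks.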
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $"); #include #include @@ -459,7 +459,7 @@ npf_mk_connlist(prop_array_t conlist, np prop_dictionary_t condict; prop_object_iterator_t it; npf_conndb_t *cd; - int error; + int error = 0; /* Connection list - array */ if (prop_object_type(conlist) != PROP_TYPE_ARRAY) { @@ -469,8 +469,6 @@ npf_mk_connlist(prop_array_t conlist, np /* Create a connection database. */ cd = npf_conndb_create(); - - error = 0; it = prop_array_iterator(conlist); while ((condict = prop_object_iterator_next(it)) != NULL) { /* Connection - dictionary. */ @@ -479,7 +477,7 @@ npf_mk_connlist(prop_array_t conlist, np error = EINVAL; break; } - /* Construct and insert real connection structure. */ + /* Construct and insert the connection. */ error = npf_conn_import(cd, condict, natlist); if (error) { NPF_ERR_DEBUG(errdict); Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.33 src/sys/net/npf/npf_nat.c:1.34 --- src/sys/net/npf/npf_nat.c:1.33 Mon Aug 11 23:48:01 2014 +++ src/sys/net/npf/npf_nat.c Sun Aug 24 20:36:30 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $"); #include #include 
@@ -812,6 +812,7 @@ npf_nat_destroy(npf_nat_t *nt) mutex_enter(&np->n_lock); LIST_REMOVE(nt, nt_entry); + KASSERT(np->n_refcnt > 0); atomic_dec_uint(&np->n_refcnt); mutex_exit(&np->n_lock); @@ -873,9 +874,14 @@ npf_nat_import(prop_dictionary_t natdict return NULL; } - LIST_INSERT_HEAD(&np->n_nat_list, nt, nt_entry); + /* + * Associate, take a reference and insert. Unlocked since + * the policy is not yet visible. + */ nt->nt_natpolicy = np; nt->nt_conn = con; + np->n_refcnt++; + LIST_INSERT_HEAD(&np->n_nat_list, nt, nt_entry); return nt; }
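Review bot: `np->n_refcnt++` in the npf_nat_import hunk is a plain increment on a counter that npf_nat_destroy (first hunk) drops with atomic_dec_uint(); the comment justifies it by the policy not yet being visible, which is a property of the caller's ordering rather than of this function. Using `atomic_inc_uint(&np->n_refcnt);` here costs nothing and keeps the counter uniformly atomic, so the invariant no longer depends on when the import runs relative to activation.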
CVS commit: src
Module Name:src Committed By: rmind Date: Mon Aug 11 23:48:01 UTC 2014 Modified Files: src/lib/libnpf: npf.c src/sys/net/npf: npf_alg.c npf_conn.c npf_ctl.c npf_impl.h npf_nat.c src/usr.sbin/npf/npfctl: npfctl.c Log Message: - Add and use npf_alg_export(). - npf_conn_import: handle NAT metadata correctly. - npf_nat_newpolicy: restore the policy ID. - npfctl_load: fix error code handling for the limit cases. - npf_config_import: fix the inverted logic. - npfctl_load: improve error handling. To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/lib/libnpf/npf.c cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_alg.c cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.32 src/lib/libnpf/npf.c:1.33 --- src/lib/libnpf/npf.c:1.32 Sun Aug 10 19:09:43 2014 +++ src/lib/libnpf/npf.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $"); #include #include 
@@ -237,11 +237,11 @@ npf_config_import(const char *path) nl_config_t *ncf; npf_dict = prop_dictionary_internalize_from_file(path); - if (npf_dict) { + if (!npf_dict) { return NULL; } ncf = _npf_config_consdict(npf_dict); - if (ncf == NULL) { + if (!ncf) { prop_object_release(npf_dict); return NULL; } Index: src/sys/net/npf/npf_alg.c diff -u src/sys/net/npf/npf_alg.c:1.14 src/sys/net/npf/npf_alg.c:1.15 --- src/sys/net/npf/npf_alg.c:1.14 Sun Jul 20 00:37:41 2014 +++ src/sys/net/npf/npf_alg.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $ */ +/* $NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2010-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $"); #include #include @@ -244,3 +244,24 @@ npf_alg_conn(npf_cache_t *npc, int di) pserialize_read_exit(s); return con; } + +prop_array_t +npf_alg_export(void) +{ + prop_array_t alglist = prop_array_create(); + + KASSERT(npf_config_locked_p()); + + for (u_int i = 0; i < alg_count; i++) { + const npf_alg_t *alg = &alg_list[i]; + + if (alg->na_name == NULL) { + continue; + } + prop_dictionary_t algdict = prop_dictionary_create(); + prop_dictionary_set_cstring(algdict, "name", alg->na_name); + prop_array_add(alglist, algdict); + prop_object_release(algdict); + } + return alglist; +} Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.10 src/sys/net/npf/npf_conn.c:1.11 --- src/sys/net/npf/npf_conn.c:1.10 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_conn.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius 
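Review bot: npf_alg_export() in the npf_alg.c hunk uses the results of `prop_array_create()` and `prop_dictionary_create()` without checking for NULL; unless the kernel proplib build is guaranteed to sleep rather than fail on allocation (I cannot confirm that from here), a failed allocation becomes a NULL dereference inside prop_array_add(). A guard such as `if (algdict == NULL) continue;` plus returning NULL when `alglist` is NULL would make the contract explicit. A header comment is also missing; something like `/* npf_alg_export: build a proplib array of the registered ALG names. Caller releases the array. */` would match the documentation style of the surrounding NPF files.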
@@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $"); #include #include @@ -917,8 +917,11 @@ npf_conn_import(npf_conndb_t *cd, prop_d } memcpy(&con->c_state, d, sizeof(npf_state_t)); - /* Reconstruct NAT association, if any, or return NULL. */ - con->c_nat = npf_nat_import(cdict, natlist, con); + /* Reconstruct NAT association, if any. */ + if ((obj = prop_dictionary_get(cdict, "nat")) != NULL && + (con->c_nat = npf_nat_import(obj, natlist, con)) == NULL) { + goto err; + } /* * Fetch and copy the keys for each direction. Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.38 src/sys/net/npf/npf_ctl.c:1.39 --- src/sys/net/npf/npf_ctl.c:1.38 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_ctl.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.
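Review bot: The combined condition in the npf_conn_import hunk deliberately treats a missing "nat" entry as a plain non-NAT connection while an entry that is present but cannot be resolved against `natlist` is an import failure; that distinction is the whole point of the change and is easy to misread as a bug in the `&&` chain. A comment above it, e.g. `/* No "nat" entry: plain connection. Present but unresolvable: import error. */`, would preserve the intent, and the `obj` variable's declaration should be checked to be in scope since it is not introduced in this hunk. The function body continues outside the hunk.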
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Aug 11 01:54:13 UTC 2014 Modified Files: src/sys/net/npf: npf_conf.c npf_ctl.c npf_impl.h npf_rproc.c npf_ruleset.c npf_tableset.c Log Message: NPF: finish up the rework of npfctl_save() mechanism. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_rproc.c cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_ruleset.c cvs rdiff -u -r1.21 -r1.22 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.7 src/sys/net/npf/npf_conf.c:1.8 --- src/sys/net/npf/npf_conf.c:1.7 Wed Jul 23 01:25:34 2014 +++ src/sys/net/npf/npf_conf.c Mon Aug 11 01:54:12 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conf.c,v 1.7 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.7 2014/07/23 01:25:34 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $"); #include #include @@ -66,7 +66,6 @@ typedef struct { npf_tableset_t * n_tables; npf_ruleset_t * n_nat_rules; npf_rprocset_t * n_rprocs; - prop_dictionary_t n_dict; bool n_default_pass; } npf_config_t; @@ -77,7 +76,6 @@ static pserialize_t npf_config_psz __c void npf_config_init(void) { - prop_dictionary_t dict; npf_ruleset_t *rlset, *nset; npf_rprocset_t *rpset; npf_tableset_t *tset; 
@@ -86,19 +84,17 @@ npf_config_init(void) npf_config_psz = pserialize_create(); /* Load the empty configuration. */ - dict = prop_dictionary_create(); tset = npf_tableset_create(0); rpset = npf_rprocset_create(); rlset = npf_ruleset_create(0); nset = npf_ruleset_create(0); - npf_config_load(dict, rlset, tset, nset, rpset, NULL, true); + npf_config_load(rlset, tset, nset, rpset, NULL, true); KASSERT(npf_config != NULL); } static void npf_config_destroy(npf_config_t *nc) { - prop_object_release(nc->n_dict); npf_ruleset_destroy(nc->n_rules); npf_ruleset_destroy(nc->n_nat_rules); npf_rprocset_destroy(nc->n_rprocs); @@ -127,8 +123,8 @@ npf_config_fini(void) * Performs the necessary synchronisation and destroys the old config. */ void -npf_config_load(prop_dictionary_t dict, npf_ruleset_t *rset, -npf_tableset_t *tset, npf_ruleset_t *nset, npf_rprocset_t *rpset, +npf_config_load(npf_ruleset_t *rset, npf_tableset_t *tset, +npf_ruleset_t *nset, npf_rprocset_t *rpset, npf_conndb_t *conns, bool flush) { npf_config_t *nc, *onc; @@ -138,7 +134,6 @@ npf_config_load(prop_dictionary_t dict, nc->n_tables = tset; nc->n_nat_rules = nset; nc->n_rprocs = rpset; - nc->n_dict = dict; nc->n_default_pass = flush; /* @@ -185,9 +180,6 @@ npf_config_load(prop_dictionary_t dict, * If not flushing - enable the connection tracking. */ npf_conn_load(conns, !flush); - - /* Sync the config proplib data. */ - npf_tableset_syncdict(tset, dict); mutex_exit(&npf_config_lock); /* Finally, it is safe to destroy the old config. */ @@ -261,10 +253,10 @@ npf_config_tableset(void) return npf_config->n_tables; } -prop_dictionary_t -npf_config_dict(void) +npf_rprocset_t * +npf_config_rprocs(void) { - return npf_config->n_dict; + return npf_config->n_rprocs; } bool Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.37 src/sys/net/npf/npf_ctl.c:1.38 --- src/sys/net/npf/npf_ctl.c:1.37 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_ctl.c Mon Aug 11 01:54:12 2014 
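Review bot: npf_config_rprocs() in the last npf_conf.c hunk returns a pointer into the live `npf_config` without a lock assertion or a note on lifetime; the pointer is only valid while the caller holds the config lock or is inside the pserialize read section that npf_config_load() (earlier hunk) synchronises against, since the old configuration is destroyed after the switch. A `KASSERT(npf_config_locked_p());` may be too strong if pserialize readers use it, so at least a comment `/* Valid only under the config lock or within a pserialize read section. */` should state the contract; the sibling accessor npf_config_tableset() just above presumably has the same one — confirm.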
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.37 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.37 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $"); #include #include @@ -181,7 +181,6 @@ npf_mk_tables(npf_tableset_t *tblset, pr NPF_ERR_DEBUG(errdict); break; } - prop_dictionary_remove(tbldict, "entries"); } prop_object_iterator_release(it); /* @@ -555,7 +554,6 @@ npfctl_load(u_long cmd, void *data) if (error) { goto fail; } - prop_dictionary_remove(npf_dict, "nat"); /* Tables. */ tables = prop_dictionary_get(npf_dict, "tables"); @@ -597,7 +595,6 @@ npfctl_load(u_long cmd, void *data) if (error) { goto fail; } - prop_dictionary_remove(npf_dict, "conn-list"); } flush = false; @@ -606,7 +603,7 @@ npfctl_load(u_long cmd, void *data) /* * Finally - perform the load. */ - npf_config_load(npf_dict, rls
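Review bot: With `n_dict` removed from npf_config_t in the npf_conf.c hunks above, the npfctl_load hunks drop the `prop_dictionary_remove()` calls, so `npf_dict` is no longer trimmed and no longer retained by the configuration; npfctl_load() itself must therefore release `npf_dict` after npf_config_load() returns, on both the success and the `fail:` paths, or the whole internalised configuration leaks on every reload. The npf_config_load() call is cut off at the end of this hunk, so I cannot see whether that release is present; please confirm.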
CVS commit: src
12 @@ npf_nat_create(int type, u_int flags, co npf_rule_destroy(rl); return NULL; } - prop_dictionary_set(rldict, "translation-ip", addrdat); - prop_dictionary_set_uint32(rldict, "translation-mask", mask); + prop_dictionary_set(rldict, "nat-ip", addrdat); + prop_dictionary_set_uint32(rldict, "nat-mask", mask); prop_object_release(addrdat); /* Translation port (for redirect case). */ - prop_dictionary_set_uint16(rldict, "translation-port", port); + prop_dictionary_set_uint16(rldict, "nat-port", port); return (nl_nat_t *)rl; } @@ -901,7 +901,7 @@ npf_nat_insert(nl_config_t *ncf, nl_nat_ { prop_dictionary_t rldict = nt->nrl_dict; - prop_dictionary_set_int32(rldict, "priority", NPF_PRI_LAST); + prop_dictionary_set_int32(rldict, "prio", NPF_PRI_LAST); prop_array_add(ncf->ncf_nat_list, rldict); return 0; } @@ -917,7 +917,7 @@ int npf_nat_setalgo(nl_nat_t *nt, u_int algo) { prop_dictionary_t rldict = nt->nrl_dict; - prop_dictionary_set_uint32(rldict, "translation-algo", algo); + prop_dictionary_set_uint32(rldict, "nat-algo", algo); return 0; } @@ -930,7 +930,7 @@ npf_nat_setnpt66(nl_nat_t *nt, uint16_t if ((error = npf_nat_setalgo(nt, NPF_ALGO_NPT66)) != 0) { return error; } - prop_dictionary_set_uint16(rldict, "npt66-adjustment", adj); + prop_dictionary_set_uint16(rldict, "npt66-adj", adj); return 0; } 
@@ -958,13 +958,13 @@ void npf_nat_getmap(nl_nat_t *nt, npf_addr_t *addr, size_t *alen, in_port_t *port) { prop_dictionary_t rldict = nt->nrl_dict; - prop_object_t obj = prop_dictionary_get(rldict, "translation-ip"); + prop_object_t obj = prop_dictionary_get(rldict, "nat-ip"); *alen = prop_data_size(obj); memcpy(addr, prop_data_data_nocopy(obj), *alen); *port = 0; - prop_dictionary_get_uint16(rldict, "translation-port", port); + prop_dictionary_get_uint16(rldict, "nat-port", port); } /* Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.46 src/sys/net/npf/npf.h:1.47 --- src/sys/net/npf/npf.h:1.46 Wed Jul 23 01:48:05 2014 +++ src/sys/net/npf/npf.h Sun Aug 10 19:09:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.46 2014/07/23 01:48:05 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -45,7 +45,7 @@ #include #include -#define NPF_VERSION 16 +#define NPF_VERSION 17 /* * Public declarations and definitions. Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.9 src/sys/net/npf/npf_conn.c:1.10 --- src/sys/net/npf/npf_conn.c:1.9 Sat Jul 26 16:42:03 2014 +++ src/sys/net/npf/npf_conn.c Sun Aug 10 19:09:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $"); #include #include 
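Review bot: In the npf_nat_getmap hunk the renamed lookup `prop_dictionary_get(rldict, "nat-ip")` is still used unchecked: a dictionary without that key (for instance one serialised under the old `translation-ip` name, which the NPF_VERSION bump to 17 in npf.h is meant to reject at the kernel boundary) yields NULL for `obj`, which is then passed to prop_data_size() and prop_data_data_nocopy(). Since `*alen` is taken straight from the dictionary and used as the memcpy length into `addr`, a guard such as `if (obj == NULL || prop_data_size(obj) > sizeof(npf_addr_t)) { *alen = 0; *port = 0; return; }` before the copy would fail closed on malformed or foreign input, which matters once configurations are imported from files.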
@@ -809,11 +809,11 @@ npf_conn_worker(void) } /* - * npf_conn_export: construct a list of connections prepared for saving. + * npf_conndb_export: construct a list of connections prepared for saving. * Note: this is expected to be an expensive operation. */ int -npf_conn_export(prop_array_t conlist) +npf_conndb_export(prop_array_t conlist) { npf_conn_t *con, *prev; @@ -830,33 +830,12 @@ npf_conn_export(prop_array_t conlist) con = npf_conndb_getlist(conn_db); while (con) { npf_conn_t *next = con->c_next; - prop_data_t d; + prop_dictionary_t cdict; - if ((con->c_flags & (CONN_ACTIVE|CONN_EXPIRE)) != CONN_ACTIVE) - goto skip; - - prop_dictionary_t cdict = prop_dictionary_create(); - prop_dictionary_set_uint32(cdict, "flags", con->c_flags); - prop_dictionary_set_uint32(cdict, "proto", con->c_proto); - /* FIXME: interface-id */ - - d = prop_data_create_data(&con->c_state, sizeof(npf_state_t)); - prop_dictionary_set_and_rel(cdict, "state", d); - - const uint32_t *fkey = con->c_forw_entry.ck_key; - d = prop_data_create_data(fkey, NPF_CONN_MAXKEYLEN); - prop_dictionary_set_and_rel(cdict, "forw-key", d); - - const uint32_t *bkey = con->c_back_entry.ck_key; - d = prop_data_create_data(bkey, NPF_CONN_MAXKEYLEN); - prop_dictionary_set_and_rel(cdict, "back-key", d); - - if (con->c_nat) { - npf_nat_export(cdict, con->c_nat); + if ((cdict = npf_conn_export(con)) != NULL) { + prop_array_add(conlist, cdict); + prop_object_release(cdict); } - prop_array_add(conlist, cdict); - prop_object_release(cdict); -skip: prev = con; con = next; } @@ -866,6 +845,43 @@ skip: } /* + * npf_conn_ex
CVS commit: src/sys/netinet6
Module Name:src Committed By: rmind Date: Sun Aug 3 22:55:24 UTC 2014 Modified Files: src/sys/netinet6: in6_pcb.c Log Message: in6_pcbdetach: now that IGMP and multicast groups are MP-safe, we can move the ip6_freemoptions() call outside the softnet_lock. Should fix PR/49065. To generate a diff of this commit: cvs rdiff -u -r1.126 -r1.127 src/sys/netinet6/in6_pcb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_pcb.c diff -u src/sys/netinet6/in6_pcb.c:1.126 src/sys/netinet6/in6_pcb.c:1.127 --- src/sys/netinet6/in6_pcb.c:1.126 Thu Jul 24 15:12:03 2014 +++ src/sys/netinet6/in6_pcb.c Sun Aug 3 22:55:24 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_pcb.c,v 1.126 2014/07/24 15:12:03 rtr Exp $ */ +/* $NetBSD: in6_pcb.c,v 1.127 2014/08/03 22:55:24 rmind Exp $ */ /* $KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.126 2014/07/24 15:12:03 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.127 2014/08/03 22:55:24 rmind Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" 
@@ -599,24 +599,28 @@ in6_pcbdetach(struct in6pcb *in6p) #if defined(IPSEC) if (ipsec_enabled) ipsec6_delete_pcbpolicy(in6p); -#endif /* IPSEC */ - so->so_pcb = 0; - if (in6p->in6p_options) +#endif + so->so_pcb = NULL; + + s = splnet(); + in6_pcbstate(in6p, IN6P_ATTACHED); + LIST_REMOVE(&in6p->in6p_head, inph_lhash); + TAILQ_REMOVE(&in6p->in6p_table->inpt_queue, &in6p->in6p_head, + inph_queue); + splx(s); + + if (in6p->in6p_options) { m_freem(in6p->in6p_options); + } if (in6p->in6p_outputopts != NULL) { ip6_clearpktopts(in6p->in6p_outputopts, -1); free(in6p->in6p_outputopts, M_IP6OPT); } rtcache_free(&in6p->in6p_route); + sofree(so);/* drops the socket's lock */ + ip6_freemoptions(in6p->in6p_moptions); - s = splnet(); - in6_pcbstate(in6p, IN6P_ATTACHED); - LIST_REMOVE(&in6p->in6p_head, inph_lhash); - TAILQ_REMOVE(&in6p->in6p_table->inpt_queue, &in6p->in6p_head, - inph_queue); pool_put(&in6pcb_pool, in6p); - splx(s); - sofree(so);/* drops the socket's lock */ mutex_enter(softnet_lock); /* reacquire it */ }
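Review bot: After `sofree(so)` drops the socket lock, the new ordering still reads `in6p->in6p_moptions` and then hands `in6p` to `pool_put()`, whereas before this change the pcb was freed before sofree(); this is sound only because `so->so_pcb` has been cleared and the pcb has been unlinked from the hash list and table queue under `splnet()` above, so no other path can reach it — that reasoning deserves a comment next to the call, e.g. `/* in6p is unlinked and so_pcb is NULL: nothing else can find it from here on */`. The in_pcbdetach hunk in the in_pcb.c commit below makes the same reordering and needs the same note. Style: `sofree(so);/* drops the socket's lock */` lacks a space before the comment. in6_pcbdetach's start is outside the hunk.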
CVS commit: src/sys/netinet
Module Name:src Committed By: rmind Date: Sun Aug 3 22:11:50 UTC 2014 Modified Files: src/sys/netinet: in_pcb.c Log Message: in_pcbdetach: not that IGMP and multicast groups are MP-safe, we can move the ip_freemoptions() call outside the softnet_lock. Should fix PR/49065. To generate a diff of this commit: cvs rdiff -u -r1.149 -r1.150 src/sys/netinet/in_pcb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/in_pcb.c diff -u src/sys/netinet/in_pcb.c:1.149 src/sys/netinet/in_pcb.c:1.150 --- src/sys/netinet/in_pcb.c:1.149 Thu Jul 24 15:12:03 2014 +++ src/sys/netinet/in_pcb.c Sun Aug 3 22:11:50 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: in_pcb.c,v 1.149 2014/07/24 15:12:03 rtr Exp $ */ +/* $NetBSD: in_pcb.c,v 1.150 2014/08/03 22:11:50 rmind Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -93,7 +93,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.149 2014/07/24 15:12:03 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.150 2014/08/03 22:11:50 rmind Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -593,19 +593,23 @@ in_pcbdetach(void *v) #if defined(IPSEC) if (ipsec_enabled) ipsec4_delete_pcbpolicy(inp); -#endif /* IPSEC */ - so->so_pcb = 0; - if (inp->inp_options) - (void)m_free(inp->inp_options); - rtcache_free(&inp->inp_route); - ip_freemoptions(inp->inp_moptions); +#endif + so->so_pcb = NULL; + s = splnet(); in_pcbstate(inp, INP_ATTACHED); LIST_REMOVE(&inp->inp_head, inph_lhash); TAILQ_REMOVE(&inp->inp_table->inpt_queue, &inp->inp_head, inph_queue); - pool_put(&inpcb_pool, inp); splx(s); + + if (inp->inp_options) { + m_free(inp->inp_options); + } + rtcache_free(&inp->inp_route); sofree(so); /* drops the socket's lock */ + + ip_freemoptions(inp->inp_moptions); + pool_put(&inpcb_pool, inp); mutex_enter(softnet_lock); /* reacquire the softnet_lock */ }
CVS commit: src
Module Name:src Committed By: rmind Date: Sun Aug 3 00:02:56 UTC 2014 Modified Files: src/lib/libnpf: libnpf.3 src/usr.sbin/npf/npfctl: npf.conf.5 npfctl.8 Log Message: Cross-link npf(7). To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/lib/libnpf/libnpf.3 cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/npf/npfctl/npfctl.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/libnpf.3 diff -u src/lib/libnpf/libnpf.3:1.1 src/lib/libnpf/libnpf.3:1.2 --- src/lib/libnpf/libnpf.3:1.1 Tue Jul 22 22:28:47 2014 +++ src/lib/libnpf/libnpf.3 Sun Aug 3 00:02:56 2014 @@ -1,4 +1,4 @@ -.\" $NetBSD: libnpf.3,v 1.1 2014/07/22 22:28:47 christos Exp $ +.\" $NetBSD: libnpf.3,v 1.2 2014/08/03 00:02:56 rmind Exp $ .\" .\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 22, 2014 +.Dd August 2, 2014 .Dt LIBNPF 3 .Os .Sh NAME @@ -297,6 +297,7 @@ Destroy the specified table. .\" - .Sh SEE ALSO .Xr bpf 4 , +.Xr npf 7 , .Xr npfctl 8 .Sh HISTORY The NPF library first appeared in Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.41 src/usr.sbin/npf/npfctl/npf.conf.5:1.42 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.41 Thu May 15 23:52:32 2014 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Aug 3 00:02:56 2014 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.41 2014/05/15 23:52:32 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.42 2014/08/03 00:02:56 rmind Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 15, 2014 +.Dd August 2, 2014 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -352,6 +352,7 @@ group default { .\" - .Sh SEE ALSO .Xr bpf 4 , +.Xr npf 7 , .Xr pcap-filter 7 , .Xr npfctl 8 .Sh HISTORY Index: src/usr.sbin/npf/npfctl/npfctl.8 diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.16 src/usr.sbin/npf/npfctl/npfctl.8:1.17 --- src/usr.sbin/npf/npfctl/npfctl.8:1.16 Wed Jul 23 01:25:34 2014 +++ src/usr.sbin/npf/npfctl/npfctl.8 Sun Aug 3 00:02:56 2014 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfctl.8,v 1.16 2014/07/23 01:25:34 rmind Exp $ +.\" $NetBSD: npfctl.8,v 1.17 2014/08/03 00:02:56 rmind Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 23, 2014 +.Dd August 2, 2014 .Dt NPFCTL 8 .Os .Sh NAME @@ -186,7 +186,8 @@ Addition and removal of entries in the t .\" - .Sh SEE ALSO .Xr bpf 4 , -.Xr npf.conf 5 +.Xr npf.conf 5 , +.Xr npf 7 .Sh HISTORY NPF first appeared in .Nx 6.0 .
CVS commit: src
Module Name:src Committed By: rmind Date: Sat Aug 2 23:57:40 UTC 2014 Modified Files: src/distrib/sets/lists/man: mi src/usr.sbin/npf: Makefile Added Files: src/usr.sbin/npf: npf.7 Log Message: NPF: add a general npf(7) manual page. Improved by wiz@. To generate a diff of this commit: cvs rdiff -u -r1.1481 -r1.1482 src/distrib/sets/lists/man/mi cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/Makefile cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npf.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/distrib/sets/lists/man/mi diff -u src/distrib/sets/lists/man/mi:1.1481 src/distrib/sets/lists/man/mi:1.1482 --- src/distrib/sets/lists/man/mi:1.1481 Fri Aug 1 14:08:47 2014 +++ src/distrib/sets/lists/man/mi Sat Aug 2 23:57:40 2014 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1481 2014/08/01 14:08:47 christos Exp $ +# $NetBSD: mi,v 1.1482 2014/08/02 23:57:40 rmind Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -2224,6 +2224,7 @@ ./usr/share/man/cat7/module.0 man-reference-catman .cat ./usr/share/man/cat7/msafer.0 man-obsolete obsolete ./usr/share/man/cat7/nls.0 man-reference-catman .cat +./usr/share/man/cat7/npf.0 man-npf-catman .cat,npf ./usr/share/man/cat7/orders.0 man-reference-catman .cat ./usr/share/man/cat7/packages.0 man-obsolete obsolete ./usr/share/man/cat7/pcap-filter.0 man-netutil-catman .cat @@ -5167,6 +5168,7 @@ ./usr/share/man/html7/mdoc.html man-groff-htmlman html,groff ./usr/share/man/html7/module.html man-reference-htmlman html ./usr/share/man/html7/nls.html man-reference-htmlman html +./usr/share/man/html7/npf.html man-npf-htmlman html,npf ./usr/share/man/html7/orders.html man-reference-htmlman html ./usr/share/man/html7/pcap-filter.html man-netutil-htmlman html ./usr/share/man/html7/pcap-linktype.html man-netutil-htmlman html 
@@ -8084,6 +8086,7 @@ ./usr/share/man/man7/module.7 man-reference-man .man ./usr/share/man/man7/msafer.7 man-obsolete obsolete ./usr/share/man/man7/nls.7 man-reference-man .man +./usr/share/man/man7/npf.7 man-npf-man .man,npf ./usr/share/man/man7/orders.7 man-reference-man .man ./usr/share/man/man7/packages.7 man-obsolete obsolete ./usr/share/man/man7/pcap-filter.7 man-netutil-man .man Index: src/usr.sbin/npf/Makefile diff -u src/usr.sbin/npf/Makefile:1.4 src/usr.sbin/npf/Makefile:1.5 --- src/usr.sbin/npf/Makefile:1.4 Thu Sep 13 21:02:50 2012 +++ src/usr.sbin/npf/Makefile Sat Aug 2 23:57:40 2014 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.4 2012/09/13 21:02:50 martin Exp $ +# $NetBSD: Makefile,v 1.5 2014/08/02 23:57:40 rmind Exp $ .include @@ -8,4 +8,7 @@ SUBDIR= npfctl SUBDIR+= npftest .endif +MAN= npf.7 + +.include .include Added files: Index: src/usr.sbin/npf/npf.7 diff -u /dev/null src/usr.sbin/npf/npf.7:1.1 --- /dev/null Sat Aug 2 23:57:40 2014 +++ src/usr.sbin/npf/npf.7 Sat Aug 2 23:57:40 2014 
@@ -0,0 +1,91 @@ +.\" $NetBSD: npf.7,v 1.1 2014/08/02 23:57:40 rmind Exp $ +.\" +.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This material is based upon work partially supported by The +.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\"notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\"notice, this list of conditions and the following disclaimer in the +.\"documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd August 2, 2014 +.Dt NPF 7 +.Os +.Sh NAME +.Nm NPF +.Nd NetBSD packet filter +.\" - +.Sh DESCRIPTION +NPF is a layer 3 packet filter
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sat Jul 26 16:42:03 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c Log Message: npf_conn_conkey: fix a comment. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.8 src/sys/net/npf/npf_conn.c:1.9 --- src/sys/net/npf/npf_conn.c:1.8 Fri Jul 25 23:21:46 2014 +++ src/sys/net/npf/npf_conn.c Sat Jul 26 16:42:03 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $"); #include #include @@ -297,9 +297,9 @@ npf_conn_conkey(const npf_cache_t *npc, /* * Construct a key formed out of 32-bit integers. The key layout: * - * Field: | proto | alen | src-id | dst-id | src-addr | dst-addr | - *+---+---+++--+--+ - * Bits: | 8 | 8 | 16 | 16 | 32-128 | 32-128 | + * Field: | proto | alen | src-id | dst-id | src-addr | dst-addr | + *+++++--+--+ + * Bits: | 16 | 16 | 16 | 16 | 32-128 | 32-128 | * * The source and destination are inverted if they key is for the * backwards stream (forw == false). The address length depends
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Fri Jul 25 23:21:46 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c npf_conn.h Log Message: npf_conn_conkey: adjust to return the key length and add a comment describing the key layout. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_conn.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.7 src/sys/net/npf/npf_conn.c:1.8 --- src/sys/net/npf/npf_conn.c:1.7 Fri Jul 25 23:07:21 2014 +++ src/sys/net/npf/npf_conn.c Fri Jul 25 23:21:46 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $"); #include #include @@ -242,8 +242,10 @@ npf_conn_trackable_p(const npf_cache_t * /* * npf_conn_conkey: construct a key for the connection lookup. + * + * => Returns the key length in bytes or zero on failure. */ -bool +unsigned npf_conn_conkey(const npf_cache_t *npc, npf_connkey_t *key, const bool forw) { const u_int alen = npc->npc_alen; @@ -272,7 +274,7 @@ npf_conn_conkey(const npf_cache_t *npc, id[NPF_DST] = ic->icmp_id; break; } - return false; + return 0; case IPPROTO_ICMPV6: if (npf_iscached(npc, NPC_ICMP_ID)) { const struct icmp6_hdr *ic6 = npc->npc_l4.icmp6; 
@@ -280,21 +282,30 @@ npf_conn_conkey(const npf_cache_t *npc, id[NPF_DST] = ic6->icmp6_id; break; } - return false; + return 0; default: /* Unsupported protocol. */ - return false; + return 0; } - /* - * Finally, construct a key formed out of 32-bit integers. - */ if (__predict_true(forw)) { isrc = NPF_SRC, idst = NPF_DST; } else { isrc = NPF_DST, idst = NPF_SRC; } + /* + * Construct a key formed out of 32-bit integers. The key layout: + * + * Field: | proto | alen | src-id | dst-id | src-addr | dst-addr | + *+---+---+++--+--+ + * Bits: | 8 | 8 | 16 | 16 | 32-128 | 32-128 | + * + * The source and destination are inverted if they key is for the + * backwards stream (forw == false). The address length depends + * on the 'alen' field; it is a length in bytes, either 4 or 16. + */ + key->ck_key[0] = ((uint32_t)npc->npc_proto << 16) | (alen & 0x); key->ck_key[1] = ((uint32_t)id[isrc] << 16) | id[idst]; @@ -308,8 +319,7 @@ npf_conn_conkey(const npf_cache_t *npc, memcpy(&key->ck_key[2 + nwords], npc->npc_ips[idst], alen); keylen = (2 + (nwords * 2)) * sizeof(uint32_t); } - (void)keylen; - return true; + return keylen; } static __inline void Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.4 src/sys/net/npf/npf_conn.h:1.5 --- src/sys/net/npf/npf_conn.h:1.4 Fri Jul 25 23:07:21 2014 +++ src/sys/net/npf/npf_conn.h Fri Jul 25 23:21:46 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.4 2014/07/25 23:07:21 rmind Exp $ */ +/* $NetBSD: npf_conn.h,v 1.5 2014/07/25 23:21:46 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 
@@ -103,7 +103,7 @@ void npf_conn_sysfini(void); void npf_conn_tracking(bool); void npf_conn_load(npf_conndb_t *, bool); -bool npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool); +unsigned npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool); npf_conn_t * npf_conn_lookup(const npf_cache_t *, const int, bool *); npf_conn_t * npf_conn_inspect(npf_cache_t *, const int, int *); npf_conn_t * npf_conn_establish(npf_cache_t *, int, bool);
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Fri Jul 25 23:07:21 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c npf_conn.h npf_ctl.c Log Message: npf_mk_connlist: destroy the connections on error path. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_ctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.6 src/sys/net/npf/npf_conn.c:1.7 --- src/sys/net/npf/npf_conn.c:1.6 Wed Jul 23 01:25:34 2014 +++ src/sys/net/npf/npf_conn.c Fri Jul 25 23:07:21 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.6 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.6 2014/07/23 01:25:34 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $"); #include #include @@ -141,7 +141,6 @@ static npf_conndb_t * conn_db __read_mo static pool_cache_t conn_cache __read_mostly; static kmutex_t conn_lock __cacheline_aligned; -static void npf_conn_gc(npf_conndb_t *, bool, bool); static void npf_conn_worker(void); static void npf_conn_destroy(npf_conn_t *); @@ -706,7 +705,7 @@ npf_conn_expired(const npf_conn_t *con, * => If it is a flush request, then destroy all connections. * => If 'sync' is true, then perform passive serialisation. */ -static void +void npf_conn_gc(npf_conndb_t *cd, bool flush, bool sync) { npf_conn_t *con, *prev, *gclist = NULL; Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.3 src/sys/net/npf/npf_conn.h:1.4 --- src/sys/net/npf/npf_conn.h:1.3 Wed Jul 23 01:25:34 2014 +++ src/sys/net/npf/npf_conn.h Fri Jul 25 23:07:21 2014 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.3 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf_conn.h,v 1.4 2014/07/25 23:07:21 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -114,6 +114,7 @@ void npf_conn_setpass(npf_conn_t *, npf int npf_conn_setnat(const npf_cache_t *, npf_conn_t *, npf_nat_t *, u_int); npf_nat_t * npf_conn_retnat(npf_conn_t *, const int, bool *); +void npf_conn_gc(npf_conndb_t *, bool, bool); int npf_conn_export(prop_array_t); int npf_conn_import(npf_conndb_t *, prop_dictionary_t, npf_ruleset_t *); Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.35 src/sys/net/npf/npf_ctl.c:1.36 --- src/sys/net/npf/npf_ctl.c:1.35 Wed Jul 23 01:25:34 2014 +++ src/sys/net/npf/npf_ctl.c Fri Jul 25 23:07:21 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.35 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.36 2014/07/25 23:07:21 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.35 2014/07/23 01:25:34 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.36 2014/07/25 23:07:21 rmind Exp $"); #include #include @@ -492,7 +492,7 @@ npf_mk_connlist(prop_array_t conlist, np } prop_object_iterator_release(it); if (error) { - /* FIXME: npf_conn_gc(cd, true, false); */ + npf_conn_gc(cd, true, false); npf_conndb_destroy(cd); } else { *conndb = cd;
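Review bot: The new error path in npf_mk_connlist calls `npf_conn_gc(cd, true, false)` with sync=false, which per the gc comment in the npf_conn.c hunk means no passive serialisation; that is acceptable only because `cd` has not been published through `*conndb` yet, so no reader can hold a reference to its connections. That reasoning should sit on the call, e.g. `/* Not yet published: flush without passive serialisation. */`, because the same call with sync=false would not be safe on a live database. npf_mk_connlist's body starts and ends outside the hunk.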
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Fri Jul 25 20:07:32 UTC 2014 Modified Files: src/sys/net/npf: npf_state_tcp.c Log Message: npf_tcp_inwindow: enable strict RST check by default. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_state_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_state_tcp.c diff -u src/sys/net/npf/npf_state_tcp.c:1.15 src/sys/net/npf/npf_state_tcp.c:1.16 --- src/sys/net/npf/npf_state_tcp.c:1.15 Sun Jul 20 00:37:41 2014 +++ src/sys/net/npf/npf_state_tcp.c Fri Jul 25 20:07:32 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_state_tcp.c,v 1.15 2014/07/20 00:37:41 rmind Exp $ */ +/* $NetBSD: npf_state_tcp.c,v 1.16 2014/07/25 20:07:32 rmind Exp $ */ /*- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.15 2014/07/20 00:37:41 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.16 2014/07/25 20:07:32 rmind Exp $"); #include #include @@ -89,7 +89,7 @@ static u_int npf_tcp_timeouts[] __read_m [NPF_TCPS_TIME_WAIT] = 60 * 2 * 2, }; -static bool npf_strict_order_rst __read_mostly = false; +static bool npf_strict_order_rst __read_mostly = true; #define NPF_TCP_MAXACKWIN 66000 @@ -395,7 +395,7 @@ npf_tcp_inwindow(npf_cache_t *npc, npf_s seq = end; } - /* Strict in-order sequence for RST packets. */ + /* Strict in-order sequence for RST packets (RFC 5961). */ if (npf_strict_order_rst && (fstate->nst_end - seq) > 1) { return false; }
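Review bot: Flipping `npf_strict_order_rst` to true makes the filter drop any RST whose sequence number is not within one of the expected end (`(fstate->nst_end - seq) > 1`), which is stricter than RFC 5961 section 3.2, where an in-window but inexact RST earns a challenge ACK from the end host rather than being discarded; behind this filter such an RST never reaches the host, so the connection state presumably lingers until its timeout. Since the flag is a file-static with no tunable visible here, the comment should state the trade-off: `/* Strict in-order sequence for RST packets (RFC 5961): in-window RSTs not at the expected end are dropped, not challenged. */`. The enclosing npf_tcp_inwindow starts and ends outside the hunk.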
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Wed Jul 23 01:48:05 UTC 2014 Modified Files: src/sys/net/npf: npf.h Log Message: npf_iscached: add an assert. To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.45 src/sys/net/npf/npf.h:1.46 --- src/sys/net/npf/npf.h:1.45 Wed Jul 23 01:25:34 2014 +++ src/sys/net/npf/npf.h Wed Jul 23 01:48:05 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.45 2014/07/23 01:25:34 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.46 2014/07/23 01:48:05 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -172,6 +172,7 @@ typedef struct { static inline bool npf_iscached(const npf_cache_t *npc, const int inf) { + KASSERT(npc->npc_nbuf != NULL); return __predict_true((npc->npc_info & inf) != 0); }
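Review bot: The added `KASSERT(npc->npc_nbuf != NULL)` does not protect the statement that follows, which reads only `npc->npc_info`; it asserts a caller invariant (a cache that is queried must be bound to a buffer) rather than guarding a dereference, and a reader will wonder why it is placed here. A short comment would make that explicit, e.g. `/* A cache without an nbuf has not been filled in; querying it is a bug. */` — hedged, since what sets npc_nbuf is not visible in this hunk.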
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun Jul 20 00:48:51 UTC 2014 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c Log Message: formatting To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.14 src/usr.sbin/npf/npfctl/npf_show.c:1.15 --- src/usr.sbin/npf/npfctl/npf_show.c:1.14 Sat May 31 22:41:37 2014 +++ src/usr.sbin/npf/npfctl/npf_show.c Sun Jul 20 00:48:51 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $ */ +/* $NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $"); #include #include @@ -452,7 +452,7 @@ npfctl_config_show(int fd) if (ncf == NULL) { return errno; } - fprintf(ctx->fp, "Filtering:\t%s\nConfiguration:\t%s\n", + fprintf(ctx->fp, "# filtering:\t%s\n# config:\t%s\n", active ? "active" : "inactive", loaded ? "loaded" : "empty"); print_linesep(ctx);
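Review bot: The new format string turns the `Filtering:`/`Configuration:` header into `# filtering:` / `# config:` lines, which is a user-visible change to npfctl's output rather than just formatting, and anything that parses the old header breaks; the log message does not mention this. If the intent is that the status lines read as npf.conf comments, a comment above the fprintf should say so, e.g. `/* Emit status as '#' comments so the output reads as npf.conf. */`, and the npfctl manual page should describe the new header. npfctl_config_show's start and end are outside the hunk.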
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Jul 20 00:43:47 UTC 2014 Removed Files: src/sys/net/npf: npf_session.c Log Message: Bye bye npf_session.c To generate a diff of this commit: cvs rdiff -u -r1.33 -r0 src/sys/net/npf/npf_session.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src
on)) { return false; } - if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { - npf_recache(npc, nbuf); + if (nbuf_flag_p(npc->npc_nbuf, NBUF_DATAREF_RESET)) { + npf_recache(npc); } } Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.3 src/sys/net/npf/npf_conn.c:1.4 --- src/sys/net/npf/npf_conn.c:1.3 Sat Jul 19 21:22:58 2014 +++ src/sys/net/npf/npf_conn.c Sun Jul 20 00:37:41 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.3 2014/07/19 21:22:58 christos Exp $ */ +/* $NetBSD: npf_conn.c,v 1.4 2014/07/20 00:37:41 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -100,7 +100,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.3 2014/07/19 21:22:58 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.4 2014/07/20 00:37:41 rmind Exp $"); #include #include @@ -358,9 +358,9 @@ connkey_set_id(npf_connkey_t *key, const * => If found, we will hold a reference for the caller. */ npf_conn_t * -npf_conn_lookup(const npf_cache_t *npc, const nbuf_t *nbuf, -const int di, bool *forw) +npf_conn_lookup(const npf_cache_t *npc, const int di, bool *forw) { + const nbuf_t *nbuf = npc->npc_nbuf; npf_conn_t *con; npf_connkey_t key; u_int flags, cifid; @@ -411,8 +411,9 @@ npf_conn_lookup(const npf_cache_t *npc, * => If found, we will hold a reference for the caller. */ npf_conn_t * -npf_conn_inspect(npf_cache_t *npc, nbuf_t *nbuf, const int di, int *error) +npf_conn_inspect(npf_cache_t *npc, const int di, int *error) { + nbuf_t *nbuf = npc->npc_nbuf; npf_conn_t *con; bool forw, ok; @@ -422,7 +423,7 @@ npf_conn_inspect(npf_cache_t *npc, nbuf_ } /* Query ALG which may lookup connection for us. */ - if ((con = npf_alg_conn(npc, nbuf, di)) != NULL) { + if ((con = npf_alg_conn(npc, di)) != NULL) { /* Note: reference is held. */ return con; } 
@@ -433,13 +434,13 @@ npf_conn_inspect(npf_cache_t *npc, nbuf_ KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)); /* Main lookup of the connection. */ - if ((con = npf_conn_lookup(npc, nbuf, di, &forw)) == NULL) { + if ((con = npf_conn_lookup(npc, di, &forw)) == NULL) { return NULL; } /* Inspect the protocol data and handle state changes. */ mutex_enter(&con->c_lock); - ok = npf_state_inspect(npc, nbuf, &con->c_state, forw); + ok = npf_state_inspect(npc, &con->c_state, forw); mutex_exit(&con->c_lock); if (__predict_false(!ok)) { @@ -458,8 +459,9 @@ npf_conn_inspect(npf_cache_t *npc, nbuf_ * => Connection will be activated on the first reference release. */ npf_conn_t * -npf_conn_establish(npf_cache_t *npc, nbuf_t *nbuf, int di, bool per_if) +npf_conn_establish(npf_cache_t *npc, int di, bool per_if) { + const nbuf_t *nbuf = npc->npc_nbuf; npf_conn_t *con; KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)); @@ -484,7 +486,7 @@ npf_conn_establish(npf_cache_t *npc, nbu con->c_nat = NULL; /* Initialize protocol state. */ - if (!npf_state_init(npc, nbuf, &con->c_state)) { + if (!npf_state_init(npc, &con->c_state)) { goto err; } Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.1 src/sys/net/npf/npf_conn.h:1.2 --- src/sys/net/npf/npf_conn.h:1.1 Sat Jul 19 19:14:21 2014 +++ src/sys/net/npf/npf_conn.h Sun Jul 20 00:37:41 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.1 2014/07/19 19:14:21 rmind Exp $ */ +/* $NetBSD: npf_conn.h,v 1.2 2014/07/20 00:37:41 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 
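Review bot: Within the visible hunks the local `nbuf` in npf_conn_inspect is now used only by `KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET))` — the npf_alg_conn, npf_conn_lookup and npf_state_inspect calls no longer take it — so a build without DIAGNOSTIC will warn about an unused variable unless it is referenced between the hunks; if it is not, declare it `nbuf_t *nbuf __diagused = npc->npc_nbuf;` or assert on `npc->npc_nbuf` directly. The same check applies to `const nbuf_t *nbuf` in npf_conn_establish, where the only visible use is its KASSERT and npf_state_init no longer takes it. Both function bodies extend beyond the visible hunks.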
@@ -100,10 +100,9 @@ void npf_conn_sysfini(void); void npf_conn_tracking(bool); bool npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool); -npf_conn_t * npf_conn_lookup(const npf_cache_t *, const nbuf_t *, - const int, bool *); -npf_conn_t * npf_conn_inspect(npf_cache_t *, nbuf_t *, const int, int *); -npf_conn_t * npf_conn_establish(npf_cache_t *, nbuf_t *, int, bool); +npf_conn_t * npf_conn_lookup(const npf_cache_t *, const int, bool *); +npf_conn_t * npf_conn_inspect(npf_cache_t *, const int, int *); +npf_conn_t * npf_conn_establish(npf_cache_t *, int, bool); void npf_conn_release(npf_conn_t *); void npf_conn_expire(npf_conn_t *); bool npf_conn_pass(const npf_conn_t *, npf_rproc_t **); Index: src/sys/net/npf/npf_ext_log.c diff -u src/sys/net/npf/npf_ext_log.c:1.7 src/sys/net/npf/npf_ext_log.c:1.8 --- src/sys/net/npf/npf_ext_log.c:1.7 Mon May 19 18:45:51 2014 +++ src/sys/net/npf/npf_ext_log.c Sun Jul 20 00:37:41 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ext_log.c,v 1.7 2014/05/19 18:45:51 jakllsch Exp $ */ +/* $NetBSD: npf_ext_log.c,v 1.8 2014/07/20 00:37:41 rmind Exp $ */ /*- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.7 2014/05/19 18:45:51 jakllsch Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.8 2014/07/20 00:37:41 rmind Exp $"); #include
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sat Jul 19 20:59:01 UTC 2014 Modified Files: src/sys/net/npf: npf_conn.c Log Message: Fix gcc warnings. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.1 src/sys/net/npf/npf_conn.c:1.2 --- src/sys/net/npf/npf_conn.c:1.1 Sat Jul 19 18:24:16 2014 +++ src/sys/net/npf/npf_conn.c Sat Jul 19 20:59:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.1 2014/07/19 18:24:16 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.2 2014/07/19 20:59:01 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius @@ -100,7 +100,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.1 2014/07/19 18:24:16 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.2 2014/07/19 20:59:01 rmind Exp $"); #include #include @@ -328,6 +328,7 @@ npf_conn_conkey(const npf_cache_t *npc, memcpy(&key->ck_key[2 + nwords], npc->npc_ips[idst], alen); keylen = (2 + (nwords * 2)) * sizeof(uint32_t); } + (void)keylen; return true; } @@ -566,7 +567,7 @@ npf_conn_setnat(const npf_cache_t *npc, [NPF_NATIN] = NPF_SRC, }; npf_connkey_t key, *bk; - npf_conn_t *ret; + npf_conn_t *ret __diagused; npf_addr_t *taddr; in_port_t tport; u_int tidx;
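Review bot: `(void)keylen;` silences the warning but keeps a value that is computed in both branches and then discarded, so a reader is left with a computation of unclear purpose; either return `keylen` (presumably so callers know how many bytes of `ck_key` are significant) or drop the assignments, and write the chosen intent as a comment rather than hiding it behind a cast. `npf_conn_t *ret __diagused;` is the right fix for the KASSERT-only variable in npf_conn_setnat. npf_conn_conkey's start is outside the hunk.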
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sat Jul 19 19:14:21 UTC 2014 Added Files: src/sys/net/npf: npf_conn.h Log Message: Add npf_conn.h missed in the previous commit. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/sys/net/npf/npf_conn.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/sys/net/npf/npf_conn.h diff -u /dev/null src/sys/net/npf/npf_conn.h:1.1 --- /dev/null Sat Jul 19 19:14:21 2014 +++ src/sys/net/npf/npf_conn.h Sat Jul 19 19:14:21 2014 
@@ -0,0 +1,139 @@ +/* $NetBSD: npf_conn.h,v 1.1 2014/07/19 19:14:21 rmind Exp $ */ + +/*- + * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This material is based upon work partially supported by The + * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef _NPF_CONN_H_ +#define _NPF_CONN_H_ + +#if !defined(_KERNEL) +#error "kernel-level header only" +#endif + +#include + +#include "npf_impl.h" + +typedef struct npf_connkey npf_connkey_t; + +#if defined(__NPF_CONN_PRIVATE) + +#include + +#define NPF_CONN_NKEYWORDS (2 + ((sizeof(npf_addr_t) * 2) >> 2)) +#define NPF_CONN_MAXKEYLEN (NPF_CONN_NKEYWORDS * sizeof(uint32_t)) +#define NPF_CONN_GETALEN(key) ((key)->ck_key[0] & 0x) +#define NPF_CONN_KEYLEN(key) (8 + (2 * NPF_CONN_GETALEN(key))) + +struct npf_connkey { + /* Entry node and back-pointer to the actual connection. */ + rb_node_t ck_rbnode; + uint32_t ck_key[NPF_CONN_NKEYWORDS]; + npf_conn_t * ck_backptr; +}; + +/* + * The main connection tracking structure. + */ + +struct npf_conn { + /* + * Connection "forwards" and "backwards" entries, plus the + * interface ID (if zero, then the state is global). + */ + npf_connkey_t c_forw_entry; + npf_connkey_t c_back_entry; + u_int c_proto; + u_int c_ifid; + + /* Flags and entry in the connection database or G/C list. */ + u_int c_flags; + npf_conn_t * c_next; + + /* Associated rule procedure or NAT (if any). */ + npf_rproc_t * c_rproc; + npf_nat_t * c_nat; + + /* + * The protocol state, reference count and the last activity + * time (used to calculate expiration time). + */ + kmutex_t c_lock; + npf_state_t c_state; + u_int c_refcnt; + struct timespec c_atime; +}; + +#endif + +/* + * Connection tracking interface. 
+ */ +void npf_conn_sysinit(void); +void npf_conn_sysfini(void); +void npf_conn_tracking(bool); + +bool npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool); +npf_conn_t * npf_conn_lookup(const npf_cache_t *, const nbuf_t *, + const int, bool *); +npf_conn_t * npf_conn_inspect(npf_cache_t *, nbuf_t *, const int, int *); +npf_conn_t * npf_conn_establish(npf_cache_t *, nbuf_t *, int, bool); +void npf_conn_release(npf_conn_t *); +void npf_conn_expire(npf_conn_t *); +bool npf_conn_pass(const npf_conn_t *, npf_rproc_t **); +void npf_conn_setpass(npf_conn_t *, npf_rproc_t *); +int npf_conn_setnat(const npf_cache_t *, npf_conn_t *, + npf_nat_t *, u_int); +npf_nat_t * npf_conn_retnat(npf_conn_t *, const int, bool *); + +void npf_conn_load(npf_conndb_t *); +int npf_conn_save(prop_array_t, prop_array_t); +int npf_conn_restore(npf_conndb_t *, prop_dictionary_t); + +void npf_conn_print(const npf_conn_t *); + +/* + * Connection database (aka state table) interface. + */ +npf_conndb_t * npf_conndb_create(void); +void npf_conndb_destroy(npf_conndb_t *); + +npf_conn_t * npf_conndb_lookup(npf_conndb_t *, const npf_connkey_t *, + bool *); +bool npf_conndb_insert(npf_conndb_t *, npf_connkey_t *, +
CVS commit: src/sys/netinet
Module Name:src Committed By: rmind Date: Thu Jul 10 14:05:19 UTC 2014 Modified Files: src/sys/netinet: tcp_usrreq.c Log Message: tcp_accept: simplify a little. To generate a diff of this commit: cvs rdiff -u -r1.186 -r1.187 src/sys/netinet/tcp_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/tcp_usrreq.c diff -u src/sys/netinet/tcp_usrreq.c:1.186 src/sys/netinet/tcp_usrreq.c:1.187 --- src/sys/netinet/tcp_usrreq.c:1.186 Wed Jul 9 14:41:42 2014 +++ src/sys/netinet/tcp_usrreq.c Thu Jul 10 14:05:19 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_usrreq.c,v 1.186 2014/07/09 14:41:42 rtr Exp $ */ +/* $NetBSD: tcp_usrreq.c,v 1.187 2014/07/10 14:05:19 rmind Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -99,7 +99,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.186 2014/07/09 14:41:42 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.187 2014/07/10 14:05:19 rmind Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -948,20 +948,6 @@ tcp_accept(struct socket *so, struct mbu { return EINVAL; } -#ifdef INET - if (inp) { - tp = intotcpcb(inp); - /* WHAT IF TP IS 0? */ - ostate = tcp_debug_capture(tp, PRU_ACCEPT); - } -#endif -#ifdef INET6 - if (in6p) { - tp = in6totcpcb(in6p); - /* WHAT IF TP IS 0? */ - ostate = tcp_debug_capture(tp, PRU_ACCEPT); - } -#endif /* * Accept a connection. Essentially all the work is @@ -969,16 +955,22 @@ tcp_accept(struct socket *so, struct mbu * of the peer, storing through addr. */ #ifdef INET - if (inp) + if (inp) { + tp = intotcpcb(inp); + KASSERT(tp != NULL); + ostate = tcp_debug_capture(tp, PRU_ACCEPT); in_setpeeraddr(inp, nam); + } #endif #ifdef INET6 - if (in6p) + if (in6p) { + tp = in6totcpcb(in6p); + KASSERT(tp != NULL); + ostate = tcp_debug_capture(tp, PRU_ACCEPT); in6_setpeeraddr(in6p, nam); + } #endif - tcp_debug_trace(so, tp, ostate, PRU_ACCEPT); - return 0; }
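Review bot: The `tcp_debug_trace(so, tp, ostate, PRU_ACCEPT);` call is removed in the second hunk while `ostate = tcp_debug_capture(tp, PRU_ACCEPT)` is kept in both the INET and INET6 branches, so `ostate` is now captured and never consumed; unless the trace call moved to a spot outside the hunk, this drops the PRU_ACCEPT debug record the capture exists for and leaves a dead store, which is more than the "simplify a little" in the log suggests. Either restore `tcp_debug_trace(so, tp, ostate, PRU_ACCEPT);` before `return 0;` or drop the capture as well so the two stay consistent. The `KASSERT(tp != NULL)` replacing the `/* WHAT IF TP IS 0? */` comments is an improvement, but it is compiled out in non-DIAGNOSTIC kernels, so the answer to that question should still hold without it. tcp_accept() starts before the first hunk.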
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Jun 30 00:01:24 UTC 2014 Modified Files: src/sys/net/npf: npf_bpf.c Log Message: NPF: use BPF JIT by default. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_bpf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_bpf.c diff -u src/sys/net/npf/npf_bpf.c:1.9 src/sys/net/npf/npf_bpf.c:1.10 --- src/sys/net/npf/npf_bpf.c:1.9 Sun Jun 29 00:05:24 2014 +++ src/sys/net/npf/npf_bpf.c Mon Jun 30 00:01:23 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $ */ +/* $NetBSD: npf_bpf.c,v 1.10 2014/06/30 00:01:23 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.10 2014/06/30 00:01:23 rmind Exp $"); #include #include @@ -127,11 +127,7 @@ npf_bpf_filter(bpf_args_t *args, const v void * npf_bpf_compile(void *code, size_t size) { -#if 0 return bpf_jit_generate(npf_bpfctx, code, size); -#else - return NULL; -#endif } bool
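Review bot: npf_bpf_compile() now returns whatever bpf_jit_generate() produces, and nothing in the hunk states that a NULL result is an expected outcome (no JIT on this platform, or generation declined) rather than an error; the interpreter fallback in npf_bpf_filter() elsewhere on this page relies on exactly that convention. A comment on the function, `/* Returns the JIT-compiled program, or NULL when the JIT is unavailable; callers then fall back to bpf_filter_ext(). */`, would make the contract explicit. Because the program originates in userland via npfctl, it is worth confirming (outside this hunk) that npf_bpf_validate() is always run before compilation is attempted.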
CVS commit: src
Module Name:src Committed By: rmind Date: Sun Jun 29 00:05:24 UTC 2014 Modified Files: src/sys/net/npf: npf.h npf_bpf.c src/usr.sbin/npf/npfctl: npf_bpf_comp.c Log Message: NPF: - Populate the BPF external memory store with L3 information. - Eliminate NPF_COP_L3 call and just use the data in the memstore. - Bump NPF_VERSION. To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf.h cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_bpf.c cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfctl/npf_bpf_comp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.41 src/sys/net/npf/npf.h:1.42 --- src/sys/net/npf/npf.h:1.41 Wed Jun 25 00:20:06 2014 +++ src/sys/net/npf/npf.h Sun Jun 29 00:05:24 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.41 2014/06/25 00:20:06 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.42 2014/06/29 00:05:24 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -45,7 +45,7 @@ #include #include -#define NPF_VERSION 13 +#define NPF_VERSION 14 /* * Public declarations and definitions. Index: src/sys/net/npf/npf_bpf.c diff -u src/sys/net/npf/npf_bpf.c:1.8 src/sys/net/npf/npf_bpf.c:1.9 --- src/sys/net/npf/npf_bpf.c:1.8 Wed Jun 25 00:20:06 2014 +++ src/sys/net/npf/npf_bpf.c Sun Jun 29 00:05:24 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $ */ +/* $NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $"); #include #include 
@@ -78,7 +78,7 @@ npf_bpf_sysfini(void) } void -npf_bpf_prepare(npf_cache_t *npc, nbuf_t *nbuf, bpf_args_t *args, uint32_t *m) +npf_bpf_prepare(npf_cache_t *npc, nbuf_t *nbuf, bpf_args_t *args, uint32_t *M) { const struct mbuf *mbuf = nbuf_head_mbuf(nbuf); const size_t pktlen = m_length(mbuf); @@ -87,19 +87,39 @@ npf_bpf_prepare(npf_cache_t *npc, nbuf_t args->pkt = (const uint8_t *)mbuf; args->wirelen = pktlen; args->buflen = 0; - args->mem = m; + args->mem = M; args->arg = npc; + + /* + * Convert address length to IP version. Just mask out + * number 4 or set 6 if higher bits set, such that: + * + * 0 => 0 + * 4 => 4 (IPVERSION) + * 16 => 6 (IPV6_VERSION >> 4) + */ + const u_int alen = npc->npc_alen; + const uint32_t ver = (alen & 4) | ((alen >> 4) * 6); + + /* + * Output words in the memory store: + * BPF_MW_IPVER IP version (4 or 6). + * BPF_MW_L4OFF L4 header offset. + * BPF_MW_L4PROTO L4 protocol. + */ + M[BPF_MW_IPVER] = ver; + M[BPF_MW_L4OFF] = npc->npc_hlen; + M[BPF_MW_L4PROTO] = npc->npc_proto; } int npf_bpf_filter(bpf_args_t *args, const void *code, bpfjit_func_t jcode) { -#if 0 /* Execute JIT-compiled code. */ if (__predict_true(jcode)) { return jcode(npf_bpfctx, args); } -#endif + /* Execute BPF byte-code. */ return bpf_filter_ext(npf_bpfctx, code, args); } 
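Review bot: The address-length-to-IP-version expression `(alen & 4) | ((alen >> 4) * 6)` now lives in npf_bpf_prepare() here and, in the next hunk (npf_cop_l3), as a second copy `(npc->npc_alen & 4) | ((npc->npc_alen >> 4) * 6)` whose explanatory comment was stripped; two copies of a bit trick will drift, so a single `static inline` helper carrying the 0/4/16 comment and used by both is preferable (see below). npf_bpf_prepare() also stores into `M[BPF_MW_IPVER]`..`M[BPF_MW_L4PROTO]` of a caller-supplied array without stating its minimum size; a comment `/* M must point to at least NPF_BPF_NWORDS words, matching the bpf_set_extmem() call in npf_bpf_sysinit(). */` documents the precondition. The mapping yields 4 or 6 only for alen values 0, 4 and 16; any other npc_alen produces a meaningless version word, which is fine if the cache guarantees those values but otherwise deserves a KASSERT.
```c
/*
 * Map an address length to the IP version word:
 *   0 => 0, 4 => 4 (IPVERSION), 16 => 6 (IPV6_VERSION >> 4).
 * Shared by npf_bpf_prepare() and npf_cop_l3() so the trick lives in one place.
 */
static inline uint32_t
npf_alen_to_ipver(u_int alen)
{
	return (alen & 4) | ((alen >> 4) * 6);
}

/* … unchanged: npf_bpf_prepare() args setup … */
	const uint32_t ver = npf_alen_to_ipver(npc->npc_alen);
/* … unchanged: M[] stores … */
```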
@@ -123,35 +143,18 @@ npf_bpf_validate(const void *code, size_ /* * NPF_COP_L3: fetches layer 3 information. - * - * Output words in the memory store: - * BPF_MW_IPVER IP version (4 or 6). - * BPF_MW_L4OFF L4 header offset. - * BPF_MW_L4PROTO L4 protocol. */ static uint32_t npf_cop_l3(const bpf_ctx_t *bc, bpf_args_t *args, uint32_t A) { const npf_cache_t * const npc = (const npf_cache_t *)args->arg; + const uint32_t ver = (npc->npc_alen & 4) | ((npc->npc_alen >> 4) * 6); uint32_t * const M = args->mem; - /* - * Convert address length to IP version. Just mask out - * number 4 or set 6 if higher bits set, such that: - * - * 0 => 0 - * 4 => 4 (IPVERSION) - * 16 => 6 (IPV6_VERSION >> 4) - */ - const u_int alen = npc->npc_alen; - const uint32_t ver = (alen & 4) | ((alen >> 4) * 6); - M[BPF_MW_IPVER] = ver; M[BPF_MW_L4OFF] = npc->npc_hlen; M[BPF_MW_L4PROTO] = npc->npc_proto; - - /* A <- IP version */ - return ver; + return ver; /* A <- IP version */ } #define SRC_FLAG_BIT (1U << 31) Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.6 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.7 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.6 Sat May 31 22:41:37 2014 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Sun Jun 29 00:05:24 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $ */ +/* $NetBSD: npf_bpf_comp.c,v 1.7 2014/06/29 00:05:24 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.7 2014/06/29 00:05:24 rmind Exp $"); #include #include @@ -284,8 +284,7 @@ fetch_l3(npf_bpf_t *ctx, sa_fami
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Wed Jun 25 01:21:36 UTC 2014 Modified Files: src/sys/net: bpfjit.c Log Message: bpfjit_generate_code: emit the instruction correctly. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/net/bpfjit.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/bpfjit.c diff -u src/sys/net/bpfjit.c:1.14 src/sys/net/bpfjit.c:1.15 --- src/sys/net/bpfjit.c:1.14 Tue Jun 24 22:19:36 2014 +++ src/sys/net/bpfjit.c Wed Jun 25 01:21:36 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: bpfjit.c,v 1.14 2014/06/24 22:19:36 rmind Exp $ */ +/* $NetBSD: bpfjit.c,v 1.15 2014/06/25 01:21:36 rmind Exp $ */ /*- * Copyright (c) 2011-2014 Alexander Nasonov. @@ -31,9 +31,9 @@ #include #ifdef _KERNEL -__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.14 2014/06/24 22:19:36 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.15 2014/06/25 01:21:36 rmind Exp $"); #else -__RCSID("$NetBSD: bpfjit.c,v 1.14 2014/06/24 22:19:36 rmind Exp $"); +__RCSID("$NetBSD: bpfjit.c,v 1.15 2014/06/25 01:21:36 rmind Exp $"); #endif #include @@ -1670,7 +1670,7 @@ bpfjit_generate_code(const bpf_ctx_t *bc status = sljit_emit_op1(compiler, SLJIT_MOV_P, BJ_TMP1REG, 0, - BJ_ARGS, offsetof(struct bpf_args, mem)); + SLJIT_MEM1(BJ_ARGS), offsetof(struct bpf_args, mem)); if (status != SLJIT_SUCCESS) goto fail;
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: rmind Date: Wed Jun 25 00:21:42 UTC 2014 Modified Files: src/usr.sbin/npf/npftest: README src/usr.sbin/npf/npftest/libnpftest: npf_perf_test.c Log Message: npftest: add an example in the README, fix the total in npf_test_conc(). To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npftest/README cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/README diff -u src/usr.sbin/npf/npftest/README:1.5 src/usr.sbin/npf/npftest/README:1.6 --- src/usr.sbin/npf/npftest/README:1.5 Wed May 14 21:46:50 2014 +++ src/usr.sbin/npf/npftest/README Wed Jun 25 00:21:42 2014 @@ -1,4 +1,4 @@ -$NetBSD: README,v 1.5 2014/05/14 21:46:50 rmind Exp $ +$NetBSD: README,v 1.6 2014/06/25 00:21:42 rmind Exp $ npftest - a tool for regression testing and debugging NPF. It uses RUMP framework to run NPF kernel module in the userspace. @@ -12,12 +12,16 @@ npftest -c /tmp/npf.plist -t Stream: -tcpdump -w stream.pcap -i $INTERFACE "host $HOST and tcp" +tcpdump -w stream.pcap -i $interface "host $host and tcp" npfctl debug npftest.conf /tmp/npf.plist npftest -c /tmp/npf.plist -s stream.pcap > stream_npf_data.txt Preferably, use MALLOC_OPTIONS="AJ" and/or other facilities. +Benchmark: + +npftest -b rule -c /tmp/npf.plist -p $ncpu + --- Update RUMP libraries once the kernel side has been changed. Hint: Index: src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c:1.3 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c:1.4 --- src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c:1.3 Tue Sep 24 22:52:14 2013 +++ src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c Wed Jun 25 00:21:42 2014 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_perf_test.c,v 1.3 2013/09/24 22:52:14 joerg Exp $ */ +/* $NetBSD: npf_perf_test.c,v 1.4 2014/06/25 00:21:42 rmind Exp $ */ /* * NPF benchmarking. @@ -99,5 +99,5 @@ npf_test_conc(bool st, unsigned nthreads kmem_free(npackets, sizeof(uint64_t) * nthreads); kmem_free(l, sizeof(lwp_t *) * nthreads); - printf("%u\t%" PRIu64 "\n", nthreads, total); + printf("%u\t%" PRIu64 "\n", nthreads, total / NSECS); }
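Review bot: `total / NSECS` turns the printed column from a raw count into a rate, but the printf still carries no unit and NSECS is not visible in the hunk; a comment above the print, `/* packets per second, averaged over the NSECS-second run */` (assuming NSECS is the run length in seconds — confirm), would make the output self-describing. Integer division truncates the remainder, which is acceptable for a benchmark summary but worth stating next to the division. npf_test_conc() starts before the hunk.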
CVS commit: src
Module Name:src Committed By: rmind Date: Wed Jun 25 00:20:06 UTC 2014 Modified Files: src/sys/net/npf: npf.h npf_bpf.c npf_impl.h npf_ruleset.c src/usr.sbin/npf/npftest/libnpftest: npf_bpf_test.c Log Message: Adjust NPF to the recent BPF / BPF JIT changes and make it work again. All regression tests are happy now (hi alnsn!). To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf.h cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_bpf.c cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_ruleset.c cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.40 src/sys/net/npf/npf.h:1.41 --- src/sys/net/npf/npf.h:1.40 Fri May 30 23:26:06 2014 +++ src/sys/net/npf/npf.h Wed Jun 25 00:20:06 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.40 2014/05/30 23:26:06 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.41 2014/06/25 00:20:06 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -67,6 +67,8 @@ typedef uint8_t npf_netmask_t; #define BPF_MW_L4OFF 1 #define BPF_MW_L4PROTO 2 #endif +/* The number of words used. */ +#define NPF_BPF_NWORDS 3 #if defined(_KERNEL) Index: src/sys/net/npf/npf_bpf.c diff -u src/sys/net/npf/npf_bpf.c:1.7 src/sys/net/npf/npf_bpf.c:1.8 --- src/sys/net/npf/npf_bpf.c:1.7 Tue Jun 24 11:31:49 2014 +++ src/sys/net/npf/npf_bpf.c Wed Jun 25 00:20:06 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf.c,v 1.7 2014/06/24 11:31:49 alnsn Exp $ */ +/* $NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 
@@ -34,11 +34,12 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.7 2014/06/24 11:31:49 alnsn Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $"); #include #include +#include #include #include @@ -59,12 +60,15 @@ static const bpf_copfunc_t npf_bpfcop[] [NPF_COP_TABLE] = npf_cop_table, }; +#define BPF_MW_ALLMASK \ +((1U << BPF_MW_IPVER) | (1U << BPF_MW_L4OFF) | (1U << BPF_MW_L4PROTO)) + void npf_bpf_sysinit(void) { npf_bpfctx = bpf_create(); - KASSERT(npf_bpfctx != NULL); bpf_set_cop(npf_bpfctx, npf_bpfcop, __arraycount(npf_bpfcop)); + bpf_set_extmem(npf_bpfctx, NPF_BPF_NWORDS, BPF_MW_ALLMASK); } void @@ -73,6 +77,20 @@ npf_bpf_sysfini(void) bpf_destroy(npf_bpfctx); } +void +npf_bpf_prepare(npf_cache_t *npc, nbuf_t *nbuf, bpf_args_t *args, uint32_t *m) +{ + const struct mbuf *mbuf = nbuf_head_mbuf(nbuf); + const size_t pktlen = m_length(mbuf); + + /* Prepare the arguments for the BPF programs. */ + args->pkt = (const uint8_t *)mbuf; + args->wirelen = pktlen; + args->buflen = 0; + args->mem = m; + args->arg = npc; +} + int npf_bpf_filter(bpf_args_t *args, const void *code, bpfjit_func_t jcode) { Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.52 src/sys/net/npf/npf_impl.h:1.53 --- src/sys/net/npf/npf_impl.h:1.52 Fri May 30 23:26:06 2014 +++ src/sys/net/npf/npf_impl.h Wed Jun 25 00:20:06 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_impl.h,v 1.52 2014/05/30 23:26:06 rmind Exp $ */ +/* $NetBSD: npf_impl.h,v 1.53 2014/06/25 00:20:06 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 
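Review bot: The new `bpf_set_extmem(npf_bpfctx, NPF_BPF_NWORDS, BPF_MW_ALLMASK)` call in npf_bpf_sysinit() discards its int return; the bpf_filter.c change elsewhere on this page makes that function return EINVAL when the word count exceeds BPF_MAX_MEMWORDS, so a silent failure would leave the context without an external memstore while npf_bpf_prepare() keeps writing `M[...]` words nobody validates. Make the misconfiguration visible: `int error __diagused = bpf_set_extmem(npf_bpfctx, NPF_BPF_NWORDS, BPF_MW_ALLMASK); KASSERT(error == 0);` — the same treatment suits the existing bpf_set_cop() call. Dropping `KASSERT(npf_bpfctx != NULL)` is fine only if bpf_create() cannot return NULL, which the hunk does not show.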
@@ -223,6 +223,7 @@ bool npf_return_block(npf_cache_t *, nb /* BPF interface. */ void npf_bpf_sysinit(void); void npf_bpf_sysfini(void); +void npf_bpf_prepare(npf_cache_t *, nbuf_t *, bpf_args_t *, uint32_t *); int npf_bpf_filter(bpf_args_t *, const void *, bpfjit_func_t); void * npf_bpf_compile(void *, size_t); bool npf_bpf_validate(const void *, size_t); Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.32 src/sys/net/npf/npf_ruleset.c:1.33 --- src/sys/net/npf/npf_ruleset.c:1.32 Tue Jun 24 10:53:30 2014 +++ src/sys/net/npf/npf_ruleset.c Wed Jun 25 00:20:06 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.32 2014/06/24 10:53:30 alnsn Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.33 2014/06/25 00:20:06 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.32 2014/06/24 10:53:30 alnsn Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.33 2014/06/25 00:20:06 rmind Exp $"); #include #include @@ -741,18 +741,18 @@ npf_ruleset_inspect(npf_cache_t *npc, nb const u_int nitems = rlset->rs_nitems; const u_int ifid = nbuf->nb_ifid; npf_rule_t *final_rl = NULL; - const struct mbuf *m; bpf_args_t bc_args; u_int n = 0; - memset(&bc_args, 0, sizeof(bpf_args_t)); - m = nbuf_head_mbuf(nbuf); - bc_args.pkt = (const uint8_t *)m; - bc_args.wirelen = m_length(m); - bc_args.arg = npc; - KASSERT(((di & PFIL_IN) != 0) ^ ((di & PFIL_OUT) != 0)); + /* +
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Tue Jun 24 22:27:40 UTC 2014 Modified Files: src/sys/net: bpf_filter.c Log Message: - bpf_validate_ext: fix memword validation in BPF_ST/BPF_STX case. - bpf_set_extmem: check the number of words against BPF_MAX_MEMWORDS. To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/sys/net/bpf_filter.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/bpf_filter.c diff -u src/sys/net/bpf_filter.c:1.63 src/sys/net/bpf_filter.c:1.64 --- src/sys/net/bpf_filter.c:1.63 Tue Jun 24 22:19:36 2014 +++ src/sys/net/bpf_filter.c Tue Jun 24 22:27:40 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: bpf_filter.c,v 1.63 2014/06/24 22:19:36 rmind Exp $ */ +/* $NetBSD: bpf_filter.c,v 1.64 2014/06/24 22:27:40 rmind Exp $ */ /*- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.63 2014/06/24 22:19:36 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.64 2014/06/24 22:27:40 rmind Exp $"); #if 0 #if !(defined(lint) || defined(KERNEL)) @@ -79,8 +79,9 @@ bpf_set_cop(bpf_ctx_t *bc, const bpf_cop int bpf_set_extmem(bpf_ctx_t *bc, size_t nwords, bpf_memword_init_t preinited) { - /* XXX check arguments */ - + if (nwords > BPF_MAX_MEMWORDS) { + return EINVAL; + } bc->extwords = nwords; bc->preinited = preinited; return 0; @@ -661,7 +662,7 @@ bpf_validate(const struct bpf_insn *f, i goto out; #if defined(KERNEL) || defined(_KERNEL) /* validate the memory word */ - invalid &= ~BPF_MEMWORD_INIT(1 << p->k); + invalid &= ~BPF_MEMWORD_INIT(p->k); #endif break; case BPF_ALU:
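Review bot: bpf_set_extmem() now rejects `nwords > BPF_MAX_MEMWORDS` but still accepts any `preinited` mask, so a caller can mark words at or beyond `nwords` as pre-initialised and bpf_validate_ext() would then accept loads of words that do not exist; bound the mask by the word count too, e.g. `if (nwords > BPF_MAX_MEMWORDS || (preinited & ~(BPF_MEMWORD_INIT(nwords) - 1)) != 0) return EINVAL;` (for `nwords == 0` this forces an empty mask, matching the internal-memstore case, and it also keeps the two bpfjit-reserved high bits clear). In the second hunk the corrected `BPF_MEMWORD_INIT(p->k)` shifts by `p->k`, which comes from a userland-supplied program; the preceding `goto out` suggests the index is already range-checked, but that check is outside the hunk and a shift by 32 or more is undefined, so it is worth confirming. bpf_validate() starts before the hunk.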
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Tue Jun 24 22:19:36 UTC 2014 Modified Files: src/sys/net: bpf.h bpf_filter.c bpfjit.c Log Message: - Improve the comments in bpf.h and KNF a little. - Rename bpf_ctx_t member noinit to preinited (reflects the meaning better). To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/sys/net/bpf.h cvs rdiff -u -r1.62 -r1.63 src/sys/net/bpf_filter.c cvs rdiff -u -r1.13 -r1.14 src/sys/net/bpfjit.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/bpf.h diff -u src/sys/net/bpf.h:1.64 src/sys/net/bpf.h:1.65 --- src/sys/net/bpf.h:1.64 Tue Jun 24 10:53:30 2014 +++ src/sys/net/bpf.h Tue Jun 24 22:19:36 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: bpf.h,v 1.64 2014/06/24 10:53:30 alnsn Exp $ */ +/* $NetBSD: bpf.h,v 1.65 2014/06/24 22:19:36 rmind Exp $ */ /* * Copyright (c) 1990, 1991, 1993 @@ -280,19 +280,16 @@ struct bpf_insn { /* * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). */ -#define BPF_MEMWORDS 16 +#define BPF_MEMWORDS 16 /* - * Each bit in bpf_memword_init_t value indicates if the corresponding - * external memory word is initialised prior to calling a bpf program. - * Note that when used internally, a meaning is often flipped: bits - * indicate which memory words need to be initialised prior to - * executing a bpf program. + * bpf_memword_init_t: bits indicate which words in the external memory + * store will be initialised by the caller before BPF program execution. */ typedef uint32_t bpf_memword_init_t; -#define BPF_MEMWORD_INIT(k) (UINT32_C(1) << (k)) +#define BPF_MEMWORD_INIT(k) (UINT32_C(1) << (k)) -/* Two most significant bits are reserved by bpfjit. */ +/* Note: two most significant bits are reserved by bpfjit. */ __CTASSERT(BPF_MEMWORDS + 2 <= sizeof(bpf_memword_init_t) * NBBY); #ifdef _KERNEL 
@@ -300,13 +297,10 @@ __CTASSERT(BPF_MEMWORDS + 2 <= sizeof(bp * Max number of external memory words (for BPF_LD|BPF_MEM and BPF_ST). */ #define BPF_MAX_MEMWORDS 30 -__CTASSERT(BPF_MAX_MEMWORDS >= BPF_MEMWORDS); -#ifdef __BPF_PRIVATE -/* Two most significant bits are reserved by bpfjit. */ +__CTASSERT(BPF_MAX_MEMWORDS >= BPF_MEMWORDS); __CTASSERT(BPF_MAX_MEMWORDS + 2 <= sizeof(bpf_memword_init_t) * NBBY); #endif -#endif /* * Structure to retrieve available DLTs for the interface. @@ -319,10 +313,7 @@ struct bpf_dltlist { struct bpf_ctx; typedef struct bpf_ctx bpf_ctx_t; -struct bpf_args; -typedef struct bpf_args bpf_args_t; - -struct bpf_args { +typedef struct bpf_args { const uint8_t * pkt; size_t wirelen; size_t buflen; @@ -336,21 +327,32 @@ struct bpf_args { */ uint32_t * mem; /* pointer to external memory store */ void * arg; /* auxiliary argument for a copfunc */ -}; +} bpf_args_t; #if defined(_KERNEL) || defined(__BPF_PRIVATE) + typedef uint32_t (*bpf_copfunc_t)(const bpf_ctx_t *, bpf_args_t *, uint32_t); struct bpf_ctx { + /* + * BPF coprocessor functions and the number of them. + */ const bpf_copfunc_t * copfuncs; size_t nfuncs; + /* - * Number of external memwords, up to BPF_MAX_MEMWORDS or 0. - * The latter forces a switch to internal memstore with a - * fixed number (BPF_MEMWORDS) of memwords. + * The number of memory words in the external memory store. + * There may be up to BPF_MAX_MEMWORDS words; if zero is set, + * then the internal memory store is used which has a fixed + * number of words (BPF_MEMWORDS). */ size_t extwords; - bpf_memword_init_t noinit; /* pre-initialised external memwords */ + + /* + * The bitmask indicating which words in the external memstore + * will be initialised by the caller. + */ + bpf_memword_init_t preinited; }; #endif 
@@ -447,20 +449,20 @@ bpf_mtap_sl_out(struct ifnet *_ifp, u_ch } -void bpf_setops(void); +void bpf_setops(void); -void bpf_ops_handover_enter(struct bpf_ops *); -void bpf_ops_handover_exit(void); +void bpf_ops_handover_enter(struct bpf_ops *); +void bpf_ops_handover_exit(void); -void bpfilterattach(int); +void bpfilterattach(int); bpf_ctx_t *bpf_create(void); void bpf_destroy(bpf_ctx_t *); -int bpf_set_cop(bpf_ctx_t *, const bpf_copfunc_t *, size_t); -int bpf_set_extmem(bpf_ctx_t *, size_t, bpf_memword_init_t); -u_int bpf_filter_ext(const bpf_ctx_t *, const struct bpf_insn *, bpf_args_t *); -int bpf_validate_ext(const bpf_ctx_t *, const struct bpf_insn *, int); +int bpf_set_cop(bpf_ctx_t *, const bpf_copfunc_t *, size_t); +int bpf_set_extmem(bpf_ctx_t *, size_t, bpf_memword_init_t); +u_int bpf_filter_ext(const bpf_ctx_t *, const struct bpf_insn *, bpf_args_t *); +int bpf_validate_ext(const bpf_ctx_t *, const struct bpf_insn *, int); bpfjit_func_t bpf_jit_generate(bpf_ctx_t *, void *, size_t); void bpf_jit_freecode(bpfjit_func_t); Index: src/sys/net/bpf_filter.c diff -u src/sys/net/bpf_filter.c:1.62 src/sys/net/bpf_filter.c:1.63 --- src/
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Fri Jun 13 13:54:08 UTC 2014 Modified Files: src/sys/net: if.c Log Message: if_detach: drain ip6_pktq as well. To generate a diff of this commit: cvs rdiff -u -r1.280 -r1.281 src/sys/net/if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if.c diff -u src/sys/net/if.c:1.280 src/sys/net/if.c:1.281 --- src/sys/net/if.c:1.280 Tue Jun 10 09:38:30 2014 +++ src/sys/net/if.c Fri Jun 13 13:54:08 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if.c,v 1.280 2014/06/10 09:38:30 joerg Exp $ */ +/* $NetBSD: if.c,v 1.281 2014/06/13 13:54:08 rmind Exp $ */ /*- * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc. @@ -90,7 +90,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.280 2014/06/10 09:38:30 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.281 2014/06/13 13:54:08 rmind Exp $"); #include "opt_inet.h" @@ -875,6 +875,9 @@ again: #ifdef INET pktq_barrier(ip_pktq); #endif +#ifdef INET6 + pktq_barrier(ip6_pktq); +#endif xc = xc_broadcast(0, (xcfunc_t)nullop, NULL, NULL); xc_wait(xc);
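Review bot: The added `pktq_barrier(ip6_pktq)` mirrors the INET case, but according to the pktqueue.c comments elsewhere on this page a barrier only waits for in-flight pktq_dequeue() callers; packets already sitting in the queue that still reference the detaching interface are not removed by it, so the log message's "drain" holds only if the consumer side checks for a detached ifp or a flush happens elsewhere in if_detach(), which is outside the hunk. Once that is confirmed, a comment above the two barriers such as `/* Wait for in-flight dequeuers; queued packets referencing this ifp are dealt with by the consumer. */` would record what the calls actually guarantee. if_detach() starts and ends outside the hunk.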
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Mon Jun 9 14:44:48 UTC 2014 Modified Files: src/sys/net: pktqueue.c Log Message: pktqueue: add or fix some comments, remove some header inclusions. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/sys/net/pktqueue.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/pktqueue.c diff -u src/sys/net/pktqueue.c:1.3 src/sys/net/pktqueue.c:1.4 --- src/sys/net/pktqueue.c:1.3 Mon Jun 9 13:03:16 2014 +++ src/sys/net/pktqueue.c Mon Jun 9 14:44:48 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $ */ +/* $NetBSD: pktqueue.c,v 1.4 2014/06/09 14:44:48 rmind Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -29,8 +29,14 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * The packet queue (pktqueue) interface is a lockless IP input queue + * which also abstracts and handles network ISR scheduling. It provides + * a mechanism to enable receiver-side packet steering (RPS). + */ + #include -__KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v 1.4 2014/06/09 14:44:48 rmind Exp $"); #include #include @@ -43,10 +49,6 @@ __KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v #include #include -#include -#include -#include - #include /* @@ -285,7 +287,7 @@ pktq_barrier(pktqueue_t *pq) /* * pktq_flush: free mbufs in all queues. * - * => The caller must ensure there are no concurrent writers or flush. + * => The caller must ensure there are no concurrent writers or flush calls. */ void pktq_flush(pktqueue_t *pq) 
@@ -332,12 +334,12 @@ pktq_set_maxlen(pktqueue_t *pq, size_t m /* * At this point, the new packets are flowing into the new - * queues. However, the old queues may have same packets - * present which are no longer being present. We are going + * queues. However, the old queues may have some packets + * present which are no longer being processed. We are going * to re-enqueue them. This may change the order of packet * arrival, but it is not considered an issue. * - * There may also in-flight interrupts calling pktq_dequeue() + * There may be in-flight interrupts calling pktq_dequeue() * which reference the old queues. Issue a barrier to ensure * that we are going to be the only pcq_get() callers on the * old queues.
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Mon Jun 9 13:03:16 UTC 2014 Modified Files: src/sys/net: pktqueue.c src/sys/rump/librump/rumpkern: intr.c Log Message: Restore the assert in RUMP's softint_schedule_cpu() and just ensure curcpu() in the caller. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/net/pktqueue.c cvs rdiff -u -r1.44 -r1.45 src/sys/rump/librump/rumpkern/intr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/pktqueue.c diff -u src/sys/net/pktqueue.c:1.2 src/sys/net/pktqueue.c:1.3 --- src/sys/net/pktqueue.c:1.2 Mon Jun 9 12:57:04 2014 +++ src/sys/net/pktqueue.c Mon Jun 9 13:03:16 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $ */ +/* $NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $"); #include #include @@ -204,9 +204,9 @@ pktq_rps_hash(const struct mbuf *m __unu * => Returns false on failure; caller is responsible to free the packet. */ bool -pktq_enqueue(pktqueue_t *pq, struct mbuf *m, const u_int hash) +pktq_enqueue(pktqueue_t *pq, struct mbuf *m, const u_int hash __unused) { - const unsigned cpuid = hash % ncpu; + const unsigned cpuid = curcpu()->ci_index /* hash % ncpu */; KASSERT(kpreempt_disabled()); Index: src/sys/rump/librump/rumpkern/intr.c diff -u src/sys/rump/librump/rumpkern/intr.c:1.44 src/sys/rump/librump/rumpkern/intr.c:1.45 --- src/sys/rump/librump/rumpkern/intr.c:1.44 Sun Jun 8 15:24:34 2014 +++ src/sys/rump/librump/rumpkern/intr.c Mon Jun 9 13:03:16 2014 
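Review bot: `const unsigned cpuid = curcpu()->ci_index /* hash % ncpu */;` disables receiver-side steering entirely (every packet is queued on the current CPU) with the reason left implicit; the companion intr.c hunk shows RUMP's softint_schedule_cpu() can only schedule on curcpu(), which is why the hash is no longer consulted. Replace the in-declaration remnant with a comment that records the constraint, e.g. `/* XXX: RPS disabled — softint_schedule_cpu() cannot target a remote CPU yet (see rumpkern/intr.c); use hash % ncpu once it can. */`, so the `hash __unused` reads as a temporary measure rather than the design. pktq_enqueue() continues past the hunk.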
@@ -1,4 +1,4 @@
-/* $NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $ */
+/* $NetBSD: intr.c,v 1.45 2014/06/09 13:03:16 rmind Exp $ */
 /*
 * Copyright (c) 2008-2010 Antti Kantee. All Rights Reserved.
@@ -26,7 +26,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: intr.c,v 1.45 2014/06/09 13:03:16 rmind Exp $");
 #include
 #include
@@ -329,8 +329,8 @@ softint_schedule_cpu(void *arg, struct c
 {
 /*
 * TODO: implement this properly
- * KASSERT(curcpu() == ci);
 */
+ KASSERT(curcpu() == ci);
 softint_schedule(arg);
 }
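Review bot: The TODO comment above the restored assertion should say what the function actually does with `ci`: the argument is ignored and the softint is scheduled on the current CPU via softint_schedule(arg), and the KASSERT only checks that the caller is on `ci` in DIAGNOSTIC kernels — in other builds a cross-CPU caller silently runs the softint on the wrong CPU. Suggested wording: `/* TODO: implement this properly. ci is ignored and the softint runs on curcpu(); the KASSERT below verifies the caller is already there (DIAGNOSTIC only). */`.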
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Mon Jun 9 12:57:05 UTC 2014 Modified Files: src/sys/net: if.c pktqueue.c pktqueue.h Log Message: Implement pktq_set_maxlen() and let sysctl net.inet.{ip,ip6}.ifq.maxlen be changed on the fly again. To generate a diff of this commit: cvs rdiff -u -r1.278 -r1.279 src/sys/net/if.c cvs rdiff -u -r1.1 -r1.2 src/sys/net/pktqueue.c src/sys/net/pktqueue.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if.c diff -u src/sys/net/if.c:1.278 src/sys/net/if.c:1.279 --- src/sys/net/if.c:1.278 Sat Jun 7 13:25:33 2014 +++ src/sys/net/if.c Mon Jun 9 12:57:04 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if.c,v 1.278 2014/06/07 13:25:33 he Exp $ */ +/* $NetBSD: if.c,v 1.279 2014/06/09 12:57:04 rmind Exp $ */ /*- * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc. @@ -90,7 +90,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.278 2014/06/07 13:25:33 he Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.279 2014/06/09 12:57:04 rmind Exp $"); #include "opt_inet.h" @@ -2341,6 +2341,20 @@ bad: #if defined(INET) || defined(INET6) static int +sysctl_pktq_maxlen(SYSCTLFN_ARGS, pktqueue_t *pq) +{ + u_int nmaxlen = pktq_get_count(pq, PKTQ_MAXLEN); + struct sysctlnode node = *rnode; + int error; + + node.sysctl_data = &nmaxlen; + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + if (error || newp == NULL) + return error; + return pktq_set_maxlen(pq, nmaxlen); +} + +static int sysctl_pktq_count(SYSCTLFN_ARGS, pktqueue_t *pq, u_int count_id) { int count = pktq_get_count(pq, count_id); 
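Review bot: sysctl_pktq_maxlen() has no comment saying where the bounds of the user-supplied value are enforced, and a reader of this writable sysctl path will look for a check here and not find one; the range check is in pktq_set_maxlen() (EINVAL for 0 or above PCQ_MAXLEN, in the pktqueue.c hunk of this commit), and a negative value written through the int-typed node lands in that branch only because it wraps through `u_int nmaxlen` to a large `size_t`. Add a header comment such as `/* sysctl_pktq_maxlen: set the queue limit; 0 < maxlen <= PCQ_MAXLEN is enforced by pktq_set_maxlen(), which returns EINVAL otherwise. */`. Using `u_int nmaxlen` here while the sibling sysctl_pktq_count() uses `int count` for the same node type is also worth a one-line remark so the difference does not look accidental.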
@@ -2357,12 +2371,21 @@ sysctl_pktq_count(SYSCTLFN_ARGS, pktqueu } #if defined(INET) -SYSCTL_NET_PKTQ(ip_pktq, maxlen, PKTQ_MAXLEN) +static int +sysctl_net_ip_pktq_maxlen(SYSCTLFN_ARGS) +{ + return sysctl_pktq_maxlen(SYSCTLFN_CALL(rnode), ip_pktq); +} SYSCTL_NET_PKTQ(ip_pktq, items, PKTQ_NITEMS) SYSCTL_NET_PKTQ(ip_pktq, drops, PKTQ_DROPS) #endif + #if defined(INET6) -SYSCTL_NET_PKTQ(ip6_pktq, maxlen, PKTQ_MAXLEN) +static int +sysctl_net_ip6_pktq_maxlen(SYSCTLFN_ARGS) +{ + return sysctl_pktq_maxlen(SYSCTLFN_CALL(rnode), ip6_pktq); +} SYSCTL_NET_PKTQ(ip6_pktq, items, PKTQ_NITEMS) SYSCTL_NET_PKTQ(ip6_pktq, drops, PKTQ_DROPS) #endif Index: src/sys/net/pktqueue.c diff -u src/sys/net/pktqueue.c:1.1 src/sys/net/pktqueue.c:1.2 --- src/sys/net/pktqueue.c:1.1 Thu Jun 5 23:48:16 2014 +++ src/sys/net/pktqueue.c Mon Jun 9 12:57:04 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pktqueue.c,v 1.1 2014/06/05 23:48:16 rmind Exp $ */ +/* $NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v 1.1 2014/06/05 23:48:16 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $"); #include #include 
@@ -299,3 +299,63 @@ pktq_flush(pktqueue_t *pq)
 }
 }
 }
+
+/*
+ * pktq_set_maxlen: create per-CPU queues using a new size and replace
+ * the existing queues without losing any packets.
+ */
+int
+pktq_set_maxlen(pktqueue_t *pq, size_t maxlen)
+{
+ const u_int slotbytes = ncpu * sizeof(pcq_t *);
+ pcq_t **qs;
+
+ if (!maxlen || maxlen > PCQ_MAXLEN)
+ return EINVAL;
+ if (pq->pq_maxlen == maxlen)
+ return 0;
+
+ /* First, allocate the new queues and replace them. */
+ qs = kmem_zalloc(slotbytes, KM_SLEEP);
+ for (u_int i = 0; i < ncpu; i++) {
+ qs[i] = pcq_create(maxlen, KM_SLEEP);
+ }
+ mutex_enter(&pq->pq_lock);
+ for (u_int i = 0; i < ncpu; i++) {
+ /* Swap: store of a word is atomic. */
+ pcq_t *q = pq->pq_queue[i];
+ pq->pq_queue[i] = qs[i];
+ qs[i] = q;
+ }
+ pq->pq_maxlen = maxlen;
+ mutex_exit(&pq->pq_lock);
+
+ /*
+ * At this point, the new packets are flowing into the new
+ * queues. However, the old queues may have same packets
+ * present which are no longer being present. We are going
+ * to re-enqueue them. This may change the order of packet
+ * arrival, but it is not considered an issue.
+ *
+ * There may also in-flight interrupts calling pktq_dequeue()
+ * which reference the old queues. Issue a barrier to ensure
+ * that we are going to be the only pcq_get() callers on the
+ * old queues.
+ */
+ pktq_barrier(pq);
+
+ for (u_int i = 0; i < ncpu; i++) {
+ struct mbuf *m;
+
+ while ((m = pcq_get(qs[i])) != NULL) {
+ while (!pcq_put(pq->pq_queue[i], m)) {
+kpause("pktqrenq", false, 1, NULL);
+ }
+ }
+ pcq_destroy(qs[i]);
+ }
+
+ /* Well, that was fun. */
+ kmem_free(qs, slotbytes);
+ return 0;
+}
Index: src/sys/net/pktqueue.h
diff -u src/sys/net/pktqueue.h:1.1 src/sys/net/pktqueue.h:1.2
--- src/sys/net/pktqueue.h:1.1 Thu Jun 5 23:48:16 2014
+++ src/sys/net/pktqueue.h Mon Jun 9 12:57:04 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: pktqueue.h,v 1.1 2014/06/05 23:48:16 rmind Exp $ */
+/* $NetBSD: pktqueue.h,v 1.2 2014/06/09 12:57:04 rmind Exp $ */
 /*-
 * Copyright (c
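Review bot: The re-enqueue loop puts the moved packets straight into `pq->pq_queue[i]` with `pcq_put()`, bypassing whatever pktq_enqueue() does to wake the per-CPU consumer (its body is outside this hunk; the commit at the top of this page that makes pktq_enqueue() use curcpu() alongside softint_schedule_cpu() suggests a softint is scheduled there), so if no further packet arrives on CPU i the moved packets may sit in the new queue, and when maxlen shrank the `kpause` loop may wait on a consumer that was never scheduled. After draining `qs[i]`, schedule the queue's drain softint for that CPU, or route the packets through the public enqueue path. Separately, nothing serialises two concurrent pktq_set_maxlen() callers: a second call swaps out and destroys the queues the first is still putting into, because `pq->pq_queue[i]` is re-read unlocked inside the loop and the barrier only covers dequeuers. If the only caller is the sysctl handler (which presumably serialises writers), record that in the header comment, e.g. `* => Callers must serialise; concurrent calls are not supported.`, otherwise hold a caller-level lock across the whole operation.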
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Mon Jun 9 12:44:07 UTC 2014 Modified Files: src/sys/kern: subr_pcq.c src/sys/sys: pcq.h Log Message: Add PCQ_MAXLEN constant. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/sys/kern/subr_pcq.c cvs rdiff -u -r1.1 -r1.2 src/sys/sys/pcq.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_pcq.c diff -u src/sys/kern/subr_pcq.c:1.7 src/sys/kern/subr_pcq.c:1.8 --- src/sys/kern/subr_pcq.c:1.7 Thu Feb 6 03:47:16 2014 +++ src/sys/kern/subr_pcq.c Mon Jun 9 12:44:06 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_pcq.c,v 1.7 2014/02/06 03:47:16 riastradh Exp $ */ +/* $NetBSD: subr_pcq.c,v 1.8 2014/06/09 12:44:06 rmind Exp $ */ /*- * Copyright (c) 2009 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: subr_pcq.c,v 1.7 2014/02/06 03:47:16 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_pcq.c,v 1.8 2014/06/09 12:44:06 rmind Exp $"); #include #include @@ -60,6 +60,7 @@ struct pcq { * Consumer (c) - in the higher 16 bits. * * We have a limitation of 16 bits i.e. 0x items in the queue. + * The PCQ_MAXLEN constant is set accordingly. */ static inline void @@ -197,7 +198,7 @@ pcq_create(size_t nitems, km_flag_t kmfl { pcq_t *pcq; - KASSERT(nitems > 0 || nitems <= 0x); + KASSERT(nitems > 0 || nitems <= PCQ_MAXLEN); pcq = kmem_zalloc(offsetof(pcq_t, pcq_items[nitems]), kmflags); if (pcq == NULL) { Index: src/sys/sys/pcq.h diff -u src/sys/sys/pcq.h:1.1 src/sys/sys/pcq.h:1.2 --- src/sys/sys/pcq.h:1.1 Tue Nov 11 20:17:27 2008 +++ src/sys/sys/pcq.h Mon Jun 9 12:44:06 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pcq.h,v 1.1 2008/11/11 20:17:27 matt Exp $ */ +/* $NetBSD: pcq.h,v 1.2 2014/06/09 12:44:06 rmind Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. 
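Review bot: `KASSERT(nitems > 0 || nitems <= PCQ_MAXLEN)` is vacuous: for an unsigned `nitems` one of the two disjuncts always holds, so neither nitems == 0 nor an oversize queue is caught, and a queue larger than the limit would wrap the 16-bit producer/consumer counters the comment above describes. The commit only renamed the constant, but since it touches the line this is the moment to fix the operator: `KASSERT(nitems > 0 && nitems <= PCQ_MAXLEN);`. pcq_create continues outside the hunk.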
@@ -37,12 +37,16 @@ typedef struct pcq pcq_t;
 #ifdef _KERNEL
+
+#define PCQ_MAXLEN (0xU)
+
 bool pcq_put(pcq_t *, void *);
 void * pcq_peek(pcq_t *);
 void * pcq_get(pcq_t *);
 size_t pcq_maxitems(pcq_t *);
 pcq_t * pcq_create(size_t, km_flag_t);
 void pcq_destroy(pcq_t *);
+
 #endif /* _KERNEL */
 #endif /* _SYS_PCQ_H_ */
CVS commit: src/sys/rump/librump/rumpkern
Module Name:src Committed By: rmind Date: Sun Jun 8 15:24:34 UTC 2014 Modified Files: src/sys/rump/librump/rumpkern: intr.c Log Message: RUMP's softint_schedule_cpu: comment out an assert for now. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/sys/rump/librump/rumpkern/intr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/rump/librump/rumpkern/intr.c diff -u src/sys/rump/librump/rumpkern/intr.c:1.43 src/sys/rump/librump/rumpkern/intr.c:1.44 --- src/sys/rump/librump/rumpkern/intr.c:1.43 Thu Jun 5 23:43:04 2014 +++ src/sys/rump/librump/rumpkern/intr.c Sun Jun 8 15:24:34 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: intr.c,v 1.43 2014/06/05 23:43:04 rmind Exp $ */ +/* $NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $ */ /* * Copyright (c) 2008-2010 Antti Kantee. All Rights Reserved. @@ -26,7 +26,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: intr.c,v 1.43 2014/06/05 23:43:04 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $"); #include #include @@ -327,8 +327,10 @@ softint_schedule(void *arg) void softint_schedule_cpu(void *arg, struct cpu_info *ci) { - /* TODO: implement this properly */ - KASSERT(curcpu() == ci); + /* + * TODO: implement this properly + * KASSERT(curcpu() == ci); + */ softint_schedule(arg); }
CVS commit: src/sys/rump/librump/rumpkern
Module Name:src Committed By: rmind Date: Sat Jun 7 11:08:09 UTC 2014 Modified Files: src/sys/rump/librump/rumpkern: scheduler.c Log Message: Make kpreempt_disabled() always return true in RUMP kernels for now. May revisit once RUMP provides better splfoo/splx() handling. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/sys/rump/librump/rumpkern/scheduler.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/rump/librump/rumpkern/scheduler.c diff -u src/sys/rump/librump/rumpkern/scheduler.c:1.38 src/sys/rump/librump/rumpkern/scheduler.c:1.39 --- src/sys/rump/librump/rumpkern/scheduler.c:1.38 Thu Jun 5 23:43:04 2014 +++ src/sys/rump/librump/rumpkern/scheduler.c Sat Jun 7 11:08:09 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: scheduler.c,v 1.38 2014/06/05 23:43:04 rmind Exp $ */ +/* $NetBSD: scheduler.c,v 1.39 2014/06/07 11:08:09 rmind Exp $ */ /* * Copyright (c) 2010, 2011 Antti Kantee. All Rights Reserved. @@ -26,7 +26,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: scheduler.c,v 1.38 2014/06/05 23:43:04 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: scheduler.c,v 1.39 2014/06/07 11:08:09 rmind Exp $"); #include #include @@ -526,10 +526,14 @@ kpreempt_enable(void) bool kpreempt_disabled(void) { +#if 0 const lwp_t *l = curlwp; return l->l_nopreempt != 0 || l->l_stat == LSZOMB || - (l->l_flag & LW_IDLE) != 0 /* || cpu_kpreempt_disabled() */; + (l->l_flag & LW_IDLE) != 0 || cpu_kpreempt_disabled(); +#endif + /* XXX: emulate cpu_kpreempt_disabled() */ + return true; } void
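Review bot: Returning `true` unconditionally makes every `KASSERT(kpreempt_disabled())` pass vacuously in rump builds (pktq_enqueue() in the commit above asserts exactly this), so tests run on a rump kernel can no longer detect a missing kpreempt_disable(); the `/* XXX: emulate cpu_kpreempt_disabled() */` comment should record that consequence, e.g. `/* XXX: always true under rump until splfoo/splx() handling improves; this also neuters KASSERT(kpreempt_disabled()) in callers. */`. The real implementation is kept under `#if 0` and was even edited there (`cpu_kpreempt_disabled()` un-commented), leaving code that is never compiled and will rot; either drop it or compile it under an option so it keeps building.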
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Sat Jun 7 11:00:29 UTC 2014 Modified Files: src/sys/net: if_loop.c Log Message: lostart: silence gcc warning (XXX: gcc is not right though). To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/sys/net/if_loop.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_loop.c diff -u src/sys/net/if_loop.c:1.79 src/sys/net/if_loop.c:1.80 --- src/sys/net/if_loop.c:1.79 Thu Jun 5 23:48:16 2014 +++ src/sys/net/if_loop.c Sat Jun 7 11:00:29 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if_loop.c,v 1.79 2014/06/05 23:48:16 rmind Exp $ */ +/* $NetBSD: if_loop.c,v 1.80 2014/06/07 11:00:29 rmind Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -65,7 +65,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_loop.c,v 1.79 2014/06/05 23:48:16 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_loop.c,v 1.80 2014/06/07 11:00:29 rmind Exp $"); #include "opt_inet.h" #include "opt_atalk.h" @@ -359,11 +359,11 @@ lostart(struct ifnet *ifp) { for (;;) { pktqueue_t *pktq = NULL; - struct ifqueue *ifq; + struct ifqueue *ifq = NULL; struct mbuf *m; size_t pktlen; uint32_t af; - int s, isr; + int s, isr = 0; IFQ_DEQUEUE(&ifp->if_snd, m); if (m == NULL)
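Review bot: Initialising `ifq` to NULL and `isr` to 0 only to quiet a warning the log itself calls wrong hides the invariant rather than documenting it: if some path later did use `ifq` unassigned, the outcome is now a NULL dereference at runtime instead of a compile-time diagnostic. Put the reason on the declarations, e.g. `struct ifqueue *ifq = NULL; /* = NULL only to silence a spurious maybe-uninitialized warning */`, and on the path that dereferences `ifq` (outside this hunk) add `KASSERT(ifq != NULL);` so the assumption is checked in DIAGNOSTIC kernels. lostart's body continues outside the hunk.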
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Fri Jun 6 22:15:32 UTC 2014 Modified Files: src/sys/net: if_spppsubr.c Log Message: sppp_input: handle pktqueue case correctly (fix for the previous). To generate a diff of this commit: cvs rdiff -u -r1.129 -r1.130 src/sys/net/if_spppsubr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_spppsubr.c diff -u src/sys/net/if_spppsubr.c:1.129 src/sys/net/if_spppsubr.c:1.130 --- src/sys/net/if_spppsubr.c:1.129 Thu Jun 5 23:48:16 2014 +++ src/sys/net/if_spppsubr.c Fri Jun 6 22:15:32 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if_spppsubr.c,v 1.129 2014/06/05 23:48:16 rmind Exp $ */ +/* $NetBSD: if_spppsubr.c,v 1.130 2014/06/06 22:15:32 rmind Exp $ */ /* * Synchronous PPP/Cisco link level subroutines. @@ -41,7 +41,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.129 2014/06/05 23:48:16 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.130 2014/06/06 22:15:32 rmind Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -636,8 +636,9 @@ sppp_input(struct ifnet *ifp, struct mbu } queue_pkt: - if (! (ifp->if_flags & IFF_UP) || ! inq) + if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { goto drop; + } /* Check queue. */ if (__predict_true(pktq)) {
CVS commit: src/sys/net
Module Name:src Committed By: rmind Date: Fri Jun 6 01:27:32 UTC 2014 Modified Files: src/sys/net: route.c Log Message: rtfree: let's assert for a non-negative reference count and see what happens. To generate a diff of this commit: cvs rdiff -u -r1.131 -r1.132 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/route.c diff -u src/sys/net/route.c:1.131 src/sys/net/route.c:1.132 --- src/sys/net/route.c:1.131 Fri Jun 6 01:02:47 2014 +++ src/sys/net/route.c Fri Jun 6 01:27:32 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: route.c,v 1.131 2014/06/06 01:02:47 rmind Exp $ */ +/* $NetBSD: route.c,v 1.132 2014/06/06 01:27:32 rmind Exp $ */ /*- * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc. @@ -93,7 +93,7 @@ #include "opt_route.h" #include -__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.131 2014/06/06 01:02:47 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.132 2014/06/06 01:27:32 rmind Exp $"); #include #include @@ -376,16 +376,13 @@ rtfree(struct rtentry *rt) { struct ifaddr *ifa; - if (rt == NULL) - panic("rtfree"); + KASSERT(rt != NULL); + KASSERT(rt->rt_refcnt > 0); + rt->rt_refcnt--; - if (rt->rt_refcnt <= 0 && (rt->rt_flags & RTF_UP) == 0) { + if (rt->rt_refcnt == 0 && (rt->rt_flags & RTF_UP) == 0) { rt_assert_inactive(rt); rttrash--; - if (rt->rt_refcnt < 0) { - printf("rtfree: %p not freed (neg refs)\n", rt); - return; - } rt_timer_remove_all(rt, 0); ifa = rt->rt_ifa; rt->rt_ifa = NULL;
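Review bot: The old negative-refcount diagnostic (`printf("rtfree: %p not freed (neg refs)\n", rt)`) is removed and its replacement `KASSERT(rt->rt_refcnt > 0)` compiles away in non-DIAGNOSTIC kernels; there, a call with an already-zero refcount decrements it below zero, the new `== 0` test never fires, and the entry is neither freed nor reported — a silent leak where before there was at least a message. Use `KASSERTMSG(rt->rt_refcnt > 0, "rt %p refcnt %d", rt, rt->rt_refcnt);` so a DIAGNOSTIC failure identifies the entry (assuming rt_refcnt is an int; adjust the format otherwise), and, since the log says this is exploratory, consider keeping a non-assert diagnostic for the refcnt <= 0 case in production builds. rtfree continues outside the hunk.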