CVS commit: src/sys/net/npf
Module Name:src Committed By: kardel Date: Tue Aug 8 16:10:42 UTC 2023 Modified Files: src/sys/net/npf: npf_ruleset.c Log Message: The analysis documented in PR misc/56990 is correct. Fix by not returning when encountering a ruleset rule. The code up to now would stop at any group rule. ruleset rules are marked as group rule and a dynamic rule. processing is only finished when a result is present AND we are looking at a plain group rule. To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.51 src/sys/net/npf/npf_ruleset.c:1.52 --- src/sys/net/npf/npf_ruleset.c:1.51 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_ruleset.c Tue Aug 8 16:10:41 2023 @@ -34,7 +34,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.51 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.52 2023/08/08 16:10:41 kardel Exp $"); #include #include @@ -891,7 +891,7 @@ npf_ruleset_inspect(npf_cache_t *npc, co KASSERT(n < skip_to); /* Group is a barrier: return a matching if found any. */ - if ((attr & NPF_RULE_GROUP) != 0 && final_rl) { + if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP && final_rl) { break; }
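Review bot: the new barrier test `(attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP` in npf_ruleset_inspect only reads correctly if NPF_DYNAMIC_GROUP is a mask containing the NPF_RULE_GROUP bit together with the dynamic bit, which is what the log message describes but nothing at the site says; add a one-line comment spelling that out and update the `/* Group is a barrier: return a matching if found any. */` comment above it to say "plain (non-dynamic) group", since the barrier semantics changed here and a reader will otherwise wonder why a ruleset rule no longer stops the walk.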
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Fri Feb 24 11:03:01 UTC 2023 Modified Files: src/sys/net/npf: npf_nat.c npf_rproc.c npf_tableset.c Log Message: npf: Eliminate __HAVE_ATOMIC_AS_MEMBAR conditionals. Discussed on tech-kern: https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html Requested by rmind@: https://github.com/rmind/npf/pull/127#issuecomment-1399573125 To generate a diff of this commit: cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_rproc.c cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.52 src/sys/net/npf/npf_nat.c:1.53 --- src/sys/net/npf/npf_nat.c:1.52 Sat Apr 9 23:38:33 2022 +++ src/sys/net/npf/npf_nat.c Fri Feb 24 11:03:01 2023 @@ -67,7 +67,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.52 2022/04/09 23:38:33 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.53 2023/02/24 11:03:01 riastradh Exp $"); #include #include @@ -279,15 +279,11 @@ npf_natpolicy_release(npf_natpolicy_t *n { KASSERT(atomic_load_relaxed(>n_refcnt) > 0); -#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_release(); -#endif if (atomic_dec_uint_nv(>n_refcnt) != 0) { return; } -#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_acquire(); -#endif KASSERT(LIST_EMPTY(>n_nat_list)); mutex_destroy(>n_lock); kmem_free(np, sizeof(npf_natpolicy_t)); Index: src/sys/net/npf/npf_rproc.c diff -u src/sys/net/npf/npf_rproc.c:1.22 src/sys/net/npf/npf_rproc.c:1.23 --- src/sys/net/npf/npf_rproc.c:1.22 Sat Apr 9 23:38:33 2022 +++ src/sys/net/npf/npf_rproc.c Fri Feb 24 11:03:01 2023 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_rproc.c,v 1.22 2022/04/09 23:38:33 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_rproc.c,v 1.23 2023/02/24 11:03:01 riastradh Exp $"); #include #include 
@@ -330,15 +330,12 @@ npf_rproc_release(npf_rproc_t *rp) { KASSERT(atomic_load_relaxed(>rp_refcnt) > 0); -#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_release(); -#endif if (atomic_dec_uint_nv(>rp_refcnt) != 0) { return; } -#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_acquire(); -#endif + /* XXXintr */ for (unsigned i = 0; i < rp->rp_ext_count; i++) { npf_ext_t *ext = rp->rp_ext[i]; Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.41 src/sys/net/npf/npf_tableset.c:1.42 --- src/sys/net/npf/npf_tableset.c:1.41 Mon Jan 23 13:40:04 2023 +++ src/sys/net/npf/npf_tableset.c Fri Feb 24 11:03:01 2023 @@ -46,7 +46,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.41 2023/01/23 13:40:04 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.42 2023/02/24 11:03:01 riastradh Exp $"); #include #include @@ -160,14 +160,10 @@ npf_tableset_destroy(npf_tableset_t *ts) if (t == NULL) continue; -#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_release(); -#endif if (atomic_dec_uint_nv(>t_refcnt) > 0) continue; -#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_acquire(); -#endif npf_table_destroy(t); } kmem_free(ts, NPF_TABLESET_SIZE(ts->ts_nitems));
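Review bot: the refcount sites in npf_natpolicy_release, npf_rproc_release and npf_tableset_destroy now repeat the same membar_release / atomic_dec_uint_nv / membar_acquire sequence verbatim; making the barriers unconditional is the safe direction (at worst a redundant barrier where the atomics already order), and release-before-decrement, acquire-after-last-reference is the standard refcount idiom, but three hand-copied instances are how the sites drifted apart before this change, so a small inline helper shared by all three would keep them aligned.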
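Review bot: the added `/* XXXintr */` in npf_rproc_release flags a concern without stating it; a bare XXX marker at the point where the last reference has just been dropped and the extension array is about to be walked is not actionable for the next reader, so either say what the interrupt-context problem is (or cite the tech-kern thread named in the log message) or leave the marker out.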
CVS commit: src/sys/net/npf
Module Name:src Committed By: kardel Date: Sun Feb 12 13:38:37 UTC 2023 Modified Files: src/sys/net/npf: npf.h npf_mbuf.c npf_sendpkt.c Log Message: PR kern/56052: allow block-return packets passed through without rule matching. Included up-stream as https://github.com/rmind/npf/pull/115 To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/sys/net/npf/npf.h cvs rdiff -u -r1.24 -r1.25 src/sys/net/npf/npf_mbuf.c cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_sendpkt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.63 src/sys/net/npf/npf.h:1.64 --- src/sys/net/npf/npf.h:1.63 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf.h Sun Feb 12 13:38:37 2023 @@ -122,6 +122,7 @@ void * nbuf_ensure_writable(nbuf_t *, s bool nbuf_cksum_barrier(nbuf_t *, int); int nbuf_add_tag(nbuf_t *, uint32_t); +int npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t); int nbuf_find_tag(nbuf_t *, uint32_t *); /* Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.24 src/sys/net/npf/npf_mbuf.c:1.25 --- src/sys/net/npf/npf_mbuf.c:1.24 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_mbuf.c Sun Feb 12 13:38:37 2023 @@ -36,7 +36,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.24 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.25 2023/02/12 13:38:37 kardel Exp $"); #include #include @@ -297,14 +297,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di) } /* - * nbuf_add_tag: associate a tag with the network buffer. + * npf_mbuf_add_tag: associate a tag with the network buffer. * * => Returns 0 on success or error number on failure. */ int -nbuf_add_tag(nbuf_t *nbuf, uint32_t val) +npf_mbuf_add_tag(nbuf_t *nbuf, struct mbuf *m, uint32_t val) { - struct mbuf *m = nbuf->nb_mbuf0; #ifdef _KERNEL struct m_tag *mt; uint32_t *dat; 
@@ -328,6 +327,18 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t val) } /* + * nbuf_add_tag: associate a tag with the network buffer. + * + * => Returns 0 on success or error number on failure. + */ +int +nbuf_add_tag(nbuf_t *nbuf, uint32_t val) +{ + struct mbuf *m = nbuf->nb_mbuf0; + return npf_mbuf_add_tag(nbuf, m, val); +} + +/* * nbuf_find_tag: find a tag associated with a network buffer. * * => Returns 0 on success or error number on failure. Index: src/sys/net/npf/npf_sendpkt.c diff -u src/sys/net/npf/npf_sendpkt.c:1.22 src/sys/net/npf/npf_sendpkt.c:1.23 --- src/sys/net/npf/npf_sendpkt.c:1.22 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_sendpkt.c Sun Feb 12 13:38:37 2023 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.22 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.23 2023/02/12 13:38:37 kardel Exp $"); #include #include @@ -197,6 +197,9 @@ npf_return_tcp(npf_cache_t *npc) } } + /* don't look at our generated reject packets going out */ + (void)npf_mbuf_add_tag(npc->npc_nbuf, m, NPF_NTAG_PASS); + /* Pass to IP layer. */ if (npf_iscached(npc, NPC_IP4)) { return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); @@ -215,6 +218,9 @@ npf_return_icmp(const npf_cache_t *npc) { struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf); + /* don't look at our generated reject packets going out */ + (void)nbuf_add_tag(npc->npc_nbuf, NPF_NTAG_PASS); + if (npf_iscached(npc, NPC_IP4)) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT, 0, 0); return 0;
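Review bot: in the split of nbuf_add_tag into npf_mbuf_add_tag, the `nbuf` parameter of npf_mbuf_add_tag is kept although the visible part of the body only uses `m`; if it exists only for the non-_KERNEL build, say so in the comment, and since the function is now exported in npf.h its comment should state that `m` need not be the nbuf's head mbuf, which is the whole point of the new entry point.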
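Review bot: the two reject paths attach NPF_NTAG_PASS to different mbufs: npf_return_tcp tags the freshly built reply `m` via npf_mbuf_add_tag, while npf_return_icmp tags the original packet (nbuf_add_tag uses nb_mbuf0) and then hands that packet to icmp_error, so the ICMP case only works if icmp_error carries the m_tag over to the reply it constructs; please confirm that or tag the reply explicitly. Both calls also discard the return value with `(void)`; when tag allocation fails the reject packet falls back to normal rule matching, which fails closed and is acceptable, but a comment at each site should say that the tag is best-effort so nobody later treats it as guaranteed.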
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Mon Jan 23 13:40:05 UTC 2023 Modified Files: src/sys/net/npf: npf_tableset.c Log Message: npf(9): Drop table lock around copyout. It is forbidden to hold a spin lock around copyout, and t_lock is a spin lock. We need t_lock in order to iterate over the list of entries. However, during copyout itself, we only need to ensure that the object we're copying out isn't freed by npf_table_remove or npf_table_gc. Fortunately, the only caller of npf_table_list, npf_table_remove, and npf_table_gc is npfctl_table, and it serializes all of them by the npf config lock. So we can safely drop t_lock across copyout. PR kern/57136 PR kern/57181 To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.40 src/sys/net/npf/npf_tableset.c:1.41 --- src/sys/net/npf/npf_tableset.c:1.40 Sun Jan 22 18:45:43 2023 +++ src/sys/net/npf/npf_tableset.c Mon Jan 23 13:40:04 2023 @@ -46,7 +46,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.40 2023/01/22 18:45:43 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.41 2023/01/23 13:40:04 riastradh Exp $"); #include #include @@ -766,15 +766,17 @@ table_ent_copyout(const npf_addr_t *addr } static int -table_generic_list(const npf_table_t *t, void *ubuf, size_t len) +table_generic_list(npf_table_t *t, void *ubuf, size_t len) { npf_tblent_t *ent; size_t off = 0; int error = 0; LIST_FOREACH(ent, >t_list, te_listent) { + mutex_exit(>t_lock); error = table_ent_copyout(>te_addr, ent->te_alen, ent->te_preflen, ubuf, len, ); + mutex_enter(>t_lock); if (error) break; }
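Review bot: table_generic_list now drops t_lock around table_ent_copyout inside LIST_FOREACH and keeps using `ent` across the gap, so the loop is only safe under the invariant the log message describes (the npf config lock serializes npf_table_list against npf_table_remove and npf_table_gc); nothing in the function states or asserts that, so add a comment and a KASSERT on the config lock at the top of the function, or the next caller added without the config lock will walk a list whose entries can be freed under it. The `const` dropped from the `t` parameter is needed because mutex_exit/mutex_enter take a non-const lock; a line in the log message would save the reader a guess.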
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Sun Jan 22 18:45:43 UTC 2023 Modified Files: src/sys/net/npf: npf_tableset.c Log Message: npf(9): Another comment tweak to match upstream. No functional change. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.39 src/sys/net/npf/npf_tableset.c:1.40 --- src/sys/net/npf/npf_tableset.c:1.39 Sun Jan 22 18:39:22 2023 +++ src/sys/net/npf/npf_tableset.c Sun Jan 22 18:45:43 2023 @@ -46,7 +46,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.39 2023/01/22 18:39:22 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.40 2023/01/22 18:45:43 riastradh Exp $"); #include #include @@ -101,7 +101,7 @@ struct npf_table { /* * Table ID, type and lock. The ID may change during the - * config reload, it is protected by the npf->config_lock. + * config reload, it is protected by the npf_t::config_lock. */ int t_type; unsigned t_id;
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Sun Jan 22 18:39:35 UTC 2023 Modified Files: src/sys/net/npf: npf_conn.c Log Message: npf(9): Update comment to reduce diff from upstream. No functional change. To generate a diff of this commit: cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.34 src/sys/net/npf/npf_conn.c:1.35 --- src/sys/net/npf/npf_conn.c:1.34 Sun Feb 13 19:20:23 2022 +++ src/sys/net/npf/npf_conn.c Sun Jan 22 18:39:35 2023 @@ -97,14 +97,14 @@ * * Lock order * - * npf->config_lock -> + * npf_t::config_lock -> * conn_lock -> * npf_conn_t::c_lock */ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.34 2022/02/13 19:20:23 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.35 2023/01/22 18:39:35 riastradh Exp $"); #include #include
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Sun Jan 22 18:39:22 UTC 2023 Modified Files: src/sys/net/npf: npf_tableset.c Log Message: npf(9): Use __HAVE_ATOMIC_AS_MEMBAR around refcnt consistently. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.38 src/sys/net/npf/npf_tableset.c:1.39 --- src/sys/net/npf/npf_tableset.c:1.38 Sat Apr 9 23:38:33 2022 +++ src/sys/net/npf/npf_tableset.c Sun Jan 22 18:39:22 2023 @@ -46,7 +46,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.38 2022/04/09 23:38:33 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.39 2023/01/22 18:39:22 riastradh Exp $"); #include #include @@ -160,10 +160,14 @@ npf_tableset_destroy(npf_tableset_t *ts) if (t == NULL) continue; +#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_release(); +#endif if (atomic_dec_uint_nv(>t_refcnt) > 0) continue; +#ifndef __HAVE_ATOMIC_AS_MEMBAR membar_acquire(); +#endif npf_table_destroy(t); } kmem_free(ts, NPF_TABLESET_SIZE(ts->ts_nitems));
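Review bot: guarding membar_release and membar_acquire with `#ifndef __HAVE_ATOMIC_AS_MEMBAR` in npf_tableset_destroy does bring this site in line with the other refcount sites, but note that the 2023-02-24 commit above removes exactly these conditionals again in all three files, so the guarded form survived about a month; whichever form is kept, the decision belongs in one shared helper or one comment rather than being repeated at each decrement site.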
CVS commit: src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 28 17:28:15 UTC 2022 Modified Files: src/sys/net/npf: npf_params.c Log Message: Make the thmap(9) used for params use sleepable allocations, suggested by rmind@. Should fix PR 56802. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_params.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_params.c diff -u src/sys/net/npf/npf_params.c:1.4 src/sys/net/npf/npf_params.c:1.5 --- src/sys/net/npf/npf_params.c:1.4 Thu Apr 28 15:43:51 2022 +++ src/sys/net/npf/npf_params.c Thu Apr 28 17:28:15 2022 @@ -26,7 +26,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.4 2022/04/28 15:43:51 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.5 2022/04/28 17:28:15 martin Exp $"); #include #include @@ -69,13 +69,30 @@ npf_param_general_register(npf_t *npf) npf_param_register(npf, param_map, __arraycount(param_map)); } +static uintptr_t +npf_param_thmap_alloc(size_t len) +{ + return (uintptr_t)kmem_alloc(len, KM_SLEEP); +} + +static void +npf_param_thmap_free(uintptr_t addr, size_t len) +{ +kmem_free((void *)addr, len); +} + +static const thmap_ops_t npf_param_thmap_ops = { +.alloc = npf_param_thmap_alloc, +.free = npf_param_thmap_free +}; + void npf_param_init(npf_t *npf) { npf_paraminfo_t *paraminfo; paraminfo = kmem_zalloc(sizeof(npf_paraminfo_t), KM_SLEEP); - paraminfo->map = thmap_create(0, NULL, THMAP_NOCOPY); + paraminfo->map = thmap_create(0, _param_thmap_ops, THMAP_NOCOPY); npf->paraminfo = paraminfo; /* Register some general parameters. */
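Review bot: with npf_param_thmap_ops using KM_SLEEP, thmap_put in npf_param_register may now sleep, so every caller must be in a sleepable context; the visible caller npf_param_init already does kmem_zalloc(..., KM_SLEEP) a few lines earlier, so that holds here, but a comment on npf_param_register stating the requirement would stop someone later calling it from softint context. Style: the body of npf_param_thmap_free and the npf_param_thmap_ops initializer lack the leading tab that the rest of the file uses.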
CVS commit: src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 28 15:43:51 UTC 2022 Modified Files: src/sys/net/npf: npf_params.c Log Message: Temporary hack to make PR 56802 (when it happens) tell us for sure that it is caused by KM_NOSLEEP memory allocation failure. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_params.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_params.c diff -u src/sys/net/npf/npf_params.c:1.3 src/sys/net/npf/npf_params.c:1.4 --- src/sys/net/npf/npf_params.c:1.3 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_params.c Thu Apr 28 15:43:51 2022 @@ -26,7 +26,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.3 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.4 2022/04/28 15:43:51 martin Exp $"); #include #include @@ -184,7 +184,9 @@ npf_param_register(npf_t *npf, npf_param void *ret __diagused; ret = thmap_put(pinfo->map, name, strlen(name), param); - KASSERT(ret == param); + KASSERTMSG(ret == param, + "parameter insertion failed: ret=%p, param=%p", + ret, param); /* Assign the default value. */ KASSERT(param->default_val >= param->min);
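Review bot: the KASSERTMSG in npf_param_register prints only the two pointers; including `name` (already in scope, it is passed to thmap_put on the line above) would say which parameter failed to insert, and since the stated purpose is to confirm a KM_NOSLEEP allocation failure, the message should also spell out that a NULL `ret` means allocation failure while a non-NULL `ret` different from `param` means a duplicate registration, which is the distinction the panic is meant to make.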
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Sun Feb 13 19:20:23 UTC 2022 Modified Files: src/sys/net/npf: npf_conn.c Log Message: npf(4): Use atomic_store_release and atomic_load_consume for conn_db. ...or atomic_load_relaxed, when npf->conn_lock is held, for the sake of C11. No need for store-before-load implied by membar_sync. To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.33 src/sys/net/npf/npf_conn.c:1.34 --- src/sys/net/npf/npf_conn.c:1.33 Mon Jan 25 17:18:55 2021 +++ src/sys/net/npf/npf_conn.c Sun Feb 13 19:20:23 2022 @@ -104,7 +104,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.33 2021/01/25 17:18:55 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.34 2022/02/13 19:20:23 riastradh Exp $"); #include #include @@ -221,8 +221,7 @@ npf_conn_load(npf_t *npf, npf_conndb_t * KASSERT(atomic_load_relaxed(>conn_tracking) == CONN_TRACKING_OFF); odb = atomic_load_relaxed(>conn_db); - membar_sync(); - atomic_store_relaxed(>conn_db, ndb); + atomic_store_release(>conn_db, ndb); } if (track) { /* After this point lookups start flying in. */ @@ -492,7 +491,7 @@ npf_conn_establish(npf_cache_t *npc, con * the connection later. */ mutex_enter(>c_lock); - conn_db = atomic_load_relaxed(>conn_db); + conn_db = atomic_load_consume(>conn_db); if (!npf_conndb_insert(conn_db, fw, con, NPF_FLOW_FORW)) { error = EISCONN; goto err; @@ -597,7 +596,7 @@ npf_conn_setnat(const npf_cache_t *npc, } /* Remove the "backwards" key. */ - conn_db = atomic_load_relaxed(>conn_db); + conn_db = atomic_load_consume(>conn_db); bk = npf_conn_getbackkey(con, con->c_alen); ret = npf_conndb_remove(conn_db, bk); KASSERT(ret == con); 
@@ -762,7 +761,7 @@ npf_conn_remove(npf_conndb_t *cd, npf_co void npf_conn_worker(npf_t *npf) { - npf_conndb_t *conn_db = atomic_load_relaxed(>conn_db); + npf_conndb_t *conn_db = atomic_load_consume(>conn_db); npf_conndb_gc(npf, conn_db, false, true); }
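Review bot: the release/consume pairing is right (atomic_store_release in npf_conn_load publishes `ndb`, atomic_load_consume at the lookup sites in npf_conn_establish, npf_conn_setnat and npf_conn_worker reads it), but the one remaining atomic_load_relaxed of conn_db in npf_conn_load for `odb` is correct only because conn_lock is held there, as the log message says; put that reason in a comment next to the load so the relaxed load is not later "fixed" to consume, or the consume loads downgraded to relaxed by someone who sees the two side by side.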
CVS commit: src/sys/net/npf
Module Name:src Committed By: riastradh Date: Sun Feb 13 19:20:11 UTC 2022 Modified Files: src/sys/net/npf: npf_conf.c npf_ifaddr.c Log Message: npf(4): Use atomic_store_release and atomic_load_consume for config. ...or atomic_load_relaxed, when the config is locked. (Not necessary to use atomic_* at all in NetBSD, but in C11 it will be cheaper to say atomic_load_relaxed explicitly so an _Atomic-qualified object doesn't cause the load to be surrounded by unnecessary membars.) No need for store-before-load ordering here, so no need to membar_sync. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_ifaddr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.17 src/sys/net/npf/npf_conf.c:1.18 --- src/sys/net/npf/npf_conf.c:1.17 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_conf.c Sun Feb 13 19:20:11 2022 @@ -47,7 +47,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.17 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.18 2022/02/13 19:20:11 riastradh Exp $"); #include #include @@ -153,8 +153,7 @@ npf_config_load(npf_t *npf, npf_config_t /* * Set the new config and release the lock. */ - membar_sync(); - atomic_store_relaxed(>config, nc); + atomic_store_release(>config, nc); if (onc == NULL) { /* Initial load, done. */ npf_ifmap_flush(npf); @@ -247,7 +246,7 @@ npf_config_read_exit(npf_t *npf, int s) npf_ruleset_t * npf_config_ruleset(npf_t *npf) { - npf_config_t *config = atomic_load_relaxed(>config); + npf_config_t *config = atomic_load_consume(>config); KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr)); return config->ruleset; } 
@@ -255,7 +254,7 @@ npf_config_ruleset(npf_t *npf) npf_ruleset_t * npf_config_natset(npf_t *npf) { - npf_config_t *config = atomic_load_relaxed(>config); + npf_config_t *config = atomic_load_consume(>config); KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr)); return config->nat_ruleset; } @@ -263,7 +262,7 @@ npf_config_natset(npf_t *npf) npf_tableset_t * npf_config_tableset(npf_t *npf) { - npf_config_t *config = atomic_load_relaxed(>config); + npf_config_t *config = atomic_load_consume(>config); KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr)); return config->tableset; } @@ -271,7 +270,7 @@ npf_config_tableset(npf_t *npf) bool npf_default_pass(npf_t *npf) { - npf_config_t *config = atomic_load_relaxed(>config); + npf_config_t *config = atomic_load_consume(>config); KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr)); return config->default_pass; } Index: src/sys/net/npf/npf_ifaddr.c diff -u src/sys/net/npf/npf_ifaddr.c:1.7 src/sys/net/npf/npf_ifaddr.c:1.8 --- src/sys/net/npf/npf_ifaddr.c:1.7 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_ifaddr.c Sun Feb 13 19:20:11 2022 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.7 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.8 2022/02/13 19:20:11 riastradh Exp $"); #include #include @@ -87,9 +87,11 @@ out: static void replace_ifnet_table(npf_t *npf, npf_table_t *newt) { - npf_tableset_t *ts = npf->config->tableset; + npf_tableset_t *ts = atomic_load_relaxed(>config)->tableset; npf_table_t *oldt; + KASSERT(npf_config_locked_p(npf)); + KERNEL_UNLOCK_ONE(NULL); /*
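Review bot: the atomic_store_release in npf_config_load pairs correctly with the atomic_load_consume in npf_config_ruleset, npf_config_natset, npf_config_tableset and npf_default_pass, each of which already asserts the config lock or the EBR critical section. In replace_ifnet_table the new KASSERT(npf_config_locked_p(npf)) is what justifies the atomic_load_relaxed of npf->config, so it would read better placed immediately before the load it justifies rather than after the declarations, with a short comment saying the lock is why relaxed suffices here.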
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Sep 30 22:04:33 UTC 2019 Modified Files: src/sys/net/npf: npf_if.c Log Message: npf_ifmap_copylogname: be more defensive. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_if.c diff -u src/sys/net/npf/npf_if.c:1.11 src/sys/net/npf/npf_if.c:1.12 --- src/sys/net/npf/npf_if.c:1.11 Sun Sep 29 17:00:29 2019 +++ src/sys/net/npf/npf_if.c Mon Sep 30 22:04:33 2019 @@ -56,7 +56,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.12 2019/09/30 22:04:33 rmind Exp $"); #include #include @@ -191,20 +191,22 @@ npf_ifmap_getid(npf_t *npf, const ifnet_ } /* - * This function is toxic; it can return garbage since we don't - * lock, but it is only used temporarily and only for logging. + * npf_ifmap_copylogname: this function is toxic; it can return garbage + * as we don't lock, but it is only used temporarily and only for logging. */ void npf_ifmap_copylogname(npf_t *npf, unsigned id, char *buf, size_t len) { - if (id != NPF_IFMAP_NOID) { - const unsigned i = NPF_IFMAP_ID2SLOT(npf, id); - npf_ifmap_t *ifmap = >ifmap[i]; + const unsigned i = NPF_IFMAP_ID2SLOT(npf, id); + + membar_consumer(); + if (id != NPF_IFMAP_NOID && i < NPF_MAX_IFMAP) { /* * Lock-free access is safe as there is an extra byte * with a permanent NUL terminator at the end. */ + const npf_ifmap_t *ifmap = >ifmap[i]; strlcpy(buf, ifmap->ifname, MIN(len, IFNAMSIZ)); } else { strlcpy(buf, "???", len);
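Review bot: in npf_ifmap_copylogname the slot index `i` is now computed with NPF_IFMAP_ID2SLOT before the `id != NPF_IFMAP_NOID` check, so for id == 0 it wraps (unsigned arithmetic, so defined, and the `i < NPF_MAX_IFMAP` bound then rejects it), but checking the id first would avoid relying on that; more importantly the added membar_consumer() carries no comment naming the producer-side barrier it pairs with, and a barrier without a documented partner is the first thing the next refactor removes. The bounds check itself is the right defensive addition given that the map can be flushed and the id can be stale.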
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Sep 29 17:00:29 UTC 2019 Modified Files: src/sys/net/npf: npf_conn.c npf_if.c npf_impl.h npf_ruleset.c Log Message: NPF ifmap: rework and fix a few small bugs. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_if.c cvs rdiff -u -r1.79 -r1.80 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.29 src/sys/net/npf/npf_conn.c:1.30 --- src/sys/net/npf/npf_conn.c:1.29 Tue Aug 6 11:40:15 2019 +++ src/sys/net/npf/npf_conn.c Sun Sep 29 17:00:29 2019 @@ -107,7 +107,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.29 2019/08/06 11:40:15 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.30 2019/09/29 17:00:29 rmind Exp $"); #include #include @@ -782,7 +782,8 @@ npf_conn_export(npf_t *npf, npf_conn_t * nvlist_add_number(cdict, "flags", con->c_flags); nvlist_add_number(cdict, "proto", con->c_proto); if (con->c_ifid) { - const char *ifname = npf_ifmap_getname(npf, con->c_ifid); + char ifname[IFNAMSIZ]; + npf_ifmap_copyname(npf, con->c_ifid, ifname, sizeof(ifname)); nvlist_add_string(cdict, "ifname", ifname); } nvlist_add_binary(cdict, "state", >c_state, sizeof(npf_state_t)); Index: src/sys/net/npf/npf_if.c diff -u src/sys/net/npf/npf_if.c:1.10 src/sys/net/npf/npf_if.c:1.11 --- src/sys/net/npf/npf_if.c:1.10 Sun Aug 11 20:26:33 2019 +++ src/sys/net/npf/npf_if.c Sun Sep 29 17:00:29 2019 @@ -1,4 +1,5 @@ /*- + * Copyright (c) 2019 Mindaugas Rasiukevicius * Copyright (c) 2013 The NetBSD Foundation, Inc. * All rights reserved. * 
@@ -28,23 +29,34 @@ */ /* - * NPF network interface handling module. + * NPF network interface handling. * - * NPF uses its own interface IDs (npf-if-id). When NPF configuration is - * (re)loaded, each required interface name is registered and a matching - * network interface gets an ID assigned. If an interface is not present, - * it gets an ID on attach. + * NPF uses its own interface IDs (npf-if-id). These IDs start from 1. + * Zero is reserved to indicate "no interface" case or an interface of + * no interest (i.e. not registered). * - * IDs start from 1. Zero is reserved to indicate "no interface" case or - * an interface of no interest (i.e. not registered). + * This module provides an interface to primarily handle the following: * - * The IDs are mapped synchronously based on interface events which are - * monitored using pfil(9) hooks. + * - Bind a symbolic interface name to NPF interface ID. + * - Associate NPF interface ID when the network interface is attached. + * + * When NPF configuration is (re)loaded, each referenced network interface + * name is registered with a unique ID. If the network interface is already + * attached, then the ID is associated with it immediately; otherwise, IDs + * are associated/disassociated on interface events which are monitored + * using pfil(9) hooks. + * + * To avoid race conditions when an active NPF configuration is updated or + * interfaces are detached/attached, the interface names are never removed + * and therefore IDs are never re-assigned. The only point when interface + * names and IDs are cleared is when the configuration is flushed. + * + * A linear counter is used for IDs. */ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.10 2019/08/11 20:26:33 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $"); #include #include 
@@ -55,9 +67,13 @@ __KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1 #include "npf_impl.h" typedef struct npf_ifmap { - char n_ifname[IFNAMSIZ]; + char ifname[IFNAMSIZ + 1]; } npf_ifmap_t; +#define NPF_IFMAP_NOID (0U) +#define NPF_IFMAP_SLOT2ID(npf, slot) ((npf)->ifmap_off + (slot) + 1) +#define NPF_IFMAP_ID2SLOT(npf, id) ((id) - (npf)->ifmap_off - 1) + void npf_ifmap_init(npf_t *npf, const npf_ifops_t *ifops) { @@ -66,8 +82,10 @@ npf_ifmap_init(npf_t *npf, const npf_ifo KASSERT(ifops != NULL); ifops->flush((void *)(uintptr_t)0); + mutex_init(>ifmap_lock, MUTEX_DEFAULT, IPL_SOFTNET); npf->ifmap = kmem_zalloc(nbytes, KM_SLEEP); npf->ifmap_cnt = 0; + npf->ifmap_off = 0; npf->ifops = ifops; } @@ -75,82 +93,101 @@ void npf_ifmap_fini(npf_t *npf) { const size_t nbytes = sizeof(npf_ifmap_t) * NPF_MAX_IFMAP; + mutex_destroy(>ifmap_lock); kmem_free(npf->ifmap, nbytes); } -static u_int -npf_ifmap_new(npf_t *npf) -{ - KASSERT(npf_config_locked_p(npf)); - - for (u_int i = 0; i < npf->ifmap_cnt; i++) - if (npf->ifmap[i].n_ifname[0] == '\0') - return i + 1; - - if (npf->ifmap_cnt == NPF_MAX_IFMAP) { - printf("npf_ifmap_new: out of slots; bump NPF_MAX_IFMAP\n"); -
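Review bot: the caller's buffer in the npf_conn.c hunk is `char ifname[IFNAMSIZ];` while the new map slot in npf_if.c is `char ifname[IFNAMSIZ + 1];`, so npf_ifmap_copyname() has to bound the copy by the `sizeof(ifname)` argument it receives and always NUL-terminate; otherwise the `nvlist_add_string(cdict, "ifname", ifname);` that follows reads past the stack buffer for a name occupying all IFNAMSIZ bytes. Either make the two sizes identical or use a strlcpy-style copy inside npf_ifmap_copyname().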
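Review bot: `NPF_IFMAP_ID2SLOT(npf, id)` wraps around for `id == NPF_IFMAP_NOID` or any id not above `ifmap_off` (the arithmetic is unsigned), so each caller mapping an ID back to a slot should KASSERT `id > npf->ifmap_off` and that the resulting slot is below `npf->ifmap_cnt` before indexing `npf->ifmap[]`. Related: the comment hunk now states that names are never removed and IDs never re-assigned until a flush, so the removed exhaustion path in `npf_ifmap_new()` (`printf("npf_ifmap_new: out of slots; bump NPF_MAX_IFMAP\n")`) needs a replacement that returns an error to the configuration load rather than a silently wrong ID; that part of the diff is cut off here, so it could not be checked.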
CVS commit: src/sys/net/npf
Module Name:src Committed By: christos Date: Thu Sep 26 18:44:45 UTC 2019 Modified Files: src/sys/net/npf: npf_mbuf.c Log Message: Cast m_mbuflen() result to "size_t". It could also be "u_int" since it is assigned to "u_int", but all the other "standalone" equivalent functions return "size_t". To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.22 src/sys/net/npf/npf_mbuf.c:1.23 --- src/sys/net/npf/npf_mbuf.c:1.22 Thu Nov 15 05:23:56 2018 +++ src/sys/net/npf/npf_mbuf.c Thu Sep 26 14:44:45 2019 @@ -36,7 +36,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.22 2018/11/15 10:23:56 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.23 2019/09/26 18:44:45 christos Exp $"); #include #include @@ -62,7 +62,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v #define m_flags_p(m,f) true #else #define m_next_ptr(m) (m)->m_next -#define m_buflen(m) (m)->m_len +#define m_buflen(m) ((size_t)(m)->m_len) #define m_flags_p(m,f) (((m)->m_flags & (f)) != 0) #endif
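Review bot: the log message names `m_mbuflen()` but the macro in the hunk is `m_buflen(m)`; a follow-up note would keep the history consistent with the code. On the change itself, `((size_t)(m)->m_len)` is parenthesised correctly (the cast applies after `->`), and since m_len holds a non-negative length the widening is safe; the assignment into a `u_int` mentioned in the log now narrows size_t back on LP64, which is harmless for mbuf lengths but will warn under -Wconversion if that is ever enabled for this file.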
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Aug 25 17:38:25 UTC 2019 Modified Files: src/sys/net/npf: npf_ctl.c npf_impl.h npf_os.c Log Message: Make npfctl_switch() and pfil private to OS-specific module. To generate a diff of this commit: cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.78 -r1.79 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_os.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.57 src/sys/net/npf/npf_ctl.c:1.58 --- src/sys/net/npf/npf_ctl.c:1.57 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_ctl.c Sun Aug 25 17:38:25 2019 @@ -36,7 +36,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.57 2019/08/25 13:21:03 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.58 2019/08/25 17:38:25 rmind Exp $"); #include #include @@ -53,28 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v nvlist_add_string((e), "source-file", __FILE__); \ nvlist_add_number((e), "source-line", __LINE__); -#ifdef _KERNEL -/* - * npfctl_switch: enable or disable packet inspection. - */ -int -npfctl_switch(void *data) -{ - const bool onoff = *(int *)data ? true : false; - int error; - - if (onoff) { - /* Enable: add pfil hooks. */ - error = npf_pfil_register(false); - } else { - /* Disable: remove pfil hooks. */ - npf_pfil_unregister(false); - error = 0; - } - return error; -} -#endif - static int npf_nvlist_copyin(npf_t *npf, void *data, nvlist_t **nvl) { 
@@ -731,7 +709,7 @@ npfctl_save(npf_t *npf, u_long cmd, void if (error) { goto out; } - nvlist_add_bool(npf_dict, "active", npf_pfil_registered_p()); + nvlist_add_bool(npf_dict, "active", npf_active_p()); error = npf_nvlist_copyout(npf, data, npf_dict); npf_dict = NULL; out: Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.78 src/sys/net/npf/npf_impl.h:1.79 --- src/sys/net/npf/npf_impl.h:1.78 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_impl.h Sun Aug 25 17:38:25 2019 @@ -289,6 +289,7 @@ npf_ruleset_t * npf_config_ruleset(npf_t npf_ruleset_t * npf_config_natset(npf_t *npf); npf_tableset_t *npf_config_tableset(npf_t *npf); bool npf_default_pass(npf_t *); +bool npf_active_p(void); int npf_worker_sysinit(unsigned); void npf_worker_sysfini(void); @@ -296,8 +297,6 @@ void npf_worker_signal(npf_t *); void npf_worker_register(npf_t *, npf_workfunc_t); void npf_worker_unregister(npf_t *, npf_workfunc_t); -int npfctl_switch(void *); -int npfctl_reload(u_long, void *); int npfctl_save(npf_t *, u_long, void *); int npfctl_load(npf_t *, u_long, void *); int npfctl_rule(npf_t *, u_long, void *); @@ -327,11 +326,6 @@ void npf_ifaddr_sync(npf_t *, ifnet_t * void npf_ifaddr_flush(npf_t *, ifnet_t *); void npf_ifaddr_syncall(npf_t *); -/* Packet filter hooks. */ -int npf_pfil_register(bool); -void npf_pfil_unregister(bool); -bool npf_pfil_registered_p(void); - /* Protocol helpers. */ int npf_cache_all(npf_cache_t *); void npf_recache(npf_cache_t *); Index: src/sys/net/npf/npf_os.c diff -u src/sys/net/npf/npf_os.c:1.16 src/sys/net/npf/npf_os.c:1.17 --- src/sys/net/npf/npf_os.c:1.16 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_os.c Sun Aug 25 17:38:25 2019 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.16 2019/08/25 13:21:03 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.17 2019/08/25 17:38:25 rmind Exp $"); #ifdef _KERNEL_OPT #include "pf.h" 
@@ -84,6 +84,9 @@ MODULE(MODULE_CLASS_MISC, npf, "bpf"); MODULE(MODULE_CLASS_DRIVER, npf, "bpf"); #endif +static int npf_pfil_register(bool); +static void npf_pfil_unregister(bool); + static int npf_dev_open(dev_t, int, int, lwp_t *); static int npf_dev_close(dev_t, int, int, lwp_t *); static int npf_dev_ioctl(dev_t, u_long, void *, int, lwp_t *); @@ -226,6 +229,26 @@ npf_stats_export(npf_t *npf, void *data) return error; } +/* + * npfctl_switch: enable or disable packet inspection. + */ +static int +npfctl_switch(void *data) +{ + const bool onoff = *(int *)data ? true : false; + int error; + + if (onoff) { + /* Enable: add pfil hooks. */ + error = npf_pfil_register(false); + } else { + /* Disable: remove pfil hooks. */ + npf_pfil_unregister(false); + error = 0; + } + return error; +} + static int npf_dev_ioctl(dev_t dev, u_long cmd, void *data, int flag, lwp_t *l) { @@ -290,7 +313,7 @@ bool npf_autounload_p(void) { npf_t *npf = npf_getkernctx(); - return !npf_pfil_registered_p() && npf_default_pass(npf); + return !npf_active_p() && npf_default_pass(npf); } /* @@ -394,7 +417,7 @@ npf_ifaddrhook(void *arg, u_long cmd, vo /* * npf_pfil_register: register pfil(9) hooks. */ -int +static int npf_pfil_register(bool init) { npf_t *npf = npf_getkernctx(); @@ -463,7 +486,7 @@ out: /* * npf_pfil_unregister:
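Review bot: the npf_impl.h hunk removes `int npfctl_reload(u_long, void *);` together with the npfctl_switch prototype, but no hunk in this diff removes or relocates an npfctl_reload definition, so either it was already dead (then the log message should say so) or a definition is left without a prototype. Likewise `bool npf_active_p(void);` is added to the header while its definition is not in the visible npf_os.c hunks (the diff is cut off after npf_pfil_unregister); since `npfctl_save()` now calls `npf_active_p()` unconditionally, the standalone (non-_KERNEL) build of npf_ctl.c needs a definition as well, just as it previously needed one for npf_pfil_registered_p().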
Re: CVS commit: src/sys/net/npf
On 06/08/2019 at 12:31, Christos Zoulas wrote:
> I did not see any messages about it, and the fix is fine until rmind comes
> up with something better.

Yes, turns out it was an off-list email.

> It is not nice to have HEAD unusable for 2 weeks now (since July 22nd).

Given your second commit, I should understand that rmind is ok with this
change, right?

> christos
>
>> On Aug 6, 2019, at 1:26 PM, Maxime Villard wrote:
>>
>> On 06/08/2019 at 12:25, Christos Zoulas wrote:
>>> Module Name:src
>>> Committed By: christos
>>> Date: Tue Aug 6 10:25:13 UTC 2019
>>> Modified Files:
>>> src/sys/net/npf: npf_conn.c
>>> Log Message:
>>> Introduce an npf_conn_destroy_idx() that can handle partially constructed
>>> conn structures.
>>> To generate a diff of this commit:
>>> cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
>>> Please note that diffs are not public domain; they are subject to the
>>> copyright notices on the relevant files.
>>
>> Rmind said he had a fix and was testing it. Please revert this.
Re: CVS commit: src/sys/net/npf
Yes, rmind asked me to commit the change in private email.

christos

> On Aug 6, 2019, at 3:59 PM, Maxime Villard wrote:
>
> On 06/08/2019 at 12:31, Christos Zoulas wrote:
>> I did not see any messages about it, and the fix is fine until rmind comes
>> up with something better.
>
> Yes, turns out it was an off-list email.
>
>> It is not nice to have HEAD unusable for 2 weeks now (since July 22nd).
>
> Given your second commit, I should understand that rmind is ok with this
> change, right?
>
>> christos
>>> On Aug 6, 2019, at 1:26 PM, Maxime Villard wrote:
>>>
>>> On 06/08/2019 at 12:25, Christos Zoulas wrote:
>>>> Module Name: src
>>>> Committed By: christos
>>>> Date: Tue Aug 6 10:25:13 UTC 2019
>>>> Modified Files:
>>>> src/sys/net/npf: npf_conn.c
>>>> Log Message:
>>>> Introduce an npf_conn_destroy_idx() that can handle partially constructed
>>>> conn structures.
>>>> To generate a diff of this commit:
>>>> cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
>>>> Please note that diffs are not public domain; they are subject to the
>>>> copyright notices on the relevant files.
>>>
>>> Rmind said he had a fix and was testing it. Please revert this.
CVS commit: src/sys/net/npf
Module Name:src Committed By: christos Date: Tue Aug 6 11:40:15 UTC 2019 Modified Files: src/sys/net/npf: npf.c npf_conn.c npf_conn.h Log Message: - npf_conn_init(): fix a race when initialising the G/C thread. - Fix a bug when partially initialised connection is destroyed on error. (from rmind@) To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf.c cvs rdiff -u -r1.28 -r1.29 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_conn.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.c diff -u src/sys/net/npf/npf.c:1.38 src/sys/net/npf/npf.c:1.39 --- src/sys/net/npf/npf.c:1.38 Mon Jul 22 20:52:01 2019 +++ src/sys/net/npf/npf.c Tue Aug 6 07:40:15 2019 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.39 2019/08/06 11:40:15 christos Exp $"); #include #include @@ -79,13 +79,17 @@ npf_create(int flags, const npf_mbufops_ npf_param_init(npf); npf_state_sysinit(npf); npf_ifmap_init(npf, ifops); - npf_conn_init(npf, flags); + npf_conn_init(npf); npf_portmap_init(npf); npf_alg_init(npf); npf_ext_init(npf); /* Load an empty configuration. */ npf_config_init(npf); + + if ((flags & NPF_NO_GC) == 0) { + npf_worker_register(npf, npf_conn_worker); + } return npf; } Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.28 src/sys/net/npf/npf_conn.c:1.29 --- src/sys/net/npf/npf_conn.c:1.28 Tue Aug 6 06:25:13 2019 +++ src/sys/net/npf/npf_conn.c Tue Aug 6 07:40:15 2019 @@ -107,7 +107,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.28 2019/08/06 10:25:13 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.29 2019/08/06 11:40:15 christos Exp $"); #include #include 
@@ -143,14 +143,13 @@ CTASSERT(PFIL_ALL == (0x001 | 0x002)); enum { CONN_TRACKING_OFF, CONN_TRACKING_ON }; static nvlist_t *npf_conn_export(npf_t *, npf_conn_t *); -static void npf_conn_destroy_idx(npf_t *, npf_conn_t *, unsigned); /* * npf_conn_sys{init,fini}: initialise/destroy connection tracking. */ void -npf_conn_init(npf_t *npf, int flags) +npf_conn_init(npf_t *npf) { npf->conn_cache[0] = pool_cache_init( offsetof(npf_conn_t, c_keys[NPF_CONNKEY_V4WORDS * 2]), @@ -162,10 +161,6 @@ npf_conn_init(npf_t *npf, int flags) mutex_init(>conn_lock, MUTEX_DEFAULT, IPL_NONE); npf->conn_tracking = CONN_TRACKING_OFF; npf->conn_db = npf_conndb_create(); - - if ((flags & NPF_NO_GC) == 0) { - npf_worker_register(npf, npf_conn_worker); - } npf_conndb_sysinit(npf); } @@ -430,10 +425,11 @@ npf_conn_establish(npf_cache_t *npc, int con->c_proto = npc->npc_proto; CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto)); + con->c_alen = alen; /* Initialize the protocol state. */ if (!npf_state_init(npc, >c_state)) { - npf_conn_destroy_idx(npf, con, idx); + npf_conn_destroy(npf, con); return NULL; } KASSERT(npf_iscached(npc, NPC_IP46)); @@ -447,7 +443,7 @@ npf_conn_establish(npf_cache_t *npc, int */ if (!npf_conn_conkey(npc, fw, true) || !npf_conn_conkey(npc, bk, false)) { - npf_conn_destroy_idx(npf, con, idx); + npf_conn_destroy(npf, con); return NULL; } con->c_ifid = global ? nbuf->nb_ifid : 0; @@ -500,14 +496,8 @@ err: void npf_conn_destroy(npf_t *npf, npf_conn_t *con) { - const npf_connkey_t *key = npf_conn_getforwkey(con); - const unsigned alen = NPF_CONNKEY_ALEN(key); - npf_conn_destroy_idx(npf, con, NPF_CONNCACHE(alen)); -} + const unsigned idx __unused = NPF_CONNCACHE(con->c_alen); -static void -npf_conn_destroy_idx(npf_t *npf, npf_conn_t *con, unsigned idx) -{ KASSERT(con->c_refcnt == 0); if (con->c_nat) { 
@@ -799,6 +789,7 @@ npf_conn_export(npf_t *npf, npf_conn_t * fw = npf_conn_getforwkey(con); alen = NPF_CONNKEY_ALEN(fw); + KASSERT(alen == con->c_alen); bk = npf_conn_getbackkey(con, alen); kdict = npf_connkey_export(fw); @@ -899,7 +890,7 @@ npf_conn_import(npf_t *npf, npf_conndb_t npf_conndb_enqueue(cd, con); return 0; err: - npf_conn_destroy_idx(npf, con, idx); + npf_conn_destroy(npf, con); return EINVAL; } Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.16 src/sys/net/npf/npf_conn.h:1.17 --- src/sys/net/npf/npf_conn.h:1.16 Mon Jul 22 20:52:01 2019 +++ src/sys/net/npf/npf_conn.h Tue Aug 6 07:40:15 2019 @@ -50,7 +50,8 @@ struct npf_conn { * Protocol, address length, the interface ID (if zero, * then the state is global) and connection flags. */ - unsigned c_proto; + uint16_t c_proto; + uint16_t c_alen; unsigned c_ifid; unsigned c_flags; @@ -123,7 +124,7 @@ void npf_connkey_print(const npf_connke /* * Connection tracking interface. */ -void npf_conn_init(npf_t *, int); +void npf_conn_init(npf_t *); void npf_conn_fini(npf_t
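Review bot: `npf_conn_destroy()` now derives the pool cache index from `con->c_alen`, so every error path that reaches it must run after `con->c_alen = alen;`. In the npf_conn_establish hunks that holds (the assignment precedes the `npf_state_init` and `npf_conn_conkey` failures), but in npf_conn_import the `err:` label now calls `npf_conn_destroy(npf, con);` and the hunk does not show where c_alen is assigned relative to the earlier `goto err` sites; if any of them fire before the assignment, a zeroed c_alen selects the cache for address length 0, and the `KASSERT(alen == con->c_alen);` added in npf_conn_export does not cover that path. Suggest assigning `con->c_alen` immediately after the allocation in import, as establish now does.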
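Review bot: shrinking `c_proto` from `unsigned` to `uint16_t` in the npf_conn.h hunk changes what the visible `CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto));` in npf_conn_establish demands: it only holds if `npc_proto` is itself at most 16 bits wide. Either confirm the npf_cache_t field width or replace the assert with an explicit range check at `con->c_proto = npc->npc_proto;`. The new `uint16_t c_alen` is likewise fed from an `unsigned alen`; a KASSERT that `alen` fits next to the assignment would document that assumption.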
Re: CVS commit: src/sys/net/npf
I did not see any messages about it, and the fix is fine until rmind comes
up with something better.

It is not nice to have HEAD unusable for 2 weeks now (since July 22nd).

christos

> On Aug 6, 2019, at 1:26 PM, Maxime Villard wrote:
>
> On 06/08/2019 at 12:25, Christos Zoulas wrote:
>> Module Name: src
>> Committed By: christos
>> Date: Tue Aug 6 10:25:13 UTC 2019
>> Modified Files:
>> src/sys/net/npf: npf_conn.c
>> Log Message:
>> Introduce an npf_conn_destroy_idx() that can handle partially constructed
>> conn structures.
>> To generate a diff of this commit:
>> cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
>> Please note that diffs are not public domain; they are subject to the
>> copyright notices on the relevant files.
>
> Rmind said he had a fix and was testing it. Please revert this.
Re: CVS commit: src/sys/net/npf
On 06/08/2019 at 12:25, Christos Zoulas wrote:
> Module Name:src
> Committed By: christos
> Date: Tue Aug 6 10:25:13 UTC 2019
> Modified Files:
> src/sys/net/npf: npf_conn.c
> Log Message:
> Introduce an npf_conn_destroy_idx() that can handle partially constructed
> conn structures.
> To generate a diff of this commit:
> cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.

Rmind said he had a fix and was testing it. Please revert this.
CVS commit: src/sys/net/npf
Module Name:src Committed By: christos Date: Tue Aug 6 10:25:13 UTC 2019 Modified Files: src/sys/net/npf: npf_conn.c Log Message: Introduce an npf_conn_destroy_idx() that can handle partially constructed conn structures. To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.27 src/sys/net/npf/npf_conn.c:1.28 --- src/sys/net/npf/npf_conn.c:1.27 Mon Jul 22 20:52:01 2019 +++ src/sys/net/npf/npf_conn.c Tue Aug 6 06:25:13 2019 @@ -107,7 +107,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.27 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.28 2019/08/06 10:25:13 christos Exp $"); #include #include @@ -143,6 +143,7 @@ CTASSERT(PFIL_ALL == (0x001 | 0x002)); enum { CONN_TRACKING_OFF, CONN_TRACKING_ON }; static nvlist_t *npf_conn_export(npf_t *, npf_conn_t *); +static void npf_conn_destroy_idx(npf_t *, npf_conn_t *, unsigned); /* * npf_conn_sys{init,fini}: initialise/destroy connection tracking. @@ -432,7 +433,7 @@ npf_conn_establish(npf_cache_t *npc, int /* Initialize the protocol state. */ if (!npf_state_init(npc, >c_state)) { - npf_conn_destroy(npf, con); + npf_conn_destroy_idx(npf, con, idx); return NULL; } KASSERT(npf_iscached(npc, NPC_IP46)); @@ -446,7 +447,7 @@ npf_conn_establish(npf_cache_t *npc, int */ if (!npf_conn_conkey(npc, fw, true) || !npf_conn_conkey(npc, bk, false)) { - npf_conn_destroy(npf, con); + npf_conn_destroy_idx(npf, con, idx); return NULL; } con->c_ifid = global ? nbuf->nb_ifid : 0; 
@@ -501,8 +502,12 @@ npf_conn_destroy(npf_t *npf, npf_conn_t { const npf_connkey_t *key = npf_conn_getforwkey(con); const unsigned alen = NPF_CONNKEY_ALEN(key); - const unsigned idx __unused = NPF_CONNCACHE(alen); + npf_conn_destroy_idx(npf, con, NPF_CONNCACHE(alen)); +} +static void +npf_conn_destroy_idx(npf_t *npf, npf_conn_t *con, unsigned idx) +{ KASSERT(con->c_refcnt == 0); if (con->c_nat) { @@ -894,7 +899,7 @@ npf_conn_import(npf_t *npf, npf_conndb_t npf_conndb_enqueue(cd, con); return 0; err: - npf_conn_destroy(npf, con); + npf_conn_destroy_idx(npf, con, idx); return EINVAL; }
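Review bot: the new `npf_conn_destroy_idx()` handles the partially constructed case by passing the index the caller already holds, but `npf_conn_destroy()` still computes `alen` from `npf_conn_getforwkey(con)`, i.e. from the key words that the failing paths in npf_conn_establish have not yet filled in; any remaining caller of npf_conn_destroy() on a not-yet-keyed connection would read that uninitialised key. Storing the address length in the connection itself (as the follow-up commit on this page does with `c_alen`) removes the extra parameter and the forward declaration `static void npf_conn_destroy_idx(npf_t *, npf_conn_t *, unsigned);`, and keeps a single destroy entry point.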
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Thu Jul 25 01:00:28 UTC 2019 Modified Files: src/sys/net/npf: npf_portmap.c Log Message: npf_portmap_flush: remove invalid assert (this routine can be called via the npf_destroy() path where the constraint is not applicable). To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npf_portmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_portmap.c diff -u src/sys/net/npf/npf_portmap.c:1.2 src/sys/net/npf/npf_portmap.c:1.3 --- src/sys/net/npf/npf_portmap.c:1.2 Tue Jul 23 08:25:52 2019 +++ src/sys/net/npf/npf_portmap.c Thu Jul 25 01:00:28 2019 @@ -35,7 +35,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.3 2019/07/25 01:00:28 rmind Exp $"); #include #include @@ -461,8 +461,6 @@ npf_portmap_flush(npf_t *npf) npf_portmap_t *pm = npf->portmap; bitmap_t *bm; - KASSERT(npf_config_locked_p(npf)); - while ((bm = LIST_FIRST(>bitmap_list)) != NULL) { for (unsigned i = 0; i < PORTMAP_L0_WORDS; i++) { uintptr_t bm1 = bm->bits0[i];
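Review bot: dropping `KASSERT(npf_config_locked_p(npf));` from npf_portmap_flush() removes the only visible statement of what serialises the flush against concurrent bitmap updates (the CAS retry loops on `bits0`/`bits1` in the earlier portmap commit on this page). If the routine is reachable from both the configuration-load path and `npf_destroy()`, replace the assert with a comment naming both callers and stating what guarantees no packet-path updates are in flight in the teardown case, or keep the assert and have npf_destroy() hold the config lock around the flush.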
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Tue Jul 23 08:25:52 UTC 2019 Modified Files: src/sys/net/npf: npf_portmap.c Log Message: NPF portmap: add a workaround for archs without 64-bit CAS. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_portmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_portmap.c diff -u src/sys/net/npf/npf_portmap.c:1.1 src/sys/net/npf/npf_portmap.c:1.2 --- src/sys/net/npf/npf_portmap.c:1.1 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_portmap.c Tue Jul 23 08:25:52 2019 @@ -35,7 +35,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.1 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $"); #include #include @@ -106,6 +106,8 @@ typedef struct { int max_port; } npf_portmap_params_t; +static kmutex_t portmap_lock; + void npf_portmap_init(npf_t *npf) { @@ -130,6 +132,8 @@ npf_portmap_init(npf_t *npf) npf->portmap = kmem_zalloc(sizeof(npf_portmap_t), KM_SLEEP); mutex_init(>portmap->list_lock, MUTEX_DEFAULT, IPL_SOFTNET); npf->portmap->addr_map = thmap_create(0, NULL, THMAP_NOCOPY); + + mutex_init(_lock, MUTEX_DEFAULT, IPL_SOFTNET); } void @@ -146,10 +150,31 @@ npf_portmap_fini(npf_t *npf) thmap_destroy(pm->addr_map); mutex_destroy(>list_lock); kmem_free(pm, sizeof(npf_portmap_t)); + + mutex_destroy(_lock); } / +#if defined(_LP64) +#define __npf_atomic_cas_64 atomic_cas_64 +#else +static uint64_t +__npf_atomic_cas_64(volatile uint64_t *ptr, uint64_t old, uint64_t new) +{ + uint64_t prev; + + mutex_enter(_lock); + prev = *ptr; + if (prev == old) { + *ptr = new; + } + mutex_exit(_lock); + + return prev; +} +#endif + /* * bitmap_word_isset: test whether the bit value is in the packed array. * 
@@ -283,7 +308,7 @@ again: */ if ((nval = bitmap_word_cax(bval, -1, chunk_bit)) != 0) { KASSERT((nval & PORTMAP_L1_TAG) == 0); - if (atomic_cas_64(>bits0[i], bval, nval) != bval) { + if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) { goto again; } return true; @@ -315,7 +340,7 @@ again: bm1p = (uintptr_t)bm1; KASSERT((bm1p & PORTMAP_L1_TAG) == 0); bm1p |= PORTMAP_L1_TAG; - if (atomic_cas_64(>bits0[i], bval, bm1p) != bval) { + if (__npf_atomic_cas_64(>bits0[i], bval, bm1p) != bval) { kmem_intr_free(bm1, sizeof(bitmap_l1_t)); goto again; } @@ -332,7 +357,7 @@ again: return false; } nval = oval | b; - if (atomic_cas_64(>bits1[i], oval, nval) != oval) { + if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) { goto again; } return true; @@ -356,7 +381,7 @@ again: } nval = bitmap_word_cax(bval, chunk_bit, chunk_bit); KASSERT((nval & PORTMAP_L1_TAG) == 0); - if (atomic_cas_64(>bits0[i], bval, nval) != bval) { + if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) { goto again; } return true; @@ -372,7 +397,7 @@ again: return false; } nval = oval & ~b; - if (atomic_cas_64(>bits1[i], oval, nval) != oval) { + if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) { goto again; } return true;
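Review bot: `static kmutex_t portmap_lock;` is file-scope, but it is initialised in `npf_portmap_init()` and destroyed in `npf_portmap_fini()`, which run once per `npf_t`; if more than one npf instance can exist, the second init re-initialises a live mutex and the first fini destroys it from under the other instance. Move the lock into `npf_portmap_t` next to the existing `list_lock`, or reference-count the init/destroy.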
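Review bot: the `#if defined(_LP64)` selector tests pointer width, not whether the port provides `atomic_cas_64`; some 32-bit ports do have it, so key the fallback on whatever per-architecture feature test the tree uses for 64-bit atomics rather than on `_LP64`. Note also that the mutex-emulated CAS only serialises writers: a reader that loads a 64-bit `bits0[i]`/`bits1[i]` word without the lock can still see a torn value on 32-bit targets. In the `goto again` loops shown that only costs a retry, but any lock-free lookup helper (the `bitmap_word_isset` comment is visible right below the hunk) should be checked for the same assumption.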
CVS commit: src/sys/net/npf
Module Name:src Committed By: christos Date: Thu Jun 20 17:12:37 UTC 2019 Modified Files: src/sys/net/npf: npf_tableset.c Log Message: Add error checking for previous memory allocation failure. To generate a diff of this commit: cvs rdiff -u -r1.31 -r1.32 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.31 src/sys/net/npf/npf_tableset.c:1.32 --- src/sys/net/npf/npf_tableset.c:1.31 Thu Jun 20 13:08:52 2019 +++ src/sys/net/npf/npf_tableset.c Thu Jun 20 13:12:37 2019 @@ -39,7 +39,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.31 2019/06/20 17:08:52 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.32 2019/06/20 17:12:37 christos Exp $"); #include #include @@ -495,7 +495,7 @@ table_cidr_check(int alen, const npf_add return 0; } -static void +static int table_ifaddr_insert(npf_table_t *t, const int alen, npf_tblent_t *ent) { const unsigned aidx = NPF_ADDRLEN2IDX(alen); @@ -514,6 +514,9 @@ table_ifaddr_insert(npf_table_t *t, cons newsize = toalloc * sizeof(npf_tblent_t *); elements = kmem_zalloc(newsize, KM_NOSLEEP); + if (elements == NULL) { + return ENOMEM; + } for (unsigned i = 0; i < used; i++) { elements[i] = old_elements[i]; } @@ -527,6 +530,7 @@ table_ifaddr_insert(npf_table_t *t, cons } t->t_elements[aidx][used] = ent; t->t_used[aidx]++; + return 0; } /* @@ -590,7 +594,9 @@ npf_table_insert(npf_table_t *t, const i error = EINVAL; break; case NPF_TABLE_IFADDR: - table_ifaddr_insert(t, alen, ent); + if ((error = table_ifaddr_insert(t, alen, ent)) != 0) { + break; + } LIST_INSERT_HEAD(>t_list, ent, te_listent); t->t_nitems++; break;
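Review bot: the `npf_table_insert` hunk breaks out with `error` set when `table_ifaddr_insert()` fails, but `ent` was allocated by the caller before the switch and this path skips `LIST_INSERT_HEAD` and `t->t_nitems++`; confirm that the common exit frees `ent` whenever `error != 0`, as it must already do for the existing `error = EINVAL; break;` arm, otherwise the ENOMEM case leaks the entry. Inside `table_ifaddr_insert()` the early `return ENOMEM;` happens before `t->t_elements` is touched, which leaves the table consistent and is the right ordering.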
CVS commit: src/sys/net/npf
Module Name:src Committed By: christos Date: Thu Jun 20 17:08:52 UTC 2019 Modified Files: src/sys/net/npf: npf_tableset.c Log Message: PR/54314: Frank Kardel: LOCKDEBUG: Mutex error: assert_sleepable,70: spin lock held when loading NPF To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.30 src/sys/net/npf/npf_tableset.c:1.31 --- src/sys/net/npf/npf_tableset.c:1.30 Wed Jun 12 10:36:32 2019 +++ src/sys/net/npf/npf_tableset.c Thu Jun 20 13:08:52 2019 @@ -39,7 +39,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.30 2019/06/12 14:36:32 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.31 2019/06/20 17:08:52 christos Exp $"); #include #include @@ -513,7 +513,7 @@ table_ifaddr_insert(npf_table_t *t, cons toalloc = roundup2(allocated + 1, NPF_IFADDR_STEP); newsize = toalloc * sizeof(npf_tblent_t *); - elements = kmem_zalloc(newsize, KM_SLEEP); + elements = kmem_zalloc(newsize, KM_NOSLEEP); for (unsigned i = 0; i < used; i++) { elements[i] = old_elements[i]; }
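Review bot: `elements = kmem_zalloc(newsize, KM_NOSLEEP);` can now return NULL, but the loop that follows (`elements[i] = old_elements[i];`) dereferences it unconditionally, so an allocation failure under memory pressure becomes a kernel NULL dereference instead of a sleep. The function needs a NULL check that propagates an error to npf_table_insert() (the next commit on this page, npf_tableset.c 1.32, adds exactly that); a KM_NOSLEEP conversion and its failure handling should land in the same commit.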
CVS commit: src/sys/net/npf
Module Name:src Committed By: christos Date: Wed Jun 12 14:36:32 UTC 2019 Modified Files: src/sys/net/npf: lpm.c lpm.h npf_tableset.c Log Message: Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html: Convert the mutex to spin-lock at IPL_NET (but it is excessive) and convert the memory allocations in that code path to KM_NOSLEEP. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/lpm.c cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/lpm.h cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/lpm.c diff -u src/sys/net/npf/lpm.c:1.5 src/sys/net/npf/lpm.c:1.6 --- src/sys/net/npf/lpm.c:1.5 Sat Sep 29 10:41:36 2018 +++ src/sys/net/npf/lpm.c Wed Jun 12 10:36:32 2019 @@ -38,7 +38,7 @@ #if defined(_KERNEL) #include -__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.5 2018/09/29 14:41:36 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.6 2019/06/12 14:36:32 christos Exp $"); #include #include @@ -90,6 +90,7 @@ typedef struct { struct lpm { uint32_t bitmask[LPM_MAX_WORDS]; + int flags; void * defvals[2]; lpm_hmap_t prefix[LPM_MAX_PREFIX + 1]; }; @@ -97,9 +98,11 @@ struct lpm { static const uint32_t zero_address[LPM_MAX_WORDS]; lpm_t * -lpm_create(void) +lpm_create(int flags) { - return kmem_zalloc(sizeof(lpm_t), KM_SLEEP); + lpm_t *lpm = kmem_zalloc(sizeof(*lpm), KM_SLEEP); + lpm->flags = flags; + return lpm; } void @@ -164,7 +167,7 @@ fnv1a_hash(const void *buf, size_t len) } static bool -hashmap_rehash(lpm_hmap_t *hmap, unsigned size) +hashmap_rehash(lpm_hmap_t *hmap, unsigned size, int flags) { lpm_ent_t **bucket; unsigned hashsize; 
@@ -172,7 +175,9 @@ hashmap_rehash(lpm_hmap_t *hmap, unsigne for (hashsize = 1; hashsize < size; hashsize <<= 1) { continue; } - bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), KM_SLEEP); + bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), flags); + if (bucket == NULL) + return false; for (unsigned n = 0; n < hmap->hashsize; n++) { lpm_ent_t *list = hmap->bucket[n]; @@ -194,14 +199,14 @@ hashmap_rehash(lpm_hmap_t *hmap, unsigne } static lpm_ent_t * -hashmap_insert(lpm_hmap_t *hmap, const void *key, size_t len) +hashmap_insert(lpm_hmap_t *hmap, const void *key, size_t len, int flags) { const unsigned target = hmap->nitems + LPM_HASH_STEP; const size_t entlen = offsetof(lpm_ent_t, key[len]); uint32_t hash, i; lpm_ent_t *entry; - if (hmap->hashsize < target && !hashmap_rehash(hmap, target)) { + if (hmap->hashsize < target && !hashmap_rehash(hmap, target, flags)) { return NULL; } @@ -215,7 +220,7 @@ hashmap_insert(lpm_hmap_t *hmap, const v entry = entry->next; } - if ((entry = kmem_alloc(entlen, KM_SLEEP)) != NULL) { + if ((entry = kmem_alloc(entlen, flags)) != NULL) { memcpy(entry->key, key, len); entry->next = hmap->bucket[i]; entry->len = len; @@ -326,7 +331,7 @@ lpm_insert(lpm_t *lpm, const void *addr, return 0; } compute_prefix(nwords, addr, preflen, prefix); - entry = hashmap_insert(>prefix[preflen], prefix, len); + entry = hashmap_insert(>prefix[preflen], prefix, len, lpm->flags); if (entry) { const unsigned n = --preflen >> 5; lpm->bitmask[n] |= 0x8000U >> (preflen & 31); Index: src/sys/net/npf/lpm.h diff -u src/sys/net/npf/lpm.h:1.2 src/sys/net/npf/lpm.h:1.3 --- src/sys/net/npf/lpm.h:1.2 Sat Sep 29 10:41:36 2018 +++ src/sys/net/npf/lpm.h Wed Jun 12 10:36:32 2019 
@@ -32,7 +32,7 @@ __BEGIN_DECLS typedef struct lpm lpm_t; typedef void (*lpm_dtor_t)(void *, const void *, size_t, void *); -lpm_t * lpm_create(void); +lpm_t * lpm_create(int); void lpm_destroy(lpm_t *); void lpm_clear(lpm_t *, lpm_dtor_t, void *); Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.29 src/sys/net/npf/npf_tableset.c:1.30 --- src/sys/net/npf/npf_tableset.c:1.29 Sat Jan 19 16:19:32 2019 +++ src/sys/net/npf/npf_tableset.c Wed Jun 12 10:36:32 2019 @@ -39,7 +39,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.29 2019/01/19 21:19:32 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.30 2019/06/12 14:36:32 christos Exp $"); #include #include @@ -365,7 +365,7 @@ npf_table_create(const char *name, u_int switch (type) { case NPF_TABLE_LPM: - t->t_lpm = lpm_create(); + t->t_lpm = lpm_create(KM_NOSLEEP); if (t->t_lpm == NULL) { goto out; } @@ -398,7 +398,7 @@ npf_table_create(const char *name, u_int default: KASSERT(false); } - mutex_init(>t_lock, MUTEX_DEFAULT, IPL_NONE); + mutex_init(>t_lock, MUTEX_DEFAULT, IPL_NET); t->t_type = type; t->t_id = tid; return t;
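Review bot: in the lpm_create() hunk of lpm.c the lpm_t is still allocated with `kmem_zalloc(sizeof(*lpm), KM_SLEEP)` and the new argument is only stored in `lpm->flags` for the later hash-map allocations, while the npf_tableset.c hunk now calls `lpm_create(KM_NOSLEEP)` and keeps the `if (t->t_lpm == NULL) { goto out; }` check, which cannot trigger as long as that allocation sleeps. Either allocate with `flags` here so the NULL check does its job, or add a comment that `flags` only governs insert-time allocations so a reader does not take the call site for a non-sleeping create.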
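Review bot: `if (bucket == NULL) return false;` in the hashmap_rehash hunk is the only unbraced single-statement body in the touched code; the hashmap_insert hunk a few lines down writes `if (hmap->hashsize < target && !hashmap_rehash(hmap, target, flags)) { return NULL; }`, so brace this one the same way for consistency. The placement of the early return is right: it happens before the old buckets are walked, so a failed KM_NOSLEEP allocation leaves the hash map untouched and the caller sees hashmap_insert return NULL, which lpm_insert already handles with `if (entry) {`.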
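Review bot: the lpm.h hunk changes the prototype to `lpm_t * lpm_create(int);` without documenting what the int is; a one-line comment at the prototype saying it takes kmem(9) allocation flags (KM_SLEEP or KM_NOSLEEP) that are applied when the prefix hash maps grow would save the next caller from reading lpm.c to find out.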
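Review bot: changing the t_lock initialisation from IPL_NONE to `MUTEX_DEFAULT, IPL_NET` in the npf_table_create hunk turns t_lock into a spin mutex, so every path that holds it must now be sleep-free, which is why the lpm allocations move to KM_NOSLEEP in the same commit. The log message already calls IPL_NET excessive; record that reasoning and the current-users thread URL in a comment next to the mutex_init so a later cleanup does not quietly lower it back to IPL_NONE and reintroduce the LOCKDEBUG pserialize panic.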
Re: CVS commit: src/sys/net/npf
On 07/04/2018 at 23:28, Christos Zoulas wrote:
> In article <20180407090627.20058f...@cvs.netbsd.org>, Maxime Villard wrote:
>> -=-=-=-=-=-
>>
>> Module Name:	src
>> Committed By:	maxv
>> Date:		Sat Apr 7 09:06:27 UTC 2018
>>
>> Modified Files:
>> 	src/sys/net/npf: npf_inet.c
>>
>> Log Message:
>> Rewrite npf_fetch_tcpopts:
>>
>>  * Instead of doing several nbuf_advance/nbuf_ensure_contig and
>>  playing with gotos, fetch the TCP options only once, and iterate over
>>  the (safe) area. The code is similar to tcp_dooptions.
>>
>>  * When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
>>  the one we're expecting. If it isn't, then skip the option. This
>>  wasn't done before, and not doing it allowed a packet to bypass the
>>  max-mss clamping procedure.
>>
>> Discussed on tech-net@.
>
> This seems to break cvs -d cvs.netbsd.org:/cvsroot diff, with write via
> ssh returning ENETUNREACH.
>
> christos

My bad (again). Seems like the TCP code is getting me confused all the time.
Re: CVS commit: src/sys/net/npf
In article <20180407090627.20058f...@cvs.netbsd.org>, Maxime Villard wrote:
>-=-=-=-=-=-
>
>Module Name:	src
>Committed By:	maxv
>Date:		Sat Apr 7 09:06:27 UTC 2018
>
>Modified Files:
>	src/sys/net/npf: npf_inet.c
>
>Log Message:
>Rewrite npf_fetch_tcpopts:
>
> * Instead of doing several nbuf_advance/nbuf_ensure_contig and
> playing with gotos, fetch the TCP options only once, and iterate over
> the (safe) area. The code is similar to tcp_dooptions.
>
> * When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
> the one we're expecting. If it isn't, then skip the option. This
> wasn't done before, and not doing it allowed a packet to bypass the
> max-mss clamping procedure.
>
>Discussed on tech-net@.
>

This seems to break cvs -d cvs.netbsd.org:/cvsroot diff, with write via
ssh returning ENETUNREACH.

christos
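The option walk described in the log message above, as an added C example that is not NPF's own code: the option area is treated as one contiguous buffer, each option's length byte is checked against the area before its payload is read, and MAXSEG and WINDOW are only honoured when their length is exactly the RFC one, so an MSS option with the wrong length is skipped rather than fed to the max-mss clamp. The function names, the struct and the three sample option areas are this example's own constructions, not anything from npf_inet.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2, TCPOPT_WINDOW = 3 };
enum { TCPOLEN_MAXSEG = 4, TCPOLEN_WINDOW = 3 };

struct tcpopts {
	bool     has_mss;
	uint16_t mss;
	size_t   mss_off;   /* offset of the 2-byte MSS value when has_mss */
	uint8_t  wscale;    /* 0 when no well-formed WINDOW option was seen */
};

/*
 * Walk the option area [opts, opts + len) exactly once. Returns false when
 * the area cannot be parsed safely (a length below 2, or one running past
 * the end of the area); MAXSEG and WINDOW are only honoured at RFC length.
 */
static bool
tcp_parse_opts(const uint8_t *opts, size_t len, struct tcpopts *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off < len) {
		const uint8_t kind = opts[off];
		size_t olen;
		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) {
			off++;
			continue;
		}
		/* Every other option carries a length byte; check it fits. */
		if (off + 1 >= len)
			return false;
		olen = opts[off + 1];
		if (olen < 2 || off + olen > len)
			return false;
		switch (kind) {
		case TCPOPT_MAXSEG:
			if (olen != TCPOLEN_MAXSEG)
				break;   /* wrong length: skip it, never read its value */
			out->has_mss = true;
			out->mss_off = off + 2;
			out->mss = (uint16_t)((opts[off + 2] << 8) | opts[off + 3]);
			break;
		case TCPOPT_WINDOW:
			if (olen != TCPOLEN_WINDOW)
				break;
			out->wscale = opts[off + 2];
			break;
		}
		off += olen;   /* unknown options are stepped over by their length */
	}
	return true;
}

/*
 * Clamp a well-formed MSS option to maxmss in place (the max-mss
 * normalisation). Returns the MSS left in the packet, 0 if none is usable.
 */
static uint16_t
tcp_clamp_mss(uint8_t *opts, size_t len, uint16_t maxmss)
{
	struct tcpopts o;
	if (!tcp_parse_opts(opts, len, &o) || !o.has_mss)
		return 0;
	if (o.mss > maxmss) {
		opts[o.mss_off] = (uint8_t)(maxmss >> 8);
		opts[o.mss_off + 1] = (uint8_t)maxmss;
		return maxmss;
	}
	return o.mss;
}

/* Constructed option areas (not captured traffic). */
static const uint8_t sample_good[]   = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7, 0 };
static const uint8_t sample_badlen[] = { 2, 3, 0x05, 1, 3, 3, 7 }; /* MSS, length 3 */
static const uint8_t sample_trunc[]  = { 2, 4, 0x05 };             /* MSS cut short */

/* -1 if unparsable, 0 if no acceptable MSS, else the MSS value. */
static int
example_mss(const uint8_t *opts, size_t len)
{
	struct tcpopts o;
	return tcp_parse_opts(opts, len, &o) ? (o.has_mss ? o.mss : 0) : -1;
}

/* Clamp a copy of sample_good to 1200 and return what the packet now says. */
static int
example_clamp(void)
{
	uint8_t buf[sizeof(sample_good)];
	memcpy(buf, sample_good, sizeof(buf));
	return tcp_clamp_mss(buf, sizeof(buf), 1200);
}
```

For sample_badlen the MSS option is stepped over and the parser reports no MSS at all, so the clamp has nothing to act on and a filter would treat the segment as carrying no MSS; sample_trunc is rejected outright because its declared length does not fit in the area, which is the case a single bounds-checked walk over a contiguous buffer catches cheaply.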
Re: CVS commit: src/sys/net/npf
On 31/01/2018 at 00:18, Mindaugas Rasiukevicius wrote:
> [...]
>> Fix this by using uint32_t. While here, it seems to me there is also a
>> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
>> a value that goes beyond the mbuf.
> [...]
> If the npc_hlen value is beyond the packet length, NPF's nbuf interface
> will catch that, since it performs the bounds check.

I meant to say that the IPv6 loop in npf_cache_ip seems suspicious to me.

	while (nbuf_advance(nbuf, hlen, 0) != NULL) {
		[...]
		hlen = (ip6e->ip6e_len + 1) << 3;
		[...]
		npc->npc_hlen += hlen;
	}
	[continue execution...]

Here, if you have a 'hlen' that goes beyond the mbuf, nbuf_advance will
fail, and we're not handling this case. npc_hlen got incremented along the
way, and it now points past the end of the mbuf. Perhaps that's handled
properly later, but in all cases, we ought to handle the error right here
instead of processing the packet any further.

Note however that NPF is rather at the end of my TODO list, and I'll come
back to it later.

Maxime
Re: CVS commit: src/sys/net/npf
"Maxime Villard" wrote:
> Module Name:	src
> Committed By:	maxv
> Date:		Fri Dec 15 21:00:26 UTC 2017
>
> Modified Files:
> 	src/sys/net/npf: npf.h
>
> Log Message:
> Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
> bypass a certain number of filtering rules.
>
> Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
> 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
> has large extensions.

Thanks for discovering and fixing this. I think this is the first serious
remote vulnerability in NPF, although limited to IPv6 only.

> Fix this by using uint32_t. While here, it seems to me there is also a
> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
> a value that goes beyond the mbuf.

A minor aspect, but promoting npf_hlen to uint32_t results in wasteful
padding in the struct, so it is better to re-order the struct members in
this case.

If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check. However, I think we
should implement some sanity check for the npc_hlen value. RFC 7112
suggests that the IPv6 header chain should not exceed the MTU size (and
thus fit in the first fragment, in case of fragmentation). Some value
along these lines could be the basis for a sanity check..

-- 
Mindaugas
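The two hazards discussed in this thread and the reply above it, an 8-bit npc_hlen that wraps once the extension headers are long enough, and an extension-header length that steps past the end of the buffer, together with the RFC 7112-style limit Mindaugas suggests, as an added C example that is not NPF's code: a header-chain walk that keeps its offset in a uint32_t, checks every step against the buffer before taking it, and rejects a chain longer than a configurable limit. The function and type names, the sample builder and the packet it builds are this example's own constructions; the chain limit is a parameter, not a value NPF uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDRLEN       40
#define IPPROTO_HOPOPTS   0
#define IPPROTO_TCP       6
#define IPPROTO_ROUTING  43
#define IPPROTO_DSTOPTS  60

/* Common two-byte prefix of the extension headers walked here. */
struct ip6_ext {
	uint8_t ip6e_nxt;   /* next header */
	uint8_t ip6e_len;   /* length in 8-octet units, not counting the first */
};

enum chain_result { CHAIN_OK = 0, CHAIN_TRUNCATED = -1, CHAIN_TOO_LONG = -2 };

/*
 * Walk the IPv6 header chain in pkt[0..len) with a uint32_t offset, check
 * each step against the buffer before taking it, and refuse a chain longer
 * than maxchain bytes. On CHAIN_OK, *hlen is the total header length and
 * *proto the upper-layer protocol; on an error nothing is written.
 */
static int
ip6_hdr_chain(const uint8_t *pkt, size_t len, uint32_t maxchain,
    uint32_t *hlen, uint8_t *proto)
{
	uint32_t off = IP6_HDRLEN;
	uint8_t nxt;
	if (len < IP6_HDRLEN)
		return CHAIN_TRUNCATED;
	nxt = pkt[6];   /* next header field of the fixed header */
	while (nxt == IPPROTO_HOPOPTS || nxt == IPPROTO_ROUTING || nxt == IPPROTO_DSTOPTS) {
		struct ip6_ext ext;
		uint32_t extlen;
		if ((size_t)off + sizeof(ext) > len)
			return CHAIN_TRUNCATED;
		memcpy(&ext, pkt + off, sizeof(ext));
		extlen = ((uint32_t)ext.ip6e_len + 1) << 3;
		/* The case raised above: stop before off runs past the data. */
		if ((size_t)off + extlen > len)
			return CHAIN_TRUNCATED;
		off += extlen;
		if (off > maxchain)
			return CHAIN_TOO_LONG;
		nxt = ext.ip6e_nxt;
	}
	*hlen = off;
	*proto = nxt;
	return CHAIN_OK;
}

/* What an 8-bit accumulator would have kept of the same total. */
static uint8_t
hlen_as_uint8(uint32_t hlen)
{
	return (uint8_t)hlen;
}

/*
 * Constructed sample (not captured traffic): the fixed header, then n
 * Destination Options headers of 'units' 8-octet units each with all-zero
 * (Pad1) bodies, then TCP. Returns the bytes written, 0 on a bad request.
 */
static size_t
build_sample(uint8_t *buf, size_t cap, unsigned n, unsigned units)
{
	const size_t extlen = (size_t)units * 8;
	size_t off = IP6_HDRLEN;
	if (units < 1 || units > 256 || cap < IP6_HDRLEN + n * extlen)
		return 0;
	memset(buf, 0, cap);
	buf[0] = 0x60;                                  /* version 6 */
	buf[6] = n > 0 ? IPPROTO_DSTOPTS : IPPROTO_TCP; /* next header */
	for (unsigned i = 0; i < n; i++) {
		buf[off] = (i + 1 < n) ? IPPROTO_DSTOPTS : IPPROTO_TCP;
		buf[off + 1] = (uint8_t)(units - 1);
		off += extlen;
	}
	buf[4] = (uint8_t)((off - IP6_HDRLEN) >> 8);    /* payload length */
	buf[5] = (uint8_t)(off - IP6_HDRLEN);
	return off;
}

/*
 * Two 128-byte Destination Options headers give a 296-byte chain. Returns
 * the chain length, or the negative chain_result if the walk refuses it;
 * len_limit pretends the packet data ends early, maxchain is the cap.
 */
static long
example_chain(size_t len_limit, uint32_t maxchain)
{
	static uint8_t pkt[512];
	size_t len = build_sample(pkt, sizeof(pkt), 2, 16);
	uint32_t hlen = 0;
	uint8_t proto = 0;
	int r;
	if (len_limit < len)
		len = len_limit;
	r = ip6_hdr_chain(pkt, len, maxchain, &hlen, &proto);
	return r == CHAIN_OK ? (long)hlen : r;
}
```

The 296-byte chain of the sample truncates to 40 in an 8-bit counter, exactly the fixed header length, so an 8-bit accumulator would report the packet as having no extension headers at all; the uint32_t walk reports 296, refuses the same packet when the data is cut off at 200 bytes instead of advancing past the end, and refuses it again when the chain limit is set to 256 bytes.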
Re: CVS commit: src/sys/net/npf
In article <20151019002957.b972...@cvs.netbsd.org>, Christos Zoulas wrote:
>Log Message:
>Fix the code so that it works in all 3 cases: non-modular, modular/builtin,
>modular/filesystem. In the non-modular case we initialize through attach.
>In the modular/builtin case we define the module to be class misc so it
>attaches late (after percpu is initialized) since driver modules attach
>too early. In the modular/filesystem case we define it to be a driver
>module since we autoload it via /dev/npf open.

I still don't like my fix, perhaps jared's is better. Having a single
attach()/detach() entry point for both modular and non-modular kernels
certainly seems desirable. Also there needs to be a way to specify a
dependency graph for modules so that they can be loaded after their
dependencies. Finally, resource management (things that the modules need
to clean up and may be busy) needs to be handled better.

christos
Re: CVS commit: src/sys/net/npf
On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:

> Module Name:	src
> Committed By:	rmind
> Date:		Tue Oct 29 16:39:10 UTC 2013
>
> Modified Files:
> 	src/sys/net/npf: npf_impl.h npf_nat.c npf_session.c
>
> Log Message:
> npf_session_setnat: fix the race condition when the old connection is
> still being expired while a new/duplicate is being created.

Should we have (or do we have) a regression test to catch this race
condition?

-------------------------------------------------------------------------
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------
Re: CVS commit: src/sys/net/npf
Paul Goyette p...@whooppee.com wrote:
> On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:
>
>> Module Name:	src
>> Committed By:	rmind
>> Date:		Tue Oct 29 16:39:10 UTC 2013
>>
>> Modified Files:
>> 	src/sys/net/npf: npf_impl.h npf_nat.c npf_session.c
>>
>> Log Message:
>> npf_session_setnat: fix the race condition when the old connection is
>> still being expired while a new/duplicate is being created.
>
> Should we have (or do we have) a regression test to catch this race
> condition?

You would need to write a test simulating a particular condition and then
trying to brute-force the race. It requires a bit of coding as it is not
an easy race to trigger. Let me know if you want to volunteer.

-- 
Mindaugas
Re: CVS commit: src/sys/net/npf
On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:

>>> npf_session_setnat: fix the race condition when the old connection is
>>> still being expired while a new/duplicate is being created.
>>
>> Should we have (or do we have) a regression test to catch this race
>> condition?
>
> You would need to write a test simulating a particular condition and then
> trying to brute-force the race. It requires a bit of coding as it is not
> an easy race to trigger. Let me know if you want to volunteer.

Thanks! :) Unfortunately I don't think I can volunteer (probably wouldn't
be productive, anyway).

-------------------------------------------------------------------------
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------