CVS commit: src/sys/net/npf

2023-08-08 Thread Frank Kardel
Module Name:    src
Committed By:   kardel
Date:   Tue Aug  8 16:10:42 UTC 2023

Modified Files:
src/sys/net/npf: npf_ruleset.c

Log Message:
The analysis documented in PR misc/56990 is correct.
Fix by not returning when encountering a ruleset rule.

The code up to now would stop at any group rule.

Ruleset rules are marked as a group rule and a dynamic rule.

Processing is only finished when a result is present AND
we are looking at a plain group rule.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.51 src/sys/net/npf/npf_ruleset.c:1.52
--- src/sys/net/npf/npf_ruleset.c:1.51	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_ruleset.c	Tue Aug  8 16:10:41 2023
@@ -34,7 +34,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.51 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.52 2023/08/08 16:10:41 kardel Exp $");
 
 #include 
 #include 
@@ -891,7 +891,7 @@ npf_ruleset_inspect(npf_cache_t *npc, co
 		KASSERT(n < skip_to);
 
 		/* Group is a barrier: return a matching if found any. */
-		if ((attr & NPF_RULE_GROUP) != 0 && final_rl) {
+		if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP && final_rl) {
 			break;
 		}
 
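Review bot: the comment on the line above the condition still says "Group is a barrier", but after this change only a plain group (NPF_RULE_GROUP set without the dynamic bit) is a barrier, while a ruleset rule, which carries both bits, no longer ends the inspection; update the comment to say so. The equality test `(attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP` also relies on NPF_DYNAMIC_GROUP being the OR of the group and dynamic bits, which the hunk does not show; a one-line comment naming that mask would make the check self-explanatory.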


CVS commit: src/sys/net/npf

2023-02-24 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Fri Feb 24 11:03:01 UTC 2023

Modified Files:
src/sys/net/npf: npf_nat.c npf_rproc.c npf_tableset.c

Log Message:
npf: Eliminate __HAVE_ATOMIC_AS_MEMBAR conditionals.

Discussed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html

Requested by rmind@:
https://github.com/rmind/npf/pull/127#issuecomment-1399573125


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.52 src/sys/net/npf/npf_nat.c:1.53
--- src/sys/net/npf/npf_nat.c:1.52	Sat Apr  9 23:38:33 2022
+++ src/sys/net/npf/npf_nat.c	Fri Feb 24 11:03:01 2023
@@ -67,7 +67,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.52 2022/04/09 23:38:33 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.53 2023/02/24 11:03:01 riastradh Exp $");
 
 #include 
 #include 
@@ -279,15 +279,11 @@ npf_natpolicy_release(npf_natpolicy_t *n
 {
 	KASSERT(atomic_load_relaxed(>n_refcnt) > 0);
 
-#ifndef __HAVE_ATOMIC_AS_MEMBAR
 	membar_release();
-#endif
 	if (atomic_dec_uint_nv(>n_refcnt) != 0) {
 		return;
 	}
-#ifndef __HAVE_ATOMIC_AS_MEMBAR
 	membar_acquire();
-#endif
 	KASSERT(LIST_EMPTY(>n_nat_list));
 	mutex_destroy(>n_lock);
 	kmem_free(np, sizeof(npf_natpolicy_t));
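Review bot: making membar_release() and membar_acquire() unconditional is the right release/acquire pairing for a refcount drop (the release orders this thread's writes before the decrement; the acquire on the last-reference path orders the following KASSERT and kmem_free after every other releaser's decrement). The one thing to confirm is that on ports where the atomics already imply barriers these two calls compile to no-ops, otherwise this hunk adds cost on the release path that the removed conditionals were avoiding.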

Index: src/sys/net/npf/npf_rproc.c
diff -u src/sys/net/npf/npf_rproc.c:1.22 src/sys/net/npf/npf_rproc.c:1.23
--- src/sys/net/npf/npf_rproc.c:1.22	Sat Apr  9 23:38:33 2022
+++ src/sys/net/npf/npf_rproc.c	Fri Feb 24 11:03:01 2023
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_rproc.c,v 1.22 2022/04/09 23:38:33 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_rproc.c,v 1.23 2023/02/24 11:03:01 riastradh Exp $");
 
 #include 
 #include 
@@ -330,15 +330,12 @@ npf_rproc_release(npf_rproc_t *rp)
 {
 	KASSERT(atomic_load_relaxed(>rp_refcnt) > 0);
 
-#ifndef __HAVE_ATOMIC_AS_MEMBAR
 	membar_release();
-#endif
 	if (atomic_dec_uint_nv(>rp_refcnt) != 0) {
 		return;
 	}
-#ifndef __HAVE_ATOMIC_AS_MEMBAR
 	membar_acquire();
-#endif
+
 	/* XXXintr */
 	for (unsigned i = 0; i < rp->rp_ext_count; i++) {
 		npf_ext_t *ext = rp->rp_ext[i];
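Review bot: same pattern as npf_natpolicy_release, fine; the added `+` blank line is harmless, but the `/* XXXintr */` marker right below it still carries no explanation of what is deferred, and since this hunk already touches that spot it would be a good moment to state what the interrupt-context concern is.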

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.41 src/sys/net/npf/npf_tableset.c:1.42
--- src/sys/net/npf/npf_tableset.c:1.41	Mon Jan 23 13:40:04 2023
+++ src/sys/net/npf/npf_tableset.c	Fri Feb 24 11:03:01 2023
@@ -46,7 +46,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.41 2023/01/23 13:40:04 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.42 2023/02/24 11:03:01 riastradh Exp $");
 
 #include 
 #include 
@@ -160,14 +160,10 @@ npf_tableset_destroy(npf_tableset_t *ts)
 
 		if (t == NULL)
 			continue;
-#ifndef __HAVE_ATOMIC_AS_MEMBAR
 		membar_release();
-#endif
 		if (atomic_dec_uint_nv(>t_refcnt) > 0)
 			continue;
-#ifndef __HAVE_ATOMIC_AS_MEMBAR
 		membar_acquire();
-#endif
 		npf_table_destroy(t);
 	}
 	kmem_free(ts, NPF_TABLESET_SIZE(ts->ts_nitems));


CVS commit: src/sys/net/npf

2023-02-12 Thread Frank Kardel
Module Name:    src
Committed By:   kardel
Date:   Sun Feb 12 13:38:37 UTC 2023

Modified Files:
src/sys/net/npf: npf.h npf_mbuf.c npf_sendpkt.c

Log Message:
PR kern/56052:
Allow block-return packets to be passed through without rule matching.
Included upstream as https://github.com/rmind/npf/pull/115


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/sys/net/npf/npf.h
cvs rdiff -u -r1.24 -r1.25 src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_sendpkt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.63 src/sys/net/npf/npf.h:1.64
--- src/sys/net/npf/npf.h:1.63	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf.h	Sun Feb 12 13:38:37 2023
@@ -122,6 +122,7 @@ void *		nbuf_ensure_writable(nbuf_t *, s
 
 bool		nbuf_cksum_barrier(nbuf_t *, int);
 int		nbuf_add_tag(nbuf_t *, uint32_t);
+int		npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t);
 int		nbuf_find_tag(nbuf_t *, uint32_t *);
 
 /*
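Review bot: the new prototype exports npf_mbuf_add_tag next to nbuf_add_tag with nothing to tell the two apart; a short header comment saying that npf_mbuf_add_tag tags an explicitly supplied mbuf (for a freshly built packet) while nbuf_add_tag tags the buffer's own head mbuf would save readers a trip to npf_mbuf.c.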

Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.24 src/sys/net/npf/npf_mbuf.c:1.25
--- src/sys/net/npf/npf_mbuf.c:1.24	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_mbuf.c	Sun Feb 12 13:38:37 2023
@@ -36,7 +36,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.24 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.25 2023/02/12 13:38:37 kardel Exp $");
 
 #include 
 #include 
@@ -297,14 +297,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di)
 }
 
 /*
- * nbuf_add_tag: associate a tag with the network buffer.
+ * npf_mbuf_add_tag: associate a tag with the network buffer.
  *
  * => Returns 0 on success or error number on failure.
  */
 int
-nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
+npf_mbuf_add_tag(nbuf_t *nbuf, struct mbuf *m, uint32_t val)
 {
-	struct mbuf *m = nbuf->nb_mbuf0;
 #ifdef _KERNEL
 	struct m_tag *mt;
 	uint32_t *dat;
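Review bot: with the `struct mbuf *m = nbuf->nb_mbuf0;` line removed, check whether the nbuf parameter of npf_mbuf_add_tag is still referenced anywhere in the body; if it only served to derive m, the parameter is now dead on the kernel path and could be dropped, or documented as kept for the non-_KERNEL build.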
@@ -328,6 +327,18 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
 }
 
 /*
+ * nbuf_add_tag: associate a tag with the network buffer.
+ *
+ * => Returns 0 on success or error number on failure.
+ */
+int
+nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
+{
+	struct mbuf *m = nbuf->nb_mbuf0;
+	return npf_mbuf_add_tag(nbuf, m, val);
+}
+
+/*
  * nbuf_find_tag: find a tag associated with a network buffer.
  *
  * => Returns 0 on success or error number on failure.
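Review bot: the block comment on the new nbuf_add_tag wrapper is a verbatim copy of the one on npf_mbuf_add_tag; say instead that it tags the buffer's head mbuf (nb_mbuf0) and delegates, so the two comments do not read as describing the same function.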

Index: src/sys/net/npf/npf_sendpkt.c
diff -u src/sys/net/npf/npf_sendpkt.c:1.22 src/sys/net/npf/npf_sendpkt.c:1.23
--- src/sys/net/npf/npf_sendpkt.c:1.22	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_sendpkt.c	Sun Feb 12 13:38:37 2023
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.22 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.23 2023/02/12 13:38:37 kardel Exp $");
 
 #include 
 #include 
@@ -197,6 +197,9 @@ npf_return_tcp(npf_cache_t *npc)
 		}
 	}
 
+	/* don't look at our generated reject packets going out */
+	(void)npf_mbuf_add_tag(npc->npc_nbuf, m, NPF_NTAG_PASS);
+
 	/* Pass to IP layer. */
 	if (npf_iscached(npc, NPC_IP4)) {
 		return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
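Review bot: the return value of npf_mbuf_add_tag is discarded with a (void) cast; if the tag cannot be allocated, the generated TCP reject goes to ip_output untagged and is inspected by the ruleset again, which is exactly the pre-fix behaviour, so the failure mode is a silent fallback rather than anything worse, but the comment should say that this degradation is intended. Tagging `m` rather than npc->npc_nbuf is correct here because the reject is a freshly built mbuf, not the original packet.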
@@ -215,6 +218,9 @@ npf_return_icmp(const npf_cache_t *npc)
 {
 	struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf);
 
+	/* don't look at our generated reject packets going out */
+	(void)nbuf_add_tag(npc->npc_nbuf, NPF_NTAG_PASS);
+
 	if (npf_iscached(npc, NPC_IP4)) {
 		icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT, 0, 0);
 		return 0;
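Review bot: here the tag is placed on the head mbuf of the original packet (npc->npc_nbuf), and that same mbuf `m` is then handed to icmp_error(), which builds the ICMP reply as a separate packet; confirm that icmp_error and icmp6_error carry the m_tag over to the reply they emit, otherwise the outgoing reject is still untagged and the fix only covers the TCP RST path.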


CVS commit: src/sys/net/npf

2023-01-23 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Mon Jan 23 13:40:05 UTC 2023

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
npf(9): Drop table lock around copyout.

It is forbidden to hold a spin lock around copyout, and t_lock is a
spin lock.

We need t_lock in order to iterate over the list of entries.
However, during copyout itself, we only need to ensure that the
object we're copying out isn't freed by npf_table_remove or
npf_table_gc.

Fortunately, the only caller of npf_table_list, npf_table_remove, and
npf_table_gc is npfctl_table, and it serializes all of them by the
npf config lock.  So we can safely drop t_lock across copyout.

PR kern/57136
PR kern/57181


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.40 src/sys/net/npf/npf_tableset.c:1.41
--- src/sys/net/npf/npf_tableset.c:1.40	Sun Jan 22 18:45:43 2023
+++ src/sys/net/npf/npf_tableset.c	Mon Jan 23 13:40:04 2023
@@ -46,7 +46,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.40 2023/01/22 18:45:43 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.41 2023/01/23 13:40:04 riastradh Exp $");
 
 #include 
 #include 
@@ -766,15 +766,17 @@ table_ent_copyout(const npf_addr_t *addr
 }
 
 static int
-table_generic_list(const npf_table_t *t, void *ubuf, size_t len)
+table_generic_list(npf_table_t *t, void *ubuf, size_t len)
 {
 	npf_tblent_t *ent;
 	size_t off = 0;
 	int error = 0;
 
 	LIST_FOREACH(ent, >t_list, te_listent) {
+		mutex_exit(>t_lock);
 		error = table_ent_copyout(>te_addr,
 		ent->te_alen, ent->te_preflen, ubuf, len, );
+		mutex_enter(>t_lock);
 		if (error)
 			break;
 	}
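Review bot: dropping t_lock inside LIST_FOREACH means `ent` and its te_listent link must survive the unlocked copyout window; the commit message justifies that by npfctl_table serializing table_generic_list, npf_table_remove and npf_table_gc under the npf config lock, but nothing in this function states or asserts it. Add a comment, or a KASSERT on the config lock if one is reachable from here, so a future caller that is not npfctl_table does not inherit a use-after-free. Dropping const from the `t` parameter is required by mutex_exit/mutex_enter, fine.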


CVS commit: src/sys/net/npf

2023-01-22 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Sun Jan 22 18:45:43 UTC 2023

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
npf(9): Another comment tweak to match upstream.

No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.39 src/sys/net/npf/npf_tableset.c:1.40
--- src/sys/net/npf/npf_tableset.c:1.39	Sun Jan 22 18:39:22 2023
+++ src/sys/net/npf/npf_tableset.c	Sun Jan 22 18:45:43 2023
@@ -46,7 +46,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.39 2023/01/22 18:39:22 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.40 2023/01/22 18:45:43 riastradh Exp $");
 
 #include 
 #include 
@@ -101,7 +101,7 @@ struct npf_table {
 
 	/*
 	 * Table ID, type and lock.  The ID may change during the
-	 * config reload, it is protected by the npf->config_lock.
+	 * config reload, it is protected by the npf_t::config_lock.
 	 */
 	int			t_type;
 	unsigned		t_id;


CVS commit: src/sys/net/npf

2023-01-22 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Sun Jan 22 18:39:35 UTC 2023

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
npf(9): Update comment to reduce diff from upstream.

No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.34 src/sys/net/npf/npf_conn.c:1.35
--- src/sys/net/npf/npf_conn.c:1.34	Sun Feb 13 19:20:23 2022
+++ src/sys/net/npf/npf_conn.c	Sun Jan 22 18:39:35 2023
@@ -97,14 +97,14 @@
  *
  * Lock order
  *
- *	npf->config_lock ->
+ *	npf_t::config_lock ->
  *		conn_lock ->
  *			npf_conn_t::c_lock
  */
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.34 2022/02/13 19:20:23 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.35 2023/01/22 18:39:35 riastradh Exp $");
 
 #include 
 #include 


CVS commit: src/sys/net/npf

2023-01-22 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Sun Jan 22 18:39:22 UTC 2023

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
npf(9): Use __HAVE_ATOMIC_AS_MEMBAR around refcnt consistently.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.38 src/sys/net/npf/npf_tableset.c:1.39
--- src/sys/net/npf/npf_tableset.c:1.38	Sat Apr  9 23:38:33 2022
+++ src/sys/net/npf/npf_tableset.c	Sun Jan 22 18:39:22 2023
@@ -46,7 +46,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.38 2022/04/09 23:38:33 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.39 2023/01/22 18:39:22 riastradh Exp $");
 
 #include 
 #include 
@@ -160,10 +160,14 @@ npf_tableset_destroy(npf_tableset_t *ts)
 
 		if (t == NULL)
 			continue;
+#ifndef __HAVE_ATOMIC_AS_MEMBAR
 		membar_release();
+#endif
 		if (atomic_dec_uint_nv(>t_refcnt) > 0)
 			continue;
+#ifndef __HAVE_ATOMIC_AS_MEMBAR
 		membar_acquire();
+#endif
 		npf_table_destroy(t);
 	}
 	kmem_free(ts, NPF_TABLESET_SIZE(ts->ts_nitems));
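Review bot: wrapping the two barriers in #ifndef __HAVE_ATOMIC_AS_MEMBAR brings this site in line with the other refcnt drops, but per-port conditional barriers are easy to get wrong and hard to test; note that the Feb 24 commit earlier in this thread removes these same conditionals again, so this hunk is the intermediate state.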


CVS commit: src/sys/net/npf

2022-04-28 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Apr 28 17:28:15 UTC 2022

Modified Files:
src/sys/net/npf: npf_params.c

Log Message:
Make the thmap(9) used for params use sleepable allocations,
suggested by rmind@. Should fix PR 56802.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_params.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_params.c
diff -u src/sys/net/npf/npf_params.c:1.4 src/sys/net/npf/npf_params.c:1.5
--- src/sys/net/npf/npf_params.c:1.4	Thu Apr 28 15:43:51 2022
+++ src/sys/net/npf/npf_params.c	Thu Apr 28 17:28:15 2022
@@ -26,7 +26,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.4 2022/04/28 15:43:51 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.5 2022/04/28 17:28:15 martin Exp $");
 
 #include 
 #include 
@@ -69,13 +69,30 @@ npf_param_general_register(npf_t *npf)
 	npf_param_register(npf, param_map, __arraycount(param_map));
 }
 
+static uintptr_t
+npf_param_thmap_alloc(size_t len)
+{
+	return (uintptr_t)kmem_alloc(len, KM_SLEEP);
+}
+
+static void
+npf_param_thmap_free(uintptr_t addr, size_t len)  
+{
+kmem_free((void *)addr, len);
+} 
+
+static const thmap_ops_t npf_param_thmap_ops = {
+.alloc = npf_param_thmap_alloc,
+.free = npf_param_thmap_free
+};
+
 void
 npf_param_init(npf_t *npf)
 {
 	npf_paraminfo_t *paraminfo;
 
 	paraminfo = kmem_zalloc(sizeof(npf_paraminfo_t), KM_SLEEP);
-	paraminfo->map = thmap_create(0, NULL, THMAP_NOCOPY);
+	paraminfo->map = thmap_create(0, _param_thmap_ops, THMAP_NOCOPY);
 	npf->paraminfo = paraminfo;
 
 	/* Register some general parameters. */
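Review bot: indentation in the new helpers does not match the file: the body of npf_param_thmap_free and the two initializers in npf_param_thmap_ops are unindented, and the `npf_param_thmap_free(uintptr_t addr, size_t len)` and closing `}` lines carry trailing whitespace. The change itself (KM_SLEEP allocations supplied through thmap_ops instead of the default allocator) is straightforward; a one-line comment stating which contexts call thmap_put on this map, and hence why sleeping is acceptable, would tie it back to the PR.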


CVS commit: src/sys/net/npf

2022-04-28 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Apr 28 15:43:51 UTC 2022

Modified Files:
src/sys/net/npf: npf_params.c

Log Message:
Temporary hack to make PR 56802 (when it happens) tell us for sure that
it is caused by KM_NOSLEEP memory allocation failure.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_params.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_params.c
diff -u src/sys/net/npf/npf_params.c:1.3 src/sys/net/npf/npf_params.c:1.4
--- src/sys/net/npf/npf_params.c:1.3	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_params.c	Thu Apr 28 15:43:51 2022
@@ -26,7 +26,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.3 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_params.c,v 1.4 2022/04/28 15:43:51 martin Exp $");
 
 #include 
 #include 
@@ -184,7 +184,9 @@ npf_param_register(npf_t *npf, npf_param
 		void *ret __diagused;
 
 		ret = thmap_put(pinfo->map, name, strlen(name), param);
-		KASSERT(ret == param);
+		KASSERTMSG(ret == param,
+		"parameter insertion failed: ret=%p, param=%p",
+		ret, param);
 
 		/* Assign the default value. */
 		KASSERT(param->default_val >= param->min);
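Review bot: the KASSERTMSG only prints the two pointers; since the purpose of this hack is to confirm a KM_NOSLEEP allocation failure inside thmap_put, the message would be more diagnostic if it also carried the parameter `name` (visible two lines above), so that a NULL ret (allocation failure) is distinguishable from a non-NULL, non-equal ret (an already registered key).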



CVS commit: src/sys/net/npf

2022-02-13 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Sun Feb 13 19:20:23 UTC 2022

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
npf(4): Use atomic_store_release and atomic_load_consume for conn_db.

...or atomic_load_relaxed, when npf->conn_lock is held, for the sake
of C11.

No need for store-before-load implied by membar_sync.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.33 src/sys/net/npf/npf_conn.c:1.34
--- src/sys/net/npf/npf_conn.c:1.33	Mon Jan 25 17:18:55 2021
+++ src/sys/net/npf/npf_conn.c	Sun Feb 13 19:20:23 2022
@@ -104,7 +104,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.33 2021/01/25 17:18:55 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.34 2022/02/13 19:20:23 riastradh Exp $");
 
 #include 
 #include 
@@ -221,8 +221,7 @@ npf_conn_load(npf_t *npf, npf_conndb_t *
 		KASSERT(atomic_load_relaxed(>conn_tracking)
 		== CONN_TRACKING_OFF);
 		odb = atomic_load_relaxed(>conn_db);
-		membar_sync();
-		atomic_store_relaxed(>conn_db, ndb);
+		atomic_store_release(>conn_db, ndb);
 	}
 	if (track) {
 		/* After this point lookups start flying in. */
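Review bot: replacing membar_sync() plus atomic_store_relaxed() with atomic_store_release() keeps the store-before-store ordering that publishes ndb after its initialization and drops only the store-before-load ordering, which nothing in this hunk depends on; the preceding atomic_load_relaxed of odb is fine under the CONN_TRACKING_OFF assertion just above it. Looks right.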
@@ -492,7 +491,7 @@ npf_conn_establish(npf_cache_t *npc, con
 	 * the connection later.
 	 */
 	mutex_enter(>c_lock);
-	conn_db = atomic_load_relaxed(>conn_db);
+	conn_db = atomic_load_consume(>conn_db);
 	if (!npf_conndb_insert(conn_db, fw, con, NPF_FLOW_FORW)) {
 		error = EISCONN;
 		goto err;
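Review bot: the commit message says atomic_load_relaxed is used where npf->conn_lock is held, but the lock taken on the line above is con->c_lock, not conn_lock, so atomic_load_consume is the correct choice here; it pairs with the atomic_store_release in npf_conn_load.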
@@ -597,7 +596,7 @@ npf_conn_setnat(const npf_cache_t *npc, 
 	}
 
 	/* Remove the "backwards" key. */
-	conn_db = atomic_load_relaxed(>conn_db);
+	conn_db = atomic_load_consume(>conn_db);
 	bk = npf_conn_getbackkey(con, con->c_alen);
 	ret = npf_conndb_remove(conn_db, bk);
 	KASSERT(ret == con);
@@ -762,7 +761,7 @@ npf_conn_remove(npf_conndb_t *cd, npf_co
 void
 npf_conn_worker(npf_t *npf)
 {
-	npf_conndb_t *conn_db = atomic_load_relaxed(>conn_db);
+	npf_conndb_t *conn_db = atomic_load_consume(>conn_db);
 	npf_conndb_gc(npf, conn_db, false, true);
 }
 



CVS commit: src/sys/net/npf

2022-02-13 Thread Taylor R Campbell
Module Name:    src
Committed By:   riastradh
Date:   Sun Feb 13 19:20:11 UTC 2022

Modified Files:
src/sys/net/npf: npf_conf.c npf_ifaddr.c

Log Message:
npf(4): Use atomic_store_release and atomic_load_consume for config.

...or atomic_load_relaxed, when the config is locked.  (Not necessary
to use atomic_* at all in NetBSD, but in C11 it will be cheaper to
say atomic_load_relaxed explicitly so an _Atomic-qualified object
doesn't cause the load to be surrounded by unnecessary membars.)

No need for store-before-load ordering here, so no need to
membar_sync.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_ifaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.17 src/sys/net/npf/npf_conf.c:1.18
--- src/sys/net/npf/npf_conf.c:1.17	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_conf.c	Sun Feb 13 19:20:11 2022
@@ -47,7 +47,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.17 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.18 2022/02/13 19:20:11 riastradh Exp $");
 
 #include 
 #include 
@@ -153,8 +153,7 @@ npf_config_load(npf_t *npf, npf_config_t
 	/*
 	 * Set the new config and release the lock.
 	 */
-	membar_sync();
-	atomic_store_relaxed(>config, nc);
+	atomic_store_release(>config, nc);
 	if (onc == NULL) {
 		/* Initial load, done. */
 		npf_ifmap_flush(npf);
@@ -247,7 +246,7 @@ npf_config_read_exit(npf_t *npf, int s)
 npf_ruleset_t *
 npf_config_ruleset(npf_t *npf)
 {
-	npf_config_t *config = atomic_load_relaxed(>config);
+	npf_config_t *config = atomic_load_consume(>config);
 	KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
 	return config->ruleset;
 }
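Review bot: the KASSERT accepts either the config lock or an EBR critical section, so this accessor runs both locked and unlocked; atomic_load_consume is therefore the right choice rather than the relaxed load the commit message allows for the locked-only case. The same applies to the three identical hunks that follow (npf_config_natset, npf_config_tableset, npf_default_pass).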
@@ -255,7 +254,7 @@ npf_config_ruleset(npf_t *npf)
 npf_ruleset_t *
 npf_config_natset(npf_t *npf)
 {
-	npf_config_t *config = atomic_load_relaxed(>config);
+	npf_config_t *config = atomic_load_consume(>config);
 	KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
 	return config->nat_ruleset;
 }
@@ -263,7 +262,7 @@ npf_config_natset(npf_t *npf)
 npf_tableset_t *
 npf_config_tableset(npf_t *npf)
 {
-	npf_config_t *config = atomic_load_relaxed(>config);
+	npf_config_t *config = atomic_load_consume(>config);
 	KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
 	return config->tableset;
 }
@@ -271,7 +270,7 @@ npf_config_tableset(npf_t *npf)
 bool
 npf_default_pass(npf_t *npf)
 {
-	npf_config_t *config = atomic_load_relaxed(>config);
+	npf_config_t *config = atomic_load_consume(>config);
 	KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
 	return config->default_pass;
 }

Index: src/sys/net/npf/npf_ifaddr.c
diff -u src/sys/net/npf/npf_ifaddr.c:1.7 src/sys/net/npf/npf_ifaddr.c:1.8
--- src/sys/net/npf/npf_ifaddr.c:1.7	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_ifaddr.c	Sun Feb 13 19:20:11 2022
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.7 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.8 2022/02/13 19:20:11 riastradh Exp $");
 
 #include 
 #include 
@@ -87,9 +87,11 @@ out:
 static void
 replace_ifnet_table(npf_t *npf, npf_table_t *newt)
 {
-	npf_tableset_t *ts = npf->config->tableset;
+	npf_tableset_t *ts = atomic_load_relaxed(>config)->tableset;
 	npf_table_t *oldt;
 
+	KASSERT(npf_config_locked_p(npf));
+
 	KERNEL_UNLOCK_ONE(NULL);
 
 	/*
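Review bot: the new KASSERT(npf_config_locked_p(npf)) is what justifies the atomic_load_relaxed of npf->config on the line before it, so put the assertion first; as written, the unlocked-looking load precedes the check that makes it valid, which reads backwards to anyone auditing the access.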



CVS commit: src/sys/net/npf

2019-09-30 Thread Mindaugas Rasiukevicius
Module Name:    src
Committed By:   rmind
Date:   Mon Sep 30 22:04:33 UTC 2019

Modified Files:
src/sys/net/npf: npf_if.c

Log Message:
npf_ifmap_copylogname: be more defensive.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_if.c
diff -u src/sys/net/npf/npf_if.c:1.11 src/sys/net/npf/npf_if.c:1.12
--- src/sys/net/npf/npf_if.c:1.11	Sun Sep 29 17:00:29 2019
+++ src/sys/net/npf/npf_if.c	Mon Sep 30 22:04:33 2019
@@ -56,7 +56,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.12 2019/09/30 22:04:33 rmind Exp $");
 
 #include 
 #include 
@@ -191,20 +191,22 @@ npf_ifmap_getid(npf_t *npf, const ifnet_
 }
 
 /*
- * This function is toxic; it can return garbage since we don't
- * lock, but it is only used temporarily and only for logging.
+ * npf_ifmap_copylogname: this function is toxic; it can return garbage
+ * as we don't lock, but it is only used temporarily and only for logging.
  */
 void
 npf_ifmap_copylogname(npf_t *npf, unsigned id, char *buf, size_t len)
 {
-	if (id != NPF_IFMAP_NOID) {
-		const unsigned i = NPF_IFMAP_ID2SLOT(npf, id);
-		npf_ifmap_t *ifmap = >ifmap[i];
+	const unsigned i = NPF_IFMAP_ID2SLOT(npf, id);
+
+	membar_consumer();
 
+	if (id != NPF_IFMAP_NOID && i < NPF_MAX_IFMAP) {
 		/*
 		 * Lock-free access is safe as there is an extra byte
 		 * with a permanent NUL terminator at the end.
 		 */
+		const npf_ifmap_t *ifmap = >ifmap[i];
 		strlcpy(buf, ifmap->ifname, MIN(len, IFNAMSIZ));
 	} else {
 		strlcpy(buf, "???", len);
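Review bot: in npf_ifmap_copylogname() the slot index `i` is now computed from `id` before the `id != NPF_IFMAP_NOID` test, so for `id == 0` or `id <= ifmap_off` the `NPF_IFMAP_ID2SLOT` subtraction wraps and it is solely the `i < NPF_MAX_IFMAP` check that keeps `ifmap[i]` in bounds; a short comment saying the bound check is the real guard would stop someone "simplifying" it away. The added membar_consumer() also has no comment naming the producer-side barrier it pairs with (the one ordering the ifname store against the ID publication); without that, the barrier reads as cargo cult and is easy to drop later.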



CVS commit: src/sys/net/npf

2019-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 17:00:29 UTC 2019

Modified Files:
src/sys/net/npf: npf_conn.c npf_if.c npf_impl.h npf_ruleset.c

Log Message:
NPF ifmap: rework and fix a few small bugs.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_if.c
cvs rdiff -u -r1.79 -r1.80 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.29 src/sys/net/npf/npf_conn.c:1.30
--- src/sys/net/npf/npf_conn.c:1.29	Tue Aug  6 11:40:15 2019
+++ src/sys/net/npf/npf_conn.c	Sun Sep 29 17:00:29 2019
@@ -107,7 +107,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.29 2019/08/06 11:40:15 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.30 2019/09/29 17:00:29 rmind Exp $");
 
 #include 
 #include 
@@ -782,7 +782,8 @@ npf_conn_export(npf_t *npf, npf_conn_t *
 	nvlist_add_number(cdict, "flags", con->c_flags);
 	nvlist_add_number(cdict, "proto", con->c_proto);
 	if (con->c_ifid) {
-		const char *ifname = npf_ifmap_getname(npf, con->c_ifid);
+		char ifname[IFNAMSIZ];
+		npf_ifmap_copyname(npf, con->c_ifid, ifname, sizeof(ifname));
 		nvlist_add_string(cdict, "ifname", ifname);
 	}
 	nvlist_add_binary(cdict, "state", >c_state, sizeof(npf_state_t));

Index: src/sys/net/npf/npf_if.c
diff -u src/sys/net/npf/npf_if.c:1.10 src/sys/net/npf/npf_if.c:1.11
--- src/sys/net/npf/npf_if.c:1.10	Sun Aug 11 20:26:33 2019
+++ src/sys/net/npf/npf_if.c	Sun Sep 29 17:00:29 2019
@@ -1,4 +1,5 @@
 /*-
+ * Copyright (c) 2019 Mindaugas Rasiukevicius 
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
@@ -28,23 +29,34 @@
  */
 
 /*
- * NPF network interface handling module.
+ * NPF network interface handling.
  *
- * NPF uses its own interface IDs (npf-if-id).  When NPF configuration is
- * (re)loaded, each required interface name is registered and a matching
- * network interface gets an ID assigned.  If an interface is not present,
- * it gets an ID on attach.
+ * NPF uses its own interface IDs (npf-if-id).  These IDs start from 1.
+ * Zero is reserved to indicate "no interface" case or an interface of
+ * no interest (i.e. not registered).
  *
- * IDs start from 1.  Zero is reserved to indicate "no interface" case or
- * an interface of no interest (i.e. not registered).
+ * This module provides an interface to primarily handle the following:
  *
- * The IDs are mapped synchronously based on interface events which are
- * monitored using pfil(9) hooks.
+ * - Bind a symbolic interface name to NPF interface ID.
+ * - Associate NPF interface ID when the network interface is attached.
+ *
+ * When NPF configuration is (re)loaded, each referenced network interface
+ * name is registered with a unique ID.  If the network interface is already
+ * attached, then the ID is associated with it immediately; otherwise, IDs
+ * are associated/disassociated on interface events which are monitored
+ * using pfil(9) hooks.
+ *
+ * To avoid race conditions when an active NPF configuration is updated or
+ * interfaces are detached/attached, the interface names are never removed
+ * and therefore IDs are never re-assigned.  The only point when interface
+ * names and IDs are cleared is when the configuration is flushed.
+ *
+ * A linear counter is used for IDs.
  */
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.10 2019/08/11 20:26:33 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $");
 
 #include 
 #include 
@@ -55,9 +67,13 @@ __KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1
 #include "npf_impl.h"
 
 typedef struct npf_ifmap {
-	char		n_ifname[IFNAMSIZ];
+	char		ifname[IFNAMSIZ + 1];
 } npf_ifmap_t;
 
+#define	NPF_IFMAP_NOID			(0U)
+#define	NPF_IFMAP_SLOT2ID(npf, slot)	((npf)->ifmap_off + (slot) + 1)
+#define	NPF_IFMAP_ID2SLOT(npf, id)	((id) - (npf)->ifmap_off - 1)
+
 void
 npf_ifmap_init(npf_t *npf, const npf_ifops_t *ifops)
 {
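Review bot: `NPF_IFMAP_ID2SLOT(npf, id)` silently underflows for `id <= ifmap_off`, so every caller must bounds-check the result against NPF_MAX_IFMAP; spell that out in a comment next to the macro. Likewise the `ifname[IFNAMSIZ + 1]` widening deserves a one-line comment at the struct that the extra byte is the permanent NUL terminator the lock-free reader in npf_ifmap_copylogname() depends on, since the two are otherwise far apart.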
@@ -66,8 +82,10 @@ npf_ifmap_init(npf_t *npf, const npf_ifo
 	KASSERT(ifops != NULL);
 	ifops->flush((void *)(uintptr_t)0);
 
+	mutex_init(>ifmap_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 	npf->ifmap = kmem_zalloc(nbytes, KM_SLEEP);
 	npf->ifmap_cnt = 0;
+	npf->ifmap_off = 0;
 	npf->ifops = ifops;
 }
 
@@ -75,82 +93,101 @@ void
 npf_ifmap_fini(npf_t *npf)
 {
 	const size_t nbytes = sizeof(npf_ifmap_t) * NPF_MAX_IFMAP;
+	mutex_destroy(>ifmap_lock);
 	kmem_free(npf->ifmap, nbytes);
 }
 
-static u_int
-npf_ifmap_new(npf_t *npf)
-{
-	KASSERT(npf_config_locked_p(npf));
-
-	for (u_int i = 0; i < npf->ifmap_cnt; i++)
-		if (npf->ifmap[i].n_ifname[0] == '\0')
-			return i + 1;
-
-	if (npf->ifmap_cnt == NPF_MAX_IFMAP) {
-		printf("npf_ifmap_new: out of slots; bump NPF_MAX_IFMAP\n");
-		
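Review bot: removing the slot-reuse loop from npf_ifmap_new() (the scan for `n_ifname[0] == '\0'` that returned `i + 1`) matches the new header comment that IDs are never re-assigned until a flush, but the replacement allocation path is cut off in this hunk; make sure the "out of slots; bump NPF_MAX_IFMAP" case still fails the configuration load rather than just printing, because a missing interface ID silently turns an interface-specific rule into a non-matching one.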

CVS commit: src/sys/net/npf

2019-09-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Sep 26 18:44:45 UTC 2019

Modified Files:
src/sys/net/npf: npf_mbuf.c

Log Message:
Cast m_mbuflen() result to "size_t". It could also be "u_int" since it is
assigned to "u_int", but all the other "standalone" equivalent functions return
"size_t".


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.22 src/sys/net/npf/npf_mbuf.c:1.23
--- src/sys/net/npf/npf_mbuf.c:1.22	Thu Nov 15 05:23:56 2018
+++ src/sys/net/npf/npf_mbuf.c	Thu Sep 26 14:44:45 2019
@@ -36,7 +36,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.22 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.23 2019/09/26 18:44:45 christos Exp $");
 
 #include 
 #include 
@@ -62,7 +62,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v
 #define	m_flags_p(m,f)		true
 #else
 #define	m_next_ptr(m)		(m)->m_next
-#define	m_buflen(m)		(m)->m_len
+#define	m_buflen(m)		((size_t)(m)->m_len)
 #define	m_flags_p(m,f)		(((m)->m_flags & (f)) != 0)
 #endif
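Review bot: casting `(m)->m_len` to size_t in m_buflen() only silences the sign-compare warning; `m_len` is a signed int, so a negative value (a corrupted chain) becomes a huge size_t instead of tripping a comparison. If the intent is that m_len is never negative here, a KASSERT in the callers that consume m_buflen() would make that invariant explicit.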
 



CVS commit: src/sys/net/npf

2019-08-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 17:38:25 UTC 2019

Modified Files:
src/sys/net/npf: npf_ctl.c npf_impl.h npf_os.c

Log Message:
Make npfctl_switch() and pfil private to OS-specific module.


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.78 -r1.79 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_os.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.57 src/sys/net/npf/npf_ctl.c:1.58
--- src/sys/net/npf/npf_ctl.c:1.57	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_ctl.c	Sun Aug 25 17:38:25 2019
@@ -36,7 +36,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.57 2019/08/25 13:21:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.58 2019/08/25 17:38:25 rmind Exp $");
 
 #include 
 #include 
@@ -53,28 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 
 	nvlist_add_string((e), "source-file", __FILE__); \
 	nvlist_add_number((e), "source-line", __LINE__);
 
-#ifdef _KERNEL
-/*
- * npfctl_switch: enable or disable packet inspection.
- */
-int
-npfctl_switch(void *data)
-{
-	const bool onoff = *(int *)data ? true : false;
-	int error;
-
-	if (onoff) {
-		/* Enable: add pfil hooks. */
-		error = npf_pfil_register(false);
-	} else {
-		/* Disable: remove pfil hooks. */
-		npf_pfil_unregister(false);
-		error = 0;
-	}
-	return error;
-}
-#endif
-
 static int
 npf_nvlist_copyin(npf_t *npf, void *data, nvlist_t **nvl)
 {
@@ -731,7 +709,7 @@ npfctl_save(npf_t *npf, u_long cmd, void
 	if (error) {
 		goto out;
 	}
-	nvlist_add_bool(npf_dict, "active", npf_pfil_registered_p());
+	nvlist_add_bool(npf_dict, "active", npf_active_p());
 	error = npf_nvlist_copyout(npf, data, npf_dict);
 	npf_dict = NULL;
 out:

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.78 src/sys/net/npf/npf_impl.h:1.79
--- src/sys/net/npf/npf_impl.h:1.78	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_impl.h	Sun Aug 25 17:38:25 2019
@@ -289,6 +289,7 @@ npf_ruleset_t *	npf_config_ruleset(npf_t
 npf_ruleset_t *	npf_config_natset(npf_t *npf);
 npf_tableset_t *npf_config_tableset(npf_t *npf);
 bool		npf_default_pass(npf_t *);
+bool		npf_active_p(void);
 
 int		npf_worker_sysinit(unsigned);
 void		npf_worker_sysfini(void);
@@ -296,8 +297,6 @@ void		npf_worker_signal(npf_t *);
 void		npf_worker_register(npf_t *, npf_workfunc_t);
 void		npf_worker_unregister(npf_t *, npf_workfunc_t);
 
-int		npfctl_switch(void *);
-int		npfctl_reload(u_long, void *);
 int		npfctl_save(npf_t *, u_long, void *);
 int		npfctl_load(npf_t *, u_long, void *);
 int		npfctl_rule(npf_t *, u_long, void *);
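Review bot: this hunk drops the prototype for npfctl_reload() together with npfctl_switch(), but the log message only mentions npfctl_switch(); if npfctl_reload() no longer has a definition anywhere, say so in the commit message, and if it still exists as a static in npf_os.c it should be declared there like the two pfil functions in the npf_os.c hunk.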
@@ -327,11 +326,6 @@ void		npf_ifaddr_sync(npf_t *, ifnet_t *
 void		npf_ifaddr_flush(npf_t *, ifnet_t *);
 void		npf_ifaddr_syncall(npf_t *);
 
-/* Packet filter hooks. */
-int		npf_pfil_register(bool);
-void		npf_pfil_unregister(bool);
-bool		npf_pfil_registered_p(void);
-
 /* Protocol helpers. */
 int		npf_cache_all(npf_cache_t *);
 void		npf_recache(npf_cache_t *);

Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.16 src/sys/net/npf/npf_os.c:1.17
--- src/sys/net/npf/npf_os.c:1.16	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_os.c	Sun Aug 25 17:38:25 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.16 2019/08/25 13:21:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.17 2019/08/25 17:38:25 rmind Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pf.h"
@@ -84,6 +84,9 @@ MODULE(MODULE_CLASS_MISC, npf, "bpf");
 MODULE(MODULE_CLASS_DRIVER, npf, "bpf");
 #endif
 
+static int	npf_pfil_register(bool);
+static void	npf_pfil_unregister(bool);
+
 static int	npf_dev_open(dev_t, int, int, lwp_t *);
 static int	npf_dev_close(dev_t, int, int, lwp_t *);
 static int	npf_dev_ioctl(dev_t, u_long, void *, int, lwp_t *);
@@ -226,6 +229,26 @@ npf_stats_export(npf_t *npf, void *data)
 	return error;
 }
 
+/*
+ * npfctl_switch: enable or disable packet inspection.
+ */
+static int
+npfctl_switch(void *data)
+{
+	const bool onoff = *(int *)data ? true : false;
+	int error;
+
+	if (onoff) {
+		/* Enable: add pfil hooks. */
+		error = npf_pfil_register(false);
+	} else {
+		/* Disable: remove pfil hooks. */
+		npf_pfil_unregister(false);
+		error = 0;
+	}
+	return error;
+}
+
 static int
 npf_dev_ioctl(dev_t dev, u_long cmd, void *data, int flag, lwp_t *l)
 {
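Review bot: `*(int *)data ? true : false` in the moved npfctl_switch() is just `*(int *)data != 0`; more usefully, `data` arrives straight from the ioctl argument, so a comment stating which ioctl command delivers it and that it is an `int` would document the only ABI contract this now-static function has.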
@@ -290,7 +313,7 @@ bool
 npf_autounload_p(void)
 {
 	npf_t *npf = npf_getkernctx();
-	return !npf_pfil_registered_p() && npf_default_pass(npf);
+	return !npf_active_p() && npf_default_pass(npf);
 }
 
 /*
@@ -394,7 +417,7 @@ npf_ifaddrhook(void *arg, u_long cmd, vo
 /*
  * npf_pfil_register: register pfil(9) hooks.
  */
-int
+static int
 npf_pfil_register(bool init)
 {
 	npf_t *npf = npf_getkernctx();
@@ -463,7 +486,7 @@ out:
 /*
  * npf_pfil_unregister: 


Re: CVS commit: src/sys/net/npf

2019-08-06 Thread Maxime Villard

Le 06/08/2019 à 12:31, Christos Zoulas a écrit :

I did not see any messages about it, and the fix is fine until rmind comes up 
with something better.


Yes turns out it was an off-list email


It is not nice to have HEAD unusable for 2 weeks now (since July 22nd).


Given your second commit, I should understand that rmind is ok with this
change right?


christos


On Aug 6, 2019, at 1:26 PM, Maxime Villard  wrote:

Le 06/08/2019 à 12:25, Christos Zoulas a écrit :

Module Name:src
Committed By:   christos
Date:   Tue Aug  6 10:25:13 UTC 2019
Modified Files:
src/sys/net/npf: npf_conn.c
Log Message:
Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.
To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Rmind said he had a fix and was testing it. Please revert this.




Re: CVS commit: src/sys/net/npf

2019-08-06 Thread Christos Zoulas
Yes, rmind asked me to commit the change in private email.

christos

> On Aug 6, 2019, at 3:59 PM, Maxime Villard  wrote:
> 
> Le 06/08/2019 à 12:31, Christos Zoulas a écrit :
>> I did not see any messages about it, and the fix is fine until rmind comes 
>> up with something better.
> 
> Yes turns out it was an off-list email
> 
>> It is not nice to have HEAD unusable for 2 weeks now (since July 22nd).
> 
> Given your second commit, I should understand that rmind is ok with this
> change right?
> 
>> christos
>>> On Aug 6, 2019, at 1:26 PM, Maxime Villard  wrote:
>>> 
>>> Le 06/08/2019 à 12:25, Christos Zoulas a écrit :
 Module Name:   src
 Committed By:  christos
 Date:  Tue Aug  6 10:25:13 UTC 2019
 Modified Files:
src/sys/net/npf: npf_conn.c
 Log Message:
 Introduce an npf_conn_destroy_idx() that can handle partially constructed
 conn structures.
 To generate a diff of this commit:
 cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
>>> 
>>> Rmind said he had a fix and was testing it. Please revert this.



CVS commit: src/sys/net/npf

2019-08-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Aug  6 11:40:15 UTC 2019

Modified Files:
src/sys/net/npf: npf.c npf_conn.c npf_conn.h

Log Message:
- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf.c
cvs rdiff -u -r1.28 -r1.29 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_conn.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.c
diff -u src/sys/net/npf/npf.c:1.38 src/sys/net/npf/npf.c:1.39
--- src/sys/net/npf/npf.c:1.38	Mon Jul 22 20:52:01 2019
+++ src/sys/net/npf/npf.c	Tue Aug  6 07:40:15 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.39 2019/08/06 11:40:15 christos Exp $");
 
 #include 
 #include 
@@ -79,13 +79,17 @@ npf_create(int flags, const npf_mbufops_
 	npf_param_init(npf);
 	npf_state_sysinit(npf);
 	npf_ifmap_init(npf, ifops);
-	npf_conn_init(npf, flags);
+	npf_conn_init(npf);
 	npf_portmap_init(npf);
 	npf_alg_init(npf);
 	npf_ext_init(npf);
 
 	/* Load an empty configuration. */
 	npf_config_init(npf);
+
+	if ((flags & NPF_NO_GC) == 0) {
+		npf_worker_register(npf, npf_conn_worker);
+	}
 	return npf;
 }
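Review bot: moving npf_worker_register() after npf_config_init() is what closes the G/C race from the log message (the worker can no longer run against an npf_t without a configuration); add a one-line comment above the `if ((flags & NPF_NO_GC) == 0)` block stating that the worker must be registered last, so a future reordering of the init sequence does not silently reintroduce the race.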
 

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.28 src/sys/net/npf/npf_conn.c:1.29
--- src/sys/net/npf/npf_conn.c:1.28	Tue Aug  6 06:25:13 2019
+++ src/sys/net/npf/npf_conn.c	Tue Aug  6 07:40:15 2019
@@ -107,7 +107,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.28 2019/08/06 10:25:13 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.29 2019/08/06 11:40:15 christos Exp $");
 
 #include 
 #include 
@@ -143,14 +143,13 @@ CTASSERT(PFIL_ALL == (0x001 | 0x002));
 enum { CONN_TRACKING_OFF, CONN_TRACKING_ON };
 
 static nvlist_t *npf_conn_export(npf_t *, npf_conn_t *);
-static void npf_conn_destroy_idx(npf_t *, npf_conn_t *, unsigned);
 
 /*
  * npf_conn_sys{init,fini}: initialise/destroy connection tracking.
  */
 
 void
-npf_conn_init(npf_t *npf, int flags)
+npf_conn_init(npf_t *npf)
 {
 	npf->conn_cache[0] = pool_cache_init(
 	offsetof(npf_conn_t, c_keys[NPF_CONNKEY_V4WORDS * 2]),
@@ -162,10 +161,6 @@ npf_conn_init(npf_t *npf, int flags)
 	mutex_init(>conn_lock, MUTEX_DEFAULT, IPL_NONE);
 	npf->conn_tracking = CONN_TRACKING_OFF;
 	npf->conn_db = npf_conndb_create();
-
-	if ((flags & NPF_NO_GC) == 0) {
-		npf_worker_register(npf, npf_conn_worker);
-	}
 	npf_conndb_sysinit(npf);
 }
 
@@ -430,10 +425,11 @@ npf_conn_establish(npf_cache_t *npc, int
 
 	con->c_proto = npc->npc_proto;
 	CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto));
+	con->c_alen = alen;
 
 	/* Initialize the protocol state. */
 	if (!npf_state_init(npc, >c_state)) {
-		npf_conn_destroy_idx(npf, con, idx);
+		npf_conn_destroy(npf, con);
 		return NULL;
 	}
 	KASSERT(npf_iscached(npc, NPC_IP46));
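Review bot: the `con->c_alen = alen` assignment must stay above the first `npf_conn_destroy(npf, con)` call, because npf_conn_destroy() now derives the pool cache index from `c_alen` instead of from the (not yet initialised) forward key; a comment on that line saying "needed by npf_conn_destroy() on the error paths below" would protect the ordering.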
@@ -447,7 +443,7 @@ npf_conn_establish(npf_cache_t *npc, int
 	 */
 	if (!npf_conn_conkey(npc, fw, true) ||
 	!npf_conn_conkey(npc, bk, false)) {
-		npf_conn_destroy_idx(npf, con, idx);
+		npf_conn_destroy(npf, con);
 		return NULL;
 	}
 	con->c_ifid = global ? nbuf->nb_ifid : 0;
@@ -500,14 +496,8 @@ err:
 void
 npf_conn_destroy(npf_t *npf, npf_conn_t *con)
 {
-	const npf_connkey_t *key = npf_conn_getforwkey(con);
-	const unsigned alen = NPF_CONNKEY_ALEN(key);
-	npf_conn_destroy_idx(npf, con, NPF_CONNCACHE(alen));
-}
+	const unsigned idx __unused = NPF_CONNCACHE(con->c_alen);
 
-static void
-npf_conn_destroy_idx(npf_t *npf, npf_conn_t *con, unsigned idx)
-{
 	KASSERT(con->c_refcnt == 0);
 
 	if (con->c_nat) {
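Review bot: `idx` in npf_conn_destroy() is marked `__unused` even though it is computed from `con->c_alen` for every call; if it only feeds a KASSERT or pool_cache_put() under DIAGNOSTIC, a comment to that effect avoids the reader assuming a dead computation. This is also the point where the earlier key-derived lookup disappeared, so the partially-constructed-connection bug from the log is fixed here and npf_conn_destroy_idx() is no longer needed.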
@@ -799,6 +789,7 @@ npf_conn_export(npf_t *npf, npf_conn_t *
 
 	fw = npf_conn_getforwkey(con);
 	alen = NPF_CONNKEY_ALEN(fw);
+	KASSERT(alen == con->c_alen);
 	bk = npf_conn_getbackkey(con, alen);
 
 	kdict = npf_connkey_export(fw);
@@ -899,7 +890,7 @@ npf_conn_import(npf_t *npf, npf_conndb_t
 	npf_conndb_enqueue(cd, con);
 	return 0;
 err:
-	npf_conn_destroy_idx(npf, con, idx);
+	npf_conn_destroy(npf, con);
 	return EINVAL;
 }
 

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.16 src/sys/net/npf/npf_conn.h:1.17
--- src/sys/net/npf/npf_conn.h:1.16	Mon Jul 22 20:52:01 2019
+++ src/sys/net/npf/npf_conn.h	Tue Aug  6 07:40:15 2019
@@ -50,7 +50,8 @@ struct npf_conn {
 	 * Protocol, address length, the interface ID (if zero,
 	 * then the state is global) and connection flags.
 	 */
-	unsigned		c_proto;
+	uint16_t		c_proto;
+	uint16_t		c_alen;
 	unsigned		c_ifid;
 	unsigned		c_flags;
 
@@ -123,7 +124,7 @@ void		npf_connkey_print(const npf_connke
 /*
  * Connection tracking interface.
  */
-void		npf_conn_init(npf_t *, int);
+void		npf_conn_init(npf_t *);
 void		npf_conn_fini(npf_t 

Re: CVS commit: src/sys/net/npf

2019-08-06 Thread Christos Zoulas
I did not see any messages about it, and the fix is fine until rmind comes up 
with something better.
It is not nice to have HEAD unusable for 2 weeks now (since July 22nd).

christos

> On Aug 6, 2019, at 1:26 PM, Maxime Villard  wrote:
> 
> Le 06/08/2019 à 12:25, Christos Zoulas a écrit :
>> Module Name: src
>> Committed By:christos
>> Date:Tue Aug  6 10:25:13 UTC 2019
>> Modified Files:
>>  src/sys/net/npf: npf_conn.c
>> Log Message:
>> Introduce an npf_conn_destroy_idx() that can handle partially constructed
>> conn structures.
>> To generate a diff of this commit:
>> cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c
>> Please note that diffs are not public domain; they are subject to the
>> copyright notices on the relevant files.
> 
> Rmind said he had a fix and was testing it. Please revert this.



Re: CVS commit: src/sys/net/npf

2019-08-06 Thread Maxime Villard

Le 06/08/2019 à 12:25, Christos Zoulas a écrit :

Module Name:src
Committed By:   christos
Date:   Tue Aug  6 10:25:13 UTC 2019

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Rmind said he had a fix and was testing it. Please revert this.


CVS commit: src/sys/net/npf

2019-08-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Aug  6 10:25:13 UTC 2019

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.27 src/sys/net/npf/npf_conn.c:1.28
--- src/sys/net/npf/npf_conn.c:1.27	Mon Jul 22 20:52:01 2019
+++ src/sys/net/npf/npf_conn.c	Tue Aug  6 06:25:13 2019
@@ -107,7 +107,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.27 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.28 2019/08/06 10:25:13 christos Exp $");
 
 #include 
 #include 
@@ -143,6 +143,7 @@ CTASSERT(PFIL_ALL == (0x001 | 0x002));
 enum { CONN_TRACKING_OFF, CONN_TRACKING_ON };
 
 static nvlist_t *npf_conn_export(npf_t *, npf_conn_t *);
+static void npf_conn_destroy_idx(npf_t *, npf_conn_t *, unsigned);
 
 /*
  * npf_conn_sys{init,fini}: initialise/destroy connection tracking.
@@ -432,7 +433,7 @@ npf_conn_establish(npf_cache_t *npc, int
 
 	/* Initialize the protocol state. */
 	if (!npf_state_init(npc, >c_state)) {
-		npf_conn_destroy(npf, con);
+		npf_conn_destroy_idx(npf, con, idx);
 		return NULL;
 	}
 	KASSERT(npf_iscached(npc, NPC_IP46));
@@ -446,7 +447,7 @@ npf_conn_establish(npf_cache_t *npc, int
 	 */
 	if (!npf_conn_conkey(npc, fw, true) ||
 	!npf_conn_conkey(npc, bk, false)) {
-		npf_conn_destroy(npf, con);
+		npf_conn_destroy_idx(npf, con, idx);
 		return NULL;
 	}
 	con->c_ifid = global ? nbuf->nb_ifid : 0;
@@ -501,8 +502,12 @@ npf_conn_destroy(npf_t *npf, npf_conn_t 
 {
 	const npf_connkey_t *key = npf_conn_getforwkey(con);
 	const unsigned alen = NPF_CONNKEY_ALEN(key);
-	const unsigned idx __unused = NPF_CONNCACHE(alen);
+	npf_conn_destroy_idx(npf, con, NPF_CONNCACHE(alen));
+}
 
+static void
+npf_conn_destroy_idx(npf_t *npf, npf_conn_t *con, unsigned idx)
+{
 	KASSERT(con->c_refcnt == 0);
 
 	if (con->c_nat) {
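Review bot: npf_conn_destroy() still derives the cache index from npf_conn_getforwkey(con), which is exactly the field that is not yet valid on the error paths now routed through npf_conn_destroy_idx(); any other caller that reaches npf_conn_destroy() with a half-built connection keeps the original hazard. Recording the address length in the connection itself (rather than threading `idx` through a second entry point) would let both paths share one destroy routine.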
@@ -894,7 +899,7 @@ npf_conn_import(npf_t *npf, npf_conndb_t
 	npf_conndb_enqueue(cd, con);
 	return 0;
 err:
-	npf_conn_destroy(npf, con);
+	npf_conn_destroy_idx(npf, con, idx);
 	return EINVAL;
 }
 



CVS commit: src/sys/net/npf

2019-07-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 01:00:28 UTC 2019

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
npf_portmap_flush: remove invalid assert (this routine can be called via
the npf_destroy() path where the constraint is not applicable).


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npf_portmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_portmap.c
diff -u src/sys/net/npf/npf_portmap.c:1.2 src/sys/net/npf/npf_portmap.c:1.3
--- src/sys/net/npf/npf_portmap.c:1.2	Tue Jul 23 08:25:52 2019
+++ src/sys/net/npf/npf_portmap.c	Thu Jul 25 01:00:28 2019
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.3 2019/07/25 01:00:28 rmind Exp $");
 
 #include 
 #include 
@@ -461,8 +461,6 @@ npf_portmap_flush(npf_t *npf)
 	npf_portmap_t *pm = npf->portmap;
 	bitmap_t *bm;
 
-	KASSERT(npf_config_locked_p(npf));
-
 	while ((bm = LIST_FIRST(>bitmap_list)) != NULL) {
 		for (unsigned i = 0; i < PORTMAP_L0_WORDS; i++) {
 			uintptr_t bm1 = bm->bits0[i];
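Review bot: dropping the `KASSERT(npf_config_locked_p(npf))` from npf_portmap_flush() removes the only statement of what serialises callers; replace it with a comment saying that the routine is reached either under the config lock or from npf_destroy() when no other thread can touch the portmap, so the next reader does not have to rediscover the constraint.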



CVS commit: src/sys/net/npf

2019-07-23 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Jul 23 08:25:52 UTC 2019

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
NPF portmap: add a workaround for archs without 64-bit CAS.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_portmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_portmap.c
diff -u src/sys/net/npf/npf_portmap.c:1.1 src/sys/net/npf/npf_portmap.c:1.2
--- src/sys/net/npf/npf_portmap.c:1.1	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_portmap.c	Tue Jul 23 08:25:52 2019
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.1 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $");
 
 #include 
 #include 
@@ -106,6 +106,8 @@ typedef struct {
 	int		max_port;
 } npf_portmap_params_t;
 
+static kmutex_t			portmap_lock;
+
 void
 npf_portmap_init(npf_t *npf)
 {
@@ -130,6 +132,8 @@ npf_portmap_init(npf_t *npf)
 	npf->portmap = kmem_zalloc(sizeof(npf_portmap_t), KM_SLEEP);
 	mutex_init(>portmap->list_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 	npf->portmap->addr_map = thmap_create(0, NULL, THMAP_NOCOPY);
+
+	mutex_init(_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 }
 
 void
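Review bot: `portmap_lock` is a file-scope static, but it is mutex_init()'d in npf_portmap_init() and mutex_destroy()'d in npf_portmap_fini(), which are per-npf_t routines; with more than one npf instance the second init re-initialises a live lock and the first fini destroys a lock the other instance still uses. Either make the lock a member of npf_portmap_t or initialise it once at module attach.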
@@ -146,10 +150,31 @@ npf_portmap_fini(npf_t *npf)
 	thmap_destroy(pm->addr_map);
 	mutex_destroy(>list_lock);
 	kmem_free(pm, sizeof(npf_portmap_t));
+
+	mutex_destroy(_lock);
 }
 
 /
 
+#if defined(_LP64)
+#define	__npf_atomic_cas_64	atomic_cas_64
+#else
+static uint64_t
+__npf_atomic_cas_64(volatile uint64_t *ptr, uint64_t old, uint64_t new)
+{
+	uint64_t prev;
+
+	mutex_enter(_lock);
+	prev = *ptr;
+	if (prev == old) {
+		*ptr = new;
+	}
+	mutex_exit(_lock);
+
+	return prev;
+}
+#endif
+
 /*
  * bitmap_word_isset: test whether the bit value is in the packed array.
  *
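Review bot: the `__npf_atomic_cas_64` fallback only makes the compare-and-swap itself atomic; the plain 64-bit loads of `bits0[i]`/`bits1[i]` that produce `bval` and `oval` before each CAS are not atomic on 32-bit architectures and can tear, so state whether the `goto again` retry tolerates a torn read (a torn value will simply fail the compare) or take `portmap_lock` around the load as well. Also, `#if defined(_LP64)` is a proxy for "has atomic_cas_64"; a 32-bit platform that does provide it will fall back to the slower mutex path, which is safe but worth noting in the comment.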
@@ -283,7 +308,7 @@ again:
 		 */
 		if ((nval = bitmap_word_cax(bval, -1, chunk_bit)) != 0) {
 			KASSERT((nval & PORTMAP_L1_TAG) == 0);
-			if (atomic_cas_64(>bits0[i], bval, nval) != bval) {
+			if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) {
 goto again;
 			}
 			return true;
@@ -315,7 +340,7 @@ again:
 		bm1p = (uintptr_t)bm1;
 		KASSERT((bm1p & PORTMAP_L1_TAG) == 0);
 		bm1p |= PORTMAP_L1_TAG;
-		if (atomic_cas_64(>bits0[i], bval, bm1p) != bval) {
+		if (__npf_atomic_cas_64(>bits0[i], bval, bm1p) != bval) {
 			kmem_intr_free(bm1, sizeof(bitmap_l1_t));
 			goto again;
 		}
@@ -332,7 +357,7 @@ again:
 		return false;
 	}
 	nval = oval | b;
-	if (atomic_cas_64(>bits1[i], oval, nval) != oval) {
+	if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) {
 		goto again;
 	}
 	return true;
@@ -356,7 +381,7 @@ again:
 		}
 		nval = bitmap_word_cax(bval, chunk_bit, chunk_bit);
 		KASSERT((nval & PORTMAP_L1_TAG) == 0);
-		if (atomic_cas_64(>bits0[i], bval, nval) != bval) {
+		if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) {
 			goto again;
 		}
 		return true;
@@ -372,7 +397,7 @@ again:
 		return false;
 	}
 	nval = oval & ~b;
-	if (atomic_cas_64(>bits1[i], oval, nval) != oval) {
+	if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) {
 		goto again;
 	}
 	return true;



CVS commit: src/sys/net/npf

2019-06-20 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Jun 20 17:12:37 UTC 2019

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
Add error checking for previous memory allocation failure.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.31 src/sys/net/npf/npf_tableset.c:1.32
--- src/sys/net/npf/npf_tableset.c:1.31	Thu Jun 20 13:08:52 2019
+++ src/sys/net/npf/npf_tableset.c	Thu Jun 20 13:12:37 2019
@@ -39,7 +39,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.31 2019/06/20 17:08:52 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.32 2019/06/20 17:12:37 christos Exp $");
 
 #include 
 #include 
@@ -495,7 +495,7 @@ table_cidr_check(int alen, const npf_add
 	return 0;
 }
 
-static void
+static int
 table_ifaddr_insert(npf_table_t *t, const int alen, npf_tblent_t *ent)
 {
 	const unsigned aidx = NPF_ADDRLEN2IDX(alen);
@@ -514,6 +514,9 @@ table_ifaddr_insert(npf_table_t *t, cons
 		newsize = toalloc * sizeof(npf_tblent_t *);
 
 		elements = kmem_zalloc(newsize, KM_NOSLEEP);
+		if (elements == NULL) {
+			return ENOMEM;
+		}
 		for (unsigned i = 0; i < used; i++) {
 			elements[i] = old_elements[i];
 		}
@@ -527,6 +530,7 @@ table_ifaddr_insert(npf_table_t *t, cons
 	}
 	t->t_elements[aidx][used] = ent;
 	t->t_used[aidx]++;
+	return 0;
 }
 
 /*
@@ -590,7 +594,9 @@ npf_table_insert(npf_table_t *t, const i
 		error = EINVAL;
 		break;
 	case NPF_TABLE_IFADDR:
-		table_ifaddr_insert(t, alen, ent);
+		if ((error = table_ifaddr_insert(t, alen, ent)) != 0) {
+			break;
+		}
 		LIST_INSERT_HEAD(>t_list, ent, te_listent);
 		t->t_nitems++;
 		break;
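Review bot: with `table_ifaddr_insert` now able to fail, `break`-ing out of the switch with `error` set leaves `ent`, which has already been allocated and populated by this point, to be released by whatever follows the switch; that epilogue is outside this hunk, so either confirm the existing post-switch path frees `ent` whenever `error != 0`, or free it here before the `break` so the ENOMEM path does not leak the entry.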



CVS commit: src/sys/net/npf

2019-06-20 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Jun 20 17:08:52 UTC 2019

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
PR/54314: Frank Kardel: LOCKDEBUG: Mutex error: assert_sleepable,70:
spin lock held when loading NPF


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.30 src/sys/net/npf/npf_tableset.c:1.31
--- src/sys/net/npf/npf_tableset.c:1.30	Wed Jun 12 10:36:32 2019
+++ src/sys/net/npf/npf_tableset.c	Thu Jun 20 13:08:52 2019
@@ -39,7 +39,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.30 2019/06/12 14:36:32 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.31 2019/06/20 17:08:52 christos Exp $");
 
 #include 
 #include 
@@ -513,7 +513,7 @@ table_ifaddr_insert(npf_table_t *t, cons
 		toalloc = roundup2(allocated + 1, NPF_IFADDR_STEP);
 		newsize = toalloc * sizeof(npf_tblent_t *);
 
-		elements = kmem_zalloc(newsize, KM_SLEEP);
+		elements = kmem_zalloc(newsize, KM_NOSLEEP);
 		for (unsigned i = 0; i < used; i++) {
 			elements[i] = old_elements[i];
 		}
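Review bot: switching this allocation to `KM_NOSLEEP` is required once `t_lock` is a spin mutex, but `kmem_zalloc(..., KM_NOSLEEP)` can return NULL and the very next statement (`for (unsigned i = 0; i < used; i++) { elements[i] = old_elements[i];`) stores through the result unchecked, so this trades the LOCKDEBUG assertion for a NULL dereference under memory pressure. Add an `if (elements == NULL)` check and propagate ENOMEM; since `table_ifaddr_insert` currently returns `void`, its signature and its caller in `npf_table_insert` need to change with it.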



CVS commit: src/sys/net/npf

2019-06-12 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jun 12 14:36:32 UTC 2019

Modified Files:
src/sys/net/npf: lpm.c lpm.h npf_tableset.c

Log Message:
Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from

http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:

Convert the mutex to spin-lock at IPL_NET (but it is excessive) and
convert the memory allocations in that code path to KM_NOSLEEP.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/lpm.c
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/lpm.h
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.5 src/sys/net/npf/lpm.c:1.6
--- src/sys/net/npf/lpm.c:1.5	Sat Sep 29 10:41:36 2018
+++ src/sys/net/npf/lpm.c	Wed Jun 12 10:36:32 2019
@@ -38,7 +38,7 @@
 
 #if defined(_KERNEL)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.5 2018/09/29 14:41:36 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.6 2019/06/12 14:36:32 christos Exp $");
 
 #include 
 #include 
@@ -90,6 +90,7 @@ typedef struct {
 
 struct lpm {
 	uint32_t	bitmask[LPM_MAX_WORDS];
+	int		flags;
 	void *		defvals[2];
 	lpm_hmap_t	prefix[LPM_MAX_PREFIX + 1];
 };
@@ -97,9 +98,11 @@ struct lpm {
 static const uint32_t zero_address[LPM_MAX_WORDS];
 
 lpm_t *
-lpm_create(void)
+lpm_create(int flags)
 {
-	return kmem_zalloc(sizeof(lpm_t), KM_SLEEP);
+	lpm_t *lpm = kmem_zalloc(sizeof(*lpm), KM_SLEEP);
+	lpm->flags = flags;
+	return lpm;
 }
 
 void
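Review bot: `lpm_create(int flags)` records `flags` for the later hash-map allocations but still allocates the `lpm_t` itself with `KM_SLEEP`, so a caller that passes `KM_NOSLEEP` because it must not sleep can still sleep in this call. The one caller in this patch (`t->t_lpm = lpm_create(KM_NOSLEEP);` in npf_tableset.c) already checks the result for NULL, so use the flags here as well, `kmem_zalloc(sizeof(*lpm), flags)`, and return NULL when the allocation fails.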
@@ -164,7 +167,7 @@ fnv1a_hash(const void *buf, size_t len)
 }
 
 static bool
-hashmap_rehash(lpm_hmap_t *hmap, unsigned size)
+hashmap_rehash(lpm_hmap_t *hmap, unsigned size, int flags)
 {
 	lpm_ent_t **bucket;
 	unsigned hashsize;
@@ -172,7 +175,9 @@ hashmap_rehash(lpm_hmap_t *hmap, unsigne
 	for (hashsize = 1; hashsize < size; hashsize <<= 1) {
 		continue;
 	}
-	bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), KM_SLEEP);
+	bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), flags);
+	if (bucket == NULL)
+		return false;
 	for (unsigned n = 0; n < hmap->hashsize; n++) {
 		lpm_ent_t *list = hmap->bucket[n];
 
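Review bot: the new NULL check is written without braces (`if (bucket == NULL)` / `return false;`) while the rest of this file brace-wraps single-statement bodies (compare `return NULL;` in the `hashmap_insert` hunk below); match the file style. Behaviourally the early return is fine: the old bucket array is untouched, so a failed rehash only makes the pending insert fail without losing existing entries.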
@@ -194,14 +199,14 @@ hashmap_rehash(lpm_hmap_t *hmap, unsigne
 }
 
 static lpm_ent_t *
-hashmap_insert(lpm_hmap_t *hmap, const void *key, size_t len)
+hashmap_insert(lpm_hmap_t *hmap, const void *key, size_t len, int flags)
 {
 	const unsigned target = hmap->nitems + LPM_HASH_STEP;
 	const size_t entlen = offsetof(lpm_ent_t, key[len]);
 	uint32_t hash, i;
 	lpm_ent_t *entry;
 
-	if (hmap->hashsize < target && !hashmap_rehash(hmap, target)) {
+	if (hmap->hashsize < target && !hashmap_rehash(hmap, target, flags)) {
 		return NULL;
 	}
 
@@ -215,7 +220,7 @@ hashmap_insert(lpm_hmap_t *hmap, const v
 		entry = entry->next;
 	}
 
-	if ((entry = kmem_alloc(entlen, KM_SLEEP)) != NULL) {
+	if ((entry = kmem_alloc(entlen, flags)) != NULL) {
 		memcpy(entry->key, key, len);
 		entry->next = hmap->bucket[i];
 		entry->len = len;
@@ -326,7 +331,7 @@ lpm_insert(lpm_t *lpm, const void *addr,
 		return 0;
 	}
 	compute_prefix(nwords, addr, preflen, prefix);
-	entry = hashmap_insert(>prefix[preflen], prefix, len);
+	entry = hashmap_insert(>prefix[preflen], prefix, len, lpm->flags);
 	if (entry) {
 		const unsigned n = --preflen >> 5;
 		lpm->bitmask[n] |= 0x8000U >> (preflen & 31);

Index: src/sys/net/npf/lpm.h
diff -u src/sys/net/npf/lpm.h:1.2 src/sys/net/npf/lpm.h:1.3
--- src/sys/net/npf/lpm.h:1.2	Sat Sep 29 10:41:36 2018
+++ src/sys/net/npf/lpm.h	Wed Jun 12 10:36:32 2019
@@ -32,7 +32,7 @@ __BEGIN_DECLS
 typedef struct lpm lpm_t;
 typedef void (*lpm_dtor_t)(void *, const void *, size_t, void *);
 
-lpm_t *		lpm_create(void);
+lpm_t *		lpm_create(int);
 void		lpm_destroy(lpm_t *);
 void		lpm_clear(lpm_t *, lpm_dtor_t, void *);
 
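Review bot: the new `int` parameter of `lpm_create` is undocumented; a reader of `lpm.h` alone cannot tell that it takes `KM_SLEEP`/`KM_NOSLEEP` and that it also governs the allocations performed later by `lpm_insert`. A short comment on the prototype would fix that.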

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.29 src/sys/net/npf/npf_tableset.c:1.30
--- src/sys/net/npf/npf_tableset.c:1.29	Sat Jan 19 16:19:32 2019
+++ src/sys/net/npf/npf_tableset.c	Wed Jun 12 10:36:32 2019
@@ -39,7 +39,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.29 2019/01/19 21:19:32 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.30 2019/06/12 14:36:32 christos Exp $");
 
 #include 
 #include 
@@ -365,7 +365,7 @@ npf_table_create(const char *name, u_int
 
 	switch (type) {
 	case NPF_TABLE_LPM:
-		t->t_lpm = lpm_create();
+		t->t_lpm = lpm_create(KM_NOSLEEP);
 		if (t->t_lpm == NULL) {
 			goto out;
 		}
@@ -398,7 +398,7 @@ npf_table_create(const char *name, u_int
 	default:
 		KASSERT(false);
 	}
-	mutex_init(>t_lock, MUTEX_DEFAULT, IPL_NONE);
+	mutex_init(>t_lock, MUTEX_DEFAULT, IPL_NET);
 	t->t_type = type;
 	t->t_id = tid;
 	return t;
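Review bot: turning `t_lock` into a spin mutex at IPL_NET means nothing that holds it may sleep, so every allocation reachable under it has to be `KM_NOSLEEP` and NULL-checked; this patch converts the LPM allocations, but `table_ifaddr_insert` in the same file still calls `kmem_zalloc(newsize, KM_SLEEP)` at this revision (it is only changed to `KM_NOSLEEP` in 1.31), so the LOCKDEBUG assertion this commit is meant to avoid remains reachable through that path. The commit message itself calls IPL_NET excessive; if the lock is only ever taken from softint and thread context, IPL_SOFTNET is the less intrusive level to block at.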



Re: CVS commit: src/sys/net/npf

2018-04-08 Thread Maxime Villard

On 07/04/2018 at 23:28, Christos Zoulas wrote:

In article <20180407090627.20058f...@cvs.netbsd.org>,
Maxime Villard  wrote:

-=-=-=-=-=-

Module Name:src
Committed By:   maxv
Date:   Sat Apr  7 09:06:27 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Rewrite npf_fetch_tcpopts:

* Instead of doing several nbuf_advance/nbuf_ensure_contig and
   playing with gotos, fetch the TCP options only once, and iterate over
   the (safe) area. The code is similar to tcp_dooptions.

* When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
   the one we're expecting. If it isn't, then skip the option. This
   wasn't done before, and not doing it allowed a packet to bypass the
   max-mss clamping procedure. Discussed on tech-net@.



This seems to break

cvs -d cvs.netbsd.org:/cvsroot diff, with write via ssh returning
ENETUNREACH.

christos


My bad (again).

Seems like the TCP code is getting me confused all the time.


Re: CVS commit: src/sys/net/npf

2018-04-07 Thread Christos Zoulas
In article <20180407090627.20058f...@cvs.netbsd.org>,
Maxime Villard  wrote:
>-=-=-=-=-=-
>
>Module Name:   src
>Committed By:  maxv
>Date:  Sat Apr  7 09:06:27 UTC 2018
>
>Modified Files:
>   src/sys/net/npf: npf_inet.c
>
>Log Message:
>Rewrite npf_fetch_tcpopts:
>
> * Instead of doing several nbuf_advance/nbuf_ensure_contig and
>   playing with gotos, fetch the TCP options only once, and iterate over
>   the (safe) area. The code is similar to tcp_dooptions.
>
> * When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
>   the one we're expecting. If it isn't, then skip the option. This
>   wasn't done before, and not doing it allowed a packet to bypass the
>   max-mss clamping procedure. Discussed on tech-net@.
>

This seems to break

cvs -d cvs.netbsd.org:/cvsroot diff, with write via ssh returning
ENETUNREACH.

christos


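The length rule in the commit message quoted above (interpret TCPOPT_MAXSEG and TCPOPT_WINDOW only when the option length is the one defined for them, otherwise skip the option), as an added C example. This is not NPF's `npf_fetch_tcpopts` and not code by either poster; the names `tcp_scan_opts`, `tcpopt_result`, `scan_sample` and `scan_truncated` are hypothetical, the option bytes are constructed, and the TCP checksum fix-up that a real in-packet MSS rewrite also needs is left to the caller.

```c
/*
 * Added example, not NPF's npf_fetch_tcpopts: one pass over the TCP options
 * area that checks the length of MAXSEG and WINDOW before using them, skips
 * them otherwise, and clamps MSS in place. All names (tcp_scan_opts,
 * tcpopt_result, scan_sample, scan_truncated) are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL	0
#define TCPOPT_NOP	1
#define TCPOPT_MAXSEG	2
#define TCPOLEN_MAXSEG	4
#define TCPOPT_WINDOW	3
#define TCPOLEN_WINDOW	3

struct tcpopt_result {
	bool     have_mss, have_wscale, clamped;
	bool     malformed;	/* stopped on a length that cannot be right */
	unsigned skipped;	/* MAXSEG/WINDOW ignored for wrong length */
	uint16_t mss;		/* MSS after clamping */
	uint8_t  wscale;
};

/*
 * opts/optlen: the options region, already known to be contiguous and inside
 * the packet. A MAXSEG or WINDOW option whose length is not the defined one is
 * skipped, not interpreted, as tcp_dooptions on the receiver does too.
 * maxmss == 0 disables clamping.
 */
static struct tcpopt_result
tcp_scan_opts(uint8_t *opts, size_t optlen, uint16_t maxmss)
{
	struct tcpopt_result r;
	size_t i = 0;

	memset(&r, 0, sizeof(r));
	while (i < optlen) {
		uint8_t kind = opts[i], len;

		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) {
			i++;
			continue;
		}
		/* Missing length byte, len < 2 (would never advance) or overrun. */
		if (i + 1 >= optlen || (len = opts[i + 1]) < 2 || i + len > optlen) {
			r.malformed = true;
			break;
		}
		if (kind == TCPOPT_MAXSEG && len == TCPOLEN_MAXSEG) {
			r.have_mss = true;
			r.mss = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
			if (maxmss != 0 && r.mss > maxmss) {
				r.mss = maxmss;
				opts[i + 2] = (uint8_t)(maxmss >> 8);
				opts[i + 3] = (uint8_t)(maxmss & 0xff);
				r.clamped = true;
			}
		} else if (kind == TCPOPT_WINDOW && len == TCPOLEN_WINDOW) {
			r.have_wscale = true;
			r.wscale = opts[i + 2];
		} else if (kind == TCPOPT_MAXSEG || kind == TCPOPT_WINDOW) {
			r.skipped++;	/* known kind, wrong length: skip it */
		}
		i += len;
	}
	return r;
}

/* Constructed options: MSS 1460, NOP, wscale 7, an MSS option with a wrong
 * length of 5, then EOL and padding. */
static const uint8_t sample_opts[] = {
	TCPOPT_MAXSEG, 4, 0x05, 0xb4, TCPOPT_NOP, TCPOPT_WINDOW, 3, 7,
	TCPOPT_MAXSEG, 5, 0x05, 0xb4, 0x00, TCPOPT_EOL, 0, 0,
};
static uint8_t sample_buf[sizeof(sample_opts)];

static struct tcpopt_result
scan_sample(uint16_t maxmss)
{
	memcpy(sample_buf, sample_opts, sizeof(sample_buf));
	return tcp_scan_opts(sample_buf, sizeof(sample_buf), maxmss);
}

/* Options area cut short: MAXSEG claims 4 bytes, only 3 are present. */
static struct tcpopt_result
scan_truncated(void)
{
	uint8_t buf[] = { TCPOPT_MAXSEG, 4, 0x05 };
	return tcp_scan_opts(buf, sizeof(buf), 0);
}

int
main(void)
{
	struct tcpopt_result r = scan_sample(1400);

	printf("mss=%u clamped=%d wscale=%u skipped=%u malformed=%d truncated=%d\n",
	    r.mss, r.clamped, (unsigned)r.wscale, r.skipped, r.malformed,
	    scan_truncated().malformed);
	return 0;
}
```

The point of mirroring the receiver's parser is to avoid a parser differential: if the firewall acted on an MSS option whose length byte the host stack would reject, the two would disagree about which value is in force, and the clamp could be sidestepped. Rejecting `len < 2` also guarantees the loop always advances.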

Re: CVS commit: src/sys/net/npf

2018-01-30 Thread Maxime Villard

On 31/01/2018 at 00:18, Mindaugas Rasiukevicius wrote:

[...]

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.

[...]
If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check.


I meant to say that the IPv6 loop in npf_cache_ip seems suspicious to me.

while (nbuf_advance(nbuf, hlen, 0) != NULL) {
[...]
hlen = (ip6e->ip6e_len + 1) << 3;
[...]
npc->npc_hlen += hlen;
}
[continue execution...]

Here, if you have a 'hlen' that goes beyond the mbuf, nbuf_advance will fail,
and we're not handling this case. npc_hlen got incremented along the way, and
it now points past the end of the mbuf.

Perhaps that's handled properly later, but in all cases, we ought to handle
the error right here instead of processing the packet any further.

Note however that NPF is rather at the end of my TODO list, and I'll come back
to it later.

Maxime


Re: CVS commit: src/sys/net/npf

2018-01-30 Thread Mindaugas Rasiukevicius
"Maxime Villard"  wrote:
> Module Name:  src
> Committed By: maxv
> Date: Fri Dec 15 21:00:26 UTC 2017
> 
> Modified Files:
>   src/sys/net/npf: npf.h
> 
> Log Message:
> Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
> bypass a certain number of filtering rules.
> 
> Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
> 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
> has large extensions.

Thanks for discovering and fixing this.  I think this is the first
serious remote vulnerability in NPF, although limited to IPv6 only.

> Fix this by using uint32_t. While here, it seems to me there is also a
> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
> a value that goes beyond the mbuf.

A minor aspect, but promoting npf_hlen to uint32_t results in wasteful
padding in the struct, so it is better to re-order the struct members
in this case.

If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check.  However, I think
we should implement some sanity check for the npc_hlen value.  RFC 7112
suggests that the IPv6 header chain should not exceed the MTU size (and
thus fit in the first fragment, in case of fragmentation).  Some value
along these lines could be the basis for a sanity check..

-- 
Mindaugas

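The two messages above describe the same parser from two angles: Maxime's on the IPv6 loop in `npf_cache_ip` that keeps incrementing `npc_hlen` even when `nbuf_advance` fails, and Mindaugas's on an RFC 7112-style bound on the header chain. The following is an added C example, not NPF's `npf_cache_ip` and not code by either participant: it puts the 8-bit accumulator wrapping next to a walk that checks every advance before committing it and caps the chain. The names `ip6_walk_ext_chain`, `ip6_hlen_u8_buggy`, `HDRCHAIN_MAX` and `sample_pkt` and the 1280-octet cap are assumptions, and the packet is constructed.

```c
/*
 * Added example, not NPF code: an IPv6 extension-header walk with a 32-bit
 * length accumulator, a bounds check before each advance and a cap on the
 * total chain length, beside the 8-bit accumulator described in the thread.
 * All names here (ip6_walk_ext_chain, ip6_hlen_u8_buggy, HDRCHAIN_MAX,
 * sample_pkt) are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDRLEN	40
#define IPPROTO_HOPOPTS	0
#define IPPROTO_TCP	6
#define IPPROTO_ROUTING	43
#define IPPROTO_DSTOPTS	60
/* Extension headers whose length field means (len + 1) * 8 octets. */
#define IS_EXT_HDR(nh)	((nh) == IPPROTO_HOPOPTS || (nh) == IPPROTO_ROUTING || \
			 (nh) == IPPROTO_DSTOPTS)
/* Assumed cap: RFC 7112 wants the whole chain in the first fragment, and
 * 1280 octets is the IPv6 minimum MTU. */
#define HDRCHAIN_MAX	1280

struct ext_walk {
	bool     ok;		/* chain parsed completely and within bounds */
	uint32_t hlen;		/* offset of the upper-layer header */
	uint8_t  proto;		/* upper-layer protocol reached */
};

/* Each step is checked against pktlen and HDRCHAIN_MAX before the offset is
 * advanced; a failed step reports ok == false instead of leaving hlen past
 * the end of the packet. */
static struct ext_walk
ip6_walk_ext_chain(const uint8_t *pkt, size_t pktlen)
{
	struct ext_walk r = { false, 0, 0 };
	uint32_t off = IPV6_HDRLEN, hlen;
	uint8_t nh;

	if (pktlen < IPV6_HDRLEN)
		return r;
	nh = pkt[6];
	while (IS_EXT_HDR(nh)) {
		if ((size_t)off + 2 > pktlen)
			return r;	/* next-header/length bytes missing */
		hlen = ((uint32_t)pkt[off + 1] + 1) << 3;
		if ((size_t)off + hlen > pktlen || off + hlen > HDRCHAIN_MAX)
			return r;	/* runs past the packet or the cap */
		nh = pkt[off];
		off += hlen;
	}
	r.ok = true;
	r.hlen = off;
	r.proto = nh;
	return r;
}

/* The defect from the thread: the read cursor (off) is correct, but the
 * header length handed to later stages is accumulated in a uint8_t and wraps
 * modulo 256 once the chain exceeds 255 octets. */
static uint8_t
ip6_hlen_u8_buggy(const uint8_t *pkt, size_t pktlen)
{
	uint8_t acc = IPV6_HDRLEN, nh;
	size_t off = IPV6_HDRLEN, hlen;

	if (pktlen < IPV6_HDRLEN)
		return 0;
	for (nh = pkt[6]; IS_EXT_HDR(nh) && off + 2 <= pktlen; off += hlen) {
		hlen = ((size_t)pkt[off + 1] + 1) << 3;
		if (off + hlen > pktlen)
			break;
		nh = pkt[off];
		acc += (uint8_t)hlen;	/* silently wraps modulo 256 */
	}
	return acc;
}

/* Constructed packet: IPv6 (40) + Hop-by-Hop (248) + Destination Options (8)
 * + TCP; upper-layer offset 296, which a uint8_t accumulator reports as 40. */
#define SAMPLE_LEN	316
static uint8_t sample_pkt[SAMPLE_LEN] = {
	[0] = 0x60, [4] = 1, [5] = 20,		/* version 6, payload length 276 */
	[6] = IPPROTO_HOPOPTS,
	[40] = IPPROTO_DSTOPTS, [41] = 30,	/* hop-by-hop: next, (30+1)*8 */
	[288] = IPPROTO_TCP,			/* dstopts: next, len 0 = 8 octets */
};

int
main(void)
{
	struct ext_walk w = ip6_walk_ext_chain(sample_pkt, SAMPLE_LEN);

	printf("uint32 walk: ok=%d hlen=%u proto=%u; uint8 accumulator: %u\n",
	    w.ok, (unsigned)w.hlen, (unsigned)w.proto,
	    (unsigned)ip6_hlen_u8_buggy(sample_pkt, SAMPLE_LEN));
	return 0;
}
```

With the wrapped value, a later stage would look for the TCP header at offset 40, inside attacker-supplied Hop-by-Hop option data, which is how a filter can be made to match on a header the sender fabricated. The safe walk only commits `off` after both checks pass, so the caller never sees a half-updated offset, and the same `ok` flag covers the truncated-packet case (try `ip6_walk_ext_chain(sample_pkt, 100)`).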

Re: CVS commit: src/sys/net/npf

2015-10-18 Thread Christos Zoulas
In article <20151019002957.b972...@cvs.netbsd.org>,
Christos Zoulas  wrote:
>Log Message:
>Fix the code so that it works in all 3 cases: non-modular, modular/builtin,
>modular/filesystem. In the non-modular case we initialize through attach.
>In the modular/builtin case we define the module to be class misc so it
>attaches late (after percpu is initialized) since driver modules attach
>too early.  In the modular/filesystem case we define it to be a driver
>module since we autoload it via /dev/npf open.

I still don't like my fix, perhaps jared's is better. Having a single
attach()/detach() entry point for both modular and non-modular kernels
certainly seems desirable. Also there needs a way to specify a dependency
graph for modules so that they can be loaded after their dependencies.
Finally resource management (things that the modules need to cleanup
and may be busy) need to be handled better.

christos



Re: CVS commit: src/sys/net/npf

2013-10-29 Thread Paul Goyette

On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:


Module Name:src
Committed By:   rmind
Date:   Tue Oct 29 16:39:10 UTC 2013

Modified Files:
src/sys/net/npf: npf_impl.h npf_nat.c npf_session.c

Log Message:
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.


Should we have (or do we have) a regression test to catch this race 
condition?



-
| Paul Goyette | PGP Key fingerprint: | E-mail addresses:   |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com|
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |  | pgoyette at netbsd.org  |
-


Re: CVS commit: src/sys/net/npf

2013-10-29 Thread Mindaugas Rasiukevicius
Paul Goyette p...@whooppee.com wrote:
 On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:
 
  Module Name:src
  Committed By:   rmind
  Date:   Tue Oct 29 16:39:10 UTC 2013
 
  Modified Files:
  src/sys/net/npf: npf_impl.h npf_nat.c npf_session.c
 
  Log Message:
  npf_session_setnat: fix the race condition when the old connection is
  still being expired while a new/duplicate is being created.
 
 Should we have (or do we have) a regression test to catch this race 
 condition?

You would need to write a test simulating a particular condition and then
trying to brute-force the race.  It requires a bit of coding as it is not
an easy race to trigger.  Let me know if you want to volunteer.

-- 
Mindaugas


Re: CVS commit: src/sys/net/npf

2013-10-29 Thread Paul Goyette

On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:


npf_session_setnat: fix the race condition when the old connection is
still being expired while a new/duplicate is being created.


Should we have (or do we have) a regression test to catch this race
condition?


You would need to write a test simulating a particular condition and then
trying to brute-force the race.  It requires a bit of coding as it is not
an easy race to trigger.  Let me know if you want to volunteer.


Thanks!   :)

Unfortunately I don't think I can volunteer (probably wouldn't be 
productive, anyway).




-
| Paul Goyette | PGP Key fingerprint: | E-mail addresses:   |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com|
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |  | pgoyette at netbsd.org  |
-