CVS commit: src/usr.sbin/npf

2020-05-31 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun May 31 15:57:15 UTC 2020

Modified Files:
src/usr.sbin/npf: npf-params.7

Log Message:
npf-params(7): fix the state.key defaults.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npf-params.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npf-params.7
diff -u src/usr.sbin/npf/npf-params.7:1.4 src/usr.sbin/npf/npf-params.7:1.5
--- src/usr.sbin/npf/npf-params.7:1.4	Sat May 30 14:16:56 2020
+++ src/usr.sbin/npf/npf-params.7	Sun May 31 15:57:15 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf-params.7,v 1.4 2020/05/30 14:16:56 rmind Exp $
+.\" $NetBSD: npf-params.7,v 1.5 2020/05/31 15:57:15 rmind Exp $
 .\"
 .\" Copyright (c) 2019 Mindaugas Rasiukevicius 
 .\" All rights reserved.
@@ -94,10 +94,10 @@ some of the information in (from) the ke
 .It Li interface
 Include interface identifier into the keys, making the connection
 state strictly per-interface.
-Default: 0.
+Default: 1.
 .It Li direction
 Include packet direction into the keys.
-Default: 0.
+Default: 1.
 .El
 .\" ---
 .It Li state.generic



CVS commit: src/usr.sbin/npf/npftest/libnpftest

2020-05-30 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat May 30 21:00:31 UTC 2020

Modified Files:
src/usr.sbin/npf/npftest/libnpftest: npf_test_subr.c

Log Message:
npftest -- npf_test_init(): add a workaround for NetBSD.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 \
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.17 src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.18
--- src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.17	Sat May 30 14:16:57 2020
+++ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c	Sat May 30 21:00:31 2020
@@ -64,6 +64,13 @@ npf_test_init(int (*pton_func)(int, cons
 {
 	npf_t *npf;
 
+#ifdef __NetBSD__
+	// XXX: Workaround for npf_init()
+	if ((npf = npf_getkernctx()) != NULL) {
+		npf_worker_discharge(npf);
+		npf_worker_sysfini();
+	}
+#endif
 	npfk_sysinit(0);
 	npf = npfk_create(0, _mbufops, _ifops, NULL);
 	npfk_thread_register(npf);
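Review bot: The `// XXX: Workaround for npf_init()` comment in the added `#ifdef __NetBSD__` block does not say what is being worked around or when the block can be removed. From the calls it looks as if the worker state of an already-initialised kernel context is torn down so that `npfk_sysinit(0)` can set it up again, but that is inferred from the hunk, not stated. I would spell the reason out, for example `/* XXX: npf_init() may already have started the workers for the kernel context; tear them down so npfk_sysinit() starts clean. */`, corrected to the real cause. npf_test_init() continues past the end of the hunk.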



CVS commit: src/sys/net/npf

2020-05-30 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat May 30 20:54:54 UTC 2020

Modified Files:
src/sys/net/npf: npf_worker.c

Log Message:
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_worker.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_worker.c
diff -u src/sys/net/npf/npf_worker.c:1.8 src/sys/net/npf/npf_worker.c:1.9
--- src/sys/net/npf/npf_worker.c:1.8	Sat May 30 14:16:56 2020
+++ src/sys/net/npf/npf_worker.c	Sat May 30 20:54:54 2020
@@ -29,7 +29,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.8 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.9 2020/05/30 20:54:54 rmind Exp $");
 
 #include 
 #include 
@@ -81,7 +81,8 @@ npf_worker_sysinit(unsigned nworkers)
 	winfo = kmem_zalloc(len, KM_SLEEP);
 	winfo->worker_count = nworkers;
 	mutex_init(>lock, MUTEX_DEFAULT, IPL_SOFTNET);
-	cv_init(>cv, "npfgccv");
+	cv_init(>exit_cv, "npfgcx");
+	cv_init(>cv, "npfgcw");
 	LIST_INIT(>instances);
 	worker_info = winfo;
 
@@ -121,6 +122,7 @@ npf_worker_sysfini(void)
 		}
 	}
 	cv_destroy(>cv);
+	cv_destroy(>exit_cv);
 	mutex_destroy(>lock);
 	kmem_free(winfo, offsetof(npf_workerinfo_t, worker[nworkers]));
 	worker_info = NULL;



CVS commit: src/usr.sbin/npf/npfctl

2020-05-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun May 24 15:35:40 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl: npf_scan.l

Log Message:
PR/55288: npfctl: change parameter syntax to be more permissive.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.30 src/usr.sbin/npf/npfctl/npf_scan.l:1.31
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.30	Mon Sep 30 00:37:11 2019
+++ src/usr.sbin/npf/npfctl/npf_scan.l	Sun May 24 15:35:39 2020
@@ -91,6 +91,7 @@ npfctl_parse_string(const char *str, par
 
 ID	[a-zA-Z_][a-zA-Z_0-9]*
 DID	[a-zA-Z_][a-zA-Z_0-9-]*
+SPID	[a-zA-Z][a-zA-Z_0-9.]*
 NUMBER	[0-9]+
 HEXDIG	[0-9a-fA-F]+
 
@@ -227,7 +228,7 @@ any			return ANY;
 			return VAR_ID;
 		}
 
-[a-z]*"."[a-z.]* {
+{ID}"."{SPID}+	{
 			yylval.str = estrndup(yytext, yyleng);
 			return PARAM;
 		}
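Review bot: In `{ID}"."{SPID}+` the trailing `+` is redundant, because `SPID` already ends in `[a-zA-Z_0-9.]*`, so a single `SPID` matches everything a run of them can; `{ID}"."{SPID}` accepts the same strings and is easier to reason about. Because `.` is inside the `SPID` character class, the rule also accepts names with consecutive or trailing dots (constructed example: `a.b..`), so rejecting malformed or unknown parameter names is left entirely to whatever consumes `PARAM`, which is not visible here. A comment on the rule such as `/* Permissive on purpose: parameter names are validated when PARAM is consumed. */` would make that division of responsibility explicit, if that is indeed where validation happens.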



CVS commit: src

2020-05-23 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat May 23 19:56:00 UTC 2020

Modified Files:
src/sys/net/npf: npf_conf.c npf_conn.c npf_conn.h npf_conndb.c
npf_inet.c npf_nat.c
src/usr.sbin/npf/npfctl: npf_build.c npf_show.c npfctl.h

Log Message:
Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
  instead of incorrectly assuming that the handler always runs at IPL_SOFTNET.
  Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
  with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
  wait for reference draining on destruction; destroy the policy on the
  last reference drop instead.  Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.30 -r1.31 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conndb.c
cvs rdiff -u -r1.55 -r1.56 src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_show.c
cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.15 src/sys/net/npf/npf_conf.c:1.16
--- src/sys/net/npf/npf_conf.c:1.15	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_conf.c	Sat May 23 19:56:00 2020
@@ -47,7 +47,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.15 2019/08/25 13:21:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.16 2020/05/23 19:56:00 rmind Exp $");
 
 #include 
 #include 
@@ -94,10 +94,18 @@ npf_config_destroy(npf_config_t *nc)
 	 * Note: the rulesets must be destroyed first, in order to drop
 	 * any references to the tableset.
 	 */
-	npf_ruleset_destroy(nc->ruleset);
-	npf_ruleset_destroy(nc->nat_ruleset);
-	npf_rprocset_destroy(nc->rule_procs);
-	npf_tableset_destroy(nc->tableset);
+	if (nc->ruleset) {
+		npf_ruleset_destroy(nc->ruleset);
+	}
+	if (nc->nat_ruleset) {
+		npf_ruleset_destroy(nc->nat_ruleset);
+	}
+	if (nc->rule_procs) {
+		npf_rprocset_destroy(nc->rule_procs);
+	}
+	if (nc->tableset) {
+		npf_tableset_destroy(nc->tableset);
+	}
 	kmem_free(nc, sizeof(npf_config_t));
 }
 
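Review bot: The four new NULL guards carry no explanation, and the existing comment above them still reads as if every member is always present. Going by the log message they exist for a partially initialised config, so I would extend that comment with a sentence such as `Members may be NULL if the config was only partially constructed.` so the guards are not later removed as dead code. The destruction order (rulesets before the tableset) is unchanged, which is what the existing comment requires. npf_config_destroy() begins outside the hunk.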

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.30 src/sys/net/npf/npf_conn.c:1.31
--- src/sys/net/npf/npf_conn.c:1.30	Sun Sep 29 17:00:29 2019
+++ src/sys/net/npf/npf_conn.c	Sat May 23 19:56:00 2020
@@ -107,7 +107,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.30 2019/09/29 17:00:29 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.31 2020/05/23 19:56:00 rmind Exp $");
 
 #include 
 #include 
@@ -311,7 +311,7 @@ npf_conn_lookup(const npf_cache_t *npc, 
 	if (!npf_conn_conkey(npc, , true)) {
 		return NULL;
 	}
-	con = npf_conndb_lookup(npf->conn_db, , forw);
+	con = npf_conndb_lookup(npf, , forw);
 	if (con == NULL) {
 		return NULL;
 	}
@@ -908,7 +908,7 @@ npf_conn_find(npf_t *npf, const nvlist_t
 	if (!kdict || !npf_connkey_import(kdict, )) {
 		return EINVAL;
 	}
-	con = npf_conndb_lookup(npf->conn_db, , );
+	con = npf_conndb_lookup(npf, , );
 	if (con == NULL) {
 		return ESRCH;
 	}

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.18 src/sys/net/npf/npf_conn.h:1.19
--- src/sys/net/npf/npf_conn.h:1.18	Sun Aug 11 20:26:33 2019
+++ src/sys/net/npf/npf_conn.h	Sat May 23 19:56:00 2020
@@ -157,7 +157,7 @@ void		npf_conndb_sysfini(npf_t *);
 npf_conndb_t *	npf_conndb_create(void);
 void		npf_conndb_destroy(npf_conndb_t *);
 
-npf_conn_t *	npf_conndb_lookup(npf_conndb_t *, const npf_connkey_t *, bool *);
+npf_conn_t *	npf_conndb_lookup(npf_t *, const npf_connkey_t *, bool *);
 bool		npf_conndb_insert(npf_conndb_t *, const npf_connkey_t *,
 		npf_conn_t *, bool);
 npf_conn_t *	npf_conndb_remove(npf_conndb_t *, npf_connkey_t *);
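Review bot: After this change `npf_conndb_lookup()` takes `npf_t *` while `npf_conndb_insert()` and `npf_conndb_remove()` directly below it still take `npf_conndb_t *`, and the header gives no reason for the difference. Going by the log message the lookup now needs the NPF instance for its pserialize(9) read section; the npf_conndb.c hunk that would confirm this is cut off on this page. A short comment on the prototype, e.g. `/* Takes npf_t *: the lookup is protected by a read section tied to the instance. */`, would keep callers from treating the three calls as interchangeable.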

Index: src/sys/net/npf/npf_conndb.c
diff -u src/sys/net/npf/npf_conndb.c:1.7 src/sys/net/npf/npf_conndb.c:1.8
--- src/sys/net/npf/npf_conndb.c:1.7	Sat Dec 14 15:21:51 2019
+++ src/sys/net/npf/npf_conndb.c	Sat May 23 19:56:00 2020
@@ -46,7 +46,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conndb.c,v 1.7 2019/12/14 15:21:51 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conndb.c,v 1.8 2020/05/23 19:56:00 rmind Exp $");
 
 #include 
 #include 
@@ -143,8 +143,9 @@ 

CVS commit: src/sys/kern

2020-05-23 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat May 23 19:52:12 UTC 2020

Modified Files:
src/sys/kern: subr_thmap.c

Log Message:
thmap(9): merge changes from the upstream -- primarily, switch to the
C11-style memory fences and atomic primitives; in NetBSD, this translates
to using the atomic_loadstore(9) primitives.

To be pulled up (just in case).


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/kern/subr_thmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_thmap.c
diff -u src/sys/kern/subr_thmap.c:1.5 src/sys/kern/subr_thmap.c:1.6
--- src/sys/kern/subr_thmap.c:1.5	Mon Feb  4 08:00:27 2019
+++ src/sys/kern/subr_thmap.c	Sat May 23 19:52:12 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_thmap.c,v 1.5 2019/02/04 08:00:27 mrg Exp $	*/
+/*	$NetBSD: subr_thmap.c,v 1.6 2020/05/23 19:52:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2018 Mindaugas Rasiukevicius 
@@ -53,7 +53,7 @@
  *   re-try from the root; this is a case for deletions and is achieved
  *   using the NODE_DELETED flag.
  *
- *   iii) the node destruction must be synchronised with the readers,
+ *   iii) the node destruction must be synchronized with the readers,
  *   e.g. by using the Epoch-based reclamation or other techniques.
  *
  * - WRITERS AND LOCKING: Each intermediate node has a spin-lock (which
@@ -87,7 +87,6 @@
  *	https://www.csd.uoc.gr/~hy460/pdf/p650-lehman.pdf
  */
 
-
 #ifdef _KERNEL
 #include 
 #include 
@@ -112,20 +111,19 @@
 #include "utils.h"
 #endif
 
-THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.5 2019/02/04 08:00:27 mrg Exp $");
+THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.6 2020/05/23 19:52:12 rmind Exp $");
 
 /*
  * NetBSD kernel wrappers
  */
 #ifdef _KERNEL
 #define	ASSERT KASSERT
-#define	atomic_thread_fence(x) x
-#define	memory_order_stores membar_producer()
-#define	memory_order_loads membar_consumer()
-#define	atomic_cas_32_p(p, e, n) (atomic_cas_32((p), (e), (n)) == (e))
-#define	atomic_cas_ptr_p(p, e, n) \
-(atomic_cas_ptr((p), (void *)(e), (void *)(n)) == (e))
-#define	atomic_exchange atomic_swap_ptr
+#define	atomic_thread_fence(x) membar_sync()
+#define	atomic_compare_exchange_weak_explicit_32(p, e, n, m1, m2) \
+(atomic_cas_32((p), *(e), (n)) == *(e))
+#define	atomic_compare_exchange_weak_explicit_ptr(p, e, n, m1, m2) \
+(atomic_cas_ptr((p), *(void **)(e), (void *)(n)) == *(void **)(e))
+#define	atomic_exchange_explicit(o, n, m1) atomic_swap_ptr((o), (n))
 #define	murmurhash3 murmurhash2
 #endif
 
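Review bot: The `_KERNEL` versions of `atomic_compare_exchange_weak_explicit_32` and `atomic_compare_exchange_weak_explicit_ptr` do not behave like the C11 functions they are named after: `*(e)` is not updated with the observed value on failure, `e` is evaluated twice, and the `m1`/`m2` memory-order arguments are discarded. lock_node() reloads the state before retrying, so the first difference is harmless there, but other callers are not visible in this diff and a retry loop written to C11 semantics would spin on a stale expected value. Dropping the orders also means the acquire requested in lock_node() is only as strong as `atomic_cas_32()` itself, which nothing in this diff establishes. I would at least document the deviation above the macros, e.g. `/* Not full C11: *(e) is left unchanged on failure and m1/m2 are ignored. */`.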
@@ -160,6 +158,7 @@ THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.5
  * least significant bit.
  */
 typedef uintptr_t thmap_ptr_t;
+typedef uintptr_t atomic_thmap_ptr_t;			// C11 _Atomic
 
 #define	THMAP_NULL		((thmap_ptr_t)0)
 
@@ -188,9 +187,9 @@ typedef uintptr_t thmap_ptr_t;
  */
 
 typedef struct {
-	uint32_t	state;
-	thmap_ptr_t	parent;
-	thmap_ptr_t	slots[LEVEL_SIZE];
+	uint32_t		state;			// C11 _Atomic
+	thmap_ptr_t		parent;
+	atomic_thmap_ptr_t	slots[LEVEL_SIZE];
 } thmap_inode_t;
 
 #define	THMAP_INODE_LEN	sizeof(thmap_inode_t)
@@ -217,11 +216,11 @@ typedef struct {
 #define	THMAP_ROOT_LEN	(sizeof(thmap_ptr_t) * ROOT_SIZE)
 
 struct thmap {
-	uintptr_t	baseptr;
-	thmap_ptr_t *	root;
-	unsigned	flags;
-	const thmap_ops_t *ops;
-	thmap_gc_t *	gc_list;
+	uintptr_t		baseptr;
+	atomic_thmap_ptr_t *	root;
+	unsigned		flags;
+	const thmap_ops_t *	ops;
+	thmap_gc_t *		gc_list;		// C11 _Atomic
 };
 
 static void	stage_mem_gc(thmap_t *, uintptr_t, size_t);
@@ -253,9 +252,9 @@ static const thmap_ops_t thmap_default_o
 
 #ifdef DIAGNOSTIC
 static inline bool
-node_locked_p(const thmap_inode_t *node)
+node_locked_p(thmap_inode_t *node)
 {
-	return (node->state & NODE_LOCKED) != 0;
+	return (atomic_load_relaxed(>state) & NODE_LOCKED) != 0;
 }
 #endif
 
@@ -265,18 +264,14 @@ lock_node(thmap_inode_t *node)
 	unsigned bcount = SPINLOCK_BACKOFF_MIN;
 	uint32_t s;
 again:
-	s = node->state;
+	s = atomic_load_relaxed(>state);
 	if (s & NODE_LOCKED) {
 		SPINLOCK_BACKOFF(bcount);
 		goto again;
 	}
-	/*
-	 * CAS will issue a full memory fence for us.
-	 *
-	 * WARNING: for optimisations purposes, callers rely on us
-	 * issuing load and store fence
-	 */
-	if (!atomic_cas_32_p(>state, s, s | NODE_LOCKED)) {
+	/* Acquire from prior release in unlock_node.() */
+	if (!atomic_compare_exchange_weak_explicit_32(>state,
+	, s | NODE_LOCKED, memory_order_acquire, memory_order_relaxed)) {
 		bcount = SPINLOCK_BACKOFF_MIN;
 		goto again;
 	}
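Review bot: The comment removed here warned that callers rely on lock_node() issuing both a load and a store fence, while its replacement only claims acquire ordering; whether those callers were adjusted is not visible in this hunk. In the `_KERNEL` build the wrapper macro added earlier in this same diff drops the memory-order arguments, so the ordering actually obtained depends on `atomic_cas_32()`. I would keep one sentence stating what callers may still assume after lock_node() returns. The new comment also has a typo, `unlock_node.()`, which should read `unlock_node()`. lock_node() begins and ends outside the hunk.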
@@ -285,11 +280,11 @@ again:
 static void
 unlock_node(thmap_inode_t *node)
 {
-	uint32_t s = node->state & ~NODE_LOCKED;
+	uint32_t s = atomic_load_relaxed(>state) & ~NODE_LOCKED;
 
 	ASSERT(node_locked_p(node));
-	atomic_thread_fence(memory_order_stores);
-	node->state = s; // atomic store
+	/* Release to subsequent acquire in lock_node(). */
+	atomic_store_release(>state,

CVS commit: src/usr.sbin/npf/npfctl

2019-04-07 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Apr  7 22:23:40 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): Add more info about ifaddrs().


To generate a diff of this commit:
cvs rdiff -u -r1.84 -r1.85 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.84 src/usr.sbin/npf/npfctl/npf.conf.5:1.85
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.84	Sat Jan 19 21:19:32 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Apr  7 22:23:40 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.84 2019/01/19 21:19:32 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 14, 2019
+.Dd February 2, 2019
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -148,12 +148,16 @@ The
 .Cm family
 keyword of a filtering rule can be used in combination to explicitly select
 an IP address type.
+This function can also be used with
+.Cm map
+to specify the translation address, see below.
 .El
 .Pp
 Example of configuration:
 .Bd -literal -offset indent
 $var1 = inet4(wm0)
 $var2 = ifaddrs(wm0)
+
 group default {
 	block in on wm0 all   # rule 1
 	block in on $var1 all # rule 2
@@ -350,6 +354,11 @@ redirecting the public port 9022 to the 
 .Pp
 .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 .Pp
+The translation address can also by dynamic, based on the interface.
+The following would select IPv4 address currently assigned to the interface:
+.Pp
+.Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if)
+.Pp
 If the dynamic NAT is configured with multiple translation addresses,
 then a custom selection algorithm can be chosen using the
 .Cm algo
@@ -587,10 +596,9 @@ $localnet = { 10.1.1.0/24 }
 
 alg "icmp"
 
-# Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
-# then the translation address has to be specified explicitly.
-map $ext_if dynamic 10.1.1.0/24 -> $ext_if
-map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
+# These NAT rules will dynamically select the interface address(es).
+map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if)
+map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- ifaddrs($ext_if) port 9022
 
 procedure "log" {
 	# The logging facility can be used together with npfd(8).
@@ -635,7 +643,7 @@ group default {
 .Xr npfctl 8 ,
 .Xr npfd 8
 .Pp
-.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website"
+.Lk http://rmind.github.io/npf/ "NPF documentation website"
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .



CVS commit: src/sys/external/bsd/libnv/dist

2019-02-15 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Feb 15 22:49:24 UTC 2019

Modified Files:
src/sys/external/bsd/libnv/dist: nvpair.c

Log Message:
nvpair_remove_nvlist_array: revert part of the rev 1.4 change (it was applied
by mistake because the libnv upstream code on Github has deviated from FreeBSD,
i.e. it has a different nvlist_set_array_next() logic).


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nvpair.c
diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.5 src/sys/external/bsd/libnv/dist/nvpair.c:1.6
--- src/sys/external/bsd/libnv/dist/nvpair.c:1.5	Tue Feb 12 12:52:49 2019
+++ src/sys/external/bsd/libnv/dist/nvpair.c	Fri Feb 15 22:49:24 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $	*/
+/*	$NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $");
 #else
-__RCSID("$NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $");
+__RCSID("$NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $");
 #endif
 
 #include 
@@ -251,16 +251,8 @@ nvpair_remove_nvlist_array(nvpair_t *nvp
 	nvlarray = __DECONST(nvlist_t **,
 	nvpair_get_nvlist_array(nvp, ));
 	for (i = 0; i < count; i++) {
-		nvlist_t *nvl;
-		nvpair_t *nnvp;
-
-		nvl = nvlarray[i];
-		nnvp = nvlist_get_array_next_nvpair(nvl);
-		if (nnvp != NULL) {
-			nvpair_free_structure(nnvp);
-		}
-		nvlist_set_array_next(nvl, NULL);
-		nvlist_set_parent(nvl, NULL);
+		nvlist_set_array_next(nvlarray[i], NULL);
+		nvlist_set_parent(nvlarray[i], NULL);
 	}
 }
 
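Review bot: Nothing in the restored loop says why the previous `nvl_array_next` element is not freed here, which is exactly what revision 1.4 got wrong, so the same "leak fix" could be re-applied later. A one-line comment such as `/* nvlist_set_array_next(nvl, NULL) takes care of the previous element; do not free it here. */` would prevent that, assuming this is what the log message means by the different nvlist_set_array_next() logic. The `nvlist_get_array_next_nvpair()` helper introduced in 1.4 appears to have no remaining user after this revert, unless there is a caller outside this diff. nvpair_remove_nvlist_array() begins outside the hunk.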



CVS commit: src/sys/external/bsd/libnv/dist

2019-02-12 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Feb 12 12:52:49 UTC 2019

Modified Files:
src/sys/external/bsd/libnv/dist: nvpair.c

Log Message:
libnv: Free the data array for NV_TYPE_DESCRIPTOR_ARRAY case.
Obtained from FreeBSD rev 343987 by oshogbo@.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nvpair.c
diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.4 src/sys/external/bsd/libnv/dist/nvpair.c:1.5
--- src/sys/external/bsd/libnv/dist/nvpair.c:1.4	Tue Feb 12 12:49:23 2019
+++ src/sys/external/bsd/libnv/dist/nvpair.c	Tue Feb 12 12:52:49 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $	*/
+/*	$NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $");
 #else
-__RCSID("$NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $");
+__RCSID("$NetBSD: nvpair.c,v 1.5 2019/02/12 12:52:49 rmind Exp $");
 #endif
 
 #include 
@@ -2099,6 +2099,7 @@ nvpair_free(nvpair_t *nvp)
 	case NV_TYPE_DESCRIPTOR_ARRAY:
 		for (i = 0; i < nvp->nvp_nitems; i++)
 			close(((int *)(intptr_t)nvp->nvp_data)[i]);
+		nv_free((int *)(intptr_t)nvp->nvp_data);
 		break;
 #endif
 	case NV_TYPE_NVLIST:



CVS commit: src/sys/external/bsd/libnv/dist

2019-02-12 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Feb 12 12:49:23 UTC 2019

Modified Files:
src/sys/external/bsd/libnv/dist: nv_impl.h nvlist.c nvpair.c

Log Message:
libnv: fix multiple memory leaks.

- nvpair_create_stringv: free the temporary string; this fix affects
  nvlist_add_stringf() and nvlist_add_stringv().

- nvpair_remove_nvlist_array (NV_TYPE_NVLIST_ARRAY case): free the chain
  of nvpairs (as resetting it prevents nvlist_destroy() from freeing it).
  Note: freeing the chain in nvlist_destroy() is not sufficient, because
  it would still leak through nvlist_take_nvlist_array().  This affects
  all nvlist_*_nvlist_array() users.

Found by clang/gcc ASAN.  These fixes have been contributed to the
upstream (FreeBSD) repository.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/external/bsd/libnv/dist/nv_impl.h
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nvlist.c
cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nv_impl.h
diff -u src/sys/external/bsd/libnv/dist/nv_impl.h:1.5 src/sys/external/bsd/libnv/dist/nv_impl.h:1.6
--- src/sys/external/bsd/libnv/dist/nv_impl.h:1.5	Sun Sep 23 19:07:10 2018
+++ src/sys/external/bsd/libnv/dist/nv_impl.h	Tue Feb 12 12:49:23 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv_impl.h,v 1.5 2018/09/23 19:07:10 rmind Exp $	*/
+/*	$NetBSD: nv_impl.h,v 1.6 2019/02/12 12:49:23 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -125,6 +125,7 @@ bool nvlist_move_nvpair(nvlist_t *nvl, n
 
 void nvlist_set_parent(nvlist_t *nvl, nvpair_t *parent);
 void nvlist_set_array_next(nvlist_t *nvl, nvpair_t *ele);
+nvpair_t *nvlist_get_array_next_nvpair(nvlist_t *nvl);
 
 const nvpair_t *nvlist_get_nvpair(const nvlist_t *nvl, const char *name);
 

Index: src/sys/external/bsd/libnv/dist/nvlist.c
diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.6 src/sys/external/bsd/libnv/dist/nvlist.c:1.7
--- src/sys/external/bsd/libnv/dist/nvlist.c:1.6	Sat Sep 22 17:13:30 2018
+++ src/sys/external/bsd/libnv/dist/nvlist.c	Tue Feb 12 12:49:23 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $	*/
+/*	$NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $");
 #else
-__RCSID("$NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $");
+__RCSID("$NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $");
 #endif
 
 #include 
@@ -269,6 +269,15 @@ nvlist_set_array_next(nvlist_t *nvl, nvp
 	nvl->nvl_array_next = ele;
 }
 
+nvpair_t *
+nvlist_get_array_next_nvpair(nvlist_t *nvl)
+{
+
+	NVLIST_ASSERT(nvl);
+
+	return (nvl->nvl_array_next);
+}
+
 bool
 nvlist_in_array(const nvlist_t *nvl)
 {
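Review bot: `nvlist_get_array_next_nvpair()` hands out the raw `nvl_array_next` pointer with no comment on ownership, and the caller added in the nvpair.c part of this commit frees the result. I would document on the definition that the list keeps referencing the returned pair until the caller clears it, e.g. `/* Returns the array-next nvpair (possibly NULL); nvl still points at it. */`. Taking `const nvlist_t *`, as `nvlist_in_array()` just below does, would also fit since the function only reads.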

Index: src/sys/external/bsd/libnv/dist/nvpair.c
diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.3 src/sys/external/bsd/libnv/dist/nvpair.c:1.4
--- src/sys/external/bsd/libnv/dist/nvpair.c:1.3	Sat Sep  8 14:32:25 2018
+++ src/sys/external/bsd/libnv/dist/nvpair.c	Tue Feb 12 12:49:23 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvpair.c,v 1.3 2018/09/08 14:32:25 christos Exp $	*/
+/*	$NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $");
 #else
-__RCSID("$NetBSD: nvpair.c,v 1.3 2018/09/08 14:32:25 christos Exp $");
+__RCSID("$NetBSD: nvpair.c,v 1.4 2019/02/12 12:49:23 rmind Exp $");
 #endif
 
 #include 
@@ -251,8 +251,16 @@ nvpair_remove_nvlist_array(nvpair_t *nvp
 	nvlarray = __DECONST(nvlist_t **,
 	nvpair_get_nvlist_array(nvp, ));
 	for (i = 0; i < count; i++) {
-		nvlist_set_array_next(nvlarray[i], NULL);
-		nvlist_set_parent(nvlarray[i], NULL);
+		nvlist_t *nvl;
+		nvpair_t *nnvp;
+
+		nvl = nvlarray[i];
+		nnvp = nvlist_get_array_next_nvpair(nvl);
+		if (nnvp != NULL) {
+			nvpair_free_structure(nnvp);
+		}
+		nvlist_set_array_next(nvl, NULL);
+		nvlist_set_parent(nvl, NULL);
 	}
 }
 
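Review bot: `nvpair_free_structure(nnvp)` is followed immediately by `nvlist_set_array_next(nvl, NULL)`, and if that setter itself releases the previous `nvl_array_next` when passed NULL, the same element is freed twice. Only the setter's final assignment is visible as context in the nvlist.c hunk of this commit, so its full body needs checking before the free is added here. If the setter does not release the element, a comment on the new lines, e.g. `/* nvlist_set_array_next() only resets the pointer; free the pair here. */`, would make the ownership explicit. nvpair_remove_nvlist_array() begins outside the hunk.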
@@ -1216,8 +1224,7 @@ nvpair_create_stringv(const char *name, 
 	if (len < 0)
 		return (NULL);
 	nvp = nvpair_create_string(name, str);
-	if (nvp == NULL)
-		nv_free(str);
+	nv_free(str);
 	return (nvp);
 }
 #endif



CVS commit: src/doc

2019-01-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jan 19 21:36:09 UTC 2019

Modified Files:
src/doc: CHANGES

Log Message:
Mention NPF improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.2491 -r1.2492 src/doc/CHANGES

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES
diff -u src/doc/CHANGES:1.2491 src/doc/CHANGES:1.2492
--- src/doc/CHANGES:1.2491	Fri Jan 18 04:14:47 2019
+++ src/doc/CHANGES	Sat Jan 19 21:36:09 2019
@@ -1,4 +1,4 @@
-# LIST OF CHANGES FROM LAST RELEASE:			<$Revision: 1.2491 $>
+# LIST OF CHANGES FROM LAST RELEASE:			<$Revision: 1.2492 $>
 #
 #
 # [Note: This file does not mention every change made to the NetBSD source tree.
@@ -308,3 +308,7 @@ Changes from NetBSD 8.0 to NetBSD 9.0:
 	sgimips: Import irisboot, yet another bootloader for pre-ARC sgimips
 		machines. Submitted by Naruaki Etomi via PR port-sgimips/53539.
 		[tsutsui 20190112]
+	npf: Major NPF improvements (added support for dynamic NAT address,
+		NETMAP algorithm for static NAT, lock-free lookup for 'ipset'
+		tables, lock-free state lookup, incremental state G/C, etc).
+		[rmind 20190119]



CVS commit: src/sys/kern

2019-01-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jan 19 20:42:54 UTC 2019

Modified Files:
src/sys/kern: subr_thmap.c

Log Message:
thmap: use KM_NOSLEEP for now; might revisit later.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/sys/kern/subr_thmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_thmap.c
diff -u src/sys/kern/subr_thmap.c:1.3 src/sys/kern/subr_thmap.c:1.4
--- src/sys/kern/subr_thmap.c:1.3	Sat Dec 22 21:53:06 2018
+++ src/sys/kern/subr_thmap.c	Sat Jan 19 20:42:54 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_thmap.c,v 1.3 2018/12/22 21:53:06 christos Exp $	*/
+/*	$NetBSD: subr_thmap.c,v 1.4 2019/01/19 20:42:54 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2018 Mindaugas Rasiukevicius 
@@ -112,7 +112,7 @@
 #include "utils.h"
 #endif
 
-THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.3 2018/12/22 21:53:06 christos Exp $");
+THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.4 2019/01/19 20:42:54 rmind Exp $");
 
 /*
  * NetBSD kernel wrappers
@@ -233,7 +233,7 @@ static void	stage_mem_gc(thmap_t *, uint
 static uintptr_t
 alloc_wrapper(size_t len)
 {
-	return (uintptr_t)kmem_intr_alloc(len, KM_SLEEP);
+	return (uintptr_t)kmem_intr_alloc(len, KM_NOSLEEP);
 }
 
 static void
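Review bot: With `KM_NOSLEEP` the allocation can fail and return NULL, and neither changed call site checks for it. alloc_wrapper() would return 0 to callers that are not visible in this diff, and in the stage_mem_gc() hunk that follows, `gc->addr = addr;` runs directly after the call, so a failed allocation becomes a NULL dereference in the kernel under memory pressure. stage_mem_gc() returns void and so cannot report the failure; it needs either an allocation that cannot fail where the calling context allows sleeping, or an error path to its caller. For alloc_wrapper() a comment such as `/* May return 0: KM_NOSLEEP allocations can fail; callers must check. */` would at least state the new contract. stage_mem_gc() continues past the end of its hunk.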
@@ -843,7 +843,7 @@ stage_mem_gc(thmap_t *thmap, uintptr_t a
 {
 	thmap_gc_t *head, *gc;
 
-	gc = kmem_intr_alloc(sizeof(thmap_gc_t), KM_SLEEP);
+	gc = kmem_intr_alloc(sizeof(thmap_gc_t), KM_NOSLEEP);
 	gc->addr = addr;
 	gc->len = len;
 retry:



CVS commit: src/sys

2018-12-16 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Dec 16 14:06:56 UTC 2018

Modified Files:
src/sys/kern: files.kern
src/sys/rump/librump/rumpkern: Makefile.rumpkern
Added Files:
src/sys/kern: subr_thmap.c
src/sys/sys: thmap.h

Log Message:
Import thmap -- a concurrent trie-hash map, combining the elements of
hashing and radix trie.  It supports lock-free lookups and concurrent
inserts/deletes.  It is designed to be optimal as a general purpose
*concurrent* associative array.

Upstream: https://github.com/rmind/thmap
Discussed on tech-kern@


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/kern/files.kern
cvs rdiff -u -r0 -r1.1 src/sys/kern/subr_thmap.c
cvs rdiff -u -r1.171 -r1.172 src/sys/rump/librump/rumpkern/Makefile.rumpkern
cvs rdiff -u -r0 -r1.1 src/sys/sys/thmap.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/files.kern
diff -u src/sys/kern/files.kern:1.27 src/sys/kern/files.kern:1.28
--- src/sys/kern/files.kern:1.27	Mon Dec  3 00:11:02 2018
+++ src/sys/kern/files.kern	Sun Dec 16 14:06:56 2018
@@ -1,4 +1,4 @@
-#	$NetBSD: files.kern,v 1.27 2018/12/03 00:11:02 christos Exp $
+#	$NetBSD: files.kern,v 1.28 2018/12/16 14:06:56 rmind Exp $
 
 #
 # kernel sources
@@ -142,6 +142,7 @@ file	kern/subr_psref.c		kern
 file	kern/subr_specificdata.c	kern
 file	kern/subr_tftproot.c		tftproot
 file	kern/subr_time.c		kern
+file	kern/subr_thmap.c		kern
 file	kern/subr_userconf.c		userconf
 file	kern/subr_vmem.c		kern
 file	kern/subr_workqueue.c		kern

Index: src/sys/rump/librump/rumpkern/Makefile.rumpkern
diff -u src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.171 src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.172
--- src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.171	Fri Sep 14 01:55:20 2018
+++ src/sys/rump/librump/rumpkern/Makefile.rumpkern	Sun Dec 16 14:06:56 2018
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.rumpkern,v 1.171 2018/09/14 01:55:20 mrg Exp $
+#	$NetBSD: Makefile.rumpkern,v 1.172 2018/12/16 14:06:56 rmind Exp $
 #
 
 .include "${RUMPTOP}/Makefile.rump"
@@ -122,6 +122,7 @@ SRCS+=	init_sysctl_base.c	\
 	subr_psref.c		\
 	subr_specificdata.c	\
 	subr_time.c		\
+	subr_thmap.c		\
 	subr_vmem.c		\
 	subr_workqueue.c	\
 	subr_xcall.c		\

Added files:

Index: src/sys/kern/subr_thmap.c
diff -u /dev/null src/sys/kern/subr_thmap.c:1.1
--- /dev/null	Sun Dec 16 14:06:56 2018
+++ src/sys/kern/subr_thmap.c	Sun Dec 16 14:06:56 2018
@@ -0,0 +1,934 @@
+/*-
+ * Copyright (c) 2018 Mindaugas Rasiukevicius 
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * Upstream: https://github.com/rmind/thmap/
+ */
+
+/*
+ * Concurrent trie-hash map.
+ *
+ * The data structure is conceptually a radix trie on hashed keys.
+ * Keys are hashed using a 32-bit function.  The root level is a special
+ * case: it is managed using the compare-and-swap (CAS) atomic operation
+ * and has a fanout of 64.  The subsequent levels are constructed using
+ * intermediate nodes with a fanout of 16 (using 4 bits).  As more levels
+ * are created, more blocks of the 32-bit hash value might be generated
+ * by incrementing the seed parameter of the hash function.
+ *
+ * Concurrency
+ *
+ * - READERS: Descending is simply walking through the slot values of
+ *   the intermediate nodes.  It is lock-free as there is no intermediate
+ *   state: the slot is either empty or has a pointer to the child node.
+ *   The main assumptions here are the following:
+ *
+ *   i) modifications must preserve consistency with the respect to the
+ *   readers i.e. the readers can only see the valid node values;
+ *
+ *   ii) any in

CVS commit: src/doc

2018-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep 29 18:48:55 UTC 2018

Modified Files:
src/doc: CHANGES

Log Message:
Mention that NPF was converted to use libnv.


To generate a diff of this commit:
cvs rdiff -u -r1.2443 -r1.2444 src/doc/CHANGES

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES
diff -u src/doc/CHANGES:1.2443 src/doc/CHANGES:1.2444
--- src/doc/CHANGES:1.2443	Sun Sep 23 13:46:53 2018
+++ src/doc/CHANGES	Sat Sep 29 18:48:55 2018
@@ -1,4 +1,4 @@
-# LIST OF CHANGES FROM LAST RELEASE:			<$Revision: 1.2443 $>
+# LIST OF CHANGES FROM LAST RELEASE:			<$Revision: 1.2444 $>
 #
 #
 # [Note: This file does not mention every change made to the NetBSD source tree.
@@ -228,3 +228,4 @@ Changes from NetBSD 8.0 to NetBSD 9.0:
 	kernel: Remove the ISDN code, including daic(4), iavc(4), isic(4),
 		ifpci(4), ifritz, iwic(4), and all the ISDN-related
 		userland tools. [maxv 20180923]
+	npf: Converted to use libnv [rmind 20180929]



CVS commit: src/sys/net/npf

2018-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep 29 18:00:36 UTC 2018

Modified Files:
src/sys/net/npf: npf_sendpkt.c

Log Message:
npf_return_tcp: fix no-INET6 case.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_sendpkt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_sendpkt.c
diff -u src/sys/net/npf/npf_sendpkt.c:1.20 src/sys/net/npf/npf_sendpkt.c:1.21
--- src/sys/net/npf/npf_sendpkt.c:1.20	Sat Sep 29 14:41:36 2018
+++ src/sys/net/npf/npf_sendpkt.c	Sat Sep 29 18:00:35 2018
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.20 2018/09/29 14:41:36 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.21 2018/09/29 18:00:35 rmind Exp $");
 
 #include 
 #include 
@@ -56,16 +56,16 @@ __KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.
 #define	DEFAULT_IP_TTL		(ip_defttl)
 
 #if defined(_NPF_STANDALONE)
-#define	m_gethdr(t, f)		npf->mbufops->alloc(0, 0)
-#define	m_freem(m)		npc->npc_ctx->mbufops->free(m)
-#define	mtod(m,t)		((t)((npf)->mbufops->getdata(m)))
+#define	m_gethdr(t, f)		(npf)->mbufops->alloc(0, 0)
+#define	m_freem(m)		(npc)->npc_ctx->mbufops->free(m)
+#define	mtod(m,t)		((t)((npc)->npc_ctx->mbufops->getdata(m)))
 #endif
 
 #if !defined(INET6) || defined(_NPF_STANDALONE)
 #define	in6_cksum(...)		0
 #define	ip6_output(...)		0
 #define	icmp6_error(m, ...)	m_freem(m)
-#define	npf_ip6_setscope(n, i)	0
+#define	npf_ip6_setscope(n, i)	((void)(i), 0)
 #endif
 
 #if defined(INET6)
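Review bot: The three standalone wrappers at the top of this hunk still take `npf` and `npc` from the scope of whoever uses them, and after this change `m_gethdr` resolves through `npf` while `m_freem` and `mtod` go through `(npc)->npc_ctx`. A caller with only one of the two names in scope will therefore not build under `_NPF_STANDALONE`. A comment above the block would make that contract visible, for example `/* Standalone wrappers: expect 'npc' (and 'npf' for m_gethdr) in the caller's scope. */`. The expansions of `m_gethdr` and `m_freem` are also not wrapped in outer parentheses the way `mtod` is; `((npf)->mbufops->alloc(0, 0))` would be the consistent form.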
@@ -190,21 +190,19 @@ npf_return_tcp(npf_cache_t *npc)
 		KASSERT(npf_iscached(npc, NPC_IP6));
 		th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr),
 		sizeof(struct tcphdr));
-	}
 
-	/* Handle IPv6 scopes */
-	if (npf_iscached(npc, NPC_IP6) && npf_ip6_setscope(npc, ip6) != 0) {
-		goto bad;
+		/* Handle IPv6 scopes */
+		if (npf_ip6_setscope(npc, ip6) != 0) {
+			goto bad;
+		}
 	}
 
 	/* Pass to IP layer. */
 	if (npf_iscached(npc, NPC_IP4)) {
 		return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
 	}
-#if defined(INET6)
 	return ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);
 bad:
-#endif
 	m_freem(m);
 	return EINVAL;
 }
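Review bot: With the `#if defined(INET6)` guard removed near the end of this hunk, a build without INET6 (where `ip6_output(...)` is the stub `0` from the macro block earlier in the file) now executes `return ip6_output(...)` for any packet that is not `NPC_IP4`, so the function returns 0 without sending or freeing `m`. Before the change that build fell through to `m_freem(m); return EINVAL;`. Whether a non-IPv4 packet can get this far in such a build is not visible here, but if it can, each one leaks an mbuf and reports success. Giving the stub the failure behaviour would close it, something like `#define ip6_output(m, ...) (m_freem(m), EINVAL)`. The start of npf_return_tcp is outside the hunk.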



CVS commit: src/sys/external/bsd/libnv/dist

2018-09-23 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 23 21:35:26 UTC 2018

Modified Files:
src/sys/external/bsd/libnv/dist: nv_kern_netbsd.c

Log Message:
nvlist_copyin: fix the flag handling.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
diff -u src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.4 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.5
--- src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.4	Sun Sep 23 19:07:10 2018
+++ src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c	Sun Sep 23 21:35:26 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $	*/
+/*	$NetBSD: nv_kern_netbsd.c,v 1.5 2018/09/23 21:35:26 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $");
+__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.5 2018/09/23 21:35:26 rmind Exp $");
 
 #if !defined(_KERNEL) && !defined(_STANDALONE)
 #include 
@@ -74,9 +74,9 @@ int
 nvlist_copyin(const nvlist_ref_t *nref, nvlist_t **nvlp, size_t lim)
 {
 	const size_t len = nref->len;
+	int flags, error;
 	nvlist_t *nvl;
 	void *buf;
-	int error;
 
 	if (len >= lim) {
 		return E2BIG;
@@ -87,7 +87,8 @@ nvlist_copyin(const nvlist_ref_t *nref, 
 		kmem_free(buf, len);
 		return error;
 	}
-	nvl = nvlist_unpack(buf, len, nref->flags);
+	flags = nref->flags & (NV_FLAG_IGNORE_CASE | NV_FLAG_NO_UNIQUE);
+	nvl = nvlist_unpack(buf, len, flags);
 	kmem_free(buf, len);
 	if (nvl == NULL) {
 		return EINVAL;
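Review bot: The added mask on `nref->flags` silently discards any bit outside `NV_FLAG_IGNORE_CASE | NV_FLAG_NO_UNIQUE`, and nothing on the line says why, although `nref` presumably describes a caller-supplied buffer, judging by the function name and the `lim` bound. A short comment would record the intent, e.g. `/* Only the public flags may come from the caller; never pass internal bits to nvlist_unpack(). */`. If an unexpected bit should count as a malformed request rather than be ignored, the function would free `buf` and return `EINVAL` here instead of masking; the hunk does not say which is intended. libnv's `NV_FLAG_PUBLIC_MASK` names the same pair of flags and could replace the open-coded expression if nv_impl.h is in scope. The function begins outside the hunk.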
@@ -126,7 +127,7 @@ nvlist_copyout(nvlist_ref_t *nref, const
 		(vaddr_t)uaddr + len);
 		goto err;
 	}
-	nref->flags = nvlist_error(nvl);
+	nref->flags = nvlist_flags(nvl);
 	nref->buf = uaddr;
 	nref->len = len;
 err:



CVS commit: src/sys/external/bsd/libnv/dist

2018-09-23 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 23 19:07:10 UTC 2018

Modified Files:
src/sys/external/bsd/libnv/dist: nv_impl.h nv_kern_netbsd.c

Log Message:
libnv: add a wrapper around free(9) since in FreeBSD it can take NULL.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/libnv/dist/nv_impl.h
cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nv_impl.h
diff -u src/sys/external/bsd/libnv/dist/nv_impl.h:1.4 src/sys/external/bsd/libnv/dist/nv_impl.h:1.5
--- src/sys/external/bsd/libnv/dist/nv_impl.h:1.4	Sat Sep 22 17:13:30 2018
+++ src/sys/external/bsd/libnv/dist/nv_impl.h	Sun Sep 23 19:07:10 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv_impl.h,v 1.4 2018/09/22 17:13:30 rmind Exp $	*/
+/*	$NetBSD: nv_impl.h,v 1.5 2018/09/23 19:07:10 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -65,10 +65,11 @@ extern void *nv_calloc(size_t, size_t);
 # endif
 # define nv_realloc(buf, size)		realloc((buf), (size), M_NVLIST, \
 	M_WAITOK)
-# define nv_free(buf)			free((buf), M_NVLIST)
 # ifdef __FreeBSD__
+#  define nv_free(buf)			free((buf), M_NVLIST)
 #  define nv_strdup(buf)		strdup((buf), M_NVLIST)
 # else
+extern void nv_free(void *);
 extern char *nv_strdup(const char *);
 # endif
 # define nv_vasprintf(ptr, ...)		vasprintf(ptr, M_NVLIST, __VA_ARGS__)

Index: src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
diff -u src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.3 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.4
--- src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.3	Sat Sep 22 17:13:30 2018
+++ src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c	Sun Sep 23 19:07:10 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $	*/
+/*	$NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $");
+__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.4 2018/09/23 19:07:10 rmind Exp $");
 
 #if !defined(_KERNEL) && !defined(_STANDALONE)
 #include 
@@ -61,6 +61,15 @@ extern void dealloc(void *, unsigned int
 #ifndef _STANDALONE
 #ifdef _KERNEL
 
+void 
+nv_free(void *buf)
+{
+	if (!buf) {
+		return;
+	}
+	free(buf, M_NVLIST);
+}
+
 int
 nvlist_copyin(const nvlist_ref_t *nref, nvlist_t **nvlp, size_t lim)
 {
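Review bot: The new `nv_free()` has no comment explaining the NULL check, so the reason given in the commit log is lost to the next reader of the file. Something like `/* libnv calls nv_free(NULL), as FreeBSD's free(9) allows; filter NULL before calling free(9) here. */` above the function would do. The test is written `if (!buf)` while `nv_calloc()` in the same file uses `buf == NULL`, and the `void ` return-type line carries a trailing space.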



CVS commit: src/sys/external/bsd/libnv/dist

2018-09-22 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep 22 17:13:30 UTC 2018

Modified Files:
src/sys/external/bsd/libnv/dist: nv_impl.h nv_kern_netbsd.c nvlist.c

Log Message:
libnv: fix some NetBSD wrappers.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/libnv/dist/nv_impl.h
cvs rdiff -u -r1.2 -r1.3 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
cvs rdiff -u -r1.5 -r1.6 src/sys/external/bsd/libnv/dist/nvlist.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nv_impl.h
diff -u src/sys/external/bsd/libnv/dist/nv_impl.h:1.3 src/sys/external/bsd/libnv/dist/nv_impl.h:1.4
--- src/sys/external/bsd/libnv/dist/nv_impl.h:1.3	Sat Sep  8 14:12:53 2018
+++ src/sys/external/bsd/libnv/dist/nv_impl.h	Sat Sep 22 17:13:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv_impl.h,v 1.3 2018/09/08 14:12:53 christos Exp $	*/
+/*	$NetBSD: nv_impl.h,v 1.4 2018/09/22 17:13:30 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -82,11 +82,11 @@ extern char *nv_strdup(const char *);
 #else /* USERLAND */
 
 # define nv_malloc(size)		malloc((size))
-# define nv_calloc(n, size)		calloc(n, size)
 # define nv_realloc(buf, size)		realloc((buf), (size))
 # define nv_free(buf)			free((buf))
-# define nv_strdup(buf)			strdup(buf)
 # define nv_vasprintf(ptr, ...)		vasprintf(ptr, __VA_ARGS__)
+void *nv_calloc(size_t, size_t);
+char *nv_strdup(const char *);
 
 # define ERRNO_SET(var)			do {\
 		errno = (var); 		\

Index: src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
diff -u src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.2 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.3
--- src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c:1.2	Sat Sep  8 14:12:53 2018
+++ src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c	Sat Sep 22 17:13:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv_kern_netbsd.c,v 1.2 2018/09/08 14:12:53 christos Exp $	*/
+/*	$NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.2 2018/09/08 14:12:53 christos Exp $");
+__RCSID("$NetBSD: nv_kern_netbsd.c,v 1.3 2018/09/22 17:13:30 rmind Exp $");
 
 #if !defined(_KERNEL) && !defined(_STANDALONE)
 #include 
@@ -198,11 +198,11 @@ nvlist_recv_ioctl(int fd, unsigned long 
 void *
 nv_calloc(size_t n, size_t s)
 {
-	n *= s;
-	void *buf = nv_malloc(n);
+	const size_t len = n * s;
+	void *buf = nv_malloc(len);
 	if (buf == NULL)
 		return NULL;
-	memset(buf, 0, n);
+	memset(buf, 0, len);
 	return buf;
 }
 
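Review bot: `n * s` on the added `const size_t len` line can wrap, in which case `nv_malloc(len)` returns a buffer smaller than the caller asked for and only that smaller size is zeroed; the rename from `n` to `len` keeps the unchecked multiplication. A guard before it, `if (s != 0 && n > SIZE_MAX / s) return NULL;`, gives the overflow behaviour callers expect from calloc(). This matters most if an element count ever comes from unpacked nvlist data, which the hunk does not show.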

Index: src/sys/external/bsd/libnv/dist/nvlist.c
diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.5 src/sys/external/bsd/libnv/dist/nvlist.c:1.6
--- src/sys/external/bsd/libnv/dist/nvlist.c:1.5	Tue Sep 11 02:20:31 2018
+++ src/sys/external/bsd/libnv/dist/nvlist.c	Sat Sep 22 17:13:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvlist.c,v 1.5 2018/09/11 02:20:31 christos Exp $	*/
+/*	$NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $");
 #else
-__RCSID("$NetBSD: nvlist.c,v 1.5 2018/09/11 02:20:31 christos Exp $");
+__RCSID("$NetBSD: nvlist.c,v 1.6 2018/09/22 17:13:30 rmind Exp $");
 #endif
 
 #include 
@@ -1180,7 +1180,7 @@ nvlist_xunpack(const void *buf, size_t s
 goto fail;
 			nvlist_set_parent(tmpnvl, nvp);
 			break;
-#if !defined(_KERNEL) && !defined(_STANDALONE)
+#if !defined(_KERNEL) && !defined(_STANDALONE) && !defined(__NetBSD__)
 		case NV_TYPE_DESCRIPTOR:
 			ptr = nvpair_unpack_descriptor(isbe, nvp, ptr, ,
 			fds, nfds);



CVS commit: src

2018-09-22 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep 22 12:54:34 UTC 2018

Modified Files:
src/distrib/sets/lists/base: shl.mi
src/distrib/sets/lists/comp: mi shl.mi
src/distrib/sets/lists/debug: mi shl.mi
src/sys/rump/kern: Makefile.rumpkerncomp
Added Files:
src/sys/rump/kern/lib/libnv: Makefile

Log Message:
Add rumpkern_nv (in-kernel RUMP libnv).


To generate a diff of this commit:
cvs rdiff -u -r1.847 -r1.848 src/distrib/sets/lists/base/shl.mi
cvs rdiff -u -r1.2228 -r1.2229 src/distrib/sets/lists/comp/mi
cvs rdiff -u -r1.321 -r1.322 src/distrib/sets/lists/comp/shl.mi
cvs rdiff -u -r1.265 -r1.266 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.207 -r1.208 src/distrib/sets/lists/debug/shl.mi
cvs rdiff -u -r1.12 -r1.13 src/sys/rump/kern/Makefile.rumpkerncomp
cvs rdiff -u -r0 -r1.1 src/sys/rump/kern/lib/libnv/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/sets/lists/base/shl.mi
diff -u src/distrib/sets/lists/base/shl.mi:1.847 src/distrib/sets/lists/base/shl.mi:1.848
--- src/distrib/sets/lists/base/shl.mi:1.847	Mon Sep  3 15:30:36 2018
+++ src/distrib/sets/lists/base/shl.mi	Sat Sep 22 12:54:34 2018
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.847 2018/09/03 15:30:36 christos Exp $
+# $NetBSD: shl.mi,v 1.848 2018/09/22 12:54:34 rmind Exp $
 #
 # Note:	Don't delete entries from here - mark them as "obsolete" instead,
 #	unless otherwise stated below.
@@ -689,6 +689,9 @@
 ./usr/lib/librumpkern_ksem.so			base-obsolete		obsolete
 ./usr/lib/librumpkern_ksem.so.0			base-obsolete		obsolete
 ./usr/lib/librumpkern_ksem.so.0.0		base-obsolete		obsolete
+./usr/lib/librumpkern_nv.so			base-rump-shlib		rump
+./usr/lib/librumpkern_nv.so.0			base-rump-shlib		rump
+./usr/lib/librumpkern_nv.so.0.0			base-rump-shlib		rump
 ./usr/lib/librumpkern_sljit.so			base-rump-shlib		rump,sljit
 ./usr/lib/librumpkern_sljit.so.0		base-rump-shlib		rump,sljit
 ./usr/lib/librumpkern_sljit.so.0.0		base-rump-shlib		rump,sljit

Index: src/distrib/sets/lists/comp/mi
diff -u src/distrib/sets/lists/comp/mi:1.2228 src/distrib/sets/lists/comp/mi:1.2229
--- src/distrib/sets/lists/comp/mi:1.2228	Thu Sep  6 19:19:44 2018
+++ src/distrib/sets/lists/comp/mi	Sat Sep 22 12:54:34 2018
@@ -1,4 +1,4 @@
-#	$NetBSD: mi,v 1.2228 2018/09/06 19:19:44 maxv Exp $
+#	$NetBSD: mi,v 1.2229 2018/09/22 12:54:34 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 ./etc/mtree/set.compcomp-sys-root
@@ -3647,6 +3647,8 @@
 ./usr/lib/librumpkern_crypto_p.a		comp-c-proflib		rump,profile
 ./usr/lib/librumpkern_ksem.a			comp-obsolete		obsolete
 ./usr/lib/librumpkern_ksem_p.a			comp-obsolete		obsolete
+./usr/lib/librumpkern_nv.a			comp-c-lib		rump
+./usr/lib/librumpkern_nv_p.a			comp-c-proflib		rump,profile
 ./usr/lib/librumpkern_sljit.a			comp-c-lib		rump,sljit
 ./usr/lib/librumpkern_sljit_p.a			comp-c-proflib		rump,sljit,profile
 ./usr/lib/librumpkern_solaris.a			comp-c-lib		rump,zfs

Index: src/distrib/sets/lists/comp/shl.mi
diff -u src/distrib/sets/lists/comp/shl.mi:1.321 src/distrib/sets/lists/comp/shl.mi:1.322
--- src/distrib/sets/lists/comp/shl.mi:1.321	Mon Aug 13 08:26:49 2018
+++ src/distrib/sets/lists/comp/shl.mi	Sat Sep 22 12:54:34 2018
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.321 2018/08/13 08:26:49 christos Exp $
+# $NetBSD: shl.mi,v 1.322 2018/09/22 12:54:34 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -213,6 +213,7 @@
 ./usr/lib/librumphijack_pic.a			comp-c-piclib		compatfile,picinstall,rump
 ./usr/lib/librumpkern_crypto_pic.a		comp-c-piclib		picinstall,rump
 ./usr/lib/librumpkern_ksem_pic.a		comp-obsolete		obsolete
+./usr/lib/librumpkern_nv_pic.a			comp-c-piclib		picinstall,rump
 ./usr/lib/librumpkern_sljit_pic.a		comp-c-piclib		picinstall,rump,sljit
 ./usr/lib/librumpkern_solaris_pic.a		comp-c-piclib		picinstall,rump,zfs
 ./usr/lib/librumpkern_sysproxy_pic.a		comp-c-piclib		picinstall,rump

Index: src/distrib/sets/lists/debug/mi
diff -u src/distrib/sets/lists/debug/mi:1.265 src/distrib/sets/lists/debug/mi:1.266
--- src/distrib/sets/lists/debug/mi:1.265	Wed Sep 19 13:58:26 2018
+++ src/distrib/sets/lists/debug/mi	Sat Sep 22 12:54:34 2018
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.265 2018/09/19 13:58:26 maxv Exp $
+# $NetBSD: mi,v 1.266 2018/09/22 12:54:34 rmind Exp $
 ./etc/mtree/set.debug   comp-sys-root
 ./usr/lib	comp-sys-usr		compatdir
 ./usr/lib/i18n/libBIG5_g.a			comp-c-debuglib		debuglib,compatfile
@@ -202,6 +202,7 @@
 ./usr/lib/librumphijack_g.a			comp-c-debuglib		debuglib,compatfile,rump
 ./usr/lib/librumpkern_crypto_g.a		comp-c-debuglib		debuglib,rump
 ./usr/lib/librumpkern_ksem_g.a			comp-obsolete		obsolete,compatfile
+./usr/lib/librumpkern_nv_g.a			comp-c-debuglib		debuglib,rump
 ./usr/lib/librumpkern_sljit_g.a			comp-c-debuglib		debuglib,rump,sljit
 ./usr/lib/librumpkern_solaris_g.a		

CVS commit: src/usr.sbin/npf/npfctl

2018-09-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep  1 16:28:57 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): fix some of the previous incorrect or inaccurate changes.
The TCP flags option is not only for the stateful tracking.  Dynamic NAT
implies NAPT; algorithms, at least for now, are for static NAT mappings.
Mention that ALG ICMP is also for traceroute behind NAT; also mention
"MSS clamping" (some users might search for this term, so keeping the
terminology is helpful).


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.70 src/usr.sbin/npf/npfctl/npf.conf.5:1.71
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.70	Fri Aug 31 11:18:35 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sat Sep  1 16:28:57 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 31, 2018
+.Dd September 1, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -87,8 +87,8 @@ table  type hash dynamic
 .Pp
 .Ed
 Currently, tables support three data storage types: "hash", "tree", or "cdb".
-Tables can also be set as containing "dynamic" or "static" data i.e. loaded from
- a specified file.
+Tables can also be set as containing "dynamic" or "static" data i.e. loaded
+from a specified file.
 Tables of type "hash" and "cdb" can only contain IP addresses.
 Only static data can be used with a storage type of "cdb".
 .Pp
@@ -166,9 +166,31 @@ option set, this rule is considered the 
 evaluation of subsequent rules is skipped.
 Otherwise, the last matching rule is used.
 .Pp
-A rule can also instruct NPF to create an entry in the state table
-when passing the packet, to notify the sender when blocking it, and
-to apply a procedure to the packet (e.g. "log") in either case.
+The
+.Cd proto
+keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP
+or other).
+Its parameter should be a protocol number or its symbolic name,
+as specified in the
+.Pa /etc/protocols
+file.
+The protocol keyword can additionally have protocol-specific options.
+The
+.Cd flags
+keyword can be used to match the packets against specific TCP flags,
+according to the following syntax:
+.Bl -tag -width protoXX -offset indent
+.It proto tcp flags Ar match[/mask]
+.El
+.Pp
+Where
+.Ar match
+is the set of TCP flags to be matched, out of the
+.Ar mask
+set, both sets being represented as a string combination of: S (SYN),
+A (ACK), F (FIN), R (RST). The flags that are not present in
+.Ar mask
+are ignored.
 .Pp
 To notify the sender of a blocking decision, three
 .Cd return
@@ -187,20 +209,19 @@ Return an ICMP UNREACHABLE message, when
 Applies to IPv4 and IPv6.
 .El
 .Pp
+Further packet specification at present is limited to TCP and UDP
+understanding source and destination ports, and ICMP and IPv6-ICMP
+understanding icmp-type.
+.Pp
+A rule can also instruct NPF to create an entry in the state table when
+passing the packet or to apply a procedure to the packet (e.g. "log").
+.Pp
 A "fully-featured" rule would for example be:
 .Bd -literal
 pass stateful in final family inet4 proto tcp flags S/SA \\
 	from $source port $sport to $dest port $dport apply "someproc"
 .Ed
 .Pp
-Any protocol in
-.Pa /etc/protocols
-can be specified.
-Further packet
-specification at present is limited to protocol TCP understanding flags,
-TCP and UDP understanding source and destination ports, and ICMP and
-IPv6-ICMP understanding icmp-type.
-.Pp
 Alternatively, NPF supports
 .Xr pcap-filter 7
 syntax, for example:
@@ -223,25 +244,6 @@ precaution.
 In both cases, a full TCP state tracking is performed for TCP connections
 and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
-The
-.Cd flags
-keyword can be used in conjunction with the
-.Cd stateful
-keyword to match the packets against specific TCP flags, according to
-the following syntax:
-.Bl -tag -width flagsXX -offset indent
-.It flags Ar match[/mask]
-.El
-.Pp
-Where
-.Ar match
-is the set of TCP flags to be matched, out of the
-.Ar mask
-set, both sets being represented as a string combination of: S (SYN),
-A (ACK), F (FIN), R (RST). The flags that are not present in
-.Ar mask
-are ignored.
-.Pp
 By default, a stateful rule implies SYN-only flag check ("flags S/SAFR")
 for the TCP packets.
 It is not advisable to change this behavior; however,
@@ -271,21 +273,32 @@ specified by $pub_ip for the packets on 
 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
 .Ed
 .Pp
-Several NAT 

CVS commit: src/sys/netinet

2018-03-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Mar 29 21:40:53 UTC 2018

Modified Files:
src/sys/netinet: tcp_input.c

Log Message:
tcp_urp_drop: fix a bug introduced in 1.390 rev (hi maxv@).


To generate a diff of this commit:
cvs rdiff -u -r1.400 -r1.401 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.400 src/sys/netinet/tcp_input.c:1.401
--- src/sys/netinet/tcp_input.c:1.400	Thu Mar 29 18:54:48 2018
+++ src/sys/netinet/tcp_input.c	Thu Mar 29 21:40:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.400 2018/03/29 18:54:48 maxv Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.401 2018/03/29 21:40:53 rmind Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.400 2018/03/29 18:54:48 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.401 2018/03/29 21:40:53 rmind Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -340,7 +340,7 @@ tcp_fields_to_net(struct tcphdr *th)
 static void
 tcp_urp_drop(struct tcphdr *th, int todrop, int *tiflags)
 {
-	if (th->th_urp > 1) {
+	if (th->th_urp > todrop) {
 		th->th_urp -= todrop;
 	} else {
 		*tiflags &= ~TH_URG;
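Review bot: `th_urp` is decremented by `todrop` only under the new `th->th_urp > todrop` test, but the function has no comment stating that invariant, and the earlier `> 1` test allowed the subtraction to go below zero. A header comment such as `/* Shift the urgent pointer past 'todrop' dropped bytes; if it falls inside them, clear TH_URG. */` would pin it down. `todrop` is a signed `int`, so a negative value would pass the comparison and move the pointer forward; if callers guarantee a positive count, `KASSERT(todrop > 0);` at the top would record that. The else branch continues past the end of the hunk.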



CVS commit: src/usr.sbin/npf

2017-12-10 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Dec 10 22:04:41 UTC 2017

Modified Files:
src/usr.sbin/npf: npf.7
src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l
npf_show.c npfctl.8 npfctl.h todo

Log Message:
npfctl: add support for the 'no-ports' flag in the 'map' statements.
This allows us to create a NAT policy without the port translation.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npf.7
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf_build.c \
src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.25 -r1.26 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_show.c
cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.8
cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/todo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npf.7
diff -u src/usr.sbin/npf/npf.7:1.3 src/usr.sbin/npf/npf.7:1.4
--- src/usr.sbin/npf/npf.7:1.3	Sun Jul 12 23:54:43 2015
+++ src/usr.sbin/npf/npf.7	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $
+.\"	$NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -78,7 +78,8 @@ documentation and other manual pages.
 .Xr bpfjit 4 ,
 .Xr npf.conf 5 ,
 .Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
 .Pp
 .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation"
 .Sh HISTORY

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.49 src/usr.sbin/npf/npfctl/npf.conf.5:1.50
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.49	Mon Jul  3 21:35:31 2017
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 19, 2017
+.Dd December 10, 2017
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -233,6 +233,14 @@ procedure "someproc" {
 .Ed
 .Pp
 In this case, the procedure calls the logging and normalisation modules.
+The logging facility requires the npf_ext_log kernel module which would
+normally get auto-loaded by NPF.
+The specified npflog interface would also be auto-created once the
+configuration is loaded.
+The log packets can be written to a file using the
+.Xr npfd 8
+daemon.
+.Pp
 Traffic normalisation has a set of different mechanisms.
 In the example above, the normalisation procedure has arguments which
 apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
@@ -248,8 +256,7 @@ i.e., the next line is considered an ext
 .Sh GRAMMAR
 The following is a non-formal BNF-like definition of the grammar.
 The definition is simplified and is intended to be human readable,
-therefore it does not strictly represent the full syntax, which
-is more flexible.
+therefore it does not strictly represent the formal grammar.
 .Bd -literal
 ; Syntax of a single line.  Lines can be separated by LF (\\n) or
 ; a semicolon.  Comments start with a hash (#) character.
@@ -279,10 +286,13 @@ table-def	= "table" table-id "type" ( "h
 ; Mapping for address translation.
 
 map		= "map" interface
-		  ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ]
+		  ( "static" [ "algo" algorithm ] | "dynamic" )
+		  [ map-flags ] [ proto ]
 		  net-seg ( "->" | "<-" | "<->" ) net-seg
 		  [ "pass" [ proto ] filt-opts ]
 
+map-flags	= "no-ports"
+
 ; Rule procedure definition.  The name should be in the double quotes.
 ;
 ; Each call can have its own options in a form of key-value pairs.
@@ -352,8 +362,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_
 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 
 procedure "log" {
-	# Note: npf_ext_log kernel module should be loaded, if not built-in.
-	# Also, the interface created, e.g.: ifconfig npflog0 create
+	# The logging facility can be used together with npfd(8).
 	log: npflog0
 }
 
@@ -387,7 +396,8 @@ group default {
 .Xr bpf 4 ,
 .Xr npf 7 ,
 .Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.44 src/usr.sbin/npf/npfctl/npf_build.c:1.45
--- src/usr.sbin/npf/npfctl/npf_build.c:1.44	Thu Jan 19 20:18:17 2017
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 

CVS commit: src/sys/net/npf

2017-12-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Dec 10 01:18:21 UTC 2017

Modified Files:
src/sys/net/npf: npf_ctl.c npf_impl.h npf_ruleset.c npf_worker.c

Log Message:
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.69 -r1.70 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_worker.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.49 src/sys/net/npf/npf_ctl.c:1.50
--- src/sys/net/npf/npf_ctl.c:1.49	Mon Oct 30 03:02:35 2017
+++ src/sys/net/npf/npf_ctl.c	Sun Dec 10 01:18:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.49 2017/10/30 03:02:35 ozaki-r Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.50 2017/12/10 01:18:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.49 2017/10/30 03:02:35 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.50 2017/12/10 01:18:21 rmind Exp $");
 
 #include 
 #include 
@@ -371,12 +371,18 @@ npf_mk_rules(npf_t *npf, npf_ruleset_t *
 	it = prop_array_iterator(rules);
 	while ((rldict = prop_object_iterator_next(it)) != NULL) {
 		npf_rule_t *rl = NULL;
+		const char *name;
 
-		/* Generate a single rule. */
 		error = npf_mk_singlerule(npf, rldict, rpset, , errdict);
 		if (error) {
 			break;
 		}
+		if (prop_dictionary_get_cstring_nocopy(rldict, "name", ) &&
+		npf_ruleset_lookup(rlset, name) != NULL) {
+			NPF_ERR_DEBUG(errdict);
+			npf_rule_free(rl);
+			return EEXIST;
+		}
 		npf_ruleset_insert(rlset, rl);
 	}
 	prop_object_iterator_release(it);
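Review bot: The new `return EEXIST;` leaves the loop without reaching `prop_object_iterator_release(it)`, the last line of this hunk, so the iterator obtained from `prop_array_iterator(rules)` is leaked every time a duplicate name is rejected. The existing failure path uses `break` and falls through to the release, and the duplicate path should do the same: `error = EEXIST; break;` after `npf_rule_free(rl);`. The rule list comes from a submitted configuration, so a rejected load should not cost kernel memory on each attempt. What npf_mk_rules does with `error` after the loop is outside the hunk, so confirm it is returned there.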

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.69 src/sys/net/npf/npf_impl.h:1.70
--- src/sys/net/npf/npf_impl.h:1.69	Sun Feb 19 02:11:19 2017
+++ src/sys/net/npf/npf_impl.h	Sun Dec 10 01:18:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.69 2017/02/19 02:11:19 christos Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.70 2017/12/10 01:18:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -330,6 +330,7 @@ npf_natpolicy_t *npf_ruleset_findnat(npf
 void		npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
 int		npf_ruleset_export(npf_t *, const npf_ruleset_t *, prop_array_t);
 
+npf_rule_t *	npf_ruleset_lookup(npf_ruleset_t *, const char *);
 int		npf_ruleset_add(npf_ruleset_t *, const char *, npf_rule_t *);
 int		npf_ruleset_remove(npf_ruleset_t *, const char *, uint64_t);
 int		npf_ruleset_remkey(npf_ruleset_t *, const char *,

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.45 src/sys/net/npf/npf_ruleset.c:1.46
--- src/sys/net/npf/npf_ruleset.c:1.45	Sun Jan 29 00:15:54 2017
+++ src/sys/net/npf/npf_ruleset.c	Sun Dec 10 01:18:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.46 2017/12/10 01:18:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.46 2017/12/10 01:18:21 rmind Exp $");
 
 #include 
 #include 
@@ -208,7 +208,7 @@ npf_ruleset_insert(npf_ruleset_t *rlset,
 	}
 }
 
-static npf_rule_t *
+npf_rule_t *
 npf_ruleset_lookup(npf_ruleset_t *rlset, const char *name)
 {
 	npf_rule_t *rl;

Index: src/sys/net/npf/npf_worker.c
diff -u src/sys/net/npf/npf_worker.c:1.3 src/sys/net/npf/npf_worker.c:1.4
--- src/sys/net/npf/npf_worker.c:1.3	Mon Jan  2 21:49:51 2017
+++ src/sys/net/npf/npf_worker.c	Sun Dec 10 01:18:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_worker.c,v 1.3 2017/01/02 21:49:51 rmind Exp $	*/
+/*	$NetBSD: npf_worker.c,v 1.4 2017/12/10 01:18:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2015 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.3 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_worker.c,v 1.4 2017/12/10 01:18:21 rmind Exp $");
 
 #include 
 #include 
@@ -148,9 +148,12 @@ void
 npf_worker_unregister(npf_t *npf, npf_workfunc_t func)
 {
 	const unsigned idx = npf->worker_id;
-	npf_worker_t *wrk = _workers[idx];
+	npf_worker_t *wrk;
 	npf_t *instance;
 
+	if (!npf_worker_count)
+		return;
+	wrk = _workers[idx];
 	mutex_enter(>worker_lock);
 	npf_worker_testset(wrk, func, NULL);
 	if ((instance = wrk->instances) == npf) {
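Review bot: The new early return carries no comment saying when `npf_worker_count` can be zero, and `idx` is still used unchecked once workers exist. The log message ties the check to standalone NPF, so I would put `/* Standalone NPF may run without workers: nothing to unregister. */` above it. I would also add `KASSERT(idx < npf_worker_count);` before the array lookup, assuming `npf_worker_count` is the number of entries in the workers array (its definition is not in the hunk). The body of npf_worker_unregister continues past the end of the hunk.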



CVS commit: src/sys/net/npf

2017-12-09 Thread Mindaugas Rasiukevicius
/npf/npf_conn.c:1.23 src/sys/net/npf/npf_conn.c:1.24
--- src/sys/net/npf/npf_conn.c:1.23	Sun Jan 29 00:15:54 2017
+++ src/sys/net/npf/npf_conn.c	Sun Dec 10 00:07:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.24 2017/12/10 00:07:36 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius 
@@ -100,7 +100,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.24 2017/12/10 00:07:36 rmind Exp $");
 
 #include 
 #include 
@@ -727,7 +727,8 @@ npf_conn_pass(const npf_conn_t *con, npf
 {
 	KASSERT(con->c_refcnt > 0);
 	if (__predict_true(con->c_flags & CONN_PASS)) {
-		*mi = con->c_mi;
+		mi->mi_rid = con->c_rid;
+		mi->mi_retfl = con->c_retfl;
 		*rp = con->c_rproc;
 		return true;
 	}
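Review bot: `npf_conn_pass` now fills only `mi_rid` and `mi_retfl`, so every other member of `*mi` keeps whatever the caller put there, whereas the removed `*mi = con->c_mi` overwrote the whole structure. Nothing in the hunk records that this is deliberate; a comment such as `/* Restore only the rule ID and return flags; the other fields of *mi are left as the caller set them. */` above the two assignments would. The `npf_conn_setpass` hunk below stores `c_rid` and `c_retfl` only when `rp` is non-NULL, while this function reads them unconditionally. It is worth confirming that both fields are zero-initialised when the connection is created, which is not visible here.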
@@ -752,8 +753,10 @@ npf_conn_setpass(npf_conn_t *con, const 
 	 */
 	atomic_or_uint(>c_flags, CONN_PASS);
 	con->c_rproc = rp;
-	if (rp)
-		con->c_mi = *mi;
+	if (rp) {
+		con->c_rid = mi->mi_rid;
+		con->c_retfl = mi->mi_retfl;
+	}
 }
 
 /*

Index: src/sys/net/npf/npf_ext_normalize.c
diff -u src/sys/net/npf/npf_ext_normalize.c:1.5 src/sys/net/npf/npf_ext_normalize.c:1.6
--- src/sys/net/npf/npf_ext_normalize.c:1.5	Sun Jan 29 00:15:54 2017
+++ src/sys/net/npf/npf_ext_normalize.c	Sun Dec 10 00:07:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $	*/
+/*	$NetBSD: npf_ext_normalize.c,v 1.6 2017/12/10 00:07:36 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.6 2017/12/10 00:07:36 rmind Exp $");
 
 #include 
 #include 
@@ -147,8 +147,8 @@ npf_normalize(npf_cache_t *npc, void *pa
 int *decision)
 {
 	npf_normalize_t *np = params;
-	struct tcphdr *th = npc->npc_l4.tcp;
 	uint16_t cksum, mss, maxmss = np->n_maxmss;
+	struct tcphdr *th;
 	int wscale;
 
 	/* Skip, if already blocking. */
@@ -160,6 +160,7 @@ npf_normalize(npf_cache_t *npc, void *pa
 	if (npf_iscached(npc, NPC_IP4) && (np->n_random_id || np->n_minttl)) {
 		npf_normalize_ip4(npc, np);
 	}
+	th = npc->npc_l4.tcp;
 
 	/*
 	 * TCP Maximum Segment Size (MSS) "clamping".  Only if SYN packet.
@@ -180,8 +181,13 @@ npf_normalize(npf_cache_t *npc, void *pa
 	}
 	maxmss = htons(maxmss);
 
-	/* Store new MSS, calculate TCP checksum and update it. */
-	if (npf_fetch_tcpopts(npc, , )) {
+	/*
+	 * Store new MSS, calculate TCP checksum and update it.
+	 * WARNING: must re-fetch the TCP header after the modification.
+	 */
+	if (npf_fetch_tcpopts(npc, , ) &&
+	nbuf_cksum_barrier(npc->npc_nbuf, mi->mi_di)) {
+		th = npc->npc_l4.tcp;
 		cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
 		th->th_sum = cksum;
 	}
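Review bot: Joining `nbuf_cksum_barrier()` to `npf_fetch_tcpopts()` with `&&` makes the `th_sum` update depend on the barrier's return value, although by that point the new MSS has already been stored in the packet. nbuf_cksum_barrier() is not defined in this diff. If it returns false when there was no deferred checksum to finalise, the segment keeps a checksum computed over the old MSS; if it returns true after computing the checksum over the already modified data, the incremental fixup adjusts it a second time. I would split the condition so that each outcome is handled explicitly, and state in the comment what `th_sum` holds after the barrier in both cases. The re-fetch of `th` after the barrier is right, and the earlier hunks of this file move the first fetch for the same reason.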



CVS commit: src/lib/libnpf

2017-12-06 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Dec  7 00:22:06 UTC 2017

Modified Files:
src/lib/libnpf: libnpf.3

Log Message:
libnpf(3): improve the wording, fix and expand some sections.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/lib/libnpf/libnpf.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/libnpf.3
diff -u src/lib/libnpf/libnpf.3:1.4 src/lib/libnpf/libnpf.3:1.5
--- src/lib/libnpf/libnpf.3:1.4	Tue Dec 27 21:25:12 2016
+++ src/lib/libnpf/libnpf.3	Thu Dec  7 00:22:06 2017
@@ -1,6 +1,6 @@
-.\"	$NetBSD: libnpf.3,v 1.4 2016/12/27 21:25:12 wiz Exp $
+.\"	$NetBSD: libnpf.3,v 1.5 2017/12/07 00:22:06 rmind Exp $
 .\"
-.\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 19, 2015
+.Dd December 7, 2017
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -110,23 +110,24 @@ The configuration can be submitted to th
 .Ss Configuration
 .Bl -tag -width 4n
 .It Fn npf_config_create
-Create a configuration.
+Create a new configuration object.
 .It Fn npf_config_submit "ncf" "fd" "errinfo"
-Submit configuration
-.Fa ncf
+Submit the configuration object, specified by
+.Fa ncf ,
 to the kernel.
-On error, the the description is written into the structure specified by
+On failure, the error information is written into the structure
+specified by
 .Fa errinfo .
 .It Fn npf_config_export "fd" "len"
-Serialize the given configuration and return binary object and its
-length in
+Serialize the current configuration and return the binary object as
+well as its length in
 .Fa len
 parameter.
 The binary object is dynamically allocated and should be destroyed using
 .Xr free 3 .
 .It Fn npf_config_import "blob" "len"
 Read the configuration from a binary object of the specified length,
-unserialize, construct and return the configuration object.
+unserialize, and return the configuration object.
 .It Fn npf_config_flush "fd"
 Flush the current configuration.
 .It Fn npf_config_retrieve "fd" "active" "loaded"
@@ -135,7 +136,7 @@ Retrieve and return the loaded configura
 Indicate whether the retrieved configuration is active (true if yes
 and false otherwise).
 .It Fn npf_config_destroy "ncf"
-Destroy the configuration
+Destroy the configuration object, specified by
 .Fa ncf .
 .El
 .\" ---
@@ -143,91 +144,97 @@ Destroy the configuration
 .Bl -tag -width 4n
 .It Fn npf_rule_create "name" "attr" "ifname"
 Create a rule with a given name, attribute and priorty.
-Name can be
+If the name is specified, then it should be unique within the
+configuration object.
+Otherwise, the name can be
 .Dv NULL ,
-in which case rule has no unique identifier.
-Otherwise, rules shall not have duplicate names.
+in which case the rule will have no identifier.
 The following attributes, which can be ORed, are available:
 .Bl -tag -width indent
 .It Dv NPF_RULE_PASS
-Decision of this rule is "pass".
+The decision of this rule shall be "pass".
 If this attribute is not
-specified, then packet "block" (drop) is the default.
+specified, then "block" (drop the packet) is the default.
 .It Dv NPF_RULE_IN
-Match incoming packets.
+Match the incoming packets.
 .It Dv NPF_RULE_OUT
-Match outgoing packets.
+Match the outgoing packets.
 .It Dv NPF_RULE_FINAL
-Indicates that on rule match, further processing of the
-ruleset should be stopped and this rule applied instantly.
+Indicate that on rule match, further processing of the ruleset should
+be stopped and this rule should be applied instantly.
 .It Dv NPF_RULE_STATEFUL
-Create a state (session) on match, track the connection and
-therefore pass the backwards stream without inspection.
+Create a state (session) on match, track the connection and pass the
+backwards stream (the returning packets) without the ruleset inspection.
 The state is uniquely identified by a 5-tuple (source and destination
 IP addresses, port numbers and an interface identifier).
 .It Dv NPF_RULE_MULTIENDS
-Exclude the interface from the state identifier.
+Exclude the interface identifier from the state key i.e. use a 4-tuple.
 .It Dv NPF_RULE_RETRST
 Return TCP RST packet in a case of packet block.
 .It Dv NPF_RULE_RETICMP
 Return ICMP destination unreachable in a case of packet block.
 .It Dv NPF_RULE_GROUP
 Allow this rule to have sub-rules.
-If used with
+If this flag is used with the
 .Dv NPF_RULE_DYNAMIC
-flag set, the can be added dynamically.
+flag set, then it is a dynamic group.
+The sub-rules can be added dynamically to a dynamic group, also meaning
+that the sub-rules must have the
+.Dv NPF_RULE_DYNAMIC
+flag set.
 Otherwise rules must be added statically i.e. created with the configuration.
 .It Dv 

CVS commit: src/usr.sbin/npf/npfctl

2017-01-20 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jan 20 23:00:30 UTC 2017

Modified Files:
src/usr.sbin/npf/npfctl: npf_parse.y

Log Message:
npfctl: fix shift/reduce conflicts, thanks to riastradh@.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf_parse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_parse.y
diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.43 src/usr.sbin/npf/npfctl/npf_parse.y:1.44
--- src/usr.sbin/npf/npfctl/npf_parse.y:1.43	Fri Jan 20 03:16:40 2017
+++ src/usr.sbin/npf/npfctl/npf_parse.y	Fri Jan 20 23:00:30 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.43 2017/01/20 03:16:40 kre Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.44 2017/01/20 23:00:30 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -180,7 +180,7 @@ yyerror(const char *fmt, ...)
 %type			element, list_elems, list, value
 %type		mapseg
 %type		filt_opts, all_or_filt_opts
-%type		opt_proto
+%type		proto opt_proto
 %type		group_opts
 %type			onoff
 
@@ -357,7 +357,11 @@ map
 	{
 		npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4);
 	}
-	| MAP ifref map_sd map_algo opt_proto mapseg map_type mapseg
+	| MAP ifref map_sd map_algo mapseg map_type mapseg
+	{
+		npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4);
+	}
+	| MAP ifref map_sd map_algo proto mapseg map_type mapseg
 	{
 		npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4);
 	}
@@ -546,7 +550,7 @@ opt_family
 	|			{ $$ = AF_UNSPEC; }
 	;
 
-opt_proto
+proto
 	: PROTO TCP tcp_flags_and_mask
 	{
 		$$.op_proto = IPPROTO_TCP;
@@ -572,6 +576,10 @@ opt_proto
 		$$.op_proto = $2;
 		$$.op_opts = NULL;
 	}
+	;
+
+opt_proto
+	: proto			{ $$ = $1; }
 	|
 	{
 		$$.op_proto = -1;



CVS commit: src/usr.sbin/npf/npfctl

2017-01-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jan 19 20:18:18 UTC 2017

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_data.c npf_parse.y
npfctl.h

Log Message:
npfctl:
- Add protocol filter option for "map".
- Print user-friendly error if table contains an entry with invalid netmask.
- Add support for inline ports.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf_build.c \
src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/npf/npfctl/npf_data.c
cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf_parse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.46 src/usr.sbin/npf/npfctl/npf.conf.5:1.47
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.46	Tue Jan  3 01:29:49 2017
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Jan 19 20:18:17 2017
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.47 2017/01/19 20:18:17 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -228,11 +228,15 @@ For example:
 .Bd -literal
 procedure "someproc" {
 	log: npflog0
-	normalize: "random-id", "min-ttl" 64
+	normalize: "random-id", "min-ttl" 64, "max-mss" 1432
 }
 .Ed
 .Pp
 In this case, the procedure calls the logging and normalisation modules.
+Traffic normalisation has a set of different mechanisms.
+In the example above, the normalisation procedure has arguments which
+apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
+flag cleansing, minimum TTL enforcement and TCP MSS "clamping".
 .Ss Misc
 Text after a hash
 .Pq Sq #
@@ -275,9 +279,9 @@ table-def	= "table" table-id "type" ( "h
 ; Mapping for address translation.
 
 map		= "map" interface
-		  ( "static" [ "algo" algorithm ] | "dynamic" )
+		  ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ]
 		  net-seg ( "->" | "<-" | "<->" ) net-seg
-		  [ "pass" filt-opts ]
+		  [ "pass" [ proto ] filt-opts ]
 
 ; Rule procedure definition.  The name should be in the double quotes.
 ;
@@ -295,8 +299,7 @@ group		= "group" ( "default" | group-opt
 group-opts	= name-string [ "in" | "out" ] [ "on" interface ]
 rule-list	= [ rule new-line ] rule-list
 
-npf-filter	= [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ]
-		  ( "all" | filt-opts )
+npf-filter	= [ "family" family-opt ] [ proto ] ( "all" | filt-opts )
 static-rule	= ( "block" [ block-opts ] | "pass" )
 		  [ "stateful" | "stateful-ends" ]
 		  [ "in" | out" ] [ "final" ] [ "on" interface ]
@@ -306,6 +309,7 @@ static-rule	= ( "block" [ block-opts ] |
 dynamic-ruleset	= "ruleset" group-opts
 rule		= static-rule | dynamic-ruleset
 
+proto		= "proto" protocol [ proto-opts ]
 block-opts	= "return-rst" | "return-icmp" | "return"
 family-opt	= "inet4" | "inet6"
 proto-opts	= "flags" tcp-flags [ "/" tcp-flag-mask ] |
@@ -345,7 +349,7 @@ alg "icmp"
 # Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
 map $ext_if dynamic 10.1.1.0/24 -> $ext_if
-map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022
+map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 
 procedure "log" {
 	# Note: npf_ext_log kernel module should be loaded, if not built-in.

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.43 src/usr.sbin/npf/npfctl/npf_build.c:1.44
--- src/usr.sbin/npf/npfctl/npf_build.c:1.43	Tue Jan  3 01:29:49 2017
+++ src/usr.sbin/npf/npfctl/npf_build.c	Thu Jan 19 20:18:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $");
 
 #include 
 #include 
@@ -586,9 +586,9 @@ npfctl_build_rule(uint32_t attr, const c
  */
 static nl_nat_t *
 npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap,
-const filt_opts_t *fopts, u_int flags)
+const opt_proto_t *op, const filt_opts_t *fopts, u_int flags)
 {
-	const opt_proto_t op = { .op_proto = -1, .op_opts = NULL };
+	const opt_proto_t def_op = { .op_proto = -1, .op_opts = NULL };
 	fam_addr_mask_t *am = npfctl_get_singlefam(ap->ap_netaddr);
 	in_port_t port;
 	nl_nat_t *nat;
@@ -600,10 +600,13 @@ npfctl_build_nat(int type, const char *i
 	} else {
 		port = 0;
 	}
+	if (!op) {
+		op = _op;
+	}
 
 	nat = npf_nat_create(type, flags, ifname, am->fam_family,
 	>fam_addr, am->fam_mask, port);
-	npfctl_build_code(nat, 

CVS commit: src/usr.sbin/npf/npfctl

2017-01-02 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Jan  3 01:29:49 UTC 2017

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l
npfctl.h

Log Message:
npfctl: dynamic interface address handling; update npf.conf(8).


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npf_build.c \
src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.39 -r1.40 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.45 src/usr.sbin/npf/npfctl/npf.conf.5:1.46
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.45	Tue Dec 27 22:35:33 2016
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Jan  3 01:29:49 2017
@@ -1,6 +1,6 @@
-.\"$NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $
 .\"
-.\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 28, 2016
+.Dd January 3, 2017
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -110,6 +110,24 @@ Specific interface addresses can be sele
 $pub_if4 = inet4(wm0)
 $pub_if46 = { inet4(wm0), inet6(wm0) }
 .Ed
+.Pp
+In the above examples, NPF will statically capture the interface
+addresses on configuration load.
+.Pp
+The following can be used for dynamic handling of the interface addresses:
+.Bd -literal
+$pub_if = ifaddrs(wm0)
+.Ed
+.Pp
+In this case, the expression will represent the runtime list of addresses,
+reflecting any changes to the interface, including the attach and detach.
+Marking the interface as ``down'' has no effect, i.e. all addresses will
+remain present.
+.Pp
+The dynamic address list represents both the IPv4 and IPv6 addresses,
+therefore the
+.Cd family
+keyword can be used in combination to make the filtering more narrow.
 .Ss Groups
 Groups may have the following options: name, interface, and direction.
 They are defined in the following form:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.42 src/usr.sbin/npf/npfctl/npf_build.c:1.43
--- src/usr.sbin/npf/npfctl/npf_build.c:1.42	Tue Dec 27 22:35:33 2016
+++ src/usr.sbin/npf/npfctl/npf_build.c	Tue Jan  3 01:29:49 2017
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $");
 
 #include 
 #include 
@@ -65,6 +65,7 @@ static nl_rule_t *		the_rule = NULL;
 static nl_rule_t *		current_group[MAX_RULE_NESTING];
 static unsigned			rule_nesting_level = 0;
 static nl_rule_t *		defgroup = NULL;
+static unsigned			npfctl_tid_counter = 0;
 
 static void			npfctl_dump_bpf(struct bpf_program *);
 
@@ -797,10 +798,9 @@ npfctl_fill_table(nl_table_t *tl, u_int 
 void
 npfctl_build_table(const char *tname, u_int type, const char *fname)
 {
-	static unsigned tid = 0;
 	nl_table_t *tl;
 
-	tl = npf_table_create(tname, tid++, type);
+	tl = npf_table_create(tname, npfctl_tid_counter++, type);
 	assert(tl != NULL);
 
 	if (npf_table_insert(npf_conf, tl)) {
@@ -814,6 +814,24 @@ npfctl_build_table(const char *tname, u_
 	}
 }
 
+npfvar_t *
+npfctl_ifnet_table(const char *ifname)
+{
+	char tname[NPF_TABLE_MAXNAMELEN];
+	nl_table_t *tl;
+	u_int tid;
+
+	snprintf(tname, sizeof(tname), ".ifnet-%s", ifname);
+
+	tid = npfctl_table_getid(tname);
+	if (tid == (unsigned)-1) {
+		tid = npfctl_tid_counter++;
+		tl = npf_table_create(tname, tid, NPF_TABLE_TREE);
+		(void)npf_table_insert(npf_conf, tl);
+	}
+	return npfvar_create_element(NPFVAR_TABLE, , sizeof(u_int));
+}
+
 /*
  * npfctl_build_alg: create an NPF application level gateway and add it
  * to the configuration.
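Review bot: `npfctl_ifnet_table` uses the result of `npf_table_create()` without checking it and discards the return value of `npf_table_insert()`, while `npfctl_build_table` in the previous hunk asserts `tl != NULL` and tests the insert. If creation or insertion fails, the function still returns a table variable whose ID presumably refers to no table in `npf_conf`. Matching the sibling would be `assert(tl != NULL);` followed by `if (npf_table_insert(npf_conf, tl)) { ... }` with the same error report npfctl_build_table uses (its error branch is outside the hunk). The `snprintf` result is also unchecked, so an interface name that does not fit in `NPF_TABLE_MAXNAMELEN` would be silently truncated into the table name.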
Index: src/usr.sbin/npf/npfctl/npfctl.h
diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.42 src/usr.sbin/npf/npfctl/npfctl.h:1.43
--- src/usr.sbin/npf/npfctl/npfctl.h:1.42	Tue Dec 27 22:35:33 2016
+++ src/usr.sbin/npf/npfctl/npfctl.h	Tue Jan  3 01:29:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.h,v 1.42 2016/12/27 22:35:33 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.43 2017/01/03 01:29:49 rmind Exp $	*/
 
 /*-
  * 

CVS commit: src/sys/net/npf

2017-01-02 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Jan  3 00:58:05 UTC 2017

Modified Files:
src/sys/net/npf: npf_conf.c npf_ifaddr.c npf_impl.h npf_os.c

Log Message:
NPF: fix the interface table initialisation on load.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_ifaddr.c
cvs rdiff -u -r1.66 -r1.67 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_os.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.10 src/sys/net/npf/npf_conf.c:1.11
--- src/sys/net/npf/npf_conf.c:1.10	Mon Dec 26 23:05:06 2016
+++ src/sys/net/npf/npf_conf.c	Tue Jan  3 00:58:05 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conf.c,v 1.10 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_conf.c,v 1.11 2017/01/03 00:58:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -49,7 +49,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.10 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.11 2017/01/03 00:58:05 rmind Exp $");
 
 #include 
 #include 
@@ -157,7 +157,7 @@ npf_config_load(npf_t *npf, npf_ruleset_
 		npf_ifmap_flush(npf);
 		npf_conn_load(npf, conns, !flush);
 		mutex_exit(>config_lock);
-		return;
+		goto done;
 	}
 
 	/*
@@ -183,6 +183,9 @@ npf_config_load(npf_t *npf, npf_ruleset_
 
 	/* Finally, it is safe to destroy the old config. */
 	npf_config_destroy(onc);
+done:
+	/* Sync all interface address tables (can be done asynchronously). */
+	npf_ifaddr_syncall(npf);
 }
 
 /*
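Review bot: The comment on the new call says the sync "can be done asynchronously", but `npf_ifaddr_syncall(npf)` is invoked inline at the end of every `npf_config_load`, including the early-exit path that now jumps to `done:`. From the npf_ifaddr.c section of this commit, the function takes `KERNEL_LOCK` and `IFNET_LOCK` and walks every interface, so each configuration load pays for that synchronously. I would make the comment describe the code as it is, e.g. `/* Sync all interface address tables (done inline; could be deferred to a worker). */`. On the early-exit path `config_lock` has already been released before the jump; whether the same holds on the main path is outside the hunks and worth stating in the comment too.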

Index: src/sys/net/npf/npf_ifaddr.c
diff -u src/sys/net/npf/npf_ifaddr.c:1.1 src/sys/net/npf/npf_ifaddr.c:1.2
--- src/sys/net/npf/npf_ifaddr.c:1.1	Mon Jan  2 21:49:51 2017
+++ src/sys/net/npf/npf_ifaddr.c	Tue Jan  3 00:58:05 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $	*/
+/*	$NetBSD: npf_ifaddr.c,v 1.2 2017/01/03 00:58:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.2 2017/01/03 00:58:05 rmind Exp $");
 
 #include 
 #include 
@@ -46,20 +46,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c
 
 #include "npf_impl.h"
 
-void
-npf_ifaddr_init(npf_t *npf)
-{
-	ifnet_t *ifp;
-
-	KERNEL_LOCK(1, NULL);
-	IFNET_LOCK();
-	IFNET_WRITER_FOREACH(ifp) {
-		npf_ifaddr_sync(npf, ifp);
-	}
-	IFNET_UNLOCK();
-	KERNEL_UNLOCK_ONE(NULL);
-}
-
 static npf_table_t *
 lookup_ifnet_table(npf_t *npf, ifnet_t *ifp)
 {
@@ -177,3 +163,19 @@ npf_ifaddr_flush(npf_t *npf, ifnet_t *if
 	}
 	replace_ifnet_table(npf, t);
 }
+
+void
+npf_ifaddr_syncall(npf_t *npf)
+{
+	ifnet_t *ifp;
+
+	KERNEL_LOCK(1, NULL);
+	IFNET_LOCK();
+	IFNET_WRITER_FOREACH(ifp) {
+		npf_ifaddr_sync(npf, ifp);
+	}
+	IFNET_UNLOCK();
+	KERNEL_UNLOCK_ONE(NULL);
+}
+
+

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.66 src/sys/net/npf/npf_impl.h:1.67
--- src/sys/net/npf/npf_impl.h:1.66	Mon Jan  2 21:49:51 2017
+++ src/sys/net/npf/npf_impl.h	Tue Jan  3 00:58:05 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.66 2017/01/02 21:49:51 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.67 2017/01/03 00:58:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -247,9 +247,9 @@ void		npf_ifmap_flush(npf_t *);
 u_int		npf_ifmap_getid(npf_t *, const ifnet_t *);
 const char *	npf_ifmap_getname(npf_t *, const u_int);
 
-void		npf_ifaddr_init(npf_t *);
 void		npf_ifaddr_sync(npf_t *, ifnet_t *);
 void		npf_ifaddr_flush(npf_t *, ifnet_t *);
+void		npf_ifaddr_syncall(npf_t *);
 
 /* Packet filter hooks. */
 int		npf_pfil_register(bool);

Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.4 src/sys/net/npf/npf_os.c:1.5
--- src/sys/net/npf/npf_os.c:1.4	Mon Jan  2 23:02:04 2017
+++ src/sys/net/npf/npf_os.c	Tue Jan  3 00:58:05 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_os.c,v 1.4 2017/01/02 23:02:04 christos Exp $	*/
+/*	$NetBSD: npf_os.c,v 1.5 2017/01/03 00:58:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2016 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.4 2017/01/02 23:02:04 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.5 2017/01/03 00:58:05 rmind Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pf.h"
@@ -153,7 +153,6 @@ npf_init(void)
 	npf = npf_create(0, NULL, _ifops);
 	npf_setkernctx(npf);
 	npf_pfil_register(true);
-	npf_ifaddr_init(npf);
 
 #ifdef _MODULE
 	devmajor_t bmajor = NODEVMAJOR, cmajor = NODEVMAJOR;
@@ -445,6 +444,12 @@ npf_pfil_register(bool init)
 		PFIL_ALL, npf_ph_inet6);
 		KASSERT(error == 0);
 	}
+
+	/*
+	 * It is necessary to re-sync all/any interface address tables,
+	 * since we did not listen 

CVS commit: src/sys

2017-01-02 Thread Mindaugas Rasiukevicius
BSD Foundation, Inc.
@@ -42,7 +42,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.25 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.26 2017/01/02 21:49:51 rmind Exp $");
 
 #include 
 #include 
@@ -183,6 +183,21 @@ npf_tableset_insert(npf_tableset_t *ts, 
 	return error;
 }
 
+npf_table_t *
+npf_tableset_swap(npf_tableset_t *ts, npf_table_t *newt)
+{
+	const u_int tid = newt->t_id;
+	npf_table_t *oldt = ts->ts_map[tid];
+
+	KASSERT(tid < ts->ts_nitems);
+	KASSERT(oldt->t_id == newt->t_id);
+
+	newt->t_refcnt = oldt->t_refcnt;
+	oldt->t_refcnt = 0;
+
+	return atomic_swap_ptr(>ts_map[tid], newt);
+}
+
 /*
  * npf_tableset_getbyname: look for a table in the set given the name.
  */
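Review bot: `oldt` is loaded from `ts->ts_map[tid]` in its initialiser, before `KASSERT(tid < ts->ts_nitems)` runs, so the bounds assertion cannot protect the array read, and `oldt->t_id` is dereferenced without a NULL check. KASSERT is normally compiled out of non-DIAGNOSTIC kernels, so neither assertion is a runtime guard there; if `newt->t_id` can be influenced by a loaded configuration, the function needs a real check or a documented precondition. At minimum reorder to `KASSERT(tid < ts->ts_nitems);`, then `oldt = ts->ts_map[tid];`, then `KASSERT(oldt != NULL && oldt->t_id == tid);`. The reference count is moved with two plain stores before the atomic swap, so a header comment naming the lock the caller must hold would make that safe to rely on.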
@@ -354,7 +369,8 @@ npf_table_create(const char *name, u_int
 		LIST_INIT(>t_list);
 		break;
 	case NPF_TABLE_HASH:
-		t->t_hashl = hashinit(1024, HASH_LIST, true, >t_hashmask);
+		size = MIN(size, 128);
+		t->t_hashl = hashinit(size, HASH_LIST, true, >t_hashmask);
 		if (t->t_hashl == NULL) {
 			goto out;
 		}
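Review bot: `size = MIN(size, 128)` puts an upper bound on the bucket count but no lower bound, so a `size` of 0 is passed straight to `hashinit()`. Where `size` comes from is outside the hunk (the signature is cut off in the hunk header), but if it is taken from a table description submitted by userland it should be clamped on both sides, e.g. `size = MAX(1, MIN(size, 128));`, or rejected during validation. If 128 was meant as a floor rather than a cap (the removed code used a fixed 1024), the macro should be `MAX`. A short comment naming the intended range would settle which one is meant.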
@@ -409,6 +425,12 @@ npf_table_destroy(npf_table_t *t)
 	kmem_free(t, sizeof(npf_table_t));
 }
 
+u_int
+npf_table_getid(npf_table_t *t)
+{
+	return t->t_id;
+}
+
 /*
  * npf_table_check: validate the name, ID and type.
  */

Added files:

Index: src/sys/net/npf/npf_ifaddr.c
diff -u /dev/null src/sys/net/npf/npf_ifaddr.c:1.1
--- /dev/null	Mon Jan  2 21:49:51 2017
+++ src/sys/net/npf/npf_ifaddr.c	Mon Jan  2 21:49:51 2017
@@ -0,0 +1,179 @@
+/*	$NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $	*/
+
+/*-
+ * Copyright (c) 2014 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Mindaugas Rasiukevicius.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * NPF network interface handling module.
+ */
+
+#include 
+__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.1 2017/01/02 21:49:51 rmind Exp $");
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include "npf_impl.h"
+
+void
+npf_ifaddr_init(npf_t *npf)
+{
+	ifnet_t *ifp;
+
+	KERNEL_LOCK(1, NULL);
+	IFNET_LOCK();
+	IFNET_WRITER_FOREACH(ifp) {
+		npf_ifaddr_sync(npf, ifp);
+	}
+	IFNET_UNLOCK();
+	KERNEL_UNLOCK_ONE(NULL);
+}
+
+static npf_table_t *
+lookup_ifnet_table(npf_t *npf, ifnet_t *ifp)
+{
+	const npf_ifops_t *ifops = npf->ifops;
+	char tname[NPF_TABLE_MAXNAMELEN];
+	npf_tableset_t *ts;
+	const char *ifname;
+	npf_table_t *t;
+	u_int tid;
+
+	/* Get the interface name and prefix it. */
+	ifname = ifops->getname(ifp);
+	snprintf(tname, sizeof(tname), ".ifnet-%s", ifname);
+
+	KERNEL_LOCK(1, NULL);
+	npf_config_enter(npf);
+	ts = npf_config_tableset(npf);
+
+	/*
+	 * Check whether this interface is of any interest to us.
+	 */
+	t = npf_tableset_getbyname(ts, tname);
+	if (!t) {
+		goto out;
+	}
+	tid = npf_table_getid(t);
+
+	/* Create a new NPF table for the interface. */
+	t = npf_table_create(tname, tid, NPF_TABLE_HASH, NULL, 16);
+	if (!t) {
+		goto out;
+	}
+	return t;
+out:
+	npf_config_exit(npf);
+	KERNEL_UNLOCK_ONE(NULL);
+	return NULL;
+}
+
+static void
+replace_ifnet_table(npf_t *npf, npf_table_t *newt)
+{
+	npf_tableset_t *ts = npf_config_tableset(npf);
+	npf_table_t *oldt;
+
+	KERNEL_UNLOCK_ONE(NULL);
+
+	/*
+	 * Finally, swap the tables and issue a sync barrier.
+	 */
+	oldt = npf_tableset_swap(ts, newt);
+	npf_config_sync(npf);
+	npf_config_exit(npf);
+
+	/* At this point, it is safe to destroy the old table. */
+	npf_table_destroy(oldt);
+}
+
+void
+npf_ifaddr_sync(npf_t *npf, ifnet_t *ifp)
+{
+	npf_ta

CVS commit: src/usr.sbin/npf/npfctl

2016-12-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Dec 29 20:48:50 UTC 2016

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c npfctl.c

Log Message:
Improve 'npfctl debug' a little bit.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npf_show.c
cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.21 src/usr.sbin/npf/npfctl/npf_show.c:1.22
--- src/usr.sbin/npf/npfctl/npf_show.c:1.21	Tue Dec 27 20:14:35 2016
+++ src/usr.sbin/npf/npfctl/npf_show.c	Thu Dec 29 20:48:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -506,8 +506,8 @@ npfctl_config_show(int fd)
 		loaded ? "loaded" : "empty");
 		print_linesep(ctx);
 	} else {
-		npfctl_config_send(0, NULL);
 		ncf = npfctl_config_ref();
+		(void)npf_config_build(ncf);
 		loaded = true;
 	}
 	ctx->conf = ncf;
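Review bot: The result of `npf_config_build(ncf)` is thrown away with a `(void)` cast and `loaded = true` follows unconditionally, so on this no-device branch a failed build would still be printed as a loaded configuration. I would test the result and stop, along the lines of `if (npf_config_build(ncf) != 0) errx(EXIT_FAILURE, "npf_config_build");`, with the comparison adjusted to the function's actual return convention, which is not visible here. If failure is impossible at this point, a comment saying so should replace the bare cast. npfctl_config_show() starts and ends outside the hunk.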

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.51 src/usr.sbin/npf/npfctl/npfctl.c:1.52
--- src/usr.sbin/npf/npfctl/npfctl.c:1.51	Tue Dec 27 20:24:32 2016
+++ src/usr.sbin/npf/npfctl/npfctl.c	Thu Dec 29 20:48:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $");
 
 #include 
 #include 
@@ -70,6 +70,7 @@ enum {
 	NPFCTL_STATS,
 	NPFCTL_SAVE,
 	NPFCTL_LOAD,
+	NPFCTL_DEBUG,
 	NPFCTL_CONN_LIST,
 };
 
@@ -83,7 +84,6 @@ static const struct operations_s {
 	{	"reload",	NPFCTL_RELOAD		},
 	{	"show",		NPFCTL_SHOWCONF,	},
 	{	"flush",	NPFCTL_FLUSH		},
-	{	"valid",	NPFCTL_VALIDATE		},
 	/* Table */
 	{	"table",	NPFCTL_TABLE		},
 	/* Rule */
@@ -94,6 +94,9 @@ static const struct operations_s {
 	{	"save",		NPFCTL_SAVE		},
 	{	"load",		NPFCTL_LOAD		},
 	{	"list",		NPFCTL_CONN_LIST	},
+	/* Misc. */
+	{	"valid",	NPFCTL_VALIDATE		},
+	{	"debug",	NPFCTL_DEBUG		},
 	/* --- */
 	{	NULL,		0			}
 };
@@ -247,14 +250,12 @@ npfctl_print_addrmask(int alen, const ch
 	switch (alen) {
 	case 4: {
 		struct sockaddr_in *sin = (void *)
-		sin->sin_len = sizeof(*sin);
 		sin->sin_family = AF_INET;
 		memcpy(>sin_addr, addr, sizeof(sin->sin_addr));
 		break;
 	}
 	case 16: {
 		struct sockaddr_in6 *sin6 = (void *)
-		sin6->sin6_len = sizeof(*sin6);
 		sin6->sin6_family = AF_INET6;
 		memcpy(>sin6_addr, addr, sizeof(sin6->sin6_addr));
 		break;
@@ -593,7 +594,7 @@ struct npf_conn_filter {
 };
 
 static int
-npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p, 
+npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p,
 const char *ifname, void *v)
 {
 	struct npf_conn_filter *fil = v;
@@ -674,21 +675,19 @@ npfctl_conn_list(int fd, int argc, char 
 	if (header)
 		fprintf(f.fp, "%*.*s %*.*s\n",
 		w, w, "From address:port ", w, w, "To address:port ");
-		
+
 	npf_conn_list(fd, npfctl_conn_print, );
 	return 0;
 }
 
-static void
-npfctl(int action, int argc, char **argv)
+static int
+npfctl_open_dev(const char *path)
 {
-	int fd, ver, boolval, ret = 0;
-	nl_config_t *ncf;
-	const char *fun = "";
+	int fd, ver;
 
-	fd = open(NPF_DEV_PATH, O_RDONLY);
+	fd = open(path, O_RDONLY);
 	if (fd == -1) {
-		err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH);
+		err(EXIT_FAILURE, "cannot open '%s'", path);
 	}
 	if (ioctl(fd, IOC_NPF_VERSION, ) == -1) {
 		err(EXIT_FAILURE, "ioctl(IOC_NPF_VERSION)");
@@ -698,6 +697,24 @@ npfctl(int action, int argc, char **argv
 		"incompatible NPF interface version (%d, kernel %d)\n"
 		"Hint: update userland?", NPF_VERSION, ver);
 	}
+	return fd;
+}
+
+static void
+npfctl(int action, int argc, char **argv)
+{
+	int fd, boolval, ret = 0;
+	const char *fun = "";
+	nl_config_t *ncf;
+
+	switch (action) {
+	case NPFCTL_VALIDATE:
+	case NPFCTL_DEBUG:
+		fd = 0;
+		break;
+	default:
+		fd = npfctl_open_dev(NPF_DEV_PATH);
+	}
 
 	switch (action) {
 	case NPFCTL_START:
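Review bot: `fd = 0` in the new first switch uses a valid descriptor (standard input) as the "no device" marker for NPFCTL_VALIDATE and NPFCTL_DEBUG, so any shared code later in npfctl() that closes `fd` or issues an ioctl on it would act on stdin instead of failing. The rest of the function is outside this hunk, so whether such a path exists cannot be confirmed from here. At minimum the convention deserves a comment, `/* No device is opened for these actions; 0 is a placeholder, not a usable descriptor. */`, and `-1` would be the safer sentinel if the callees can be adapted. The `default:` arm also ends without `break;`, which is harmless as the last label but inconsistent with the arm above it.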
@@ -725,12 +742,6 @@ npfctl(int action, int argc, char **argv
 		ret = npf_config_flush(fd);
 		fun = "npf_config_flush";
 		break;
-	case NPFCTL_VALIDATE:
-		npfctl_config_init(false);
-		npfctl_parse_file(argc < 3 ? NPF_CONF_PATH : argv[2]);
-		ret = npfctl_config_show(0);
-		fun = "npfctl_config_show";
-		break;
 	case 

CVS commit: src/usr.sbin/npf/npfctl

2016-12-27 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Dec 27 22:35:33 UTC 2016

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5 npf_bpf_comp.c npf_build.c
npf_data.c npf_parse.y npf_scan.l npfctl.h

Log Message:
npf.conf: add support for logical NOT, e.g.: pass from ! 10.0.0.1 to any


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf_build.c \
src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.26 -r1.27 src/usr.sbin/npf/npfctl/npf_data.c
cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.44 src/usr.sbin/npf/npfctl/npf.conf.5:1.45
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.44	Sun Feb  1 22:57:21 2015
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Dec 27 22:35:33 2016
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.44 2015/02/01 22:57:21 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 1, 2015
+.Dd December 28, 2016
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -295,7 +295,8 @@ proto-opts	= "flags" tcp-flags [ "/" tcp
 
 addr-mask	= addr [ "/" mask ]
 filt-opts	= "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
-filt-addr	= [ interface | var-name | addr-mask | table-id | "any" ]
+filt-addr	= [ "!" ] [ interface | var-name |
+  addr-mask | table-id | "any" ]
 filt-port	= "port" ( port-num | port-from "-" port-to | var-name )
 .Ed
 .\" -

Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.9 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.10
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.9	Mon Dec 26 23:05:05 2016
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c	Tue Dec 27 22:35:33 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_bpf_comp.c,v 1.9 2016/12/26 23:05:05 christos Exp $	*/
+/*	$NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.9 2016/12/26 23:05:05 christos Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $");
 
 #include 
 #include 
@@ -244,18 +244,29 @@ npfctl_bpf_group(npf_bpf_t *ctx)
 }
 
 void
-npfctl_bpf_endgroup(npf_bpf_t *ctx)
+npfctl_bpf_endgroup(npf_bpf_t *ctx, bool invert)
 {
 	struct bpf_program *bp = >prog;
 	const size_t curoff = bp->bf_len;
 
 	/* If there are no blocks or only one - nothing to do. */
-	if ((ctx->nblocks - ctx->gblock) <= 1) {
+	if (!invert && (ctx->nblocks - ctx->gblock) <= 1) {
 		ctx->goff = ctx->gblock = 0;
 		return;
 	}
 
 	/*
+	 * If inverting, then prepend a jump over the statement below.
+	 * If matching, jump will jump below and the fail will happen.
+	 */
+	if (invert) {
+		struct bpf_insn insns_ret[] = {
+			BPF_STMT(BPF_JMP+BPF_JA, 1),
+		};
+		add_insns(ctx, insns_ret, __arraycount(insns_ret));
+	}
+
+	/*
 	 * Append a failure return as a fall-through i.e. if there is
 	 * no match within the group.
 	 */
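Review bot: The array that holds the inserted `BPF_STMT(BPF_JMP+BPF_JA, 1)` is named `insns_ret` although it contains a jump, not a return; `insns_jmp` would keep it apart from the failure return that the following comment introduces. The new comment is also hard to follow, and I would word it as `/* Inverted group: when no block matched, jump over the failure return appended below; a matching block must instead end on that return. */`. `curoff` is captured before this instruction is added and the jump fix-up that uses it lies outside the hunk, so it is worth confirming, with a test of a single inverted address, that matched blocks really land on the failure return. npfctl_bpf_endgroup() continues past the end of the hunk.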
@@ -309,7 +320,7 @@ fetch_l3(npf_bpf_t *ctx, sa_family_t af,
 		 */
 		if (ingroup) {
 			assert(ctx->nblocks == ctx->gblock);
-			npfctl_bpf_endgroup(ctx);
+			npfctl_bpf_endgroup(ctx, false);
 		}
 
 		/*

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.41 src/usr.sbin/npf/npfctl/npf_build.c:1.42
--- src/usr.sbin/npf/npfctl/npf_build.c:1.41	Mon Dec 26 23:05:05 2016
+++ src/usr.sbin/npf/npfctl/npf_build.c	Tue Dec 27 22:35:33 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.41 2016/12/26 23:05:05 christos Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.41 2016/12/26 23:05:05 christos Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $");
 
 #include 
 #include 
@@ -268,7 +268,7 @@ npfctl_build_vars(npf_bpf_t *ctx, sa_fam
 			assert(false);
 		}
 	}
-	npfctl_bpf_endgroup(ctx);
+	npfctl_bpf_endgroup(ctx, (opts & MATCH_INVERT) != 0);
 }
 
 static void
@@ -321,6 +321,7 @@ npfctl_build_code(nl_rule_t *rl, sa_fami
 	const addr_port_t *apto = >fo_to;
 	const int proto = op->op_proto;
 	npf_bpf_t *bc;
+	unsigned opts;
 	size_t len;
 
 	/* If none specified, then no byte-code. */
@@ -365,8 +366,10 @@ npfctl_build_code(nl_rule_t *rl, sa_fami
 	}
 
 	/* Build IP address blocks. */

CVS commit: src/usr.sbin/npf/npfd

2016-12-27 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Dec 27 22:20:00 UTC 2016

Added Files:
src/usr.sbin/npf/npfd: Makefile npfd.c npfd.h npfd_log.c

Log Message:
Add some very preliminary npfd(8) code.


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npfd/Makefile \
src/usr.sbin/npf/npfd/npfd.c src/usr.sbin/npf/npfd/npfd.h \
src/usr.sbin/npf/npfd/npfd_log.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: src/usr.sbin/npf/npfd/Makefile
diff -u /dev/null src/usr.sbin/npf/npfd/Makefile:1.1
--- /dev/null	Tue Dec 27 22:20:00 2016
+++ src/usr.sbin/npf/npfd/Makefile	Tue Dec 27 22:20:00 2016
@@ -0,0 +1,17 @@
+# $NetBSD: Makefile,v 1.1 2016/12/27 22:20:00 rmind Exp $
+#
+# Public Domain
+#
+
+PROG=		npfd
+
+SRCS=		npfd.c
+CPPFLAGS+=	-I${.CURDIR}
+
+LDADD+=		-lnpf -lpcap
+DPADD+=		${LIBNPF} ${LIBPCAP}
+
+WARNS=		5
+NOLINT=		# disabled deliberately
+
+.include 
Index: src/usr.sbin/npf/npfd/npfd.c
diff -u /dev/null src/usr.sbin/npf/npfd/npfd.c:1.1
--- /dev/null	Tue Dec 27 22:20:00 2016
+++ src/usr.sbin/npf/npfd/npfd.c	Tue Dec 27 22:20:00 2016
@@ -0,0 +1,127 @@
+/*	$NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $	*/
+
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Mindaugas Rasiukevicius.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include 
+__RCSID("$NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $");
+
+#include 
+#include 
+#include 
+#include 
+
+#include "npfd.h"
+
+static volatile sig_atomic_t	hup = false;
+
+int
+npfd_getctl(void)
+{
+	int fd;
+
+	fd = open(NPF_DEV_PATH, O_RDONLY);
+	if (fd == -1) {
+		err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH);
+	}
+	if (ioctl(fd, IOC_NPF_VERSION, ) == -1) {
+		err(EXIT_FAILURE, "ioctl(IOC_NPF_VERSION)");
+	}
+	if (ver != NPF_VERSION) {
+		errx(EXIT_FAILURE,
+		"incompatible NPF interface version (%d, kernel %d)\n"
+		"Hint: update userland?", NPF_VERSION, ver);
+	}
+	return fd;
+}
+
+static void
+npfd_event_loop(void)
+{
+	int fds[8], fd, nfds = 0, maxfd = 0;
+	fd_set rfds;
+
+	FD_ZERO();
+
+	fd = npfd_log_create(0)
+	fds[nfds++] = fd;
+	FD_SET(fd, );
+
+	for (int i = 0; i < nfds; i++) {
+		maxfd = MAX(maxfd, fds[i] + 1);
+	}
+
+	while (!done) {
+		if ((ret = select(maxfd, , NULL, NULL, NULL)) == -1) {
+			syslog(LOG_ERR, "select failed: %m");
+			err(EXIT_FAILURE, "select");
+		}
+		if (hup) {
+			hup = false;
+		}
+
+		for (fd = 0; fd < maxfd; fd++) {
+			// TODO
+		}
+	}
+}
+
+static void
+sighup_handler(int sig)
+{
+	hup = true;
+}
+
+int
+main(int argc, char **argv)
+{
+	bool daemon_off = false;
+	int ch;
+
+	while ((ch = getopt(argc, argv, "d")) != -1) {
+		switch (ch) {
+		case 'd':
+			daemon_off = true;
+			break;
+		default:
+			errx(EXIT_FAILURE, "usage:\n\t%s [ -d ]", argv[0]);
+		}
+	}
+
+	openlog(argv[0], LOG_PID | LOG_NDELAY | LOG_CONS, LOG_DAEMON);
+	if (!daemon_off && daemon(0, 0) == -1) {
+		syslog(LOG_ERR, "daemon failed: %m");
+		err(EXIT_FAILURE, "daemon");
+	}
+	signal(SIGHUP, sighup_handler);
+	npfd_event_loop();
+	closelog();
+
+	return 0;
+}
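Review bot: In npfd_event_loop() every `select()` failure is fatal, so the SIGHUP that sighup_handler() is meant to record will interrupt `select()` with EINTR and terminate the daemon before the `if (hup)` branch is reached. The descriptor returned by npfd_log_create() goes into `FD_SET` without a check that it is non-negative and below FD_SETSIZE, and `rfds` is not re-armed before each call although `select()` overwrites it. The file also does not compile as shown: `ver` in npfd_getctl() and `ret` and `done` in the loop have no visible declaration, and the `npfd_log_create(0)` line lacks its semicolon. A sketch of the loop with the first three points addressed follows; `done` is left for the author to define.

```c
static void
npfd_event_loop(void)
{
	int fds[8], fd, ret, nfds = 0, maxfd = 0;
	fd_set rfds, rset;

	FD_ZERO(&rfds);

	fd = npfd_log_create(0);
	if (fd < 0 || fd >= FD_SETSIZE) {
		syslog(LOG_ERR, "npfd_log_create: unusable descriptor %d", fd);
		exit(EXIT_FAILURE);
	}
	/* … unchanged: fds[] bookkeeping, FD_SET and maxfd computation … */

	while (!done) {
		rset = rfds;	/* select() modifies the set it is given */
		ret = select(maxfd, &rset, NULL, NULL, NULL);
		if (ret == -1 && errno != EINTR) {
			syslog(LOG_ERR, "select failed: %m");
			exit(EXIT_FAILURE);
		}
		/* … unchanged: hup handling and per-descriptor TODO loop … */
	}
}
```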
Index: src/usr.sbin/npf/npfd/npfd.h
diff -u /dev/null src/usr.sbin/npf/npfd/npfd.h:1.1
--- /dev/null	Tue Dec 27 22:20:00 2016
+++ src/usr.sbin/npf/npfd/npfd.h	Tue Dec 27 22:20:00 2016
@@ -0,0 +1,49 @@
+/*	$NetBSD: npfd.h,v 1.1 2016/12/27 22:20:00 rmind Exp $	*/
+
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+

CVS commit: src/lib/libnpf

2016-12-27 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Dec 27 20:32:58 UTC 2016

Modified Files:
src/lib/libnpf: npf.c npf.h

Log Message:
KNF


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/lib/libnpf/npf.c
cvs rdiff -u -r1.32 -r1.33 src/lib/libnpf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.41 src/lib/libnpf/npf.c:1.42
--- src/lib/libnpf/npf.c:1.41	Tue Dec 27 20:14:07 2016
+++ src/lib/libnpf/npf.c	Tue Dec 27 20:32:58 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.41 2016/12/27 20:14:07 christos Exp $	*/
+/*	$NetBSD: npf.c,v 1.42 2016/12/27 20:32:58 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.41 2016/12/27 20:14:07 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.42 2016/12/27 20:32:58 rmind Exp $");
 
 #include 
 #include 
@@ -1427,18 +1427,18 @@ npf_conn_list(int fd, npf_conn_func_t fu
 	if (ncf == NULL) {
 		return errno;
 	}
-
-/* Connection list - array */ 
-if (prop_object_type(ncf->ncf_conn_list) != PROP_TYPE_ARRAY) {
-return EINVAL;
-}
-
-prop_object_iterator_t it = prop_array_iterator(ncf->ncf_conn_list);
-prop_dictionary_t condict;
-while ((condict = prop_object_iterator_next(it)) != NULL) {
-if (prop_object_type(condict) != PROP_TYPE_DICTIONARY) {
+
+	/* Connection list - array */ 
+	if (prop_object_type(ncf->ncf_conn_list) != PROP_TYPE_ARRAY) {
+		return EINVAL;
+	}
+
+	prop_object_iterator_t it = prop_array_iterator(ncf->ncf_conn_list);
+	prop_dictionary_t condict;
+	while ((condict = prop_object_iterator_next(it)) != NULL) {
+		if (prop_object_type(condict) != PROP_TYPE_DICTIONARY) {
 			return EINVAL;
-}
+		}
 		npf_conn_handle(condict, fun, v);
 	}
 	return 0;

Index: src/lib/libnpf/npf.h
diff -u src/lib/libnpf/npf.h:1.32 src/lib/libnpf/npf.h:1.33
--- src/lib/libnpf/npf.h:1.32	Tue Dec 27 20:14:07 2016
+++ src/lib/libnpf/npf.h	Tue Dec 27 20:32:58 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.32 2016/12/27 20:14:07 christos Exp $	*/
+/*	$NetBSD: npf.h,v 1.33 2016/12/27 20:32:58 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -150,10 +150,9 @@ void		_npf_debug_addif(nl_config_t *, co
 int 		_npf_alg_load(nl_config_t *, const char *);
 int		_npf_alg_unload(nl_config_t *, const char *);
 
-/* utils */
-typedef int (*npf_conn_func_t)(unsigned, const npf_addr_t *, const in_port_t *,
-const char *, void *);
-int	 	npf_conn_list(int, npf_conn_func_t, void *);
+typedef int (*npf_conn_func_t)(unsigned, const npf_addr_t *,
+const in_port_t *, const char *, void *);
+int		npf_conn_list(int, npf_conn_func_t, void *);
 
 #endif
 



CVS commit: src/lib/libnpf

2016-12-27 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Dec 27 17:58:56 UTC 2016

Modified Files:
src/lib/libnpf: libnpf.3

Log Message:
Update libnpf(3) man page.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/lib/libnpf/libnpf.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/libnpf.3
diff -u src/lib/libnpf/libnpf.3:1.2 src/lib/libnpf/libnpf.3:1.3
--- src/lib/libnpf/libnpf.3:1.2	Sun Aug  3 00:02:56 2014
+++ src/lib/libnpf/libnpf.3	Tue Dec 27 17:58:56 2016
@@ -1,6 +1,6 @@
-.\"	$NetBSD: libnpf.3,v 1.2 2014/08/03 00:02:56 rmind Exp $
+.\"	$NetBSD: libnpf.3,v 1.3 2016/12/27 17:58:56 rmind Exp $
 .\"
-.\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 2, 2014
+.Dd April 19, 2015
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -41,11 +41,19 @@
 .Ft nl_config_t *
 .Fn npf_config_create "void"
 .Ft int
-.Fn npf_config_submit "nl_config_t *ncf" "int fd"
-.Ft void
-.Fn npf_config_destroy "nl_config_t *ncf"
+.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo"
+.Ft nl_config_t *
+.Fn npf_config_retrieve "int fd" "bool *active" "bool *loaded"
 .Ft int
 .Fn npf_config_flush "int fd"
+.Ft void
+.Fn npf_config_export "const nl_config_t *ncf" "size_t *len"
+.Ft nl_config_t *
+.Fn npf_config_import "const void *blob" "size_t len"
+.Ft bool
+.Fn npf_config_active_p "nl_config_t *ncf"
+.Ft void
+.Fn npf_config_destroy "nl_config_t *ncf"
 .\" ---
 .Ft nl_rule_t *
 .Fn npf_rule_create "char *name" "uint32_t attr" "const char *ifname"
@@ -53,14 +61,18 @@
 .Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len"
 .Ft int
 .Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len"
+.Ft int
+.Fn npf_rule_setinfo "nl_rule_t *rl" "const void *info" "size_t len"
 .Ft bool
 .Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name"
 .Ft int
-.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl"
-.Ft int
-.Fn npf_rule_setprio "nl_rule_t *rl" "pri_t pri"
+.Fn npf_rule_setprio "nl_rule_t *rl" "int pri"
 .Ft int
 .Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name"
+.Ft int
+.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl"
+.Ft void *
+.Fn npf_rule_export "nl_rule_t *rl" "size_t *length"
 .Ft void
 .Fn npf_rule_destroy "nl_rule_t *rl"
 .\" ---
@@ -99,15 +111,32 @@ The configuration can be submitted to th
 .Bl -tag -width 4n
 .It Fn npf_config_create
 Create a configuration.
-.It Fn npf_config_submit "ncf" "fd"
+.It Fn npf_config_submit "ncf" "fd" "errinfo"
 Submit configuration
 .Fa ncf
 to the kernel.
+On error, the the description is written into the structure specified by
+.Fa errinfo .
+.It Fn npf_config_export "fd" "len"
+Serialize the given configuration and return binary object and its
+length in
+.Fa len
+parameter.
+The binary object is dynamically allocated and should be destroyed using
+.Xr free 3 .
+.It Fn npf_config_import "blob" "len"
+Read the configuration from a binary object of the specified length,
+unserialize, construct and return the configuration object.
+.It Fn npf_config_flush "fd"
+Flush the current configuration.
+.It Fn npf_config_retrieve "fd" "active" "loaded"
+Retrieve and return the loaded configuration from the kernel.
+.It Fn npf_config_active_p "ncf"
+Indicate whether the retrievied configuration is active (true if yes
+and false otherwise).
 .It Fn npf_config_destroy "ncf"
 Destroy the configuration
 .Fa ncf .
-.It Fn npf_config_flush "fd"
-Flush the current configuration.
 .El
 .\" ---
 .Ss Rule interface
@@ -124,20 +153,32 @@ The following attributes, which can be O
 Decision of this rule is "pass".
 If this attribute is not
 specified, then packet "block" (drop) is the default.
+.It Dv NPF_RULE_IN
+Match incoming packets.
+.It Dv NPF_RULE_OUT
+Match outgoing packets.
 .It Dv NPF_RULE_FINAL
 Indicates that on rule match, further processing of the
 ruleset should be stopped and this rule applied instantly.
 .It Dv NPF_RULE_STATEFUL
 Create a state (session) on match, track the connection and
 therefore pass the backwards stream without inspection.
+The state is uniquely identified by a 5-tuple (source and destination
+IP addresses, port numbers and an interface identifier).
+.It Dv NPF_RULE_MULTIENDS
+Exclude the interface from the state identifier.
 .It Dv NPF_RULE_RETRST
 Return TCP RST packet in a case of packet block.
 .It Dv NPF_RULE_RETICMP
 Return ICMP destination unreachable in a case of packet block.
-.It Dv NPF_RULE_IN
-Rule may match only if incoming packet.
-.It Dv NPF_RULE_OUT
-Rule may match only if outgoing packet.
+.It Dv 

CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 23:59:48 UTC 2016

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
Convert NPF to the latest pfil(9) changes.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_os.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.1 src/sys/net/npf/npf_os.c:1.2
--- src/sys/net/npf/npf_os.c:1.1	Mon Dec 26 23:05:06 2016
+++ src/sys/net/npf/npf_os.c	Mon Dec 26 23:59:47 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_os.c,v 1.1 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_os.c,v 1.2 2016/12/26 23:59:47 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2016 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.1 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.2 2016/12/26 23:59:47 rmind Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pf.h"
@@ -345,23 +345,20 @@ npfkern_packet_handler(void *arg, struct
 /*
  * npf_ifhook: hook handling interface changes.
  */
-static int
-npf_ifhook(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
+static void
+npf_ifhook(void *arg, unsigned long cmd, void *arg2)
 {
 	npf_t *npf = npf_getkernctx();
-	u_long cmd = (u_long)mp;
+	ifnet_t *ifp = arg2;
 
-	if (di == PFIL_IFNET) {
-		switch (cmd) {
-		case PFIL_IFNET_ATTACH:
-			npf_ifmap_attach(npf, ifp);
-			break;
-		case PFIL_IFNET_DETACH:
-			npf_ifmap_detach(npf, ifp);
-			break;
-		}
+	switch (cmd) {
+	case PFIL_IFNET_ATTACH:
+		npf_ifmap_attach(npf, ifp);
+		break;
+	case PFIL_IFNET_DETACH:
+		npf_ifmap_detach(npf, ifp);
+		break;
 	}
-	return 0;
 }
 
 /*
@@ -383,8 +380,7 @@ npf_pfil_register(bool init)
 			error = ENOENT;
 			goto out;
 		}
-		error = pfil_add_hook(npf_ifhook, NULL,
-		PFIL_IFADDR | PFIL_IFNET, npf_ph_if);
+		error = pfil_add_ihook(npf_ifhook, NULL, PFIL_IFNET, npf_ph_if);
 		KASSERT(error == 0);
 	}
 	if (init) {
@@ -436,8 +432,7 @@ npf_pfil_unregister(bool fini)
 	KERNEL_LOCK(1, NULL);
 
 	if (fini && npf_ph_if) {
-		(void)pfil_remove_hook(npf_ifhook, NULL,
-		PFIL_IFADDR | PFIL_IFNET, npf_ph_if);
+		(void)pfil_remove_ihook(npf_ifhook, NULL, PFIL_IFNET, npf_ph_if);
 	}
 	if (npf_ph_inet) {
 		(void)pfil_remove_hook(npfkern_packet_handler, npf,



CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 23:39:18 UTC 2016

Modified Files:
src/sys/net/npf: npf.h

Log Message:
Bump NPF_VERSION to 19.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.52 src/sys/net/npf/npf.h:1.53
--- src/sys/net/npf/npf.h:1.52	Mon Dec 26 23:05:06 2016
+++ src/sys/net/npf/npf.h	Mon Dec 26 23:39:18 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.52 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf.h,v 1.53 2016/12/26 23:39:18 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
 #include 
 #include 
 
-#define	NPF_VERSION		18
+#define	NPF_VERSION		19
 
 #if defined(_NPF_STANDALONE)
 #include "npf_stand.h"



CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 23:10:46 UTC 2016

Modified Files:
src/sys/net/npf: npf_state_tcp.c

Log Message:
npf_tcp_fsm: fix for the NPF_TCPS_SYN_RECEIVED state.

SYN re-transmission after SYN-ACK was seen by NPF should not terminate
the connection.  Thanks to: Alexander Kiselev 


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_state_tcp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_state_tcp.c
diff -u src/sys/net/npf/npf_state_tcp.c:1.17 src/sys/net/npf/npf_state_tcp.c:1.18
--- src/sys/net/npf/npf_state_tcp.c:1.17	Mon Dec 26 23:05:06 2016
+++ src/sys/net/npf/npf_state_tcp.c	Mon Dec 26 23:10:46 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_state_tcp.c,v 1.17 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_state_tcp.c,v 1.18 2016/12/26 23:10:46 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.17 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.18 2016/12/26 23:10:46 rmind Exp $");
 
 #include 
 #include 
@@ -192,6 +192,8 @@ static const uint8_t npf_tcp_fsm[NPF_TCP
 			[TCPFC_ACK]	= NPF_TCPS_ESTABLISHED,
 			/* FIN may be sent early. */
 			[TCPFC_FIN]	= NPF_TCPS_FIN_SENT,
+			/* Late SYN re-transmission. */
+			[TCPFC_SYN]	= NPF_TCPS_OK,
 		},
 		[NPF_FLOW_BACK] = {
 			/* SYN-ACK may be retransmitted. */
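Review bot: The new `[TCPFC_SYN] = NPF_TCPS_OK` entry accepts every forward SYN in the SYN_RECEIVED state, and the table alone cannot tell a genuine re-transmission (same initial sequence number) from a fresh SYN with different parameters. Whether the sequence number is compared against the tracked one is decided outside this hunk, so the comment should state what is relied on, for example `/* Late SYN re-transmission: do not tear the connection down; the sequence number is expected to be validated by the window tracking. */`, once the author has confirmed that. A regression test sending SYN, SYN-ACK, then SYN with the same and with a different sequence number would pin the intended behaviour.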



CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 21:16:06 UTC 2016

Modified Files:
src/sys/net/npf: lpm.c

Log Message:
Fix kmem_free() in hashmap_remove().


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/lpm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.2 src/sys/net/npf/lpm.c:1.3
--- src/sys/net/npf/lpm.c:1.2	Mon Dec 26 12:44:10 2016
+++ src/sys/net/npf/lpm.c	Mon Dec 26 21:16:06 2016
@@ -31,7 +31,7 @@
 
 #if defined(_KERNEL)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.2 2016/12/26 12:44:10 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.3 2016/12/26 21:16:06 rmind Exp $");
 
 #include 
 #include 
@@ -245,7 +245,7 @@ hashmap_remove(lpm_hmap_t *hmap, const v
 			} else {
 hmap->bucket[i] = entry->next;
 			}
-			free(entry, M_TEMP);
+			kmem_free(entry, offsetof(lpm_ent_t, key[len]));
 			return 0;
 		}
 		prev = entry;
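Review bot: The size handed to `kmem_free()` is recomputed from the `len` argument rather than taken from the entry being freed, so it is right only while the match above selects an entry that was allocated with exactly that length. The allocation and the comparison are both outside this hunk. kmem_free() must be given exactly the size that was allocated, so sharing one size expression (a small macro or static inline) between the insert path and this free would keep the two from drifting apart. The neighbouring lpm.c commit on this page corrects the same class of mistake for the bucket array.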



CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 12:44:10 UTC 2016

Modified Files:
src/sys/net/npf: lpm.c

Log Message:
Fix kmem_free() sizes in hashmap_rehash() and lpm_clear().


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/lpm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.1 src/sys/net/npf/lpm.c:1.2
--- src/sys/net/npf/lpm.c:1.1	Fri Dec  9 02:40:38 2016
+++ src/sys/net/npf/lpm.c	Mon Dec 26 12:44:10 2016
@@ -31,7 +31,7 @@
 
 #if defined(_KERNEL)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1 2016/12/09 02:40:38 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.2 2016/12/26 12:44:10 rmind Exp $");
 
 #include 
 #include 
@@ -117,7 +117,7 @@ lpm_clear(lpm_t *lpm, lpm_dtor_t dtor, v
 entry = next;
 			}
 		}
-		kmem_free(hmap->bucket, hmap->hashsize);
+		kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *));
 		hmap->bucket = NULL;
 		hmap->hashsize = 0;
 		hmap->nitems = 0;
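Review bot: The bucket-array size `hmap->hashsize * sizeof(lpm_ent_t *)` is now written out here and twice more in hashmap_rehash() (the allocation and the free in the next two hunks), so a later change to the bucket element type has three places to miss. Since kmem_free() must receive exactly the allocated size, one shared expression would be safer, e.g. `hmap->hashsize * sizeof(*hmap->bucket)`, which follows the pointer's type the way the replaced `sizeof(*bucket)` did. lpm_clear() starts and ends outside the hunk.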
@@ -158,7 +158,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_
 	for (hashsize = 1; hashsize < size; hashsize <<= 1) {
 		continue;
 	}
-	bucket = kmem_zalloc(hashsize * sizeof(*bucket), KM_SLEEP);
+	bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), KM_SLEEP);
 	if (bucket == NULL)
 		return false;
 	for (unsigned n = 0; n < hmap->hashsize; n++) {
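Review bot: `hashsize * sizeof(lpm_ent_t *)` is computed without an overflow check, and the doubling loop just above it wraps `hashsize` to zero if `size` exceeds the highest power of two its type can hold, in which case the loop would not terminate. Both depend on the types of `hashsize` and `size` and on how callers bound `size`, none of which is visible here, so this may be unreachable in practice. A bound check on `size` at the top of hashmap_rehash() would make that explicit. hashmap_rehash() starts outside the hunk.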
@@ -175,7 +175,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_
 		}
 	}
 	if (hmap->bucket)
-		kmem_free(hmap->bucket, hmap->hashsize);
+		kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *));
 	hmap->bucket = bucket;
 	hmap->hashsize = hashsize;
 	return true;



CVS commit: src/sys/net/npf

2016-12-08 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Dec  8 23:07:12 UTC 2016

Modified Files:
src/sys/net/npf: npf.h npf_conn.c npf_handler.c npf_mbuf.c

Log Message:
NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass them through on other interfaces.  Per discussion with christos@.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf.h
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_conn.c \
src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.48
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.48 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -116,8 +116,8 @@ void *		nbuf_ensure_contig(nbuf_t *, siz
 void *		nbuf_ensure_writable(nbuf_t *, size_t);
 
 bool		nbuf_cksum_barrier(nbuf_t *, int);
-int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
-int		nbuf_find_tag(nbuf_t *, uint32_t, void **);
+int		nbuf_add_tag(nbuf_t *, uint32_t);
+int		nbuf_find_tag(nbuf_t *, uint32_t *);
 
 /*
  * Packet information cache.
@@ -259,8 +259,8 @@ bool		npf_autounload_p(void);
 #define	NPF_LAYER_2			2
 #define	NPF_LAYER_3			3
 
-/* XXX mbuf.h: just for now. */
-#define	PACKET_TAG_NPF			10
+/* Packet tags. */
+#define	NPF_NTAG_PASS			0x0001
 
 /*
  * Rule commands (non-ioctl).

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.16 src/sys/net/npf/npf_conn.c:1.17
--- src/sys/net/npf/npf_conn.c:1.16	Thu Feb  5 22:04:03 2015
+++ src/sys/net/npf/npf_conn.c	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius 
@@ -99,7 +99,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $");
 
 #include 
 #include 
@@ -432,11 +432,21 @@ npf_conn_inspect(npf_cache_t *npc, const
 	ok = npf_state_inspect(npc, >c_state, forw);
 	mutex_exit(>c_lock);
 
+	/* If invalid state: let the rules deal with it. */
 	if (__predict_false(!ok)) {
-		/* Invalid: let the rules deal with it. */
 		npf_conn_release(con);
 		npf_stats_inc(NPF_STAT_INVALID_STATE);
-		con = NULL;
+		return NULL;
+	}
+
+	/*
+	 * If this is multi-end state, then specially tag the packet
+	 * so it will be just passed-through on other interfaces.
+	 */
+	if (con->c_ifid == 0 && nbuf_add_tag(nbuf, NPF_NTAG_PASS) != 0) {
+		npf_conn_release(con);
+		*error = ENOMEM;
+		return NULL;
 	}
 	return con;
 }
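Review bot: The tag-failure branch hard-codes `*error = ENOMEM` although nbuf_add_tag() is described in npf_mbuf.c as returning an errno; keeping the return value in a local and assigning `*error = ret;` avoids misreporting the cause. This branch returns NULL with `*error` set, while the invalid-state branch above returns NULL and leaves `*error` untouched, so the comment should state that a tagging failure is meant to fail the packet rather than hand it to the rules. How the caller treats a non-zero `*error` is outside the hunk and should be confirmed. npf_conn_inspect() starts outside the hunk.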
Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.16 src/sys/net/npf/npf_mbuf.c:1.17
--- src/sys/net/npf/npf_mbuf.c:1.16	Fri Mar 18 10:09:46 2016
+++ src/sys/net/npf/npf_mbuf.c	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $	*/
+/*	$NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $");
 
 #include 
 #include 
@@ -274,7 +274,7 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di)
  * => Returns 0 on success or errno on failure.
  */
 int
-nbuf_add_tag(nbuf_t *nbuf, uint32_t key, uint32_t val)
+nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
 {
 	struct mbuf *m = nbuf->nb_mbuf0;
 	struct m_tag *mt;
@@ -298,7 +298,7 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t key,
  * => Returns 0 on success or errno on failure.
  */
 int
-nbuf_find_tag(nbuf_t *nbuf, uint32_t key, void **data)
+nbuf_find_tag(nbuf_t *nbuf, uint32_t *val)
 {
 	struct mbuf *m = nbuf->nb_mbuf0;
 	struct m_tag *mt;
@@ -309,6 +309,6 @@ nbuf_find_tag(nbuf_t *nbuf, uint32_t key
 	if (mt == NULL) {
 		return EINVAL;
 	}
-	*data = (void *)(mt + 1);
+	*val = *(uint32_t *)(mt + 1);
 	return 0;
 }
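Review bot: `*val = *(uint32_t *)(mt + 1);` reads four bytes past the tag header without checking that the tag found carries a payload of that size. The matching allocation in nbuf_add_tag() is outside this hunk, so this presumably holds today. Per the commit log the value now decides whether a packet is passed through on other interfaces, so an assertion such as `KASSERT(mt->m_tag_len == sizeof(uint32_t));` before the read would document and enforce the assumption. nbuf_find_tag() starts outside the hunk.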

Index: src/sys/net/npf/npf_handler.c
diff -u src/sys/net/npf/npf_handler.c:1.33 src/sys/net/npf/npf_handler.c:1.34
--- src/sys/net/npf/npf_handler.c:1.33	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf_handler.c	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_handler.c,v 1.33 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.34 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include 
-__KERNEL_

CVS commit: src/usr.sbin/npf

2015-07-12 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jul 12 23:54:44 UTC 2015

Modified Files:
src/usr.sbin/npf: npf.7
src/usr.sbin/npf/npfctl: npf_var.c

Log Message:
- npfvar_get_type1: check for NULL first.
- Minor fix for the npf(7) man page.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npf.7
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npfctl/npf_var.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npf.7
diff -u src/usr.sbin/npf/npf.7:1.2 src/usr.sbin/npf/npf.7:1.3
--- src/usr.sbin/npf/npf.7:1.2	Sun Aug 10 19:09:43 2014
+++ src/usr.sbin/npf/npf.7	Sun Jul 12 23:54:43 2015
@@ -1,4 +1,4 @@
-.\	$NetBSD: npf.7,v 1.2 2014/08/10 19:09:43 rmind Exp $
+.\	$NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $
 .\
 .\ Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\ POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd August 2, 2014
+.Dd July 13, 2015
 .Dt NPF 7
 .Os
 .Sh NAME
@@ -69,7 +69,7 @@ Traffic normalization (extension).
 Packet logging (extension).
 .El
 .Pp
-For a full set features and their description, see the NPF
+For a full set of features and their description, see the NPF
 documentation and other manual pages.
 .\ -
 .Sh SEE ALSO

Index: src/usr.sbin/npf/npfctl/npf_var.c
diff -u src/usr.sbin/npf/npfctl/npf_var.c:1.8 src/usr.sbin/npf/npfctl/npf_var.c:1.9
--- src/usr.sbin/npf/npfctl/npf_var.c:1.8	Tue Nov 19 00:28:41 2013
+++ src/usr.sbin/npf/npfctl/npf_var.c	Sun Jul 12 23:54:44 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_var.c,v 1.8 2013/11/19 00:28:41 rmind Exp $	*/
+/*	$NetBSD: npf_var.c,v 1.9 2015/07/12 23:54:44 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_var.c,v 1.8 2013/11/19 00:28:41 rmind Exp $);
+__RCSID($NetBSD: npf_var.c,v 1.9 2015/07/12 23:54:44 rmind Exp $);
 
 #include stdlib.h
 #include string.h
@@ -239,14 +239,14 @@ npfvar_get_type1(const npfvar_t *vp, siz
 {
 	npf_element_t *el;
 
+	if (vp == NULL)
+		return -1;
+
 	if (level = var_num) {
 		yyerror(variable loop for '%s', vp-v_key);
 		return -1;
 	}
 
-	if (vp == NULL)
-		return -1;
-
 	if (vp-v_count = idx) {
 		yyerror(variable '%s' has only %zu elements, requested %zu,
 		vp-v_key, vp-v_count, idx);



CVS commit: src/usr.sbin/npf/npfctl

2015-06-03 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Jun  3 23:36:05 UTC 2015

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl: fix the from/to port mess up when showing the rules.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.18 src/usr.sbin/npf/npfctl/npf_show.c:1.19
--- src/usr.sbin/npf/npfctl/npf_show.c:1.18	Sat Mar 21 00:49:07 2015
+++ src/usr.sbin/npf/npfctl/npf_show.c	Wed Jun  3 23:36:05 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.19 2015/06/03 23:36:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $);
+__RCSID($NetBSD: npf_show.c,v 1.19 2015/06/03 23:36:05 rmind Exp $);
 
 #include sys/socket.h
 #include netinet/in.h
@@ -214,14 +214,14 @@ print_portrange(npf_conf_info_t *ctx, co
 	char *p;
 
 	if (ctx-curmark == BM_SRC_PORTS  (ctx-flags  SEEN_SRC) == 0)
-		any_str = to any ;
-	if (ctx-curmark == BM_DST_PORTS  (ctx-flags  SEEN_DST) == 0)
 		any_str = from any ;
+	if (ctx-curmark == BM_DST_PORTS  (ctx-flags  SEEN_DST) == 0)
+		any_str = to any ;
 
 	if (fport != tport) {
-		easprintf(p, %s%u:%u, any_str, fport, tport);
+		easprintf(p, %sport %u:%u, any_str, fport, tport);
 	} else {
-		easprintf(p, %s%u, any_str, fport);
+		easprintf(p, %sport %u, any_str, fport);
 	}
 	return p;
 }
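Review bot: The choice of `any_str` depends on `ctx->flags` already holding SEEN_SRC or SEEN_DST when the port mark is printed, that is, on address marks being processed before port marks within one filter; that ordering is decided outside this hunk. A comment above the two `if` statements should say so, for example `/* Address marks precede port marks, so the SEEN_* bits are final here. */`, if that is indeed guaranteed. Without it a change in scan order would make the displayed rule differ from the loaded one with no error. print_portrange() starts outside the hunk.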
@@ -271,11 +271,11 @@ static const struct mark_keyword_mapent 
 
 	{ BM_SRC_CIDR,	from %s,	, , SEEN_SRC,	print_address,	6 },
 	{ BM_SRC_TABLE,	from %s,	NULL, SEEN_SRC,	print_table,	1 },
-	{ BM_SRC_PORTS,	port %s,	, , 0,	print_portrange,2 },
+	{ BM_SRC_PORTS,	%s,		, , 0,	print_portrange,2 },
 
 	{ BM_DST_CIDR,	to %s,	, , SEEN_DST,	print_address,	6 },
 	{ BM_DST_TABLE,	to %s,	NULL, SEEN_DST,	print_table,	1 },
-	{ BM_DST_PORTS,	port %s,	, , 0,	print_portrange,2 },
+	{ BM_DST_PORTS,	%s,		, , 0,	print_portrange,2 },
 };
 
 static const char * __attribute__((format_arg(2)))
@@ -351,6 +351,7 @@ npfctl_print_filter(npf_conf_info_t *ctx
 		pcap-filter \...\ : unrecognized-bytecode);
 		return;
 	}
+	ctx-flags = 0;
 
 	/*
 	 * BPF filter criteria described by the byte-code marks.



CVS commit: src/sys/uvm

2015-05-27 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed May 27 19:43:40 UTC 2015

Modified Files:
src/sys/uvm: uvm_bio.c

Log Message:
ubc_alloc: perform pmap_update() in the error path as we might have
removed the mapping.


To generate a diff of this commit:
cvs rdiff -u -r1.82 -r1.83 src/sys/uvm/uvm_bio.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/uvm/uvm_bio.c
diff -u src/sys/uvm/uvm_bio.c:1.82 src/sys/uvm/uvm_bio.c:1.83
--- src/sys/uvm/uvm_bio.c:1.82	Fri Sep  5 09:24:21 2014
+++ src/sys/uvm/uvm_bio.c	Wed May 27 19:43:40 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: uvm_bio.c,v 1.82 2014/09/05 09:24:21 matt Exp $	*/
+/*	$NetBSD: uvm_bio.c,v 1.83 2015/05/27 19:43:40 rmind Exp $	*/
 
 /*
  * Copyright (c) 1998 Chuck Silvers.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: uvm_bio.c,v 1.82 2014/09/05 09:24:21 matt Exp $);
+__KERNEL_RCSID(0, $NetBSD: uvm_bio.c,v 1.83 2015/05/27 19:43:40 rmind Exp $);
 
 #include opt_uvmhist.h
 #include opt_ubc.h
@@ -581,6 +581,10 @@ again_faultbusy:
 		npages, 0, VM_PROT_READ | VM_PROT_WRITE, advice, gpflags);
 		UVMHIST_LOG(ubchist, faultbusy getpages %d, error, 0, 0, 0);
 		if (error) {
+			/*
+			 * Flush: the mapping above might have been removed.
+			 */
+			pmap_update(pmap_kernel());
 			goto out;
 		}
 		for (i = 0; i  npages; i++) {



CVS commit: src/sys/net/npf

2015-03-20 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Mar 20 23:36:28 UTC 2015

Modified Files:
src/sys/net/npf: npf_ctl.c npf_ruleset.c

Log Message:
NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.40 src/sys/net/npf/npf_ctl.c:1.41
--- src/sys/net/npf/npf_ctl.c:1.40	Sun Aug 24 20:36:30 2014
+++ src/sys/net/npf/npf_ctl.c	Fri Mar 20 23:36:28 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.41 2015/03/20 23:36:28 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.41 2015/03/20 23:36:28 rmind Exp $);
 
 #include sys/param.h
 #include sys/conf.h
@@ -778,6 +778,9 @@ npfctl_rule(u_long cmd, void *data)
 	}
 	case NPF_CMD_RULE_LIST: {
 		retdict = npf_ruleset_list(rlset, ruleset_name);
+		if (!retdict) {
+			error = ESRCH;
+		}
 		break;
 	}
 	case NPF_CMD_RULE_FLUSH: {
@@ -797,6 +800,7 @@ npfctl_rule(u_long cmd, void *data)
 	npf_config_exit();
 
 	if (rl) {
+		KASSERT(error);
 		npf_rule_free(rl);
 	}
 out:
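Review bot: `KASSERT(error);` only documents the invariant that a rule still held in `rl` at this point was not inserted; in a kernel built without DIAGNOSTIC the assertion compiles away and `npf_rule_free(rl)` runs regardless. If any success path above, outside the hunk, fails to clear `rl` after handing the rule to the ruleset, this would free a rule that is still linked. A short ownership comment such as `/* rl is still ours only if the command failed. */` next to the assertion would make the requirement visible to whoever adds the next command. npfctl_rule() starts and ends outside the hunk.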

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.41 src/sys/net/npf/npf_ruleset.c:1.42
--- src/sys/net/npf/npf_ruleset.c:1.41	Mon Feb  2 00:31:39 2015
+++ src/sys/net/npf/npf_ruleset.c	Fri Mar 20 23:36:28 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.42 2015/03/20 23:36:28 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.42 2015/03/20 23:36:28 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -89,21 +89,24 @@ struct npf_rule {
 	npf_natpolicy_t *	r_natp;
 	npf_rproc_t *		r_rproc;
 
-	/* Rule priority: (highest) 1, 2 ... n (lowest). */
-	pri_t			r_priority;
-
-	/*
-	 * Dynamic group: subset queue and a dynamic group list entry.
-	 * Dynamic rule: entry and the parent rule (the group).
-	 */
 	union {
-		TAILQ_HEAD(npf_ruleq, npf_rule) r_subset;
-		TAILQ_ENTRY(npf_rule)	r_entry;
-	} /* C11 */;
-	union {
-		LIST_ENTRY(npf_rule)	r_dentry;
-		npf_rule_t *		r_parent;
-	} /* C11 */;
+		/*
+		 * Dynamic group: rule subset and a group list entry.
+		 */
+		struct {
+			npf_rule_t *		r_subset;
+			LIST_ENTRY(npf_rule)	r_dentry;
+		};
+
+		/*
+		 * Dynamic rule: priority, parent group and next rule.
+		 */
+		struct {
+			int			r_priority;
+			npf_rule_t *		r_parent;
+			npf_rule_t *		r_next;
+		};
+	};
 
 	/* Rule ID, name and the optional key. */
 	uint64_t		r_id;
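Review bot: `r_priority` moves from a field that every rule had into the dynamic-rule arm of the union, where it now shares storage with the dynamic-group arm (`r_subset`, `r_dentry`), as do `r_parent` and `r_next`. Any reader that touches `r_priority`, `r_parent` or `r_next` without first checking `NPF_DYNAMIC_RULE_P()`, or `r_subset` without `NPF_DYNAMIC_GROUP_P()`, would interpret one arm's data as the other's; such readers are outside this hunk and need checking across the file. The two arm comments could state the requirement directly, e.g. `/* Valid only if NPF_DYNAMIC_GROUP_P(r_attr). */` and `/* Valid only if NPF_DYNAMIC_RULE_P(r_attr). */`.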
@@ -147,19 +150,6 @@ npf_ruleset_create(size_t slots)
 	return rlset;
 }
 
-static void
-npf_ruleset_unlink(npf_ruleset_t *rlset, npf_rule_t *rl)
-{
-	if (NPF_DYNAMIC_GROUP_P(rl-r_attr)) {
-		LIST_REMOVE(rl, r_dentry);
-	}
-	if (NPF_DYNAMIC_RULE_P(rl-r_attr)) {
-		npf_rule_t *rg = rl-r_parent;
-		TAILQ_REMOVE(rg-r_subset, rl, r_entry);
-	}
-	LIST_REMOVE(rl, r_aentry);
-}
-
 void
 npf_ruleset_destroy(npf_ruleset_t *rlset)
 {
@@ -167,7 +157,19 @@ npf_ruleset_destroy(npf_ruleset_t *rlset
 	npf_rule_t *rl;
 
 	while ((rl = LIST_FIRST(rlset-rs_all)) != NULL) {
-		npf_ruleset_unlink(rlset, rl);
+		if (NPF_DYNAMIC_GROUP_P(rl-r_attr)) {
+			/*
+			 * Note: r_subset may point to the rules which
+			 * were inherited by a new ruleset.
+			 */
+			rl-r_subset = NULL;
+			LIST_REMOVE(rl, r_dentry);
+		}
+		if (NPF_DYNAMIC_RULE_P(rl-r_attr)) {
+			/* Not removing from r_subset, see above. */
+			KASSERT(rl-r_parent != NULL);
+		}
+		LIST_REMOVE(rl, r_aentry);
 		npf_rule_free(rl);
 	}
 	KASSERT(LIST_EMPTY(rlset-rs_dynamic));
@@ -222,16 +224,16 @@ npf_ruleset_lookup(npf_ruleset_t *rlset,
 int
 npf_ruleset_add(npf_ruleset_t *rlset, const char *rname, npf_rule_t *rl)
 {
-	npf_rule_t *rg, *it;
-	pri_t priocmd;
+	npf_rule_t *rg, *it, *target;
+	int priocmd;
 
+	if (!NPF_DYNAMIC_RULE_P(rl-r_attr)) {
+		return EINVAL;
+	}
 	rg = npf_ruleset_lookup(rlset, rname);
 	if (rg == NULL) {
 		return ESRCH;
 	}
-	if (!NPF_DYNAMIC_RULE_P(rl-r_attr)) {
-		return EINVAL;
-	}
 
 	/* Dynamic rule - assign a unique ID and save the parent. */
 	rl-r_id = ++rlset-rs_idcnt;
@@ -245,29 +247,32 @@ npf_ruleset_add(npf_ruleset_t *rlset, co
 		rl-r_priority = 0;
 	}
 
+	/*
+	 * WARNING: once rg-subset or 

CVS commit: src/usr.sbin/npf/npfctl

2015-03-20 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Mar 21 00:49:07 UTC 2015

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c npf_show.c

Log Message:
npfctl:
- Fix the filter criteria when to/from is omitted but port used.
- Print more user-friendly error if an NPF table has a duplicate entry.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.38 src/usr.sbin/npf/npfctl/npf_build.c:1.39
--- src/usr.sbin/npf/npfctl/npf_build.c:1.38	Sat May 31 22:41:37 2014
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sat Mar 21 00:49:07 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $);
+__RCSID($NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $);
 
 #include sys/types.h
 #include sys/mman.h
@@ -91,6 +91,10 @@ npfctl_config_send(int fd, const char *o
 	}
 	npf_rule_insert(npf_conf, NULL, defgroup);
 	error = npf_config_submit(npf_conf, fd);
+	if (error == EEXIST) { /* XXX */
+		errx(EXIT_FAILURE, (re)load failed: 
+		some table has a duplicate entry?);
+	}
 	if (error) {
 		nl_error_t ne;
 		_npf_config_error(npf_conf, ne);
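Review bot: The new `EEXIST` branch exits through `errx()` before the existing `if (error)` block can fetch the detailed error, and its message is, by its own `XXX` and question mark, a guess at the cause. If npf_config_submit() can return EEXIST for anything other than a duplicate table entry, which is not visible here, the operator gets a misleading diagnosis for a failed firewall reload. Printing the hint with `warnx()` and falling through to the `if (error)` block would keep both the hint and the detailed report. npfctl_config_send() starts and ends outside the hunk.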

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.17 src/usr.sbin/npf/npfctl/npf_show.c:1.18
--- src/usr.sbin/npf/npfctl/npf_show.c:1.17	Mon Feb  2 19:08:32 2015
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sat Mar 21 00:49:07 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $);
+__RCSID($NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $);
 
 #include sys/socket.h
 #include netinet/in.h
@@ -53,13 +53,22 @@ __RCSID($NetBSD: npf_show.c,v 1.17 2015
 
 #include npfctl.h
 
+#define	SEEN_SRC	0x01
+#define	SEEN_DST	0x02
+
 typedef struct {
 	nl_config_t *	conf;
 	FILE *		fp;
 	long		fpos;
+	u_int		flags;
+	uint32_t	curmark;
 } npf_conf_info_t;
 
-static npf_conf_info_t	stdout_ctx = { .fp = stdout, .fpos = 0 };
+static npf_conf_info_t	stdout_ctx = {
+	.fp = stdout,
+	.fpos = 0,
+	.flags = 0
+};
 
 static void	print_indent(npf_conf_info_t *, u_int);
 static void	print_linesep(npf_conf_info_t *);
@@ -201,12 +210,18 @@ static char *
 print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
 {
 	u_int fport = words[0], tport = words[1];
+	const char *any_str = ;
 	char *p;
 
+	if (ctx-curmark == BM_SRC_PORTS  (ctx-flags  SEEN_SRC) == 0)
+		any_str = to any ;
+	if (ctx-curmark == BM_DST_PORTS  (ctx-flags  SEEN_DST) == 0)
+		any_str = from any ;
+
 	if (fport != tport) {
-		easprintf(p, %u:%u, fport, tport);
+		easprintf(p, %s%u:%u, any_str, fport, tport);
 	} else {
-		easprintf(p, %u, fport);
+		easprintf(p, %s%u, any_str, fport);
 	}
 	return p;
 }
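Review bot: The two `any_str` assignments look inverted: a source-port mark with no source address seen gets `to any` and a destination-port mark gets `from any`. The table entries in the next hunk still supply the `port` keyword themselves, so the inserted text would also land after that keyword rather than before it. Revision 1.19 of this file, shown elsewhere on this page, swaps the two strings and moves `port` into print_portrange(), which supports that reading. This output is what an administrator reads to audit the loaded ruleset, so a test that round-trips a port-only rule through show and parse would catch this class of error.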
@@ -244,22 +259,23 @@ static const struct mark_keyword_mapent 
 	u_int		mark;
 	const char *	token;
 	const char *	sep;
+	u_int		set_flags;
 	char *		(*printfn)(npf_conf_info_t *, const uint32_t *);
 	u_int		fwords;
 } mark_keyword_map[] = {
-	{ BM_IPVER,	family %s,	NULL,		print_family,	1 },
-	{ BM_PROTO,	proto %s,	, ,		print_proto,	1 },
-	{ BM_TCPFL,	flags %s,	NULL,		print_tcpflags,	2 },
-	{ BM_ICMP_TYPE,	icmp-type %s,	NULL,		print_number,	1 },
-	{ BM_ICMP_CODE,	code %s,	NULL,		print_number,	1 },
-
-	{ BM_SRC_CIDR,	from %s,	, ,		print_address,	6 },
-	{ BM_SRC_TABLE,	from %s,	NULL,		print_table,	1 },
-	{ BM_SRC_PORTS,	port %s,	, ,		print_portrange,2 },
-
-	{ BM_DST_CIDR,	to %s,	, ,		print_address,	6 },
-	{ BM_DST_TABLE,	to %s,	NULL,		print_table,	1 },
-	{ BM_DST_PORTS,	port %s,	, ,		print_portrange,2 },
+	{ BM_IPVER,	family %s,	NULL, 0,	print_family,	1 },
+	{ BM_PROTO,	proto %s,	, , 0,	print_proto,	1 },
+	{ BM_TCPFL,	flags %s,	NULL, 0,	print_tcpflags,	2 },
+	{ BM_ICMP_TYPE,	icmp-type %s,	NULL, 0,	print_number,	1 },
+	{ BM_ICMP_CODE,	code %s,	NULL, 0,	print_number,	1 },
+
+	{ BM_SRC_CIDR,	from %s,	, , SEEN_SRC,	print_address,	6 },
+	{ BM_SRC_TABLE,	from %s,	NULL, SEEN_SRC,	print_table,	1 },
+	{ BM_SRC_PORTS,	port %s,	, , 0,	print_portrange,2 },
+
+	{ BM_DST_CIDR,	to %s,	, , SEEN_DST,	print_address,	6 },
+	{ BM_DST_TABLE,	to %s,	NULL, SEEN_DST,	print_table,	1 },
+	{ BM_DST_PORTS,	port %s,	, , 0,	print_portrange,2 },
 };
 
 static const char * __attribute__((format_arg(2)))
@@ -285,6 +301,10 @@ scan_marks(npf_conf_info_t 

CVS commit: src/sys/net/npf

2015-02-05 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Feb  5 22:04:03 UTC 2015

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
npf_conn_establish: fix the previous change - drop the reference on error.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.15 src/sys/net/npf/npf_conn.c:1.16
--- src/sys/net/npf/npf_conn.c:1.15	Sun Feb  1 22:41:22 2015
+++ src/sys/net/npf/npf_conn.c	Thu Feb  5 22:04:03 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -528,8 +528,8 @@ err:
 	 * here since there might be references acquired already.
 	 */
 	if (error) {
-		const u_int dflags = CONN_REMOVED | CONN_EXPIRE;
-		atomic_or_uint(con-c_flags, dflags);
+		atomic_or_uint(con-c_flags, CONN_REMOVED | CONN_EXPIRE);
+		atomic_dec_uint(con-c_refcnt);
 		npf_stats_inc(NPF_STAT_RACE_CONN);
 	} else {
 		NPF_PRINTF((NPF: establish conn %p\n, con));
@@ -569,6 +569,8 @@ npf_conn_destroy(npf_conn_t *con)
 /*
  * npf_conn_setnat: associate NAT entry with the connection, update and
  * re-insert connection entry using the translation values.
+ *
+ * = The caller must be holding a reference.
  */
 int
 npf_conn_setnat(const npf_cache_t *npc, npf_conn_t *con,



CVS commit: src/usr.sbin/npf/npfctl

2015-02-02 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Feb  2 19:08:32 UTC 2015

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl_print_rule: print the ID in hex, not decimal.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.16 src/usr.sbin/npf/npfctl/npf_show.c:1.17
--- src/usr.sbin/npf/npfctl/npf_show.c:1.16	Mon Feb  2 00:31:39 2015
+++ src/usr.sbin/npf/npfctl/npf_show.c	Mon Feb  2 19:08:32 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $);
+__RCSID($NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $);
 
 #include sys/socket.h
 #include netinet/in.h
@@ -388,7 +388,7 @@ npfctl_print_rule(npf_conf_info_t *ctx, 
 	/* If dynamic rule - print its ID. */
 	if ((attr  NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) {
 		uint64_t id = npf_rule_getid(rl);
-		fprintf(ctx-fp, # id = \% PRIu64 \ , id);
+		fprintf(ctx-fp, # id = \% PRIx64 \ , id);
 	}
 
 	fputs(\n, ctx-fp);
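Review bot: The rule ID is now printed in hexadecimal but, as far as the hunk shows, without a `0x` prefix, so an ID such as 10 looks the same as the decimal value the previous revision printed. Writing the prefix in the format string, or using the `#` flag with `PRIx64`, makes the base unambiguous for anyone copying the ID back into a rule-removal command. npfctl_print_rule() starts outside the hunk.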



CVS commit: src/sys/net/npf

2015-02-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Feb  1 22:41:22 UTC 2015

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
- npf_conn_establish: remove a rare race condition when we might destroy a
  connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.14 src/sys/net/npf/npf_conn.c:1.15
--- src/sys/net/npf/npf_conn.c:1.14	Sat Dec 20 16:19:43 2014
+++ src/sys/net/npf/npf_conn.c	Sun Feb  1 22:41:22 2015
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
+ * Copyright (c) 2014-2015 Mindaugas Rasiukevicius rmind at netbsd org
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.15 2015/02/01 22:41:22 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -369,7 +369,6 @@ npf_conn_lookup(const npf_cache_t *npc, 
 	/* Check if connection is active and not expired. */
 	flags = con-c_flags;
 	ok = (flags  (CONN_ACTIVE | CONN_EXPIRE)) == CONN_ACTIVE;
-
 	if (__predict_false(!ok)) {
 		atomic_dec_uint(con-c_refcnt);
 		return NULL;
@@ -453,6 +452,7 @@ npf_conn_establish(npf_cache_t *npc, int
 {
 	const nbuf_t *nbuf = npc-npc_nbuf;
 	npf_conn_t *con;
+	int error = 0;
 
 	KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));
 
@@ -468,16 +468,16 @@ npf_conn_establish(npf_cache_t *npc, int
 	NPF_PRINTF((NPF: create conn %p\n, con));
 	npf_stats_inc(NPF_STAT_CONN_CREATE);
 
-	/* Reference count and flags (indicate direction). */
 	mutex_init(con-c_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 	con-c_flags = (di  PFIL_ALL);
-	con-c_refcnt = 1;
+	con-c_refcnt = 0;
 	con-c_rproc = NULL;
 	con-c_nat = NULL;
 
-	/* Initialize protocol state. */
+	/* Initialize the protocol state. */
 	if (!npf_state_init(npc, con-c_state)) {
-		goto err;
+		npf_conn_destroy(con);
+		return NULL;
 	}
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
@@ -488,45 +488,65 @@ npf_conn_establish(npf_cache_t *npc, int
 	 * Construct forwards and backwards keys.  Also, set the
 	 * interface ID for this connection (unless it is global).
 	 */
-	if (!npf_conn_conkey(npc, fw, true)) {
-		goto err;
-	}
-	if (!npf_conn_conkey(npc, bk, false)) {
-		goto err;
+	if (!npf_conn_conkey(npc, fw, true) ||
+	!npf_conn_conkey(npc, bk, false)) {
+		npf_conn_destroy(con);
+		return NULL;
 	}
 	fw-ck_backptr = bk-ck_backptr = con;
 	con-c_ifid = per_if ? nbuf-nb_ifid : 0;
 	con-c_proto = npc-npc_proto;
 
-	/* Set last activity time for a new connection. */
+	/*
+	 * Set last activity time for a new connection and acquire
+	 * a reference for the caller before we make it visible.
+	 */
 	getnanouptime(con-c_atime);
+	con-c_refcnt = 1;
 
 	/*
 	 * Insert both keys (entries representing directions) of the
-	 * connection.  At this point, it becomes visible.
+	 * connection.  At this point it becomes visible, but we activate
+	 * the connection later.
 	 */
+	mutex_enter(con-c_lock);
 	if (!npf_conndb_insert(conn_db, fw, con)) {
+		error = EISCONN;
 		goto err;
 	}
 	if (!npf_conndb_insert(conn_db, bk, con)) {
-		/* We have hit the duplicate. */
-		npf_conndb_remove(conn_db, fw);
-		npf_stats_inc(NPF_STAT_RACE_CONN);
+		npf_conn_t *ret __diagused;
+		ret = npf_conndb_remove(conn_db, fw);
+		KASSERT(ret == con);
+		error = EISCONN;
 		goto err;
 	}
+err:
+	/*
+	 * If we have hit the duplicate: mark the connection as expired
+	 * and let the G/C thread to take care of it.  We cannot do it
+	 * here since there might be references acquired already.
+	 */
+	if (error) {
+		const u_int dflags = CONN_REMOVED | CONN_EXPIRE;
+		atomic_or_uint(con-c_flags, dflags);
+		npf_stats_inc(NPF_STAT_RACE_CONN);
+	} else {
+		NPF_PRINTF((NPF: establish conn %p\n, con));
+	}
 
 	/* Finally, insert into the connection list. */
-	NPF_PRINTF((NPF: establish conn %p\n, con));
 	npf_conndb_enqueue(conn_db, con);
-	return con;
-err:
-	npf_conn_destroy(con);
-	return NULL;
+	mutex_exit(con-c_lock);
+
+	return error ? NULL : con;
 }
 
 static void
 npf_conn_destroy(npf_conn_t *con)
 {
+	KASSERT(con-c_refcnt == 0);
+
 	if (con-c_nat) {
 		/* Release any NAT structures. */
 		npf_nat_destroy(con-c_nat);
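Review bot: On the duplicate path, where `error` is set after a failed `npf_conndb_insert()`, the function returns NULL but leaves `c_refcnt` at the 1 taken for the caller. Nobody can release that reference, and the G/C thread the new comment relies on would presumably never see the count reach zero. The `if (error)` block should drop it, e.g. `atomic_dec_uint(&con->c_refcnt);`, which is what revision 1.16 on this page adds. The new `KASSERT(con->c_refcnt == 0)` in npf_conn_destroy() states the same requirement from the other side.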
@@ -582,6 +602,8 @@ npf_conn_setnat(const npf_cache_t *npc, 
 		mutex_exit(con-c_lock);
 		return EINVAL;
 	}
+	KASSERT((con-c_flags  CONN_REMOVED) == 0);
+
 	if (__predict_false(con-c_nat != NULL)) {
 		/* Race

CVS commit: src/usr.sbin/npf/npfctl

2015-02-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Feb  1 22:57:22 UTC 2015

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): mention alg, include in the example, minor fix.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.43 src/usr.sbin/npf/npfctl/npf.conf.5:1.44
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.43	Fri Dec 26 22:44:54 2014
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Feb  1 22:57:21 2015
@@ -1,6 +1,6 @@
-.\$NetBSD: npf.conf.5,v 1.43 2014/12/26 22:44:54 christos Exp $
+.\$NetBSD: npf.conf.5,v 1.44 2015/02/01 22:57:21 rmind Exp $
 .\
-.\ Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
+.\ Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
 .\ All rights reserved.
 .\
 .\ This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\ POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd December 26, 2014
+.Dd February 1, 2015
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -232,7 +232,8 @@ is more flexible.
 ; Syntax of a single line.  Lines can be separated by LF (\\n) or
 ; a semicolon.  Comments start with a hash (#) character.
 
-syntax		= var-def | table-def | map | group | rproc | comment
+syntax		= var-def | set-param | alg | table-def |
+		  map | group | rproc | comment
 
 ; Variable definition.  Names can be alpha-numeric, including _ character.
 
@@ -240,8 +241,12 @@ var-name	= $ . string
 interface	= interface-name | var-name
 var-def		= var = ( var-value | { value *[ , value ] } )
 
-; Parameter setting
-set-statement	= set parameter value
+; Parameter setting.
+set-param	= set param-value
+
+; Application level gateway.  The name should be in the double quotes.
+
+alg		= alg alg-name
 
 ; Table definition.  Table ID shall be numeric.  Path is in the double quotes.
 
@@ -306,8 +311,8 @@ directory containing further examples
 .\ -
 .Sh EXAMPLES
 .Bd -literal
-$ext_if = { inet4(wm0), inet6(wm0) }
-$int_if = { inet4(wm1), inet6(wm1) }
+$ext_if = { inet4(wm0) }
+$int_if = { inet4(wm1) }
 
 table blacklist type hash file /etc/npf_blacklist
 table limited type tree dynamic
@@ -316,6 +321,8 @@ $services_tcp = { http, https, smtp, dom
 $services_udp = { domain, ntp, 6000 }
 $localnet = { 10.1.1.0/24 }
 
+alg icmp
+
 # Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
 map $ext_if dynamic 10.1.1.0/24 - $ext_if



CVS commit: src

2015-02-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Feb  2 00:31:39 UTC 2015

Modified Files:
src/sys/net/npf: npf_impl.h npf_ruleset.c
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl(8): report dynamic rule ID in a comment, print the case when libpcap
is used correctly.  Also, add npf_ruleset_dump() helper in the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.60 src/sys/net/npf/npf_impl.h:1.61
--- src/sys/net/npf/npf_impl.h:1.60	Sun Nov 30 01:37:53 2014
+++ src/sys/net/npf/npf_impl.h	Mon Feb  2 00:31:39 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.61 2015/02/02 00:31:39 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -344,6 +344,7 @@ prop_array_t	npf_alg_export(void);
 const char *	npf_addr_dump(const npf_addr_t *, int);
 void		npf_state_dump(const npf_state_t *);
 void		npf_nat_dump(const npf_nat_t *);
+void		npf_ruleset_dump(const char *);
 void		npf_state_setsampler(void (*)(npf_state_t *, bool));
 
 #endif	/* _NPF_IMPL_H_ */

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.40 src/sys/net/npf/npf_ruleset.c:1.41
--- src/sys/net/npf/npf_ruleset.c:1.40	Sun Nov 30 01:37:53 2014
+++ src/sys/net/npf/npf_ruleset.c	Mon Feb  2 00:31:39 2015
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -936,3 +936,25 @@ npf_rule_conclude(const npf_rule_t *rl, 
 	*retfl = rl-r_attr;
 	return (rl-r_attr  NPF_RULE_PASS) ? 0 : ENETUNREACH;
 }
+
+
+#if defined(DDB) || defined(_NPF_TESTING)
+
+void
+npf_ruleset_dump(const char *name)
+{
+	npf_ruleset_t *rlset = npf_config_ruleset();
+	npf_rule_t *rg, *rl;
+
+	LIST_FOREACH(rg, rlset-rs_dynamic, r_dentry) {
+		printf(ruleset '%s':\n, rg-r_name);
+		TAILQ_FOREACH(rl, rg-r_subset, r_entry) {
+			printf(\tid %PRIu64, key: , rl-r_id);
+			for (u_int i = 0; i  NPF_RULE_MAXKEYLEN; i++)
+printf(%x, rl-r_key[i]);
+			printf(\n);
+		}
+	}
+}
+
+#endif
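Review bot: The `name` parameter of npf_ruleset_dump() is never read in the added body, so the helper prints every dynamic group instead of the one requested; either filter with `if (name && strcmp(rg->r_name, name) != 0) continue;` or drop the parameter from the prototype. The key bytes are printed with a bare `%x`, which makes the dump ambiguous (bytes 0x01,0x10 and 0x11,0x00 both render as "110"); `printf("%02x", rl->r_key[i]);` keeps two digits per byte. A short header comment saying that this is a DDB/_NPF_TESTING-only helper, and what locking the caller must hold while the dynamic list is walked, would complete it.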

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.15 src/usr.sbin/npf/npfctl/npf_show.c:1.16
--- src/usr.sbin/npf/npfctl/npf_show.c:1.15	Sun Jul 20 00:48:51 2014
+++ src/usr.sbin/npf/npfctl/npf_show.c	Mon Feb  2 00:31:39 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $);
+__RCSID($NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $);
 
 #include sys/socket.h
 #include netinet/in.h
@@ -316,10 +316,25 @@ static void
 npfctl_print_filter(npf_conf_info_t *ctx, nl_rule_t *rl)
 {
 	const void *marks;
-	size_t mlen;
+	size_t mlen, len;
+	const void *code;
+	int type;
 
-	/* BPF filter criteria described by the byte-code marks. */
 	marks = npf_rule_getinfo(rl, mlen);
+	if (!marks  (code = npf_rule_getcode(rl, type, len)) != NULL) {
+		/*
+		 * No marks, but the byte-code is present.  This must
+		 * have been filled by libpcap(3) or possibly an unknown
+		 * to us byte-code.
+		 */
+		fprintf(ctx-fp, %s , type == NPF_CODE_BPF ?
+		pcap-filter \...\ : unrecognized-bytecode);
+		return;
+	}
+
+	/*
+	 * BPF filter criteria described by the byte-code marks.
+	 */
 	for (u_int i = 0; i  __arraycount(mark_keyword_map); i++) {
 		const struct mark_keyword_mapent *mk = mark_keyword_map[i];
 		char *val;
@@ -356,7 +371,7 @@ npfctl_print_rule(npf_conf_info_t *ctx, 
 		fprintf(ctx-fp, on %s , ifname);
 	}
 
-	if ((attr  (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)) == NPF_RULE_GROUP) {
+	if ((attr  NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP) {
 		/* Group; done. */
 		fputs(\n, ctx-fp);
 		return;
@@ -367,8 +382,15 @@ npfctl_print_rule(npf_conf_info_t *ctx, 
 
 	/* Rule procedure. */
 	if ((rproc = npf_rule_getproc(rl)) != NULL) {
-		fprintf(ctx-fp, apply \%s\, rproc);
+		fprintf(ctx-fp, apply \%s\ , rproc);
+	}
+
+	/* If dynamic rule - print its ID. */
+	

CVS commit: src/lib/libnpf

2015-02-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Feb  2 00:55:28 UTC 2015

Modified Files:
src/lib/libnpf: npf.c npf.h

Log Message:
libnpf: add npf_rule_getid() and npf_rule_getcode().
Missed in the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/lib/libnpf/npf.c
cvs rdiff -u -r1.27 -r1.28 src/lib/libnpf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.34 src/lib/libnpf/npf.c:1.35
--- src/lib/libnpf/npf.c:1.34	Sun Aug 24 20:37:35 2014
+++ src/lib/libnpf/npf.c	Mon Feb  2 00:55:28 2015
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.35 2015/02/02 00:55:28 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2015 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf.c,v 1.35 2015/02/02 00:55:28 rmind Exp $);
 
 #include sys/types.h
 #include netinet/in_systm.h
@@ -715,6 +715,27 @@ npf_rule_getproc(nl_rule_t *rl)
 	return rpname;
 }
 
+uint64_t
+npf_rule_getid(nl_rule_t *rl)
+{
+	prop_dictionary_t rldict = rl-nrl_dict;
+	uint64_t id = 0;
+
+	(void)prop_dictionary_get_uint64(rldict, id, id);
+	return id;
+}
+
+const void *
+npf_rule_getcode(nl_rule_t *rl, int *type, size_t *len)
+{
+	prop_dictionary_t rldict = rl-nrl_dict;
+	prop_object_t obj = prop_dictionary_get(rldict, code);
+
+	prop_dictionary_get_uint32(rldict, code-type, (uint32_t *)type);
+	*len = prop_data_size(obj);
+	return prop_data_data_nocopy(obj);
+}
+
 int
 _npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf)
 {
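Review bot: npf_rule_getcode() ignores the result of prop_dictionary_get_uint32(), so `*type` is left untouched when the rule dictionary has no "code-type" entry and the caller then compares whatever was in its own variable. The `(uint32_t *)type` cast also writes through an `int *` as if it were a `uint32_t *`. Reading into a local avoids both: `uint32_t t = 0;`, `(void)prop_dictionary_get_uint32(rldict, "code-type", &t);`, `*type = (int)t;`. A header comment should state that the returned pointer refers to storage owned by the rule dictionary (it comes from `prop_data_data_nocopy()`) and what is returned when no "code" object is present; that the proplib accessors tolerate a NULL object is assumed here and worth confirming.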

Index: src/lib/libnpf/npf.h
diff -u src/lib/libnpf/npf.h:1.27 src/lib/libnpf/npf.h:1.28
--- src/lib/libnpf/npf.h:1.27	Wed Jul 23 01:25:34 2014
+++ src/lib/libnpf/npf.h	Mon Feb  2 00:55:28 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.27 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.28 2015/02/02 00:55:28 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -129,6 +129,8 @@ uint32_t	npf_rule_getattr(nl_rule_t *);
 const char *	npf_rule_getinterface(nl_rule_t *);
 const void *	npf_rule_getinfo(nl_rule_t *, size_t *);
 const char *	npf_rule_getproc(nl_rule_t *);
+uint64_t	npf_rule_getid(nl_rule_t *);
+const void *	npf_rule_getcode(nl_rule_t *, int *, size_t *);
 
 nl_table_t *	npf_table_iterate(nl_config_t *);
 const char *	npf_table_getname(nl_table_t *);



CVS commit: src/sys

2015-01-18 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jan 18 23:16:35 UTC 2015

Modified Files:
src/sys/kern: subr_ipi.c
src/sys/sys: ipi.h

Log Message:
Implement ipi_trigger_multi(9); requested by cherry@.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/kern/subr_ipi.c
cvs rdiff -u -r1.2 -r1.3 src/sys/sys/ipi.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_ipi.c
diff -u src/sys/kern/subr_ipi.c:1.2 src/sys/kern/subr_ipi.c:1.3
--- src/sys/kern/subr_ipi.c:1.2	Sun May 25 15:34:19 2014
+++ src/sys/kern/subr_ipi.c	Sun Jan 18 23:16:35 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_ipi.c,v 1.2 2014/05/25 15:34:19 rmind Exp $	*/
+/*	$NetBSD: subr_ipi.c,v 1.3 2015/01/18 23:16:35 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: subr_ipi.c,v 1.2 2014/05/25 15:34:19 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: subr_ipi.c,v 1.3 2015/01/18 23:16:35 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -45,6 +45,7 @@ __KERNEL_RCSID(0, $NetBSD: subr_ipi.c,v
 #include sys/evcnt.h
 #include sys/cpu.h
 #include sys/ipi.h
+#include sys/intr.h
 #include sys/kcpuset.h
 #include sys/kmem.h
 #include sys/lock.h
@@ -188,6 +189,35 @@ ipi_trigger(u_int ipi_id, struct cpu_inf
 }
 
 /*
+ * ipi_trigger_multi: same as ipi_trigger() but sends to the multiple
+ * CPUs given the target CPU set.
+ */
+void
+ipi_trigger_multi(u_int ipi_id, const kcpuset_t *target)
+{
+	const cpuid_t selfid = cpu_index(curcpu());
+	CPU_INFO_ITERATOR cii;
+	struct cpu_info *ci;
+
+	KASSERT(kpreempt_disabled());
+	KASSERT(target != NULL);
+
+	for (CPU_INFO_FOREACH(cii, ci)) {
+		const cpuid_t cpuid = cpu_index(ci);
+
+		if (!kcpuset_isset(target, cpuid) || cpuid == selfid) {
+			continue;
+		}
+		ipi_trigger(ipi_id, ci);
+	}
+	if (kcpuset_isset(target, selfid)) {
+		int s = splhigh();
+		ipi_cpu_handler();
+		splx(s);
+	}
+}
+
+/*
  * put_msg: insert message into the mailbox.
  */
 static inline void
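Review bot: In the self branch of ipi_trigger_multi(), ipi_cpu_handler() is called directly, but nothing in the added code marks `ipi_id` as pending for the current CPU the way ipi_trigger() presumably does for the remote ones. If ipi_cpu_handler() dispatches from a per-CPU pending mask (its body is not in this hunk), the local handler for `ipi_id` would only run when that bit happens to be set already. Setting the pending bit for curcpu() before `splhigh()`, with the same code ipi_trigger() uses, would make the local and remote paths agree. `ipi_id` is also not range-checked here, so a `KASSERT` matching whatever ipi_trigger() asserts would catch a bad ID even when the target set holds only the current CPU.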

Index: src/sys/sys/ipi.h
diff -u src/sys/sys/ipi.h:1.2 src/sys/sys/ipi.h:1.3
--- src/sys/sys/ipi.h:1.2	Sun May 25 15:34:19 2014
+++ src/sys/sys/ipi.h	Sun Jan 18 23:16:35 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipi.h,v 1.2 2014/05/25 15:34:19 rmind Exp $	*/
+/*	$NetBSD: ipi.h,v 1.3 2015/01/18 23:16:35 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -67,6 +67,7 @@ void	cpu_ipi(struct cpu_info *);
 u_int	ipi_register(ipi_func_t, void *);
 void	ipi_unregister(u_int);
 void	ipi_trigger(u_int, struct cpu_info *);
+void	ipi_trigger_multi(u_int, const kcpuset_t *);
 
 /* Public interface: synchronous IPIs. */
 void	ipi_unicast(ipi_msg_t *, struct cpu_info *);



CVS commit: src/usr.sbin/npf/npfctl

2014-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Dec 26 20:44:38 UTC 2014

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.c

Log Message:
npfctl(8): attempt to preload bpfjit kernel module and print the
warning on failure.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.43 src/usr.sbin/npf/npfctl/npfctl.c:1.44
--- src/usr.sbin/npf/npfctl/npfctl.c:1.43	Mon Aug 11 23:48:01 2014
+++ src/usr.sbin/npf/npfctl/npfctl.c	Fri Dec 26 20:44:38 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.44 2014/12/26 20:44:38 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -30,11 +30,12 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $);
+__RCSID($NetBSD: npfctl.c,v 1.44 2014/12/26 20:44:38 rmind Exp $);
 
 #include sys/ioctl.h
 #include sys/stat.h
 #include sys/types.h
+#include sys/module.h
 
 #include stdio.h
 #include stdlib.h
@@ -480,6 +481,22 @@ npfctl_rule(int fd, int argc, char **arg
 	exit(EXIT_SUCCESS);
 }
 
+static void
+npfctl_preload_bpfjit(void)
+{
+	modctl_load_t args = {
+		.ml_filename = bpfjit,
+		.ml_flags = MODCTL_NO_PROP,
+		.ml_props = NULL,
+		.ml_propslen = 0
+	};
+
+	if (modctl(MODCTL_LOAD, args) != 0  errno != EEXIST) {
+		fprintf(stderr, WARNING: bpfjit is not loaded; 
+		this may have severe impact on performance.);
+	}
+}
+
 static int
 npfctl_save(int fd)
 {
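Review bot: The warning in npfctl_preload_bpfjit() ends without a newline and drops errno, so it runs into whatever is printed next and the operator cannot tell a missing module from a permission failure. `warn("bpfjit is not loaded; this may have severe impact on performance");` would append both the error string and the newline, provided <err.h> is already included in npfctl.c (the include list is not fully visible here). A one-line comment above the function noting that EEXIST is treated as success because the module is already loaded would document the intent of the errno test.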
@@ -547,6 +564,7 @@ npfctl(int action, int argc, char **argv
 		fun = ioctl(IOC_NPF_SWITCH);
 		break;
 	case NPFCTL_RELOAD:
+		npfctl_preload_bpfjit();
 		npfctl_config_init(false);
 		npfctl_parse_file(argc  3 ? NPF_CONF_PATH : argv[2]);
 		errno = ret = npfctl_config_send(fd, NULL);
@@ -581,6 +599,7 @@ npfctl(int action, int argc, char **argv
 		npfctl_rule(fd, argc, argv);
 		break;
 	case NPFCTL_LOAD:
+		npfctl_preload_bpfjit();
 		ret = npfctl_load(fd);
 		fun = npfctl_config_load;
 		break;



CVS commit: src/sys/net/npf

2014-12-20 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Dec 20 16:19:43 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h npf_nat.c

Log Message:
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window.  Might fix PR/49488.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_nat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.13 src/sys/net/npf/npf_conn.c:1.14
--- src/sys/net/npf/npf_conn.c:1.13	Sun Nov 30 00:40:55 2014
+++ src/sys/net/npf/npf_conn.c	Sat Dec 20 16:19:43 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.14 2014/12/20 16:19:43 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -660,7 +660,7 @@ npf_conn_setpass(npf_conn_t *con, npf_rp
 	 * If rproc is set, the caller transfers its reference to us,
 	 * which will be released on npf_conn_destroy().
 	 */
-	con-c_flags |= CONN_PASS;
+	atomic_or_uint(con-c_flags, CONN_PASS);
 	con-c_rproc = rp;
 }
 
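Review bot: CONN_PASS is published with atomic_or_uint() before `con->c_rproc = rp;` is stored, so a reader that tests the flag and then loads c_rproc without the connection lock could observe the flag together with the old pointer. Whether such a lockless reader exists is not visible in this hunk, and npf_conn_setpass() begins above it. If one does, store the pointer first and order it before the flag: `con->c_rproc = rp;`, `membar_producer();`, `atomic_or_uint(&con->c_flags, CONN_PASS);`.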
@@ -673,7 +673,7 @@ npf_conn_release(npf_conn_t *con)
 {
 	if ((con-c_flags  (CONN_ACTIVE | CONN_EXPIRE)) == 0) {
 		/* Activate: after this, connection is globally visible. */
-		con-c_flags |= CONN_ACTIVE;
+		atomic_or_uint(con-c_flags, CONN_ACTIVE);
 	}
 	KASSERT(con-c_refcnt  0);
 	atomic_dec_uint(con-c_refcnt);

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.7 src/sys/net/npf/npf_conn.h:1.8
--- src/sys/net/npf/npf_conn.h:1.7	Sun Nov 30 00:40:55 2014
+++ src/sys/net/npf/npf_conn.h	Sat Dec 20 16:19:43 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.7 2014/11/30 00:40:55 rmind Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.8 2014/12/20 16:19:43 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -47,7 +47,7 @@ typedef struct npf_connkey npf_connkey_t
 #include sys/rbtree.h
 
 /*
- * See npf_conn_key() function for the description key layout.
+ * See npf_conn_conkey() function for the key layout description.
  */
 #define	NPF_CONN_NKEYWORDS	(2 + ((sizeof(npf_addr_t) * 2)  2))
 #define	NPF_CONN_MAXKEYLEN	(NPF_CONN_NKEYWORDS * sizeof(uint32_t))

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.37 src/sys/net/npf/npf_nat.c:1.38
--- src/sys/net/npf/npf_nat.c:1.37	Sun Nov 30 01:37:53 2014
+++ src/sys/net/npf/npf_nat.c	Sat Dec 20 16:19:43 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.38 2014/12/20 16:19:43 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.38 2014/12/20 16:19:43 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -914,8 +914,8 @@ npf_nat_dump(const npf_nat_t *nt)
 
 	np = nt-nt_natpolicy;
 	memcpy(ip, np-n_taddr, sizeof(ip));
-	printf(\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n,
-	np, np-n_type, np-n_flags, inet_ntoa(ip), np-n_tport);
+	printf(\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n, np,
+	np-n_type, np-n_flags, inet_ntoa(ip), ntohs(np-n_tport));
 	memcpy(ip, nt-nt_oaddr, sizeof(ip));
 	printf(\tNAT: original address %s oport %d tport %d\n,
 	inet_ntoa(ip), ntohs(nt-nt_oport), ntohs(nt-nt_tport));



CVS commit: src/sys/net/npf

2014-11-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Nov 30 00:40:55 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h npf_nat.c npf_ruleset.c

Log Message:
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.12 src/sys/net/npf/npf_conn.c:1.13
--- src/sys/net/npf/npf_conn.c:1.12	Sun Aug 24 20:36:30 2014
+++ src/sys/net/npf/npf_conn.c	Sun Nov 30 00:40:55 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.13 2014/11/30 00:40:55 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -680,11 +680,11 @@ npf_conn_release(npf_conn_t *con)
 }
 
 /*
- * npf_conn_retnat: return associated NAT data entry and indicate
+ * npf_conn_getnat: return associated NAT data entry and indicate
  * whether it is a forwards or backwards stream.
  */
 npf_nat_t *
-npf_conn_retnat(npf_conn_t *con, const int di, bool *forw)
+npf_conn_getnat(npf_conn_t *con, const int di, bool *forw)
 {
 	KASSERT(con-c_refcnt  0);
 	*forw = (con-c_flags  PFIL_ALL) == di;

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.6 src/sys/net/npf/npf_conn.h:1.7
--- src/sys/net/npf/npf_conn.h:1.6	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_conn.h	Sun Nov 30 00:40:55 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.6 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.7 2014/11/30 00:40:55 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -113,7 +113,7 @@ bool		npf_conn_pass(const npf_conn_t *, 
 void		npf_conn_setpass(npf_conn_t *, npf_rproc_t *);
 int		npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
 		npf_nat_t *, u_int);
-npf_nat_t *	npf_conn_retnat(npf_conn_t *, const int, bool *);
+npf_nat_t *	npf_conn_getnat(npf_conn_t *, const int, bool *);
 void		npf_conn_gc(npf_conndb_t *, bool, bool);
 int		npf_conn_import(npf_conndb_t *, prop_dictionary_t,
 		npf_ruleset_t *);

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.35 src/sys/net/npf/npf_nat.c:1.36
--- src/sys/net/npf/npf_nat.c:1.35	Wed Nov 26 21:25:35 2014
+++ src/sys/net/npf/npf_nat.c	Sun Nov 30 00:40:55 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -252,6 +252,7 @@ npf_nat_newpolicy(prop_dictionary_t natd
 		np-n_portmap = pm;
 	} else {
 		KASSERT(np-n_portmap != NULL);
+		KASSERT(np-n_portmap-p_refcnt  0);
 	}
 	return np;
 err:
@@ -417,6 +418,9 @@ npf_nat_getport(npf_natpolicy_t *np)
 	u_int n = PORTMAP_SIZE, idx, bit;
 	uint32_t map, nmap;
 
+	KASSERT((np-n_flags  NPF_NAT_PORTMAP) != 0);
+	KASSERT(pm-p_refcnt  0);
+
 	idx = cprng_fast32() % PORTMAP_SIZE;
 	for (;;) {
 		KASSERT(idx  PORTMAP_SIZE);
@@ -450,6 +454,9 @@ npf_nat_takeport(npf_natpolicy_t *np, in
 	uint32_t map, nmap;
 	u_int idx, bit;
 
+	KASSERT((np-n_flags  NPF_NAT_PORTMAP) != 0);
+	KASSERT(pm-p_refcnt  0);
+
 	port = ntohs(port) - PORTMAP_FIRST;
 	idx = port  PORTMAP_SHIFT;
 	bit = port  PORTMAP_MASK;
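Review bot: The new assertions in npf_nat_takeport() cover the policy flags and the port-map reference, but not the index computed right below them: `idx` is derived from the caller's `port` after subtracting PORTMAP_FIRST, and no bound check is visible before the function continues outside this hunk. npf_nat_getport() in the previous hunk has `KASSERT(idx < PORTMAP_SIZE);`, and the same line after `idx = port >> PORTMAP_SHIFT;` here and in the npf_nat_putport() hunk that follows would keep the three consistent. Since npf_nat_import() passes a port read from an imported dictionary, that path would be better served by a real range check that rejects the entry, because KASSERT is compiled out of non-DIAGNOSTIC kernels.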
@@ -474,6 +481,9 @@ npf_nat_putport(npf_natpolicy_t *np, in_
 	uint32_t map, nmap;
 	u_int idx, bit;
 
+	KASSERT((np-n_flags  NPF_NAT_PORTMAP) != 0);
+	KASSERT(pm-p_refcnt  0);
+
 	port = ntohs(port) - PORTMAP_FIRST;
 	idx = port  PORTMAP_SHIFT;
 	bit = port  PORTMAP_MASK;
@@ -686,7 +696,7 @@ npf_do_nat(npf_cache_t *npc, npf_conn_t 
 	 * Determines whether the stream is forwards or backwards.
 	 * Note: no need to lock, since reference on connection is held.
 	 */
-	if (con  (nt = npf_conn_retnat(con, di, forw)) != NULL) {
+	if (con  (nt = npf_conn_getnat(con, di, forw)) != NULL) {
 		np = nt-nt_natpolicy;
 		goto translate;
 	}
@@ -874,7 +884,8 @@ npf_nat_import(prop_dictionary_t natdict
 	prop_dictionary_get_uint16(natdict, tport, nt-nt_tport);
 
 	/* Take a specific port from port-map. */
-	if (!npf_nat_takeport(np, nt-nt_tport

CVS commit: src/sys/net/npf

2014-11-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Nov 30 01:37:53 UTC 2014

Modified Files:
src/sys/net/npf: npf_conf.c npf_impl.h npf_nat.c npf_ruleset.c

Log Message:
- npf_config_load: if loading the connections, do not perform any active
  NAT policy take over or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.59 -r1.60 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.8 src/sys/net/npf/npf_conf.c:1.9
--- src/sys/net/npf/npf_conf.c:1.8	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_conf.c	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -105,11 +105,13 @@ npf_config_destroy(npf_config_t *nc)
 void
 npf_config_fini(void)
 {
+	npf_conndb_t *cd = npf_conndb_create();
+
 	/* Flush the connections. */
 	mutex_enter(npf_config_lock);
 	npf_conn_tracking(false);
 	pserialize_perform(npf_config_psz);
-	npf_conn_load(NULL, false);
+	npf_conn_load(cd, false);
 	npf_ifmap_flush();
 	mutex_exit(npf_config_lock);
 
@@ -127,6 +129,7 @@ npf_config_load(npf_ruleset_t *rset, npf
 npf_ruleset_t *nset, npf_rprocset_t *rpset,
 npf_conndb_t *conns, bool flush)
 {
+	const bool load = conns != NULL;
 	npf_config_t *nc, *onc;
 
 	nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
@@ -143,9 +146,9 @@ npf_config_load(npf_ruleset_t *rset, npf
 	 */
 	mutex_enter(npf_config_lock);
 	if ((onc = npf_config) != NULL) {
-		npf_ruleset_reload(rset, onc-n_rules);
+		npf_ruleset_reload(rset, onc-n_rules, load);
 		npf_tableset_reload(tset, onc-n_tables);
-		npf_ruleset_reload(nset, onc-n_nat_rules);
+		npf_ruleset_reload(nset, onc-n_nat_rules, load);
 	}
 
 	/*

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.59 src/sys/net/npf/npf_impl.h:1.60
--- src/sys/net/npf/npf_impl.h:1.59	Mon Aug 11 23:48:01 2014
+++ src/sys/net/npf/npf_impl.h	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -254,7 +254,7 @@ int		npf_table_flush(npf_table_t *);
 npf_ruleset_t *	npf_ruleset_create(size_t);
 void		npf_ruleset_destroy(npf_ruleset_t *);
 void		npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *);
-void		npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *);
+void		npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *, bool);
 npf_rule_t *	npf_ruleset_sharepm(npf_ruleset_t *, npf_natpolicy_t *);
 npf_natpolicy_t *npf_ruleset_findnat(npf_ruleset_t *, uint64_t);
 void		npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.36 src/sys/net/npf/npf_nat.c:1.37
--- src/sys/net/npf/npf_nat.c:1.36	Sun Nov 30 00:40:55 2014
+++ src/sys/net/npf/npf_nat.c	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -364,6 +364,8 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf
 	npf_portmap_t *pm, *mpm;
 
 	KASSERT(np  mnp  np != mnp);
+	KASSERT(LIST_EMPTY(mnp-n_nat_list));
+	KASSERT(mnp-n_refcnt == 0);
 
 	/* Using port map and having equal translation address? */
 	if ((np-n_flags  mnp-n_flags  NPF_NAT_PORTMAP) == 0) {
@@ -889,6 +891,7 @@ npf_nat_import(prop_dictionary_t natdict
 		pool_cache_put(nat_cache, nt);
 		return NULL;
 	}
+	npf_stats_inc(NPF_STAT_NAT_CREATE);
 
 	/*
 	 * Associate, take a reference and insert.  Unlocked since

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.39 src/sys/net/npf/npf_ruleset.c:1.40
--- src/sys/net/npf/npf_ruleset.c:1.39	Sun Nov 30 00:40:55 2014
+++ src/sys/net/npf/npf_ruleset.c	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.39 2014/11/30 00

CVS commit: src/sys/net/npf

2014-11-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Nov 26 21:25:35 UTC 2014

Modified Files:
src/sys/net/npf: npf_nat.c npf_ruleset.c

Log Message:
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload.  Should fix PR/49412, reported by kardel@.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.34 src/sys/net/npf/npf_nat.c:1.35
--- src/sys/net/npf/npf_nat.c:1.34	Sun Aug 24 20:36:30 2014
+++ src/sys/net/npf/npf_nat.c	Wed Nov 26 21:25:35 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.35 2014/11/26 21:25:35 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -313,9 +313,10 @@ npf_nat_freepolicy(npf_natpolicy_t *np)
 		kpause(npfgcnat, false, 1, NULL);
 	}
 	KASSERT(LIST_EMPTY(np-n_nat_list));
+	KASSERT(pm == NULL || pm-p_refcnt  0);
 
 	/* Destroy the port map, on last reference. */
-	if (pm  --pm-p_refcnt == 0) {
+	if (pm  atomic_dec_uint_nv(pm-p_refcnt) == 0) {
 		KASSERT((np-n_flags  NPF_NAT_PORTMAP) != 0);
 		kmem_free(pm, PORTMAP_MEM_SIZE);
 	}
@@ -373,17 +374,21 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf
 	if (memcmp(np-n_taddr, mnp-n_taddr, np-n_alen) != 0) {
 		return false;
 	}
-	/* If NAT policy has an old port map - drop the reference. */
 	mpm = mnp-n_portmap;
-	if (mpm) {
-		/* Note: at this point we cannot hold a last reference. */
-		KASSERT(mpm-p_refcnt  1);
-		mpm-p_refcnt--;
+	KASSERT(mpm == NULL || mpm-p_refcnt  0);
+
+	/*
+	 * If NAT policy has an old port map - drop the reference
+	 * and destroy the port map if it was the last.
+	 */
+	if (mpm  atomic_dec_uint_nv(mpm-p_refcnt) == 0) {
+		kmem_free(mpm, PORTMAP_MEM_SIZE);
 	}
+
 	/* Share the port map. */
 	pm = np-n_portmap;
+	atomic_inc_uint(pm-p_refcnt);
 	mnp-n_portmap = pm;
-	pm-p_refcnt++;
 	return true;
 }
 
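Review bot: In npf_nat_sharepm() the old port map reference is dropped before the new one is taken, so when `mnp` already points at the same port map as `np` the count is decremented and then re-incremented on the same object. That is only safe while both policies really hold a reference; the `KASSERT` above the decrement is compiled out of non-DIAGNOSTIC kernels, so a miscounted map would be released by `kmem_free()` and then stored back into `mnp->n_portmap`. Loading `pm` first and returning early with `if (mpm == pm) return true;`, or taking the new reference before dropping the old one, removes that window. The function starts outside the hunk, so an earlier check that rules this case out may exist but is not visible here.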

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.37 src/sys/net/npf/npf_ruleset.c:1.38
--- src/sys/net/npf/npf_ruleset.c:1.37	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_ruleset.c	Wed Nov 26 21:25:35 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.38 2014/11/26 21:25:35 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.38 2014/11/26 21:25:35 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -421,22 +421,6 @@ npf_ruleset_gc(npf_ruleset_t *rlset)
 }
 
 /*
- * npf_ruleset_cmpnat: find a matching NAT policy in the ruleset.
- */
-static inline npf_rule_t *
-npf_ruleset_cmpnat(npf_ruleset_t *rlset, npf_natpolicy_t *mnp)
-{
-	npf_rule_t *rl;
-
-	/* Find a matching NAT policy in the old ruleset. */
-	LIST_FOREACH(rl, rlset-rs_all, r_aentry) {
-		if (rl-r_natp  npf_nat_cmppolicy(rl-r_natp, mnp))
-			break;
-	}
-	return rl;
-}
-
-/*
  * npf_ruleset_reload: prepare the new ruleset by scanning the active
  * ruleset and 1) sharing the dynamic rules 2) sharing NAT policies.
  *
@@ -492,18 +476,30 @@ npf_ruleset_reload(npf_ruleset_t *newset
 			continue;
 		}
 
+		/*
+		 * First, try to share the active port map.  If this
+		 * policy will be unused, npf_nat_freepolicy() will
+		 * drop the reference.
+		 */
+		npf_ruleset_sharepm(oldset, np);
+
 		/* Does it match with any policy in the active ruleset? */
-		if ((actrl = npf_ruleset_cmpnat(oldset, np)) == NULL) {
+		LIST_FOREACH(actrl, oldset-rs_all, r_aentry) {
+			if (!actrl-r_natp)
+continue;
+			if ((actrl-r_attr  NPF_RULE_KEEPNAT) != 0)
+continue;
+			if (npf_nat_cmppolicy(actrl-r_natp, np))
+break;
+		}
+		if (!actrl) {
+			/* No: just set the ID and continue. */
 			npf_nat_setid(np, ++nid);
 			continue;
 		}
 
-		/*
-		 * Inherit the matching NAT policy and check other ones
-		 * in the new ruleset for sharing the portmap.
-		 */
+		/* Yes: inherit the matching NAT policy. */
 		rl-r_natp = actrl-r_natp;
-		npf_ruleset_sharepm(newset, rl-r_natp);
 		npf_nat_setid(rl-r_natp, ++nid);
 
 		/*
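Review bot: The new loop in npf_ruleset_reload() skips active rules flagged `NPF_RULE_KEEPNAT` without saying why, and the `if (!actrl)` test after it relies on `LIST_FOREACH` leaving the iterator NULL when nothing matched. Presumably the flag marks a policy already inherited by an earlier rule of the new set; a comment such as `/* Skip policies already inherited by another rule (KEEPNAT). */`, corrected if the real reason differs, would make that explicit. The result of `npf_ruleset_sharepm(oldset, np)` is also discarded; if it reports whether a map was shared, a `(void)` cast or a short comment would show that ignoring it is intended. The loop body continues outside the hunk.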
@@ -525,13 +521,8 @@ npf_ruleset_sharepm(npf_ruleset_t *rlset
 	npf_natpolicy_t *np;
 	npf_rule_t *rl;
 
-	/* Find a matching NAT policy in the old ruleset. */
+	/* Find a matching NAT policy in the old ruleset; skip the self. */
 	LIST_FOREACH(rl, rlset

CVS commit: src/sys/net

2014-09-13 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep 13 17:18:45 UTC 2014

Modified Files:
src/sys/net: bpf.c

Log Message:
PR/49190: bpf_deliver: set scratch memory store in bpf_args_t.


To generate a diff of this commit:
cvs rdiff -u -r1.188 -r1.189 src/sys/net/bpf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpf.c
diff -u src/sys/net/bpf.c:1.188 src/sys/net/bpf.c:1.189
--- src/sys/net/bpf.c:1.188	Fri Sep  5 09:22:22 2014
+++ src/sys/net/bpf.c	Sat Sep 13 17:18:45 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpf.c,v 1.188 2014/09/05 09:22:22 matt Exp $	*/
+/*	$NetBSD: bpf.c,v 1.189 2014/09/13 17:18:45 rmind Exp $	*/
 
 /*
  * Copyright (c) 1990, 1991, 1993
@@ -39,7 +39,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: bpf.c,v 1.188 2014/09/05 09:22:22 matt Exp $);
+__KERNEL_RCSID(0, $NetBSD: bpf.c,v 1.189 2014/09/13 17:18:45 rmind Exp $);
 
 #if defined(_KERNEL_OPT)
 #include opt_bpf.h
@@ -1388,25 +1388,24 @@ static inline void
 bpf_deliver(struct bpf_if *bp, void *(*cpfn)(void *, const void *, size_t),
 void *pkt, u_int pktlen, u_int buflen, const bool rcv)
 {
-	struct timespec ts;
+	const bpf_ctx_t *bc = NULL;
+	uint32_t mem[BPF_MEMWORDS];
 	bpf_args_t args = {
 		.pkt = (const uint8_t *)pkt,
 		.wirelen = pktlen,
 		.buflen = buflen,
-		.mem = NULL,
+		.mem = mem,
 		.arg = NULL
 	};
-	struct bpf_d *d;
-
-	const bpf_ctx_t *bc = NULL;
 	bool gottime = false;
+	struct timespec ts;
 
 	/*
 	 * Note that the IPL does not have to be raised at this point.
 	 * The only problem that could arise here is that if two different
 	 * interfaces shared any data.  This is not the case.
 	 */
-	for (d = bp-bif_dlist; d != NULL; d = d-bd_next) {
+	for (struct bpf_d *d = bp-bif_dlist; d != NULL; d = d-bd_next) {
 		u_int slen;
 
 		if (!d-bd_seesent  !rcv) {
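Review bot: The new scratch array `uint32_t mem[BPF_MEMWORDS];` in bpf_deliver() is left uninitialised and, through `args`, is presumably shared by the filter of every descriptor visited in the loop. A filter program that loads a scratch word before storing to it would then read stale kernel stack contents, or values left behind by the previous listener's filter, unless the filter validator rejects such loads, which cannot be confirmed from this hunk. If that guarantee does not exist, declare it as `uint32_t mem[BPF_MEMWORDS] = { 0 };` or clear it at the top of each iteration; otherwise add a comment naming the check that makes the uninitialised array safe. The function body continues past the end of the hunk.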



CVS commit: src/sys

2014-09-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Sep  9 20:16:12 UTC 2014

Modified Files:
src/sys/net: if.c if.h route.c
src/sys/netatalk: at_control.c
src/sys/netinet: in.c
src/sys/netinet6: in6.c in6_ifattach.c mld6.c nd6_nbr.c

Log Message:
Eliminate IFAREF() and IFAFREE() macros in favour of functions.


To generate a diff of this commit:
cvs rdiff -u -r1.290 -r1.291 src/sys/net/if.c
cvs rdiff -u -r1.174 -r1.175 src/sys/net/if.h
cvs rdiff -u -r1.132 -r1.133 src/sys/net/route.c
cvs rdiff -u -r1.35 -r1.36 src/sys/netatalk/at_control.c
cvs rdiff -u -r1.147 -r1.148 src/sys/netinet/in.c
cvs rdiff -u -r1.175 -r1.176 src/sys/netinet6/in6.c
cvs rdiff -u -r1.92 -r1.93 src/sys/netinet6/in6_ifattach.c
cvs rdiff -u -r1.59 -r1.60 src/sys/netinet6/mld6.c
cvs rdiff -u -r1.100 -r1.101 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.290 src/sys/net/if.c:1.291
--- src/sys/net/if.c:1.290	Sat Aug  9 05:33:01 2014
+++ src/sys/net/if.c	Tue Sep  9 20:16:12 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.290 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: if.c,v 1.291 2014/09/09 20:16:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: if.c,v 1.290 2014/08/09 05:33:01 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: if.c,v 1.291 2014/09/09 20:16:12 rmind Exp $);
 
 #include opt_inet.h
 
@@ -362,7 +362,7 @@ if_set_sadl(struct ifnet *ifp, const voi
 	(void)sockaddr_dl_setaddr(sdl, sdl-sdl_len, lla, ifp-if_addrlen);
 	if (factory) {
 		ifp-if_hwdl = ifp-if_dl;
-		IFAREF(ifp-if_hwdl);
+		ifaref(ifp-if_hwdl);
 	}
 	/* TBD routing socket */
 }
@@ -402,9 +402,9 @@ if_sadl_setrefs(struct ifnet *ifp, struc
 {
 	const struct sockaddr_dl *sdl;
 	ifnet_addrs[ifp-if_index] = ifa;
-	IFAREF(ifa);
+	ifaref(ifa);
 	ifp-if_dl = ifa;
-	IFAREF(ifa);
+	ifaref(ifa);
 	sdl = satosdl(ifa-ifa_addr);
 	ifp-if_sadl = sdl;
 }
@@ -447,9 +447,9 @@ if_deactivate_sadl(struct ifnet *ifp)
 	ifp-if_sadl = NULL;
 
 	ifnet_addrs[ifp-if_index] = NULL;
-	IFAFREE(ifa);
+	ifafree(ifa);
 	ifp-if_dl = NULL;
-	IFAFREE(ifa);
+	ifafree(ifa);
 }
 
 void
@@ -494,7 +494,7 @@ if_free_sadl(struct ifnet *ifp)
 	ifa_remove(ifp, ifa);
 	if_deactivate_sadl(ifp);
 	if (ifp-if_hwdl == ifa) {
-		IFAFREE(ifa);
+		ifafree(ifa);
 		ifp-if_hwdl = NULL;
 	}
 	splx(s);
@@ -1101,11 +1101,28 @@ if_clone_list(struct if_clonereq *ifcr)
 }
 
 void
+ifaref(struct ifaddr *ifa)
+{
+	ifa-ifa_refcnt++;
+}
+
+void
+ifafree(struct ifaddr *ifa)
+{
+	KASSERT(ifa != NULL);
+	KASSERT(ifa-ifa_refcnt  0);
+
+	if (--ifa-ifa_refcnt == 0) {
+		free(ifa, M_IFADDR);
+	}
+}
+
+void
 ifa_insert(struct ifnet *ifp, struct ifaddr *ifa)
 {
 	ifa-ifa_ifp = ifp;
 	TAILQ_INSERT_TAIL(ifp-if_addrlist, ifa, ifa_list);
-	IFAREF(ifa);
+	ifaref(ifa);
 }
 
 void
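Review bot: The new ifaref() and ifafree() update `ifa_refcnt` with plain `++` and `--` and carry no comment saying which lock or IPL callers must hold. Since ifafree() frees the address on the last drop, unserialised callers could free it twice or leak it, so the requirement is worth writing down, e.g. `/* ifaref/ifafree: caller must hold <lock name>; the count is not atomic. */` with the actual lock filled in. ifaref() also lacks the `KASSERT(ifa != NULL);` that ifafree() has; adding it keeps the pair symmetric.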
@@ -1113,7 +1130,7 @@ ifa_remove(struct ifnet *ifp, struct ifa
 {
 	KASSERT(ifa-ifa_ifp == ifp);
 	TAILQ_REMOVE(ifp-if_addrlist, ifa, ifa_list);
-	IFAFREE(ifa);
+	ifafree(ifa);
 }
 
 static inline int

Index: src/sys/net/if.h
diff -u src/sys/net/if.h:1.174 src/sys/net/if.h:1.175
--- src/sys/net/if.h:1.174	Thu Jul 31 06:35:47 2014
+++ src/sys/net/if.h	Tue Sep  9 20:16:12 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.h,v 1.174 2014/07/31 06:35:47 ozaki-r Exp $	*/
+/*	$NetBSD: if.h,v 1.175 2014/09/09 20:16:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc.
@@ -718,44 +718,6 @@ struct if_addrprefreq {
 #endif /* _NETBSD_SOURCE */
 
 #ifdef _KERNEL
-#ifdef IFAREF_DEBUG
-#define	IFAREF(ifa)			\
-do {	\
-	printf(IFAREF: %s:%d %p - %d\n, __FILE__, __LINE__,		\
-	(ifa), ++(ifa)-ifa_refcnt);\
-} while (/*CONSTCOND*/ 0)
-
-#define	IFAFREE(ifa)			\
-do {	\
-	if ((ifa)-ifa_refcnt = 0)	\
-		panic(%s:%d: %p ifa_refcnt = 0, __FILE__,		\
-		__LINE__, (ifa));	\
-	printf(IFAFREE: %s:%d %p - %d\n, __FILE__, __LINE__,		\
-	(ifa), --(ifa)-ifa_refcnt);\
-	if ((ifa)-ifa_refcnt == 0)	\
-		ifafree(ifa);		\
-} while (/*CONSTCOND*/ 0)
-#else
-#define	IFAREF(ifa)	(ifa)-ifa_refcnt++
-
-#ifdef DIAGNOSTIC
-#define	IFAFREE(ifa)			\
-do {	\
-	if ((ifa)-ifa_refcnt = 0)	\
-		panic(%s:%d: %p ifa_refcnt = 0, __FILE__,		\
-		__LINE__, (ifa));	\
-	if (--(ifa)-ifa_refcnt == 0)	\
-		ifafree(ifa);		\
-} while (/*CONSTCOND*/ 0)
-#else
-#define	IFAFREE(ifa)			\
-do {	\
-	if (--(ifa)-ifa_refcnt == 0)	\
-		ifafree(ifa);		\
-} while (/*CONSTCOND*/ 0)
-#endif /* DIAGNOSTIC */
-#endif /* IFAREF_DEBUG */
-
 #ifdef ALTQ
 #define	ALTQ_DECL(x)		x
 #define ALTQ_COMMA		,
@@ -922,6 +884,9 @@ int	if_flags_set(struct ifnet *, const s
 void ifa_insert(struct ifnet *, struct ifaddr *);
 void ifa_remove(struct ifnet *, struct ifaddr *);
 
+void	ifaref(struct ifaddr *);
+void	ifafree(struct 

CVS commit: src/sys

2014-09-06 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep  7 00:50:57 UTC 2014

Modified Files:
src/sys/netinet: in_pcb.c
src/sys/netinet6: in6_pcb.c

Log Message:
in_pcbdetach: move ip_freemoptions() under softnet_lock for now (this will
be changed back once other IP paths become MP-safe).  Same for IPv6 routine.

This partially reverts 1.150 of in_pcb.c and 1.127 of in6_pcb.c changes.


To generate a diff of this commit:
cvs rdiff -u -r1.151 -r1.152 src/sys/netinet/in_pcb.c
cvs rdiff -u -r1.128 -r1.129 src/sys/netinet6/in6_pcb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in_pcb.c
diff -u src/sys/netinet/in_pcb.c:1.151 src/sys/netinet/in_pcb.c:1.152
--- src/sys/netinet/in_pcb.c:1.151	Tue Aug  5 05:24:26 2014
+++ src/sys/netinet/in_pcb.c	Sun Sep  7 00:50:56 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: in_pcb.c,v 1.151 2014/08/05 05:24:26 rtr Exp $	*/
+/*	$NetBSD: in_pcb.c,v 1.152 2014/09/07 00:50:56 rmind Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -93,7 +93,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: in_pcb.c,v 1.151 2014/08/05 05:24:26 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: in_pcb.c,v 1.152 2014/09/07 00:50:56 rmind Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -606,9 +606,9 @@ in_pcbdetach(void *v)
 		m_free(inp-inp_options);
 	}
 	rtcache_free(inp-inp_route);
+	ip_freemoptions(inp-inp_moptions);
 	sofree(so);			/* drops the socket's lock */
 
-	ip_freemoptions(inp-inp_moptions);
 	pool_put(inpcb_pool, inp);
 	mutex_enter(softnet_lock);	/* reacquire the softnet_lock */
 }
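Review bot: The reason ip_freemoptions() now has to run before sofree() is recorded only in the commit message, so a later cleanup is likely to move it back. A comment above the call such as `/* XXX: must run under softnet_lock until the other IP paths are MP-safe. */` would keep the constraint with the code. The same applies to the ip6_freemoptions() call moved in in6_pcbdetach() in in6_pcb.c. Both functions start outside their hunks.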

Index: src/sys/netinet6/in6_pcb.c
diff -u src/sys/netinet6/in6_pcb.c:1.128 src/sys/netinet6/in6_pcb.c:1.129
--- src/sys/netinet6/in6_pcb.c:1.128	Tue Aug  5 05:24:27 2014
+++ src/sys/netinet6/in6_pcb.c	Sun Sep  7 00:50:56 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: in6_pcb.c,v 1.128 2014/08/05 05:24:27 rtr Exp $	*/
+/*	$NetBSD: in6_pcb.c,v 1.129 2014/09/07 00:50:56 rmind Exp $	*/
 /*	$KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: in6_pcb.c,v 1.128 2014/08/05 05:24:27 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: in6_pcb.c,v 1.129 2014/09/07 00:50:56 rmind Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -617,9 +617,9 @@ in6_pcbdetach(struct in6pcb *in6p)
 		free(in6p-in6p_outputopts, M_IP6OPT);
 	}
 	rtcache_free(in6p-in6p_route);
+	ip6_freemoptions(in6p-in6p_moptions);
 	sofree(so);/* drops the socket's lock */
 
-	ip6_freemoptions(in6p-in6p_moptions);
 	pool_put(in6pcb_pool, in6p);
 	mutex_enter(softnet_lock);		/* reacquire it */
 }



CVS commit: src/sys/net/npf

2014-08-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug 24 20:36:30 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_ctl.c npf_nat.c

Log Message:
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_nat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.11 src/sys/net/npf/npf_conn.c:1.12
--- src/sys/net/npf/npf_conn.c:1.11	Mon Aug 11 23:48:01 2014
+++ src/sys/net/npf/npf_conn.c	Sun Aug 24 20:36:30 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.12 2014/08/24 20:36:30 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -899,6 +899,7 @@ npf_conn_import(npf_conndb_t *cd, prop_d
 	con = pool_cache_get(conn_cache, PR_WAITOK);
 	memset(con, 0, sizeof(npf_conn_t));
 	mutex_init(con-c_lock, MUTEX_DEFAULT, IPL_SOFTNET);
+	npf_stats_inc(NPF_STAT_CONN_CREATE);
 
 	prop_dictionary_get_uint32(cdict, proto, con-c_proto);
 	prop_dictionary_get_uint32(cdict, flags, con-c_flags);
@@ -952,6 +953,8 @@ npf_conn_import(npf_conndb_t *cd, prop_d
 		npf_conndb_remove(cd, fw);
 		goto err;
 	}
+
+	NPF_PRINTF((NPF: imported conn %p\n, con));
 	npf_conndb_enqueue(cd, con);
 	return 0;
 err:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.39 src/sys/net/npf/npf_ctl.c:1.40
--- src/sys/net/npf/npf_ctl.c:1.39	Mon Aug 11 23:48:01 2014
+++ src/sys/net/npf/npf_ctl.c	Sun Aug 24 20:36:30 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.40 2014/08/24 20:36:30 rmind Exp $);
 
 #include sys/param.h
 #include sys/conf.h
@@ -459,7 +459,7 @@ npf_mk_connlist(prop_array_t conlist, np
 	prop_dictionary_t condict;
 	prop_object_iterator_t it;
 	npf_conndb_t *cd;
-	int error;
+	int error = 0;
 
 	/* Connection list - array */
 	if (prop_object_type(conlist) != PROP_TYPE_ARRAY) {
@@ -469,8 +469,6 @@ npf_mk_connlist(prop_array_t conlist, np
 
 	/* Create a connection database. */
 	cd = npf_conndb_create();
-
-	error = 0;
 	it = prop_array_iterator(conlist);
 	while ((condict = prop_object_iterator_next(it)) != NULL) {
 		/* Connection - dictionary. */
@@ -479,7 +477,7 @@ npf_mk_connlist(prop_array_t conlist, np
 			error = EINVAL;
 			break;
 		}
-		/* Construct and insert real connection structure. */
+		/* Construct and insert the connection. */
 		error = npf_conn_import(cd, condict, natlist);
 		if (error) {
 			NPF_ERR_DEBUG(errdict);

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.33 src/sys/net/npf/npf_nat.c:1.34
--- src/sys/net/npf/npf_nat.c:1.33	Mon Aug 11 23:48:01 2014
+++ src/sys/net/npf/npf_nat.c	Sun Aug 24 20:36:30 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.34 2014/08/24 20:36:30 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -812,6 +812,7 @@ npf_nat_destroy(npf_nat_t *nt)
 
 	mutex_enter(np-n_lock);
 	LIST_REMOVE(nt, nt_entry);
+	KASSERT(np-n_refcnt  0);
 	atomic_dec_uint(np-n_refcnt);
 	mutex_exit(np-n_lock);
 
@@ -873,9 +874,14 @@ npf_nat_import(prop_dictionary_t natdict
 		return NULL;
 	}
 
-	LIST_INSERT_HEAD(np-n_nat_list, nt, nt_entry);
+	/*
+	 * Associate, take a reference and insert.  Unlocked since
+	 * the policy is not yet visible.
+	 */
 	nt-nt_natpolicy = np;
 	nt-nt_conn = con;
+	np-n_refcnt++;
+	LIST_INSERT_HEAD(np-n_nat_list, nt, nt_entry);
 	return nt;
 }
 
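Review bot: The added `np->n_refcnt++;` in npf_nat_import() is a plain increment, while npf_nat_destroy() in the same file drops the same counter with `atomic_dec_uint()`. The new comment justifies this by the policy not yet being visible, but that invariant is established by callers outside this hunk, and mixing plain and atomic updates on one counter is easy to break later. Using `atomic_inc_uint(&np->n_refcnt);` here costs little on an import path and keeps every update of the counter consistent.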



CVS commit: src/lib/libnpf

2014-08-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug 24 20:37:35 UTC 2014

Modified Files:
src/lib/libnpf: npf.c

Log Message:
npf_config_submit: finally, include the saved connections.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/lib/libnpf/npf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.33 src/lib/libnpf/npf.c:1.34
--- src/lib/libnpf/npf.c:1.33	Mon Aug 11 23:48:01 2014
+++ src/lib/libnpf/npf.c	Sun Aug 24 20:37:35 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf.c,v 1.34 2014/08/24 20:37:35 rmind Exp $);
 
 #include sys/types.h
 #include netinet/in_systm.h
@@ -69,13 +69,14 @@ struct nl_ext {
 };
 
 struct nl_config {
-	/* Rules, translations, tables, procedures. */
+	/* Rules, translations, procedures, tables, connections. */
 	prop_dictionary_t	ncf_dict;
 	prop_array_t		ncf_alg_list;
 	prop_array_t		ncf_rules_list;
 	prop_array_t		ncf_rproc_list;
 	prop_array_t		ncf_table_list;
 	prop_array_t		ncf_nat_list;
+	prop_array_t		ncf_conn_list;
 
 	/* Iterators. */
 	prop_object_iterator_t	ncf_rule_iter;
@@ -153,6 +154,10 @@ npf_config_submit(nl_config_t *ncf, int 
 	prop_dictionary_set(npf_dict, rprocs, ncf-ncf_rproc_list);
 	prop_dictionary_set(npf_dict, tables, ncf-ncf_table_list);
 	prop_dictionary_set(npf_dict, nat, ncf-ncf_nat_list);
+	if (ncf-ncf_conn_list) {
+		prop_dictionary_set(npf_dict, conn-list,
+		ncf-ncf_conn_list);
+	}
 	prop_dictionary_set_bool(npf_dict, flush, ncf-ncf_flush);
 	if (ncf-ncf_debug) {
 		prop_dictionary_set(npf_dict, debug, ncf-ncf_debug);
@@ -194,6 +199,7 @@ _npf_config_consdict(prop_dictionary_t n
 	ncf-ncf_rproc_list = prop_dictionary_get(npf_dict, rprocs);
 	ncf-ncf_table_list = prop_dictionary_get(npf_dict, tables);
 	ncf-ncf_nat_list = prop_dictionary_get(npf_dict, nat);
+	ncf-ncf_conn_list = prop_dictionary_get(npf_dict, conn-list);
 	return ncf;
 }
 



CVS commit: src

2014-08-11 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Aug 11 23:48:01 UTC 2014

Modified Files:
src/lib/libnpf: npf.c
src/sys/net/npf: npf_alg.c npf_conn.c npf_ctl.c npf_impl.h npf_nat.c
src/usr.sbin/npf/npfctl: npfctl.c

Log Message:
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/lib/libnpf/npf.c
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.32 src/lib/libnpf/npf.c:1.33
--- src/lib/libnpf/npf.c:1.32	Sun Aug 10 19:09:43 2014
+++ src/lib/libnpf/npf.c	Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $);
 
 #include sys/types.h
 #include netinet/in_systm.h
@@ -237,11 +237,11 @@ npf_config_import(const char *path)
 	nl_config_t *ncf;
 
 	npf_dict = prop_dictionary_internalize_from_file(path);
-	if (npf_dict) {
+	if (!npf_dict) {
 		return NULL;
 	}
 	ncf = _npf_config_consdict(npf_dict);
-	if (ncf == NULL) {
+	if (!ncf) {
 		prop_object_release(npf_dict);
 		return NULL;
 	}

Index: src/sys/net/npf/npf_alg.c
diff -u src/sys/net/npf/npf_alg.c:1.14 src/sys/net/npf/npf_alg.c:1.15
--- src/sys/net/npf/npf_alg.c:1.14	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_alg.c	Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -244,3 +244,24 @@ npf_alg_conn(npf_cache_t *npc, int di)
 	pserialize_read_exit(s);
 	return con;
 }
+
+prop_array_t
+npf_alg_export(void)
+{
+	prop_array_t alglist = prop_array_create();
+
+	KASSERT(npf_config_locked_p());
+
+	for (u_int i = 0; i  alg_count; i++) {
+		const npf_alg_t *alg = alg_list[i];
+
+		if (alg-na_name == NULL) {
+			continue;
+		}
+		prop_dictionary_t algdict = prop_dictionary_create();
+		prop_dictionary_set_cstring(algdict, name, alg-na_name);
+		prop_array_add(alglist, algdict);
+		prop_object_release(algdict);
+	}
+	return alglist;
+}
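Review bot: npf_alg_export() has no header comment and ignores the results of `prop_dictionary_set_cstring()` and `prop_array_add()`, so an ALG entry can be dropped from the exported list without any indication. A comment such as `/* npf_alg_export: build an array of dictionaries naming each registered ALG; the caller owns the returned array. */` would document the contract, together with the config-lock requirement that the `KASSERT` enforces. If the proplib calls can fail in this context, release `alglist` and return NULL on failure so the caller can report the error.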

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.10 src/sys/net/npf/npf_conn.c:1.11
--- src/sys/net/npf/npf_conn.c:1.10	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_conn.c	Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -917,8 +917,11 @@ npf_conn_import(npf_conndb_t *cd, prop_d
 	}
 	memcpy(con-c_state, d, sizeof(npf_state_t));
 
-	/* Reconstruct NAT association, if any, or return NULL. */
-	con-c_nat = npf_nat_import(cdict, natlist, con);
+	/* Reconstruct NAT association, if any. */
+	if ((obj = prop_dictionary_get(cdict, nat)) != NULL 
+	(con-c_nat = npf_nat_import(obj, natlist, con)) == NULL) {
+		goto err;
+	}
 
 	/*
 	 * Fetch and copy the keys for each direction.
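Review bot: The object fetched from the `nat` key is passed to npf_nat_import() without a check that it is a dictionary, and the connection dictionary appears to come from a loaded configuration rather than from the kernel itself. Unless npf_nat_import() validates its first argument, which is outside this hunk, a guard such as `if (prop_object_type(obj) != PROP_TYPE_DICTIONARY) goto err;` before the call would reject malformed input early, in the same way npf_mk_connlist() checks for `PROP_TYPE_ARRAY`. The function starts and ends outside the hunk.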

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.38 src/sys/net/npf/npf_ctl.c:1.39
--- src/sys/net/npf/npf_ctl.c:1.38	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_ctl.c	Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54

CVS commit: src

2014-08-10 Thread Mindaugas Rasiukevicius
);
 
 	/* Translation port (for redirect case). */
-	prop_dictionary_set_uint16(rldict, translation-port, port);
+	prop_dictionary_set_uint16(rldict, nat-port, port);
 
 	return (nl_nat_t *)rl;
 }
@@ -901,7 +901,7 @@ npf_nat_insert(nl_config_t *ncf, nl_nat_
 {
 	prop_dictionary_t rldict = nt-nrl_dict;
 
-	prop_dictionary_set_int32(rldict, priority, NPF_PRI_LAST);
+	prop_dictionary_set_int32(rldict, prio, NPF_PRI_LAST);
 	prop_array_add(ncf-ncf_nat_list, rldict);
 	return 0;
 }
@@ -917,7 +917,7 @@ int
 npf_nat_setalgo(nl_nat_t *nt, u_int algo)
 {
 	prop_dictionary_t rldict = nt-nrl_dict;
-	prop_dictionary_set_uint32(rldict, translation-algo, algo);
+	prop_dictionary_set_uint32(rldict, nat-algo, algo);
 	return 0;
 }
 
@@ -930,7 +930,7 @@ npf_nat_setnpt66(nl_nat_t *nt, uint16_t 
 	if ((error = npf_nat_setalgo(nt, NPF_ALGO_NPT66)) != 0) {
 		return error;
 	}
-	prop_dictionary_set_uint16(rldict, npt66-adjustment, adj);
+	prop_dictionary_set_uint16(rldict, npt66-adj, adj);
 	return 0;
 }
 
@@ -958,13 +958,13 @@ void
 npf_nat_getmap(nl_nat_t *nt, npf_addr_t *addr, size_t *alen, in_port_t *port)
 {
 	prop_dictionary_t rldict = nt-nrl_dict;
-	prop_object_t obj = prop_dictionary_get(rldict, translation-ip);
+	prop_object_t obj = prop_dictionary_get(rldict, nat-ip);
 
 	*alen = prop_data_size(obj);
 	memcpy(addr, prop_data_data_nocopy(obj), *alen);
 
 	*port = 0;
-	prop_dictionary_get_uint16(rldict, translation-port, port);
+	prop_dictionary_get_uint16(rldict, nat-port, port);
 }
 
 /*
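Review bot: In npf_nat_getmap() the length returned by `prop_data_size(obj)` is used for the `memcpy()` into `addr` without being bounded, and `obj` is not checked for NULL. With the key renamed to `nat-ip`, a dictionary written with the old `translation-ip` key has no such entry, so the lookup result needs a check, and a stored value larger than `npf_addr_t` would overflow the caller's buffer. Something like `if (obj == NULL || prop_data_size(obj) > sizeof(*addr)) { *alen = 0; *port = 0; return; }` before the copy covers both cases.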

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.46 src/sys/net/npf/npf.h:1.47
--- src/sys/net/npf/npf.h:1.46	Wed Jul 23 01:48:05 2014
+++ src/sys/net/npf/npf.h	Sun Aug 10 19:09:43 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.46 2014/07/23 01:48:05 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
 #include netinet/in_systm.h
 #include netinet/in.h
 
-#define	NPF_VERSION		16
+#define	NPF_VERSION		17
 
 /*
  * Public declarations and definitions.

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.9 src/sys/net/npf/npf_conn.c:1.10
--- src/sys/net/npf/npf_conn.c:1.9	Sat Jul 26 16:42:03 2014
+++ src/sys/net/npf/npf_conn.c	Sun Aug 10 19:09:43 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -809,11 +809,11 @@ npf_conn_worker(void)
 }
 
 /*
- * npf_conn_export: construct a list of connections prepared for saving.
+ * npf_conndb_export: construct a list of connections prepared for saving.
  * Note: this is expected to be an expensive operation.
  */
 int
-npf_conn_export(prop_array_t conlist)
+npf_conndb_export(prop_array_t conlist)
 {
 	npf_conn_t *con, *prev;
 
@@ -830,33 +830,12 @@ npf_conn_export(prop_array_t conlist)
 	con = npf_conndb_getlist(conn_db);
 	while (con) {
 		npf_conn_t *next = con-c_next;
-		prop_data_t d;
+		prop_dictionary_t cdict;
 
-		if ((con-c_flags  (CONN_ACTIVE|CONN_EXPIRE)) != CONN_ACTIVE)
-			goto skip;
-
-		prop_dictionary_t cdict = prop_dictionary_create();
-		prop_dictionary_set_uint32(cdict, flags, con-c_flags);
-		prop_dictionary_set_uint32(cdict, proto, con-c_proto);
-		/* FIXME: interface-id */
-
-		d = prop_data_create_data(con-c_state, sizeof(npf_state_t));
-		prop_dictionary_set_and_rel(cdict, state, d);
-
-		const uint32_t *fkey = con-c_forw_entry.ck_key;
-		d = prop_data_create_data(fkey, NPF_CONN_MAXKEYLEN);
-		prop_dictionary_set_and_rel(cdict, forw-key, d);
-
-		const uint32_t *bkey = con-c_back_entry.ck_key;
-		d = prop_data_create_data(bkey, NPF_CONN_MAXKEYLEN);
-		prop_dictionary_set_and_rel(cdict, back-key, d);
-
-		if (con-c_nat) {
-			npf_nat_export(cdict, con-c_nat);
+		if ((cdict = npf_conn_export(con)) != NULL) {
+			prop_array_add(conlist, cdict);
+			prop_object_release(cdict);
 		}
-		prop_array_add(conlist, cdict);
-		prop_object_release(cdict);
-skip:
 		prev = con;
 		con = next;
 	}
@@ -866,6 +845,43 @@ skip:
 }
 
 /*
+ * npf_conn_export: serialise a single connection.
+ */
+prop_dictionary_t
+npf_conn_export(const npf_conn_t *con)
+{
+	prop_dictionary_t cdict;
+	prop_data_t d;
+
+	if ((con-c_flags  (CONN_ACTIVE|CONN_EXPIRE)) != CONN_ACTIVE) {
+		return NULL;
+	}
+	cdict = prop_dictionary_create();
+	prop_dictionary_set_uint32(cdict, flags, con-c_flags);
+	prop_dictionary_set_uint32(cdict, proto, con-c_proto);
+	if (con-c_ifid) {
+		const char *ifname = npf_ifmap_getname(con-c_ifid);
+		prop_dictionary_set_cstring(cdict, ifname, ifname);
+	}
+
+	d = prop_data_create_data(con-c_state, sizeof(npf_state_t));
+	prop_dictionary_set_and_rel

CVS commit: src/sys/net/npf

2014-08-10 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Aug 11 01:54:13 UTC 2014

Modified Files:
src/sys/net/npf: npf_conf.c npf_ctl.c npf_impl.h npf_rproc.c
npf_ruleset.c npf_tableset.c

Log Message:
NPF: finish up the rework of npfctl_save() mechanism.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.21 -r1.22 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.7 src/sys/net/npf/npf_conf.c:1.8
--- src/sys/net/npf/npf_conf.c:1.7	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf_conf.c	Mon Aug 11 01:54:12 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conf.c,v 1.7 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.7 2014/07/23 01:25:34 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -66,7 +66,6 @@ typedef struct {
 	npf_tableset_t *	n_tables;
 	npf_ruleset_t *		n_nat_rules;
 	npf_rprocset_t *	n_rprocs;
-	prop_dictionary_t	n_dict;
 	bool			n_default_pass;
 } npf_config_t;
 
@@ -77,7 +76,6 @@ static pserialize_t		npf_config_psz		__c
 void
 npf_config_init(void)
 {
-	prop_dictionary_t dict;
 	npf_ruleset_t *rlset, *nset;
 	npf_rprocset_t *rpset;
 	npf_tableset_t *tset;
@@ -86,19 +84,17 @@ npf_config_init(void)
 	npf_config_psz = pserialize_create();
 
 	/* Load the empty configuration. */
-	dict = prop_dictionary_create();
 	tset = npf_tableset_create(0);
 	rpset = npf_rprocset_create();
 	rlset = npf_ruleset_create(0);
 	nset = npf_ruleset_create(0);
-	npf_config_load(dict, rlset, tset, nset, rpset, NULL, true);
+	npf_config_load(rlset, tset, nset, rpset, NULL, true);
 	KASSERT(npf_config != NULL);
 }
 
 static void
 npf_config_destroy(npf_config_t *nc)
 {
-	prop_object_release(nc-n_dict);
 	npf_ruleset_destroy(nc-n_rules);
 	npf_ruleset_destroy(nc-n_nat_rules);
 	npf_rprocset_destroy(nc-n_rprocs);
@@ -127,8 +123,8 @@ npf_config_fini(void)
  * Performs the necessary synchronisation and destroys the old config.
  */
 void
-npf_config_load(prop_dictionary_t dict, npf_ruleset_t *rset,
-npf_tableset_t *tset, npf_ruleset_t *nset, npf_rprocset_t *rpset,
+npf_config_load(npf_ruleset_t *rset, npf_tableset_t *tset,
+npf_ruleset_t *nset, npf_rprocset_t *rpset,
 npf_conndb_t *conns, bool flush)
 {
 	npf_config_t *nc, *onc;
@@ -138,7 +134,6 @@ npf_config_load(prop_dictionary_t dict, 
 	nc-n_tables = tset;
 	nc-n_nat_rules = nset;
 	nc-n_rprocs = rpset;
-	nc-n_dict = dict;
 	nc-n_default_pass = flush;
 
 	/*
@@ -185,9 +180,6 @@ npf_config_load(prop_dictionary_t dict, 
 	 * If not flushing - enable the connection tracking.
 	 */
 	npf_conn_load(conns, !flush);
-
-	/* Sync the config proplib data. */
-	npf_tableset_syncdict(tset, dict);
 	mutex_exit(npf_config_lock);
 
 	/* Finally, it is safe to destroy the old config. */
@@ -261,10 +253,10 @@ npf_config_tableset(void)
 	return npf_config-n_tables;
 }
 
-prop_dictionary_t
-npf_config_dict(void)
+npf_rprocset_t *
+npf_config_rprocs(void)
 {
-	return npf_config-n_dict;
+	return npf_config-n_rprocs;
 }
 
 bool
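Review bot: The new accessor `npf_config_rprocs()` hands out `npf_config->n_rprocs` with no statement of what keeps that pointer valid. `npf_config_load()` in this same file replaces the active config and then destroys the old one ("Finally, it is safe to destroy the old config"), so a caller that holds the returned set across a reload could be left with a freed pointer. I would add a header comment such as `/* Caller must prevent a config reload (npf_config_lock held, or inside the reader section) while using the result. */`; which of the two the save path actually relies on is not visible here and should be confirmed. The same applies to the neighbouring `npf_config_tableset()`.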

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.37 src/sys/net/npf/npf_ctl.c:1.38
--- src/sys/net/npf/npf_ctl.c:1.37	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_ctl.c	Mon Aug 11 01:54:12 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.37 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.37 2014/08/10 19:09:43 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $);
 
 #include sys/param.h
 #include sys/conf.h
@@ -181,7 +181,6 @@ npf_mk_tables(npf_tableset_t *tblset, pr
 			NPF_ERR_DEBUG(errdict);
 			break;
 		}
-		prop_dictionary_remove(tbldict, entries);
 	}
 	prop_object_iterator_release(it);
 	/*
@@ -555,7 +554,6 @@ npfctl_load(u_long cmd, void *data)
 	if (error) {
 		goto fail;
 	}
-	prop_dictionary_remove(npf_dict, nat);
 
 	/* Tables. */
 	tables = prop_dictionary_get(npf_dict, tables);
@@ -597,7 +595,6 @@ npfctl_load(u_long cmd, void *data)
 		if (error) {
 			goto fail;
 		}
-		prop_dictionary_remove(npf_dict, conn-list);
 	}
 
 	flush = false;
@@ -606,7 +603,7 @@ npfctl_load(u_long cmd, void *data)
 	/*
 	 * Finally - perform the load.
 

CVS commit: src/sys/netinet

2014-08-03 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug  3 22:11:50 UTC 2014

Modified Files:
src/sys/netinet: in_pcb.c

Log Message:
in_pcbdetach: now that IGMP and multicast groups are MP-safe, we can move
the ip_freemoptions() call outside the softnet_lock.  Should fix PR/49065.


To generate a diff of this commit:
cvs rdiff -u -r1.149 -r1.150 src/sys/netinet/in_pcb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in_pcb.c
diff -u src/sys/netinet/in_pcb.c:1.149 src/sys/netinet/in_pcb.c:1.150
--- src/sys/netinet/in_pcb.c:1.149	Thu Jul 24 15:12:03 2014
+++ src/sys/netinet/in_pcb.c	Sun Aug  3 22:11:50 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: in_pcb.c,v 1.149 2014/07/24 15:12:03 rtr Exp $	*/
+/*	$NetBSD: in_pcb.c,v 1.150 2014/08/03 22:11:50 rmind Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -93,7 +93,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: in_pcb.c,v 1.149 2014/07/24 15:12:03 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: in_pcb.c,v 1.150 2014/08/03 22:11:50 rmind Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -593,19 +593,23 @@ in_pcbdetach(void *v)
 #if defined(IPSEC)
 	if (ipsec_enabled)
 		ipsec4_delete_pcbpolicy(inp);
-#endif /* IPSEC */
-	so-so_pcb = 0;
-	if (inp-inp_options)
-		(void)m_free(inp-inp_options);
-	rtcache_free(inp-inp_route);
-	ip_freemoptions(inp-inp_moptions);
+#endif
+	so-so_pcb = NULL;
+
 	s = splnet();
 	in_pcbstate(inp, INP_ATTACHED);
 	LIST_REMOVE(inp-inp_head, inph_lhash);
 	TAILQ_REMOVE(inp-inp_table-inpt_queue, inp-inp_head, inph_queue);
-	pool_put(inpcb_pool, inp);
 	splx(s);
+
+	if (inp-inp_options) {
+		m_free(inp-inp_options);
+	}
+	rtcache_free(inp-inp_route);
 	sofree(so);			/* drops the socket's lock */
+
+	ip_freemoptions(inp-inp_moptions);
+	pool_put(inpcb_pool, inp);
 	mutex_enter(softnet_lock);	/* reacquire the softnet_lock */
 }
 
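Review bot: After `sofree(so)` the socket lock is gone, yet `inp` is still dereferenced by `ip_freemoptions(inp->inp_moptions)` and then handed to `pool_put()`. That is safe only because `so->so_pcb` was cleared and the PCB was taken off the hash list and the table queue earlier in the function, so nothing else should be able to reach it; the code does not say so, and the ordering is easy to break in a later edit. I would put `/* inp is unlinked and unreferenced from here on; the rest of the teardown needs no lock. */` above the `ip_freemoptions()` call. The trailing `mutex_enter(softnet_lock)` also assumes that the lock dropped by `sofree()` is softnet_lock, which an assertion at function entry could pin down; the start of in_pcbdetach is outside the hunk. The in6_pcbdetach hunk in the netinet6 commit that follows has the same shape.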



CVS commit: src/sys/netinet6

2014-08-03 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug  3 22:55:24 UTC 2014

Modified Files:
src/sys/netinet6: in6_pcb.c

Log Message:
in6_pcbdetach: now that IGMP and multicast groups are MP-safe, we can move
the ip6_freemoptions() call outside the softnet_lock.  Should fix PR/49065.


To generate a diff of this commit:
cvs rdiff -u -r1.126 -r1.127 src/sys/netinet6/in6_pcb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/in6_pcb.c
diff -u src/sys/netinet6/in6_pcb.c:1.126 src/sys/netinet6/in6_pcb.c:1.127
--- src/sys/netinet6/in6_pcb.c:1.126	Thu Jul 24 15:12:03 2014
+++ src/sys/netinet6/in6_pcb.c	Sun Aug  3 22:55:24 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: in6_pcb.c,v 1.126 2014/07/24 15:12:03 rtr Exp $	*/
+/*	$NetBSD: in6_pcb.c,v 1.127 2014/08/03 22:55:24 rmind Exp $	*/
 /*	$KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: in6_pcb.c,v 1.126 2014/07/24 15:12:03 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: in6_pcb.c,v 1.127 2014/08/03 22:55:24 rmind Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -599,24 +599,28 @@ in6_pcbdetach(struct in6pcb *in6p)
 #if defined(IPSEC)
 	if (ipsec_enabled)
 		ipsec6_delete_pcbpolicy(in6p);
-#endif /* IPSEC */
-	so-so_pcb = 0;
-	if (in6p-in6p_options)
+#endif
+	so-so_pcb = NULL;
+
+	s = splnet();
+	in6_pcbstate(in6p, IN6P_ATTACHED);
+	LIST_REMOVE(in6p-in6p_head, inph_lhash);
+	TAILQ_REMOVE(in6p-in6p_table-inpt_queue, in6p-in6p_head,
+	inph_queue);
+	splx(s);
+
+	if (in6p-in6p_options) {
 		m_freem(in6p-in6p_options);
+	}
 	if (in6p-in6p_outputopts != NULL) {
 		ip6_clearpktopts(in6p-in6p_outputopts, -1);
 		free(in6p-in6p_outputopts, M_IP6OPT);
 	}
 	rtcache_free(in6p-in6p_route);
+	sofree(so);/* drops the socket's lock */
+
 	ip6_freemoptions(in6p-in6p_moptions);
-	s = splnet();
-	in6_pcbstate(in6p, IN6P_ATTACHED);
-	LIST_REMOVE(in6p-in6p_head, inph_lhash);
-	TAILQ_REMOVE(in6p-in6p_table-inpt_queue, in6p-in6p_head,
-	inph_queue);
 	pool_put(in6pcb_pool, in6p);
-	splx(s);
-	sofree(so);/* drops the socket's lock */
 	mutex_enter(softnet_lock);		/* reacquire it */
 }
 



CVS commit: src

2014-08-02 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Aug  2 23:57:40 UTC 2014

Modified Files:
src/distrib/sets/lists/man: mi
src/usr.sbin/npf: Makefile
Added Files:
src/usr.sbin/npf: npf.7

Log Message:
NPF: add a general npf(7) manual page.  Improved by wiz@.


To generate a diff of this commit:
cvs rdiff -u -r1.1481 -r1.1482 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/Makefile
cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npf.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/sets/lists/man/mi
diff -u src/distrib/sets/lists/man/mi:1.1481 src/distrib/sets/lists/man/mi:1.1482
--- src/distrib/sets/lists/man/mi:1.1481	Fri Aug  1 14:08:47 2014
+++ src/distrib/sets/lists/man/mi	Sat Aug  2 23:57:40 2014
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1481 2014/08/01 14:08:47 christos Exp $
+# $NetBSD: mi,v 1.1482 2014/08/02 23:57:40 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as obsolete instead.
 #
@@ -2224,6 +2224,7 @@
 ./usr/share/man/cat7/module.0			man-reference-catman	.cat
 ./usr/share/man/cat7/msafer.0			man-obsolete		obsolete
 ./usr/share/man/cat7/nls.0			man-reference-catman	.cat
+./usr/share/man/cat7/npf.0			man-npf-catman		.cat,npf
 ./usr/share/man/cat7/orders.0			man-reference-catman	.cat
 ./usr/share/man/cat7/packages.0			man-obsolete		obsolete
 ./usr/share/man/cat7/pcap-filter.0		man-netutil-catman	.cat
@@ -5167,6 +5168,7 @@
 ./usr/share/man/html7/mdoc.html			man-groff-htmlman	html,groff
 ./usr/share/man/html7/module.html		man-reference-htmlman	html
 ./usr/share/man/html7/nls.html			man-reference-htmlman	html
+./usr/share/man/html7/npf.html			man-npf-htmlman		html,npf
 ./usr/share/man/html7/orders.html		man-reference-htmlman	html
 ./usr/share/man/html7/pcap-filter.html		man-netutil-htmlman	html
 ./usr/share/man/html7/pcap-linktype.html	man-netutil-htmlman	html
@@ -8084,6 +8086,7 @@
 ./usr/share/man/man7/module.7			man-reference-man	.man
 ./usr/share/man/man7/msafer.7			man-obsolete		obsolete
 ./usr/share/man/man7/nls.7			man-reference-man	.man
+./usr/share/man/man7/npf.7			man-npf-man		.man,npf
 ./usr/share/man/man7/orders.7			man-reference-man	.man
 ./usr/share/man/man7/packages.7			man-obsolete		obsolete
 ./usr/share/man/man7/pcap-filter.7		man-netutil-man		.man

Index: src/usr.sbin/npf/Makefile
diff -u src/usr.sbin/npf/Makefile:1.4 src/usr.sbin/npf/Makefile:1.5
--- src/usr.sbin/npf/Makefile:1.4	Thu Sep 13 21:02:50 2012
+++ src/usr.sbin/npf/Makefile	Sat Aug  2 23:57:40 2014
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.4 2012/09/13 21:02:50 martin Exp $
+# $NetBSD: Makefile,v 1.5 2014/08/02 23:57:40 rmind Exp $
 
 .include bsd.own.mk
 
@@ -8,4 +8,7 @@ SUBDIR=		npfctl
 SUBDIR+=	npftest
 .endif
 
+MAN=		npf.7
+
+.include bsd.man.mk
 .include bsd.subdir.mk

Added files:

Index: src/usr.sbin/npf/npf.7
diff -u /dev/null src/usr.sbin/npf/npf.7:1.1
--- /dev/null	Sat Aug  2 23:57:40 2014
+++ src/usr.sbin/npf/npf.7	Sat Aug  2 23:57:40 2014
@@ -0,0 +1,91 @@
+.\	$NetBSD: npf.7,v 1.1 2014/08/02 23:57:40 rmind Exp $
+.\
+.\ Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
+.\ All rights reserved.
+.\
+.\ This material is based upon work partially supported by The
+.\ NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+.\
+.\ Redistribution and use in source and binary forms, with or without
+.\ modification, are permitted provided that the following conditions
+.\ are met:
+.\ 1. Redistributions of source code must retain the above copyright
+.\notice, this list of conditions and the following disclaimer.
+.\ 2. Redistributions in binary form must reproduce the above copyright
+.\notice, this list of conditions and the following disclaimer in the
+.\documentation and/or other materials provided with the distribution.
+.\
+.\ THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\ PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\ POSSIBILITY OF SUCH DAMAGE.
+.\
+.Dd August 2, 2014
+.Dt NPF 7
+.Os
+.Sh NAME
+.Nm NPF
+.Nd NetBSD packet filter
+.\ -
+.Sh DESCRIPTION
+NPF is a layer 3 packet filter, supporting IPv4 and IPv6 as well as
+layer 4 protocols such as TCP, UDP, and ICMP.
+It was designed with a focus on high performance, scalability, and
+modularity.
+.Pp
+NPF

CVS commit: src

2014-08-02 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug  3 00:02:56 UTC 2014

Modified Files:
src/lib/libnpf: libnpf.3
src/usr.sbin/npf/npfctl: npf.conf.5 npfctl.8

Log Message:
Cross-link npf(7).


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/npf/npfctl/npfctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/libnpf.3
diff -u src/lib/libnpf/libnpf.3:1.1 src/lib/libnpf/libnpf.3:1.2
--- src/lib/libnpf/libnpf.3:1.1	Tue Jul 22 22:28:47 2014
+++ src/lib/libnpf/libnpf.3	Sun Aug  3 00:02:56 2014
@@ -1,4 +1,4 @@
-.\	$NetBSD: libnpf.3,v 1.1 2014/07/22 22:28:47 christos Exp $
+.\	$NetBSD: libnpf.3,v 1.2 2014/08/03 00:02:56 rmind Exp $
 .\
 .\ Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\ POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd July 22, 2014
+.Dd August 2, 2014
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -297,6 +297,7 @@ Destroy the specified table.
 .\ -
 .Sh SEE ALSO
 .Xr bpf 4 ,
+.Xr npf 7 ,
 .Xr npfctl 8
 .Sh HISTORY
 The NPF library first appeared in

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.41 src/usr.sbin/npf/npfctl/npf.conf.5:1.42
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.41	Thu May 15 23:52:32 2014
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Aug  3 00:02:56 2014
@@ -1,4 +1,4 @@
-.\$NetBSD: npf.conf.5,v 1.41 2014/05/15 23:52:32 wiz Exp $
+.\$NetBSD: npf.conf.5,v 1.42 2014/08/03 00:02:56 rmind Exp $
 .\
 .\ Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\ POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd May 15, 2014
+.Dd August 2, 2014
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -352,6 +352,7 @@ group default {
 .\ -
 .Sh SEE ALSO
 .Xr bpf 4 ,
+.Xr npf 7 ,
 .Xr pcap-filter 7 ,
 .Xr npfctl 8
 .Sh HISTORY

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.16 src/usr.sbin/npf/npfctl/npfctl.8:1.17
--- src/usr.sbin/npf/npfctl/npfctl.8:1.16	Wed Jul 23 01:25:34 2014
+++ src/usr.sbin/npf/npfctl/npfctl.8	Sun Aug  3 00:02:56 2014
@@ -1,4 +1,4 @@
-.\	$NetBSD: npfctl.8,v 1.16 2014/07/23 01:25:34 rmind Exp $
+.\	$NetBSD: npfctl.8,v 1.17 2014/08/03 00:02:56 rmind Exp $
 .\
 .\ Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\ POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd July 23, 2014
+.Dd August 2, 2014
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -186,7 +186,8 @@ Addition and removal of entries in the t
 .\ -
 .Sh SEE ALSO
 .Xr bpf 4 ,
-.Xr npf.conf 5
+.Xr npf.conf 5 ,
+.Xr npf 7
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .



CVS commit: src/sys/net/npf

2014-07-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jul 26 16:42:03 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
npf_conn_conkey: fix a comment.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.8 src/sys/net/npf/npf_conn.c:1.9
--- src/sys/net/npf/npf_conn.c:1.8	Fri Jul 25 23:21:46 2014
+++ src/sys/net/npf/npf_conn.c	Sat Jul 26 16:42:03 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.9 2014/07/26 16:42:03 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -297,9 +297,9 @@ npf_conn_conkey(const npf_cache_t *npc, 
 	/*
 	 * Construct a key formed out of 32-bit integers.  The key layout:
 	 *
-	 * Field: | proto |  alen | src-id | dst-id | src-addr | dst-addr |
-	 *+---+---+++--+--+
-	 * Bits:  |   8   |   8   |   16   |   16   |  32-128  |  32-128  |
+	 * Field: | proto  |  alen  | src-id | dst-id | src-addr | dst-addr |
+	 *+++++--+--+
+	 * Bits:  |   16   |   16   |   16   |   16   |  32-128  |  32-128  |
 	 *
 	 * The source and destination are inverted if they key is for the
 	 * backwards stream (forw == false).  The address length depends



CVS commit: src/sys/net/npf

2014-07-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jul 25 20:07:32 UTC 2014

Modified Files:
src/sys/net/npf: npf_state_tcp.c

Log Message:
npf_tcp_inwindow: enable strict RST check by default.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_state_tcp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_state_tcp.c
diff -u src/sys/net/npf/npf_state_tcp.c:1.15 src/sys/net/npf/npf_state_tcp.c:1.16
--- src/sys/net/npf/npf_state_tcp.c:1.15	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_state_tcp.c	Fri Jul 25 20:07:32 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_state_tcp.c,v 1.15 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_state_tcp.c,v 1.16 2014/07/25 20:07:32 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_state_tcp.c,v 1.15 2014/07/20 00:37:41 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_state_tcp.c,v 1.16 2014/07/25 20:07:32 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -89,7 +89,7 @@ static u_int npf_tcp_timeouts[] __read_m
 	[NPF_TCPS_TIME_WAIT]	= 60 * 2 * 2,
 };
 
-static bool npf_strict_order_rst __read_mostly = false;
+static bool npf_strict_order_rst __read_mostly = true;
 
 #define	NPF_TCP_MAXACKWIN	66000
 
@@ -395,7 +395,7 @@ npf_tcp_inwindow(npf_cache_t *npc, npf_s
 			seq = end;
 		}
 
-		/* Strict in-order sequence for RST packets. */
+		/* Strict in-order sequence for RST packets (RFC 5961). */
 		if (npf_strict_order_rst  (fstate-nst_end - seq)  1) {
 			return false;
 		}
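Review bot: The comment on the RST check cites RFC 5961 but still does not say what is rejected or why, and with `npf_strict_order_rst` now defaulting to true (hunk at @@ -89,7) this branch is the default path for RST handling. I would expand it to `/* RFC 5961: reject RSTs that are not in sequence, so that an off-path sender cannot reset a tracked connection with a value that merely falls inside the window. */`. The flag is a file-local static and no way to turn the check off at run time is visible in these hunks; if there is none, the default change deserves a mention in the manual page. The comparison operators on the check line did not survive this rendering, so the exact tolerance cannot be confirmed from here; npf_tcp_inwindow starts and ends outside the hunk.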



CVS commit: src/sys/net/npf

2014-07-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jul 25 23:07:21 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h npf_ctl.c

Log Message:
npf_mk_connlist: destroy the connections on error path.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_ctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.6 src/sys/net/npf/npf_conn.c:1.7
--- src/sys/net/npf/npf_conn.c:1.6	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf_conn.c	Fri Jul 25 23:07:21 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.6 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.6 2014/07/23 01:25:34 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -141,7 +141,6 @@ static npf_conndb_t *	conn_db		__read_mo
 static pool_cache_t	conn_cache	__read_mostly;
 static kmutex_t		conn_lock	__cacheline_aligned;
 
-static void	npf_conn_gc(npf_conndb_t *, bool, bool);
 static void	npf_conn_worker(void);
 static void	npf_conn_destroy(npf_conn_t *);
 
@@ -706,7 +705,7 @@ npf_conn_expired(const npf_conn_t *con, 
  * = If it is a flush request, then destroy all connections.
  * = If 'sync' is true, then perform passive serialisation.
  */
-static void
+void
 npf_conn_gc(npf_conndb_t *cd, bool flush, bool sync)
 {
 	npf_conn_t *con, *prev, *gclist = NULL;

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.3 src/sys/net/npf/npf_conn.h:1.4
--- src/sys/net/npf/npf_conn.h:1.3	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf_conn.h	Fri Jul 25 23:07:21 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.3 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.4 2014/07/25 23:07:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -114,6 +114,7 @@ void		npf_conn_setpass(npf_conn_t *, npf
 int		npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
 		npf_nat_t *, u_int);
 npf_nat_t *	npf_conn_retnat(npf_conn_t *, const int, bool *);
+void		npf_conn_gc(npf_conndb_t *, bool, bool);
 int		npf_conn_export(prop_array_t);
 int		npf_conn_import(npf_conndb_t *, prop_dictionary_t,
 		npf_ruleset_t *);

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.35 src/sys/net/npf/npf_ctl.c:1.36
--- src/sys/net/npf/npf_ctl.c:1.35	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf_ctl.c	Fri Jul 25 23:07:21 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.35 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.36 2014/07/25 23:07:21 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.35 2014/07/23 01:25:34 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.36 2014/07/25 23:07:21 rmind Exp $);
 
 #include sys/param.h
 #include sys/conf.h
@@ -492,7 +492,7 @@ npf_mk_connlist(prop_array_t conlist, np
 	}
 	prop_object_iterator_release(it);
 	if (error) {
-		/* FIXME: npf_conn_gc(cd, true, false); */
+		npf_conn_gc(cd, true, false);
 		npf_conndb_destroy(cd);
 	} else {
 		*conndb = cd;
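Review bot: The call `npf_conn_gc(cd, true, false)` passes sync=false, which per the function's header comment skips passive serialisation, and nothing at the call site says why that is safe. Presumably it is because `cd` was built locally and is stored into `*conndb` only on the success branch, so no reader can hold a reference yet; that should be stated, e.g. `/* cd was never published: flush without synchronisation, then free. */`. Note also that `*conndb` is left untouched on the error branch, so the caller must not read it when an error is returned. The body of npf_mk_connlist starts outside the hunk.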



CVS commit: src/sys/net/npf

2014-07-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jul 25 23:21:46 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h

Log Message:
npf_conn_conkey: adjust to return the key length and add a comment
describing the key layout.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_conn.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.7 src/sys/net/npf/npf_conn.c:1.8
--- src/sys/net/npf/npf_conn.c:1.7	Fri Jul 25 23:07:21 2014
+++ src/sys/net/npf/npf_conn.c	Fri Jul 25 23:21:46 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.7 2014/07/25 23:07:21 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.8 2014/07/25 23:21:46 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -242,8 +242,10 @@ npf_conn_trackable_p(const npf_cache_t *
 
 /*
  * npf_conn_conkey: construct a key for the connection lookup.
+ *
+ * = Returns the key length in bytes or zero on failure.
  */
-bool
+unsigned
 npf_conn_conkey(const npf_cache_t *npc, npf_connkey_t *key, const bool forw)
 {
 	const u_int alen = npc-npc_alen;
@@ -272,7 +274,7 @@ npf_conn_conkey(const npf_cache_t *npc, 
 			id[NPF_DST] = ic-icmp_id;
 			break;
 		}
-		return false;
+		return 0;
 	case IPPROTO_ICMPV6:
 		if (npf_iscached(npc, NPC_ICMP_ID)) {
 			const struct icmp6_hdr *ic6 = npc-npc_l4.icmp6;
@@ -280,21 +282,30 @@ npf_conn_conkey(const npf_cache_t *npc, 
 			id[NPF_DST] = ic6-icmp6_id;
 			break;
 		}
-		return false;
+		return 0;
 	default:
 		/* Unsupported protocol. */
-		return false;
+		return 0;
 	}
 
-	/*
-	 * Finally, construct a key formed out of 32-bit integers.
-	 */
 	if (__predict_true(forw)) {
 		isrc = NPF_SRC, idst = NPF_DST;
 	} else {
 		isrc = NPF_DST, idst = NPF_SRC;
 	}
 
+	/*
+	 * Construct a key formed out of 32-bit integers.  The key layout:
+	 *
+	 * Field: | proto |  alen | src-id | dst-id | src-addr | dst-addr |
+	 *+---+---+++--+--+
+	 * Bits:  |   8   |   8   |   16   |   16   |  32-128  |  32-128  |
+	 *
+	 * The source and destination are inverted if they key is for the
+	 * backwards stream (forw == false).  The address length depends
+	 * on the 'alen' field; it is a length in bytes, either 4 or 16.
+	 */
+
 	key-ck_key[0] = ((uint32_t)npc-npc_proto  16) | (alen  0x);
 	key-ck_key[1] = ((uint32_t)id[isrc]  16) | id[idst];
 
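Review bot: The layout comment gives proto and alen 8 bits each, but the statement right below it stores the protocol in the upper half of `ck_key[0]` and alen in the lower half, which makes them 16 bits each (the shift and mask operators are damaged in this rendering, so this is read from the `16` and the shape of the expression). The table row should read `Bits:  |   16   |   16   |   16   |   16   |  32-128  |  32-128  |`. In the same comment, `if they key` should be `if the key`.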
@@ -308,8 +319,7 @@ npf_conn_conkey(const npf_cache_t *npc, 
 		memcpy(key-ck_key[2 + nwords], npc-npc_ips[idst], alen);
 		keylen = (2 + (nwords * 2)) * sizeof(uint32_t);
 	}
-	(void)keylen;
-	return true;
+	return keylen;
 }
 
 static __inline void

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.4 src/sys/net/npf/npf_conn.h:1.5
--- src/sys/net/npf/npf_conn.h:1.4	Fri Jul 25 23:07:21 2014
+++ src/sys/net/npf/npf_conn.h	Fri Jul 25 23:21:46 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.4 2014/07/25 23:07:21 rmind Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.5 2014/07/25 23:21:46 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -103,7 +103,7 @@ void		npf_conn_sysfini(void);
 void		npf_conn_tracking(bool);
 void		npf_conn_load(npf_conndb_t *, bool);
 
-bool		npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool);
+unsigned	npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool);
 npf_conn_t *	npf_conn_lookup(const npf_cache_t *, const int, bool *);
 npf_conn_t *	npf_conn_inspect(npf_cache_t *, const int, int *);
 npf_conn_t *	npf_conn_establish(npf_cache_t *, int, bool);



CVS commit: src/sys/net/npf

2014-07-22 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Jul 23 01:48:05 UTC 2014

Modified Files:
src/sys/net/npf: npf.h

Log Message:
npf_iscached: add an assert.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.45 src/sys/net/npf/npf.h:1.46
--- src/sys/net/npf/npf.h:1.45	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf.h	Wed Jul 23 01:48:05 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.45 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.46 2014/07/23 01:48:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -172,6 +172,7 @@ typedef struct {
 static inline bool
 npf_iscached(const npf_cache_t *npc, const int inf)
 {
+	KASSERT(npc-npc_nbuf != NULL);
 	return __predict_true((npc-npc_info  inf) != 0);
 }
 
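Review bot: The added `KASSERT(npc->npc_nbuf != NULL)` tests a field the function never reads; the return value depends only on `npc_info`. A short comment saying what the assertion protects is needed, for instance `/* Cached info is only meaningful while the cache is bound to a buffer. */`, with the wording to be confirmed by the author since the relationship is not visible in this hunk. As KASSERT is compiled in only for DIAGNOSTIC kernels, it documents an invariant and does not guard production builds.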



CVS commit: src/sys/net/npf

2014-07-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jul 19 19:14:21 UTC 2014

Added Files:
src/sys/net/npf: npf_conn.h

Log Message:
Add npf_conn.h missed in the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/npf_conn.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: src/sys/net/npf/npf_conn.h
diff -u /dev/null src/sys/net/npf/npf_conn.h:1.1
--- /dev/null	Sat Jul 19 19:14:21 2014
+++ src/sys/net/npf/npf_conn.h	Sat Jul 19 19:14:21 2014
@@ -0,0 +1,139 @@
+/*	$NetBSD: npf_conn.h,v 1.1 2014/07/19 19:14:21 rmind Exp $	*/
+
+/*-
+ * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This material is based upon work partially supported by The
+ * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NPF_CONN_H_
+#define _NPF_CONN_H_
+
+#if !defined(_KERNEL)
+#error kernel-level header only
+#endif
+
+#include sys/types.h
+
+#include npf_impl.h
+
+typedef struct npf_connkey npf_connkey_t;
+
+#if defined(__NPF_CONN_PRIVATE)
+
+#include sys/rbtree.h
+
+#define	NPF_CONN_NKEYWORDS	(2 + ((sizeof(npf_addr_t) * 2)  2))
+#define	NPF_CONN_MAXKEYLEN	(NPF_CONN_NKEYWORDS * sizeof(uint32_t))
+#define	NPF_CONN_GETALEN(key)	((key)-ck_key[0]  0x)
+#define	NPF_CONN_KEYLEN(key)	(8 + (2 * NPF_CONN_GETALEN(key)))
+
+struct npf_connkey {
+	/* Entry node and back-pointer to the actual connection. */
+	rb_node_t		ck_rbnode;
+	uint32_t		ck_key[NPF_CONN_NKEYWORDS];
+	npf_conn_t *		ck_backptr;
+};
+
+/*
+ * The main connection tracking structure.
+ */
+
+struct npf_conn {
+	/*
+	 * Connection forwards and backwards entries, plus the
+	 * interface ID (if zero, then the state is global).
+	 */
+	npf_connkey_t		c_forw_entry;
+	npf_connkey_t		c_back_entry;
+	u_int			c_proto;
+	u_int			c_ifid;
+
+	/* Flags and entry in the connection database or G/C list. */
+	u_int			c_flags;
+	npf_conn_t *		c_next;
+
+	/* Associated rule procedure or NAT (if any). */
+	npf_rproc_t *		c_rproc;
+	npf_nat_t *		c_nat;
+
+	/*
+	 * The protocol state, reference count and the last activity
+	 * time (used to calculate expiration time).
+	 */
+	kmutex_t		c_lock;
+	npf_state_t		c_state;
+	u_int			c_refcnt;
+	struct timespec		c_atime;
+};
+
+#endif
+
+/*
+ * Connection tracking interface.
+ */
+void		npf_conn_sysinit(void);
+void		npf_conn_sysfini(void);
+void		npf_conn_tracking(bool);
+
+bool		npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool);
+npf_conn_t *	npf_conn_lookup(const npf_cache_t *, const nbuf_t *,
+		const int, bool *);
+npf_conn_t *	npf_conn_inspect(npf_cache_t *, nbuf_t *, const int, int *);
+npf_conn_t *	npf_conn_establish(npf_cache_t *, nbuf_t *, int, bool);
+void		npf_conn_release(npf_conn_t *);
+void		npf_conn_expire(npf_conn_t *);
+bool		npf_conn_pass(const npf_conn_t *, npf_rproc_t **);
+void		npf_conn_setpass(npf_conn_t *, npf_rproc_t *);
+int		npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
+		npf_nat_t *, u_int);
+npf_nat_t *	npf_conn_retnat(npf_conn_t *, const int, bool *);
+
+void		npf_conn_load(npf_conndb_t *);
+int		npf_conn_save(prop_array_t, prop_array_t);
+int		npf_conn_restore(npf_conndb_t *, prop_dictionary_t);
+
+void		npf_conn_print(const npf_conn_t *);
+
+/*
+ * Connection database (aka state table) interface.
+ */
+npf_conndb_t *	npf_conndb_create(void);
+void		npf_conndb_destroy(npf_conndb_t *);
+
+npf_conn_t *	npf_conndb_lookup(npf_conndb_t *, const npf_connkey_t *,
+		bool *);
+bool		npf_conndb_insert(npf_conndb_t *, npf_connkey_t *,
+		npf_conn_t *);
+npf_conn_t *	npf_conndb_remove

CVS commit: src/sys/net/npf

2014-07-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jul 19 20:59:01 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
Fix gcc warnings.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.1 src/sys/net/npf/npf_conn.c:1.2
--- src/sys/net/npf/npf_conn.c:1.1	Sat Jul 19 18:24:16 2014
+++ src/sys/net/npf/npf_conn.c	Sat Jul 19 20:59:01 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.1 2014/07/19 18:24:16 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.2 2014/07/19 20:59:01 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -100,7 +100,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.1 2014/07/19 18:24:16 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.2 2014/07/19 20:59:01 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -328,6 +328,7 @@ npf_conn_conkey(const npf_cache_t *npc, 
 		memcpy(key-ck_key[2 + nwords], npc-npc_ips[idst], alen);
 		keylen = (2 + (nwords * 2)) * sizeof(uint32_t);
 	}
+	(void)keylen;
 	return true;
 }
 
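Review bot: `(void)keylen;` just before `return true` silences the set-but-unused warning without removing its cause, because the length computed in the branches above is still discarded. If no caller needs the key length, dropping the `keylen` local and its assignments is clearer than casting it away. If a later change is meant to consume it, a short comment such as `/* keylen is not consumed yet */` next to the cast would say so. npf_conn_conkey() starts outside this hunk, so any other use of `keylen` is not visible here.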
@@ -566,7 +567,7 @@ npf_conn_setnat(const npf_cache_t *npc, 
 		[NPF_NATIN] = NPF_SRC,
 	};
 	npf_connkey_t key, *bk;
-	npf_conn_t *ret;
+	npf_conn_t *ret __diagused;
 	npf_addr_t *taddr;
 	in_port_t tport;
 	u_int tidx;
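Review bot: Annotating `ret` with `__diagused` implies its value is read only inside a KASSERT, so on kernels built without DIAGNOSTIC the result of whatever call assigns it goes unchecked. If that call can fail at run time, the failure should be handled explicitly rather than asserted. If it cannot fail, a comment beside the declaration saying why would help the next reader. The rest of npf_conn_setnat() lies outside this hunk, so this is inferred from the annotation alone.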



CVS commit: src

2014-07-19 Thread Mindaugas Rasiukevicius
/net/npf/npf_conn.c:1.3 src/sys/net/npf/npf_conn.c:1.4
--- src/sys/net/npf/npf_conn.c:1.3	Sat Jul 19 21:22:58 2014
+++ src/sys/net/npf/npf_conn.c	Sun Jul 20 00:37:41 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.3 2014/07/19 21:22:58 christos Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.4 2014/07/20 00:37:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -100,7 +100,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.3 2014/07/19 21:22:58 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.4 2014/07/20 00:37:41 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -358,9 +358,9 @@ connkey_set_id(npf_connkey_t *key, const
  * = If found, we will hold a reference for the caller.
  */
 npf_conn_t *
-npf_conn_lookup(const npf_cache_t *npc, const nbuf_t *nbuf,
-const int di, bool *forw)
+npf_conn_lookup(const npf_cache_t *npc, const int di, bool *forw)
 {
+	const nbuf_t *nbuf = npc-npc_nbuf;
 	npf_conn_t *con;
 	npf_connkey_t key;
 	u_int flags, cifid;
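Review bot: npf_conn_lookup() now reads the buffer from `npc->npc_nbuf` instead of taking it as a parameter, but nothing in the hunk states or asserts that the cache has a buffer attached. The same pattern is introduced in npf_conn_inspect() and npf_conn_establish() in the following hunks. A `KASSERT(nbuf != NULL);` after the new declaration would make the precondition explicit, together with a line in the function's header comment saying that the caller must have set `npc_nbuf`. The function body continues past the end of this hunk.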
@@ -411,8 +411,9 @@ npf_conn_lookup(const npf_cache_t *npc, 
  * = If found, we will hold a reference for the caller.
  */
 npf_conn_t *
-npf_conn_inspect(npf_cache_t *npc, nbuf_t *nbuf, const int di, int *error)
+npf_conn_inspect(npf_cache_t *npc, const int di, int *error)
 {
+	nbuf_t *nbuf = npc-npc_nbuf;
 	npf_conn_t *con;
 	bool forw, ok;
 
@@ -422,7 +423,7 @@ npf_conn_inspect(npf_cache_t *npc, nbuf_
 	}
 
 	/* Query ALG which may lookup connection for us. */
-	if ((con = npf_alg_conn(npc, nbuf, di)) != NULL) {
+	if ((con = npf_alg_conn(npc, di)) != NULL) {
 		/* Note: reference is held. */
 		return con;
 	}
@@ -433,13 +434,13 @@ npf_conn_inspect(npf_cache_t *npc, nbuf_
 	KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));
 
 	/* Main lookup of the connection. */
-	if ((con = npf_conn_lookup(npc, nbuf, di, forw)) == NULL) {
+	if ((con = npf_conn_lookup(npc, di, forw)) == NULL) {
 		return NULL;
 	}
 
 	/* Inspect the protocol data and handle state changes. */
 	mutex_enter(con-c_lock);
-	ok = npf_state_inspect(npc, nbuf, con-c_state, forw);
+	ok = npf_state_inspect(npc, con-c_state, forw);
 	mutex_exit(con-c_lock);
 
 	if (__predict_false(!ok)) {
@@ -458,8 +459,9 @@ npf_conn_inspect(npf_cache_t *npc, nbuf_
  * = Connection will be activated on the first reference release.
  */
 npf_conn_t *
-npf_conn_establish(npf_cache_t *npc, nbuf_t *nbuf, int di, bool per_if)
+npf_conn_establish(npf_cache_t *npc, int di, bool per_if)
 {
+	const nbuf_t *nbuf = npc-npc_nbuf;
 	npf_conn_t *con;
 
 	KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));
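Review bot: In npf_conn_establish() the new local `nbuf` is used only by the `KASSERT` visible in this hunk. If the remainder of the function (outside the hunk) does not read it either, non-DIAGNOSTIC builds will report an unused variable, which is the kind of warning the 1.2 revision of this file was fixing. Declaring it as `const nbuf_t *nbuf __diagused = npc->npc_nbuf;` would keep both build types quiet.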
@@ -484,7 +486,7 @@ npf_conn_establish(npf_cache_t *npc, nbu
 	con-c_nat = NULL;
 
 	/* Initialize protocol state. */
-	if (!npf_state_init(npc, nbuf, con-c_state)) {
+	if (!npf_state_init(npc, con-c_state)) {
 		goto err;
 	}
 

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.1 src/sys/net/npf/npf_conn.h:1.2
--- src/sys/net/npf/npf_conn.h:1.1	Sat Jul 19 19:14:21 2014
+++ src/sys/net/npf/npf_conn.h	Sun Jul 20 00:37:41 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.1 2014/07/19 19:14:21 rmind Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.2 2014/07/20 00:37:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -100,10 +100,9 @@ void		npf_conn_sysfini(void);
 void		npf_conn_tracking(bool);
 
 bool		npf_conn_conkey(const npf_cache_t *, npf_connkey_t *, bool);
-npf_conn_t *	npf_conn_lookup(const npf_cache_t *, const nbuf_t *,
-		const int, bool *);
-npf_conn_t *	npf_conn_inspect(npf_cache_t *, nbuf_t *, const int, int *);
-npf_conn_t *	npf_conn_establish(npf_cache_t *, nbuf_t *, int, bool);
+npf_conn_t *	npf_conn_lookup(const npf_cache_t *, const int, bool *);
+npf_conn_t *	npf_conn_inspect(npf_cache_t *, const int, int *);
+npf_conn_t *	npf_conn_establish(npf_cache_t *, int, bool);
 void		npf_conn_release(npf_conn_t *);
 void		npf_conn_expire(npf_conn_t *);
 bool		npf_conn_pass(const npf_conn_t *, npf_rproc_t **);

Index: src/sys/net/npf/npf_ext_log.c
diff -u src/sys/net/npf/npf_ext_log.c:1.7 src/sys/net/npf/npf_ext_log.c:1.8
--- src/sys/net/npf/npf_ext_log.c:1.7	Mon May 19 18:45:51 2014
+++ src/sys/net/npf/npf_ext_log.c	Sun Jul 20 00:37:41 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_log.c,v 1.7 2014/05/19 18:45:51 jakllsch Exp $	*/
+/*	$NetBSD: npf_ext_log.c,v 1.8 2014/07/20 00:37:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ext_log.c,v 1.7 2014/05/19 18:45:51 jakllsch Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ext_log.c,v 1.8 2014/07/20 00:37:41 rmind Exp $);
 
 #include sys/types.h
 #include sys/module.h
@@ -79,9 +79,9 @@ npf_log_dtor(npf_rproc_t *rp, void *meta
 }
 
 static bool
-npf_log(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
+npf_log(npf_cache_t *npc, void *meta, int *decision)
 {
-	struct mbuf *m = nbuf_head_mbuf(nbuf);
+	struct mbuf *m = nbuf_head_mbuf(npc-npc_nbuf

CVS commit: src/sys/net/npf

2014-07-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jul 20 00:43:47 UTC 2014

Removed Files:
src/sys/net/npf: npf_session.c

Log Message:
Bye bye npf_session.c


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r0 src/sys/net/npf/npf_session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2014-07-19 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jul 20 00:48:51 UTC 2014

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
formatting


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.14 src/usr.sbin/npf/npfctl/npf_show.c:1.15
--- src/usr.sbin/npf/npfctl/npf_show.c:1.14	Sat May 31 22:41:37 2014
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sun Jul 20 00:48:51 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $);
+__RCSID($NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $);
 
 #include sys/socket.h
 #include netinet/in.h
@@ -452,7 +452,7 @@ npfctl_config_show(int fd)
 		if (ncf == NULL) {
 			return errno;
 		}
-		fprintf(ctx-fp, Filtering:\t%s\nConfiguration:\t%s\n,
+		fprintf(ctx-fp, # filtering:\t%s\n# config:\t%s\n,
 		active ? active : inactive,
 		loaded ? loaded : empty);
 		print_linesep(ctx);



CVS commit: src/sys/netinet

2014-07-10 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jul 10 14:05:19 UTC 2014

Modified Files:
src/sys/netinet: tcp_usrreq.c

Log Message:
tcp_accept: simplify a little.


To generate a diff of this commit:
cvs rdiff -u -r1.186 -r1.187 src/sys/netinet/tcp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_usrreq.c
diff -u src/sys/netinet/tcp_usrreq.c:1.186 src/sys/netinet/tcp_usrreq.c:1.187
--- src/sys/netinet/tcp_usrreq.c:1.186	Wed Jul  9 14:41:42 2014
+++ src/sys/netinet/tcp_usrreq.c	Thu Jul 10 14:05:19 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_usrreq.c,v 1.186 2014/07/09 14:41:42 rtr Exp $	*/
+/*	$NetBSD: tcp_usrreq.c,v 1.187 2014/07/10 14:05:19 rmind Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_usrreq.c,v 1.186 2014/07/09 14:41:42 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_usrreq.c,v 1.187 2014/07/10 14:05:19 rmind Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -948,20 +948,6 @@ tcp_accept(struct socket *so, struct mbu
 	{
 		return EINVAL;
 	}
-#ifdef INET
-	if (inp) {
-		tp = intotcpcb(inp);
-		/* WHAT IF TP IS 0? */
-		ostate = tcp_debug_capture(tp, PRU_ACCEPT);
-	}
-#endif
-#ifdef INET6
-	if (in6p) {
-		tp = in6totcpcb(in6p);
-		/* WHAT IF TP IS 0? */
-		ostate = tcp_debug_capture(tp, PRU_ACCEPT);
-	}
-#endif
 
 	/*
 	 * Accept a connection.  Essentially all the work is
@@ -969,16 +955,22 @@ tcp_accept(struct socket *so, struct mbu
 	 * of the peer, storing through addr.
 	 */
 #ifdef INET
-	if (inp)
+	if (inp) {
+		tp = intotcpcb(inp);
+		KASSERT(tp != NULL);
+		ostate = tcp_debug_capture(tp, PRU_ACCEPT);
 		in_setpeeraddr(inp, nam);
+	}
 #endif
 #ifdef INET6
-	if (in6p)
+	if (in6p) {
+		tp = in6totcpcb(in6p);
+		KASSERT(tp != NULL);
+		ostate = tcp_debug_capture(tp, PRU_ACCEPT);
 		in6_setpeeraddr(in6p, nam);
+	}
 #endif
-
 	tcp_debug_trace(so, tp, ostate, PRU_ACCEPT);
-
 	return 0;
 }
 
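Review bot: `KASSERT(tp != NULL)` in the INET and INET6 branches replaces the old "WHAT IF TP IS 0?" remarks, but KASSERT is compiled out of non-DIAGNOSTIC kernels, so there `tp` still reaches `tcp_debug_capture()` and `tcp_debug_trace()` unchecked. If a PCB without an attached tcpcb can never reach tcp_accept(), a comment stating which earlier check guarantees that would close the question. Otherwise an explicit run-time test that returns an error is safer than an assertion. Note also that `tp` and `ostate` are assigned only inside the two `#ifdef` branches, and the function's opening lines are outside this hunk.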



CVS commit: src/sys/net/npf

2014-06-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Jun 30 00:01:24 UTC 2014

Modified Files:
src/sys/net/npf: npf_bpf.c

Log Message:
NPF: use BPF JIT by default.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_bpf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_bpf.c
diff -u src/sys/net/npf/npf_bpf.c:1.9 src/sys/net/npf/npf_bpf.c:1.10
--- src/sys/net/npf/npf_bpf.c:1.9	Sun Jun 29 00:05:24 2014
+++ src/sys/net/npf/npf_bpf.c	Mon Jun 30 00:01:23 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $	*/
+/*	$NetBSD: npf_bpf.c,v 1.10 2014/06/30 00:01:23 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_bpf.c,v 1.10 2014/06/30 00:01:23 rmind Exp $);
 
 #include sys/types.h
 #include sys/param.h
@@ -127,11 +127,7 @@ npf_bpf_filter(bpf_args_t *args, const v
 void *
 npf_bpf_compile(void *code, size_t size)
 {
-#if 0
 	return bpf_jit_generate(npf_bpfctx, code, size);
-#else
-	return NULL;
-#endif
 }
 
 bool
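Review bot: npf_bpf_compile() now calls `bpf_jit_generate()` unconditionally, so there is no way to turn the JIT off even though the log message says "by default". Generated machine code in the packet path enlarges the kernel's attack surface, so a tunable that makes this function return NULL would be worth having. npf_bpf_filter(), as shown in the 1.9 diff, then stays on `bpf_filter_ext()`. The function also has no comment on the meaning of a NULL result; I would add `/* Returns NULL when no JIT code is available; the byte-code interpreter is used instead. */`, assuming that is what bpf_jit_generate() returns on failure.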



CVS commit: src

2014-06-28 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jun 29 00:05:24 UTC 2014

Modified Files:
src/sys/net/npf: npf.h npf_bpf.c
src/usr.sbin/npf/npfctl: npf_bpf_comp.c

Log Message:
NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf.h
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_bpf.c
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfctl/npf_bpf_comp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.41 src/sys/net/npf/npf.h:1.42
--- src/sys/net/npf/npf.h:1.41	Wed Jun 25 00:20:06 2014
+++ src/sys/net/npf/npf.h	Sun Jun 29 00:05:24 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.41 2014/06/25 00:20:06 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.42 2014/06/29 00:05:24 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
 #include netinet/in_systm.h
 #include netinet/in.h
 
-#define	NPF_VERSION		13
+#define	NPF_VERSION		14
 
 /*
  * Public declarations and definitions.

Index: src/sys/net/npf/npf_bpf.c
diff -u src/sys/net/npf/npf_bpf.c:1.8 src/sys/net/npf/npf_bpf.c:1.9
--- src/sys/net/npf/npf_bpf.c:1.8	Wed Jun 25 00:20:06 2014
+++ src/sys/net/npf/npf_bpf.c	Sun Jun 29 00:05:24 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $	*/
+/*	$NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_bpf.c,v 1.9 2014/06/29 00:05:24 rmind Exp $);
 
 #include sys/types.h
 #include sys/param.h
@@ -78,7 +78,7 @@ npf_bpf_sysfini(void)
 }
 
 void
-npf_bpf_prepare(npf_cache_t *npc, nbuf_t *nbuf, bpf_args_t *args, uint32_t *m)
+npf_bpf_prepare(npf_cache_t *npc, nbuf_t *nbuf, bpf_args_t *args, uint32_t *M)
 {
 	const struct mbuf *mbuf = nbuf_head_mbuf(nbuf);
 	const size_t pktlen = m_length(mbuf);
@@ -87,19 +87,39 @@ npf_bpf_prepare(npf_cache_t *npc, nbuf_t
 	args-pkt = (const uint8_t *)mbuf;
 	args-wirelen = pktlen;
 	args-buflen = 0;
-	args-mem = m;
+	args-mem = M;
 	args-arg = npc;
+
+	/*
+	 * Convert address length to IP version.  Just mask out
+	 * number 4 or set 6 if higher bits set, such that:
+	 *
+	 *	0	=	0
+	 *	4	=	4 (IPVERSION)
+	 *	16	=	6 (IPV6_VERSION  4)
+	 */
+	const u_int alen = npc-npc_alen;
+	const uint32_t ver = (alen  4) | ((alen  4) * 6);
+
+	/*
+	 * Output words in the memory store:
+	 *	BPF_MW_IPVER	IP version (4 or 6).
+	 *	BPF_MW_L4OFF	L4 header offset.
+	 *	BPF_MW_L4PROTO	L4 protocol.
+	 */
+	M[BPF_MW_IPVER] = ver;
+	M[BPF_MW_L4OFF] = npc-npc_hlen;
+	M[BPF_MW_L4PROTO] = npc-npc_proto;
 }
 
 int
 npf_bpf_filter(bpf_args_t *args, const void *code, bpfjit_func_t jcode)
 {
-#if 0
 	/* Execute JIT-compiled code. */
 	if (__predict_true(jcode)) {
 		return jcode(npf_bpfctx, args);
 	}
-#endif
+
 	/* Execute BPF byte-code. */
 	return bpf_filter_ext(npf_bpfctx, code, args);
 }
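Review bot: npf_bpf_prepare() now stores to `M[BPF_MW_IPVER]`, `M[BPF_MW_L4OFF]` and `M[BPF_MW_L4PROTO]`, but nothing tells the caller how large the array behind `M` must be. A function comment such as `/* M must point to at least NPF_BPF_NWORDS words. */` would document the requirement. The address-length-to-version expression is also repeated in npf_cop_l3() in the next hunk, and a small static helper shared by both would keep the two copies from drifting apart.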
@@ -123,35 +143,18 @@ npf_bpf_validate(const void *code, size_
 
 /*
  * NPF_COP_L3: fetches layer 3 information.
- *
- * Output words in the memory store:
- *	BPF_MW_IPVER	IP version (4 or 6).
- *	BPF_MW_L4OFF	L4 header offset.
- *	BPF_MW_L4PROTO	L4 protocol.
  */
 static uint32_t
 npf_cop_l3(const bpf_ctx_t *bc, bpf_args_t *args, uint32_t A)
 {
 	const npf_cache_t * const npc = (const npf_cache_t *)args-arg;
+	const uint32_t ver = (npc-npc_alen  4) | ((npc-npc_alen  4) * 6);
 	uint32_t * const M = args-mem;
 
-	/*
-	 * Convert address length to IP version.  Just mask out
-	 * number 4 or set 6 if higher bits set, such that:
-	 *
-	 *	0	=	0
-	 *	4	=	4 (IPVERSION)
-	 *	16	=	6 (IPV6_VERSION  4)
-	 */
-	const u_int alen = npc-npc_alen;
-	const uint32_t ver = (alen  4) | ((alen  4) * 6);
-
 	M[BPF_MW_IPVER] = ver;
 	M[BPF_MW_L4OFF] = npc-npc_hlen;
 	M[BPF_MW_L4PROTO] = npc-npc_proto;
-
-	/* A - IP version */
-	return ver;
+	return ver; /* A - IP version */
 }
 
 #define	SRC_FLAG_BIT	(1U  31)

Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.6 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.7
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.6	Sat May 31 22:41:37 2014
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c	Sun Jun 29 00:05:24 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $	*/
+/*	$NetBSD: npf_bpf_comp.c,v 1.7 2014/06/29 00:05:24 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $);
+__RCSID($NetBSD: npf_bpf_comp.c,v 1.7 2014/06/29 00:05:24 rmind Exp $);
 
 #include stdlib.h
 #include stdbool.h
@@ 

CVS commit: src/sys/net

2014-06-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Jun 24 22:19:36 UTC 2014

Modified Files:
src/sys/net: bpf.h bpf_filter.c bpfjit.c

Log Message:
- Improve the comments in bpf.h and KNF a little.
- Rename bpf_ctx_t member noinit to preinited (reflects the meaning better).


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/sys/net/bpf.h
cvs rdiff -u -r1.62 -r1.63 src/sys/net/bpf_filter.c
cvs rdiff -u -r1.13 -r1.14 src/sys/net/bpfjit.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpf.h
diff -u src/sys/net/bpf.h:1.64 src/sys/net/bpf.h:1.65
--- src/sys/net/bpf.h:1.64	Tue Jun 24 10:53:30 2014
+++ src/sys/net/bpf.h	Tue Jun 24 22:19:36 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpf.h,v 1.64 2014/06/24 10:53:30 alnsn Exp $	*/
+/*	$NetBSD: bpf.h,v 1.65 2014/06/24 22:19:36 rmind Exp $	*/
 
 /*
  * Copyright (c) 1990, 1991, 1993
@@ -280,19 +280,16 @@ struct bpf_insn {
 /*
  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
  */
-#define	BPF_MEMWORDS	16
+#define	BPF_MEMWORDS		16
 
 /*
- * Each bit in bpf_memword_init_t value indicates if the corresponding
- * external memory word is initialised prior to calling a bpf program.
- * Note that when used internally, a meaning is often flipped: bits
- * indicate which memory words need to be initialised prior to
- * executing a bpf program.
+ * bpf_memword_init_t: bits indicate which words in the external memory
+ * store will be initialised by the caller before BPF program execution.
  */
 typedef uint32_t bpf_memword_init_t;
-#define BPF_MEMWORD_INIT(k) (UINT32_C(1)  (k))
+#define	BPF_MEMWORD_INIT(k)	(UINT32_C(1)  (k))
 
-/* Two most significant bits are reserved by bpfjit. */
+/* Note: two most significant bits are reserved by bpfjit. */
 __CTASSERT(BPF_MEMWORDS + 2 = sizeof(bpf_memword_init_t) * NBBY);
 
 #ifdef _KERNEL
@@ -300,13 +297,10 @@ __CTASSERT(BPF_MEMWORDS + 2 = sizeof(bp
  * Max number of external memory words (for BPF_LD|BPF_MEM and BPF_ST).
  */
 #define	BPF_MAX_MEMWORDS	30
-__CTASSERT(BPF_MAX_MEMWORDS = BPF_MEMWORDS);
 
-#ifdef __BPF_PRIVATE
-/* Two most significant bits are reserved by bpfjit. */
+__CTASSERT(BPF_MAX_MEMWORDS = BPF_MEMWORDS);
 __CTASSERT(BPF_MAX_MEMWORDS + 2 = sizeof(bpf_memword_init_t) * NBBY);
 #endif
-#endif
 
 /*
  * Structure to retrieve available DLTs for the interface.
@@ -319,10 +313,7 @@ struct bpf_dltlist {
 struct bpf_ctx;
 typedef struct bpf_ctx bpf_ctx_t;
 
-struct bpf_args;
-typedef struct bpf_args bpf_args_t;
-
-struct bpf_args {
+typedef struct bpf_args {
 	const uint8_t *	pkt;
 	size_t		wirelen;
 	size_t		buflen;
@@ -336,21 +327,32 @@ struct bpf_args {
 	 */
 	uint32_t *	mem; /* pointer to external memory store */
 	void *		arg; /* auxiliary argument for a copfunc */
-};
+} bpf_args_t;
 
 #if defined(_KERNEL) || defined(__BPF_PRIVATE)
+
 typedef uint32_t (*bpf_copfunc_t)(const bpf_ctx_t *, bpf_args_t *, uint32_t);
 
 struct bpf_ctx {
+	/*
+	 * BPF coprocessor functions and the number of them.
+	 */
 	const bpf_copfunc_t *	copfuncs;
 	size_t			nfuncs;
+
 	/*
-	 * Number of external memwords, up to BPF_MAX_MEMWORDS or 0.
-	 * The latter forces a switch to internal memstore with a
-	 * fixed number (BPF_MEMWORDS) of memwords.
+	 * The number of memory words in the external memory store.
+	 * There may be up to BPF_MAX_MEMWORDS words; if zero is set,
+	 * then the internal memory store is used which has a fixed
+	 * number of words (BPF_MEMWORDS).
 	 */
 	size_t			extwords;
-	bpf_memword_init_t	noinit; /* pre-initialised external memwords */
+
+	/*
+	 * The bitmask indicating which words in the external memstore
+	 * will be initialised by the caller.
+	 */
+	bpf_memword_init_t	preinited;
 };
 #endif
 
@@ -447,20 +449,20 @@ bpf_mtap_sl_out(struct ifnet *_ifp, u_ch
 }
 
 
-void bpf_setops(void);
+void	bpf_setops(void);
 
-void bpf_ops_handover_enter(struct bpf_ops *);
-void bpf_ops_handover_exit(void);
+void	bpf_ops_handover_enter(struct bpf_ops *);
+void	bpf_ops_handover_exit(void);
 
-void	 bpfilterattach(int);
+void	bpfilterattach(int);
 
 bpf_ctx_t *bpf_create(void);
 void	bpf_destroy(bpf_ctx_t *);
 
-int   bpf_set_cop(bpf_ctx_t *, const bpf_copfunc_t *, size_t);
-int   bpf_set_extmem(bpf_ctx_t *, size_t, bpf_memword_init_t);
-u_int bpf_filter_ext(const bpf_ctx_t *, const struct bpf_insn *, bpf_args_t *);
-int   bpf_validate_ext(const bpf_ctx_t *, const struct bpf_insn *, int);
+int	bpf_set_cop(bpf_ctx_t *, const bpf_copfunc_t *, size_t);
+int	bpf_set_extmem(bpf_ctx_t *, size_t, bpf_memword_init_t);
+u_int	bpf_filter_ext(const bpf_ctx_t *, const struct bpf_insn *, bpf_args_t *);
+int	bpf_validate_ext(const bpf_ctx_t *, const struct bpf_insn *, int);
 
 bpfjit_func_t bpf_jit_generate(bpf_ctx_t *, void *, size_t);
 void	bpf_jit_freecode(bpfjit_func_t);

Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.62 src/sys/net/bpf_filter.c:1.63
--- 

CVS commit: src/sys/net

2014-06-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Jun 24 22:27:40 UTC 2014

Modified Files:
src/sys/net: bpf_filter.c

Log Message:
- bpf_validate_ext: fix memword validation in BPF_ST/BPF_STX case.
- bpf_set_extmem: check the number of words against BPF_MAX_MEMWORDS.


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/sys/net/bpf_filter.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.63 src/sys/net/bpf_filter.c:1.64
--- src/sys/net/bpf_filter.c:1.63	Tue Jun 24 22:19:36 2014
+++ src/sys/net/bpf_filter.c	Tue Jun 24 22:27:40 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpf_filter.c,v 1.63 2014/06/24 22:19:36 rmind Exp $	*/
+/*	$NetBSD: bpf_filter.c,v 1.64 2014/06/24 22:27:40 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: bpf_filter.c,v 1.63 2014/06/24 22:19:36 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: bpf_filter.c,v 1.64 2014/06/24 22:27:40 rmind Exp $);
 
 #if 0
 #if !(defined(lint) || defined(KERNEL))
@@ -79,8 +79,9 @@ bpf_set_cop(bpf_ctx_t *bc, const bpf_cop
 int
 bpf_set_extmem(bpf_ctx_t *bc, size_t nwords, bpf_memword_init_t preinited)
 {
-	/* XXX check arguments */
-
+	if (nwords  BPF_MAX_MEMWORDS) {
+		return EINVAL;
+	}
 	bc-extwords = nwords;
 	bc-preinited = preinited;
 	return 0;
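Review bot: Only `nwords` is validated in bpf_set_extmem(); `preinited` is still stored unchecked, so a caller can mark words at or beyond `nwords` as initialised. The removed "XXX check arguments" note covered both parameters. Assuming bit k of the mask stands for word k, as `BPF_MEMWORD_INIT(k)` suggests, a second guard after the size check would reject such masks: `if ((preinited >> nwords) != 0) return EINVAL;`. The shift is well defined because `nwords` is at most BPF_MAX_MEMWORDS (30) at that point.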
@@ -661,7 +662,7 @@ bpf_validate(const struct bpf_insn *f, i
 goto out;
 #if defined(KERNEL) || defined(_KERNEL)
 			/* validate the memory word */
-			invalid = ~BPF_MEMWORD_INIT(1  p-k);
+			invalid = ~BPF_MEMWORD_INIT(p-k);
 #endif
 			break;
 		case BPF_ALU:



CVS commit: src

2014-06-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Jun 25 00:20:06 UTC 2014

Modified Files:
src/sys/net/npf: npf.h npf_bpf.c npf_impl.h npf_ruleset.c
src/usr.sbin/npf/npftest/libnpftest: npf_bpf_test.c

Log Message:
Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf.h
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_bpf.c
cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.40 src/sys/net/npf/npf.h:1.41
--- src/sys/net/npf/npf.h:1.40	Fri May 30 23:26:06 2014
+++ src/sys/net/npf/npf.h	Wed Jun 25 00:20:06 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.40 2014/05/30 23:26:06 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.41 2014/06/25 00:20:06 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -67,6 +67,8 @@ typedef uint8_t			npf_netmask_t;
 #define	BPF_MW_L4OFF		1
 #define	BPF_MW_L4PROTO		2
 #endif
+/* The number of words used. */
+#define	NPF_BPF_NWORDS		3
 
 #if defined(_KERNEL)
 

Index: src/sys/net/npf/npf_bpf.c
diff -u src/sys/net/npf/npf_bpf.c:1.7 src/sys/net/npf/npf_bpf.c:1.8
--- src/sys/net/npf/npf_bpf.c:1.7	Tue Jun 24 11:31:49 2014
+++ src/sys/net/npf/npf_bpf.c	Wed Jun 25 00:20:06 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_bpf.c,v 1.7 2014/06/24 11:31:49 alnsn Exp $	*/
+/*	$NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,11 +34,12 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_bpf.c,v 1.7 2014/06/24 11:31:49 alnsn Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_bpf.c,v 1.8 2014/06/25 00:20:06 rmind Exp $);
 
 #include sys/types.h
 #include sys/param.h
 
+#include sys/bitops.h
 #include sys/mbuf.h
 #include net/bpf.h
 
@@ -59,12 +60,15 @@ static const bpf_copfunc_t npf_bpfcop[] 
 	[NPF_COP_TABLE]	= npf_cop_table,
 };
 
+#define	BPF_MW_ALLMASK \
+((1U  BPF_MW_IPVER) | (1U  BPF_MW_L4OFF) | (1U  BPF_MW_L4PROTO))
+
 void
 npf_bpf_sysinit(void)
 {
 	npf_bpfctx = bpf_create();
-	KASSERT(npf_bpfctx != NULL);
 	bpf_set_cop(npf_bpfctx, npf_bpfcop, __arraycount(npf_bpfcop));
+	bpf_set_extmem(npf_bpfctx, NPF_BPF_NWORDS, BPF_MW_ALLMASK);
 }
 
 void
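Review bot: npf_bpf_sysinit() ignores the return values of `bpf_set_cop()` and `bpf_set_extmem()`, and the `KASSERT(npf_bpfctx != NULL)` that followed `bpf_create()` is removed. Both setters are declared to return int, and bpf_set_extmem() returns EINVAL for an oversized word count, so a misconfiguration would pass silently. I would capture the result and assert on it, e.g. `error = bpf_set_extmem(npf_bpfctx, NPF_BPF_NWORDS, BPF_MW_ALLMASK); KASSERT(error == 0);`. As a point of style, `BPF_MW_ALLMASK` could be built from `BPF_MEMWORD_INIT()` in bpf.h rather than from hand-written shifts.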
@@ -73,6 +77,20 @@ npf_bpf_sysfini(void)
 	bpf_destroy(npf_bpfctx);
 }
 
+void
+npf_bpf_prepare(npf_cache_t *npc, nbuf_t *nbuf, bpf_args_t *args, uint32_t *m)
+{
+	const struct mbuf *mbuf = nbuf_head_mbuf(nbuf);
+	const size_t pktlen = m_length(mbuf);
+
+	/* Prepare the arguments for the BPF programs. */
+	args-pkt = (const uint8_t *)mbuf;
+	args-wirelen = pktlen;
+	args-buflen = 0;
+	args-mem = m;
+	args-arg = npc;
+}
+
 int
 npf_bpf_filter(bpf_args_t *args, const void *code, bpfjit_func_t jcode)
 {
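Review bot: The new npf_bpf_prepare() points `args->mem` at the caller's array `m` but writes nothing into it, while npf_bpf_sysinit() in the previous hunk declares all three words pre-initialised through `BPF_MW_ALLMASK`. Unless every caller clears or fills `m` first (the callers are outside this hunk), a filter program could load a word that still holds stale memory contents. Either the words should be filled here, or the function should carry a comment such as `/* The caller must initialise m[0..NPF_BPF_NWORDS-1] before a program is run. */`.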

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.52 src/sys/net/npf/npf_impl.h:1.53
--- src/sys/net/npf/npf_impl.h:1.52	Fri May 30 23:26:06 2014
+++ src/sys/net/npf/npf_impl.h	Wed Jun 25 00:20:06 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.52 2014/05/30 23:26:06 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.53 2014/06/25 00:20:06 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -223,6 +223,7 @@ bool		npf_return_block(npf_cache_t *, nb
 /* BPF interface. */
 void		npf_bpf_sysinit(void);
 void		npf_bpf_sysfini(void);
+void		npf_bpf_prepare(npf_cache_t *, nbuf_t *, bpf_args_t *, uint32_t *);
 int		npf_bpf_filter(bpf_args_t *, const void *, bpfjit_func_t);
 void *		npf_bpf_compile(void *, size_t);
 bool		npf_bpf_validate(const void *, size_t);

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.32 src/sys/net/npf/npf_ruleset.c:1.33
--- src/sys/net/npf/npf_ruleset.c:1.32	Tue Jun 24 10:53:30 2014
+++ src/sys/net/npf/npf_ruleset.c	Wed Jun 25 00:20:06 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.32 2014/06/24 10:53:30 alnsn Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.33 2014/06/25 00:20:06 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.32 2014/06/24 10:53:30 alnsn Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.33 2014/06/25 00:20:06 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -741,18 +741,18 @@ npf_ruleset_inspect(npf_cache_t *npc, nb
 	const u_int nitems = rlset-rs_nitems;
 	const u_int ifid = nbuf-nb_ifid;
 	npf_rule_t *final_rl = NULL;
-	const struct mbuf *m;
 	bpf_args_t bc_args;
 	u_int n = 0;
 
-	memset(bc_args, 0, sizeof(bpf_args_t));
-	m = nbuf_head_mbuf(nbuf);
-	bc_args.pkt = (const uint8_t *)m;
-	bc_args.wirelen = m_length(m);
-	bc_args.arg 

CVS commit: src/usr.sbin/npf/npftest

2014-06-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Jun 25 00:21:42 UTC 2014

Modified Files:
src/usr.sbin/npf/npftest: README
src/usr.sbin/npf/npftest/libnpftest: npf_perf_test.c

Log Message:
npftest: add an example in the README, fix the total in npf_test_conc().


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npftest/README
cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npftest/README
diff -u src/usr.sbin/npf/npftest/README:1.5 src/usr.sbin/npf/npftest/README:1.6
--- src/usr.sbin/npf/npftest/README:1.5	Wed May 14 21:46:50 2014
+++ src/usr.sbin/npf/npftest/README	Wed Jun 25 00:21:42 2014
@@ -1,4 +1,4 @@
-$NetBSD: README,v 1.5 2014/05/14 21:46:50 rmind Exp $
+$NetBSD: README,v 1.6 2014/06/25 00:21:42 rmind Exp $
 
 npftest - a tool for regression testing and debugging NPF.
 It uses RUMP framework to run NPF kernel module in the userspace.
@@ -12,12 +12,16 @@ npftest -c /tmp/npf.plist -t
 
 Stream:
 
-tcpdump -w stream.pcap -i $INTERFACE host $HOST and tcp
+tcpdump -w stream.pcap -i $interface host $host and tcp
 npfctl debug npftest.conf /tmp/npf.plist
 npftest -c /tmp/npf.plist -s stream.pcap  stream_npf_data.txt
 
 Preferably, use MALLOC_OPTIONS=AJ and/or other facilities.
 
+Benchmark:
+
+npftest -b rule -c /tmp/npf.plist -p $ncpu
+
 ---
 
 Update RUMP libraries once the kernel side has been changed.  Hint:

Index: src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c:1.3 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c:1.4
--- src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c:1.3	Tue Sep 24 22:52:14 2013
+++ src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c	Wed Jun 25 00:21:42 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_perf_test.c,v 1.3 2013/09/24 22:52:14 joerg Exp $	*/
+/*	$NetBSD: npf_perf_test.c,v 1.4 2014/06/25 00:21:42 rmind Exp $	*/
 
 /*
  * NPF benchmarking.
@@ -99,5 +99,5 @@ npf_test_conc(bool st, unsigned nthreads
 	kmem_free(npackets, sizeof(uint64_t) * nthreads);
 	kmem_free(l, sizeof(lwp_t *) * nthreads);
 
-	printf(%u\t% PRIu64 \n, nthreads, total);
+	printf(%u\t% PRIu64 \n, nthreads, total / NSECS);
 }



CVS commit: src/sys/net

2014-06-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Jun 25 01:21:36 UTC 2014

Modified Files:
src/sys/net: bpfjit.c

Log Message:
bpfjit_generate_code: emit the instruction correctly.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/sys/net/bpfjit.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpfjit.c
diff -u src/sys/net/bpfjit.c:1.14 src/sys/net/bpfjit.c:1.15
--- src/sys/net/bpfjit.c:1.14	Tue Jun 24 22:19:36 2014
+++ src/sys/net/bpfjit.c	Wed Jun 25 01:21:36 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpfjit.c,v 1.14 2014/06/24 22:19:36 rmind Exp $	*/
+/*	$NetBSD: bpfjit.c,v 1.15 2014/06/25 01:21:36 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 Alexander Nasonov.
@@ -31,9 +31,9 @@
 
 #include sys/cdefs.h
 #ifdef _KERNEL
-__KERNEL_RCSID(0, $NetBSD: bpfjit.c,v 1.14 2014/06/24 22:19:36 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: bpfjit.c,v 1.15 2014/06/25 01:21:36 rmind Exp $);
 #else
-__RCSID($NetBSD: bpfjit.c,v 1.14 2014/06/24 22:19:36 rmind Exp $);
+__RCSID($NetBSD: bpfjit.c,v 1.15 2014/06/25 01:21:36 rmind Exp $);
 #endif
 
 #include sys/types.h
@@ -1670,7 +1670,7 @@ bpfjit_generate_code(const bpf_ctx_t *bc
 		status = sljit_emit_op1(compiler,
 		SLJIT_MOV_P,
 		BJ_TMP1REG, 0,
-		BJ_ARGS, offsetof(struct bpf_args, mem));
+		SLJIT_MEM1(BJ_ARGS), offsetof(struct bpf_args, mem));
 		if (status != SLJIT_SUCCESS)
 			goto fail;
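Review bot: The corrected operand is a one-token difference that is easy to regress, and nothing near the call says which form is intended. As far as this call shows, without `SLJIT_MEM1()` the source is the `BJ_ARGS` register itself, so `BJ_TMP1REG` would hold the address of the `bpf_args` structure rather than the `mem` pointer stored in it, and later accesses through it would touch the wrong memory. A comment on the call such as `/* tmp1 = args->mem: load through BJ_ARGS, not the register value */` would make that explicit. If the JIT tests do not already run a filter that uses the external memory store, a regression test for this path is worth adding. bpfjit_generate_code() starts and ends outside the hunk.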
 



CVS commit: src/sys/net

2014-06-13 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jun 13 13:54:08 UTC 2014

Modified Files:
src/sys/net: if.c

Log Message:
if_detach: drain ip6_pktq as well.


To generate a diff of this commit:
cvs rdiff -u -r1.280 -r1.281 src/sys/net/if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.280 src/sys/net/if.c:1.281
--- src/sys/net/if.c:1.280	Tue Jun 10 09:38:30 2014
+++ src/sys/net/if.c	Fri Jun 13 13:54:08 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.280 2014/06/10 09:38:30 joerg Exp $	*/
+/*	$NetBSD: if.c,v 1.281 2014/06/13 13:54:08 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: if.c,v 1.280 2014/06/10 09:38:30 joerg Exp $);
+__KERNEL_RCSID(0, $NetBSD: if.c,v 1.281 2014/06/13 13:54:08 rmind Exp $);
 
 #include opt_inet.h
 
@@ -875,6 +875,9 @@ again:
 #ifdef INET
 	pktq_barrier(ip_pktq);
 #endif
+#ifdef INET6
+	pktq_barrier(ip6_pktq);
+#endif
 	xc = xc_broadcast(0, (xcfunc_t)nullop, NULL, NULL);
 	xc_wait(xc);
 



CVS commit: src/sys

2014-06-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Jun  9 12:44:07 UTC 2014

Modified Files:
src/sys/kern: subr_pcq.c
src/sys/sys: pcq.h

Log Message:
Add PCQ_MAXLEN constant.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/kern/subr_pcq.c
cvs rdiff -u -r1.1 -r1.2 src/sys/sys/pcq.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_pcq.c
diff -u src/sys/kern/subr_pcq.c:1.7 src/sys/kern/subr_pcq.c:1.8
--- src/sys/kern/subr_pcq.c:1.7	Thu Feb  6 03:47:16 2014
+++ src/sys/kern/subr_pcq.c	Mon Jun  9 12:44:06 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_pcq.c,v 1.7 2014/02/06 03:47:16 riastradh Exp $	*/
+/*	$NetBSD: subr_pcq.c,v 1.8 2014/06/09 12:44:06 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: subr_pcq.c,v 1.7 2014/02/06 03:47:16 riastradh Exp $);
+__KERNEL_RCSID(0, $NetBSD: subr_pcq.c,v 1.8 2014/06/09 12:44:06 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -60,6 +60,7 @@ struct pcq {
  * Consumer (c) - in the higher 16 bits.
  *
  * We have a limitation of 16 bits i.e. 0x items in the queue.
+ * The PCQ_MAXLEN constant is set accordingly.
  */
 
 static inline void
@@ -197,7 +198,7 @@ pcq_create(size_t nitems, km_flag_t kmfl
 {
 	pcq_t *pcq;
 
-	KASSERT(nitems  0 || nitems = 0x);
+	KASSERT(nitems  0 || nitems = PCQ_MAXLEN);
 
 	pcq = kmem_zalloc(offsetof(pcq_t, pcq_items[nitems]), kmflags);
 	if (pcq == NULL) {
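Review bot: The assertion on the new line joins its two bounds with `||`, so it holds for every `nitems` and can never fire. Assuming the comparison operators lost in this page's rendering are `>` and `<=`, it should read `KASSERT(nitems > 0 && nitems <= PCQ_MAXLEN);`. Because KASSERT is normally compiled out of non-DIAGNOSTIC kernels, any caller that takes the length from outside the kernel still needs its own range check before calling pcq_create(). The comment above documents a 16-bit limit on the queue counters, so an oversized `nitems` would presumably be allocated and then misbehave rather than fail cleanly. The body of pcq_create() continues outside the hunk.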

Index: src/sys/sys/pcq.h
diff -u src/sys/sys/pcq.h:1.1 src/sys/sys/pcq.h:1.2
--- src/sys/sys/pcq.h:1.1	Tue Nov 11 20:17:27 2008
+++ src/sys/sys/pcq.h	Mon Jun  9 12:44:06 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: pcq.h,v 1.1 2008/11/11 20:17:27 matt Exp $	*/
+/*	$NetBSD: pcq.h,v 1.2 2014/06/09 12:44:06 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -37,12 +37,16 @@
 typedef struct pcq pcq_t;
 
 #ifdef _KERNEL
+
+#define	PCQ_MAXLEN	(0xU)
+
 bool	pcq_put(pcq_t *, void *);
 void *	pcq_peek(pcq_t *);
 void *	pcq_get(pcq_t *);
 size_t	pcq_maxitems(pcq_t *);
 pcq_t *	pcq_create(size_t, km_flag_t);
 void	pcq_destroy(pcq_t *);
+
 #endif /* _KERNEL */
 
 #endif /* _SYS_PCQ_H_ */



CVS commit: src/sys/net

2014-06-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Jun  9 12:57:05 UTC 2014

Modified Files:
src/sys/net: if.c pktqueue.c pktqueue.h

Log Message:
Implement pktq_set_maxlen() and let sysctl net.inet.{ip,ip6}.ifq.maxlen be
changed on the fly again.


To generate a diff of this commit:
cvs rdiff -u -r1.278 -r1.279 src/sys/net/if.c
cvs rdiff -u -r1.1 -r1.2 src/sys/net/pktqueue.c src/sys/net/pktqueue.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.278 src/sys/net/if.c:1.279
--- src/sys/net/if.c:1.278	Sat Jun  7 13:25:33 2014
+++ src/sys/net/if.c	Mon Jun  9 12:57:04 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.278 2014/06/07 13:25:33 he Exp $	*/
+/*	$NetBSD: if.c,v 1.279 2014/06/09 12:57:04 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: if.c,v 1.278 2014/06/07 13:25:33 he Exp $);
+__KERNEL_RCSID(0, $NetBSD: if.c,v 1.279 2014/06/09 12:57:04 rmind Exp $);
 
 #include opt_inet.h
 
@@ -2341,6 +2341,20 @@ bad:
 #if defined(INET) || defined(INET6)
 
 static int
+sysctl_pktq_maxlen(SYSCTLFN_ARGS, pktqueue_t *pq)
+{
+	u_int nmaxlen = pktq_get_count(pq, PKTQ_MAXLEN);
+	struct sysctlnode node = *rnode;
+	int error;
+
+	node.sysctl_data = nmaxlen;
+	error = sysctl_lookup(SYSCTLFN_CALL(node));
+	if (error || newp == NULL)
+		return error;
+	return pktq_set_maxlen(pq, nmaxlen);
+}
+
+static int
 sysctl_pktq_count(SYSCTLFN_ARGS, pktqueue_t *pq, u_int count_id)
 {
 	int count = pktq_get_count(pq, count_id);
@@ -2357,12 +2371,21 @@ sysctl_pktq_count(SYSCTLFN_ARGS, pktqueu
 	}
 
 #if defined(INET)
-SYSCTL_NET_PKTQ(ip_pktq, maxlen, PKTQ_MAXLEN)
+static int
+sysctl_net_ip_pktq_maxlen(SYSCTLFN_ARGS)
+{
+	return sysctl_pktq_maxlen(SYSCTLFN_CALL(rnode), ip_pktq);
+}
 SYSCTL_NET_PKTQ(ip_pktq, items, PKTQ_NITEMS)
 SYSCTL_NET_PKTQ(ip_pktq, drops, PKTQ_DROPS)
 #endif
+
 #if defined(INET6)
-SYSCTL_NET_PKTQ(ip6_pktq, maxlen, PKTQ_MAXLEN)
+static int
+sysctl_net_ip6_pktq_maxlen(SYSCTLFN_ARGS)
+{
+	return sysctl_pktq_maxlen(SYSCTLFN_CALL(rnode), ip6_pktq);
+}
 SYSCTL_NET_PKTQ(ip6_pktq, items, PKTQ_NITEMS)
 SYSCTL_NET_PKTQ(ip6_pktq, drops, PKTQ_DROPS)
 #endif

Index: src/sys/net/pktqueue.c
diff -u src/sys/net/pktqueue.c:1.1 src/sys/net/pktqueue.c:1.2
--- src/sys/net/pktqueue.c:1.1	Thu Jun  5 23:48:16 2014
+++ src/sys/net/pktqueue.c	Mon Jun  9 12:57:04 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: pktqueue.c,v 1.1 2014/06/05 23:48:16 rmind Exp $	*/
+/*	$NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: pktqueue.c,v 1.1 2014/06/05 23:48:16 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -299,3 +299,63 @@ pktq_flush(pktqueue_t *pq)
 		}
 	}
 }
+
+/*
+ * pktq_set_maxlen: create per-CPU queues using a new size and replace
+ * the existing queues without losing any packets.
+ */
+int
+pktq_set_maxlen(pktqueue_t *pq, size_t maxlen)
+{
+	const u_int slotbytes = ncpu * sizeof(pcq_t *);
+	pcq_t **qs;
+
+	if (!maxlen || maxlen  PCQ_MAXLEN)
+		return EINVAL;
+	if (pq-pq_maxlen == maxlen)
+		return 0;
+
+	/* First, allocate the new queues and replace them. */
+	qs = kmem_zalloc(slotbytes, KM_SLEEP);
+	for (u_int i = 0; i  ncpu; i++) {
+		qs[i] = pcq_create(maxlen, KM_SLEEP);
+	}
+	mutex_enter(pq-pq_lock);
+	for (u_int i = 0; i  ncpu; i++) {
+		/* Swap: store of a word is atomic. */
+		pcq_t *q = pq-pq_queue[i];
+		pq-pq_queue[i] = qs[i];
+		qs[i] = q;
+	}
+	pq-pq_maxlen = maxlen;
+	mutex_exit(pq-pq_lock);
+
+	/*
+	 * At this point, the new packets are flowing into the new
+	 * queues.  However, the old queues may have same packets
+	 * present which are no longer being present.  We are going
+	 * to re-enqueue them.  This may change the order of packet
+	 * arrival, but it is not considered an issue.
+	 *
+	 * There may also in-flight interrupts calling pktq_dequeue()
+	 * which reference the old queues.  Issue a barrier to ensure
+	 * that we are going to be the only pcq_get() callers on the
+	 * old queues.
+	 */
+	pktq_barrier(pq);
+
+	for (u_int i = 0; i  ncpu; i++) {
+		struct mbuf *m;
+
+		while ((m = pcq_get(qs[i])) != NULL) {
+			while (!pcq_put(pq-pq_queue[i], m)) {
+kpause(pktqrenq, false, 1, NULL);
+			}
+		}
+		pcq_destroy(qs[i]);
+	}
+
+	/* Well, that was fun. */
+	kmem_free(qs, slotbytes);
+	return 0;
+}
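Review bot: The block comment before `pktq_barrier(pq)` only argues that consumers (`pcq_get()` callers) are fenced off the old queues. It says nothing about a producer that loaded `pq->pq_queue[i]` just before the swap and calls `pcq_put()` on that pointer afterwards. If such a producer can still be running once the drain loop has finished, its mbuf lands in a queue already handed to `pcq_destroy()`, which is a lost packet at best and a write to freed memory at worst. Whether the barrier also covers producers is not visible in this hunk, so I would add a comment naming the mechanism that keeps producers off the old queues, or extend the synchronisation if there is none. Separately, the re-enqueue loop calls `pcq_put()` directly and can sit in `kpause()` for as long as the new, possibly smaller, queue stays full, which also deserves a sentence in the comment.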
Index: src/sys/net/pktqueue.h
diff -u src/sys/net/pktqueue.h:1.1 src/sys/net/pktqueue.h:1.2
--- src/sys/net/pktqueue.h:1.1	Thu Jun  5 23:48:16 2014
+++ src/sys/net/pktqueue.h	Mon Jun  9 12:57:04 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: pktqueue.h,v 1.1 2014/06/05 23:48:16 rmind Exp $	*/
+/*	$NetBSD: pktqueue.h,v 1.2 2014/06/09 12:57:04 rmind Exp $	*/
 
 

CVS commit: src/sys

2014-06-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Jun  9 13:03:16 UTC 2014

Modified Files:
src/sys/net: pktqueue.c
src/sys/rump/librump/rumpkern: intr.c

Log Message:
Restore the assert in RUMP's softint_schedule_cpu() and just ensure
curcpu() in the caller.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/pktqueue.c
cvs rdiff -u -r1.44 -r1.45 src/sys/rump/librump/rumpkern/intr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/pktqueue.c
diff -u src/sys/net/pktqueue.c:1.2 src/sys/net/pktqueue.c:1.3
--- src/sys/net/pktqueue.c:1.2	Mon Jun  9 12:57:04 2014
+++ src/sys/net/pktqueue.c	Mon Jun  9 13:03:16 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $	*/
+/*	$NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: pktqueue.c,v 1.2 2014/06/09 12:57:04 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -204,9 +204,9 @@ pktq_rps_hash(const struct mbuf *m __unu
  * = Returns false on failure; caller is responsible to free the packet.
  */
 bool
-pktq_enqueue(pktqueue_t *pq, struct mbuf *m, const u_int hash)
+pktq_enqueue(pktqueue_t *pq, struct mbuf *m, const u_int hash __unused)
 {
-	const unsigned cpuid = hash % ncpu;
+	const unsigned cpuid = curcpu()-ci_index /* hash % ncpu */;
 
 	KASSERT(kpreempt_disabled());
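Review bot: `hash` is now ignored and every packet goes to the current CPU's queue, which switches off the steering that `hash % ncpu` provided, yet the only trace of that is a commented-out expression inside the initialiser. A short comment would state the intent and the exit condition, e.g. `/* XXX: always enqueue locally; RUMP's softint_schedule_cpu() asserts curcpu() == ci, so hash is unused for now. */`, with the dead `/* hash % ncpu */` dropped. It is also worth confirming that `curcpu()->ci_index` is always below `ncpu`, since it is presumably used to index the per-CPU queue array the way `hash % ncpu` was. The function body continues outside the hunk.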
 

Index: src/sys/rump/librump/rumpkern/intr.c
diff -u src/sys/rump/librump/rumpkern/intr.c:1.44 src/sys/rump/librump/rumpkern/intr.c:1.45
--- src/sys/rump/librump/rumpkern/intr.c:1.44	Sun Jun  8 15:24:34 2014
+++ src/sys/rump/librump/rumpkern/intr.c	Mon Jun  9 13:03:16 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $	*/
+/*	$NetBSD: intr.c,v 1.45 2014/06/09 13:03:16 rmind Exp $	*/
 
 /*
  * Copyright (c) 2008-2010 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: intr.c,v 1.45 2014/06/09 13:03:16 rmind Exp $);
 
 #include sys/param.h
 #include sys/atomic.h
@@ -329,8 +329,8 @@ softint_schedule_cpu(void *arg, struct c
 {
 	/*
 	 * TODO: implement this properly
-	 * KASSERT(curcpu() == ci);
 	 */
+	KASSERT(curcpu() == ci);
 	softint_schedule(arg);
 }
 



CVS commit: src/sys/net

2014-06-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Jun  9 14:44:48 UTC 2014

Modified Files:
src/sys/net: pktqueue.c

Log Message:
pktqueue: add or fix some comments, remove some header inclusions.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/sys/net/pktqueue.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/pktqueue.c
diff -u src/sys/net/pktqueue.c:1.3 src/sys/net/pktqueue.c:1.4
--- src/sys/net/pktqueue.c:1.3	Mon Jun  9 13:03:16 2014
+++ src/sys/net/pktqueue.c	Mon Jun  9 14:44:48 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $	*/
+/*	$NetBSD: pktqueue.c,v 1.4 2014/06/09 14:44:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -29,8 +29,14 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+/*
+ * The packet queue (pktqueue) interface is a lockless IP input queue
+ * which also abstracts and handles network ISR scheduling.  It provides
+ * a mechanism to enable receiver-side packet steering (RPS).
+ */
+
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: pktqueue.c,v 1.3 2014/06/09 13:03:16 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: pktqueue.c,v 1.4 2014/06/09 14:44:48 rmind Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -43,10 +49,6 @@ __KERNEL_RCSID(0, $NetBSD: pktqueue.c,v
 #include sys/proc.h
 #include sys/percpu.h
 
-#include netinet/in.h
-#include netinet/ip.h
-#include netinet/ip_private.h
-
 #include net/pktqueue.h
 
 /*
@@ -285,7 +287,7 @@ pktq_barrier(pktqueue_t *pq)
 /*
  * pktq_flush: free mbufs in all queues.
  *
- * = The caller must ensure there are no concurrent writers or flush.
+ * = The caller must ensure there are no concurrent writers or flush calls.
  */
 void
 pktq_flush(pktqueue_t *pq)
@@ -332,12 +334,12 @@ pktq_set_maxlen(pktqueue_t *pq, size_t m
 
 	/*
 	 * At this point, the new packets are flowing into the new
-	 * queues.  However, the old queues may have same packets
-	 * present which are no longer being present.  We are going
+	 * queues.  However, the old queues may have some packets
+	 * present which are no longer being processed.  We are going
 	 * to re-enqueue them.  This may change the order of packet
 	 * arrival, but it is not considered an issue.
 	 *
-	 * There may also in-flight interrupts calling pktq_dequeue()
+	 * There may be in-flight interrupts calling pktq_dequeue()
 	 * which reference the old queues.  Issue a barrier to ensure
 	 * that we are going to be the only pcq_get() callers on the
 	 * old queues.



CVS commit: src/sys/rump/librump/rumpkern

2014-06-08 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jun  8 15:24:34 UTC 2014

Modified Files:
src/sys/rump/librump/rumpkern: intr.c

Log Message:
RUMP's softint_schedule_cpu: comment out an assert for now.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/sys/rump/librump/rumpkern/intr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/rump/librump/rumpkern/intr.c
diff -u src/sys/rump/librump/rumpkern/intr.c:1.43 src/sys/rump/librump/rumpkern/intr.c:1.44
--- src/sys/rump/librump/rumpkern/intr.c:1.43	Thu Jun  5 23:43:04 2014
+++ src/sys/rump/librump/rumpkern/intr.c	Sun Jun  8 15:24:34 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: intr.c,v 1.43 2014/06/05 23:43:04 rmind Exp $	*/
+/*	$NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $	*/
 
 /*
  * Copyright (c) 2008-2010 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: intr.c,v 1.43 2014/06/05 23:43:04 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: intr.c,v 1.44 2014/06/08 15:24:34 rmind Exp $);
 
 #include sys/param.h
 #include sys/atomic.h
@@ -327,8 +327,10 @@ softint_schedule(void *arg)
 void
 softint_schedule_cpu(void *arg, struct cpu_info *ci)
 {
-	/* TODO: implement this properly */
-	KASSERT(curcpu() == ci);
+	/*
+	 * TODO: implement this properly
+	 * KASSERT(curcpu() == ci);
+	 */
 	softint_schedule(arg);
 }
 



CVS commit: src/sys/net

2014-06-07 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jun  7 11:00:29 UTC 2014

Modified Files:
src/sys/net: if_loop.c

Log Message:
lostart: silence gcc warning (XXX: gcc is not right though).


To generate a diff of this commit:
cvs rdiff -u -r1.79 -r1.80 src/sys/net/if_loop.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_loop.c
diff -u src/sys/net/if_loop.c:1.79 src/sys/net/if_loop.c:1.80
--- src/sys/net/if_loop.c:1.79	Thu Jun  5 23:48:16 2014
+++ src/sys/net/if_loop.c	Sat Jun  7 11:00:29 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_loop.c,v 1.79 2014/06/05 23:48:16 rmind Exp $	*/
+/*	$NetBSD: if_loop.c,v 1.80 2014/06/07 11:00:29 rmind Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -65,7 +65,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: if_loop.c,v 1.79 2014/06/05 23:48:16 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: if_loop.c,v 1.80 2014/06/07 11:00:29 rmind Exp $);
 
 #include opt_inet.h
 #include opt_atalk.h
@@ -359,11 +359,11 @@ lostart(struct ifnet *ifp)
 {
 	for (;;) {
 		pktqueue_t *pktq = NULL;
-		struct ifqueue *ifq;
+		struct ifqueue *ifq = NULL;
 		struct mbuf *m;
 		size_t pktlen;
 		uint32_t af;
-		int s, isr;
+		int s, isr = 0;
 
 		IFQ_DEQUEUE(ifp-if_snd, m);
 		if (m == NULL)



CVS commit: src/sys/rump/librump/rumpkern

2014-06-07 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jun  7 11:08:09 UTC 2014

Modified Files:
src/sys/rump/librump/rumpkern: scheduler.c

Log Message:
Make kpreempt_disabled() always return true in RUMP kernels for now.
May revisit once RUMP provides better splfoo/splx() handling.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/rump/librump/rumpkern/scheduler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/rump/librump/rumpkern/scheduler.c
diff -u src/sys/rump/librump/rumpkern/scheduler.c:1.38 src/sys/rump/librump/rumpkern/scheduler.c:1.39
--- src/sys/rump/librump/rumpkern/scheduler.c:1.38	Thu Jun  5 23:43:04 2014
+++ src/sys/rump/librump/rumpkern/scheduler.c	Sat Jun  7 11:08:09 2014
@@ -1,4 +1,4 @@
-/*  $NetBSD: scheduler.c,v 1.38 2014/06/05 23:43:04 rmind Exp $	*/
+/*  $NetBSD: scheduler.c,v 1.39 2014/06/07 11:08:09 rmind Exp $	*/
 
 /*
  * Copyright (c) 2010, 2011 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: scheduler.c,v 1.38 2014/06/05 23:43:04 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: scheduler.c,v 1.39 2014/06/07 11:08:09 rmind Exp $);
 
 #include sys/param.h
 #include sys/atomic.h
@@ -526,10 +526,14 @@ kpreempt_enable(void)
 bool
 kpreempt_disabled(void)
 {
+#if 0
 	const lwp_t *l = curlwp;
 
 	return l-l_nopreempt != 0 || l-l_stat == LSZOMB ||
-	(l-l_flag  LW_IDLE) != 0 /* || cpu_kpreempt_disabled() */;
+	(l-l_flag  LW_IDLE) != 0 || cpu_kpreempt_disabled();
+#endif
+	/* XXX: emulate cpu_kpreempt_disabled() */
+	return true;
 }
 
 void
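Review bot: With the function returning `true` unconditionally, every `KASSERT(kpreempt_disabled())` in code built into a RUMP kernel passes vacuously, so those assertions stop detecting callers that really run preemptibly. The existing `/* XXX: emulate cpu_kpreempt_disabled() */` does not say this; something like `/* XXX: always true in RUMP, so KASSERT(kpreempt_disabled()) checks nothing here until spl handling is emulated. */` would. The `#if 0` block also now contains a live reference to `cpu_kpreempt_disabled()` that no compiler checks. If it is kept as a record of the intended implementation, a comment is a safer place for it than disabled code.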



CVS commit: src/sys/net

2014-06-06 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jun  6 22:15:32 UTC 2014

Modified Files:
src/sys/net: if_spppsubr.c

Log Message:
sppp_input: handle pktqueue case correctly (fix for the previous).


To generate a diff of this commit:
cvs rdiff -u -r1.129 -r1.130 src/sys/net/if_spppsubr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_spppsubr.c
diff -u src/sys/net/if_spppsubr.c:1.129 src/sys/net/if_spppsubr.c:1.130
--- src/sys/net/if_spppsubr.c:1.129	Thu Jun  5 23:48:16 2014
+++ src/sys/net/if_spppsubr.c	Fri Jun  6 22:15:32 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_spppsubr.c,v 1.129 2014/06/05 23:48:16 rmind Exp $	 */
+/*	$NetBSD: if_spppsubr.c,v 1.130 2014/06/06 22:15:32 rmind Exp $	 */
 
 /*
  * Synchronous PPP/Cisco link level subroutines.
@@ -41,7 +41,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: if_spppsubr.c,v 1.129 2014/06/05 23:48:16 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: if_spppsubr.c,v 1.130 2014/06/06 22:15:32 rmind Exp $);
 
 #if defined(_KERNEL_OPT)
 #include opt_inet.h
@@ -636,8 +636,9 @@ sppp_input(struct ifnet *ifp, struct mbu
 	}
 
 queue_pkt:
-	if (! (ifp-if_flags  IFF_UP) || ! inq)
+	if ((ifp-if_flags  IFF_UP) == 0 || (!inq  !pktq)) {
 		goto drop;
+	}
 
 	/* Check queue. */
 	if (__predict_true(pktq)) {



CVS commit: src/sys/rump/librump/rumpkern

2014-06-05 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jun  5 23:43:04 UTC 2014

Modified Files:
src/sys/rump/librump/rumpkern: intr.c scheduler.c

Log Message:
librump: add kpreempt_disabled(9) and softint_schedule_cpu(9).


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/rump/librump/rumpkern/intr.c
cvs rdiff -u -r1.37 -r1.38 src/sys/rump/librump/rumpkern/scheduler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/rump/librump/rumpkern/intr.c
diff -u src/sys/rump/librump/rumpkern/intr.c:1.42 src/sys/rump/librump/rumpkern/intr.c:1.43
--- src/sys/rump/librump/rumpkern/intr.c:1.42	Mon Nov 11 23:11:30 2013
+++ src/sys/rump/librump/rumpkern/intr.c	Thu Jun  5 23:43:04 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: intr.c,v 1.42 2013/11/11 23:11:30 pooka Exp $	*/
+/*	$NetBSD: intr.c,v 1.43 2014/06/05 23:43:04 rmind Exp $	*/
 
 /*
  * Copyright (c) 2008-2010 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: intr.c,v 1.42 2013/11/11 23:11:30 pooka Exp $);
+__KERNEL_RCSID(0, $NetBSD: intr.c,v 1.43 2014/06/05 23:43:04 rmind Exp $);
 
 #include sys/param.h
 #include sys/atomic.h
@@ -324,6 +324,14 @@ softint_schedule(void *arg)
 	}
 }
 
+void
+softint_schedule_cpu(void *arg, struct cpu_info *ci)
+{
+	/* TODO: implement this properly */
+	KASSERT(curcpu() == ci);
+	softint_schedule(arg);
+}
+
 /*
  * flimsy disestablish: should wait for softints to finish.
  */

Index: src/sys/rump/librump/rumpkern/scheduler.c
diff -u src/sys/rump/librump/rumpkern/scheduler.c:1.37 src/sys/rump/librump/rumpkern/scheduler.c:1.38
--- src/sys/rump/librump/rumpkern/scheduler.c:1.37	Wed Apr  9 23:53:36 2014
+++ src/sys/rump/librump/rumpkern/scheduler.c	Thu Jun  5 23:43:04 2014
@@ -1,4 +1,4 @@
-/*  $NetBSD: scheduler.c,v 1.37 2014/04/09 23:53:36 pooka Exp $	*/
+/*  $NetBSD: scheduler.c,v 1.38 2014/06/05 23:43:04 rmind Exp $	*/
 
 /*
  * Copyright (c) 2010, 2011 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: scheduler.c,v 1.37 2014/04/09 23:53:36 pooka Exp $);
+__KERNEL_RCSID(0, $NetBSD: scheduler.c,v 1.38 2014/06/05 23:43:04 rmind Exp $);
 
 #include sys/param.h
 #include sys/atomic.h
@@ -523,6 +523,15 @@ kpreempt_enable(void)
 	KPREEMPT_ENABLE(curlwp);
 }
 
+bool
+kpreempt_disabled(void)
+{
+	const lwp_t *l = curlwp;
+
+	return l-l_nopreempt != 0 || l-l_stat == LSZOMB ||
+	(l-l_flag  LW_IDLE) != 0 /* || cpu_kpreempt_disabled() */;
+}
+
 void
 suspendsched(void)
 {



CVS commit: src/sys/rump/librump/rumpkern

2014-06-05 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jun  5 23:42:25 UTC 2014

Modified Files:
src/sys/rump/librump/rumpkern: Makefile.rumpkern

Log Message:
librump: include pcq(9) interface.


To generate a diff of this commit:
cvs rdiff -u -r1.146 -r1.147 src/sys/rump/librump/rumpkern/Makefile.rumpkern

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/rump/librump/rumpkern/Makefile.rumpkern
diff -u src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.146 src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.147
--- src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.146	Sun Apr 27 15:15:13 2014
+++ src/sys/rump/librump/rumpkern/Makefile.rumpkern	Thu Jun  5 23:42:25 2014
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.rumpkern,v 1.146 2014/04/27 15:15:13 pooka Exp $
+#	$NetBSD: Makefile.rumpkern,v 1.147 2014/06/05 23:42:25 rmind Exp $
 #
 
 .include ${RUMPTOP}/Makefile.rump
@@ -115,6 +115,7 @@ SRCS+=	init_sysctl_base.c	\
 	subr_log.c		\
 	subr_lwp_specificdata.c	\
 	subr_once.c		\
+	subr_pcq.c		\
 	subr_percpu.c		\
 	subr_prf.c		\
 	subr_pserialize.c	\



CVS commit: src/sys/netinet

2014-06-05 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jun  6 00:11:19 UTC 2014

Modified Files:
src/sys/netinet: ip_output.c

Log Message:
ip_output: zero iproute structure only when needed; reduce the scope
of some variables.


To generate a diff of this commit:
cvs rdiff -u -r1.229 -r1.230 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.229 src/sys/netinet/ip_output.c:1.230
--- src/sys/netinet/ip_output.c:1.229	Fri May 30 01:39:03 2014
+++ src/sys/netinet/ip_output.c	Fri Jun  6 00:11:19 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.229 2014/05/30 01:39:03 christos Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.230 2014/06/06 00:11:19 rmind Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: ip_output.c,v 1.229 2014/05/30 01:39:03 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: ip_output.c,v 1.230 2014/06/06 00:11:19 rmind Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -161,7 +161,6 @@ ip_output(struct mbuf *m0, ...)
 	struct route iproute;
 	const struct sockaddr_in *dst;
 	struct in_ifaddr *ia;
-	struct ifaddr *xifa;
 	struct mbuf *opt;
 	struct route *ro;
 	int flags, sw_csum;
@@ -173,7 +172,7 @@ ip_output(struct mbuf *m0, ...)
 	struct secpolicy *sp = NULL;
 #endif
 	bool natt_frag = false;
-	bool __unused done = false;
+	bool rtmtu_nolock;
 	union {
 		struct sockaddr		dst;
 		struct sockaddr_in	dst4;
@@ -221,9 +220,10 @@ ip_output(struct mbuf *m0, ...)
 	/*
 	 * Route packet.
 	 */
-	memset(iproute, 0, sizeof(iproute));
-	if (ro == NULL)
+	if (ro == NULL) {
+		memset(iproute, 0, sizeof(iproute));
 		ro = iproute;
+	}
 	sockaddr_in_init(u.dst4, ip-ip_dst, 0);
 	dst = satocsin(rtcache_getdst(ro));
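Review bot: `iproute` is now left uninitialised whenever the caller supplies `ro`, so any later use of `iproute` that is not guarded by `ro == &iproute` would operate on whatever was on the stack. The cleanup at the `done:` label is the obvious place to check, but it lies outside this hunk, so I cannot tell whether the local route cache is released unconditionally there. If it is, it should become `if (ro == &iproute) rtcache_free(&iproute);`, or the `memset` should stay unconditional. A one-line comment at the `memset`, such as `/* iproute is only valid when we own the route; see done: */`, would keep the invariant visible. ip_output() starts and ends outside the hunk.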
 
@@ -277,6 +277,7 @@ ip_output(struct mbuf *m0, ...)
 		if (rt-rt_flags  RTF_GATEWAY)
 			dst = satosin(rt-rt_gateway);
 	}
+	rtmtu_nolock = rt  (rt-rt_rmx.rmx_locks  RTV_MTU) == 0;
 
 	if (IN_MULTICAST(ip-ip_dst.s_addr) ||
 	(ip-ip_dst.s_addr == INADDR_BROADCAST)) {
@@ -320,6 +321,7 @@ ip_output(struct mbuf *m0, ...)
 		 */
 		if (in_nullhost(ip-ip_src)) {
 			struct in_ifaddr *xia;
+			struct ifaddr *xifa;
 
 			IFP_TO_IA(ifp, xia);
 			if (!xia) {
@@ -378,14 +380,16 @@ ip_output(struct mbuf *m0, ...)
 			m_freem(m);
 			goto done;
 		}
-
 		goto sendit;
 	}
+
 	/*
 	 * If source address not specified yet, use address
 	 * of outgoing interface.
 	 */
 	if (in_nullhost(ip-ip_src)) {
+		struct ifaddr *xifa;
+
 		xifa = ia-ia_ifa;
 		if (xifa-ifa_getifa != NULL)
 			ia = ifatoia((*xifa-ifa_getifa)(xifa, rdst));
@@ -403,9 +407,8 @@ ip_output(struct mbuf *m0, ...)
 	}
 
 	/*
-	 * Look for broadcast address and
-	 * and verify user is allowed to send
-	 * such a packet.
+	 * Look for broadcast address and and verify user is allowed to
+	 * send such a packet.
 	 */
 	if (in_broadcast(dst-sin_addr, ifp)) {
 		if ((ifp-if_flags  IFF_BROADCAST) == 0) {
@@ -450,20 +453,23 @@ sendit:
 			ip-ip_id = ip_newid_range(ia, num);
 		}
 	}
+
 	/*
 	 * If we're doing Path MTU Discovery, we need to set DF unless
 	 * the route's MTU is locked.
 	 */
-	if ((flags  IP_MTUDISC) != 0  rt != NULL 
-	(rt-rt_rmx.rmx_locks  RTV_MTU) == 0)
+	if ((flags  IP_MTUDISC) != 0  rtmtu_nolock) {
 		ip-ip_off |= htons(IP_DF);
+	}
 
 #ifdef IPSEC
 	if (ipsec_used) {
+		bool ipsec_done = false;
+
 		/* Perform IPsec processing, if any. */
 		error = ipsec4_output(m, so, flags, sp, mtu, natt_frag,
-		done);
-		if (error || done)
+		ipsec_done);
+		if (error || ipsec_done)
 			goto done;
 	}
 #endif
@@ -471,7 +477,8 @@ sendit:
 	/*
 	 * Run through list of hooks for output packets.
 	 */
-	if ((error = pfil_run_hooks(inet_pfil_hook, m, ifp, PFIL_OUT)) != 0)
+	error = pfil_run_hooks(inet_pfil_hook, m, ifp, PFIL_OUT);
+	if (error)
 		goto done;
 	if (m == NULL)
 		goto done;
@@ -500,6 +507,8 @@ sendit:
 	 */
 	if (ntohs(ip-ip_len) = mtu ||
 	(m-m_pkthdr.csum_flags  M_CSUM_TSOv4) != 0) {
+		const struct sockaddr *sa;
+
 #if IFA_STATS
 		if (ia)
 			ia-ia_ifa.ifa_data.ifad_outbytes += ntohs(ip-ip_len);
@@ -533,22 +542,15 @@ sendit:
 			}
 		}
 
+		sa = (m-m_flags  M_MCAST) ? sintocsa(rdst) : sintocsa(dst);
 		if (__predict_true(
 		(m-m_pkthdr.csum_flags  M_CSUM_TSOv4) == 0 ||
 		(ifp-if_capenable  IFCAP_TSOv4) != 0)) {
 			KERNEL_LOCK(1, NULL);
-			error =
-			(*ifp-if_output)(ifp, m,
-(m-m_flags  M_MCAST) ?
-sintocsa(rdst) : sintocsa(dst),
-rt);
+			error = (*ifp-if_output)(ifp, m, sa, rt);
 			KERNEL_UNLOCK_ONE(NULL);
 		} else {
-			error =
-			ip_tso_output(ifp, m,
-(m-m_flags  M_MCAST) ?
-sintocsa(rdst) : sintocsa(dst),
-rt);
+			error = ip_tso_output(ifp, m, sa, rt);
 		}
 		goto done;
 	}
@@ -593,39 +595,41 @@ sendit:
 	for (; m; m = m0) {
 		m0 = m-m_nextpkt;
 		m-m_nextpkt = 0;
-		
