CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2020-05-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 25 17:29:28 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_scan.l

Log Message:
Pull up following revision(s) (requested by rmind in ticket #932):

usr.sbin/npf/npfctl/npf_scan.l: revision 1.31

PR/55288: npfctl: change parameter syntax to be more permissive.


To generate a diff of this commit:
cvs rdiff -u -r1.29.2.1 -r1.29.2.2 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2020-05-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 25 17:29:28 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_scan.l

Log Message:
Pull up following revision(s) (requested by rmind in ticket #932):

usr.sbin/npf/npfctl/npf_scan.l: revision 1.31

PR/55288: npfctl: change parameter syntax to be more permissive.


To generate a diff of this commit:
cvs rdiff -u -r1.29.2.1 -r1.29.2.2 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.29.2.1 src/usr.sbin/npf/npfctl/npf_scan.l:1.29.2.2
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.29.2.1	Fri Oct  4 08:06:34 2019
+++ src/usr.sbin/npf/npfctl/npf_scan.l	Mon May 25 17:29:28 2020
@@ -91,6 +91,7 @@ npfctl_parse_string(const char *str, par
 
 ID	[a-zA-Z_][a-zA-Z_0-9]*
 DID	[a-zA-Z_][a-zA-Z_0-9-]*
+SPID	[a-zA-Z][a-zA-Z_0-9.]*
 NUMBER	[0-9]+
 HEXDIG	[0-9a-fA-F]+
 
@@ -227,7 +228,7 @@ any			return ANY;
 			return VAR_ID;
 		}
 
-[a-z]*"."[a-z.]* {
+{ID}"."{SPID}+	{
 			yylval.str = estrndup(yytext, yyleng);
 			return PARAM;
 		}
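Review bot: The `+` in `{ID}"."{SPID}+` is redundant: SPID already matches one letter followed by any run of letters, digits, `_` and `.`, so repeating it accepts exactly the same strings, and the rule still admits consecutive or trailing dots such as `foo.bar..` (constructed example), which reach the parser as a PARAM token. If the parameter lookup rejects unknown names that is harmless; otherwise `{ID}("."[a-zA-Z][a-zA-Z_0-9]*)+` would require every dotted component to be non-empty. The rule also shares its leading identifier with the VAR_ID rule whose tail is visible above, so it relies on flex's longest-match selection; a comment such as `/* dotted parameter name, e.g. foo.bar; longest match wins over the ID rules */` would make that intent visible. The SPID definition itself is in the earlier hunk of this file.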



CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2020-05-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 25 17:27:19 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #931):

usr.sbin/npf/npfctl/npf_show.c: revision 1.30

PR/54670: Azuma OKAMOTO: Consistently use 'W' for TH_CWN, and bump buffer
size.


To generate a diff of this commit:
cvs rdiff -u -r1.28.2.2 -r1.28.2.3 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2020-05-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 25 17:27:19 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #931):

usr.sbin/npf/npfctl/npf_show.c: revision 1.30

PR/54670: Azuma OKAMOTO: Consistently use 'W' for TH_CWN, and bump buffer
size.


To generate a diff of this commit:
cvs rdiff -u -r1.28.2.2 -r1.28.2.3 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.2 src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.3
--- src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.2	Mon May 25 17:25:28 2020
+++ src/usr.sbin/npf/npfctl/npf_show.c	Mon May 25 17:27:19 2020
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_show.c,v 1.28.2.2 2020/05/25 17:25:28 martin Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.28.2.3 2020/05/25 17:27:19 martin Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -125,7 +125,7 @@ tcpflags2string(char *buf, u_int tfl)
 	if (tfl & TH_ACK)	buf[i++] = 'A';
 	if (tfl & TH_URG)	buf[i++] = 'U';
 	if (tfl & TH_ECE)	buf[i++] = 'E';
-	if (tfl & TH_CWR)	buf[i++] = 'C';
+	if (tfl & TH_CWR)	buf[i++] = 'W';
 	buf[i] = '\0';
 	return i;
 }
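Review bot: tcpflags2string still writes into buf with no length argument, so the caller's buffer size is an unstated contract that this commit changes indirectly by adding one more letter here and bumping print_tcpflags's buffer from 16 to 20 in the -209 hunk. State the requirement at the definition, e.g. `/* buf must hold one byte per TH_* flag tested below plus the terminating NUL. */`, and derive the caller's size from a named constant (used twice in print_tcpflags, plus room for the separator and NUL) rather than the bare 20. The function's signature and the earlier flag checks are outside this hunk. Since the log message says 'W' is chosen for consistency, it is worth confirming against the letter the npf.conf flag parser accepts for CWR, which is not visible here.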
@@ -209,7 +209,7 @@ static char *
 print_tcpflags(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 	const u_int tf = words[0], tf_mask = words[1];
-	char buf[16];
+	char buf[20];
 
 	size_t n = tcpflags2string(buf, tf);
 	if (tf != tf_mask) {



CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2019-08-11 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Aug 11 10:12:18 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #45):

usr.sbin/npf/npfctl/npf_show.c: revision 1.29

npfctl show/validate: fix a couple of bugs in multiple table/port representation.
Fixes PR/54122.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.2.1 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2019-08-11 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Aug 11 10:12:18 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #45):

usr.sbin/npf/npfctl/npf_show.c: revision 1.29

npfctl show/validate: fix a couple of bugs in multiple table/port representation.
Fixes PR/54122.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.2.1 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28 src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.1
--- src/usr.sbin/npf/npfctl/npf_show.c:1.28	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sun Aug 11 10:12:18 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2013-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_show.c,v 1.28 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.28.2.1 2019/08/11 10:12:18 martin Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -220,21 +220,29 @@ print_tcpflags(npf_conf_info_t *ctx __un
 }
 
 static char *
-print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
+print_pbarrier(npf_conf_info_t *ctx, const uint32_t *words __unused)
+{
+	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) {
+		ctx->flags |= SEEN_SRC;
+		return estrdup("from any");
+	}
+	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) {
+		ctx->flags |= SEEN_DST;
+		return estrdup("to any");
+	}
+	return NULL;
+}
+
+static char *
+print_portrange(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 	u_int fport = words[0], tport = words[1];
-	const char *any_str = "";
 	char *p;
 
-	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
-		any_str = "from any ";
-	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
-		any_str = "to any ";
-
 	if (fport != tport) {
-		easprintf(, "%sport %u:%u", any_str, fport, tport);
+		easprintf(, "%u-%u", fport, tport);
 	} else {
-		easprintf(, "%sport %u", any_str, fport);
+		easprintf(, "%u", fport);
 	}
 	return p;
 }
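Review bot: print_pbarrier has no comment saying what it is for, and its NULL return is a new contract for printfn callbacks that every caller of the mark table now has to honour. Suggest above its definition: `/* Emit "from any" / "to any" once when a port mark is not preceded by an address or table mark (those set SEEN_SRC/SEEN_DST); returns NULL when there is nothing to print. */`. That the CIDR/table entries set the SEEN_* flags is visible in the mark-table hunk of this file, and the `__unused` markings on `words` here and `ctx` in print_portrange are consistent with the new bodies. The missing `&p` in the `easprintf(,` lines looks like damage in transit rather than the committed text.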
@@ -283,12 +291,14 @@ static const struct mark_keyword_mapent 
 	{ BM_ICMP_CODE,	"code %s",	NULL, 0,	print_number,	1 },
 
 	{ BM_SRC_CIDR,	"from %s",	", ", SEEN_SRC,	print_address,	6 },
-	{ BM_SRC_TABLE,	"from %s",	NULL, SEEN_SRC,	print_table,	1 },
-	{ BM_SRC_PORTS,	"%s",		", ", 0,	print_portrange,2 },
+	{ BM_SRC_TABLE,	"from %s",	", ", SEEN_SRC,	print_table,	1 },
+	{ BM_SRC_PORTS,	"%s",		NULL, 0,	print_pbarrier,	2 },
+	{ BM_SRC_PORTS,	"port %s",	", ", 0,	print_portrange,2 },
 
 	{ BM_DST_CIDR,	"to %s",	", ", SEEN_DST,	print_address,	6 },
-	{ BM_DST_TABLE,	"to %s",	NULL, SEEN_DST,	print_table,	1 },
-	{ BM_DST_PORTS,	"%s",		", ", 0,	print_portrange,2 },
+	{ BM_DST_TABLE,	"to %s",	", ", SEEN_DST,	print_table,	1 },
+	{ BM_DST_PORTS,	"%s",		NULL, 0,	print_pbarrier,	2 },
+	{ BM_DST_PORTS,	"port %s",	", ", 0,	print_portrange,2 },
 };
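Review bot: The two BM_SRC_PORTS entries (and likewise BM_DST_PORTS) match the same mark, so their relative order is load-bearing: print_pbarrier must come first so the `from any`/`to any` prefix is emitted before `port %s`, and nothing in the table states that. Add a comment ahead of each pair, e.g. `/* Two entries per port mark: the barrier entry must precede the port entry. */`. The ", " separator now given to BM_SRC_TABLE and BM_DST_TABLE also changes how several tables on one rule are joined; the log message names multiple-table representation, so that appears intended.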
 
 static const char * __attribute__((format_arg(2)))
@@ -314,13 +324,17 @@ scan_marks(npf_conf_info_t *ctx, const s
 			errx(EXIT_FAILURE, "byte-code marking inconsistency");
 		}
 		if (m == mk->mark) {
+			char *val;
+
 			/* Set the current mark and the flags. */
 			ctx->flags |= mk->set_flags;
 			ctx->curmark = m;
 
 			/* Value is processed by the print function. */
 			assert(mk->fwords == nwords);
-			vals[nvals++] = mk->printfn(ctx, marks);
+			if ((val = mk->printfn(ctx, marks)) != NULL) {
+vals[nvals++] = val;
+			}
 		}
 		marks += nwords;
 		mlen -= nwords;
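Review bot: The NULL check on printfn's result is the right counterpart to print_pbarrier, but with two mark-table entries now matching each BM_*_PORTS mark one mark can append two strings to vals; vals is declared outside this hunk, so confirm its capacity is not sized at one value per mark. The `vals[nvals++] = val;` line inside the new if has also lost its indentation relative to the surrounding braces (possibly in transit); it should sit one tab deeper than the `if`. scan_marks begins and ends outside this hunk.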



CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2019-08-11 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Aug 11 10:10:23 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_bpf_comp.c npf_build.c npfctl.h

Log Message:
Pull up following revision(s) (requested by rmind in ticket #44):

usr.sbin/npf/npfctl/npfctl.h: revision 1.49
usr.sbin/npf/npfctl/npf_build.c: revision 1.51
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.14

NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.2.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.50 -r1.50.2.1 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.48 -r1.48.2.1 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13.2.1
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c	Sun Aug 11 10:10:23 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -29,10 +29,60 @@
 
 /*
  * BPF byte-code generation for NPF rules.
+ *
+ * Overview
+ *
+ *	Each NPF rule is compiled into BPF micro-program.  There is a
+ *	BPF byte-code fragment for each higher-level filtering logic,
+ *	e.g. to match L4 protocol, IP/mask, etc.  The generation process
+ *	combines multiple BPF-byte code fragments into one program.
+ *
+ * Basic case
+ *
+ *	Consider a basic case, where all filters should match.  They
+ *	are expressed as logical conjunction, e.g.:
+ *
+ *		A and B and C and D
+ *
+ *	Each test (filter) criterion can be evaluated to true (match) or
+ *	false (no match) and the logic is as follows:
+ *
+ *	- If the value is true, then jump to the "next" test (offset 0).
+ *
+ *	- If the value is false, then jump to the JUMP_MAGIC value (0xff).
+ *	This "magic" value is used to indicate that it will have to be
+ *	patched at a later stage.
+ *
+ *	Once all byte-code fragments are combined into one, then there
+ *	are two additional steps:
+ *
+ *	- Two instructions are appended at the end of the program: return
+ *	"success" followed by return "failure".
+ *
+ *	- All jumps with the JUMP_MAGIC value are patched to point to the
+ *	"return failure" instruction.
+ *
+ *	Therefore, if all filter criteria will match, then the first
+ *	instruction will be reached, indicating a successful match of the
+ *	rule.  Otherwise, if any of the criteria will not match, it will
+ *	take the failure path and the rule will not matching.
+ *
+ * Grouping
+ *
+ *	Filters can have groups, which are have a meaning of logical
+ *	disjunction, e.g.:
+ *
+ *		A and B and (C or D)
+ *
+ *	In such case, the logic inside the group has to be inverted i.e.
+ *	the jump values swapped.  If the test value is true, then jump
+ *	out of the group; if false, then jump "next".  At the end of the
+ *	group, an addition failure path is appended and the JUMP_MAGIC
+ *	uses within the group are patched to jump past the said path.
  */
 
 #include 
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13.2.1 2019/08/11 10:10:23 martin Exp $");
 
 #include 
 #include 
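Review bot: The new header comment is now the primary description of the generator and has a few wording slips worth fixing: `the rule will not matching` should read `the rule will not match`; `Filters can have groups, which are have a meaning of logical disjunction` should read `which have the meaning of logical disjunction`; and `an addition failure path is appended` should read `an additional failure path is appended`. The "Basic case" text describes the true path as a jump to the next test and the false path as a JUMP_MAGIC (0xff) jump patched later, which matches the fixup loop in the later hunks of this file; it would help readers to add there that JUMP_MAGIC therefore caps the distance to the failure path, which the `fail_off >= JUMP_MAGIC` check in fixup_jumps enforces.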
@@ -75,7 +125,10 @@ struct npf_bpf {
 	sa_family_t		af;
 	uint32_t		flags;
 
-	/* The current group offset and block number. */
+	/*
+	 * The current group offset (counted in BPF instructions)
+	 * and block number at the start of the group.
+	 */
 	bool			ingroup;
 	u_int			goff;
 	u_int			gblock;
@@ -120,6 +173,7 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 	for (u_int i = start; i < end; i++) {
 		struct bpf_insn *insn = >bf_insns[i];
 		const u_int fail_off = end - i;
+		bool seen_magic = false;
 
 		if (fail_off >= JUMP_MAGIC) {
 			errx(EXIT_FAILURE, "BPF generation error: "
@@ -128,15 +182,37 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 		if (BPF_CLASS(insn->code) != BPF_JMP) {
 			continue;
 		}
-		if (swap) {
+		if (BPF_OP(insn->code) == BPF_JA) {
+			/*
+			 * BPF_JA can be used to jump to the failure path.
+			 * If we are swapping i.e. inside the group, then
+			 * jump "next"; groups have a failure path appended
+			 * at their end.
+			 */
+			if (insn->k == JUMP_MAGIC) {
+insn->k = swap ? 0 : fail_off;
+			}
+			continue;
+		}
+
+		/*
+		 * Fixup the "magic" value.  Swap only the "magic" jumps.
+		 */
+
+		if (insn->jt == JUMP_MAGIC) {
+			insn->jt = fail_off;
+			seen_magic = true;
+		}
+		if (insn->jf == JUMP_MAGIC) {
+			insn->jf = fail_off;
+			seen_magic = true;
+		}
+
+		if (seen_magic && swap) {
 			uint8_t jt = insn->jt;
 			insn->jt = insn->jf;
 			insn->jf = jt;
 		}
-		

CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl

2019-08-11 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Aug 11 10:10:23 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_bpf_comp.c npf_build.c npfctl.h

Log Message:
Pull up following revision(s) (requested by rmind in ticket #44):

usr.sbin/npf/npfctl/npfctl.h: revision 1.49
usr.sbin/npf/npfctl/npf_build.c: revision 1.51
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.14

NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.2.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.50 -r1.50.2.1 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.48 -r1.48.2.1 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.