CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Mon May 25 17:29:28 UTC 2020 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_scan.l Log Message: Pull up following revision(s) (requested by rmind in ticket #932): usr.sbin/npf/npfctl/npf_scan.l: revision 1.31 PR/55288: npfctl: change parameter syntax to be more permissive. To generate a diff of this commit: cvs rdiff -u -r1.29.2.1 -r1.29.2.2 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Mon May 25 17:29:28 UTC 2020 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_scan.l Log Message: Pull up following revision(s) (requested by rmind in ticket #932): usr.sbin/npf/npfctl/npf_scan.l: revision 1.31 PR/55288: npfctl: change parameter syntax to be more permissive. To generate a diff of this commit: cvs rdiff -u -r1.29.2.1 -r1.29.2.2 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.29.2.1 src/usr.sbin/npf/npfctl/npf_scan.l:1.29.2.2
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.29.2.1 Fri Oct 4 08:06:34 2019
+++ src/usr.sbin/npf/npfctl/npf_scan.l Mon May 25 17:29:28 2020
@@ -91,6 +91,7 @@ npfctl_parse_string(const char *str, par
 ID [a-zA-Z_][a-zA-Z_0-9]*
 DID [a-zA-Z_][a-zA-Z_0-9-]*
+SPID [a-zA-Z][a-zA-Z_0-9.]*
 NUMBER [0-9]+
 HEXDIG [0-9a-fA-F]+
@@ -227,7 +228,7 @@ any return ANY;
 return VAR_ID;
 }
-[a-z]*"."[a-z.]* {
+{ID}"."{SPID}+ {
 yylval.str = estrndup(yytext, yyleng);
 return PARAM;
 }
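Review bot: The new PARAM rule spells its tail as `{SPID}+`, but SPID is already `[a-zA-Z][a-zA-Z_0-9.]*`, so a repetition of it matches exactly the same strings as a single `{SPID}` and only makes the rule harder to read; `{ID}"."{SPID} {` is the equivalent form. The definition also accepts doubled and trailing dots (`foo.bar..` lexes as a PARAM), so the lexer is now deliberately loose and whatever consumes PARAM has to reject names that do not exist; that check is not visible in this hunk. A comment next to the SPID definition added by the first hunk, `/* dotted parameter-name tail; the lexer does not validate dot placement */`, would record the intent of the relaxed syntax for the next reader.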
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Mon May 25 17:27:19 UTC 2020 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c Log Message: Pull up following revision(s) (requested by rmind in ticket #931): usr.sbin/npf/npfctl/npf_show.c: revision 1.30 PR/54670: Azuma OKAMOTO: Consistently use 'W' for TH_CWN, and bump buffer size. To generate a diff of this commit: cvs rdiff -u -r1.28.2.2 -r1.28.2.3 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Mon May 25 17:27:19 UTC 2020 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c Log Message: Pull up following revision(s) (requested by rmind in ticket #931): usr.sbin/npf/npfctl/npf_show.c: revision 1.30 PR/54670: Azuma OKAMOTO: Consistently use 'W' for TH_CWN, and bump buffer size. To generate a diff of this commit: cvs rdiff -u -r1.28.2.2 -r1.28.2.3 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.2 src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.3
--- src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.2 Mon May 25 17:25:28 2020
+++ src/usr.sbin/npf/npfctl/npf_show.c Mon May 25 17:27:19 2020
@@ -34,7 +34,7 @@
 */
 #include
-__RCSID("$NetBSD: npf_show.c,v 1.28.2.2 2020/05/25 17:25:28 martin Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.28.2.3 2020/05/25 17:27:19 martin Exp $");
 #include
 #define __FAVOR_BSD
@@ -125,7 +125,7 @@ tcpflags2string(char *buf, u_int tfl)
 if (tfl & TH_ACK) buf[i++] = 'A';
 if (tfl & TH_URG) buf[i++] = 'U';
 if (tfl & TH_ECE) buf[i++] = 'E';
- if (tfl & TH_CWR) buf[i++] = 'C';
+ if (tfl & TH_CWR) buf[i++] = 'W';
 buf[i] = '\0';
 return i;
 }
@@ -209,7 +209,7 @@ static char *
 print_tcpflags(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 const u_int tf = words[0], tf_mask = words[1];
- char buf[16];
+ char buf[20];
 size_t n = tcpflags2string(buf, tf);
 if (tf != tf_mask) {
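Review bot: `char buf[20]` in print_tcpflags is a bare literal whose sufficiency depends on tcpflags2string, which takes no size argument and writes one character per set flag plus the terminator; the hunk shows four of those characters (A, U, E, W) and presumably the remaining TCP flag bits are handled just above it, giving nine bytes per string. If, as the `tf != tf_mask` branch suggests, a second flag string and a separator are written into the same buffer (that code is outside the hunk), the worst case is eighteen bytes, which the old 16 could not hold and the new 20 covers only by inspection. A named constant carrying the derivation, e.g. `#define TCPFLAGS_STRLEN 9 /* 8 flag chars + NUL */` with `char buf[2 * TCPFLAGS_STRLEN]; /* flags, separator, mask, NUL */`, or passing `sizeof buf` into tcpflags2string so it can stop at the bound, would keep the two functions from drifting apart again. The rest of print_tcpflags lies outside the hunk.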
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Sun Aug 11 10:12:18 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c Log Message: Pull up following revision(s) (requested by rmind in ticket #45): usr.sbin/npf/npfctl/npf_show.c: revision 1.29 npfctl show/validate: fix couple bugs in multiple table/port representation. Fixes PR/54122. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.28.2.1 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Sun Aug 11 10:12:18 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c Log Message: Pull up following revision(s) (requested by rmind in ticket #45): usr.sbin/npf/npfctl/npf_show.c: revision 1.29 npfctl show/validate: fix couple bugs in multiple table/port representation. Fixes PR/54122. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.28.2.1 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28 src/usr.sbin/npf/npfctl/npf_show.c:1.28.2.1
--- src/usr.sbin/npf/npfctl/npf_show.c:1.28 Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_show.c Sun Aug 11 10:12:18 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2013-2019 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
@@ -34,7 +34,7 @@
 */
 #include
-__RCSID("$NetBSD: npf_show.c,v 1.28 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.28.2.1 2019/08/11 10:12:18 martin Exp $");
 #include
 #define __FAVOR_BSD
@@ -220,21 +220,29 @@ print_tcpflags(npf_conf_info_t *ctx __un
 }
 static char *
-print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
+print_pbarrier(npf_conf_info_t *ctx, const uint32_t *words __unused)
+{
+ if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) {
+ ctx->flags |= SEEN_SRC;
+ return estrdup("from any");
+ }
+ if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) {
+ ctx->flags |= SEEN_DST;
+ return estrdup("to any");
+ }
+ return NULL;
+}
+
+static char *
+print_portrange(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 u_int fport = words[0], tport = words[1];
- const char *any_str = "";
 char *p;
- if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
- any_str = "from any ";
- if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
- any_str = "to any ";
-
 if (fport != tport) {
- easprintf(, "%sport %u:%u", any_str, fport, tport);
+ easprintf(, "%u-%u", fport, tport);
 } else {
- easprintf(, "%sport %u", any_str, fport);
+ easprintf(, "%u", fport);
 }
 return p;
 }
@@ -283,12 +291,14 @@ static const struct mark_keyword_mapent
 { BM_ICMP_CODE, "code %s", NULL, 0, print_number, 1 },
 { BM_SRC_CIDR, "from %s", ", ", SEEN_SRC, print_address, 6 },
- { BM_SRC_TABLE, "from %s", NULL, SEEN_SRC, print_table, 1 },
- { BM_SRC_PORTS, "%s", ", ", 0, print_portrange,2 },
+ { BM_SRC_TABLE, "from %s", ", ", SEEN_SRC, print_table, 1 },
+ { BM_SRC_PORTS, "%s", NULL, 0, print_pbarrier, 2 },
+ { BM_SRC_PORTS, "port %s", ", ", 0, print_portrange,2 },
 { BM_DST_CIDR, "to %s", ", ", SEEN_DST, print_address, 6 },
- { BM_DST_TABLE, "to %s", NULL, SEEN_DST, print_table, 1 },
- { BM_DST_PORTS, "%s", ", ", 0, print_portrange,2 },
+ { BM_DST_TABLE, "to %s", ", ", SEEN_DST, print_table, 1 },
+ { BM_DST_PORTS, "%s", NULL, 0, print_pbarrier, 2 },
+ { BM_DST_PORTS, "port %s", ", ", 0, print_portrange,2 },
 };
 static const char * __attribute__((format_arg(2)))
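Review bot: print_pbarrier returns NULL to mean "nothing to print", which is a new contract for the printfn callbacks, and the rebuilt mark table depends on row order: the `print_pbarrier` row for a direction has to come after the CIDR and TABLE rows whose set_flags column raises SEEN_SRC/SEEN_DST (so the barrier is suppressed once an address or table was printed) and before the `print_portrange` row that prints the `port %s` value, and none of this is written down in the hunk. A header comment above print_pbarrier, `/* Emit "from any" / "to any" once per direction when no address or table preceded the ports; returns NULL when nothing is emitted, which the caller must skip. */`, plus a one-line `/* order matters: the barrier row precedes the port row for each direction */` above the BM_SRC_PORTS rows, would make the coupling explicit. The `words __unused` parameter paired with a row that still declares 2 words is consistent with that design and is worth a clause in the same comment.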
@@ -314,13 +324,17 @@ scan_marks(npf_conf_info_t *ctx, const s
 errx(EXIT_FAILURE, "byte-code marking inconsistency");
 }
 if (m == mk->mark) {
+ char *val;
+
 /* Set the current mark and the flags. */
 ctx->flags |= mk->set_flags;
 ctx->curmark = m;
 /* Value is processed by the print function. */
 assert(mk->fwords == nwords);
- vals[nvals++] = mk->printfn(ctx, marks);
+ if ((val = mk->printfn(ctx, marks)) != NULL) {
+vals[nvals++] = val;
+ }
 }
 marks += nwords;
 mlen -= nwords;
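Review bot: `vals[nvals++] = val;` stores without comparing nvals against the capacity of vals, and with the table now carrying two rows for BM_SRC_PORTS and BM_DST_PORTS a single mark can contribute two values where it used to contribute one; if vals is a fixed-size array declared earlier in scan_marks (the function starts outside the hunk), its sizing should be rechecked and guarded, e.g. `assert(nvals < __arraycount(vals));` before the store. Stylistically, the assignment inside the condition can be split into `char *val = mk->printfn(ctx, marks);` at the point of use followed by `if (val != NULL) { vals[nvals++] = val; }`, which also removes the separate declaration at the top of the block.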
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Sun Aug 11 10:10:23 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_bpf_comp.c npf_build.c npfctl.h Log Message: Pull up following revision(s) (requested by rmind in ticket #44): usr.sbin/npf/npfctl/npfctl.h: revision 1.49 usr.sbin/npf/npfctl/npf_build.c: revision 1.51 usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.14 NPF: fix BPF byte-code generation for a port-range used in a group. Resolved PR/52609 and PR/54169. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.2.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.50 -r1.50.2.1 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.48 -r1.48.2.1 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13.2.1
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Sun Aug 11 10:10:23 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
@@ -29,10 +29,60 @@
 /*
 * BPF byte-code generation for NPF rules.
+ *
+ * Overview
+ *
+ * Each NPF rule is compiled into BPF micro-program. There is a
+ * BPF byte-code fragment for each higher-level filtering logic,
+ * e.g. to match L4 protocol, IP/mask, etc. The generation process
+ * combines multiple BPF-byte code fragments into one program.
+ *
+ * Basic case
+ *
+ * Consider a basic case, where all filters should match. They
+ * are expressed as logical conjunction, e.g.:
+ *
+ * A and B and C and D
+ *
+ * Each test (filter) criterion can be evaluated to true (match) or
+ * false (no match) and the logic is as follows:
+ *
+ * - If the value is true, then jump to the "next" test (offset 0).
+ *
+ * - If the value is false, then jump to the JUMP_MAGIC value (0xff).
+ * This "magic" value is used to indicate that it will have to be
+ * patched at a later stage.
+ *
+ * Once all byte-code fragments are combined into one, then there
+ * are two additional steps:
+ *
+ * - Two instructions are appended at the end of the program: return
+ * "success" followed by return "failure".
+ *
+ * - All jumps with the JUMP_MAGIC value are patched to point to the
+ * "return failure" instruction.
+ *
+ * Therefore, if all filter criteria will match, then the first
+ * instruction will be reached, indicating a successful match of the
+ * rule. Otherwise, if any of the criteria will not match, it will
+ * take the failure path and the rule will not matching.
+ *
+ * Grouping
+ *
+ * Filters can have groups, which are have a meaning of logical
+ * disjunction, e.g.:
+ *
+ * A and B and (C or D)
+ *
+ * In such case, the logic inside the group has to be inverted i.e.
+ * the jump values swapped. If the test value is true, then jump
+ * out of the group; if false, then jump "next". At the end of the
+ * group, an addition failure path is appended and the JUMP_MAGIC
+ * uses within the group are patched to jump past the said path.
*/
 #include
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13.2.1 2019/08/11 10:10:23 martin Exp $");
 #include
 #include
@@ -75,7 +125,10 @@ struct npf_bpf {
 sa_family_t af;
 uint32_t flags;
- /* The current group offset and block number. */
+ /*
+ * The current group offset (counted in BPF instructions)
+ * and block number at the start of the group.
+ */
 bool ingroup;
 u_int goff;
 u_int gblock;
@@ -120,6 +173,7 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 for (u_int i = start; i < end; i++) {
 struct bpf_insn *insn = >bf_insns[i];
 const u_int fail_off = end - i;
+ bool seen_magic = false;
 if (fail_off >= JUMP_MAGIC) {
 errx(EXIT_FAILURE, "BPF generation error: "
@@ -128,15 +182,37 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 if (BPF_CLASS(insn->code) != BPF_JMP) {
 continue;
 }
- if (swap) {
+ if (BPF_OP(insn->code) == BPF_JA) {
+ /*
+ * BPF_JA can be used to jump to the failure path.
+ * If we are swapping i.e. inside the group, then
+ * jump "next"; groups have a failure path appended
+ * at their end.
+ */
+ if (insn->k == JUMP_MAGIC) {
+insn->k = swap ? 0 : fail_off;
+ }
+ continue;
+ }
+
+ /*
+ * Fixup the "magic" value. Swap only the "magic" jumps.
+ */
+
+ if (insn->jt == JUMP_MAGIC) {
+ insn->jt = fail_off;
+ seen_magic = true;
+ }
+ if (insn->jf == JUMP_MAGIC) {
+ insn->jf = fail_off;
+ seen_magic = true;
+ }
+
+ if (seen_magic && swap) {
 uint8_t jt = insn->jt;
 insn->jt = insn->jf;
 insn->jf = jt;
 }
-
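Review bot: The new overview comment (the hunk that begins on the previous line and ends at the `#include` context here) has wording slips that will otherwise be copied into every future reference to it: `the rule will not matching` should read `the rule will not match`, `which are have a meaning of logical disjunction` should read `which have the meaning of logical disjunction`, and `an addition failure path is appended` should read `an additional failure path is appended`. It also spells the same term two ways within three lines, `BPF byte-code fragment` and `BPF-byte code fragments`; the first form is the one used in the rest of the comment and should be kept.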
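Review bot: `bool seen_magic = false;` is declared at the top of the loop body in fixup_jumps, ahead of the fail_off range check and the BPF_JMP class test, while the only code that sets or reads it (in the following hunk) comes after the BPF_JA early-continue; declaring it immediately before the jt/jf fixups, next to their comment, would keep its scope to the lines that use it and make the `seen_magic && swap` condition read locally. fixup_jumps starts before this hunk.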
CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Module Name:src Committed By: martin Date: Sun Aug 11 10:10:23 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl [netbsd-9]: npf_bpf_comp.c npf_build.c npfctl.h Log Message: Pull up following revision(s) (requested by rmind in ticket #44): usr.sbin/npf/npfctl/npfctl.h: revision 1.49 usr.sbin/npf/npfctl/npf_build.c: revision 1.51 usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.14 NPF: fix BPF byte-code generation for a port-range used in a group. Resolved PR/52609 and PR/54169. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.2.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.50 -r1.50.2.1 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.48 -r1.48.2.1 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.