CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Mon Sep 30 22:04:33 UTC 2019 Modified Files: src/sys/net/npf: npf_if.c Log Message: npf_ifmap_copylogname: be more defensive. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_if.c diff -u src/sys/net/npf/npf_if.c:1.11 src/sys/net/npf/npf_if.c:1.12 --- src/sys/net/npf/npf_if.c:1.11 Sun Sep 29 17:00:29 2019 +++ src/sys/net/npf/npf_if.c Mon Sep 30 22:04:33 2019 @@ -56,7 +56,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.12 2019/09/30 22:04:33 rmind Exp $"); #include #include @@ -191,20 +191,22 @@ npf_ifmap_getid(npf_t *npf, const ifnet_ } /* - * This function is toxic; it can return garbage since we don't - * lock, but it is only used temporarily and only for logging. + * npf_ifmap_copylogname: this function is toxic; it can return garbage + * as we don't lock, but it is only used temporarily and only for logging. */ void npf_ifmap_copylogname(npf_t *npf, unsigned id, char *buf, size_t len) { - if (id != NPF_IFMAP_NOID) { - const unsigned i = NPF_IFMAP_ID2SLOT(npf, id); - npf_ifmap_t *ifmap = >ifmap[i]; + const unsigned i = NPF_IFMAP_ID2SLOT(npf, id); + + membar_consumer(); + if (id != NPF_IFMAP_NOID && i < NPF_MAX_IFMAP) { /* * Lock-free access is safe as there is an extra byte * with a permanent NUL terminator at the end. */ + const npf_ifmap_t *ifmap = >ifmap[i]; strlcpy(buf, ifmap->ifname, MIN(len, IFNAMSIZ)); } else { strlcpy(buf, "???", len);
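Review bot: in npf_ifmap_copylogname(), membar_consumer() is issued after NPF_IFMAP_ID2SLOT(npf, id) has already been evaluated, and nothing says which producer-side barrier it pairs with, so it is unclear which load it is meant to order. Add a one-line comment naming the store it pairs with and the read it protects. Separately, the new bound is i < NPF_MAX_IFMAP, so an ID that lands on a slot inside the array that was never assigned copies whatever that slot holds instead of falling through to "???"; if that is acceptable for a logging-only path, say so in the comment above the function.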
CVS commit: src
Module Name:src Committed By: rmind Date: Mon Sep 30 00:37:12 UTC 2019 Modified Files: src/lib/libnpf: libnpf.3 npf.c npf.h src/sys/net/npf: npf_ctl.c src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l npfctl.c npfctl.h src/usr.sbin/npf/npftest: npftest.conf Log Message: libnpf/npfctl: support dynamic NAT rulesets using a name prefix. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/lib/libnpf/libnpf.3 cvs rdiff -u -r1.47 -r1.48 src/lib/libnpf/npf.c cvs rdiff -u -r1.37 -r1.38 src/lib/libnpf/npf.h cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.88 -r1.89 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/npf/npfctl/npf_scan.l cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/npf/npfctl/npfctl.c cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npftest/npftest.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/libnpf.3 diff -u src/lib/libnpf/libnpf.3:1.10 src/lib/libnpf/libnpf.3:1.11 --- src/lib/libnpf/libnpf.3:1.10 Wed Aug 21 21:45:47 2019 +++ src/lib/libnpf/libnpf.3 Mon Sep 30 00:37:11 2019 @@ -1,4 +1,4 @@ -.\" $NetBSD: libnpf.3,v 1.10 2019/08/21 21:45:47 rmind Exp $ +.\" $NetBSD: libnpf.3,v 1.11 2019/09/30 00:37:11 rmind Exp $ .\" .\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 21, 2019 +.Dd August 25, 2019 .Dt LIBNPF 3 .Os .Sh NAME 
@@ -108,6 +108,15 @@ .Fn npf_table_replace "int fd" "nl_table_t *tl" "npf_error_t *errinfo" .Ft void .Fn npf_table_destroy "nl_table_t *tl" +.\" --- +.Ft int +.Fn npf_ruleset_add "int fd" "const char *name" "nl_rule_t *rl" "uint64_t *id" +.Ft int +.Fn npf_ruleset_remove "int fd" "const char *name" "uint64_t id" +.Ft int +.Fn npf_ruleset_remkey "int fd" "const char *name" "const void *key" "size_t len" +.Ft int +.Fn npf_ruleset_flush "int fd" "const char *name" .\" - .Sh DESCRIPTION The @@ -352,7 +361,9 @@ Additionally, may be specified to indicate the translation network; otherwise, it should be set to .Dv NPF_NO_NETMASK . -In such case, a custom algorithm may need to be specified using the +.Pp +In order to use the translation network, a custom algorithm may need to +be specified using the .Fn npf_nat_setalgo function. .\" --- @@ -368,6 +379,9 @@ Currently, the following algorithms are Hash of the source and destination addresses. .It Dv NPF_ALGO_RR Round-robin for the translation addresses. +.It Dv NPF_ALGO_NETMAP +Network-to-network map as described below, but with state tracking. +It is used when it is necessary to translate the ports. .El .Pp The following are support with static NAT: 
@@ -450,6 +464,39 @@ specified by Destroy the specified table. .El .\" - +.Ss Ruleset interface +.Bl -tag -width 4n +.It Fn npf_ruleset_add "fd" "name" "rl" "id" +Add a given rule, specified by +.Fa rl , +into the dynamic ruleset named +.Fa name . +On success, return 0 and a unique rule ID in the +.Fa id +parameter. +.It Fn npf_ruleset_remove "fd" "name" "id" +Remove a rule from the dynamic ruleset, specified by +.Fa name . +The rule is specified by its unique ID in the +.Fa id +parameter. +.It Fn npf_ruleset_remkey "fd" "name" "key" "len" +Remove a rule from the dynamic ruleset, specified by +.Fa name . +The rule is specified by its key, in the +.Fa key +and +.Fa len +parameters. +The key for the rule must have been set during its construction, using the +.Fn npf_rule_setkey +routine. +.It Fn npf_ruleset_flush "fd" "name" +Clear the dynamic ruleset, specified by +.Fa name , +by removing all its rules. +.El +.\" - .Sh SEE ALSO .Xr bpf 4 , .Xr npf 7 , Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.47 src/lib/libnpf/npf.c:1.48 --- src/lib/libnpf/npf.c:1.47 Wed Aug 21 21:45:47 2019 +++ src/lib/libnpf/npf.c Mon Sep 30 00:37:11 2019 @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.47 2019/08/21 21:45:47 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.48 2019/09/30 00:37:11 rmind Exp $"); #include #include @@ -401,14 +401,31 @@ npf_param_set(nl_config_t *ncf, const ch * DYNAMIC RULESET INTERFACE. */ +static inline bool +_npf_nat_ruleset_p(const char *name) +{ + return strncmp(name, NPF_RULESET_MAP_PREF, + sizeof(NPF_RULESET_MAP_PREF) - 1) == 0; +} + int npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uint64_t *id) { + const bool natset = _npf_nat_ruleset_p(rname); nvlist_t *rule_dict = rl->rule_dict; nvlist_t *ret_dict; + nvlist_add_number(rule_dict, "attr", + NPF_RULE_DYNAMIC |
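Review bot: the new "Ruleset interface" section in libnpf.3 never mentions the name prefix this commit is about. The log message says dynamic NAT rulesets are selected by a name prefix and npf.c tests the name against NPF_RULESET_MAP_PREF, yet the text for npf_ruleset_add() and the other three functions only speaks of "the dynamic ruleset named name". Document the prefix and its effect, and state what the four functions return on failure; only the success return of npf_ruleset_add() is given.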
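Review bot: _npf_nat_ruleset_p() in npf.c hands name straight to strncmp(), so a NULL rname passed to npf_ruleset_add() is dereferenced in the initializer of natset before any validation visible in the hunk; either check for NULL or state in libnpf.3 that name must be non-NULL. Because the test is a pure prefix match, any ruleset whose name merely begins with NPF_RULESET_MAP_PREF is treated as a NAT ruleset, which is worth a sentence in the documentation so ordinary rulesets are not named that way by accident.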
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun Sep 29 18:51:08 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf_build.c Log Message: npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. (missed a file in previous commit; cvs is so helpful..) To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf_build.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.51 src/usr.sbin/npf/npfctl/npf_build.c:1.52 --- src/usr.sbin/npf/npfctl/npf_build.c:1.51 Thu Aug 8 21:29:15 2019 +++ src/usr.sbin/npf/npfctl/npf_build.c Sun Sep 29 18:51:08 2019 @@ -32,7 +32,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.51 2019/08/08 21:29:15 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.52 2019/09/29 18:51:08 rmind Exp $"); #include #define __FAVOR_BSD @@ -151,25 +151,32 @@ npfctl_debug_addif(const char *ifname) return 0; } -unsigned -npfctl_table_getid(const char *name) +nl_table_t * +npfctl_table_getbyname(nl_config_t *ncf, const char *name) { - unsigned tid = (unsigned)-1; nl_iter_t i = NPF_ITER_BEGIN; nl_table_t *tl; /* XXX dynamic ruleset */ - if (!npf_conf) { - return (unsigned)-1; + if (!ncf) { + return NULL; } - while ((tl = npf_table_iterate(npf_conf, )) != NULL) { + while ((tl = npf_table_iterate(ncf, )) != NULL) { const char *tname = npf_table_getname(tl); if (strcmp(tname, name) == 0) { - tid = npf_table_getid(tl); break; } } - return tid; + return tl; +} + +unsigned +npfctl_table_getid(const char *name) +{ + nl_table_t *tl; + + tl = npfctl_table_getbyname(npf_conf, name); + return tl ? npf_table_getid(tl) : (unsigned)-1; } const char * 
@@ -873,15 +880,13 @@ npfctl_build_natseg(int sd, int type, un * npfctl_fill_table: fill NPF table with entries from a specified file. */ static void -npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname) +npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname, FILE *fp) { char *buf = NULL; int l = 0; - FILE *fp; size_t n; - fp = fopen(fname, "r"); - if (fp == NULL) { + if (fp == NULL && (fp = fopen(fname, "r")) == NULL) { err(EXIT_FAILURE, "open '%s'", fname); } while (l++, getline(, , fp) != -1) { @@ -908,6 +913,23 @@ npfctl_fill_table(nl_table_t *tl, u_int } /* + * npfctl_load_table: create an NPF table and fill with contents from a file. + */ +nl_table_t * +npfctl_load_table(const char *tname, int tid, u_int type, +const char *fname, FILE *fp) +{ + nl_table_t *tl; + + tl = npf_table_create(tname, tid, type); + if (tl && fname) { + npfctl_fill_table(tl, type, fname, fp); + } + + return tl; +} + +/* * npfctl_build_table: create an NPF table, add to the configuration and, * if required, fill with contents from a file. */ @@ -916,15 +938,13 @@ npfctl_build_table(const char *tname, u_ { nl_table_t *tl; - tl = npf_table_create(tname, npfctl_tid_counter++, type); - assert(tl != NULL); - - if (fname) { - npfctl_fill_table(tl, type, fname); - } else if (type == NPF_TABLE_CONST) { + if (type == NPF_TABLE_CONST && !fname) { yyerror("table type 'const' must be loaded from a file"); } + tl = npfctl_load_table(tname, npfctl_tid_counter++, type, fname, NULL); + assert(tl != NULL); + if (npf_table_insert(npf_conf, tl)) { yyerror("table '%s' is already defined", tname); }
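Review bot: in the npfctl_fill_table() hunk, fp may now be supplied by the caller, but the visible lines do not say who closes it. If the function still closes the stream when it finishes, a caller-owned FILE * is closed behind the caller's back; if it does not, the stream opened by the internal fopen() is left open. State the ownership rule in the function comment and make the close conditional on who opened the stream.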
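Review bot: npfctl_load_table() only calls npfctl_fill_table() when fname is non-NULL (if (tl && fname)), so a caller that passes an open fp with fname set to NULL gets an empty table and no error. Either fill when fp or fname is set, or document that fname is required whenever fp is given. The function also passes a NULL from a failed npf_table_create() back to its caller, and npfctl_build_table() handles that only with assert(tl != NULL), which compiles away under NDEBUG.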
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Sep 29 17:00:29 UTC 2019 Modified Files: src/sys/net/npf: npf_conn.c npf_if.c npf_impl.h npf_ruleset.c Log Message: NPF ifmap: rework and fix a few small bugs. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_if.c cvs rdiff -u -r1.79 -r1.80 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.29 src/sys/net/npf/npf_conn.c:1.30 --- src/sys/net/npf/npf_conn.c:1.29 Tue Aug 6 11:40:15 2019 +++ src/sys/net/npf/npf_conn.c Sun Sep 29 17:00:29 2019 @@ -107,7 +107,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.29 2019/08/06 11:40:15 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.30 2019/09/29 17:00:29 rmind Exp $"); #include #include @@ -782,7 +782,8 @@ npf_conn_export(npf_t *npf, npf_conn_t * nvlist_add_number(cdict, "flags", con->c_flags); nvlist_add_number(cdict, "proto", con->c_proto); if (con->c_ifid) { - const char *ifname = npf_ifmap_getname(npf, con->c_ifid); + char ifname[IFNAMSIZ]; + npf_ifmap_copyname(npf, con->c_ifid, ifname, sizeof(ifname)); nvlist_add_string(cdict, "ifname", ifname); } nvlist_add_binary(cdict, "state", >c_state, sizeof(npf_state_t)); Index: src/sys/net/npf/npf_if.c diff -u src/sys/net/npf/npf_if.c:1.10 src/sys/net/npf/npf_if.c:1.11 --- src/sys/net/npf/npf_if.c:1.10 Sun Aug 11 20:26:33 2019 +++ src/sys/net/npf/npf_if.c Sun Sep 29 17:00:29 2019 @@ -1,4 +1,5 @@ /*- + * Copyright (c) 2019 Mindaugas Rasiukevicius * Copyright (c) 2013 The NetBSD Foundation, Inc. * All rights reserved. * 
@@ -28,23 +29,34 @@ */ /* - * NPF network interface handling module. + * NPF network interface handling. * - * NPF uses its own interface IDs (npf-if-id). When NPF configuration is - * (re)loaded, each required interface name is registered and a matching - * network interface gets an ID assigned. If an interface is not present, - * it gets an ID on attach. + * NPF uses its own interface IDs (npf-if-id). These IDs start from 1. + * Zero is reserved to indicate "no interface" case or an interface of + * no interest (i.e. not registered). * - * IDs start from 1. Zero is reserved to indicate "no interface" case or - * an interface of no interest (i.e. not registered). + * This module provides an interface to primarily handle the following: * - * The IDs are mapped synchronously based on interface events which are - * monitored using pfil(9) hooks. + * - Bind a symbolic interface name to NPF interface ID. + * - Associate NPF interface ID when the network interface is attached. + * + * When NPF configuration is (re)loaded, each referenced network interface + * name is registered with a unique ID. If the network interface is already + * attached, then the ID is associated with it immediately; otherwise, IDs + * are associated/disassociated on interface events which are monitored + * using pfil(9) hooks. + * + * To avoid race conditions when an active NPF configuration is updated or + * interfaces are detached/attached, the interface names are never removed + * and therefore IDs are never re-assigned. The only point when interface + * names and IDs are cleared is when the configuration is flushed. + * + * A linear counter is used for IDs. */ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.10 2019/08/11 20:26:33 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $"); #include #include 
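Review bot: the rewritten header comment in npf_if.c says IDs are never re-assigned and are cleared only on flush, but it does not mention ifmap_off, which the NPF_IFMAP_SLOT2ID/NPF_IFMAP_ID2SLOT macros in the following hunk fold into every ID. Add a sentence on what the offset is for and when it changes, and say what happens when reloads reference more distinct names than NPF_MAX_IFMAP allows, since names are never removed between flushes.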
@@ -55,9 +67,13 @@ __KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1 #include "npf_impl.h" typedef struct npf_ifmap { - char n_ifname[IFNAMSIZ]; + char ifname[IFNAMSIZ + 1]; } npf_ifmap_t; +#define NPF_IFMAP_NOID (0U) +#define NPF_IFMAP_SLOT2ID(npf, slot) ((npf)->ifmap_off + (slot) + 1) +#define NPF_IFMAP_ID2SLOT(npf, id) ((id) - (npf)->ifmap_off - 1) + void npf_ifmap_init(npf_t *npf, const npf_ifops_t *ifops) { @@ -66,8 +82,10 @@ npf_ifmap_init(npf_t *npf, const npf_ifo KASSERT(ifops != NULL); ifops->flush((void *)(uintptr_t)0); + mutex_init(>ifmap_lock, MUTEX_DEFAULT, IPL_SOFTNET); npf->ifmap = kmem_zalloc(nbytes, KM_SLEEP); npf->ifmap_cnt = 0; + npf->ifmap_off = 0; npf->ifops = ifops; } @@ -75,82 +93,101 @@ void npf_ifmap_fini(npf_t *npf) { const size_t nbytes = sizeof(npf_ifmap_t) * NPF_MAX_IFMAP; + mutex_destroy(>ifmap_lock); kmem_free(npf->ifmap, nbytes); } -static u_int -npf_ifmap_new(npf_t *npf) -{ - KASSERT(npf_config_locked_p(npf)); - - for (u_int i = 0; i < npf->ifmap_cnt;
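Review bot: NPF_IFMAP_ID2SLOT() in the @@ -55 hunk is plain unsigned subtraction, so NPF_IFMAP_NOID or any ID at or below ifmap_off wraps to a very large slot number, and every user has to range-check the result before indexing npf->ifmap. Put that requirement in a comment next to the macros, or wrap the conversion in a helper that yields a slot only when it is in range. The extra byte in ifname[IFNAMSIZ + 1] also deserves a comment at the struct saying it is a NUL terminator that is never overwritten, because the lock-free reader in npf_ifmap_copylogname() depends on it.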
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun Sep 29 16:58:35 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npfctl.8 npfctl.c npfctl.h Log Message: npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npfctl.8 cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npfctl.c cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.8 diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.21 src/usr.sbin/npf/npfctl/npfctl.8:1.22 --- src/usr.sbin/npf/npfctl/npfctl.8:1.21 Sat Jan 19 21:19:32 2019 +++ src/usr.sbin/npf/npfctl/npfctl.8 Sun Sep 29 16:58:35 2019 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfctl.8,v 1.21 2019/01/19 21:19:32 rmind Exp $ +.\" $NetBSD: npfctl.8,v 1.22 2019/09/29 16:58:35 rmind Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 10, 2017 +.Dd August 26, 2019 .Dt NPFCTL 8 .Os .Sh NAME 
@@ -114,28 +114,50 @@ List all rules in the dynamic ruleset sp Remove all rules from the dynamic ruleset specified by .Ar name . .\" --- -.It Ic table Ar tid Ic add Aq Ar addr/mask +.It Ic table Ar name Ic add Aq Ar addr/mask In table -.Ar tid , +.Ar name , add the IP address and optionally netmask, specified by .Aq Ar addr/mask . Only the tables of type "lpm" support masks. -.It Ic table Ar tid Ic rem Aq Ar addr/mask +.It Ic table Ar name Ic rem Aq Ar addr/mask In table -.Ar tid , +.Ar name , remove the IP address and optionally netmask, specified by .Aq Ar addr/mask . Only the tables of type "lpm" support masks. -.It Ic table Ar tid Ic test Aq Ar addr +.It Ic table Ar name Ic test Aq Ar addr Query the table -.Ar tid +.Ar name for a specific IP address, specified by .Ar addr . If no mask is specified, a single host is assumed. -.It Ic table Ar tid Ic list +.It Ic table Ar name Ic list List all entries in the currently loaded table specified by -.Ar tid . +.Ar name . This operation is expensive and should be used with caution. +.It Ic table Ar name Ic replace Oo Fl n Ar newname Oc Oo Fl t Ar type Oc Aq Ar path +Replace the existing table specified by +.Ar name +with a new table built from the file specified by +.Ar path . +Optionally, the new table will: +.Bl -tag -width xx -compact -offset 3n +.It Fl n Ar newname +be named +.Ar newname , +effectively renaming the table. +If not specified, the name of the table being replaced will be used. +.It Fl n Ar type +be of type +.Ar type ; +currently supported types are +.Cm ipset , +.Cm lpm , +or +.Cm const . +If not specified, the type of the table being replaced will be used. +.El .\" --- .It Ic save Save the active configuration and a snapshot of the current connections. 
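Review bot: in the option list for table replace, the second entry is tagged .It Fl n Ar type, but the synopsis line above it declares the type option as Oo Fl t Ar type Oc and the usage() text in npfctl.c prints -t; change the tag to .It Fl t Ar type so the page does not document two meanings for -n.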
@@ -201,6 +223,13 @@ Addition and removal of entries in the t # npfctl table "vip" add 10.0.0.1 # npfctl table "vip" rem 182.168.0.0/24 .Ed +.Pp +Replacing the existing table which has ID "svr" +with a new const table populated from file "/tmp/npf_vps_new", +and renamed to "vps": +.Bd -literal -offset indent +# npfctl table "svr" replace -n "vps" -t const "/tmp/npf_vps_new" +.Ed .\" - .Sh SEE ALSO .Xr bpf 4 , Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.61 src/usr.sbin/npf/npfctl/npfctl.c:1.62 --- src/usr.sbin/npf/npfctl/npfctl.c:1.61 Wed Aug 21 21:41:53 2019 +++ src/usr.sbin/npf/npfctl/npfctl.c Sun Sep 29 16:58:35 2019 @@ -28,7 +28,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.61 2019/08/21 21:41:53 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.62 2019/09/29 16:58:35 rmind Exp $"); #include #include @@ -142,10 +142,14 @@ usage(void) "\t%s rule \"rule-name\" { list | flush }\n", progname); fprintf(stderr, - "\t%s table { add | rem | test } \n", + "\t%s table \"table-name\" { add | rem | test } \n", progname); fprintf(stderr, - "\t%s table { list | flush }\n", + "\t%s table \"table-name\" { list | flush }\n", + progname); + fprintf(stderr, + "\t%s table \"table-name\" replace [-n \"name\"]" + " [-t ] \n", progname); fprintf(stderr, "\t%s save | load\n", @@ -275,7 +279,101 @@ npfctl_print_addrmask(int alen, const ch return buf; } -__dead static void +static int +npfctl_table_type(const char *typename) +{ + int i; + + static const struct tbltype_s { + const char *name; + u_int type; + } tbltypes[] = { + { "ipset", NPF_TABLE_IPSET }, + { "lpm", NPF_TABLE_LPM }, + { "const", NPF_TABLE_CONST }, + { NULL, 0 } + }; + + for (i = 0; tbltypes[i].name != NULL; i++) { + if (strcmp(typename, tbltypes[i].name) == 0) { + return tbltypes[i].type; + } + } + + return
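Review bot: the new EXAMPLES text in npfctl.8 says 'the existing table which has ID "svr"', while the rest of this commit renames the argument from tid to name throughout the page and in usage(); write 'the existing table named "svr"' so the example matches the new terminology.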
CVS commit: src
Module Name:src Committed By: rmind Date: Wed Aug 28 21:48:14 UTC 2019 Modified Files: src/distrib/sets/lists/comp: mi src/share/man/man9: Makefile Log Message: Install thmap(9) man page. To generate a diff of this commit: cvs rdiff -u -r1.2283 -r1.2284 src/distrib/sets/lists/comp/mi cvs rdiff -u -r1.439 -r1.440 src/share/man/man9/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/distrib/sets/lists/comp/mi diff -u src/distrib/sets/lists/comp/mi:1.2283 src/distrib/sets/lists/comp/mi:1.2284 --- src/distrib/sets/lists/comp/mi:1.2283 Fri Aug 23 08:17:27 2019 +++ src/distrib/sets/lists/comp/mi Wed Aug 28 21:48:14 2019 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.2283 2019/08/23 08:17:27 mrg Exp $ +# $NetBSD: mi,v 1.2284 2019/08/28 21:48:14 rmind Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. ./etc/mtree/set.compcomp-sys-root @@ -11899,6 +11899,7 @@ ./usr/share/man/cat9/tc_syncbus.0 comp-sys-catman .cat ./usr/share/man/cat9/tc_wmb.0 comp-sys-catman .cat ./usr/share/man/cat9/tcp_congctl.0 comp-sys-catman .cat +./usr/share/man/cat9/thmap.0 comp-sys-catman .cat ./usr/share/man/cat9/threadpool.0 comp-sys-catman .cat ./usr/share/man/cat9/threadpool_cancel_job.0 comp-sys-catman .cat ./usr/share/man/cat9/threadpool_cancel_job_async.0 comp-sys-catman .cat @@ -19791,6 +19792,7 @@ ./usr/share/man/html9/tc_syncbus.html comp-sys-htmlman html ./usr/share/man/html9/tc_wmb.html comp-sys-htmlman html ./usr/share/man/html9/tcp_congctl.html comp-sys-htmlman html +./usr/share/man/html9/thmap.html comp-sys-htmlman html ./usr/share/man/html9/threadpool.html comp-sys-htmlman html ./usr/share/man/html9/threadpool_cancel_job.html comp-sys-htmlman html ./usr/share/man/html9/threadpool_cancel_job_async.html comp-sys-htmlman html 
@@ -27882,6 +27884,7 @@ ./usr/share/man/man9/tc_syncbus.9 comp-sys-man .man ./usr/share/man/man9/tc_wmb.9 comp-sys-man .man ./usr/share/man/man9/tcp_congctl.9 comp-sys-man .man +./usr/share/man/man9/thmap.9 comp-sys-man .man ./usr/share/man/man9/threadpool.9 comp-sys-man .man ./usr/share/man/man9/threadpool_cancel_job.9 comp-sys-man .man ./usr/share/man/man9/threadpool_cancel_job_async.9 comp-sys-man .man Index: src/share/man/man9/Makefile diff -u src/share/man/man9/Makefile:1.439 src/share/man/man9/Makefile:1.440 --- src/share/man/man9/Makefile:1.439 Sat Aug 10 23:33:10 2019 +++ src/share/man/man9/Makefile Wed Aug 28 21:48:14 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.439 2019/08/10 23:33:10 mrg Exp $ +# $NetBSD: Makefile,v 1.440 2019/08/28 21:48:14 rmind Exp $ # Makefile for section 9 (kernel function and variable) manual pages. @@ -55,7 +55,7 @@ MAN= accept_filter.9 accf_data.9 accf_ht spi.9 splraiseipl.9 \ suspendsched.9 \ sysctl.9 sysmon_envsys.9 sysmon_pswitch.9 sysmon_taskq.9 tc.9 \ - tcp_congctl.9 threadpool.9 timecounter.9 time_second.9 todr.9 \ + tcp_congctl.9 thmap.9 threadpool.9 timecounter.9 time_second.9 todr.9 \ ts2timo.9 tvtohz.9 \ ubc.9 ucas.9 ucom.9 ufetch.9 uiomove.9 \ usbd_status.9 usbdi.9 usbnet.9 \
CVS commit: src/share/man/man9
Module Name:src Committed By: rmind Date: Wed Aug 28 20:08:11 UTC 2019 Added Files: src/share/man/man9: thmap.9 Log Message: Add thmap(9) man page. Reviewed by wiz@. Forgot to commit it half a year ago. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/share/man/man9/thmap.9 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/share/man/man9/thmap.9 diff -u /dev/null src/share/man/man9/thmap.9:1.1 --- /dev/null Wed Aug 28 20:08:11 2019 +++ src/share/man/man9/thmap.9 Wed Aug 28 20:08:11 2019 
@@ -0,0 +1,236 @@ +.\" +.\" Copyright (c) 2018 Mindaugas Rasiukevicius +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\"notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\"notice, this list of conditions and the following disclaimer in the +.\"documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.Dd December 11, 2018 +.Dt THMAP 9 +.Os +.Sh NAME +.Nm thmap +.Nd concurrent trie-hash map +.Sh SYNOPSIS +.In thmap.h +.\" - +.Ft thmap_t * +.Fn thmap_create "uintptr_t baseptr" "const thmap_ops_t *ops" "unsigned flags" +.Ft void +.Fn thmap_destroy "thmap_t *hmap" +.Ft void * +.Fn thmap_get "thmap_t *hmap" "const void *key" "size_t len" +.Ft void * +.Fn thmap_put "thmap_t *hmap" "const void *key" "size_t len" "void *val" +.Ft void * +.Fn thmap_del "thmap_t *hmap" "const void *key" "size_t len" +.Ft void * +.Fn thmap_stage_gc "thmap_t *hmap" +.Ft void +.Fn thmap_gc "thmap_t *hmap" "void *ref" +.Ft void +.Fn thmap_setroot "thmap_t *thmap" "uintptr_t root_offset" +.Ft uintptr_t +.Fn thmap_getroot "const thmap_t *thmap" +.\" - +.Sh DESCRIPTION +Concurrent trie-hash map \(em a general purpose associative array, +combining the elements of hashing and radix trie. +Highlights: +.Pp +.Bl -hyphen -compact +.It +Very competitive performance, with logarithmic time complexity on average. +.It +Lookups are lock-free and inserts/deletes are using fine-grained locking. +.It +Incremental growth of the data structure (no large resizing/rehashing). +.It +Optional support for use with shared memory, e.g. memory-mapped file. +.El +.Pp +Delete operations (the key/data destruction) must be synchronized with +the readers using some reclamation mechanism. +.\" - +.Sh FUNCTIONS +.Bl -tag -width thmap_create +.It Fn thmap_create +Construct a new trie-hash map. +The optional +.Fa ops +parameter can +used to set the custom allocate/free operations (see the description of +.Vt thmap_ops_t +below). +In such case, the +.Fa baseptr +is the base (start) address of the address space mapping (it must be +word-aligned). +If +.Fa ops +is set to +.Dv NULL , +then +.Xr malloc 3 +and +.Xr free 3 +will be used as the default operations and +.Fa baseptr +should be set to zero. 
+Currently, the supported +.Fa flags +are: +.Bl -tag -width THMAP_NOCOPY +.It Dv THMAP_NOCOPY +The keys on insert will not be copied and the given pointers to them will +be expected to be valid and the values constant until the key is deleted; +by default, the put operation will make a copy of the key. +.It Dv THMAP_SETROOT +Indicate that the root of the map will be manually set using the +.Fn thmap_setroot +routine; +by default, the map is initialized and the root node is set on +.Fn thmap_create . +.El +.\" --- +.It Fn thmap_destroy +Destroy the map, freeing the memory it uses. +.\" --- +.It Fn thmap_get +Lookup the key (of a given length) and return the value associated with it. +Return +.Dv NULL +if
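Review bot: in the thmap_create entry, "parameter can used to set the custom allocate/free operations" is missing a word; make it "can be used to set". In the THMAP_NOCOPY text, the key pointers are required to stay valid "until the key is deleted"; since DESCRIPTION says deletes must be synchronized with readers through a reclamation mechanism, clarify whether the key memory must also remain valid until that reclamation has completed rather than only until thmap_del() returns.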
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Sun Aug 25 17:38:25 UTC 2019 Modified Files: src/sys/net/npf: npf_ctl.c npf_impl.h npf_os.c Log Message: ake npfctl_switch() and pfil private to OS-specific module. To generate a diff of this commit: cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.78 -r1.79 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_os.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.57 src/sys/net/npf/npf_ctl.c:1.58 --- src/sys/net/npf/npf_ctl.c:1.57 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_ctl.c Sun Aug 25 17:38:25 2019 @@ -36,7 +36,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.57 2019/08/25 13:21:03 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.58 2019/08/25 17:38:25 rmind Exp $"); #include #include @@ -53,28 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v nvlist_add_string((e), "source-file", __FILE__); \ nvlist_add_number((e), "source-line", __LINE__); -#ifdef _KERNEL -/* - * npfctl_switch: enable or disable packet inspection. - */ -int -npfctl_switch(void *data) -{ - const bool onoff = *(int *)data ? true : false; - int error; - - if (onoff) { - /* Enable: add pfil hooks. */ - error = npf_pfil_register(false); - } else { - /* Disable: remove pfil hooks. */ - npf_pfil_unregister(false); - error = 0; - } - return error; -} -#endif - static int npf_nvlist_copyin(npf_t *npf, void *data, nvlist_t **nvl) { 
@@ -731,7 +709,7 @@ npfctl_save(npf_t *npf, u_long cmd, void if (error) { goto out; } - nvlist_add_bool(npf_dict, "active", npf_pfil_registered_p()); + nvlist_add_bool(npf_dict, "active", npf_active_p()); error = npf_nvlist_copyout(npf, data, npf_dict); npf_dict = NULL; out: Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.78 src/sys/net/npf/npf_impl.h:1.79 --- src/sys/net/npf/npf_impl.h:1.78 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_impl.h Sun Aug 25 17:38:25 2019 @@ -289,6 +289,7 @@ npf_ruleset_t * npf_config_ruleset(npf_t npf_ruleset_t * npf_config_natset(npf_t *npf); npf_tableset_t *npf_config_tableset(npf_t *npf); bool npf_default_pass(npf_t *); +bool npf_active_p(void); int npf_worker_sysinit(unsigned); void npf_worker_sysfini(void); @@ -296,8 +297,6 @@ void npf_worker_signal(npf_t *); void npf_worker_register(npf_t *, npf_workfunc_t); void npf_worker_unregister(npf_t *, npf_workfunc_t); -int npfctl_switch(void *); -int npfctl_reload(u_long, void *); int npfctl_save(npf_t *, u_long, void *); int npfctl_load(npf_t *, u_long, void *); int npfctl_rule(npf_t *, u_long, void *); @@ -327,11 +326,6 @@ void npf_ifaddr_sync(npf_t *, ifnet_t * void npf_ifaddr_flush(npf_t *, ifnet_t *); void npf_ifaddr_syncall(npf_t *); -/* Packet filter hooks. */ -int npf_pfil_register(bool); -void npf_pfil_unregister(bool); -bool npf_pfil_registered_p(void); - /* Protocol helpers. */ int npf_cache_all(npf_cache_t *); void npf_recache(npf_cache_t *); Index: src/sys/net/npf/npf_os.c diff -u src/sys/net/npf/npf_os.c:1.16 src/sys/net/npf/npf_os.c:1.17 --- src/sys/net/npf/npf_os.c:1.16 Sun Aug 25 13:21:03 2019 +++ src/sys/net/npf/npf_os.c Sun Aug 25 17:38:25 2019 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.16 2019/08/25 13:21:03 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.17 2019/08/25 17:38:25 rmind Exp $"); #ifdef _KERNEL_OPT #include "pf.h" 
@@ -84,6 +84,9 @@ MODULE(MODULE_CLASS_MISC, npf, "bpf"); MODULE(MODULE_CLASS_DRIVER, npf, "bpf"); #endif +static int npf_pfil_register(bool); +static void npf_pfil_unregister(bool); + static int npf_dev_open(dev_t, int, int, lwp_t *); static int npf_dev_close(dev_t, int, int, lwp_t *); static int npf_dev_ioctl(dev_t, u_long, void *, int, lwp_t *); @@ -226,6 +229,26 @@ npf_stats_export(npf_t *npf, void *data) return error; } +/* + * npfctl_switch: enable or disable packet inspection. + */ +static int +npfctl_switch(void *data) +{ + const bool onoff = *(int *)data ? true : false; + int error; + + if (onoff) { + /* Enable: add pfil hooks. */ + error = npf_pfil_register(false); + } else { + /* Disable: remove pfil hooks. */ + npf_pfil_unregister(false); + error = 0; + } + return error; +} + static int npf_dev_ioctl(dev_t dev, u_long cmd, void *data, int flag, lwp_t *l) { @@ -290,7 +313,7 @@ bool npf_autounload_p(void) { npf_t *npf = npf_getkernctx(); - return !npf_pfil_registered_p() && npf_default_pass(npf); + return !npf_active_p() && npf_default_pass(npf); } /* @@ -394,7 +417,7 @@ npf_ifaddrhook(void *arg, u_long cmd, vo /* * npf_pfil_register: register pfil(9) hooks. */ -int +static int npf_pfil_register(bool init) { npf_t *npf = npf_getkernctx(); @@ -463,7 +486,7 @@ out: /* * npf_pfil_unregister:
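Review bot: the npf_impl.h hunk at -296,8 also drops the `int npfctl_reload(u_long, void *);` prototype, which the log message does not mention (it covers only npfctl_switch() and the pfil functions). Either note this cleanup in the log or split it out, and confirm that no definition or caller of npfctl_reload() remains, since a leftover definition would now be compiled without a visible prototype.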
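Review bot: `bool npf_active_p(void);` is added to npf_impl.h at -289,6 with no comment and no npf_t argument, yet npfctl_save() in npf_ctl.c uses it to fill the "active" field of the configuration it exports for a specific `npf_t *npf`. npf_ctl.c is evidently also built without _KERNEL (the removed npfctl_switch() block was guarded by `#ifdef _KERNEL`), so the prototype should carry a short comment saying what the predicate reports and which module is expected to provide it in each build.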
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Sun Aug 25 16:38:21 UTC 2019 Modified Files: src/sys/net/npf: npf.h src/sys/sys: mbuf.h Log Message: Move PACKET_TAG_NPF where it belongs to. To generate a diff of this commit: cvs rdiff -u -r1.61 -r1.62 src/sys/net/npf/npf.h cvs rdiff -u -r1.219 -r1.220 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.61 src/sys/net/npf/npf.h:1.62 --- src/sys/net/npf/npf.h:1.61 Wed Aug 21 21:45:47 2019 +++ src/sys/net/npf/npf.h Sun Aug 25 16:38:20 2019 @@ -253,8 +253,9 @@ bool npf_autounload_p(void); #define NPF_LAYER_2 2 #define NPF_LAYER_3 3 -/* XXX mbuf.h: just for now. */ -#define PACKET_TAG_NPF 10 +/* + * Flags passed via nbuf tags. + */ #define NPF_NTAG_PASS 0x0001 /* Index: src/sys/sys/mbuf.h diff -u src/sys/sys/mbuf.h:1.219 src/sys/sys/mbuf.h:1.220 --- src/sys/sys/mbuf.h:1.219 Thu Jan 17 02:47:15 2019 +++ src/sys/sys/mbuf.h Sun Aug 25 16:38:20 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $ */ +/* $NetBSD: mbuf.h,v 1.220 2019/08/25 16:38:20 rmind Exp $ */ /* * Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc. @@ -799,6 +799,7 @@ int m_tag_copy_chain(struct mbuf *, stru /* Packet tag types */ #define PACKET_TAG_NONE 0 /* Nothing */ #define PACKET_TAG_SO 4 /* sending socket pointer */ +#define PACKET_TAG_NPF 10 /* packet filter */ #define PACKET_TAG_PF 11 /* packet filter */ #define PACKET_TAG_ALTQ_QID 12 /* ALTQ queue id */ #define PACKET_TAG_IPSEC_OUT_DONE 18
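Review bot: in the mbuf.h hunk at -799,6 the new `#define PACKET_TAG_NPF 10` carries the comment `/* packet filter */`, identical to the comment on PACKET_TAG_PF on the next line. Change it to something like `/* NPF packet filter */` so the two tag types can be told apart when reading the list.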
CVS commit: src
Module Name:src Committed By: rmind Date: Sun Aug 25 13:21:04 UTC 2019 Modified Files: src/sys/net/npf: npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c npf_ifaddr.c npf_impl.h npf_nat.c npf_os.c src/usr.sbin/npf/npfctl: npf_bpf_comp.c src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c Log Message: - npfctl_load_nvlist: simplify the config loading logic. - Fix a small race condition in npf_nat_getaddr(). - Rework pserialize/EBR wrappers, make it easier to maintain. To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf.c cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_alg.c cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.56 -r1.57 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_handler.c \ src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_ifaddr.c cvs rdiff -u -r1.77 -r1.78 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_os.c cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.18 -r1.19 \ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.c diff -u src/sys/net/npf/npf.c:1.40 src/sys/net/npf/npf.c:1.41 --- src/sys/net/npf/npf.c:1.40 Sun Aug 11 20:26:33 2019 +++ src/sys/net/npf/npf.c Sun Aug 25 13:21:03 2019 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.40 2019/08/11 20:26:33 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.41 2019/08/25 13:21:03 rmind Exp $"); #include #include @@ -72,7 +72,7 @@ npfk_create(int flags, const npf_mbufops npf_t *npf; npf = kmem_zalloc(sizeof(npf_t), KM_SLEEP); - npf->qsbr = pserialize_create(); + npf->ebr = npf_ebr_create(); npf->stats_percpu = percpu_alloc(NPF_STATS_SIZE); npf->mbufops = mbufops; 
@@ -111,7 +111,7 @@ npfk_destroy(npf_t *npf) npf_state_sysfini(npf); npf_param_fini(npf); - pserialize_destroy(npf->qsbr); + npf_ebr_destroy(npf->ebr); percpu_free(npf->stats_percpu, NPF_STATS_SIZE); kmem_free(npf, sizeof(npf_t)); } @@ -131,14 +131,14 @@ npfk_gc(npf_t *npf) __dso_public void npfk_thread_register(npf_t *npf) { - pserialize_register(npf->qsbr); + npf_ebr_register(npf->ebr); } __dso_public void npfk_thread_unregister(npf_t *npf) { - pserialize_perform(npf->qsbr); - pserialize_unregister(npf->qsbr); + npf_ebr_full_sync(npf->ebr); + npf_ebr_unregister(npf->ebr); } void Index: src/sys/net/npf/npf_alg.c diff -u src/sys/net/npf/npf_alg.c:1.20 src/sys/net/npf/npf_alg.c:1.21 --- src/sys/net/npf/npf_alg.c:1.20 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_alg.c Sun Aug 25 13:21:03 2019 @@ -33,13 +33,12 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.20 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.21 2019/08/25 13:21:03 rmind Exp $"); #include #include #include -#include #include #endif @@ -185,7 +184,7 @@ npf_alg_unregister(npf_t *npf, npf_alg_t afuncs->match = NULL; afuncs->translate = NULL; afuncs->inspect = NULL; - pserialize_perform(npf->qsbr); + npf_ebr_full_sync(npf->ebr); /* Finally, unregister the ALG. */ npf_ruleset_freealg(npf_config_natset(npf), alg); @@ -210,13 +209,14 @@ npf_alg_unregister(npf_t *npf, npf_alg_t bool npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di) { - npf_algset_t *aset = npc->npc_ctx->algset; + npf_t *npf = npc->npc_ctx; + npf_algset_t *aset = npf->algset; bool match = false; int s; KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number"); - s = pserialize_read_enter(); + s = npf_ebr_enter(npf->ebr); for (unsigned i = 0; i < aset->alg_count; i++) { const npfa_funcs_t *f = >alg_funcs[i]; @@ -225,7 +225,7 @@ npf_alg_match(npf_cache_t *npc, npf_nat_ break; } } - pserialize_read_exit(s); + npf_ebr_exit(npf->ebr, s); return match; } 
@@ -243,12 +243,13 @@ npf_alg_match(npf_cache_t *npc, npf_nat_ void npf_alg_exec(npf_cache_t *npc, npf_nat_t *nt, bool forw) { - npf_algset_t *aset = npc->npc_ctx->algset; + npf_t *npf = npc->npc_ctx; + npf_algset_t *aset = npf->algset; int s; KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number"); - s = pserialize_read_enter(); + s = npf_ebr_enter(npf->ebr); for (unsigned i = 0; i < aset->alg_count; i++) { const npfa_funcs_t *f = >alg_funcs[i]; @@ -256,11 +257,11 @@ npf_alg_exec(npf_cache_t *npc, npf_nat_t f->translate(npc, nt, forw); } } - pserialize_read_exit(s); + npf_ebr_exit(npf->ebr, s); } /* - * npf_alg_conn: query ALGs giving which may perform a custom state lookup. + * npf_alg_conn: query ALGs which may perform a custom state lookup. * * The purpose of ALG connection inspection function is to provide * ALGs with a mechanism to override the regular connection state
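Review bot: in npf_alg_match() and npf_alg_exec() the value returned by `npf_ebr_enter(npf->ebr)` is kept in `int s` and handed back to `npf_ebr_exit(npf->ebr, s)`, a shape carried over from pserialize_read_enter()/pserialize_read_exit(). Now that callers no longer see which mechanism sits underneath, the wrapper declarations should document what that value means and whether enter/exit pairs may nest. The same applies to npf_ebr_full_sync(), which npf_alg_unregister() relies on between clearing the function pointers and calling npf_ruleset_freealg().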
CVS commit: src
Module Name:src Committed By: rmind Date: Sat Aug 24 13:20:52 UTC 2019 Modified Files: src/lib/libnpf: Makefile src/lib/npf: mod.mk src/libexec/identd: Makefile src/usr.sbin/npf/npfctl: Makefile src/usr.sbin/npf/npfd: Makefile Log Message: libnpf fix: link the library itself to libnv; libnpf users should not be expected to assume this dependency. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/lib/libnpf/Makefile cvs rdiff -u -r1.7 -r1.8 src/lib/npf/mod.mk cvs rdiff -u -r1.17 -r1.18 src/libexec/identd/Makefile cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/Makefile cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfd/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/Makefile diff -u src/lib/libnpf/Makefile:1.10 src/lib/libnpf/Makefile:1.11 --- src/lib/libnpf/Makefile:1.10 Sun Jan 27 04:39:33 2019 +++ src/lib/libnpf/Makefile Sat Aug 24 13:20:52 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.10 2019/01/27 04:39:33 dholland Exp $ +# $NetBSD: Makefile,v 1.11 2019/08/24 13:20:52 rmind Exp $ USE_SHLIBDIR= yes @@ -12,8 +12,12 @@ SRCS= npf.c INCS= npf.h INCSDIR= /usr/include +LIBNV!= cd ${NETBSDSRCDIR}/external/bsd/libnv/lib && ${PRINTOBJDIR} CPPFLAGS+= -I${NETBSDSRCDIR}/sys/external/bsd/libnv/dist +DPADD+= ${LIBNV}/libnv.a +LDADD+= -L${LIBNV} -lnv + WARNS= 5 .include Index: src/lib/npf/mod.mk diff -u src/lib/npf/mod.mk:1.7 src/lib/npf/mod.mk:1.8 --- src/lib/npf/mod.mk:1.7 Sat Sep 29 14:41:36 2018 +++ src/lib/npf/mod.mk Sat Aug 24 13:20:52 2019 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.7 2018/09/29 14:41:36 rmind Exp $ +# $NetBSD: mod.mk,v 1.8 2019/08/24 13:20:52 rmind Exp $ .include 
@@ -25,8 +25,6 @@ SHLIBINSTALLDIR=${LIBROOTDIR}/npf LIB= ${MOD} SRCS= npf${MOD}.c - -CPPFLAGS+= -I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist LIBDPLIBS+= npf ${NETBSDSRCDIR}/lib/libnpf .include Index: src/libexec/identd/Makefile diff -u src/libexec/identd/Makefile:1.17 src/libexec/identd/Makefile:1.18 --- src/libexec/identd/Makefile:1.17 Sat Sep 29 14:41:37 2018 +++ src/libexec/identd/Makefile Sat Aug 24 13:20:52 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.17 2018/09/29 14:41:37 rmind Exp $ +# $NetBSD: Makefile,v 1.18 2019/08/24 13:20:52 rmind Exp $ .include @@ -22,10 +22,6 @@ CPPFLAGS+=-DWITH_PF .if (${MKNPF} != "no") SRCS+= npf.c CPPFLAGS+=-DWITH_NPF - -PROGDPLIBS+= nv ${NETBSDSRCDIR}/external/bsd/libnv/lib -CPPFLAGS+= -I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist - LDADD+=-lnpf DPADD+=${LIBNPF} .endif Index: src/usr.sbin/npf/npfctl/Makefile diff -u src/usr.sbin/npf/npfctl/Makefile:1.13 src/usr.sbin/npf/npfctl/Makefile:1.14 --- src/usr.sbin/npf/npfctl/Makefile:1.13 Sat Sep 29 14:41:36 2018 +++ src/usr.sbin/npf/npfctl/Makefile Sat Aug 24 13:20:52 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.13 2018/09/29 14:41:36 rmind Exp $ +# $NetBSD: Makefile,v 1.14 2019/08/24 13:20:52 rmind Exp $ .include @@ -13,9 +13,6 @@ CPPFLAGS+= -I${.CURDIR} SRCS+= npf_scan.l npf_parse.y YHEADER= 1 -PROGDPLIBS+= nv ${NETBSDSRCDIR}/external/bsd/libnv/lib -CPPFLAGS+= -I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist - LDADD+= -lnpf -lpcap -lutil -ly DPADD+= ${LIBNPF} ${LIBUTIL} ${LIBPCAP} ${LIBUTIL} ${LIBY} Index: src/usr.sbin/npf/npfd/Makefile diff -u src/usr.sbin/npf/npfd/Makefile:1.6 src/usr.sbin/npf/npfd/Makefile:1.7 --- src/usr.sbin/npf/npfd/Makefile:1.6 Sat Sep 29 14:41:36 2018 +++ src/usr.sbin/npf/npfd/Makefile Sat Aug 24 13:20:52 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.6 2018/09/29 14:41:36 rmind Exp $ +# $NetBSD: Makefile,v 1.7 2019/08/24 13:20:52 rmind Exp $ # # Public Domain # 
@@ -9,9 +9,6 @@ MAN= npfd.8 SRCS= npfd.c npfd_log.c CPPFLAGS+= -I${.CURDIR} -PROGDPLIBS+= nv ${NETBSDSRCDIR}/external/bsd/libnv/lib -CPPFLAGS+= -I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist - LDADD+= -lnpf -lpcap -lutil DPADD+= ${LIBNPF} ${LIBPCAP} ${LIBUTIL}
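Review bot: the libnpf/Makefile hunk at -12,8 locates libnv with a shell assignment (`LIBNV!= cd ${NETBSDSRCDIR}/external/bsd/libnv/lib && ${PRINTOBJDIR}`) plus hand-written DPADD/LDADD lines, while mod.mk in the same commit expresses its library dependency as `LIBDPLIBS+= npf ${NETBSDSRCDIR}/lib/libnpf`. Is there a reason not to use `LIBDPLIBS+= nv ${NETBSDSRCDIR}/external/bsd/libnv/lib` here as well? It would match the neighbouring makefile and avoid running a shell command each time the makefile is parsed.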
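Review bot: the identd, npfctl and npfd hunks remove both `PROGDPLIBS+= nv ${NETBSDSRCDIR}/external/bsd/libnv/lib` and `CPPFLAGS+= -I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist`. Recording -lnv on libnpf only helps consumers of the shared object; a program linked statically against libnpf.a still needs -lnv on its own link line, and any source in these programs that includes the libnv header directly loses its include path. Please confirm that both cases still build before dropping the lines.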
CVS commit: src
Module Name:src Committed By: rmind Date: Wed Aug 21 21:45:47 UTC 2019 Modified Files: src/lib/libnpf: libnpf.3 npf.c npf.h src/sys/net/npf: npf.h npf_ctl.c npf_impl.h npf_os.c npf_tableset.c Log Message: npfkern/libnpf: Add support for the table replace/swap operation. Contributed by Timshel Knoll-Miller. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/lib/libnpf/libnpf.3 cvs rdiff -u -r1.46 -r1.47 src/lib/libnpf/npf.c cvs rdiff -u -r1.36 -r1.37 src/lib/libnpf/npf.h cvs rdiff -u -r1.60 -r1.61 src/sys/net/npf/npf.h cvs rdiff -u -r1.55 -r1.56 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.76 -r1.77 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_os.c cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libnpf/libnpf.3 diff -u src/lib/libnpf/libnpf.3:1.9 src/lib/libnpf/libnpf.3:1.10 --- src/lib/libnpf/libnpf.3:1.9 Tue Jul 23 14:18:20 2019 +++ src/lib/libnpf/libnpf.3 Wed Aug 21 21:45:47 2019 @@ -1,4 +1,4 @@ -.\" $NetBSD: libnpf.3,v 1.9 2019/07/23 14:18:20 wiz Exp $ +.\" $NetBSD: libnpf.3,v 1.10 2019/08/21 21:45:47 rmind Exp $ .\" .\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 14, 2019 +.Dd August 21, 2019 .Dt LIBNPF 3 .Os .Sh NAME @@ -41,7 +41,7 @@ .Ft nl_config_t * .Fn npf_config_create "void" .Ft int -.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo" +.Fn npf_config_submit "nl_config_t *ncf" "int fd" "npf_error_t *errinfo" .Ft nl_config_t * .Fn npf_config_retrieve "int fd" .Ft int 
@@ -104,6 +104,8 @@ "const npf_addr_t *addr" "const npf_netmask_t mask" .Ft int .Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl" +.Ft int +.Fn npf_table_replace "int fd" "nl_table_t *tl" "npf_error_t *errinfo" .Ft void .Fn npf_table_destroy "nl_table_t *tl" .\" - @@ -347,7 +349,9 @@ for IPv4 or for IPv6 address. Additionally, .Fa mask -may be specified to indicate the translation network. +may be specified to indicate the translation network; +otherwise, it should be set to +.Dv NPF_NO_NETMASK . In such case, a custom algorithm may need to be specified using the .Fn npf_nat_setalgo function. @@ -423,11 +427,25 @@ must be either for IPv4 or .Dv AF_INET6 for IPv6 address. +If there is no mask, then +.Fa mask +should be set to +.Dv NPF_NO_NETMASK . +.\" --- .It Fn npf_table_insert "ncf" "tl" Add the table to the configuration object. This routine performs a check for duplicate table IDs. The table must not be referenced after insertion. .\" --- +.It Fn npf_table_replace "fd" "tl" "errinfo" +Submit the table object, specified by +.Fa tl , +to the kernel, to replace the existing table with the +corresponding table name and ID. +On failure, the error information is written into the structure +specified by +.Fa errinfo . +.\" --- .It Fn npf_table_destroy "tl" Destroy the specified table. .El Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.46 src/lib/libnpf/npf.c:1.47 --- src/lib/libnpf/npf.c:1.46 Tue Jul 23 00:52:01 2019 +++ src/lib/libnpf/npf.c Wed Aug 21 21:45:47 2019 @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.46 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.47 2019/08/21 21:45:47 rmind Exp $"); #include #include 
@@ -203,6 +203,30 @@ _npf_rules_process(nl_config_t *ncf, nvl } /* + * _npf_extract_error: check the error number field and extract the + * error details into the npf_error_t structure. + */ +static int +_npf_extract_error(nvlist_t *resp, npf_error_t *errinfo) +{ + int error; + + error = dnvlist_get_number(resp, "errno", 0); + if (error && errinfo) { + memset(errinfo, 0, sizeof(npf_error_t)); + + errinfo->id = dnvlist_get_number(resp, "id", 0); + errinfo->error_msg = + dnvlist_take_string(resp, "error-msg", NULL); + errinfo->source_file = + dnvlist_take_string(resp, "source-file", NULL); + errinfo->source_line = + dnvlist_take_number(resp, "source-line", 0); + } + return error; +} + +/* * CONFIGURATION INTERFACE. */ @@ -233,17 +257,7 @@ npf_config_submit(nl_config_t *ncf, int assert(errnv == NULL); return errno; } - error = dnvlist_get_number(errnv, "errno", 0); - if (error && errinfo) { - memset(errinfo, 0, sizeof(npf_error_t)); - errinfo->id = dnvlist_get_number(errnv, "id", 0); - errinfo->error_msg = - dnvlist_take_string(errnv, "error-msg", NULL); - errinfo->source_file = - dnvlist_take_string(errnv, "source-file", NULL); - errinfo->source_line = - dnvlist_take_number(errnv, "source-line", 0); - } + error = _npf_extract_error(errnv, errinfo); nvlist_destroy(errnv); return error; } @@ -949,7 +963,7 @@
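Review bot: _npf_extract_error() in the npf.c hunk at -203,6 zeroes and fills `errinfo` only inside `if (error && errinfo)`, so on success a caller-supplied npf_error_t keeps whatever it held before the call. Doing the memset() whenever errinfo is non-NULL would let callers inspect or release the structure without first checking the return value.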
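Review bot: the new npf_table_replace entry in the libnpf.3 hunk at -423,11 says the error information is written into errinfo but states neither the return value nor who releases the strings. Since _npf_extract_error() fills error_msg and source_file with dnvlist_take_string(), ownership passes to the caller; the man page should say so and say how the caller is expected to free them.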
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Wed Aug 21 21:41:54 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c src/usr.sbin/npf/npftest/libnpftest: npf_mbuf_subr.c npf_nbuf_test.c Log Message: - npftest: fix a memleak in a unit test (standalone path only). - Minor style fixes. No functional change. To generate a diff of this commit: cvs rdiff -u -r1.60 -r1.61 src/usr.sbin/npf/npfctl/npfctl.c cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c \ src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.60 src/usr.sbin/npf/npfctl/npfctl.c:1.61 --- src/usr.sbin/npf/npfctl/npfctl.c:1.60 Thu Jul 25 00:48:55 2019 +++ src/usr.sbin/npf/npfctl/npfctl.c Wed Aug 21 21:41:53 2019 @@ -28,7 +28,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.60 2019/07/25 00:48:55 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.61 2019/08/21 21:41:53 rmind Exp $"); #include #include @@ -701,7 +701,7 @@ npfctl_open_dev(const char *path) if (kernver != NPF_VERSION) { errx(EXIT_FAILURE, "incompatible NPF interface version (%d, kernel %d)\n" - "Hint: update %s?", NPF_VERSION, kernver, + "Hint: update %s?", NPF_VERSION, kernver, kernver > NPF_VERSION ? "userland" : "kernel"); } return fd; Index: src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c:1.9 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c:1.10 --- src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c:1.9 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c Wed Aug 21 21:41:53 2019 
@@ -101,6 +101,7 @@ npfkern_m_ensure_contig(struct mbuf **m0 memcpy(dptr, m->m_data, m->m_len); dptr += m->m_len; } + npfkern_m_freem(*m0); *m0 = m1; (void)len; return true; Index: src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.9 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.10 --- src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.9 Thu Jul 25 01:18:05 2019 +++ src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c Wed Aug 21 21:41:53 2019 @@ -190,22 +190,22 @@ validate_mbuf_data(char *bufa, char *buf bool npf_nbuf_test(bool verbose) { - struct mbuf *m1, *m2; + struct mbuf *m; char *bufa, *bufb; unsigned n = 1; bool ok; while (n--) { - m1 = mbuf_random_len(MBUF_CHAIN_LEN); - bufa = mbuf_getstring(m1); - bufb = parse_nbuf_chain(m1); + m = mbuf_random_len(MBUF_CHAIN_LEN); + bufa = mbuf_getstring(m); + bufb = parse_nbuf_chain(m); ok = validate_mbuf_data(bufa, bufb); CHECK_TRUE(ok); } - m2 = mbuf_bytesize(MBUF_CHAIN_LEN); - bufa = mbuf_getstring(m2); - bufb = parse_nbuf_chain(m2); + m = mbuf_bytesize(MBUF_CHAIN_LEN); + bufa = mbuf_getstring(m); + bufb = parse_nbuf_chain(m); ok = validate_mbuf_data(bufa, bufb); CHECK_TRUE(ok);
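Review bot: in the npf_mbuf_subr.c hunk at -101,6, `npfkern_m_freem(*m0);` now releases the original chain just before `*m0 = m1;`, so any pointer a caller kept into the old chain is dangling once npfkern_m_ensure_contig() returns true. Add a comment on the function stating that it consumes the original chain on success, and check that the test callers re-fetch their data pointers from *m0 afterwards.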
CVS commit: src
Module Name:src Committed By: rmind Date: Sun Aug 11 20:26:34 UTC 2019 Modified Files: src/sys/net/npf: npf.c npf_conf.c npf_conn.h npf_ctl.c npf_handler.c npf_if.c npf_impl.h npf_inet.c npf_nat.c npf_os.c npf_params.c npf_portmap.c npf_worker.c npfkern.h src/usr.sbin/npf/npftest/libnpftest: npf_conn_test.c npf_nat_test.c npf_perf_test.c npf_rule_test.c npf_test_subr.c Log Message: Adjust some internal NPF APIs: * npfkern: use the npfk_ prefix. * NPF portmap: amend the API so it could be used elsewhere. * Make npf_connkey_t public. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf.c cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_conf.c \ src/sys/net/npf/npf_os.c cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.54 -r1.55 src/sys/net/npf/npf_ctl.c \ src/sys/net/npf/npf_inet.c cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_handler.c \ src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_if.c cvs rdiff -u -r1.75 -r1.76 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_params.c cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_portmap.c \ src/sys/net/npf/npfkern.h cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_worker.c cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npftest/libnpftest/npf_conn_test.c cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npftest/libnpftest/npf_nat_test.c cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c cvs rdiff -u -r1.17 -r1.18 \ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c cvs rdiff -u -r1.15 -r1.16 \ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.c diff -u src/sys/net/npf/npf.c:1.39 src/sys/net/npf/npf.c:1.40 --- src/sys/net/npf/npf.c:1.39 Tue Aug 6 11:40:15 2019 +++ src/sys/net/npf/npf.c Sun Aug 11 20:26:33 2019 
@@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.39 2019/08/06 11:40:15 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.40 2019/08/11 20:26:33 rmind Exp $"); #include #include @@ -49,7 +49,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.39 static __read_mostly npf_t * npf_kernel_ctx = NULL; __dso_public int -npf_sysinit(unsigned nworkers) +npfk_sysinit(unsigned nworkers) { npf_bpf_sysinit(); npf_tableset_sysinit(); @@ -58,7 +58,7 @@ npf_sysinit(unsigned nworkers) } __dso_public void -npf_sysfini(void) +npfk_sysfini(void) { npf_worker_sysfini(); npf_nat_sysfini(); @@ -67,7 +67,7 @@ npf_sysfini(void) } __dso_public npf_t * -npf_create(int flags, const npf_mbufops_t *mbufops, const npf_ifops_t *ifops) +npfk_create(int flags, const npf_mbufops_t *mbufops, const npf_ifops_t *ifops) { npf_t *npf; @@ -94,7 +94,7 @@ npf_create(int flags, const npf_mbufops_ } __dso_public void -npf_destroy(npf_t *npf) +npfk_destroy(npf_t *npf) { /* * Destroy the current configuration. Note: at this point all @@ -117,25 +117,25 @@ npf_destroy(npf_t *npf) } __dso_public int -npf_load(npf_t *npf, void *config_ref, npf_error_t *err) +npfk_load(npf_t *npf, void *config_ref, npf_error_t *err) { return npfctl_load(npf, 0, config_ref); } __dso_public void -npf_gc(npf_t *npf) +npfk_gc(npf_t *npf) { npf_conn_worker(npf); } __dso_public void -npf_thread_register(npf_t *npf) +npfk_thread_register(npf_t *npf) { pserialize_register(npf->qsbr); } __dso_public void -npf_thread_unregister(npf_t *npf) +npfk_thread_unregister(npf_t *npf) { pserialize_perform(npf->qsbr); pserialize_unregister(npf->qsbr); 
@@ -198,14 +198,14 @@ npf_stats_clear_cb(void *mem, void *arg, */ __dso_public void -npf_stats(npf_t *npf, uint64_t *buf) +npfk_stats(npf_t *npf, uint64_t *buf) { memset(buf, 0, NPF_STATS_SIZE); percpu_foreach(npf->stats_percpu, npf_stats_collect, buf); } __dso_public void -npf_stats_clear(npf_t *npf) +npfk_stats_clear(npf_t *npf) { percpu_foreach(npf->stats_percpu, npf_stats_clear_cb, NULL); } Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.13 src/sys/net/npf/npf_conf.c:1.14 --- src/sys/net/npf/npf_conf.c:1.13 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_conf.c Sun Aug 11 20:26:33 2019 @@ -47,7 +47,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.13 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.14 2019/08/11 20:26:33 rmind Exp $"); #include #include @@ -169,7 +169,7 @@ npf_config_load(npf_t *npf, npf_ruleset_ /* Synchronise: drain all references. */ pserialize_perform(npf->qsbr); if (flush) { - npf_portmap_flush(npf); + npf_portmap_flush(npf->portmap); npf_ifmap_flush(npf); } Index: src/sys/net/npf/npf_os.c diff -u src/sys/net/npf/npf_os.c:1.13 src/sys/net/npf/npf_os.c:1.14 --- src/sys/net/npf/npf_os.c:1.13 Sat
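Review bot: in the npf.c hunk at -117,25, npfk_load() keeps its `npf_error_t *err` parameter but the body is only `return npfctl_load(npf, 0, config_ref);`, so err is never written. As this commit is already changing the public npfkern names, either fill err or document that it is currently unused, so that callers do not read an uninitialised structure after a failed load.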
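Review bot: every function renamed in the npf.c hunks (npf_sysinit, npf_create, npf_destroy, npf_load, npf_gc, npf_stats and the rest) is marked `__dso_public`, so the npf_ to npfk_ change alters exported symbol names, and the visible hunks add no compatibility aliases. The log message should state that out-of-tree users of the npfkern interface must be updated, and the npfkern documentation should change in the same commit.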
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Sun Aug 11 20:25:14 UTC 2019 Modified Files: src/usr.sbin/npf: npf-params.7 Log Message: npf-params(7): add more bpf.jit details. From David H. Gutteridge. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npf-params.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf-params.7 diff -u src/usr.sbin/npf/npf-params.7:1.2 src/usr.sbin/npf/npf-params.7:1.3 --- src/usr.sbin/npf/npf-params.7:1.2 Tue Jul 23 14:24:02 2019 +++ src/usr.sbin/npf/npf-params.7 Sun Aug 11 20:25:14 2019 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf-params.7,v 1.2 2019/07/23 14:24:02 wiz Exp $ +.\" $NetBSD: npf-params.7,v 1.3 2019/08/11 20:25:14 rmind Exp $ .\" .\" Copyright (c) 2019 Mindaugas Rasiukevicius .\" All rights reserved. @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd February 26, 2019 +.Dd August 3, 2019 .Dt NPF-PARAMS 7 .Os .Sh NAME @@ -44,7 +44,13 @@ or 1 ("on"). .\" --- .Bl -tag -width "123456" .It Li bpf.jit -BPF just-in time compilation. +BPF just-in-time compilation: enables or disables +.Xr bpfjit 4 +support. +Some machine architectures are not presently supported by +.Xr bpfjit 4 . +Setting this parameter to off stops NPF from trying to enable this +functionality, and generating a warning if it is unable to do so. Default: 1. .El .\" --- @@ -121,6 +127,7 @@ set state.tcp.timeout.time_wait 0 .Sh SEE ALSO .Xr libnpf 3 , .Xr npfkern 3 , +.Xr bpfjit 4 , .Xr npf.conf 5 , .Xr pcap-filter 7 , .Xr npfctl 8
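Review bot: in the bpf.jit entry, the added sentence "Setting this parameter to off stops NPF from trying to enable this functionality, and generating a warning if it is unable to do so" can be read as saying that off causes a warning. Suggest "and from generating a warning". The text also says "off" while the context line above the list ends with `or 1 ("on")` and the entry closes with "Default: 1", so naming the numeric value alongside "off" would keep the entry consistent with the rest of the page.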
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sat Aug 10 22:23:55 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c Log Message: npfctl show/validate: fix couple bugs in multiple table/port representation. Fixes PR/54122. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28 src/usr.sbin/npf/npfctl/npf_show.c:1.29 --- src/usr.sbin/npf/npfctl/npf_show.c:1.28 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npfctl/npf_show.c Sat Aug 10 22:23:55 2019 @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013 The NetBSD Foundation, Inc. + * Copyright (c) 2013-2019 The NetBSD Foundation, Inc. * All rights reserved. * * This code is derived from software contributed to The NetBSD Foundation @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.28 2019/07/23 00:52:02 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.29 2019/08/10 22:23:55 rmind Exp $"); #include #define __FAVOR_BSD 
@@ -220,21 +220,29 @@ print_tcpflags(npf_conf_info_t *ctx __un } static char * -print_portrange(npf_conf_info_t *ctx, const uint32_t *words) +print_pbarrier(npf_conf_info_t *ctx, const uint32_t *words __unused) +{ + if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) { + ctx->flags |= SEEN_SRC; + return estrdup("from any"); + } + if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) { + ctx->flags |= SEEN_DST; + return estrdup("to any"); + } + return NULL; +} + +static char * +print_portrange(npf_conf_info_t *ctx __unused, const uint32_t *words) { u_int fport = words[0], tport = words[1]; - const char *any_str = ""; char *p; - if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) - any_str = "from any "; - if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) - any_str = "to any "; - if (fport != tport) { - easprintf(, "%sport %u:%u", any_str, fport, tport); + easprintf(, "%u-%u", fport, tport); } else { - easprintf(, "%sport %u", any_str, fport); + easprintf(, "%u", fport); } return p; } @@ -283,12 +291,14 @@ static const struct mark_keyword_mapent { BM_ICMP_CODE, "code %s", NULL, 0, print_number, 1 }, { BM_SRC_CIDR, "from %s", ", ", SEEN_SRC, print_address, 6 }, - { BM_SRC_TABLE, "from %s", NULL, SEEN_SRC, print_table, 1 }, - { BM_SRC_PORTS, "%s", ", ", 0, print_portrange,2 }, + { BM_SRC_TABLE, "from %s", ", ", SEEN_SRC, print_table, 1 }, + { BM_SRC_PORTS, "%s", NULL, 0, print_pbarrier, 2 }, + { BM_SRC_PORTS, "port %s", ", ", 0, print_portrange,2 }, { BM_DST_CIDR, "to %s", ", ", SEEN_DST, print_address, 6 }, - { BM_DST_TABLE, "to %s", NULL, SEEN_DST, print_table, 1 }, - { BM_DST_PORTS, "%s", ", ", 0, print_portrange,2 }, + { BM_DST_TABLE, "to %s", ", ", SEEN_DST, print_table, 1 }, + { BM_DST_PORTS, "%s", NULL, 0, print_pbarrier, 2 }, + { BM_DST_PORTS, "port %s", ", ", 0, print_portrange,2 }, }; static const char * __attribute__((format_arg(2))) 
@@ -314,13 +324,17 @@ scan_marks(npf_conf_info_t *ctx, const s errx(EXIT_FAILURE, "byte-code marking inconsistency"); } if (m == mk->mark) { + char *val; + /* Set the current mark and the flags. */ ctx->flags |= mk->set_flags; ctx->curmark = m; /* Value is processed by the print function. */ assert(mk->fwords == nwords); - vals[nvals++] = mk->printfn(ctx, marks); + if ((val = mk->printfn(ctx, marks)) != NULL) { +vals[nvals++] = val; + } } marks += nwords; mlen -= nwords;
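Review bot: in scan_marks(), a print function may now return NULL and the value is skipped, so nvals can remain 0 for a mark that matched. The code that joins vals[] and formats it through the entry's "%s" token is outside this hunk and needs to handle that case without emitting an empty token. A short comment on the printfn contract (NULL means nothing to print) next to the mark_keyword_mapent definition would make the new behaviour discoverable.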
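Review bot: the mark table now carries two rows each for BM_SRC_PORTS and BM_DST_PORTS, and the output is only correct if the print_pbarrier row is handled before the print_portrange row for the same mark; nothing in the hunk states that ordering dependency, so add a comment above the rows. print_portrange() also changes the range form from "%u:%u" to "%u-%u", which is worth covering with a test that feeds `npfctl show` output for a multi-port rule back through the parser.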
CVS commit: src/sys
Module Name:src Committed By: rmind Date: Sat Aug 10 21:13:54 UTC 2019 Modified Files: src/sys/net: if.h src/sys/net/npf: npf_os.c src/sys/sys: param.h Log Message: Add the ifnet_t::if_npf_private field. Bump the kernel version. Fixes PR/54098. To generate a diff of this commit: cvs rdiff -u -r1.274 -r1.275 src/sys/net/if.h cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_os.c cvs rdiff -u -r1.605 -r1.606 src/sys/sys/param.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if.h diff -u src/sys/net/if.h:1.274 src/sys/net/if.h:1.275 --- src/sys/net/if.h:1.274 Thu Jul 4 02:44:25 2019 +++ src/sys/net/if.h Sat Aug 10 21:13:54 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: if.h,v 1.274 2019/07/04 02:44:25 ozaki-r Exp $ */ +/* $NetBSD: if.h,v 1.275 2019/08/10 21:13:54 rmind Exp $ */ /*- * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc. @@ -340,6 +340,7 @@ typedef struct ifnet { struct mowner *if_mowner; /* ?: who owns mbufs for this interface */ void *if_agrprivate; /* ?: used only when #if NAGR > 0 */ + void *if_npf_private;/* ?: associated NPF context */ /* * pf specific data, used only when #if NPF > 0. Index: src/sys/net/npf/npf_os.c diff -u src/sys/net/npf/npf_os.c:1.12 src/sys/net/npf/npf_os.c:1.13 --- src/sys/net/npf/npf_os.c:1.12 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_os.c Sat Aug 10 21:13:54 2019 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.12 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.13 2019/08/10 21:13:54 rmind Exp $"); #ifdef _KERNEL_OPT #include "pf.h" @@ -313,7 +313,7 @@ npf_ifop_flush(void *arg) KERNEL_LOCK(1, NULL); IFNET_GLOBAL_LOCK(); IFNET_WRITER_FOREACH(ifp) { - ifp->if_pf_kif = arg; + ifp->if_npf_private = arg; } IFNET_GLOBAL_UNLOCK(); KERNEL_UNLOCK_ONE(NULL); 
@@ -322,13 +322,13 @@ npf_ifop_flush(void *arg) static void * npf_ifop_getmeta(const ifnet_t *ifp) { - return ifp->if_pf_kif; + return ifp->if_npf_private; } static void npf_ifop_setmeta(ifnet_t *ifp, void *arg) { - ifp->if_pf_kif = arg; + ifp->if_npf_private = arg; } #ifdef _KERNEL Index: src/sys/sys/param.h diff -u src/sys/sys/param.h:1.605 src/sys/sys/param.h:1.606 --- src/sys/sys/param.h:1.605 Sat Aug 10 02:17:36 2019 +++ src/sys/sys/param.h Sat Aug 10 21:13:54 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: param.h,v 1.605 2019/08/10 02:17:36 mrg Exp $ */ +/* $NetBSD: param.h,v 1.606 2019/08/10 21:13:54 rmind Exp $ */ /*- * Copyright (c) 1982, 1986, 1989, 1993 @@ -67,7 +67,7 @@ * 2.99.9 (299000900) */ -#define __NetBSD_Version__ 999000600 /* NetBSD 9.99.6 */ +#define __NetBSD_Version__ 999000700 /* NetBSD 9.99.7 */ #define __NetBSD_Prereq__(M,m,p) (M) * 1) + \ (m) * 100) + (p) * 100) <= __NetBSD_Version__)
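Review bot: the new `if_npf_private` member of struct ifnet carries the "?:" locking annotation, and the accessors disagree on how it is protected: npf_ifop_flush() writes it under KERNEL_LOCK and IFNET_GLOBAL_LOCK, while npf_ifop_getmeta() and npf_ifop_setmeta() read and write it with no locking visible in these hunks. Please document which lock or calling context covers the field and replace the "?" in if.h accordingly.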
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Thu Aug 8 21:29:16 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c npfctl.h Log Message: NPF: fix BPF byte-code generation for a port-range used in a group. Resolved PR/52609 and PR/54169. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.14 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Thu Aug 8 21:29:15 2019 @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. + * Copyright (c) 2010-2019 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The 
@@ -29,10 +29,60 @@ /* * BPF byte-code generation for NPF rules. + * + * Overview + * + * Each NPF rule is compiled into BPF micro-program. There is a + * BPF byte-code fragment for each higher-level filtering logic, + * e.g. to match L4 protocol, IP/mask, etc. The generation process + * combines multiple BPF-byte code fragments into one program. + * + * Basic case + * + * Consider a basic case, where all filters should match. They + * are expressed as logical conjunction, e.g.: + * + * A and B and C and D + * + * Each test (filter) criterion can be evaluated to true (match) or + * false (no match) and the logic is as follows: + * + * - If the value is true, then jump to the "next" test (offset 0). + * + * - If the value is false, then jump to the JUMP_MAGIC value (0xff). + * This "magic" value is used to indicate that it will have to be + * patched at a later stage. + * + * Once all byte-code fragments are combined into one, then there + * are two additional steps: + * + * - Two instructions are appended at the end of the program: return + * "success" followed by return "failure". + * + * - All jumps with the JUMP_MAGIC value are patched to point to the + * "return failure" instruction. + * + * Therefore, if all filter criteria will match, then the first + * instruction will be reached, indicating a successful match of the + * rule. Otherwise, if any of the criteria will not match, it will + * take the failure path and the rule will not matching. + * + * Grouping + * + * Filters can have groups, which are have a meaning of logical + * disjunction, e.g.: + * + * A and B and (C or D) + * + * In such case, the logic inside the group has to be inverted i.e. + * the jump values swapped. If the test value is true, then jump + * out of the group; if false, then jump "next". At the end of the + * group, an addition failure path is appended and the JUMP_MAGIC + * uses within the group are patched to jump past the said path. 
*/ #include -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13 2019/07/23 00:52:02 rmind Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.14 2019/08/08 21:29:15 rmind Exp $"); #include #include @@ -75,7 +125,10 @@ struct npf_bpf { sa_family_t af; uint32_t flags; - /* The current group offset and block number. */ + /* + * The current group offset (counted in BPF instructions) + * and block number at the start of the group. + */ bool ingroup; u_int goff; u_int gblock; @@ -120,6 +173,7 @@ fixup_jumps(npf_bpf_t *ctx, u_int start, for (u_int i = start; i < end; i++) { struct bpf_insn *insn = >bf_insns[i]; const u_int fail_off = end - i; + bool seen_magic = false; if (fail_off >= JUMP_MAGIC) { errx(EXIT_FAILURE, "BPF generation error: " @@ -128,15 +182,37 @@ fixup_jumps(npf_bpf_t *ctx, u_int start, if (BPF_CLASS(insn->code) != BPF_JMP) { continue; } - if (swap) { + if (BPF_OP(insn->code) == BPF_JA) { + /* + * BPF_JA can be used to jump to the failure path. + * If we are swapping i.e. inside the group, then + * jump "next"; groups have a failure path appended + * at their end. + */ + if (insn->k == JUMP_MAGIC) { +insn->k = swap ? 0 : fail_off; + } + continue; + } + + /* + * Fixup the "magic" value. Swap only the "magic" jumps. + */ + + if (insn->jt == JUMP_MAGIC) { + insn->jt = fail_off; + seen_magic = true; + } + if (insn->jf == JUMP_MAGIC) { + insn->jf = fail_off; + seen_magic = true; + } + + if (seen_magic && swap) { uint8_t jt = insn->jt; insn->jt = insn->jf; insn->jf = jt; } - if (insn->jt == JUMP_MAGIC) - insn->jt = fail_off; - if (insn->jf == JUMP_MAGIC) - insn->jf = fail_off; } } @@ -225,11 +301,11 @@ npfctl_bpf_destroy(npf_bpf_t *ctx) } /* - * npfctl_bpf_group: begin a logical group. It merely uses logical + *
CVS commit: src/usr.sbin/npf/npftest/libnpftest
Module Name:src Committed By: rmind Date: Thu Jul 25 01:18:06 UTC 2019 Modified Files: src/usr.sbin/npf/npftest/libnpftest: npf_nbuf_test.c Log Message: npftest: fix double-free in npf_nbuf_test(). To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.8 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.9 --- src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.8 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c Thu Jul 25 01:18:05 2019 @@ -201,7 +201,6 @@ npf_nbuf_test(bool verbose) bufb = parse_nbuf_chain(m1); ok = validate_mbuf_data(bufa, bufb); CHECK_TRUE(ok); - m_freem(m1); } m2 = mbuf_bytesize(MBUF_CHAIN_LEN); @@ -209,7 +208,6 @@ npf_nbuf_test(bool verbose) bufb = parse_nbuf_chain(m2); ok = validate_mbuf_data(bufa, bufb); CHECK_TRUE(ok); - m_freem(m2); (void)verbose; return true;
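Review bot: with both m_freem() calls removed from npf_nbuf_test(), nothing at these call sites shows who releases m1 and m2, and a later reader could reasonably put the frees back. Add a one-line comment at each `parse_nbuf_chain()` call, or at the definition of whichever callee takes ownership, stating where the chain is consumed.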
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Thu Jul 25 01:00:28 UTC 2019 Modified Files: src/sys/net/npf: npf_portmap.c Log Message: npf_portmap_flush: remove invalid assert (this routine can be called via the npf_destroy() path where the constraint is not applicable). To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npf_portmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_portmap.c diff -u src/sys/net/npf/npf_portmap.c:1.2 src/sys/net/npf/npf_portmap.c:1.3 --- src/sys/net/npf/npf_portmap.c:1.2 Tue Jul 23 08:25:52 2019 +++ src/sys/net/npf/npf_portmap.c Thu Jul 25 01:00:28 2019 @@ -35,7 +35,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.3 2019/07/25 01:00:28 rmind Exp $"); #include #include @@ -461,8 +461,6 @@ npf_portmap_flush(npf_t *npf) npf_portmap_t *pm = npf->portmap; bitmap_t *bm; - KASSERT(npf_config_locked_p(npf)); - while ((bm = LIST_FIRST(>bitmap_list)) != NULL) { for (unsigned i = 0; i < PORTMAP_L0_WORDS; i++) { uintptr_t bm1 = bm->bits0[i];
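Review bot: removing `KASSERT(npf_config_locked_p(npf))` from npf_portmap_flush() also drops the check on the path where the constraint does apply; the log message only says it is not applicable when called via npf_destroy(). Consider asserting in the caller that must hold the config lock, or replace the assert with a comment naming the two call paths and which of them holds the lock.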
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Thu Jul 25 00:48:55 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf_build.c npfctl.c Log Message: npfctl: fix the bpf.jit parameter handling. To generate a diff of this commit: cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.49 src/usr.sbin/npf/npfctl/npf_build.c:1.50 --- src/usr.sbin/npf/npfctl/npf_build.c:1.49 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npfctl/npf_build.c Thu Jul 25 00:48:55 2019 @@ -32,7 +32,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.49 2019/07/23 00:52:02 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.50 2019/07/25 00:48:55 rmind Exp $"); #include #define __FAVOR_BSD @@ -969,6 +969,7 @@ npfctl_setparam(const char *name, int va { if (strcmp(name, "bpf.jit") == 0) { npfctl_bpfjit(val != 0); + return; } if (npf_param_set(npf_conf, name, val) != 0) { yyerror("invalid parameter `%s` or its value", name); Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.59 src/usr.sbin/npf/npfctl/npfctl.c:1.60 --- src/usr.sbin/npf/npfctl/npfctl.c:1.59 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npfctl/npfctl.c Thu Jul 25 00:48:55 2019 @@ -28,7 +28,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.59 2019/07/23 00:52:02 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.60 2019/07/25 00:48:55 rmind Exp $"); #include #include @@ -231,7 +231,7 @@ npfctl_print_error(const npf_error_t *ne const char *srcfile = ne->source_file; if (ne->error_msg) { - warnx("%s", ne->error_msg); + errx(EXIT_FAILURE, "%s", ne->error_msg); } if (srcfile) { warnx("source %s line %d", srcfile, ne->source_line);
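Review bot: in npfctl_print_error(), changing `warnx("%s", ne->error_msg)` to `errx(EXIT_FAILURE, "%s", ne->error_msg)` makes the process exit before the following `if (srcfile)` block runs, so the "source %s line %d" diagnostic is never printed when error_msg is set. Print the source location first, or keep warnx() here and exit once all diagnostics are out.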
CVS commit: src
Module Name:src Committed By: rmind Date: Thu Jul 25 00:02:56 UTC 2019 Modified Files: src/distrib/sets/lists/man: mi src/usr.sbin/npf: Makefile Log Message: Install the npf-params(7) man page. To generate a diff of this commit: cvs rdiff -u -r1.1648 -r1.1649 src/distrib/sets/lists/man/mi cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/distrib/sets/lists/man/mi diff -u src/distrib/sets/lists/man/mi:1.1648 src/distrib/sets/lists/man/mi:1.1649 --- src/distrib/sets/lists/man/mi:1.1648 Wed Jun 12 09:03:32 2019 +++ src/distrib/sets/lists/man/mi Thu Jul 25 00:02:56 2019 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1648 2019/06/12 09:03:32 mrg Exp $ +# $NetBSD: mi,v 1.1649 2019/07/25 00:02:56 rmind Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -2317,6 +2317,7 @@ ./usr/share/man/cat7/msafer.0 man-obsolete obsolete ./usr/share/man/cat7/nls.0 man-reference-catman .cat ./usr/share/man/cat7/npf.0 man-npf-catman .cat,npf +./usr/share/man/cat7/npf-params.0 man-npf-catman .cat,npf ./usr/share/man/cat7/orders.0 man-reference-catman .cat ./usr/share/man/cat7/packages.0 man-obsolete obsolete ./usr/share/man/cat7/pcap-filter.0 man-netutil-catman .cat @@ -5383,6 +5384,7 @@ ./usr/share/man/html7/module.html man-reference-htmlman html ./usr/share/man/html7/nls.html man-reference-htmlman html ./usr/share/man/html7/npf.html man-npf-htmlman html,npf +./usr/share/man/html7/npf-params.html man-npf-htmlman html,npf ./usr/share/man/html7/orders.html man-reference-htmlman html ./usr/share/man/html7/pcap-filter.html man-netutil-htmlman html ./usr/share/man/html7/pcap-linktype.html man-netutil-htmlman html 
@@ -8424,6 +8426,7 @@ ./usr/share/man/man7/msafer.7 man-obsolete obsolete ./usr/share/man/man7/nls.7 man-reference-man .man ./usr/share/man/man7/npf.7 man-npf-man .man,npf +./usr/share/man/man7/npf-params.7 man-npf-man .man,npf ./usr/share/man/man7/orders.7 man-reference-man .man ./usr/share/man/man7/packages.7 man-obsolete obsolete ./usr/share/man/man7/pcap-filter.7 man-netutil-man .man Index: src/usr.sbin/npf/Makefile diff -u src/usr.sbin/npf/Makefile:1.6 src/usr.sbin/npf/Makefile:1.7 --- src/usr.sbin/npf/Makefile:1.6 Sat Jan 7 17:27:02 2017 +++ src/usr.sbin/npf/Makefile Thu Jul 25 00:02:55 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.6 2017/01/07 17:27:02 christos Exp $ +# $NetBSD: Makefile,v 1.7 2019/07/25 00:02:55 rmind Exp $ .include @@ -8,7 +8,7 @@ SUBDIR= npfctl npfd SUBDIR+= npftest .endif -MAN= npf.7 +MAN= npf.7 npf-params.7 .include .include
CVS commit: src/sys/modules/npf
Module Name:src Committed By: rmind Date: Wed Jul 24 23:49:08 UTC 2019 Modified Files: src/sys/modules/npf: Makefile Log Message: Update the NPF kernel module Makefile. Missed in the previous commit. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/sys/modules/npf/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/modules/npf/Makefile diff -u src/sys/modules/npf/Makefile:1.23 src/sys/modules/npf/Makefile:1.24 --- src/sys/modules/npf/Makefile:1.23 Sun Feb 17 04:05:55 2019 +++ src/sys/modules/npf/Makefile Wed Jul 24 23:49:08 2019 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.23 2019/02/17 04:05:55 rin Exp $ +# $NetBSD: Makefile,v 1.24 2019/07/24 23:49:08 rmind Exp $ # # Public Domain. # @@ -11,9 +11,11 @@ KMOD= npf IOCONF= npf.ioconf SRCS= npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c SRCS+= npf_bpf.c npf_if.c npf_inet.c npf_mbuf.c npf_nat.c -SRCS+= npf_ruleset.c npf_conn.c npf_conndb.c npf_rproc.c +SRCS+= npf_params.c npf_ruleset.c npf_rproc.c +SRCS+= npf_conn.c npf_conndb.c npf_connkey.c npf_portmap.c SRCS+= npf_state.c npf_state_tcp.c npf_tableset.c -SRCS+= lpm.c npf_sendpkt.c npf_worker.c npf_ifaddr.c npf_os.c +SRCS+= lpm.c npf_sendpkt.c npf_worker.c npf_os.c npf_ifaddr.c + SRCS+= nvlist.c nvpair.c nv_kern_netbsd.c dnvlist.c CPPFLAGS+= -DINET6
CVS commit: src/sys/net/npf
Module Name:src Committed By: rmind Date: Tue Jul 23 08:25:52 UTC 2019 Modified Files: src/sys/net/npf: npf_portmap.c Log Message: NPF portmap: add a workaround for archs without 64-bit CAS. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_portmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_portmap.c diff -u src/sys/net/npf/npf_portmap.c:1.1 src/sys/net/npf/npf_portmap.c:1.2 --- src/sys/net/npf/npf_portmap.c:1.1 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_portmap.c Tue Jul 23 08:25:52 2019 @@ -35,7 +35,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.1 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $"); #include #include @@ -106,6 +106,8 @@ typedef struct { int max_port; } npf_portmap_params_t; +static kmutex_t portmap_lock; + void npf_portmap_init(npf_t *npf) { @@ -130,6 +132,8 @@ npf_portmap_init(npf_t *npf) npf->portmap = kmem_zalloc(sizeof(npf_portmap_t), KM_SLEEP); mutex_init(>portmap->list_lock, MUTEX_DEFAULT, IPL_SOFTNET); npf->portmap->addr_map = thmap_create(0, NULL, THMAP_NOCOPY); + + mutex_init(_lock, MUTEX_DEFAULT, IPL_SOFTNET); } void @@ -146,10 +150,31 @@ npf_portmap_fini(npf_t *npf) thmap_destroy(pm->addr_map); mutex_destroy(>list_lock); kmem_free(pm, sizeof(npf_portmap_t)); + + mutex_destroy(_lock); } / +#if defined(_LP64) +#define __npf_atomic_cas_64 atomic_cas_64 +#else +static uint64_t +__npf_atomic_cas_64(volatile uint64_t *ptr, uint64_t old, uint64_t new) +{ + uint64_t prev; + + mutex_enter(_lock); + prev = *ptr; + if (prev == old) { + *ptr = new; + } + mutex_exit(_lock); + + return prev; +} +#endif + /* * bitmap_word_isset: test whether the bit value is in the packed array. * 
@@ -283,7 +308,7 @@ again: */ if ((nval = bitmap_word_cax(bval, -1, chunk_bit)) != 0) { KASSERT((nval & PORTMAP_L1_TAG) == 0); - if (atomic_cas_64(>bits0[i], bval, nval) != bval) { + if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) { goto again; } return true; @@ -315,7 +340,7 @@ again: bm1p = (uintptr_t)bm1; KASSERT((bm1p & PORTMAP_L1_TAG) == 0); bm1p |= PORTMAP_L1_TAG; - if (atomic_cas_64(>bits0[i], bval, bm1p) != bval) { + if (__npf_atomic_cas_64(>bits0[i], bval, bm1p) != bval) { kmem_intr_free(bm1, sizeof(bitmap_l1_t)); goto again; } @@ -332,7 +357,7 @@ again: return false; } nval = oval | b; - if (atomic_cas_64(>bits1[i], oval, nval) != oval) { + if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) { goto again; } return true; @@ -356,7 +381,7 @@ again: } nval = bitmap_word_cax(bval, chunk_bit, chunk_bit); KASSERT((nval & PORTMAP_L1_TAG) == 0); - if (atomic_cas_64(>bits0[i], bval, nval) != bval) { + if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) { goto again; } return true; @@ -372,7 +397,7 @@ again: return false; } nval = oval & ~b; - if (atomic_cas_64(>bits1[i], oval, nval) != oval) { + if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) { goto again; } return true;
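Review bot: `portmap_lock` is a single file-scope mutex, yet it is initialised in npf_portmap_init() and destroyed in npf_portmap_fini(), both of which take an `npf_t *` and so run per instance. If more than one NPF instance can exist, the second init re-initialises a live mutex and the first fini destroys a lock the other instance still uses. Move the lock into npf_portmap_t next to list_lock, or initialise it once at subsystem init.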
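Review bot: the non-_LP64 `__npf_atomic_cas_64()` is atomic only with respect to other callers of the same function. The 64-bit values that end up in bval and oval are loaded from bits0[i] and bits1[i] outside portmap_lock, so on a 32-bit CPU those loads can be torn against a concurrent update. The retry loop may make that harmless, but the fallback should say so in a comment, or the reads should go through a helper that takes the same lock.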
CVS commit: src
Module Name: src
Committed By: rmind
Date: Tue Jul 23 00:52:02 UTC 2019

Modified Files:
src/lib/libnpf: libnpf.3 npf.c npf.h
src/sys/net/npf: files.npf npf.c npf.h npf_alg.c npf_alg_icmp.c npf_conf.c npf_conn.c npf_conn.h npf_conndb.c npf_ctl.c npf_handler.c npf_impl.h npf_inet.c npf_nat.c npf_os.c npf_rproc.c npf_ruleset.c npf_state.c npf_state_tcp.c npf_tableset.c npfkern.h
src/sys/rump/net/lib/libnpf: Makefile
src/usr.sbin/npf/npfctl: npf.conf.5 npf_bpf_comp.c npf_build.c npf_parse.y npf_scan.l npf_show.c npfctl.c npfctl.h
src/usr.sbin/npf/npftest: npfstream.c npftest.c npftest.conf
src/usr.sbin/npf/npftest/libnpftest: npf_bpf_test.c npf_conn_test.c npf_mbuf_subr.c npf_nat_test.c npf_nbuf_test.c npf_perf_test.c npf_rule_test.c npf_state_test.c npf_table_test.c npf_test.h npf_test_subr.c
Added Files:
src/sys/net/npf: npf_connkey.c npf_params.c npf_portmap.c
src/usr.sbin/npf: npf-params.7

Log Message:
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.

To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.45 -r1.46 src/lib/libnpf/npf.c
cvs rdiff -u -r1.35 -r1.36 src/lib/libnpf/npf.h
cvs rdiff -u -r1.21 -r1.22 src/sys/net/npf/files.npf \
    src/sys/net/npf/npf_state.c
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf.c
cvs rdiff -u -r1.59 -r1.60 src/sys/net/npf/npf.h
cvs rdiff -u -r1.19 -r1.20 src/sys/net/npf/npf_alg.c \
    src/sys/net/npf/npf_state_tcp.c
cvs rdiff -u -r1.31 -r1.32 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.26 -r1.27 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_conndb.c
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/npf_connkey.c \
    src/sys/net/npf/npf_params.c src/sys/net/npf/npf_portmap.c
cvs rdiff -u -r1.53 -r1.54 src/sys/net/npf/npf_ctl.c \
    src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf_handler.c \
    src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.74 -r1.75 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_tableset.c
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npfkern.h
cvs rdiff -u -r1.26 -r1.27 src/sys/rump/net/lib/libnpf/Makefile
cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npf-params.7
cvs rdiff -u -r1.86 -r1.87 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npf_build.c \
    src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/npf/npfctl/npf_show.c
cvs rdiff -u -r1.58 -r1.59 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/npfstream.c
cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npftest/npftest.c
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npftest/npftest.conf
cvs rdiff -u -r1.10 -r1.11 src/usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c
cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npftest/libnpftest/npf_conn_test.c
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c \
    src/usr.sbin/npf/npftest/libnpftest/npf_state_test.c
cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npftest/libnpftest/npf_nat_test.c \
    src/usr.sbin/npf/npftest/libnpftest/npf_table_test.c
cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c \
    src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c
cvs rdiff -u -r1.16 -r1.17 \
    src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/npf/npftest/libnpftest/npf_test.h
cvs rdiff -u -r1.14 -r1.15 \
    src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/external/bsd/libnv/dist
Module Name: src
Committed By: rmind
Date: Tue Jul 23 00:49:16 UTC 2019

Modified Files:
src/sys/external/bsd/libnv/dist: nv.h nvlist.c nvpair.c

Log Message:
- nvpair_create_stringf: use the in-kernel vasprintf().
- Make nvlist_add_stringf() available in the kernel.

To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/external/bsd/libnv/dist/nv.h
cvs rdiff -u -r1.7 -r1.8 src/sys/external/bsd/libnv/dist/nvlist.c
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Modified files: Index: src/sys/external/bsd/libnv/dist/nv.h diff -u src/sys/external/bsd/libnv/dist/nv.h:1.2 src/sys/external/bsd/libnv/dist/nv.h:1.3 --- src/sys/external/bsd/libnv/dist/nv.h:1.2 Sat Sep 8 14:02:15 2018 +++ src/sys/external/bsd/libnv/dist/nv.h Tue Jul 23 00:49:16 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nv.h,v 1.2 2018/09/08 14:02:15 christos Exp $ */ +/* $NetBSD: nv.h,v 1.3 2019/07/23 00:49:16 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause 
@@ -152,9 +152,7 @@ void nvlist_add_bool(nvlist_t *nvl, cons void nvlist_add_number(nvlist_t *nvl, const char *name, uint64_t value); void nvlist_add_string(nvlist_t *nvl, const char *name, const char *value); void nvlist_add_stringf(nvlist_t *nvl, const char *name, const char *valuefmt, ...) __printflike(3, 4); -#if !defined(_KERNEL) || defined(_VA_LIST_DECLARED) void nvlist_add_stringv(nvlist_t *nvl, const char *name, const char *valuefmt, va_list valueap) __printflike(3, 0); -#endif void nvlist_add_nvlist(nvlist_t *nvl, const char *name, const nvlist_t *value); void nvlist_add_binary(nvlist_t *nvl, const char *name, const void *value, size_t size); void nvlist_add_bool_array(nvlist_t *nvl, const char *name, const bool *value, size_t nitems); Index: src/sys/external/bsd/libnv/dist/nvlist.c diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.7 src/sys/external/bsd/libnv/dist/nvlist.c:1.8 --- src/sys/external/bsd/libnv/dist/nvlist.c:1.7 Tue Feb 12 12:49:23 2019 +++ src/sys/external/bsd/libnv/dist/nvlist.c Tue Jul 23 00:49:16 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $ */ +/* $NetBSD: nvlist.c,v 1.8 2019/07/23 00:49:16 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -36,7 +36,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $"); #else -__RCSID("$NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $"); +__RCSID("$NetBSD: nvlist.c,v 1.8 2019/07/23 00:49:16 rmind Exp $"); #endif #include 
@@ -1507,7 +1507,7 @@ nvlist_add_nvpair(nvlist_t *nvl, const n nvpair_insert(>nvl_head, newnvp, nvl); } -#if !defined(_KERNEL) && !defined(_STANDALONE) && !defined(__NetBSD__) +#if !defined(_STANDALONE) void nvlist_add_stringf(nvlist_t *nvl, const char *name, const char *valuefmt, ...) { Index: src/sys/external/bsd/libnv/dist/nvpair.c diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.6 src/sys/external/bsd/libnv/dist/nvpair.c:1.7 --- src/sys/external/bsd/libnv/dist/nvpair.c:1.6 Fri Feb 15 22:49:24 2019 +++ src/sys/external/bsd/libnv/dist/nvpair.c Tue Jul 23 00:49:16 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $ */ +/* $NetBSD: nvpair.c,v 1.7 2019/07/23 00:49:16 rmind Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD @@ -36,7 +36,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $"); #else -__RCSID("$NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $"); +__RCSID("$NetBSD: nvpair.c,v 1.7 2019/07/23 00:49:16 rmind Exp $"); #endif #include @@ -1191,7 +1191,7 @@ nvpair_name(const nvpair_t *nvp) return (nvp->nvp_name); } -#if !defined(_KERNEL) && !defined(_STANDALONE) && !defined(__NetBSD__) +#if !defined(_STANDALONE) nvpair_t * nvpair_create_stringf(const char *name, const char *valuefmt, ...) { @@ -1212,7 +1212,7 @@ nvpair_create_stringv(const char *name, char *str; int len; - len = nv_vasprintf(, valuefmt, valueap); + len = vasprintf(, valuefmt, valueap); if (len < 0) return (NULL); nvp = nvpair_create_string(name, str);
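Review bot: In the nv.h hunk at @@ -152,9 +152,7 @@, removing the "#if !defined(_KERNEL) || defined(_VA_LIST_DECLARED)" guard means the nvlist_add_stringv() prototype now uses va_list in every kernel build, so a kernel file that includes nv.h before va_list is declared will no longer compile. Either have nv.h bring in the va_list declaration itself for the _KERNEL case, or document the include-order requirement next to the prototype.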
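Review bot: In the nvlist.c hunk at @@ -1507,7 +1507,7 @@, the new condition "#if !defined(_STANDALONE)" drops "!defined(__NetBSD__)" together with "!defined(_KERNEL)", so nvlist_add_stringf() is now also built for NetBSD userland, which the log message (kernel only) does not mention. If that is intended, say so in the log message; the same applies to nvpair_create_stringf() in the nvpair.c hunk at @@ -1191,7 +1191,7 @@.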
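Review bot: In the nvpair.c hunk at @@ -1212,7 +1212,7 @@, nvpair_create_stringv() now takes its buffer from vasprintf() instead of the nv_vasprintf() wrapper, but the visible context stops at nvpair_create_string(name, str) and does not show how str is released. Check that the release call further down matches the allocator the in-kernel vasprintf() uses, and that nothing is left allocated on the "len < 0" return.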
Re: CVS commit: src/sys/external/bsd/libnv/dist
Martin Husemann wrote:
> Can you try this patch?
>
> rmind: can you *please* run the tests before committing such changes?
> That would have immediately caught this.

Well, I did run libnv tests as well as NPF tests and they both passed, just not on NetBSD. :) Turns out NetBSD libnv and Github libnv code bases deviated a little bit, causing a bug in NetBSD (but not upstream). Anyway, I committed the fix.

As for the NetBSD tests: it takes forever to recompile and rerun them, so it is not really practical for me.

--
Mindaugas
Re: CVS commit: src/sys/net/npf
"Maxime Villard" wrote:
> Module Name: src
> Committed By: maxv
> Date: Fri Dec 15 21:00:26 UTC 2017
>
> Modified Files:
> src/sys/net/npf: npf.h
>
> Log Message:
> Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
> bypass a certain number of filtering rules.
>
> Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
> 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
> has large extensions.

Thanks for discovering and fixing this. I think this is the first serious remote vulnerability in NPF, although limited to IPv6 only.

> Fix this by using uint32_t. While here, it seems to me there is also a
> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
> a value that goes beyond the mbuf.

A minor aspect, but promoting npf_hlen to uint32_t results in wasteful padding in the struct, so it is better to re-order the struct members in this case.

If the npc_hlen value is beyond the packet length, NPF's nbuf interface will catch that, since it performs the bounds check. However, I think we should implement some sanity check for the npc_hlen value. RFC 7112 suggests that the IPv6 header chain should not exceed the MTU size (and thus fit in the first fragment, in case of fragmentation). Some value along these lines could be the basis for a sanity check..

--
Mindaugas
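The 8-bit wrap from the quoted log message and the kind of sanity check suggested in the reply, as an added example that is not NPF code and not part of either mail: hlen_walk_u8() keeps the header-chain length in 8 bits, hlen_walk_checked() keeps it in 32 bits, bounds-checks each extension header against the packet and caps the chain. All function names, the constructed sample packets and the cap of 1280 bytes (the IPv6 minimum MTU, chosen here as one possible value) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN	40u	/* fixed IPv6 header */
#define HLEN_CAP	1280u	/* assumed sanity cap: IPv6 minimum MTU */
#define NH_TCP		6
#define NH_DSTOPTS	60

/* Hop-by-hop (0), routing (43), destination options (60): generic layout. */
static int
is_ext(uint8_t nh)
{
	return nh == 0 || nh == 43 || nh == NH_DSTOPTS;
}

/*
 * Constructed sample: IPv6 header, n_ext destination-options headers with
 * Hdr Ext Len = ext_len (zero bytes are Pad1 options), then 20 zero bytes
 * standing in for a TCP header.  Returns the length, or 0 if it won't fit.
 */
static size_t
make_sample(uint8_t *buf, size_t cap, unsigned n_ext, uint8_t ext_len)
{
	const size_t elen = ((size_t)ext_len + 1) * 8;
	const size_t total = IP6_HDRLEN + n_ext * elen + 20;
	size_t off = IP6_HDRLEN;

	if (total > cap || total - IP6_HDRLEN > 0xffff)
		return 0;
	memset(buf, 0, total);
	buf[0] = 0x60;					/* version 6 */
	buf[4] = (uint8_t)((total - IP6_HDRLEN) >> 8);	/* payload length */
	buf[5] = (uint8_t)(total - IP6_HDRLEN);
	buf[6] = n_ext ? NH_DSTOPTS : NH_TCP;
	for (unsigned i = 0; i < n_ext; i++, off += elen) {
		buf[off] = (i + 1 < n_ext) ? NH_DSTOPTS : NH_TCP;
		buf[off + 1] = ext_len;
	}
	return total;
}

/* "Before": the chain length is kept in 8 bits and wraps modulo 256. */
static uint8_t
hlen_walk_u8(const uint8_t *pkt, size_t len, uint8_t *proto)
{
	uint8_t hlen = IP6_HDRLEN, nh = 0xff;
	size_t off = IP6_HDRLEN;	/* true offset, used only for safe reads */

	if (len >= IP6_HDRLEN)
		nh = pkt[6];
	while (is_ext(nh) && off + 2 <= len) {
		const size_t elen = ((size_t)pkt[off + 1] + 1) * 8;
		nh = pkt[off];
		hlen = (uint8_t)(hlen + elen);
		off += elen;
	}
	*proto = nh;
	return hlen;
}

/*
 * "After": 32-bit length, every header must lie inside the packet and the
 * whole chain must stay within HLEN_CAP.  Returns 0 on success, else -1.
 */
static int
hlen_walk_checked(const uint8_t *pkt, size_t len, uint32_t *hlen, uint8_t *proto)
{
	uint32_t off = IP6_HDRLEN;
	uint8_t nh;

	if (len < IP6_HDRLEN)
		return -1;
	nh = pkt[6];
	while (is_ext(nh)) {
		uint32_t elen;

		if (len - off < 2)
			return -1;		/* truncated extension header */
		elen = ((uint32_t)pkt[off + 1] + 1) * 8;
		if (elen > len - off || off + elen > HLEN_CAP)
			return -1;		/* beyond the packet or the cap */
		nh = pkt[off];
		off += elen;
	}
	*hlen = off;
	*proto = nh;
	return 0;
}

int
main(void)
{
	static uint8_t buf[4096];
	uint8_t proto;
	uint32_t hlen = 0;
	size_t n = make_sample(buf, sizeof(buf), 1, 26);	/* 40 + 216 */

	printf("8-bit walk:  hlen=%u\n", (unsigned)hlen_walk_u8(buf, n, &proto));
	printf("32-bit walk: rc=%d ", hlen_walk_checked(buf, n, &hlen, &proto));
	printf("hlen=%u proto=%u\n", (unsigned)hlen, (unsigned)proto);
	n = make_sample(buf, sizeof(buf), 1, 255);		/* 40 + 2048 */
	printf("over cap:    rc=%d\n", hlen_walk_checked(buf, n, &hlen, &proto));
	return 0;
}
```

A filter that trusts the 8-bit value would look for the transport header at the wrong offset; the checked walk either returns the true offset or rejects the packet.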
Re: CVS commit: src/sys/net80211
Hi,

David Young wrote:
> On Tue, Jan 16, 2018 at 08:39:29AM +, Maxime Villard wrote:
> > Module Name: src
> > Committed By: maxv
> > Date: Tue Jan 16 08:39:29 UTC 2018
> >
> > Modified Files:
> > src/sys/net80211: ieee80211_input.c
> >
> > ...
>
> IMO, changes like this are important and overdue, however, do keep in
> mind the provenance of this code: NetBSD -> FreeBSD.
>
> Maybe you have written off ever re-synching with FreeBSD? If so, do
> you have a plan for integrating useful features like virtual stations
> independently of their code?

I can just echo this part. It is completely unrealistic that NetBSD can maintain its own 802.11 stack these days. A better approach would be to sync the code with FreeBSD and treat it as an upstream, trying to merge the fixes back there. Not sure if diverging will help syncing the code.

IMO, 802.11n (and there is some FreeBSD code for 802.11ac) is much more useful feature, as it would allow NetBSD users to use decent WiFi speeds. Currently supported throughput is pretty miserable for these days..

--
Mindaugas
Re: CVS commit: src/sys
Alex,

Alexander Nasonov al...@yandex.ru wrote:
> Lourival Pereira Vieira Neto wrote:
> > Module Name: src
> > Committed By: lneto
> > Date: Sat Jul 19 17:13:22 UTC 2014
> >
> > Modified Files:
> > src/sys/modules/lua: lua.c
> > src/sys/sys: lua.h
> >
> > Log Message:
> > lua(4): added support for running Lua scripts in intr context
>
> Please revert this. You can't make a mechanical change (s/kmem_/kmem_intr_/g and so on) to enable lua in softintr context. You need to design it. What if GC kicks-in in softintr? What if the code tries to load a chunk of new code in softintr? And there are other questions.

I have explained to Lourival that softint context is a very constrained environment and he should seek for a better design, e.g. have per-CPU Lua state while keeping such Lua programs mostly stateless and sharing no global state. Ideally, we should have deterministic behaviour and memory pre-allocation with such programs (whether it is Lua or not). This is tricky with Lua, but I think he understands the implications and issues.

The change is more of an initial step to (inefficiently) support the capability. Meanwhile, those interested can research and experiment with NPF+Lua. Such use of Lua is not really meant to be production-ready at this point.

--
Mindaugas
Re: CVS commit: src/sys
David Holland dholland-sourcechan...@netbsd.org wrote:
> On Tue, Jul 01, 2014 at 10:16:02AM +, Ryota Ozaki wrote:
> > Log Message:
> > Lock IFQ operations when NET_MPSAFE
> >
> > - Introduce NET_MPSAFE - not defined by default
>
> If it compiles (and is expected to continue to compile) please add it to ALL.

While it is okay for now, I think this knob should be only for the short term (i.e. only for transitional period while making changes to the APIs).

--
Mindaugas
Re: CVS commit: src/sys/sys
Tyler R. Retzlaff r...@netbsd.org wrote:
> Module Name: src
> Committed By: rtr
> Date: Tue Jul 1 13:25:21 UTC 2014
>
> Modified Files:
> src/sys/sys: param.h
>
> Log Message:
> Bump to version 6.99.45 for removal of struct lwp * parameter from pr_ioctl

I do not think there is much point in doing this. The protocols are not really modular yet (no risk of breaking ABI) nor this interface is exposed to userland. So, technically you can bump the version, but practically it is useless.

--
Mindaugas
Re: CVS commit: src/sys
Paul Goyette p...@whooppee.com wrote:
> On Sun, 18 May 2014, Mindaugas Rasiukevicius wrote:
> > snip
> > Log Message:
> > Add struct pr_usrreqs with a pr_generic function and prepare for the dismantling of pr_usrreq in the protocols; no functional change intended. PRU_ATTACH/PRU_DETACH changes will follow soon.
> >
> > Bump for struct protosw. Welcome to 6.99.62!
>
> 6.99.62? or 6.99.42?

Heh. It is 6.99.42 (the one it should be).

--
Mindaugas
Re: CVS commit: src/sys
Nick Hudson sk...@netbsd.org wrote:
> Module Name: src
> Committed By: skrll
> Date: Thu Mar 20 06:48:54 UTC 2014
>
> Modified Files:
> src/sys/arch/arm/ixp12x0: ixp12x0_intr.c
> src/sys/arch/arm/xscale: ixp425_if_npe.c ixp425_npe.c ixp425_npevar.h
> src/sys/arch/xen/include: xbdvar.h
> src/sys/coda: coda_vnops.c
> src/sys/dev/mca: ed_mca.c edc_mca.c edvar.h
> src/sys/dev/pci: cy82c693.c
> src/sys/dev/pci/cxgb: cxgb_osdep.h
> src/sys/net: if_tap.c if_tun.c
>
> Log Message:
> Mechanically replace simplelock with kmutex_t.

That is great! Thanks.

--
Mindaugas
Re: CVS commit: src/sys/miscfs/genfs
Taylor R Campbell campbell+netbsd-source-change...@mumble.net wrote:
>    Date: Wed, 12 Mar 2014 16:16:32 +0200
>    From: Jukka Ruohonen jruoho...@iki.fi
>
>    On Wed, Mar 12, 2014 at 09:39:23AM +, Juergen Hannken-Illjes wrote:
>    > Restructure layer_lock() to always lock before testing for dead node.
>    > Use ISSET() to test flags, add assertions.
>
>    As I wrote in the manual page, I'd rather see ISSET(3) et. al. disappear, i.e. these obscure rather than clarify...
>
> I disagree. Phrases like `(vp->v_iflag & (VI_XLOCK | VI_CLEAN)) == 0' make my head's parser stumble -- there are just enough complements to juggle that it overwhelms my brain registers for the fast path. I'd rather read `!ISSET(vp->v_iflag, (VI_XLOCK | VI_CLEAN))'.

I disagree. For kernel developers, that kind of bitwise arithmetics and masking ought to be intuitive. If there is more logic and it gets long, then separate it:

	const bool foobar = (mask & (FOO | BAR)) == 0;
	const bool baz = (mask & BAZ) != 0;

	if (foobar && baz)
		...

ISSET() is somewhat okay (although I do not use it), but I particularly dislike __BIT() as I forget whether the 1st bit is n = 0 or whether this API tries to be fancy and it is n = 1. 1U << n is just straightforward.

--
Mindaugas
Re: CVS commit: src
J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
> > I have not had time to follow your VFS changes, but can you explain why did you remove VOP_LOCK/VOP_UNLOCK in tmpfs_reclaim()? It was added to prevent from the racy access of tn_links.
>
> Hopefully a vnode lock is needed to access tn_links -- otherwise the VOP_LOCK/UNLOCK in tmpfs_reclaim() didn't protect it ...

Yes, tn_links is modified with the vnode lock held. Unlocked access in VOP_RECLAIM() racing with the release of the last reference, used to cause crashes due to premature reclamation attempts. Given that VOP_LOCK() acquires the vnode node, can you explain why this didn't protect it?

> As this commit prevents other threads from obtaining a lock while VOP_RECLAIM() is running the protection should be the same as before.

You mean VOP_RECLAIM() is now called with the vnode lock held? Can you please add an assert in tmpfs_reclaim() which demonstrates that? Thanks.

--
Mindaugas
Re: CVS commit: src/sys/fs/tmpfs
J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
> On Jan 8, 2014, at 5:11 PM, pedro martelletto pe...@netbsd.org wrote:
> > Module Name: src
> > Committed By: pedro
> > Date: Wed Jan 8 16:11:04 UTC 2014
> >
> > Modified Files:
> > src/sys/fs/tmpfs: tmpfs_subr.c
> >
> > Log Message:
> > Allocate direntp on the stack in tmpfs_dir_getdents(), thus saving calls to kmem_zalloc() and kmem_free(); OK rmind@. From OpenBSD.
>
> Is it really a good idea to allocate 528 bytes on the kernel stack? File systems nest and already use much stack space.

It is harmless in this case since we get a few or more pages for the stack.

> Looks better to use a pool_cache.

It is worth to create a separate pool_cache(9) only if the allocations can potentially be very intensive.

--
Mindaugas
Re: CVS commit: src/sys/fs/tmpfs
Juergen Hannken-Illjes hann...@netbsd.org wrote:
> Module Name: src
> Committed By: hannken
> Date: Fri Jan 3 09:53:12 UTC 2014
>
> Modified Files:
> src/sys/fs/tmpfs: tmpfs_subr.c tmpfs_vnops.c
>
> Log Message:
> Fix a race where thread1 runs VOP_REMOVE() and gets preempted in tmpfs_reclaim() before the call to tmpfs_free_node(). Thread2 runs VFS_FHTOVP() and gets a new vnode attached to the node thread1 is about to destroy.
>
> Change tmpfs_alloc_node() to always assign non-zero generation number and tmpfs_inactive() to set the generation number of unlinked nodes to zero.

Can you explain how does this help? It still seems racy to me. Why not just check for tn_links == 0 in tmpfs_fhtovp()?

--
Mindaugas
Re: CVS commit: src/sbin/mount_tmpfs
Martin Husemann mar...@netbsd.org wrote:
> Module Name: src
> Committed By: martin
> Date: Wed Dec 4 13:30:35 UTC 2013
>
> Modified Files:
> src/sbin/mount_tmpfs: mount_tmpfs.8 mount_tmpfs.c
>
> Log Message:
> Provide variants of the -s option to allow limiting the tmpfs dynamically at mount time to 1/Nth or to N percent of the available ram.

I think you confused err() with errx(). Also, why bother with the fraction and the floating point?

--
Mindaugas
Re: CVS commit: src/sbin/mount_tmpfs
Martin Husemann mar...@duskware.de wrote:
> On Wed, Dec 04, 2013 at 01:45:51PM +, Mindaugas Rasiukevicius wrote:
> > I think you confused err() with errx(). Also, why bother with the fraction and the floating point?
>
> The err vs. errx may be debatable, but since this is usually called via other programs the name of the program (and thus the man page to look up details) may be useful.

I mean you have them other way round:

+ len = sizeof(ram); + if (sysctlbyname(hw.physmem64, ram, len, NULL, 0)) + err(EXIT_FAILURE, can't get \hw.physmem64\: %s, strerror(errno));

err() already appends the error string for you, while in ram_fract() and ram_percent() you want errx().

--
Mindaugas
Re: CVS commit: src/sys
Hello Juergen,

Juergen Hannken-Illjes hann...@netbsd.org wrote:
> Module Name: src
> Committed By: hannken
> Date: Sat Nov 23 13:46:22 UTC 2013
>
> Modified Files:
> src/sys/kern: vfs_vnode.c
> src/sys/sys: vnode.h
>
> Log Message:
> Replace VI_INACTNOW and VI_INACTREDO with a new flag VI_CHANGING that gets set while a vnode changes state from active to inactive or from active or inactive to clean and protects vclean(); vrelel() and vrelel() against vget().
>
> Presented on tech-kern.

There are multiple reports of hangs in VFS (see something's wrong thread on current-users@ and PR/48411). It seems to be due to this change. Can you revert it for now? Thanks.

--
Mindaugas
Re: CVS commit: src/sys/coda
Christos Zoulas chris...@netbsd.org wrote:
> Module Name: src
> Committed By: christos
> Date: Sat Nov 23 17:57:23 UTC 2013
>
> Modified Files:
> src/sys/coda: coda_vfsops.c
>
> Log Message:
> replace open-coded scan with macro; fix locking
>
> -/* mount structure wasn't found */ -return(NULL); +mutex_exit(mountlist_lock); +return mp == TAILQ_END(mountlist) ? NULL : mp;

Although this is correct, TAILQ_END(mountlist) *suggests* access of mountlist. If it would be true, it would be unlocked and buggy access. Why not just return mp; ?

It seems to me that TAILQ_END() makes the code more misleading without doing any good. What was the rationale behind adding and using it?

--
Mindaugas
Re: CVS commit: src/sys/coda
chris...@zoulas.com (Christos Zoulas) wrote:
> On Nov 23, 6:14pm, rm...@netbsd.org (Mindaugas Rasiukevicius) wrote:
> -- Subject: Re: CVS commit: src/sys/coda
>
> | Although this is correct, TAILQ_END(mountlist) *suggests* access of
> | mountlist. If it would be true, it would be unlocked and buggy access.
> | Why not just return mp; ?
> |
> | It seems to me that TAILQ_END() makes the code more misleading without
> | doing any good. What was the rationale behind adding and using it?
>
> I think it was provided so that the macros look the same across different ADT's. Don't shoot the messenger, I did not add it. But I will fix the locking non-issue... Revision 1.54 of queue.h shows you.

Thanks for improving it, but I still do not see the benefit of:

	mp = mp == TAILQ_END(mountlist) ? NULL : mp;

Over:

	return mp;

Everybody understood NULL, so why obfuscate the code?

--
Mindaugas
Re: CVS commit: src/sys/coda
chris...@zoulas.com (Christos Zoulas) wrote:
> On Nov 23, 11:24pm, rm...@netbsd.org (Mindaugas Rasiukevicius) wrote:
> -- Subject: Re: CVS commit: src/sys/coda
>
> | mp = mp == TAILQ_END(mountlist) ? NULL : mp;
> |
> | Over:
> |
> | return mp;
> |
> | Everybody understood NULL, so why obfuscate the code?
>
> The point (as I understand it) is so that if you want to change to another ADT where end != NULL (are there any now, that we have banned CIRCLEQ?) using the END macro lets you s/FOOQ/BARQ/ and have it mostly work.

Since 1990s (or even earlier) none of the lists in queue(3) had _END(), apart from the circle queue (for a very obvious reason it makes sense). Now that CIRCLEQ is banned - you added _END() for LIST and TAILQ. I do not follow the logic. :)

I would remove _END() macros to keep the way it always was. If the goal is to improve the interface, then now is a good time to design a new API, but we already have a long thread on tech-userlevel for this..

--
Mindaugas
Re: CVS commit: src/usr.sbin/npf/npfctl
Christos Zoulas chris...@netbsd.org wrote:
> Module Name: src
> Committed By: christos
> Date: Tue Nov 19 17:01:45 UTC 2013
>
> Modified Files:
> src/usr.sbin/npf/npfctl: npf_show.c
>
> Log Message:
> CID 1129614: dereference after null

It should never be NULL. Perhaps assert(tl != NULL)?

--
Mindaugas
Re: CVS commit: src
Alexander Nasonov al...@yandex.ru wrote:
> +./usr/lib/librumpkern_sljit.so base-rump-shlib rump +./usr/lib/librumpkern_sljit.so.0 base-rump-shlib rump +./usr/lib/librumpkern_sljit.so.0.0 base-rump-shlib rump
>
> A similar change was sitting in my local tree for quite a while but sljit API isn't yet stable enough to wrap it into a DSO. I kept bpbfjit and libsljit private (LIBISPRIVATE=yes) and used them only for libsljit and libbpfjit tests. Is it possible to do something similar in rump framework?

I think we can just create sys/rump/net/lib/libbpfjit/sljit as a library, specify SUBDIR and compile the library itself with LIBISPRIVATE=yes.

--
Mindaugas
Re: CVS commit: src/usr.sbin/npf/npftest
Alexander Nasonov al...@yandex.ru wrote:
> Mindaugas Rasiukevicius wrote:
> > Module Name: src
> > Committed By: rmind
> > Date: Sat Nov 16 01:41:43 UTC 2013
> >
> > Modified Files:
> > src/usr.sbin/npf/npftest: Makefile
> > src/usr.sbin/npf/npftest/libnpftest: Makefile npf_bpf_test.c
> >
> > Log Message:
> > Enable bpfjit for npftest.
>
> It breaks when MKSLJIT=no. I fixed the build already but I don't know if something else should be changed in npf_bpf_test.c file.

Nope, it is handled dynamically. Thanks.

--
Mindaugas
Re: CVS commit: src/sys/fs/tmpfs
J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
> > Module Name: src
> > Committed By: rmind
> > Date: Fri Nov 8 15:44:23 UTC 2013
> > ...
>
> The tests fs/vfs/t_union/tmpfs_basic and fs/vfs/t_union/tmpfs_whiteout start failing after this commit.

Fixed.

--
Mindaugas
Re: CVS commit: src/sys/net/npf
Paul Goyette p...@whooppee.com wrote:
> On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:
> > Module Name: src
> > Committed By: rmind
> > Date: Tue Oct 29 16:39:10 UTC 2013
> >
> > Modified Files:
> > src/sys/net/npf: npf_impl.h npf_nat.c npf_session.c
> >
> > Log Message:
> > npf_session_setnat: fix the race condition when the old connection is still being expired while a new/duplicate is being created.
>
> Should we have (or do we have) a regression test to catch this race condition?

You would need to write a test simulating a particular condition and then trying to brute-force the race. It requires a bit of coding as it is not an easy race to trigger. Let me know if you want to volunteer.

--
Mindaugas
Re: CVS commit: src/sys
chris...@zoulas.com (Christos Zoulas) wrote:
> On Nov 30, 11:39pm, plu...@rya-online.net (Iain Hibbert) wrote: -- Subject: Re: CVS commit: src/sys | On Fri, 30 Nov 2012, Christos Zoulas wrote: | | In article 20121130134954.ga14...@britannica.bec.de, | Joerg Sonnenberger jo...@britannica.bec.de wrote: | On Fri, Nov 30, 2012 at 08:34:27AM -0500, Christos Zoulas wrote: | | fd_set doesn't seem like an appropriate structure for this. | | I've been thinking about creating something more efficient, but I | didn't come up with something better and decided that using fd_set | was less complex. | | A plain bitmap is ok for this purpose. Something like: | | static uintptr_t inet4_reserve[65536 / sizeof(uintptr_t) / | CHAR_BITS]; | | Sure, but then I would have to rewrite or open code the access macros. | I think that it would be a lot nicer to have a more general fdset | that could be included multiple times, and provided the access macros. | | well, there is bitstring(3) ..?
>
> I'll convert to that. Or cook a set of macros.
>
> christos

Or reuse this interface, which manages portmap atomically:

http://nxr.netbsd.org/xref/src/sys/net/npf/npf_nat.c?r=1.17#336

--
Mindaugas
Re: CVS commit: src/sys/uvm
Matt Thomas m...@3am-software.com wrote:
> On Sep 3, 2012, at 3:33 PM, Mindaugas Rasiukevicius wrote:
> > Matt Thomas m...@netbsd.org wrote:
> > > Module Name: src
> > > Committed By: matt
> > > Date: Mon Sep 3 19:53:43 UTC 2012
> > >
> > > Modified Files:
> > > src/sys/uvm: uvm_km.c uvm_map.c
> > >
> > > Log Message:
> > > Switch to a spin lock (uvm_kentry_lock) which, fortunately, was sitting there unused.
> >
> > - pmap_growkernel() may use adaptive locks, which cannot be acquired with the spin lock held; so the change breaks at least x86 and alpha.
> >
> > - Why in the caller? I think it would be better to leave it for the pmaps, e.g. they may re-use the locks which already provide the necessary protection and which need to be taken anyway (like in x86 pmap).
>
> uvm_maxkaddr need a lock for its updating growkernel can be called uvm_km_mem_alloc which might be called at interrupt level.

The second point stands, but I see you already fixed it - thanks!

As for pmap_growkernel() being called from interrupt context - right, then it seems Xen is broken, as its path in pmap_growkernel() acquires adaptive pmaps_lock and might call pool_cache_invalidate() which can block..

--
Mindaugas
Re: CVS commit: src/sys/uvm
Matt Thomas m...@netbsd.org wrote:
> Module Name: src
> Committed By: matt
> Date: Mon Sep 3 19:53:43 UTC 2012
>
> Modified Files:
> src/sys/uvm: uvm_km.c uvm_map.c
>
> Log Message:
> Switch to a spin lock (uvm_kentry_lock) which, fortunately, was sitting there unused.

- pmap_growkernel() may use adaptive locks, which cannot be acquired with the spin lock held; so the change breaks at least x86 and alpha.

- Why in the caller? I think it would be better to leave it for the pmaps, e.g. they may re-use the locks which already provide the necessary protection and which need to be taken anyway (like in x86 pmap).

--
Mindaugas
Re: CVS commit: src/sys/modules/bpf
Matt Thomas m...@netbsd.org wrote:
> Module Name: src
> Committed By: matt
> Date: Thu Aug 2 00:22:32 UTC 2012
>
> Modified Files:
> src/sys/modules/bpf: Makefile
>
> Log Message:
> Add missing paren.
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.2 -r1.3 src/sys/modules/bpf/Makefile

Seems that make ignored the syntax error in .if statement, as it compiles on e.g. x86 where the first check is true. Is this a bug in make?

--
Mindaugas
Re: CVS commit: src/sys
Mindaugas Rasiukevicius rm...@netbsd.org wrote:
> Module Name: src
> Committed By: rmind
> Date: Wed Aug 1 23:24:29 UTC 2012
> ...
> Log Message:
> Add BPF JIT compiler, currently supporting amd64 and i386. Code obtained from FreeBSD. Also, make few BPF fixes and simplifications while here. Note that bpf_jit_enable is false for now.

FYI: FreeBSD has quite comprehensive regression tests for BPF. With some changes they run on NetBSD.

http://www.netbsd.org/~rmind/regress/bpf_tests.tar.bz2

Out of 84 tests, all pass with BPF JIT enabled (and disabled).

--
Mindaugas
Re: CVS commit: src
Hi Simon,

Simon Burge sim...@netbsd.org wrote:
> > [ ... ]
> > Log Message:
> > Add MurmurHash2 -- a non-cryptographic hash function by Austin Appleby. The code is taken from the upstream and is in the public domain.
>
> I'm curious why you've chosen MurmurHash2 instead of MurmurHash3 given the known problems with MurmurHash2? Also, should the filename have a 2 in it?

It meets my needs. Are you referring to the weakness when using 4-bytes? Anyway, that is why the file name does not have 2 in it, so that we could add MurmurHash3 as well.

--
Mindaugas
Re: CVS commit: src
Simon Burge sim...@netbsd.org wrote:
> Mindaugas Rasiukevicius wrote:
> > Simon Burge sim...@netbsd.org wrote:
> > > > [ ... ]
> > > > Log Message:
> > > > Add MurmurHash2 -- a non-cryptographic hash function by Austin Appleby. The code is taken from the upstream and is in the public domain.
> > >
> > > I'm curious why you've chosen MurmurHash2 instead of MurmurHash3 given the known problems with MurmurHash2? Also, should the filename have a 2 in it?
> >
> > It meets my needs.
>
> What are your needs? I don't see this change discussed anywhere.

I am going to use it in NPF as it shows better characteristics than Jenkins lookup3. It is a very small function.

> > Are you referring to the weakness when using 4-bytes? Anyway, that is why the file name does not have 2 in it, so that we could add MurmurHash3 as well.
>
> That's completely different to the other hashes we have in the source tree. Can you rename the file so that it's consistent please?

Because other hashes use very different interface, with a context and common template in libc (rather horrible macros). There is no need to create a directory for every different version of MurmurHash. Rather undesirable, I would say.

--
Mindaugas
Re: CVS commit: src
Joerg Sonnenberger jo...@britannica.bec.de wrote:
> > Log Message:
> > Add MurmurHash2 -- a non-cryptographic hash function by Austin Appleby. The code is taken from the upstream and is in the public domain.
> >
> > OK christos@
>
> There are a number of issues with this. First of all, it pollutes the global namespace and can't be used safely from libc the way it is done.

How do you suggest to do it?

> Second, I don't really like adding a special purpose name of a hash function which is explicitly not designed to be endian neutral. We should provide a fast hash function and be able to change it without breaking assumptions, which this is not doing.

Well, the added function is endian-neutral and is generic implementation. Idea is to provide optimised functions per architecture. They would merely override the generic one, but produce the same result regardless of endianess. Do you want to do it differently?

--
Mindaugas
Re: CVS commit: src
Simon Burge sim...@netbsd.org wrote:
> > > > Are you referring to the weakness when using 4-bytes? Anyway, that is why the file name does not have 2 in it, so that we could add MurmurHash3 as well.
> > >
> > > That's completely different to the other hashes we have in the source tree. Can you rename the file so that it's consistent please?
> >
> > Because other hashes use very different interface, with a context and common template in libc (rather horrible macros). There is no need to create a directory for every different version of MurmurHash. Rather undesirable, I would say.
>
> I wasn't talking about creating a directory for every variant of murmur, just putting each variant in a separate .c file. Eg:
>
> src/common/lib/libc/hash/murmurhash/murmurhash2.c
> src/common/lib/libc/hash/murmurhash/murmurhash3.c
>
> Or do you intend on adding other variants of murmur to the current .c file if/when needed?

Yes, I would like to add MurmurHash3 to the same module. Having them in the same module enables easier code reuse, when it's the case. Do you see a good reason to have them in separate modules?

--
Mindaugas
Re: CVS commit: src/sys
Manuel Bouyer bou...@antioche.eu.org wrote:
> > Few minor points. Does atabus_alloc_drives() need to use M_NOWAIT and malloc(9), instead of kmem(9)?
>
> At first glance I'd say it should always be called from the atabus thread, so it should be OK

Could you change it then? Generally, KM_NOSLEEP should not be used unless there is a very good reason. It may fail even if there is free memory.

> > Also, any reason why you use tsleep(9) instead of kpause(9) (in satapmp_subr.c and elsewhere)? We are trying to get rid of the former.
>
> kpause(9) could be used here. But I prefer to keep sys/dev/ata consistent and convert all the code to kpause at the same time. It could have been done here, I just didn't think about it. Next opportunity will be with NCQ support, which I hope to look at soon. This also would be the time to make ata(4) MP-safe.

Cool! NCQ and MP-safe ata(4) would be a major improvement for NetBSD!

--
Mindaugas
Re: CVS commit: src/sys
Manuel Bouyer bou...@netbsd.org wrote:
> Module Name: src
> Committed By: bouyer
> Date: Mon Jul 2 18:15:48 UTC 2012
> ...
> Log Message:
> Add sata Port MultiPlier (PMP) support to the ata bus layer, as described in http://mail-index.netbsd.org/tech-kern/2012/06/23/msg013442.html
> PMP support in integrated to the atabus layer.

Nice piece of development!

Few minor points. Does atabus_alloc_drives() need to use M_NOWAIT and malloc(9), instead of kmem(9)?

Also, any reason why you use tsleep(9) instead of kpause(9) (in satapmp_subr.c and elsewhere)? We are trying to get rid of the former.

--
Mindaugas
Re: CVS commit: src/sys/kern
y...@mwd.biglobe.ne.jp (YAMAMOTO Takashi) wrote: hi, Module Name:src Committed By: rmind Date: Mon Jan 30 21:05:40 UTC 2012 Modified Files: src/sys/kern: subr_kmem.c Log Message: Fix for KMEM_GUARD; do not use it from interrupt context. kmem_zalloc still seems broken and anyway the test looks too fragile. how about simply moving the #ifdef blocks to callers? It was just a quick workaround to make it run. I have changed KMGUARD such that it could be called from interrupt context. Might need some tuning as memory consumption is even more significant, but that can be done later. KMGUARD already discovered 4 bugs. YAMAMOTO Takashi -- Mindaugas
Re: CVS commit: src/sys/kern
David Laight da...@l8s.co.uk wrote: On Sun, Jan 22, 2012 at 03:48:51AM +, Mindaugas Rasiukevicius wrote: Module Name:src Committed By: rmind Date: Sun Jan 22 03:48:51 UTC 2012 Modified Files: src/sys/kern: kern_fileassoc.c Log Message: fileassoc_file_delete: pre-check whether fileassoc was used and thus avoid acquiring kernel-lock, which damages sys_unlink() performance. Erm... looking at the file the locking in there looks decidedly dubious. 1) There doesn't seem to be any locking on the hash table. 2) It isn't clear why the KERNEL_LOCK was acquired in one specific path. 3) If fileassoc_file_delete() is expected to remove all references for a vnode, something external must have forced the state of the vnode. (otherwise the stuff might be added - inc. global init - while this code is being called. Yes, locking issues are known in this code (see e.g. PR/35351) and I would say fileassoc(9) should be disabled by default while this is resolved. However, I do not really have much interest in fixing fileassoc(9), so my only concern was to fix performance degradation of unlink(2) due to it. -- Mindaugas
Re: CVS commit: src/sys/arch
Chuck Silvers c...@chuq.com wrote: Log Message: map all of physical memory using large pages. ported from openbsd years ago by Murray Armfield, updated for changes since then by me. This is cool, thanks! Can you add an entry to src/doc/CHANGES? Also, just wondering - did you try any benchmarks? I would expect reasonable improvement. does it really make sense to list incremental performance improvements there? I can add it if folks want, but we don't tend to document misc performance improvements that have no API impact outside the kernel. Yes, we should and do list such changes. Also, 2.5% is quite good and it is useful to collect such numbers in doc/CHANGES for marketing purposes. as for how much it helps, on a 12-CPU box build.sh release is about 2.5% faster. if I enable __HAVE_CPU_UAREA_ROUTINES so that uareas are also accessed this way that gives an additional 0.5% speedup. Cool! Any reason why __HAVE_CPU_UAREA_ROUTINES is not enabled by default? coincidentally, this almost exactly compensates for the performance hit of enabling DIAGNOSTIC. It really depends on the workload, e.g. effects on sysbench OLTP are quite visible or e.g. PR/45734. -Chuck -- Mindaugas
Re: CVS commit: src/sys/arch
Chuck Silvers c...@netbsd.org wrote: Module Name: src Committed By: chs Date: Sun Dec 4 16:24:13 UTC 2011 Modified Files: src/sys/arch/amd64/amd64: locore.S machdep.c src/sys/arch/amd64/include: types.h src/sys/arch/x86/include: pmap.h src/sys/arch/x86/x86: pmap.c Log Message: map all of physical memory using large pages. ported from openbsd years ago by Murray Armfield, updated for changes since then by me. This is cool, thanks! Can you add an entry to src/doc/CHANGES? Also, just wondering - did you try any benchmarks? I would expect reasonable improvement. -- Mindaugas
Re: CVS commit: src
Martin Husemann mar...@duskware.de wrote: On Wed, Nov 23, 2011 at 03:19:55AM +, Christos Zoulas wrote: He does not want to write atf tests. In my opinion non-atf tests are better than no tests. IMHO non-atf tests are just as useless as the whole src/regress hierarchy always was. BUT: finding someone to pick these new tests up and embed them in atf should be easy. They are not useless at all. Actually, I still use them. Martin -- Mindaugas
Re: CVS commit: src/sys/arch/i386/i386
J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote: Module Name:src Committed By: yamt Date: Mon Oct 31 12:42:53 UTC 2011 Modified Files: src/sys/arch/i386/i386: dumpsys.c Log Message: dumpsys_seg: don't overwrite the previous mapping With this change in place core dumps from ddb (reboot 104) no longer work on MP machines. Before pmap_tlb_shootnow() always returned on the `tp->tp_count == 0' check. Now it goes into the `remote' case and hangs hard trying to reach other CPUs. We could check for panicstr. Not sure if that is desirable, though. -- Mindaugas
Re: CVS commit: src/sys/kern
Hello Juergen, Juergen Hannken-Illjes hann...@netbsd.org wrote: Log Message: The path getnewvnode()->getcleanvnode()->vclean()->VOP_LOCK() will panic if the vnode we want to clean is a layered vnode and the caller already locked its lower vnode. Change getnewvnode() to always allocate a fresh vnode and add a helper thread (vdrain) to keep the number of allocated vnodes within desiredvnodes. Rename getcleanvnode() to cleanvnode() and let it take a vnode from the lists, clean and free it. ... To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/sys/kern/vfs_vnode.c Not that I object to the change, but such approach was already discussed in the past on tech-kern@ and rejected. See the follow ups of this thread: http://mail-index.netbsd.org/tech-kern/2009/08/17/msg005861.html This significantly changes the dynamics of vnode cache and reclamation, apart from making it single-threaded. Given the current locking scheme with its issues (and thus reclamation complexity), the change is probably good enough for the medium term. However, in the long term, I would say that getnewvnode() behaviour should be restored. -- Mindaugas
Re: CVS commit: src/sys
Christos Zoulas chris...@netbsd.org wrote: Log Message: Add an optional pglist argument to uvm_obj_wirepages, to be filled with the list of pages that were wired. To generate a diff of this commit: cvs rdiff -u -r1.121 -r1.122 src/sys/kern/sysv_shm.c cvs rdiff -u -r1.174 -r1.175 src/sys/uvm/uvm_extern.h cvs rdiff -u -r1.10 -r1.11 src/sys/uvm/uvm_object.c Why? -- Mindaugas
Re: CVS commit: src/share/man/man9
Jukka Ruohonen jruoho...@iki.fi wrote: Log Message: Fix .Xr to membar_ops(3), not membar(9). Spotted by wiz@. Can you brief on what is the difference between membar_ops(3) and mb(9)? mb(9) predates membar_ops(3). I do not know why it was left when the later interface was added. It seems to me that mb(9) should be removed. Some good notes from mb(9) man page can be moved to membar_ops(9) though. -- Mindaugas
Re: CVS commit: src/sys/kern
Masao Uebayashi uebay...@netbsd.org wrote: Module Name: src Committed By: uebayasi Date: Sat Jul 30 05:24:17 UTC 2011 Modified Files: src/sys/kern: kern_softint.c Log Message: Use kmem(9) to allocate per-cpu softint context. No functional changes. Why? The allocation is page-sized, persistent and should preferably be on page-boundary. -- Mindaugas
Re: CVS commit: src/sys/uvm
y...@mwd.biglobe.ne.jp (YAMAMOTO Takashi) wrote: Log Message: amap_copy(): Keep the source amap locked until its lock has been copied. btw, this code seems to assume that uvm_anfree does not release the lock even temporarily while the comment on uvm_anfree1 says the opposite. http://www.netbsd.org/~rmind/uvm_anon_freelst.diff Looks good? i don't understand what it solves. can you explain a little? Here is the updated patch after your changes: http://www.netbsd.org/~rmind/uvm_anon_freelst2.diff As you noted, uvm_anfree() can temporarily release the amap lock - that can happen in amap_copy(). Patch closes the race by moving uvm_anfree() further, and changes the semantics of the function, now called uvm_anon_freelst(), to return with amap lock released (plus free anons without lock held). -- Mindaugas
Re: CVS commit: src/sys/arch
Manuel Bouyer bou...@netbsd.org wrote: Module Name: src Committed By: bouyer Date: Sun Jul 3 10:40:16 UTC 2011 Modified Files: src/sys/arch/amd64/conf: GENERIC src/sys/arch/i386/conf: GENERIC Log Message: Add back DIAGNOSTIC option to x86 GENERIC kernels, as discussed on tech-kern. This will have to be commented out on release branches. Thanks for enabling this, however you have ignored points raised on tech-kern@. In such case, at least DEBUG and DDB on panic (plus trace command) should be re-enabled as well. And, most importantly, this is not communicated to -current users who will get performance decrease after kernel update. Apart from updating motd, I was thinking about some printf()ed warning in the kernel.. -- Mindaugas
Re: CVS commit: src/sys/arch
Manuel Bouyer bou...@antioche.eu.org wrote: On Sun, Jul 03, 2011 at 03:57:25PM +0100, Mindaugas Rasiukevicius wrote: Thanks for enabling this, however you have ignored points raised on tech-kern@. In such case, at least DEBUG DEBUG is not as useful as DIAGNOSTIC, and is very verbose. My main point is to get KASSERT() back again. DEBUG and LOCKDEBUG were mentioned, but I don't remember a clear consensus about those and DDB on panic (plus trace command) should be re-enabled as well. I also don't think we did reach a consensus about this either. Well, I object on adding only DIAGNOSTIC, without DEBUG and DDB trace enabled, as it is counter productive to the idea to gather more info. LOCKDEBUG would be useful as well, but its very significant effect to performance can be understood. Also, it seems that nobody disagreed on enabling DDB trace (as well as adding DEBUG option). What makes you think that we did not reach the consensus? With DDB on panic you don't get a core dump, you just see the system hang if running X11. With trace (assuming you're not running X11), you have the useful panic message scroll away on a standard VGA screen. Again, call ddb_vgapost was proposed. You can still coredump, either manually or just by adding another command. Also, if automatic coredump fails (to me it is often the case) - then info is left uncollected. -- Mindaugas
Re: CVS commit: src/sys/arch
Manuel Bouyer bou...@antioche.eu.org wrote: On Sun, Jul 03, 2011 at 06:09:10PM +0100, Mindaugas Rasiukevicius wrote: I also don't think we did reach a consensus about this either. Well, I object on adding only DIAGNOSTIC, without DEBUG and DDB trace enabled, as it is counter productive to the idea to gather more info. I can't see how DEBUG can give more infos for KASSERT(). I can see how DDB trace will hide useful infos from KASSERT(). LOCKDEBUG would be useful as well, but its very significant effect to performance can be understood. Also, it seems that nobody disagreed on enabling DDB trace (as well as adding DEBUG option). What makes you think that we did not reach the consensus? I did agree at first, but then I sent http://mail-index.netbsd.org/tech-kern/2011/06/17/msg010736.html There are over a hundred KDASSERT()s and plenty #ifdef DEBUG checks. Crash reports without backtrace - that is very often useless, and we do receive such reports in time, where we need to ask users to reproduce it again and collect more information. Naturally, we cannot expect our users/admins to be fluent in DDB, but collecting more information is a key in debugging more complex bugs, and backtrace is a bare minimum. I think the change is half-baked and should be reverted until we reach the agreement on tech-kern@. With DDB on panic you don't get a core dump, you just see the system hang if running X11. With trace (assuming you're not running X11), you have the useful panic message scroll away on a standard VGA screen. Again, call ddb_vgapost was proposed. You can still coredump, either what will this do on a serial console ? How is it related to serial console? -- Mindaugas
Re: CVS commit: src/sys/uvm
y...@mwd.biglobe.ne.jp (YAMAMOTO Takashi) wrote: hi, Module Name:src Committed By: hannken Date: Mon Jun 27 15:56:37 UTC 2011 Modified Files: src/sys/uvm: uvm_amap.c Log Message: amap_copy(): Keep the source amap locked until its lock has been copied. btw, this code seems to assume that uvm_anfree does not release the lock even temporarily while the comment on uvm_anfree1 says the opposite. Right. Fix would be to always drop the lock in uvm_anfree() and call it in the last point. I will write a patch tomorrow. YAMAMOTO Takashi -- Mindaugas
Re: CVS commit: src/sys/uvm
tsugutomo.en...@jp.sony.com wrote: Modified Files: src/sys/uvm: uvm_amap.c Log Message: Clean-up, add asserts, slightly simplify. To generate a diff of this commit: cvs rdiff -u -r1.95 -r1.96 src/sys/uvm/uvm_amap.c In amap_copy(), I guess map entry may be clipped and need to recompute entry->end - entry->start after that. Yes.. fixed. Thanks! -- Mindaugas