CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Mon Sep 30 22:04:33 UTC 2019

Modified Files:
src/sys/net/npf: npf_if.c

Log Message:
npf_ifmap_copylogname: be more defensive.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_if.c
diff -u src/sys/net/npf/npf_if.c:1.11 src/sys/net/npf/npf_if.c:1.12
--- src/sys/net/npf/npf_if.c:1.11	Sun Sep 29 17:00:29 2019
+++ src/sys/net/npf/npf_if.c	Mon Sep 30 22:04:33 2019
@@ -56,7 +56,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.12 2019/09/30 22:04:33 rmind Exp $");
 
 #include 
 #include 
@@ -191,20 +191,22 @@ npf_ifmap_getid(npf_t *npf, const ifnet_
 }
 
 /*
- * This function is toxic; it can return garbage since we don't
- * lock, but it is only used temporarily and only for logging.
+ * npf_ifmap_copylogname: this function is toxic; it can return garbage
+ * as we don't lock, but it is only used temporarily and only for logging.
  */
 void
 npf_ifmap_copylogname(npf_t *npf, unsigned id, char *buf, size_t len)
 {
-	if (id != NPF_IFMAP_NOID) {
-		const unsigned i = NPF_IFMAP_ID2SLOT(npf, id);
-		npf_ifmap_t *ifmap = >ifmap[i];
+	const unsigned i = NPF_IFMAP_ID2SLOT(npf, id);
+
+	membar_consumer();
 
+	if (id != NPF_IFMAP_NOID && i < NPF_MAX_IFMAP) {
 		/*
 		 * Lock-free access is safe as there is an extra byte
 		 * with a permanent NUL terminator at the end.
 		 */
+		const npf_ifmap_t *ifmap = >ifmap[i];
 		strlcpy(buf, ifmap->ifname, MIN(len, IFNAMSIZ));
 	} else {
 		strlcpy(buf, "???", len);

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Mon Sep 30 22:04:33 UTC 2019

Modified Files:
src/sys/net/npf: npf_if.c

Log Message:
npf_ifmap_copylogname: be more defensive.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Mon Sep 30 00:37:12 UTC 2019

Modified Files:
src/lib/libnpf: libnpf.3 npf.c npf.h
src/sys/net/npf: npf_ctl.c
src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l
npfctl.c npfctl.h
src/usr.sbin/npf/npftest: npftest.conf

Log Message:
libnpf/npfctl: support dynamic NAT rulesets using a name prefix.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.47 -r1.48 src/lib/libnpf/npf.c
cvs rdiff -u -r1.37 -r1.38 src/lib/libnpf/npf.h
cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.88 -r1.89 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npftest/npftest.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/libnpf.3
diff -u src/lib/libnpf/libnpf.3:1.10 src/lib/libnpf/libnpf.3:1.11
--- src/lib/libnpf/libnpf.3:1.10	Wed Aug 21 21:45:47 2019
+++ src/lib/libnpf/libnpf.3	Mon Sep 30 00:37:11 2019
@@ -1,4 +1,4 @@
-.\"	$NetBSD: libnpf.3,v 1.10 2019/08/21 21:45:47 rmind Exp $
+.\"	$NetBSD: libnpf.3,v 1.11 2019/09/30 00:37:11 rmind Exp $
 .\"
 .\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 21, 2019
+.Dd August 25, 2019
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -108,6 +108,15 @@
 .Fn npf_table_replace "int fd" "nl_table_t *tl" "npf_error_t *errinfo"
 .Ft void
 .Fn npf_table_destroy "nl_table_t *tl"
+.\" ---
+.Ft int
+.Fn npf_ruleset_add "int fd" "const char *name" "nl_rule_t *rl" "uint64_t *id"
+.Ft int
+.Fn npf_ruleset_remove "int fd" "const char *name" "uint64_t id"
+.Ft int
+.Fn npf_ruleset_remkey "int fd" "const char *name" "const void *key" "size_t len"
+.Ft int
+.Fn npf_ruleset_flush "int fd" "const char *name"
 .\" -
 .Sh DESCRIPTION
 The
@@ -352,7 +361,9 @@ Additionally,
 may be specified to indicate the translation network;
 otherwise, it should be set to
 .Dv NPF_NO_NETMASK .
-In such case, a custom algorithm may need to be specified using the
+.Pp
+In order to use the translation network, a custom algorithm may need to
+be specified using the
 .Fn npf_nat_setalgo
 function.
 .\" ---
@@ -368,6 +379,9 @@ Currently, the following algorithms are 
 Hash of the source and destination addresses.
 .It Dv NPF_ALGO_RR
 Round-robin for the translation addresses.
+.It Dv NPF_ALGO_NETMAP
+Network-to-network map as described below, but with state tracking.
+It is used when it is necessary to translate the ports.
 .El
 .Pp
 The following are support with static NAT:
@@ -450,6 +464,39 @@ specified by
 Destroy the specified table.
 .El
 .\" -
+.Ss Ruleset interface
+.Bl -tag -width 4n
+.It Fn npf_ruleset_add "fd" "name" "rl" "id"
+Add a given rule, specified by
+.Fa rl ,
+into the dynamic ruleset named
+.Fa name .
+On success, return 0 and a unique rule ID in the
+.Fa id
+parameter.
+.It Fn npf_ruleset_remove "fd" "name" "id"
+Remove a rule from the dynamic ruleset, specified by
+.Fa name .
+The rule is specified by its unique ID in the
+.Fa id
+parameter.
+.It Fn npf_ruleset_remkey "fd" "name" "key" "len"
+Remove a rule from the dynamic ruleset, specified by
+.Fa name .
+The rule is specified by its key, in the
+.Fa key
+and
+.Fa len
+parameters.
+The key for the rule must have been set during its construction, using the
+.Fn npf_rule_setkey
+routine.
+.It Fn npf_ruleset_flush "fd" "name"
+Clear the dynamic ruleset, specified by
+.Fa name ,
+by removing all its rules.
+.El
+.\" -
 .Sh SEE ALSO
 .Xr bpf 4 ,
 .Xr npf 7 ,

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.47 src/lib/libnpf/npf.c:1.48
--- src/lib/libnpf/npf.c:1.47	Wed Aug 21 21:45:47 2019
+++ src/lib/libnpf/npf.c	Mon Sep 30 00:37:11 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.47 2019/08/21 21:45:47 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.48 2019/09/30 00:37:11 rmind Exp $");
 
 #include 
 #include 
@@ -401,14 +401,31 @@ npf_param_set(nl_config_t *ncf, const ch
  * DYNAMIC RULESET INTERFACE.
  */
 
+static inline bool
+_npf_nat_ruleset_p(const char *name)
+{
+	return strncmp(name, NPF_RULESET_MAP_PREF,
+	sizeof(NPF_RULESET_MAP_PREF) - 1) == 0;
+}
+
 int
 npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uint64_t *id)
 {
+	const bool natset = _npf_nat_ruleset_p(rname);
 	nvlist_t *rule_dict = rl->rule_dict;
 	nvlist_t *ret_dict;
 
+	nvlist_add_number(rule_dict, "attr",
+	NPF_RULE_DYNAMIC | 

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Mon Sep 30 00:37:12 UTC 2019

Modified Files:
src/lib/libnpf: libnpf.3 npf.c npf.h
src/sys/net/npf: npf_ctl.c
src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l
npfctl.c npfctl.h
src/usr.sbin/npf/npftest: npftest.conf

Log Message:
libnpf/npfctl: support dynamic NAT rulesets using a name prefix.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.47 -r1.48 src/lib/libnpf/npf.c
cvs rdiff -u -r1.37 -r1.38 src/lib/libnpf/npf.h
cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.88 -r1.89 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npftest/npftest.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 18:51:08 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

(missed a file in previous commit; cvs is so helpful..)


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 18:51:08 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

(missed a file in previous commit; cvs is so helpful..)


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.51 src/usr.sbin/npf/npfctl/npf_build.c:1.52
--- src/usr.sbin/npf/npfctl/npf_build.c:1.51	Thu Aug  8 21:29:15 2019
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sun Sep 29 18:51:08 2019
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.51 2019/08/08 21:29:15 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.52 2019/09/29 18:51:08 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -151,25 +151,32 @@ npfctl_debug_addif(const char *ifname)
 	return 0;
 }
 
-unsigned
-npfctl_table_getid(const char *name)
+nl_table_t *
+npfctl_table_getbyname(nl_config_t *ncf, const char *name)
 {
-	unsigned tid = (unsigned)-1;
 	nl_iter_t i = NPF_ITER_BEGIN;
 	nl_table_t *tl;
 
 	/* XXX dynamic ruleset */
-	if (!npf_conf) {
-		return (unsigned)-1;
+	if (!ncf) {
+		return NULL;
 	}
-	while ((tl = npf_table_iterate(npf_conf, )) != NULL) {
+	while ((tl = npf_table_iterate(ncf, )) != NULL) {
 		const char *tname = npf_table_getname(tl);
 		if (strcmp(tname, name) == 0) {
-			tid = npf_table_getid(tl);
 			break;
 		}
 	}
-	return tid;
+	return tl;
+}
+
+unsigned
+npfctl_table_getid(const char *name)
+{
+	nl_table_t *tl;
+
+	tl = npfctl_table_getbyname(npf_conf, name);
+	return tl ? npf_table_getid(tl) : (unsigned)-1;
 }
 
 const char *
@@ -873,15 +880,13 @@ npfctl_build_natseg(int sd, int type, un
  * npfctl_fill_table: fill NPF table with entries from a specified file.
  */
 static void
-npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname)
+npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname, FILE *fp)
 {
 	char *buf = NULL;
 	int l = 0;
-	FILE *fp;
 	size_t n;
 
-	fp = fopen(fname, "r");
-	if (fp == NULL) {
+	if (fp == NULL && (fp = fopen(fname, "r")) == NULL) {
 		err(EXIT_FAILURE, "open '%s'", fname);
 	}
 	while (l++, getline(, , fp) != -1) {
@@ -908,6 +913,23 @@ npfctl_fill_table(nl_table_t *tl, u_int 
 }
 
 /*
+ * npfctl_load_table: create an NPF table and fill with contents from a file.
+ */
+nl_table_t *
+npfctl_load_table(const char *tname, int tid, u_int type,
+const char *fname, FILE *fp)
+{
+	nl_table_t *tl;
+
+	tl = npf_table_create(tname, tid, type);
+	if (tl && fname) {
+		npfctl_fill_table(tl, type, fname, fp);
+	}
+
+	return tl;
+}
+
+/*
  * npfctl_build_table: create an NPF table, add to the configuration and,
  * if required, fill with contents from a file.
  */
@@ -916,15 +938,13 @@ npfctl_build_table(const char *tname, u_
 {
 	nl_table_t *tl;
 
-	tl = npf_table_create(tname, npfctl_tid_counter++, type);
-	assert(tl != NULL);
-
-	if (fname) {
-		npfctl_fill_table(tl, type, fname);
-	} else if (type == NPF_TABLE_CONST) {
+	if (type == NPF_TABLE_CONST && !fname) {
 		yyerror("table type 'const' must be loaded from a file");
 	}
 
+	tl = npfctl_load_table(tname, npfctl_tid_counter++, type, fname, NULL);
+	assert(tl != NULL);
+
 	if (npf_table_insert(npf_conf, tl)) {
 		yyerror("table '%s' is already defined", tname);
 	}

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 17:00:29 UTC 2019

Modified Files:
src/sys/net/npf: npf_conn.c npf_if.c npf_impl.h npf_ruleset.c

Log Message:
NPF ifmap: rework and fix a few small bugs.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_if.c
cvs rdiff -u -r1.79 -r1.80 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 17:00:29 UTC 2019

Modified Files:
src/sys/net/npf: npf_conn.c npf_if.c npf_impl.h npf_ruleset.c

Log Message:
NPF ifmap: rework and fix a few small bugs.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_if.c
cvs rdiff -u -r1.79 -r1.80 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.29 src/sys/net/npf/npf_conn.c:1.30
--- src/sys/net/npf/npf_conn.c:1.29	Tue Aug  6 11:40:15 2019
+++ src/sys/net/npf/npf_conn.c	Sun Sep 29 17:00:29 2019
@@ -107,7 +107,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.29 2019/08/06 11:40:15 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.30 2019/09/29 17:00:29 rmind Exp $");
 
 #include 
 #include 
@@ -782,7 +782,8 @@ npf_conn_export(npf_t *npf, npf_conn_t *
 	nvlist_add_number(cdict, "flags", con->c_flags);
 	nvlist_add_number(cdict, "proto", con->c_proto);
 	if (con->c_ifid) {
-		const char *ifname = npf_ifmap_getname(npf, con->c_ifid);
+		char ifname[IFNAMSIZ];
+		npf_ifmap_copyname(npf, con->c_ifid, ifname, sizeof(ifname));
 		nvlist_add_string(cdict, "ifname", ifname);
 	}
 	nvlist_add_binary(cdict, "state", >c_state, sizeof(npf_state_t));

Index: src/sys/net/npf/npf_if.c
diff -u src/sys/net/npf/npf_if.c:1.10 src/sys/net/npf/npf_if.c:1.11
--- src/sys/net/npf/npf_if.c:1.10	Sun Aug 11 20:26:33 2019
+++ src/sys/net/npf/npf_if.c	Sun Sep 29 17:00:29 2019
@@ -1,4 +1,5 @@
 /*-
+ * Copyright (c) 2019 Mindaugas Rasiukevicius 
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
@@ -28,23 +29,34 @@
  */
 
 /*
- * NPF network interface handling module.
+ * NPF network interface handling.
  *
- * NPF uses its own interface IDs (npf-if-id).  When NPF configuration is
- * (re)loaded, each required interface name is registered and a matching
- * network interface gets an ID assigned.  If an interface is not present,
- * it gets an ID on attach.
+ * NPF uses its own interface IDs (npf-if-id).  These IDs start from 1.
+ * Zero is reserved to indicate "no interface" case or an interface of
+ * no interest (i.e. not registered).
  *
- * IDs start from 1.  Zero is reserved to indicate "no interface" case or
- * an interface of no interest (i.e. not registered).
+ * This module provides an interface to primarily handle the following:
  *
- * The IDs are mapped synchronously based on interface events which are
- * monitored using pfil(9) hooks.
+ * - Bind a symbolic interface name to NPF interface ID.
+ * - Associate NPF interface ID when the network interface is attached.
+ *
+ * When NPF configuration is (re)loaded, each referenced network interface
+ * name is registered with a unique ID.  If the network interface is already
+ * attached, then the ID is associated with it immediately; otherwise, IDs
+ * are associated/disassociated on interface events which are monitored
+ * using pfil(9) hooks.
+ *
+ * To avoid race conditions when an active NPF configuration is updated or
+ * interfaces are detached/attached, the interface names are never removed
+ * and therefore IDs are never re-assigned.  The only point when interface
+ * names and IDs are cleared is when the configuration is flushed.
+ *
+ * A linear counter is used for IDs.
  */
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.10 2019/08/11 20:26:33 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1.11 2019/09/29 17:00:29 rmind Exp $");
 
 #include 
 #include 
@@ -55,9 +67,13 @@ __KERNEL_RCSID(0, "$NetBSD: npf_if.c,v 1
 #include "npf_impl.h"
 
 typedef struct npf_ifmap {
-	char		n_ifname[IFNAMSIZ];
+	char		ifname[IFNAMSIZ + 1];
 } npf_ifmap_t;
 
+#define	NPF_IFMAP_NOID			(0U)
+#define	NPF_IFMAP_SLOT2ID(npf, slot)	((npf)->ifmap_off + (slot) + 1)
+#define	NPF_IFMAP_ID2SLOT(npf, id)	((id) - (npf)->ifmap_off - 1)
+
 void
 npf_ifmap_init(npf_t *npf, const npf_ifops_t *ifops)
 {
@@ -66,8 +82,10 @@ npf_ifmap_init(npf_t *npf, const npf_ifo
 	KASSERT(ifops != NULL);
 	ifops->flush((void *)(uintptr_t)0);
 
+	mutex_init(>ifmap_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 	npf->ifmap = kmem_zalloc(nbytes, KM_SLEEP);
 	npf->ifmap_cnt = 0;
+	npf->ifmap_off = 0;
 	npf->ifops = ifops;
 }
 
@@ -75,82 +93,101 @@ void
 npf_ifmap_fini(npf_t *npf)
 {
 	const size_t nbytes = sizeof(npf_ifmap_t) * NPF_MAX_IFMAP;
+	mutex_destroy(>ifmap_lock);
 	kmem_free(npf->ifmap, nbytes);
 }
 
-static u_int
-npf_ifmap_new(npf_t *npf)
-{
-	KASSERT(npf_config_locked_p(npf));
-
-	for (u_int i = 0; i < npf->ifmap_cnt;

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 16:58:35 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8 npfctl.c npfctl.h

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npfctl.8
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.21 src/usr.sbin/npf/npfctl/npfctl.8:1.22
--- src/usr.sbin/npf/npfctl/npfctl.8:1.21	Sat Jan 19 21:19:32 2019
+++ src/usr.sbin/npf/npfctl/npfctl.8	Sun Sep 29 16:58:35 2019
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npfctl.8,v 1.21 2019/01/19 21:19:32 rmind Exp $
+.\"	$NetBSD: npfctl.8,v 1.22 2019/09/29 16:58:35 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 10, 2017
+.Dd August 26, 2019
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -114,28 +114,50 @@ List all rules in the dynamic ruleset sp
 Remove all rules from the dynamic ruleset specified by
 .Ar name .
 .\" ---
-.It Ic table Ar tid Ic add Aq Ar addr/mask
+.It Ic table Ar name Ic add Aq Ar addr/mask
 In table
-.Ar tid ,
+.Ar name ,
 add the IP address and optionally netmask, specified by
 .Aq Ar addr/mask .
 Only the tables of type "lpm" support masks.
-.It Ic table Ar tid Ic rem Aq Ar addr/mask
+.It Ic table Ar name Ic rem Aq Ar addr/mask
 In table
-.Ar tid ,
+.Ar name ,
 remove the IP address and optionally netmask, specified by
 .Aq Ar addr/mask .
 Only the tables of type "lpm" support masks.
-.It Ic table Ar tid Ic test Aq Ar addr
+.It Ic table Ar name Ic test Aq Ar addr
 Query the table
-.Ar tid
+.Ar name
 for a specific IP address, specified by
 .Ar addr .
 If no mask is specified, a single host is assumed.
-.It Ic table Ar tid Ic list
+.It Ic table Ar name Ic list
 List all entries in the currently loaded table specified by
-.Ar tid .
+.Ar name .
 This operation is expensive and should be used with caution.
+.It Ic table Ar name Ic replace Oo Fl n Ar newname Oc Oo Fl t Ar type Oc Aq Ar path
+Replace the existing table specified by
+.Ar name
+with a new table built from the file specified by
+.Ar path .
+Optionally, the new table will:
+.Bl -tag -width xx -compact -offset 3n
+.It Fl n Ar newname
+be named
+.Ar newname ,
+effectively renaming the table.
+If not specified, the name of the table being replaced will be used.
+.It Fl n Ar type
+be of type
+.Ar type ;
+currently supported types are
+.Cm ipset ,
+.Cm lpm ,
+or
+.Cm const .
+If not specified, the type of the table being replaced will be used.
+.El
 .\" ---
 .It Ic save
 Save the active configuration and a snapshot of the current connections.
@@ -201,6 +223,13 @@ Addition and removal of entries in the t
 # npfctl table "vip" add 10.0.0.1
 # npfctl table "vip" rem 182.168.0.0/24
 .Ed
+.Pp
+Replacing the existing table which has ID "svr"
+with a new const table populated from file "/tmp/npf_vps_new",
+and renamed to "vps":
+.Bd -literal -offset indent
+# npfctl table "svr" replace -n "vps" -t const "/tmp/npf_vps_new"
+.Ed
 .\" -
 .Sh SEE ALSO
 .Xr bpf 4 ,

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.61 src/usr.sbin/npf/npfctl/npfctl.c:1.62
--- src/usr.sbin/npf/npfctl/npfctl.c:1.61	Wed Aug 21 21:41:53 2019
+++ src/usr.sbin/npf/npfctl/npfctl.c	Sun Sep 29 16:58:35 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.61 2019/08/21 21:41:53 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.62 2019/09/29 16:58:35 rmind Exp $");
 
 #include 
 #include 
@@ -142,10 +142,14 @@ usage(void)
 	"\t%s rule \"rule-name\" { list | flush }\n",
 	progname);
 	fprintf(stderr,
-	"\t%s table  { add | rem | test } \n",
+	"\t%s table \"table-name\" { add | rem | test } \n",
 	progname);
 	fprintf(stderr,
-	"\t%s table  { list | flush }\n",
+	"\t%s table \"table-name\" { list | flush }\n",
+	progname);
+	fprintf(stderr,
+	"\t%s table \"table-name\" replace [-n \"name\"]"
+	" [-t ] \n",
 	progname);
 	fprintf(stderr,
 	"\t%s save | load\n",
@@ -275,7 +279,101 @@ npfctl_print_addrmask(int alen, const ch
 	return buf;
 }
 
-__dead static void
+static int
+npfctl_table_type(const char *typename)
+{
+	int i;
+
+	static const struct tbltype_s {
+		const char *name;
+		u_int type;
+	} tbltypes[] = {
+		{ "ipset",	NPF_TABLE_IPSET	},
+		{ "lpm",	NPF_TABLE_LPM	},
+		{ "const",	NPF_TABLE_CONST	},
+		{ NULL,		0		}
+	};
+
+	for (i = 0; tbltypes[i].name != NULL; i++) {
+		if (strcmp(typename, tbltypes[i].name) == 0) {
+			return tbltypes[i].type;
+		}
+	}
+
+	return 

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 16:58:35 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8 npfctl.c npfctl.h

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npfctl.8
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 28 21:48:14 UTC 2019

Modified Files:
src/distrib/sets/lists/comp: mi
src/share/man/man9: Makefile

Log Message:
Install thmap(9) man page.


To generate a diff of this commit:
cvs rdiff -u -r1.2283 -r1.2284 src/distrib/sets/lists/comp/mi
cvs rdiff -u -r1.439 -r1.440 src/share/man/man9/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 28 21:48:14 UTC 2019

Modified Files:
src/distrib/sets/lists/comp: mi
src/share/man/man9: Makefile

Log Message:
Install thmap(9) man page.


To generate a diff of this commit:
cvs rdiff -u -r1.2283 -r1.2284 src/distrib/sets/lists/comp/mi
cvs rdiff -u -r1.439 -r1.440 src/share/man/man9/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/sets/lists/comp/mi
diff -u src/distrib/sets/lists/comp/mi:1.2283 src/distrib/sets/lists/comp/mi:1.2284
--- src/distrib/sets/lists/comp/mi:1.2283	Fri Aug 23 08:17:27 2019
+++ src/distrib/sets/lists/comp/mi	Wed Aug 28 21:48:14 2019
@@ -1,4 +1,4 @@
-#	$NetBSD: mi,v 1.2283 2019/08/23 08:17:27 mrg Exp $
+#	$NetBSD: mi,v 1.2284 2019/08/28 21:48:14 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 ./etc/mtree/set.compcomp-sys-root
@@ -11899,6 +11899,7 @@
 ./usr/share/man/cat9/tc_syncbus.0		comp-sys-catman		.cat
 ./usr/share/man/cat9/tc_wmb.0			comp-sys-catman		.cat
 ./usr/share/man/cat9/tcp_congctl.0		comp-sys-catman		.cat
+./usr/share/man/cat9/thmap.0			comp-sys-catman		.cat
 ./usr/share/man/cat9/threadpool.0		comp-sys-catman		.cat
 ./usr/share/man/cat9/threadpool_cancel_job.0	comp-sys-catman		.cat
 ./usr/share/man/cat9/threadpool_cancel_job_async.0 comp-sys-catman	.cat
@@ -19791,6 +19792,7 @@
 ./usr/share/man/html9/tc_syncbus.html		comp-sys-htmlman	html
 ./usr/share/man/html9/tc_wmb.html		comp-sys-htmlman	html
 ./usr/share/man/html9/tcp_congctl.html		comp-sys-htmlman	html
+./usr/share/man/html9/thmap.html		comp-sys-htmlman	html
 ./usr/share/man/html9/threadpool.html		comp-sys-htmlman	html
 ./usr/share/man/html9/threadpool_cancel_job.html comp-sys-htmlman	html
 ./usr/share/man/html9/threadpool_cancel_job_async.html comp-sys-htmlman	html
@@ -27882,6 +27884,7 @@
 ./usr/share/man/man9/tc_syncbus.9		comp-sys-man		.man
 ./usr/share/man/man9/tc_wmb.9			comp-sys-man		.man
 ./usr/share/man/man9/tcp_congctl.9		comp-sys-man		.man
+./usr/share/man/man9/thmap.9			comp-sys-man		.man
 ./usr/share/man/man9/threadpool.9		comp-sys-man		.man
 ./usr/share/man/man9/threadpool_cancel_job.9	comp-sys-man		.man
 ./usr/share/man/man9/threadpool_cancel_job_async.9 comp-sys-man		.man

Index: src/share/man/man9/Makefile
diff -u src/share/man/man9/Makefile:1.439 src/share/man/man9/Makefile:1.440
--- src/share/man/man9/Makefile:1.439	Sat Aug 10 23:33:10 2019
+++ src/share/man/man9/Makefile	Wed Aug 28 21:48:14 2019
@@ -1,4 +1,4 @@
-#   $NetBSD: Makefile,v 1.439 2019/08/10 23:33:10 mrg Exp $
+#   $NetBSD: Makefile,v 1.440 2019/08/28 21:48:14 rmind Exp $
 
 #	Makefile for section 9 (kernel function and variable) manual pages.
 
@@ -55,7 +55,7 @@ MAN=	accept_filter.9 accf_data.9 accf_ht
 	spi.9 splraiseipl.9 \
 	suspendsched.9 \
 	sysctl.9 sysmon_envsys.9 sysmon_pswitch.9 sysmon_taskq.9 tc.9 \
-	tcp_congctl.9 threadpool.9 timecounter.9 time_second.9 todr.9 \
+	tcp_congctl.9 thmap.9 threadpool.9 timecounter.9 time_second.9 todr.9 \
 	ts2timo.9 tvtohz.9 \
 	ubc.9 ucas.9 ucom.9 ufetch.9 uiomove.9 \
 	usbd_status.9 usbdi.9 usbnet.9 \

CVS commit: src/share/man/man9

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 28 20:08:11 UTC 2019

Added Files:
src/share/man/man9: thmap.9

Log Message:
Add thmap(9) man page.  Reviewed by wiz@.
Forgot to commit it half a year ago.


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/share/man/man9/thmap.9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: src/share/man/man9/thmap.9
diff -u /dev/null src/share/man/man9/thmap.9:1.1
--- /dev/null	Wed Aug 28 20:08:11 2019
+++ src/share/man/man9/thmap.9	Wed Aug 28 20:08:11 2019
@@ -0,0 +1,236 @@
+.\"
+.\" Copyright (c) 2018 Mindaugas Rasiukevicius 
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd December 11, 2018
+.Dt THMAP 9
+.Os
+.Sh NAME
+.Nm thmap
+.Nd concurrent trie-hash map
+.Sh SYNOPSIS
+.In thmap.h
+.\" -
+.Ft thmap_t *
+.Fn thmap_create "uintptr_t baseptr" "const thmap_ops_t *ops" "unsigned flags"
+.Ft void
+.Fn thmap_destroy "thmap_t *hmap"
+.Ft void *
+.Fn thmap_get "thmap_t *hmap" "const void *key" "size_t len"
+.Ft void *
+.Fn thmap_put "thmap_t *hmap" "const void *key" "size_t len" "void *val"
+.Ft void *
+.Fn thmap_del "thmap_t *hmap" "const void *key" "size_t len"
+.Ft void *
+.Fn thmap_stage_gc "thmap_t *hmap"
+.Ft void
+.Fn thmap_gc "thmap_t *hmap" "void *ref"
+.Ft void
+.Fn thmap_setroot "thmap_t *thmap" "uintptr_t root_offset"
+.Ft uintptr_t
+.Fn thmap_getroot "const thmap_t *thmap"
+.\" -
+.Sh DESCRIPTION
+Concurrent trie-hash map \(em a general purpose associative array,
+combining the elements of hashing and radix trie.
+Highlights:
+.Pp
+.Bl -hyphen -compact
+.It
+Very competitive performance, with logarithmic time complexity on average.
+.It
+Lookups are lock-free and inserts/deletes are using fine-grained locking.
+.It
+Incremental growth of the data structure (no large resizing/rehashing).
+.It
+Optional support for use with shared memory, e.g. memory-mapped file.
+.El
+.Pp
+Delete operations (the key/data destruction) must be synchronized with
+the readers using some reclamation mechanism.
+.\" -
+.Sh FUNCTIONS
+.Bl -tag -width thmap_create
+.It Fn thmap_create
+Construct a new trie-hash map.
+The optional
+.Fa ops
+parameter can
+used to set the custom allocate/free operations (see the description of
+.Vt thmap_ops_t
+below).
+In such case, the
+.Fa baseptr
+is the base (start) address of the address space mapping (it must be
+word-aligned).
+If
+.Fa ops
+is set to
+.Dv NULL ,
+then
+.Xr malloc 3
+and
+.Xr free 3
+will be used as the default operations and
+.Fa baseptr
+should be set to zero.
+Currently, the supported
+.Fa flags
+are:
+.Bl -tag -width THMAP_NOCOPY
+.It Dv THMAP_NOCOPY
+The keys on insert will not be copied and the given pointers to them will
+be expected to be valid and the values constant until the key is deleted;
+by default, the put operation will make a copy of the key.
+.It Dv THMAP_SETROOT
+Indicate that the root of the map will be manually set using the
+.Fn thmap_setroot
+routine;
+by default, the map is initialized and the root node is set on
+.Fn thmap_create .
+.El
+.\" ---
+.It Fn thmap_destroy
+Destroy the map, freeing the memory it uses.
+.\" ---
+.It Fn thmap_get
+Lookup the key (of a given length) and return the value associated with it.
+Return
+.Dv NULL
+if 

CVS commit: src/share/man/man9

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 28 20:08:11 UTC 2019

Added Files:
src/share/man/man9: thmap.9

Log Message:
Add thmap(9) man page.  Reviewed by wiz@.
Forgot to commit it half a year ago.


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/share/man/man9/thmap.9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 17:38:25 UTC 2019

Modified Files:
src/sys/net/npf: npf_ctl.c npf_impl.h npf_os.c

Log Message:
 ake npfctl_switch() and pfil private to OS-specific module.


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.78 -r1.79 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_os.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.57 src/sys/net/npf/npf_ctl.c:1.58
--- src/sys/net/npf/npf_ctl.c:1.57	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_ctl.c	Sun Aug 25 17:38:25 2019
@@ -36,7 +36,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.57 2019/08/25 13:21:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.58 2019/08/25 17:38:25 rmind Exp $");
 
 #include 
 #include 
@@ -53,28 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 
 	nvlist_add_string((e), "source-file", __FILE__); \
 	nvlist_add_number((e), "source-line", __LINE__);
 
-#ifdef _KERNEL
-/*
- * npfctl_switch: enable or disable packet inspection.
- */
-int
-npfctl_switch(void *data)
-{
-	const bool onoff = *(int *)data ? true : false;
-	int error;
-
-	if (onoff) {
-		/* Enable: add pfil hooks. */
-		error = npf_pfil_register(false);
-	} else {
-		/* Disable: remove pfil hooks. */
-		npf_pfil_unregister(false);
-		error = 0;
-	}
-	return error;
-}
-#endif
-
 static int
 npf_nvlist_copyin(npf_t *npf, void *data, nvlist_t **nvl)
 {
@@ -731,7 +709,7 @@ npfctl_save(npf_t *npf, u_long cmd, void
 	if (error) {
 		goto out;
 	}
-	nvlist_add_bool(npf_dict, "active", npf_pfil_registered_p());
+	nvlist_add_bool(npf_dict, "active", npf_active_p());
 	error = npf_nvlist_copyout(npf, data, npf_dict);
 	npf_dict = NULL;
 out:

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.78 src/sys/net/npf/npf_impl.h:1.79
--- src/sys/net/npf/npf_impl.h:1.78	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_impl.h	Sun Aug 25 17:38:25 2019
@@ -289,6 +289,7 @@ npf_ruleset_t *	npf_config_ruleset(npf_t
 npf_ruleset_t *	npf_config_natset(npf_t *npf);
 npf_tableset_t *npf_config_tableset(npf_t *npf);
 bool		npf_default_pass(npf_t *);
+bool		npf_active_p(void);
 
 int		npf_worker_sysinit(unsigned);
 void		npf_worker_sysfini(void);
@@ -296,8 +297,6 @@ void		npf_worker_signal(npf_t *);
 void		npf_worker_register(npf_t *, npf_workfunc_t);
 void		npf_worker_unregister(npf_t *, npf_workfunc_t);
 
-int		npfctl_switch(void *);
-int		npfctl_reload(u_long, void *);
 int		npfctl_save(npf_t *, u_long, void *);
 int		npfctl_load(npf_t *, u_long, void *);
 int		npfctl_rule(npf_t *, u_long, void *);
@@ -327,11 +326,6 @@ void		npf_ifaddr_sync(npf_t *, ifnet_t *
 void		npf_ifaddr_flush(npf_t *, ifnet_t *);
 void		npf_ifaddr_syncall(npf_t *);
 
-/* Packet filter hooks. */
-int		npf_pfil_register(bool);
-void		npf_pfil_unregister(bool);
-bool		npf_pfil_registered_p(void);
-
 /* Protocol helpers. */
 int		npf_cache_all(npf_cache_t *);
 void		npf_recache(npf_cache_t *);

Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.16 src/sys/net/npf/npf_os.c:1.17
--- src/sys/net/npf/npf_os.c:1.16	Sun Aug 25 13:21:03 2019
+++ src/sys/net/npf/npf_os.c	Sun Aug 25 17:38:25 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.16 2019/08/25 13:21:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.17 2019/08/25 17:38:25 rmind Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pf.h"
@@ -84,6 +84,9 @@ MODULE(MODULE_CLASS_MISC, npf, "bpf");
 MODULE(MODULE_CLASS_DRIVER, npf, "bpf");
 #endif
 
+static int	npf_pfil_register(bool);
+static void	npf_pfil_unregister(bool);
+
 static int	npf_dev_open(dev_t, int, int, lwp_t *);
 static int	npf_dev_close(dev_t, int, int, lwp_t *);
 static int	npf_dev_ioctl(dev_t, u_long, void *, int, lwp_t *);
@@ -226,6 +229,26 @@ npf_stats_export(npf_t *npf, void *data)
 	return error;
 }
 
+/*
+ * npfctl_switch: enable or disable packet inspection.
+ */
+static int
+npfctl_switch(void *data)
+{
+	const bool onoff = *(int *)data ? true : false;
+	int error;
+
+	if (onoff) {
+		/* Enable: add pfil hooks. */
+		error = npf_pfil_register(false);
+	} else {
+		/* Disable: remove pfil hooks. */
+		npf_pfil_unregister(false);
+		error = 0;
+	}
+	return error;
+}
+
 static int
 npf_dev_ioctl(dev_t dev, u_long cmd, void *data, int flag, lwp_t *l)
 {
@@ -290,7 +313,7 @@ bool
 npf_autounload_p(void)
 {
 	npf_t *npf = npf_getkernctx();
-	return !npf_pfil_registered_p() && npf_default_pass(npf);
+	return !npf_active_p() && npf_default_pass(npf);
 }
 
 /*
@@ -394,7 +417,7 @@ npf_ifaddrhook(void *arg, u_long cmd, vo
 /*
  * npf_pfil_register: register pfil(9) hooks.
  */
-int
+static int
 npf_pfil_register(bool init)
 {
 	npf_t *npf = npf_getkernctx();
@@ -463,7 +486,7 @@ out:
 /*
  * npf_pfil_unregister: 

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 17:38:25 UTC 2019

Modified Files:
src/sys/net/npf: npf_ctl.c npf_impl.h npf_os.c

Log Message:
 ake npfctl_switch() and pfil private to OS-specific module.


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.78 -r1.79 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_os.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 16:38:21 UTC 2019

Modified Files:
src/sys/net/npf: npf.h
src/sys/sys: mbuf.h

Log Message:
Move PACKET_TAG_NPF where it belongs to.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/sys/net/npf/npf.h
cvs rdiff -u -r1.219 -r1.220 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 16:38:21 UTC 2019

Modified Files:
src/sys/net/npf: npf.h
src/sys/sys: mbuf.h

Log Message:
Move PACKET_TAG_NPF where it belongs to.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/sys/net/npf/npf.h
cvs rdiff -u -r1.219 -r1.220 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.61 src/sys/net/npf/npf.h:1.62
--- src/sys/net/npf/npf.h:1.61	Wed Aug 21 21:45:47 2019
+++ src/sys/net/npf/npf.h	Sun Aug 25 16:38:20 2019
@@ -253,8 +253,9 @@ bool		npf_autounload_p(void);
 #define	NPF_LAYER_2			2
 #define	NPF_LAYER_3			3
 
-/* XXX mbuf.h: just for now. */
-#define	PACKET_TAG_NPF			10
+/*
+ * Flags passed via nbuf tags.
+ */
 #define	NPF_NTAG_PASS			0x0001
 
 /*

Index: src/sys/sys/mbuf.h
diff -u src/sys/sys/mbuf.h:1.219 src/sys/sys/mbuf.h:1.220
--- src/sys/sys/mbuf.h:1.219	Thu Jan 17 02:47:15 2019
+++ src/sys/sys/mbuf.h	Sun Aug 25 16:38:20 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $	*/
+/*	$NetBSD: mbuf.h,v 1.220 2019/08/25 16:38:20 rmind Exp $	*/
 
 /*
  * Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
@@ -799,6 +799,7 @@ int	m_tag_copy_chain(struct mbuf *, stru
 /* Packet tag types */
 #define PACKET_TAG_NONE			0  /* Nothing */
 #define PACKET_TAG_SO			4  /* sending socket pointer */
+#define PACKET_TAG_NPF			10 /* packet filter */
 #define PACKET_TAG_PF			11 /* packet filter */
 #define PACKET_TAG_ALTQ_QID		12 /* ALTQ queue id */
 #define PACKET_TAG_IPSEC_OUT_DONE	18

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 13:21:04 UTC 2019

Modified Files:
src/sys/net/npf: npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
npf_ifaddr.c npf_impl.h npf_nat.c npf_os.c
src/usr.sbin/npf/npfctl: npf_bpf_comp.c
src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c

Log Message:
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf.c
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.56 -r1.57 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_ifaddr.c
cvs rdiff -u -r1.77 -r1.78 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.18 -r1.19 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.c
diff -u src/sys/net/npf/npf.c:1.40 src/sys/net/npf/npf.c:1.41
--- src/sys/net/npf/npf.c:1.40	Sun Aug 11 20:26:33 2019
+++ src/sys/net/npf/npf.c	Sun Aug 25 13:21:03 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.40 2019/08/11 20:26:33 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.41 2019/08/25 13:21:03 rmind Exp $");
 
 #include 
 #include 
@@ -72,7 +72,7 @@ npfk_create(int flags, const npf_mbufops
 	npf_t *npf;
 
 	npf = kmem_zalloc(sizeof(npf_t), KM_SLEEP);
-	npf->qsbr = pserialize_create();
+	npf->ebr = npf_ebr_create();
 	npf->stats_percpu = percpu_alloc(NPF_STATS_SIZE);
 	npf->mbufops = mbufops;
 
@@ -111,7 +111,7 @@ npfk_destroy(npf_t *npf)
 	npf_state_sysfini(npf);
 	npf_param_fini(npf);
 
-	pserialize_destroy(npf->qsbr);
+	npf_ebr_destroy(npf->ebr);
 	percpu_free(npf->stats_percpu, NPF_STATS_SIZE);
 	kmem_free(npf, sizeof(npf_t));
 }
@@ -131,14 +131,14 @@ npfk_gc(npf_t *npf)
 __dso_public void
 npfk_thread_register(npf_t *npf)
 {
-	pserialize_register(npf->qsbr);
+	npf_ebr_register(npf->ebr);
 }
 
 __dso_public void
 npfk_thread_unregister(npf_t *npf)
 {
-	pserialize_perform(npf->qsbr);
-	pserialize_unregister(npf->qsbr);
+	npf_ebr_full_sync(npf->ebr);
+	npf_ebr_unregister(npf->ebr);
 }
 
 void

Index: src/sys/net/npf/npf_alg.c
diff -u src/sys/net/npf/npf_alg.c:1.20 src/sys/net/npf/npf_alg.c:1.21
--- src/sys/net/npf/npf_alg.c:1.20	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_alg.c	Sun Aug 25 13:21:03 2019
@@ -33,13 +33,12 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.20 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.21 2019/08/25 13:21:03 rmind Exp $");
 
 #include 
 #include 
 
 #include 
-#include 
 #include 
 #endif
 
@@ -185,7 +184,7 @@ npf_alg_unregister(npf_t *npf, npf_alg_t
 	afuncs->match = NULL;
 	afuncs->translate = NULL;
 	afuncs->inspect = NULL;
-	pserialize_perform(npf->qsbr);
+	npf_ebr_full_sync(npf->ebr);
 
 	/* Finally, unregister the ALG. */
 	npf_ruleset_freealg(npf_config_natset(npf), alg);
@@ -210,13 +209,14 @@ npf_alg_unregister(npf_t *npf, npf_alg_t
 bool
 npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di)
 {
-	npf_algset_t *aset = npc->npc_ctx->algset;
+	npf_t *npf = npc->npc_ctx;
+	npf_algset_t *aset = npf->algset;
 	bool match = false;
 	int s;
 
 	KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
 
-	s = pserialize_read_enter();
+	s = npf_ebr_enter(npf->ebr);
 	for (unsigned i = 0; i < aset->alg_count; i++) {
 		const npfa_funcs_t *f = >alg_funcs[i];
 
@@ -225,7 +225,7 @@ npf_alg_match(npf_cache_t *npc, npf_nat_
 			break;
 		}
 	}
-	pserialize_read_exit(s);
+	npf_ebr_exit(npf->ebr, s);
 	return match;
 }
 
@@ -243,12 +243,13 @@ npf_alg_match(npf_cache_t *npc, npf_nat_
 void
 npf_alg_exec(npf_cache_t *npc, npf_nat_t *nt, bool forw)
 {
-	npf_algset_t *aset = npc->npc_ctx->algset;
+	npf_t *npf = npc->npc_ctx;
+	npf_algset_t *aset = npf->algset;
 	int s;
 
 	KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
 
-	s = pserialize_read_enter();
+	s = npf_ebr_enter(npf->ebr);
 	for (unsigned i = 0; i < aset->alg_count; i++) {
 		const npfa_funcs_t *f = >alg_funcs[i];
 
@@ -256,11 +257,11 @@ npf_alg_exec(npf_cache_t *npc, npf_nat_t
 			f->translate(npc, nt, forw);
 		}
 	}
-	pserialize_read_exit(s);
+	npf_ebr_exit(npf->ebr, s);
 }
 
 /*
- * npf_alg_conn: query ALGs giving which may perform a custom state lookup.
+ * npf_alg_conn: query ALGs which may perform a custom state lookup.
  *
  *	The purpose of ALG connection inspection function is to provide
  *	ALGs with a mechanism to override the regular connection state

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 25 13:21:04 UTC 2019

Modified Files:
src/sys/net/npf: npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
npf_ifaddr.c npf_impl.h npf_nat.c npf_os.c
src/usr.sbin/npf/npfctl: npf_bpf_comp.c
src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c

Log Message:
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf.c
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.56 -r1.57 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_ifaddr.c
cvs rdiff -u -r1.77 -r1.78 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.18 -r1.19 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sat Aug 24 13:20:52 UTC 2019

Modified Files:
src/lib/libnpf: Makefile
src/lib/npf: mod.mk
src/libexec/identd: Makefile
src/usr.sbin/npf/npfctl: Makefile
src/usr.sbin/npf/npfd: Makefile

Log Message:
libnpf fix: link the library itself to libnv; libnpf users should not be
expected to assume this dependency.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/lib/libnpf/Makefile
cvs rdiff -u -r1.7 -r1.8 src/lib/npf/mod.mk
cvs rdiff -u -r1.17 -r1.18 src/libexec/identd/Makefile
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/Makefile
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfd/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sat Aug 24 13:20:52 UTC 2019

Modified Files:
src/lib/libnpf: Makefile
src/lib/npf: mod.mk
src/libexec/identd: Makefile
src/usr.sbin/npf/npfctl: Makefile
src/usr.sbin/npf/npfd: Makefile

Log Message:
libnpf fix: link the library itself to libnv; libnpf users should not be
expected to assume this dependency.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/lib/libnpf/Makefile
cvs rdiff -u -r1.7 -r1.8 src/lib/npf/mod.mk
cvs rdiff -u -r1.17 -r1.18 src/libexec/identd/Makefile
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/Makefile
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfd/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/Makefile
diff -u src/lib/libnpf/Makefile:1.10 src/lib/libnpf/Makefile:1.11
--- src/lib/libnpf/Makefile:1.10	Sun Jan 27 04:39:33 2019
+++ src/lib/libnpf/Makefile	Sat Aug 24 13:20:52 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.10 2019/01/27 04:39:33 dholland Exp $
+# $NetBSD: Makefile,v 1.11 2019/08/24 13:20:52 rmind Exp $
 
 USE_SHLIBDIR=   yes
 
@@ -12,8 +12,12 @@ SRCS=		npf.c
 INCS=		npf.h
 INCSDIR=	/usr/include
 
+LIBNV!=		cd ${NETBSDSRCDIR}/external/bsd/libnv/lib && ${PRINTOBJDIR}
 CPPFLAGS+=	-I${NETBSDSRCDIR}/sys/external/bsd/libnv/dist
 
+DPADD+=		${LIBNV}/libnv.a
+LDADD+=		-L${LIBNV} -lnv
+
 WARNS=		5
 
 .include 

Index: src/lib/npf/mod.mk
diff -u src/lib/npf/mod.mk:1.7 src/lib/npf/mod.mk:1.8
--- src/lib/npf/mod.mk:1.7	Sat Sep 29 14:41:36 2018
+++ src/lib/npf/mod.mk	Sat Aug 24 13:20:52 2019
@@ -1,4 +1,4 @@
-#	$NetBSD: mod.mk,v 1.7 2018/09/29 14:41:36 rmind Exp $
+#	$NetBSD: mod.mk,v 1.8 2019/08/24 13:20:52 rmind Exp $
 
 .include 
 
@@ -25,8 +25,6 @@ SHLIBINSTALLDIR=${LIBROOTDIR}/npf
 
 LIB=		${MOD}
 SRCS=		npf${MOD}.c
-
-CPPFLAGS+=	-I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist
 LIBDPLIBS+=	npf ${NETBSDSRCDIR}/lib/libnpf
 
 .include 

Index: src/libexec/identd/Makefile
diff -u src/libexec/identd/Makefile:1.17 src/libexec/identd/Makefile:1.18
--- src/libexec/identd/Makefile:1.17	Sat Sep 29 14:41:37 2018
+++ src/libexec/identd/Makefile	Sat Aug 24 13:20:52 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.17 2018/09/29 14:41:37 rmind Exp $
+# $NetBSD: Makefile,v 1.18 2019/08/24 13:20:52 rmind Exp $
 
 .include 
 
@@ -22,10 +22,6 @@ CPPFLAGS+=-DWITH_PF
 .if (${MKNPF} != "no")
 SRCS+=	npf.c
 CPPFLAGS+=-DWITH_NPF
-
-PROGDPLIBS+= nv ${NETBSDSRCDIR}/external/bsd/libnv/lib
-CPPFLAGS+= -I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist
-
 LDADD+=-lnpf
 DPADD+=${LIBNPF}
 .endif

Index: src/usr.sbin/npf/npfctl/Makefile
diff -u src/usr.sbin/npf/npfctl/Makefile:1.13 src/usr.sbin/npf/npfctl/Makefile:1.14
--- src/usr.sbin/npf/npfctl/Makefile:1.13	Sat Sep 29 14:41:36 2018
+++ src/usr.sbin/npf/npfctl/Makefile	Sat Aug 24 13:20:52 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.13 2018/09/29 14:41:36 rmind Exp $
+# $NetBSD: Makefile,v 1.14 2019/08/24 13:20:52 rmind Exp $
 
 .include 
 
@@ -13,9 +13,6 @@ CPPFLAGS+=	-I${.CURDIR}
 SRCS+=		npf_scan.l npf_parse.y
 YHEADER=	1
 
-PROGDPLIBS+=	nv ${NETBSDSRCDIR}/external/bsd/libnv/lib
-CPPFLAGS+=	-I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist
-
 LDADD+=		-lnpf -lpcap -lutil -ly
 DPADD+=		${LIBNPF} ${LIBUTIL} ${LIBPCAP} ${LIBUTIL} ${LIBY}
 

Index: src/usr.sbin/npf/npfd/Makefile
diff -u src/usr.sbin/npf/npfd/Makefile:1.6 src/usr.sbin/npf/npfd/Makefile:1.7
--- src/usr.sbin/npf/npfd/Makefile:1.6	Sat Sep 29 14:41:36 2018
+++ src/usr.sbin/npf/npfd/Makefile	Sat Aug 24 13:20:52 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.6 2018/09/29 14:41:36 rmind Exp $
+# $NetBSD: Makefile,v 1.7 2019/08/24 13:20:52 rmind Exp $
 #
 # Public Domain
 #
@@ -9,9 +9,6 @@ MAN=		npfd.8
 SRCS=		npfd.c npfd_log.c
 CPPFLAGS+=	-I${.CURDIR}
 
-PROGDPLIBS+=	nv ${NETBSDSRCDIR}/external/bsd/libnv/lib
-CPPFLAGS+=	-I ${NETBSDSRCDIR}/sys/external/bsd/libnv/dist
-
 LDADD+=		-lnpf -lpcap -lutil
 DPADD+=		${LIBNPF} ${LIBPCAP} ${LIBUTIL}
 

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 21 21:45:47 UTC 2019

Modified Files:
src/lib/libnpf: libnpf.3 npf.c npf.h
src/sys/net/npf: npf.h npf_ctl.c npf_impl.h npf_os.c npf_tableset.c

Log Message:
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.46 -r1.47 src/lib/libnpf/npf.c
cvs rdiff -u -r1.36 -r1.37 src/lib/libnpf/npf.h
cvs rdiff -u -r1.60 -r1.61 src/sys/net/npf/npf.h
cvs rdiff -u -r1.55 -r1.56 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.76 -r1.77 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 21 21:45:47 UTC 2019

Modified Files:
src/lib/libnpf: libnpf.3 npf.c npf.h
src/sys/net/npf: npf.h npf_ctl.c npf_impl.h npf_os.c npf_tableset.c

Log Message:
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.46 -r1.47 src/lib/libnpf/npf.c
cvs rdiff -u -r1.36 -r1.37 src/lib/libnpf/npf.h
cvs rdiff -u -r1.60 -r1.61 src/sys/net/npf/npf.h
cvs rdiff -u -r1.55 -r1.56 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.76 -r1.77 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_tableset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/libnpf.3
diff -u src/lib/libnpf/libnpf.3:1.9 src/lib/libnpf/libnpf.3:1.10
--- src/lib/libnpf/libnpf.3:1.9	Tue Jul 23 14:18:20 2019
+++ src/lib/libnpf/libnpf.3	Wed Aug 21 21:45:47 2019
@@ -1,4 +1,4 @@
-.\"	$NetBSD: libnpf.3,v 1.9 2019/07/23 14:18:20 wiz Exp $
+.\"	$NetBSD: libnpf.3,v 1.10 2019/08/21 21:45:47 rmind Exp $
 .\"
 .\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 14, 2019
+.Dd August 21, 2019
 .Dt LIBNPF 3
 .Os
 .Sh NAME
@@ -41,7 +41,7 @@
 .Ft nl_config_t *
 .Fn npf_config_create "void"
 .Ft int
-.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo"
+.Fn npf_config_submit "nl_config_t *ncf" "int fd" "npf_error_t *errinfo"
 .Ft nl_config_t *
 .Fn npf_config_retrieve "int fd"
 .Ft int
@@ -104,6 +104,8 @@
 "const npf_addr_t *addr" "const npf_netmask_t mask"
 .Ft int
 .Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl"
+.Ft int
+.Fn npf_table_replace "int fd" "nl_table_t *tl" "npf_error_t *errinfo"
 .Ft void
 .Fn npf_table_destroy "nl_table_t *tl"
 .\" -
@@ -347,7 +349,9 @@ for IPv4 or
 for IPv6 address.
 Additionally,
 .Fa mask
-may be specified to indicate the translation network.
+may be specified to indicate the translation network;
+otherwise, it should be set to
+.Dv NPF_NO_NETMASK .
 In such case, a custom algorithm may need to be specified using the
 .Fn npf_nat_setalgo
 function.
@@ -423,11 +427,25 @@ must be either
 for IPv4 or
 .Dv AF_INET6
 for IPv6 address.
+If there is no mask, then
+.Fa mask
+should be set to
+.Dv NPF_NO_NETMASK .
+.\" ---
 .It Fn npf_table_insert "ncf" "tl"
 Add the table to the configuration object.
 This routine performs a check for duplicate table IDs.
 The table must not be referenced after insertion.
 .\" ---
+.It Fn npf_table_replace "fd" "tl" "errinfo"
+Submit the table object, specified by
+.Fa tl ,
+to the kernel, to replace the existing table with the
+corresponding table name and ID.
+On failure, the error information is written into the structure
+specified by
+.Fa errinfo .
+.\" ---
 .It Fn npf_table_destroy "tl"
 Destroy the specified table.
 .El

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.46 src/lib/libnpf/npf.c:1.47
--- src/lib/libnpf/npf.c:1.46	Tue Jul 23 00:52:01 2019
+++ src/lib/libnpf/npf.c	Wed Aug 21 21:45:47 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.46 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.47 2019/08/21 21:45:47 rmind Exp $");
 
 #include 
 #include 
@@ -203,6 +203,30 @@ _npf_rules_process(nl_config_t *ncf, nvl
 }
 
 /*
+ * _npf_extract_error: check the error number field and extract the
+ * error details into the npf_error_t structure.
+ */
+static int
+_npf_extract_error(nvlist_t *resp, npf_error_t *errinfo)
+{
+	int error;
+
+	error = dnvlist_get_number(resp, "errno", 0);
+	if (error && errinfo) {
+		memset(errinfo, 0, sizeof(npf_error_t));
+
+		errinfo->id = dnvlist_get_number(resp, "id", 0);
+		errinfo->error_msg =
+		dnvlist_take_string(resp, "error-msg", NULL);
+		errinfo->source_file =
+		dnvlist_take_string(resp, "source-file", NULL);
+		errinfo->source_line =
+		dnvlist_take_number(resp, "source-line", 0);
+	}
+	return error;
+}
+
+/*
  * CONFIGURATION INTERFACE.
  */
 
@@ -233,17 +257,7 @@ npf_config_submit(nl_config_t *ncf, int 
 		assert(errnv == NULL);
 		return errno;
 	}
-	error = dnvlist_get_number(errnv, "errno", 0);
-	if (error && errinfo) {
-		memset(errinfo, 0, sizeof(npf_error_t));
-		errinfo->id = dnvlist_get_number(errnv, "id", 0);
-		errinfo->error_msg =
-		dnvlist_take_string(errnv, "error-msg", NULL);
-		errinfo->source_file =
-		dnvlist_take_string(errnv, "source-file", NULL);
-		errinfo->source_line =
-		dnvlist_take_number(errnv, "source-line", 0);
-	}
+	error = _npf_extract_error(errnv, errinfo);
 	nvlist_destroy(errnv);
 	return error;
 }
@@ -949,7 +963,7 @@ 

CVS commit: src/usr.sbin/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 21 21:41:54 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.c
src/usr.sbin/npf/npftest/libnpftest: npf_mbuf_subr.c npf_nbuf_test.c

Log Message:
- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes.  No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c \
src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Aug 21 21:41:54 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.c
src/usr.sbin/npf/npftest/libnpftest: npf_mbuf_subr.c npf_nbuf_test.c

Log Message:
- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes.  No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c \
src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.60 src/usr.sbin/npf/npfctl/npfctl.c:1.61
--- src/usr.sbin/npf/npfctl/npfctl.c:1.60	Thu Jul 25 00:48:55 2019
+++ src/usr.sbin/npf/npfctl/npfctl.c	Wed Aug 21 21:41:53 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.60 2019/07/25 00:48:55 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.61 2019/08/21 21:41:53 rmind Exp $");
 
 #include 
 #include 
@@ -701,7 +701,7 @@ npfctl_open_dev(const char *path)
 	if (kernver != NPF_VERSION) {
 		errx(EXIT_FAILURE,
 		"incompatible NPF interface version (%d, kernel %d)\n"
-		"Hint: update %s?", NPF_VERSION, kernver, 
+		"Hint: update %s?", NPF_VERSION, kernver,
 		kernver > NPF_VERSION ? "userland" : "kernel");
 	}
 	return fd;

Index: src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c:1.9 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c:1.10
--- src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c:1.9	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c	Wed Aug 21 21:41:53 2019
@@ -101,6 +101,7 @@ npfkern_m_ensure_contig(struct mbuf **m0
 		memcpy(dptr, m->m_data, m->m_len);
 		dptr += m->m_len;
 	}
+	npfkern_m_freem(*m0);
 	*m0 = m1;
 	(void)len;
 	return true;
Index: src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.9 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.10
--- src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.9	Thu Jul 25 01:18:05 2019
+++ src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c	Wed Aug 21 21:41:53 2019
@@ -190,22 +190,22 @@ validate_mbuf_data(char *bufa, char *buf
 bool
 npf_nbuf_test(bool verbose)
 {
-	struct mbuf *m1, *m2;
+	struct mbuf *m;
 	char *bufa, *bufb;
 	unsigned n = 1;
 	bool ok;
 
 	while (n--) {
-		m1 = mbuf_random_len(MBUF_CHAIN_LEN);
-		bufa = mbuf_getstring(m1);
-		bufb = parse_nbuf_chain(m1);
+		m = mbuf_random_len(MBUF_CHAIN_LEN);
+		bufa = mbuf_getstring(m);
+		bufb = parse_nbuf_chain(m);
 		ok = validate_mbuf_data(bufa, bufb);
 		CHECK_TRUE(ok);
 	}
 
-	m2 = mbuf_bytesize(MBUF_CHAIN_LEN);
-	bufa = mbuf_getstring(m2);
-	bufb = parse_nbuf_chain(m2);
+	m = mbuf_bytesize(MBUF_CHAIN_LEN);
+	bufa = mbuf_getstring(m);
+	bufb = parse_nbuf_chain(m);
 	ok = validate_mbuf_data(bufa, bufb);
 	CHECK_TRUE(ok);
 

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 11 20:26:34 UTC 2019

Modified Files:
src/sys/net/npf: npf.c npf_conf.c npf_conn.h npf_ctl.c npf_handler.c
npf_if.c npf_impl.h npf_inet.c npf_nat.c npf_os.c npf_params.c
npf_portmap.c npf_worker.c npfkern.h
src/usr.sbin/npf/npftest/libnpftest: npf_conn_test.c npf_nat_test.c
npf_perf_test.c npf_rule_test.c npf_test_subr.c

Log Message:
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf.c
cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_conf.c \
src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.54 -r1.55 src/sys/net/npf/npf_ctl.c \
src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_if.c
cvs rdiff -u -r1.75 -r1.76 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_params.c
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_portmap.c \
src/sys/net/npf/npfkern.h
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_worker.c
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npftest/libnpftest/npf_conn_test.c
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npftest/libnpftest/npf_nat_test.c
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c
cvs rdiff -u -r1.17 -r1.18 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
cvs rdiff -u -r1.15 -r1.16 \
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.c
diff -u src/sys/net/npf/npf.c:1.39 src/sys/net/npf/npf.c:1.40
--- src/sys/net/npf/npf.c:1.39	Tue Aug  6 11:40:15 2019
+++ src/sys/net/npf/npf.c	Sun Aug 11 20:26:33 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.39 2019/08/06 11:40:15 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.40 2019/08/11 20:26:33 rmind Exp $");
 
 #include 
 #include 
@@ -49,7 +49,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.39
 static __read_mostly npf_t *	npf_kernel_ctx = NULL;
 
 __dso_public int
-npf_sysinit(unsigned nworkers)
+npfk_sysinit(unsigned nworkers)
 {
 	npf_bpf_sysinit();
 	npf_tableset_sysinit();
@@ -58,7 +58,7 @@ npf_sysinit(unsigned nworkers)
 }
 
 __dso_public void
-npf_sysfini(void)
+npfk_sysfini(void)
 {
 	npf_worker_sysfini();
 	npf_nat_sysfini();
@@ -67,7 +67,7 @@ npf_sysfini(void)
 }
 
 __dso_public npf_t *
-npf_create(int flags, const npf_mbufops_t *mbufops, const npf_ifops_t *ifops)
+npfk_create(int flags, const npf_mbufops_t *mbufops, const npf_ifops_t *ifops)
 {
 	npf_t *npf;
 
@@ -94,7 +94,7 @@ npf_create(int flags, const npf_mbufops_
 }
 
 __dso_public void
-npf_destroy(npf_t *npf)
+npfk_destroy(npf_t *npf)
 {
 	/*
 	 * Destroy the current configuration.  Note: at this point all
@@ -117,25 +117,25 @@ npf_destroy(npf_t *npf)
 }
 
 __dso_public int
-npf_load(npf_t *npf, void *config_ref, npf_error_t *err)
+npfk_load(npf_t *npf, void *config_ref, npf_error_t *err)
 {
 	return npfctl_load(npf, 0, config_ref);
 }
 
 __dso_public void
-npf_gc(npf_t *npf)
+npfk_gc(npf_t *npf)
 {
 	npf_conn_worker(npf);
 }
 
 __dso_public void
-npf_thread_register(npf_t *npf)
+npfk_thread_register(npf_t *npf)
 {
 	pserialize_register(npf->qsbr);
 }
 
 __dso_public void
-npf_thread_unregister(npf_t *npf)
+npfk_thread_unregister(npf_t *npf)
 {
 	pserialize_perform(npf->qsbr);
 	pserialize_unregister(npf->qsbr);
@@ -198,14 +198,14 @@ npf_stats_clear_cb(void *mem, void *arg,
  */
 
 __dso_public void
-npf_stats(npf_t *npf, uint64_t *buf)
+npfk_stats(npf_t *npf, uint64_t *buf)
 {
 	memset(buf, 0, NPF_STATS_SIZE);
 	percpu_foreach(npf->stats_percpu, npf_stats_collect, buf);
 }
 
 __dso_public void
-npf_stats_clear(npf_t *npf)
+npfk_stats_clear(npf_t *npf)
 {
 	percpu_foreach(npf->stats_percpu, npf_stats_clear_cb, NULL);
 }

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.13 src/sys/net/npf/npf_conf.c:1.14
--- src/sys/net/npf/npf_conf.c:1.13	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_conf.c	Sun Aug 11 20:26:33 2019
@@ -47,7 +47,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.13 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.14 2019/08/11 20:26:33 rmind Exp $");
 
 #include 
 #include 
@@ -169,7 +169,7 @@ npf_config_load(npf_t *npf, npf_ruleset_
 	/* Synchronise: drain all references. */
 	pserialize_perform(npf->qsbr);
 	if (flush) {
-		npf_portmap_flush(npf);
+		npf_portmap_flush(npf->portmap);
 		npf_ifmap_flush(npf);
 	}
 
Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.13 src/sys/net/npf/npf_os.c:1.14
--- src/sys/net/npf/npf_os.c:1.13	Sat 

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 11 20:26:34 UTC 2019

Modified Files:
src/sys/net/npf: npf.c npf_conf.c npf_conn.h npf_ctl.c npf_handler.c
npf_if.c npf_impl.h npf_inet.c npf_nat.c npf_os.c npf_params.c
npf_portmap.c npf_worker.c npfkern.h
src/usr.sbin/npf/npftest/libnpftest: npf_conn_test.c npf_nat_test.c
npf_perf_test.c npf_rule_test.c npf_test_subr.c

Log Message:
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf.c
cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_conf.c \
src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.54 -r1.55 src/sys/net/npf/npf_ctl.c \
src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_if.c
cvs rdiff -u -r1.75 -r1.76 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_params.c
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_portmap.c \
src/sys/net/npf/npfkern.h
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_worker.c
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npftest/libnpftest/npf_conn_test.c
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npftest/libnpftest/npf_nat_test.c
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c
cvs rdiff -u -r1.17 -r1.18 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
cvs rdiff -u -r1.15 -r1.16 \
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 11 20:25:14 UTC 2019

Modified Files:
src/usr.sbin/npf: npf-params.7

Log Message:
npf-params(7): add more bpf.jit details.
>From David H. Gutteridge.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npf-params.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npf-params.7
diff -u src/usr.sbin/npf/npf-params.7:1.2 src/usr.sbin/npf/npf-params.7:1.3
--- src/usr.sbin/npf/npf-params.7:1.2	Tue Jul 23 14:24:02 2019
+++ src/usr.sbin/npf/npf-params.7	Sun Aug 11 20:25:14 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf-params.7,v 1.2 2019/07/23 14:24:02 wiz Exp $
+.\" $NetBSD: npf-params.7,v 1.3 2019/08/11 20:25:14 rmind Exp $
 .\"
 .\" Copyright (c) 2019 Mindaugas Rasiukevicius 
 .\" All rights reserved.
@@ -24,7 +24,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd February 26, 2019
+.Dd August 3, 2019
 .Dt NPF-PARAMS 7
 .Os
 .Sh NAME
@@ -44,7 +44,13 @@ or 1 ("on").
 .\" ---
 .Bl -tag -width "123456"
 .It Li bpf.jit
-BPF just-in time compilation.
+BPF just-in-time compilation: enables or disables
+.Xr bpfjit 4
+support.
+Some machine architectures are not presently supported by
+.Xr bpfjit 4 .
+Setting this parameter to off stops NPF from trying to enable this
+functionality, and generating a warning if it is unable to do so.
 Default: 1.
 .El
 .\" ---
@@ -121,6 +127,7 @@ set state.tcp.timeout.time_wait 0   
 .Sh SEE ALSO
 .Xr libnpf 3 ,
 .Xr npfkern 3 ,
+.Xr bpfjit 4 ,
 .Xr npf.conf 5 ,
 .Xr pcap-filter 7 ,
 .Xr npfctl 8

CVS commit: src/usr.sbin/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sun Aug 11 20:25:14 UTC 2019

Modified Files:
src/usr.sbin/npf: npf-params.7

Log Message:
npf-params(7): add more bpf.jit details.
>From David H. Gutteridge.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npf-params.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sat Aug 10 22:23:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl show/validate: fix couple bugs in multiple table/port representation.
Fixes PR/54122.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28 src/usr.sbin/npf/npfctl/npf_show.c:1.29
--- src/usr.sbin/npf/npfctl/npf_show.c:1.28	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sat Aug 10 22:23:55 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2013-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_show.c,v 1.28 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.29 2019/08/10 22:23:55 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -220,21 +220,29 @@ print_tcpflags(npf_conf_info_t *ctx __un
 }
 
 static char *
-print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
+print_pbarrier(npf_conf_info_t *ctx, const uint32_t *words __unused)
+{
+	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) {
+		ctx->flags |= SEEN_SRC;
+		return estrdup("from any");
+	}
+	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) {
+		ctx->flags |= SEEN_DST;
+		return estrdup("to any");
+	}
+	return NULL;
+}
+
+static char *
+print_portrange(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 	u_int fport = words[0], tport = words[1];
-	const char *any_str = "";
 	char *p;
 
-	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
-		any_str = "from any ";
-	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
-		any_str = "to any ";
-
 	if (fport != tport) {
-		easprintf(, "%sport %u:%u", any_str, fport, tport);
+		easprintf(, "%u-%u", fport, tport);
 	} else {
-		easprintf(, "%sport %u", any_str, fport);
+		easprintf(, "%u", fport);
 	}
 	return p;
 }
@@ -283,12 +291,14 @@ static const struct mark_keyword_mapent 
 	{ BM_ICMP_CODE,	"code %s",	NULL, 0,	print_number,	1 },
 
 	{ BM_SRC_CIDR,	"from %s",	", ", SEEN_SRC,	print_address,	6 },
-	{ BM_SRC_TABLE,	"from %s",	NULL, SEEN_SRC,	print_table,	1 },
-	{ BM_SRC_PORTS,	"%s",		", ", 0,	print_portrange,2 },
+	{ BM_SRC_TABLE,	"from %s",	", ", SEEN_SRC,	print_table,	1 },
+	{ BM_SRC_PORTS,	"%s",		NULL, 0,	print_pbarrier,	2 },
+	{ BM_SRC_PORTS,	"port %s",	", ", 0,	print_portrange,2 },
 
 	{ BM_DST_CIDR,	"to %s",	", ", SEEN_DST,	print_address,	6 },
-	{ BM_DST_TABLE,	"to %s",	NULL, SEEN_DST,	print_table,	1 },
-	{ BM_DST_PORTS,	"%s",		", ", 0,	print_portrange,2 },
+	{ BM_DST_TABLE,	"to %s",	", ", SEEN_DST,	print_table,	1 },
+	{ BM_DST_PORTS,	"%s",		NULL, 0,	print_pbarrier,	2 },
+	{ BM_DST_PORTS,	"port %s",	", ", 0,	print_portrange,2 },
 };
 
 static const char * __attribute__((format_arg(2)))
@@ -314,13 +324,17 @@ scan_marks(npf_conf_info_t *ctx, const s
 			errx(EXIT_FAILURE, "byte-code marking inconsistency");
 		}
 		if (m == mk->mark) {
+			char *val;
+
 			/* Set the current mark and the flags. */
 			ctx->flags |= mk->set_flags;
 			ctx->curmark = m;
 
 			/* Value is processed by the print function. */
 			assert(mk->fwords == nwords);
-			vals[nvals++] = mk->printfn(ctx, marks);
+			if ((val = mk->printfn(ctx, marks)) != NULL) {
+vals[nvals++] = val;
+			}
 		}
 		marks += nwords;
 		mlen -= nwords;

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sat Aug 10 22:23:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl show/validate: fix couple bugs in multiple table/port representation.
Fixes PR/54122.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Sat Aug 10 21:13:54 UTC 2019

Modified Files:
src/sys/net: if.h
src/sys/net/npf: npf_os.c
src/sys/sys: param.h

Log Message:
Add the ifnet_t::if_npf_private field.  Bump the kernel version.
Fixes PR/54098.


To generate a diff of this commit:
cvs rdiff -u -r1.274 -r1.275 src/sys/net/if.h
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.605 -r1.606 src/sys/sys/param.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if.h
diff -u src/sys/net/if.h:1.274 src/sys/net/if.h:1.275
--- src/sys/net/if.h:1.274	Thu Jul  4 02:44:25 2019
+++ src/sys/net/if.h	Sat Aug 10 21:13:54 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.h,v 1.274 2019/07/04 02:44:25 ozaki-r Exp $	*/
+/*	$NetBSD: if.h,v 1.275 2019/08/10 21:13:54 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc.
@@ -340,6 +340,7 @@ typedef struct ifnet {
 	struct mowner	*if_mowner;	/* ?: who owns mbufs for this interface */
 
 	void		*if_agrprivate;	/* ?: used only when #if NAGR > 0 */
+	void		*if_npf_private;/* ?: associated NPF context */
 
 	/*
 	 * pf specific data, used only when #if NPF > 0.

Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.12 src/sys/net/npf/npf_os.c:1.13
--- src/sys/net/npf/npf_os.c:1.12	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_os.c	Sat Aug 10 21:13:54 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.12 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.13 2019/08/10 21:13:54 rmind Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pf.h"
@@ -313,7 +313,7 @@ npf_ifop_flush(void *arg)
 	KERNEL_LOCK(1, NULL);
 	IFNET_GLOBAL_LOCK();
 	IFNET_WRITER_FOREACH(ifp) {
-		ifp->if_pf_kif = arg;
+		ifp->if_npf_private = arg;
 	}
 	IFNET_GLOBAL_UNLOCK();
 	KERNEL_UNLOCK_ONE(NULL);
@@ -322,13 +322,13 @@ npf_ifop_flush(void *arg)
 static void *
 npf_ifop_getmeta(const ifnet_t *ifp)
 {
-	return ifp->if_pf_kif;
+	return ifp->if_npf_private;
 }
 
 static void
 npf_ifop_setmeta(ifnet_t *ifp, void *arg)
 {
-	ifp->if_pf_kif = arg;
+	ifp->if_npf_private = arg;
 }
 
 #ifdef _KERNEL

Index: src/sys/sys/param.h
diff -u src/sys/sys/param.h:1.605 src/sys/sys/param.h:1.606
--- src/sys/sys/param.h:1.605	Sat Aug 10 02:17:36 2019
+++ src/sys/sys/param.h	Sat Aug 10 21:13:54 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: param.h,v 1.605 2019/08/10 02:17:36 mrg Exp $	*/
+/*	$NetBSD: param.h,v 1.606 2019/08/10 21:13:54 rmind Exp $	*/
 
 /*-
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -67,7 +67,7 @@
  *	2.99.9		(299000900)
  */
 
-#define	__NetBSD_Version__	999000600	/* NetBSD 9.99.6 */
+#define	__NetBSD_Version__	999000700	/* NetBSD 9.99.7 */
 
 #define __NetBSD_Prereq__(M,m,p) (M) * 1) + \
 (m) * 100) + (p) * 100) <= __NetBSD_Version__)

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Aug  8 21:29:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c npfctl.h

Log Message:
NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.14
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c	Thu Aug  8 21:29:15 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -29,10 +29,60 @@
 
 /*
  * BPF byte-code generation for NPF rules.
+ *
+ * Overview
+ *
+ *	Each NPF rule is compiled into BPF micro-program.  There is a
+ *	BPF byte-code fragment for each higher-level filtering logic,
+ *	e.g. to match L4 protocol, IP/mask, etc.  The generation process
+ *	combines multiple BPF-byte code fragments into one program.
+ *
+ * Basic case
+ *
+ *	Consider a basic case, where all filters should match.  They
+ *	are expressed as logical conjunction, e.g.:
+ *
+ *		A and B and C and D
+ *
+ *	Each test (filter) criterion can be evaluated to true (match) or
+ *	false (no match) and the logic is as follows:
+ *
+ *	- If the value is true, then jump to the "next" test (offset 0).
+ *
+ *	- If the value is false, then jump to the JUMP_MAGIC value (0xff).
+ *	This "magic" value is used to indicate that it will have to be
+ *	patched at a later stage.
+ *
+ *	Once all byte-code fragments are combined into one, then there
+ *	are two additional steps:
+ *
+ *	- Two instructions are appended at the end of the program: return
+ *	"success" followed by return "failure".
+ *
+ *	- All jumps with the JUMP_MAGIC value are patched to point to the
+ *	"return failure" instruction.
+ *
+ *	Therefore, if all filter criteria will match, then the first
+ *	instruction will be reached, indicating a successful match of the
+ *	rule.  Otherwise, if any of the criteria will not match, it will
+ *	take the failure path and the rule will not matching.
+ *
+ * Grouping
+ *
+ *	Filters can have groups, which are have a meaning of logical
+ *	disjunction, e.g.:
+ *
+ *		A and B and (C or D)
+ *
+ *	In such case, the logic inside the group has to be inverted i.e.
+ *	the jump values swapped.  If the test value is true, then jump
+ *	out of the group; if false, then jump "next".  At the end of the
+ *	group, an addition failure path is appended and the JUMP_MAGIC
+ *	uses within the group are patched to jump past the said path.
  */
 
 #include 
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.14 2019/08/08 21:29:15 rmind Exp $");
 
 #include 
 #include 
@@ -75,7 +125,10 @@ struct npf_bpf {
 	sa_family_t		af;
 	uint32_t		flags;
 
-	/* The current group offset and block number. */
+	/*
+	 * The current group offset (counted in BPF instructions)
+	 * and block number at the start of the group.
+	 */
 	bool			ingroup;
 	u_int			goff;
 	u_int			gblock;
@@ -120,6 +173,7 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 	for (u_int i = start; i < end; i++) {
 		struct bpf_insn *insn = >bf_insns[i];
 		const u_int fail_off = end - i;
+		bool seen_magic = false;
 
 		if (fail_off >= JUMP_MAGIC) {
 			errx(EXIT_FAILURE, "BPF generation error: "
@@ -128,15 +182,37 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 		if (BPF_CLASS(insn->code) != BPF_JMP) {
 			continue;
 		}
-		if (swap) {
+		if (BPF_OP(insn->code) == BPF_JA) {
+			/*
+			 * BPF_JA can be used to jump to the failure path.
+			 * If we are swapping i.e. inside the group, then
+			 * jump "next"; groups have a failure path appended
+			 * at their end.
+			 */
+			if (insn->k == JUMP_MAGIC) {
+insn->k = swap ? 0 : fail_off;
+			}
+			continue;
+		}
+
+		/*
+		 * Fixup the "magic" value.  Swap only the "magic" jumps.
+		 */
+
+		if (insn->jt == JUMP_MAGIC) {
+			insn->jt = fail_off;
+			seen_magic = true;
+		}
+		if (insn->jf == JUMP_MAGIC) {
+			insn->jf = fail_off;
+			seen_magic = true;
+		}
+
+		if (seen_magic && swap) {
 			uint8_t jt = insn->jt;
 			insn->jt = insn->jf;
 			insn->jf = jt;
 		}
-		if (insn->jt == JUMP_MAGIC)
-			insn->jt = fail_off;
-		if (insn->jf == JUMP_MAGIC)
-			insn->jf = fail_off;
 	}
 }
 
@@ -225,11 +301,11 @@ npfctl_bpf_destroy(npf_bpf_t *ctx)
 }
 
 /*
- * npfctl_bpf_group: begin a logical group.  It merely uses logical
+ * 

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Aug  8 21:29:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c npfctl.h

Log Message:
NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf/npftest/libnpftest

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 01:18:06 UTC 2019

Modified Files:
src/usr.sbin/npf/npftest/libnpftest: npf_nbuf_test.c

Log Message:
npftest: fix double-free in npf_nbuf_test().


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.8 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.9
--- src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c:1.8	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c	Thu Jul 25 01:18:05 2019
@@ -201,7 +201,6 @@ npf_nbuf_test(bool verbose)
 		bufb = parse_nbuf_chain(m1);
 		ok = validate_mbuf_data(bufa, bufb);
 		CHECK_TRUE(ok);
-		m_freem(m1);
 	}
 
 	m2 = mbuf_bytesize(MBUF_CHAIN_LEN);
@@ -209,7 +208,6 @@ npf_nbuf_test(bool verbose)
 	bufb = parse_nbuf_chain(m2);
 	ok = validate_mbuf_data(bufa, bufb);
 	CHECK_TRUE(ok);
-	m_freem(m2);
 
 	(void)verbose;
 	return true;

CVS commit: src/usr.sbin/npf/npftest/libnpftest

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 01:18:06 UTC 2019

Modified Files:
src/usr.sbin/npf/npftest/libnpftest: npf_nbuf_test.c

Log Message:
npftest: fix double-free in npf_nbuf_test().


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 01:00:28 UTC 2019

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
npf_portmap_flush: remove invalid assert (this routine can be callied via
the npf_destroy() path where the constraint is not applicable).


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npf_portmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_portmap.c
diff -u src/sys/net/npf/npf_portmap.c:1.2 src/sys/net/npf/npf_portmap.c:1.3
--- src/sys/net/npf/npf_portmap.c:1.2	Tue Jul 23 08:25:52 2019
+++ src/sys/net/npf/npf_portmap.c	Thu Jul 25 01:00:28 2019
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.3 2019/07/25 01:00:28 rmind Exp $");
 
 #include 
 #include 
@@ -461,8 +461,6 @@ npf_portmap_flush(npf_t *npf)
 	npf_portmap_t *pm = npf->portmap;
 	bitmap_t *bm;
 
-	KASSERT(npf_config_locked_p(npf));
-
 	while ((bm = LIST_FIRST(>bitmap_list)) != NULL) {
 		for (unsigned i = 0; i < PORTMAP_L0_WORDS; i++) {
 			uintptr_t bm1 = bm->bits0[i];

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 01:00:28 UTC 2019

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
npf_portmap_flush: remove invalid assert (this routine can be callied via
the npf_destroy() path where the constraint is not applicable).


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npf_portmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 00:48:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c npfctl.c

Log Message:
npfctl: fix the bpf.jit parameter handling.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 00:48:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c npfctl.c

Log Message:
npfctl: fix the bpf.jit parameter handling.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.49 src/usr.sbin/npf/npfctl/npf_build.c:1.50
--- src/usr.sbin/npf/npfctl/npf_build.c:1.49	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_build.c	Thu Jul 25 00:48:55 2019
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.49 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.50 2019/07/25 00:48:55 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -969,6 +969,7 @@ npfctl_setparam(const char *name, int va
 {
 	if (strcmp(name, "bpf.jit") == 0) {
 		npfctl_bpfjit(val != 0);
+		return;
 	}
 	if (npf_param_set(npf_conf, name, val) != 0) {
 		yyerror("invalid parameter `%s` or its value", name);

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.59 src/usr.sbin/npf/npfctl/npfctl.c:1.60
--- src/usr.sbin/npf/npfctl/npfctl.c:1.59	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npfctl.c	Thu Jul 25 00:48:55 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.59 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.60 2019/07/25 00:48:55 rmind Exp $");
 
 #include 
 #include 
@@ -231,7 +231,7 @@ npfctl_print_error(const npf_error_t *ne
 	const char *srcfile = ne->source_file;
 
 	if (ne->error_msg) {
-		warnx("%s", ne->error_msg);
+		errx(EXIT_FAILURE, "%s", ne->error_msg);
 	}
 	if (srcfile) {
 		warnx("source %s line %d", srcfile, ne->source_line);

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 00:02:56 UTC 2019

Modified Files:
src/distrib/sets/lists/man: mi
src/usr.sbin/npf: Makefile

Log Message:
Install the npf-params(7) man page.


To generate a diff of this commit:
cvs rdiff -u -r1.1648 -r1.1649 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/sets/lists/man/mi
diff -u src/distrib/sets/lists/man/mi:1.1648 src/distrib/sets/lists/man/mi:1.1649
--- src/distrib/sets/lists/man/mi:1.1648	Wed Jun 12 09:03:32 2019
+++ src/distrib/sets/lists/man/mi	Thu Jul 25 00:02:56 2019
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1648 2019/06/12 09:03:32 mrg Exp $
+# $NetBSD: mi,v 1.1649 2019/07/25 00:02:56 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -2317,6 +2317,7 @@
 ./usr/share/man/cat7/msafer.0			man-obsolete		obsolete
 ./usr/share/man/cat7/nls.0			man-reference-catman	.cat
 ./usr/share/man/cat7/npf.0			man-npf-catman		.cat,npf
+./usr/share/man/cat7/npf-params.0		man-npf-catman		.cat,npf
 ./usr/share/man/cat7/orders.0			man-reference-catman	.cat
 ./usr/share/man/cat7/packages.0			man-obsolete		obsolete
 ./usr/share/man/cat7/pcap-filter.0		man-netutil-catman	.cat
@@ -5383,6 +5384,7 @@
 ./usr/share/man/html7/module.html		man-reference-htmlman	html
 ./usr/share/man/html7/nls.html			man-reference-htmlman	html
 ./usr/share/man/html7/npf.html			man-npf-htmlman		html,npf
+./usr/share/man/html7/npf-params.html		man-npf-htmlman		html,npf
 ./usr/share/man/html7/orders.html		man-reference-htmlman	html
 ./usr/share/man/html7/pcap-filter.html		man-netutil-htmlman	html
 ./usr/share/man/html7/pcap-linktype.html	man-netutil-htmlman	html
@@ -8424,6 +8426,7 @@
 ./usr/share/man/man7/msafer.7			man-obsolete		obsolete
 ./usr/share/man/man7/nls.7			man-reference-man	.man
 ./usr/share/man/man7/npf.7			man-npf-man		.man,npf
+./usr/share/man/man7/npf-params.7		man-npf-man		.man,npf
 ./usr/share/man/man7/orders.7			man-reference-man	.man
 ./usr/share/man/man7/packages.7			man-obsolete		obsolete
 ./usr/share/man/man7/pcap-filter.7		man-netutil-man		.man

Index: src/usr.sbin/npf/Makefile
diff -u src/usr.sbin/npf/Makefile:1.6 src/usr.sbin/npf/Makefile:1.7
--- src/usr.sbin/npf/Makefile:1.6	Sat Jan  7 17:27:02 2017
+++ src/usr.sbin/npf/Makefile	Thu Jul 25 00:02:55 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.6 2017/01/07 17:27:02 christos Exp $
+# $NetBSD: Makefile,v 1.7 2019/07/25 00:02:55 rmind Exp $
 
 .include 
 
@@ -8,7 +8,7 @@ SUBDIR=		npfctl npfd
 SUBDIR+=	npftest
 .endif
 
-MAN=		npf.7
+MAN=		npf.7 npf-params.7
 
 .include 
 .include 

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 00:02:56 UTC 2019

Modified Files:
src/distrib/sets/lists/man: mi
src/usr.sbin/npf: Makefile

Log Message:
Install the npf-params(7) man page.


To generate a diff of this commit:
cvs rdiff -u -r1.1648 -r1.1649 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/modules/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Jul 24 23:49:08 UTC 2019

Modified Files:
src/sys/modules/npf: Makefile

Log Message:
Update the NPF kernel module Makefile.  Missed in the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/modules/npf/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/modules/npf/Makefile
diff -u src/sys/modules/npf/Makefile:1.23 src/sys/modules/npf/Makefile:1.24
--- src/sys/modules/npf/Makefile:1.23	Sun Feb 17 04:05:55 2019
+++ src/sys/modules/npf/Makefile	Wed Jul 24 23:49:08 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.23 2019/02/17 04:05:55 rin Exp $
+# $NetBSD: Makefile,v 1.24 2019/07/24 23:49:08 rmind Exp $
 #
 # Public Domain.
 #
@@ -11,9 +11,11 @@ KMOD=		npf
 IOCONF=		npf.ioconf
 SRCS=		npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
 SRCS+=		npf_bpf.c npf_if.c npf_inet.c npf_mbuf.c npf_nat.c
-SRCS+=		npf_ruleset.c npf_conn.c npf_conndb.c npf_rproc.c
+SRCS+=		npf_params.c npf_ruleset.c npf_rproc.c
+SRCS+=		npf_conn.c npf_conndb.c npf_connkey.c npf_portmap.c
 SRCS+=		npf_state.c npf_state_tcp.c npf_tableset.c
-SRCS+=		lpm.c npf_sendpkt.c npf_worker.c npf_ifaddr.c npf_os.c
+SRCS+=		lpm.c npf_sendpkt.c npf_worker.c npf_os.c npf_ifaddr.c
+
 SRCS+=		nvlist.c nvpair.c nv_kern_netbsd.c dnvlist.c
 
 CPPFLAGS+=	-DINET6

CVS commit: src/sys/modules/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Wed Jul 24 23:49:08 UTC 2019

Modified Files:
src/sys/modules/npf: Makefile

Log Message:
Update the NPF kernel module Makefile.  Missed in the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/modules/npf/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Tue Jul 23 08:25:52 UTC 2019

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
NPF portmap: add a workaround for archs without 64-bit CAS.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_portmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Tue Jul 23 08:25:52 UTC 2019

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
NPF portmap: add a workaround for archs without 64-bit CAS.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_portmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_portmap.c
diff -u src/sys/net/npf/npf_portmap.c:1.1 src/sys/net/npf/npf_portmap.c:1.2
--- src/sys/net/npf/npf_portmap.c:1.1	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_portmap.c	Tue Jul 23 08:25:52 2019
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.1 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_portmap.c,v 1.2 2019/07/23 08:25:52 rmind Exp $");
 
 #include 
 #include 
@@ -106,6 +106,8 @@ typedef struct {
 	int		max_port;
 } npf_portmap_params_t;
 
+static kmutex_t			portmap_lock;
+
 void
 npf_portmap_init(npf_t *npf)
 {
@@ -130,6 +132,8 @@ npf_portmap_init(npf_t *npf)
 	npf->portmap = kmem_zalloc(sizeof(npf_portmap_t), KM_SLEEP);
 	mutex_init(>portmap->list_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 	npf->portmap->addr_map = thmap_create(0, NULL, THMAP_NOCOPY);
+
+	mutex_init(_lock, MUTEX_DEFAULT, IPL_SOFTNET);
 }
 
 void
@@ -146,10 +150,31 @@ npf_portmap_fini(npf_t *npf)
 	thmap_destroy(pm->addr_map);
 	mutex_destroy(>list_lock);
 	kmem_free(pm, sizeof(npf_portmap_t));
+
+	mutex_destroy(_lock);
 }
 
 /
 
+#if defined(_LP64)
+#define	__npf_atomic_cas_64	atomic_cas_64
+#else
+static uint64_t
+__npf_atomic_cas_64(volatile uint64_t *ptr, uint64_t old, uint64_t new)
+{
+	uint64_t prev;
+
+	mutex_enter(_lock);
+	prev = *ptr;
+	if (prev == old) {
+		*ptr = new;
+	}
+	mutex_exit(_lock);
+
+	return prev;
+}
+#endif
+
 /*
  * bitmap_word_isset: test whether the bit value is in the packed array.
  *
@@ -283,7 +308,7 @@ again:
 		 */
 		if ((nval = bitmap_word_cax(bval, -1, chunk_bit)) != 0) {
 			KASSERT((nval & PORTMAP_L1_TAG) == 0);
-			if (atomic_cas_64(>bits0[i], bval, nval) != bval) {
+			if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) {
 goto again;
 			}
 			return true;
@@ -315,7 +340,7 @@ again:
 		bm1p = (uintptr_t)bm1;
 		KASSERT((bm1p & PORTMAP_L1_TAG) == 0);
 		bm1p |= PORTMAP_L1_TAG;
-		if (atomic_cas_64(>bits0[i], bval, bm1p) != bval) {
+		if (__npf_atomic_cas_64(>bits0[i], bval, bm1p) != bval) {
 			kmem_intr_free(bm1, sizeof(bitmap_l1_t));
 			goto again;
 		}
@@ -332,7 +357,7 @@ again:
 		return false;
 	}
 	nval = oval | b;
-	if (atomic_cas_64(>bits1[i], oval, nval) != oval) {
+	if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) {
 		goto again;
 	}
 	return true;
@@ -356,7 +381,7 @@ again:
 		}
 		nval = bitmap_word_cax(bval, chunk_bit, chunk_bit);
 		KASSERT((nval & PORTMAP_L1_TAG) == 0);
-		if (atomic_cas_64(>bits0[i], bval, nval) != bval) {
+		if (__npf_atomic_cas_64(>bits0[i], bval, nval) != bval) {
 			goto again;
 		}
 		return true;
@@ -372,7 +397,7 @@ again:
 		return false;
 	}
 	nval = oval & ~b;
-	if (atomic_cas_64(>bits1[i], oval, nval) != oval) {
+	if (__npf_atomic_cas_64(>bits1[i], oval, nval) != oval) {
 		goto again;
 	}
 	return true;

CVS commit: src

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Tue Jul 23 00:52:02 UTC 2019

Modified Files:
src/lib/libnpf: libnpf.3 npf.c npf.h
src/sys/net/npf: files.npf npf.c npf.h npf_alg.c npf_alg_icmp.c
npf_conf.c npf_conn.c npf_conn.h npf_conndb.c npf_ctl.c
npf_handler.c npf_impl.h npf_inet.c npf_nat.c npf_os.c npf_rproc.c
npf_ruleset.c npf_state.c npf_state_tcp.c npf_tableset.c npfkern.h
src/sys/rump/net/lib/libnpf: Makefile
src/usr.sbin/npf/npfctl: npf.conf.5 npf_bpf_comp.c npf_build.c
npf_parse.y npf_scan.l npf_show.c npfctl.c npfctl.h
src/usr.sbin/npf/npftest: npfstream.c npftest.c npftest.conf
src/usr.sbin/npf/npftest/libnpftest: npf_bpf_test.c npf_conn_test.c
npf_mbuf_subr.c npf_nat_test.c npf_nbuf_test.c npf_perf_test.c
npf_rule_test.c npf_state_test.c npf_table_test.c npf_test.h
npf_test_subr.c
Added Files:
src/sys/net/npf: npf_connkey.c npf_params.c npf_portmap.c
src/usr.sbin/npf: npf-params.7

Log Message:
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
  userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/lib/libnpf/libnpf.3
cvs rdiff -u -r1.45 -r1.46 src/lib/libnpf/npf.c
cvs rdiff -u -r1.35 -r1.36 src/lib/libnpf/npf.h
cvs rdiff -u -r1.21 -r1.22 src/sys/net/npf/files.npf \
src/sys/net/npf/npf_state.c
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf.c
cvs rdiff -u -r1.59 -r1.60 src/sys/net/npf/npf.h
cvs rdiff -u -r1.19 -r1.20 src/sys/net/npf/npf_alg.c \
src/sys/net/npf/npf_state_tcp.c
cvs rdiff -u -r1.31 -r1.32 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.26 -r1.27 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_conndb.c
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/npf_connkey.c \
src/sys/net/npf/npf_params.c src/sys/net/npf/npf_portmap.c
cvs rdiff -u -r1.53 -r1.54 src/sys/net/npf/npf_ctl.c \
src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.74 -r1.75 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_tableset.c
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npfkern.h
cvs rdiff -u -r1.26 -r1.27 src/sys/rump/net/lib/libnpf/Makefile
cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npf-params.7
cvs rdiff -u -r1.86 -r1.87 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npf_build.c \
src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/npf/npfctl/npf_show.c
cvs rdiff -u -r1.58 -r1.59 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/npfstream.c
cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npftest/npftest.c
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npftest/npftest.conf
cvs rdiff -u -r1.10 -r1.11 src/usr.sbin/npf/npftest/libnpftest/npf_bpf_test.c
cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npftest/libnpftest/npf_conn_test.c
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c \
src/usr.sbin/npf/npftest/libnpftest/npf_state_test.c
cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npftest/libnpftest/npf_nat_test.c \
src/usr.sbin/npf/npftest/libnpftest/npf_table_test.c
cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c \
src/usr.sbin/npf/npftest/libnpftest/npf_perf_test.c
cvs rdiff -u -r1.16 -r1.17 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/npf/npftest/libnpftest/npf_test.h
cvs rdiff -u -r1.14 -r1.15 \
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/external/bsd/libnv/dist

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Tue Jul 23 00:49:16 UTC 2019

Modified Files:
src/sys/external/bsd/libnv/dist: nv.h nvlist.c nvpair.c

Log Message:
- nvpair_create_stringf: use the in-kernel vasprintf().
- Make nvlist_add_stringf() availabe in the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/external/bsd/libnv/dist/nv.h
cvs rdiff -u -r1.7 -r1.8 src/sys/external/bsd/libnv/dist/nvlist.c
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

CVS commit: src/sys/external/bsd/libnv/dist

[Mindaugas Rasiukevicius]

Module Name:src
Committed By:   rmind
Date:   Tue Jul 23 00:49:16 UTC 2019

Modified Files:
src/sys/external/bsd/libnv/dist: nv.h nvlist.c nvpair.c

Log Message:
- nvpair_create_stringf: use the in-kernel vasprintf().
- Make nvlist_add_stringf() availabe in the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/external/bsd/libnv/dist/nv.h
cvs rdiff -u -r1.7 -r1.8 src/sys/external/bsd/libnv/dist/nvlist.c
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/libnv/dist/nv.h
diff -u src/sys/external/bsd/libnv/dist/nv.h:1.2 src/sys/external/bsd/libnv/dist/nv.h:1.3
--- src/sys/external/bsd/libnv/dist/nv.h:1.2	Sat Sep  8 14:02:15 2018
+++ src/sys/external/bsd/libnv/dist/nv.h	Tue Jul 23 00:49:16 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nv.h,v 1.2 2018/09/08 14:02:15 christos Exp $	*/
+/*	$NetBSD: nv.h,v 1.3 2019/07/23 00:49:16 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause
@@ -152,9 +152,7 @@ void nvlist_add_bool(nvlist_t *nvl, cons
 void nvlist_add_number(nvlist_t *nvl, const char *name, uint64_t value);
 void nvlist_add_string(nvlist_t *nvl, const char *name, const char *value);
 void nvlist_add_stringf(nvlist_t *nvl, const char *name, const char *valuefmt, ...) __printflike(3, 4);
-#if !defined(_KERNEL) || defined(_VA_LIST_DECLARED)
 void nvlist_add_stringv(nvlist_t *nvl, const char *name, const char *valuefmt, va_list valueap) __printflike(3, 0);
-#endif
 void nvlist_add_nvlist(nvlist_t *nvl, const char *name, const nvlist_t *value);
 void nvlist_add_binary(nvlist_t *nvl, const char *name, const void *value, size_t size);
 void nvlist_add_bool_array(nvlist_t *nvl, const char *name, const bool *value, size_t nitems);

Index: src/sys/external/bsd/libnv/dist/nvlist.c
diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.7 src/sys/external/bsd/libnv/dist/nvlist.c:1.8
--- src/sys/external/bsd/libnv/dist/nvlist.c:1.7	Tue Feb 12 12:49:23 2019
+++ src/sys/external/bsd/libnv/dist/nvlist.c	Tue Jul 23 00:49:16 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $	*/
+/*	$NetBSD: nvlist.c,v 1.8 2019/07/23 00:49:16 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $");
 #else
-__RCSID("$NetBSD: nvlist.c,v 1.7 2019/02/12 12:49:23 rmind Exp $");
+__RCSID("$NetBSD: nvlist.c,v 1.8 2019/07/23 00:49:16 rmind Exp $");
 #endif
 
 #include 
@@ -1507,7 +1507,7 @@ nvlist_add_nvpair(nvlist_t *nvl, const n
 	nvpair_insert(>nvl_head, newnvp, nvl);
 }
 
-#if !defined(_KERNEL) && !defined(_STANDALONE) && !defined(__NetBSD__)
+#if !defined(_STANDALONE)
 void
 nvlist_add_stringf(nvlist_t *nvl, const char *name, const char *valuefmt, ...)
 {

Index: src/sys/external/bsd/libnv/dist/nvpair.c
diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.6 src/sys/external/bsd/libnv/dist/nvpair.c:1.7
--- src/sys/external/bsd/libnv/dist/nvpair.c:1.6	Fri Feb 15 22:49:24 2019
+++ src/sys/external/bsd/libnv/dist/nvpair.c	Tue Jul 23 00:49:16 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $	*/
+/*	$NetBSD: nvpair.c,v 1.7 2019/07/23 00:49:16 rmind Exp $	*/
 
 /*-
  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $");
 #else
-__RCSID("$NetBSD: nvpair.c,v 1.6 2019/02/15 22:49:24 rmind Exp $");
+__RCSID("$NetBSD: nvpair.c,v 1.7 2019/07/23 00:49:16 rmind Exp $");
 #endif
 
 #include 
@@ -1191,7 +1191,7 @@ nvpair_name(const nvpair_t *nvp)
 	return (nvp->nvp_name);
 }
 
-#if !defined(_KERNEL) && !defined(_STANDALONE) && !defined(__NetBSD__)
+#if !defined(_STANDALONE)
 nvpair_t *
 nvpair_create_stringf(const char *name, const char *valuefmt, ...)
 {
@@ -1212,7 +1212,7 @@ nvpair_create_stringv(const char *name, 
 	char *str;
 	int len;
 
-	len = nv_vasprintf(, valuefmt, valueap);
+	len = vasprintf(, valuefmt, valueap);
 	if (len < 0)
 		return (NULL);
 	nvp = nvpair_create_string(name, str);

Re: CVS commit: src/sys/external/bsd/libnv/dist

[Mindaugas Rasiukevicius]

Martin Husemann  wrote:
> Can you try this patch?
> 
> rmind: can you *please* run the tests before commiting such changes?
> That would have immediately caught this.

Well, I did run libnv tests as well as NPF tests and they both passed,
just not on NetBSD. :)  Turns out NetBSD libnv and Github libnv code
bases deviated a little bit, causing a bug in NetBSD (but not upstream).
Anyway, I committed the fix.  As for the NetBSD tests: it takes forever
to recompile and rerun them, so it is not really practical for me.

-- 
Mindaugas

Re: CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

"Maxime Villard"  wrote:
> Module Name:  src
> Committed By: maxv
> Date: Fri Dec 15 21:00:26 UTC 2017
> 
> Modified Files:
>   src/sys/net/npf: npf.h
> 
> Log Message:
> Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
> bypass a certain number of filtering rules.
> 
> Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
> 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
> has large extensions.

Thanks for discovering and fixing this.  I think this is the first
serious remote vulnerability in NPF, although limited to IPv6 only.

> Fix this by using uint32_t. While here, it seems to me there is also a
> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
> a value that goes beyond the mbuf.

A minor aspect, but promoting npf_hlen to uint32_t results in wasteful
padding in the struct, so it is better to re-order the struct members
in this case.

If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check.  However, I think
we should implement some sanity check for the npc_hlen value.  RFC 7112
suggests that the IPv6 header chain should not exceed the MTU size (and
thus fit in the first fragment, in case of fragmentation).  Some value
along these lines could be the basis for a sanity check..

-- 
Mindaugas

Re: CVS commit: src/sys/net80211

[Mindaugas Rasiukevicius]

Hi,

David Young  wrote:
> On Tue, Jan 16, 2018 at 08:39:29AM +, Maxime Villard wrote:
> > Module Name:src
> > Committed By:   maxv
> > Date:   Tue Jan 16 08:39:29 UTC 2018
> > 
> > Modified Files:
> > src/sys/net80211: ieee80211_input.c
> > 
> 
> ...
> 
> IMO, changes like this are important and overdue, however, do keep in
> mind the provenance of this code: NetBSD -> FreeBSD.
> 
> Maybe you have written off ever re-synching with FreeBSD?  If so, do
> you have a plan for integrating useful features like virtual stations
> independently of their code?

I can just echo this part.  It is completely unrealistic that NetBSD can
maintain its own 802.11 stack these days.  A better approach would be to
sync the code with FreeBSD and treat is as an upstream, trying to merge
the fixes back there.  Not sure if diverging will help syncing the code.

IMO, 802.11n (and there is some FreeBSD code for 802.11ac) is much more
useful feature, as it would allow NetBSD users to use decent WiFI speeds.
Currently supported throughput is pretty miserable for these days..

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Alex,

Alexander Nasonov al...@yandex.ru wrote:
 Lourival Pereira Vieira Neto wrote:
  Module Name:src
  Committed By:   lneto
  Date:   Sat Jul 19 17:13:22 UTC 2014
  
  Modified Files:
  src/sys/modules/lua: lua.c
  src/sys/sys: lua.h
  
  Log Message:
  lua(4): added support for running Lua scripts in intr context
 
 Please revert this. You can't make a mechanical change
 (s/kmem_/kmem_intr_/g and so on) to enable lua in softintr
 context. You need to design it.
 
 What if GC kicks-in in softintr? What if the code tries to
 load a chunk of new code in softintr? And there are other
 questions.

I have explained to Lourival that softint context is a very constrained
environment and he should seek for a better design, e.g. have per-CPU
Lua state while keeping such Lua programs mostly stateless and sharing no
global state.  Ideally, we should have deterministic behaviour and memory
pre-allocation with such programs (whether it is Lua or not).

This is tricky with Lua, but I think he understands the implications and
issues.  The change is more of an initial step to (inefficiently) support
the capability.  Meanwhile, those interested can research and experiment
with NPF+Lua.  Such use of Lua is not really meant to be production-ready
at this point.

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

David Holland dholland-sourcechan...@netbsd.org wrote:
 On Tue, Jul 01, 2014 at 10:16:02AM +, Ryota Ozaki wrote:
   Log Message:
   Lock IFQ operations when NET_MPSAFE
   
   - Introduce NET_MPSAFE
 - not defined by default
 
 If it compiles (and is expected to continue to compile) please add it
 to ALL.
 

While it is okay for now, I think this knob should be only for the short
term (i.e. only for transitional period while making changes to the APIs).

-- 
Mindaugas

Re: CVS commit: src/sys/sys

[Mindaugas Rasiukevicius]

Tyler R. Retzlaff r...@netbsd.org wrote:
 Module Name:  src
 Committed By: rtr
 Date: Tue Jul  1 13:25:21 UTC 2014
 
 Modified Files:
   src/sys/sys: param.h
 
 Log Message:
 Bump to version 6.99.45 for removal of struct lwp * parameter from
 pr_ioctl

I do not think there is much point in doing this.  The protocols are not
really modular yet (no risk of breaking ABI) nor this interface is exposed
to userland.  So, technically you can bump the version, but practically it
is useless.

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Paul Goyette p...@whooppee.com wrote:
 On Sun, 18 May 2014, Mindaugas Rasiukevicius wrote:
 
 snip
 
  Log Message:
  Add struct pr_usrreqs with a pr_generic function and prepare for the
  dismantling of pr_usrreq in the protocols; no functional change
  intended. PRU_ATTACH/PRU_DETACH changes will follow soon.
 
  Bump for struct protosw.  Welcome to 6.99.62!
 
 6.99.62?  or 6.99.42?
 

Heh.  It is 6.99.42 (the one it should be).

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Nick Hudson sk...@netbsd.org wrote:
 Module Name:  src
 Committed By: skrll
 Date: Thu Mar 20 06:48:54 UTC 2014
 
 Modified Files:
   src/sys/arch/arm/ixp12x0: ixp12x0_intr.c
   src/sys/arch/arm/xscale: ixp425_if_npe.c ixp425_npe.c
 ixp425_npevar.h src/sys/arch/xen/include: xbdvar.h
   src/sys/coda: coda_vnops.c
   src/sys/dev/mca: ed_mca.c edc_mca.c edvar.h
   src/sys/dev/pci: cy82c693.c
   src/sys/dev/pci/cxgb: cxgb_osdep.h
   src/sys/net: if_tap.c if_tun.c
 
 Log Message:
 Mechanically replace simplelock with kmutex_t.
 

That is great!  Thanks.

-- 
Mindaugas

Re: CVS commit: src/sys/miscfs/genfs

[Mindaugas Rasiukevicius]

Taylor R Campbell campbell+netbsd-source-change...@mumble.net wrote:
Date: Wed, 12 Mar 2014 16:16:32 +0200
From: Jukka Ruohonen jruoho...@iki.fi
 
On Wed, Mar 12, 2014 at 09:39:23AM +, Juergen Hannken-Illjes wrote:
 Restructure layer_lock() to always lock before testing for dead node.
 Use ISSET() to test flags, add assertions.
 
As I wrote in the manual page, I'd rather see ISSET(3) et. al.
 disappear, i.e. these obscure rather than clarify...
 
 I disagree.  Phrases like `(vp-v_iflag  (VI_XLOCK | VI_CLEAN)) == 0'
 make my head's parser stumble -- there are just enough complements to
 juggle that it overwhelms my brain registers for the fast path.  I'd
 rather read `!ISSET(vp-v_iflag, (VI_XLOCK | VI_CLEAN))'.

I disagree.  For kernel developers, that kind of bitwise arithmetics and
masking ought to be intuitive.  If there is more logic and it gets long,
then separate it:

const bool foobar = (mask  (FOO | BAR)) == 0;
const bool baz = (mask  BAZ) != 0;

if (foobar  baz) ...

ISSET() is somewhat okay (although I do not use it), but I particularly
dislike __BIT() as I forget whether the 1st bit is n = 0 or whether this
API tries to be fancy and it is n = 1.  1U  n is just straigtforward.

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
  I have not had time to follow your VFS changes, but can you explain why
  did you remove VOP_LOCK/VOP_UNLOCK in tmpfs_reclaim()?  It was added to
  prevent from the racy access of tn_links.
 
 Hopefully a vnode lock is needed to access tn_links -- otherwise the
 VOP_LOCK/UNLOCK in tmpfs_reclaim() didn't protect it ...

Yes, tn_links is modified with the vnode lock held.  Unlocked access in
VOP_RECLAIM() racing with the release of the last last reference, used to
cause crashes due to premature reclamation attempts.  Given that VOP_LOCK()
acquires the vnode node, can you explain why this didn't protect it?

 As this commit prevents other threads from obtaining a lock while
 VOP_RECLAIM() is running the protection should be the same as before.

You mean VOP_RECLAIM() is now called with the vnode lock held?  Can you
please add an assert in tmpfs_reclaim() which demonstrates that?

Thanks.

-- 
Mindaugas

Re: CVS commit: src/sys/fs/tmpfs

[Mindaugas Rasiukevicius]

J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
 On Jan 8, 2014, at 5:11 PM, pedro martelletto pe...@netbsd.org wrote:
 
  Module Name:src
  Committed By:   pedro
  Date:   Wed Jan  8 16:11:04 UTC 2014
  
  Modified Files:
  src/sys/fs/tmpfs: tmpfs_subr.c
  
  Log Message:
  Allocate direntp on the stack in tmpfs_dir_getdents(), thus saving
  calls to kmem_zalloc() and kmem_free(); OK rmind@. From OpenBSD.
 
 Is it really a good idea to allocate 528 bytes on the kernel stack?
 File systems nest and already use much stack space.

It is harmless in this case since we get a few or more pages for the stack.

 Looks better to use a pool_cache.

It is worth to create a separate pool_cache(9) only if the allocations can
potentially be very intensive.

-- 
Mindaugas

Re: CVS commit: src/sys/fs/tmpfs

[Mindaugas Rasiukevicius]

Juergen Hannken-Illjes hann...@netbsd.org wrote:
 Module Name:  src
 Committed By: hannken
 Date: Fri Jan  3 09:53:12 UTC 2014
 
 Modified Files:
   src/sys/fs/tmpfs: tmpfs_subr.c tmpfs_vnops.c
 
 Log Message:
 Fix a race where thread1 runs VOP_REMOVE() and gets preempted in
 tmpfs_reclaim() before the call to tmpfs_free_node().  Thread2
 runs VFS_FHTOVP() and gets a new vnode attached to the node thread1
 is about to destroy.
 
 Change tmpfs_alloc_node() to always assign non-zero generation number
 and tmpfs_inactive() to set the generation number of unlinked nodes
 to zero.

Can you explain how does this help?  It still seems racy to me.
Why not just check for tn_links == 0 in tmpfs_fhtovp()?

-- 
Mindaugas

Re: CVS commit: src/sbin/mount_tmpfs

[Mindaugas Rasiukevicius]

Martin Husemann mar...@netbsd.org wrote:
 Module Name:  src
 Committed By: martin
 Date: Wed Dec  4 13:30:35 UTC 2013
 
 Modified Files:
   src/sbin/mount_tmpfs: mount_tmpfs.8 mount_tmpfs.c
 
 Log Message:
 Provide variants of the -s option to allow limiting the tmpfs dynamically
 at mount time to 1/Nth or to N percent of the available ram.

I think you confused err() with errx().  Also, why bother with the fraction
and the floating point?

-- 
Mindaugas

Re: CVS commit: src/sbin/mount_tmpfs

[Mindaugas Rasiukevicius]

Martin Husemann mar...@duskware.de wrote:
 On Wed, Dec 04, 2013 at 01:45:51PM +, Mindaugas Rasiukevicius wrote:
  I think you confused err() with errx().  Also, why bother with the
  fraction and the floating point?
 
 The err vs. errx may be debatable, but since this is usual called via
 other programs the name of the program (and thus the man page to look
 up details) may be usefull.

I mean you have them other way round:

+   len = sizeof(ram);
+   if (sysctlbyname(hw.physmem64, ram, len, NULL, 0))
+   err(EXIT_FAILURE, can't get \hw.physmem64\: %s, 
strerror(errno));

err() already appends the error string for you, while in in ram_fract()
and ram_percent() you want errx().

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Hello Juergen,

Juergen Hannken-Illjes hann...@netbsd.org wrote:
 Module Name:  src
 Committed By: hannken
 Date: Sat Nov 23 13:46:22 UTC 2013
 
 Modified Files:
   src/sys/kern: vfs_vnode.c
   src/sys/sys: vnode.h
 
 Log Message:
 Replace VI_INACTNOW and VI_INACTREDO with a new flag VI_CHANGING that gets
 set while a vnode changes state from active to inactive or from active
 or inactive to clean and protects vclean(); vrelel() and vrelel()
 against vget().
 
 Presented on tech-kern.

There are multiple reports of hangs in VFS (see something's wrong thread
on current-users@ and PR/48411).  It seems to be due to this change.  Can
you revert it for now?

Thanks.

-- 
Mindaugas

Re: CVS commit: src/sys/coda

[Mindaugas Rasiukevicius]

Christos Zoulas chris...@netbsd.org wrote:
 Module Name:  src
 Committed By: christos
 Date: Sat Nov 23 17:57:23 UTC 2013
 
 Modified Files:
   src/sys/coda: coda_vfsops.c
 
 Log Message:
 replace open-coded scan with macro; fix locking
 

-/* mount structure wasn't found */
-return(NULL);
+mutex_exit(mountlist_lock);
+return mp == TAILQ_END(mountlist) ? NULL : mp;

Although this is correct, TAILQ_END(mountlist) *suggests* access of
mountlist.  If it would be true, it would be unlocked and buggy access.
Why not just return mp; ?

It seems to me that TAILQ_END() makes the code more missleading without
doing any good.  What was the rationale behind adding and using it?

-- 
Mindaugas

Re: CVS commit: src/sys/coda

[Mindaugas Rasiukevicius]

chris...@zoulas.com (Christos Zoulas) wrote:
 On Nov 23,  6:14pm, rm...@netbsd.org (Mindaugas Rasiukevicius) wrote:
 -- Subject: Re: CVS commit: src/sys/coda
 
 | Although this is correct, TAILQ_END(mountlist) *suggests* access of
 | mountlist.  If it would be true, it would be unlocked and buggy access.
 | Why not just return mp; ?
 | 
 | It seems to me that TAILQ_END() makes the code more missleading without
 | doing any good.  What was the rationale behind adding and using it?
 
 I think it was provided so that the macros look the same across different
 ADT's. Don't shoot the messenger, I did not add it. But I will fix the
 locking non-issue...

Revision 1.54 of queue.h shows you.  Thanks for improving it, but I still
do not see the benefit of:

mp = mp == TAILQ_END(mountlist) ? NULL : mp;

Over:

return mp;

Everybody understood NULL, so why obfuscate the code?

-- 
Mindaugas

Re: CVS commit: src/sys/coda

[Mindaugas Rasiukevicius]

chris...@zoulas.com (Christos Zoulas) wrote:
 On Nov 23, 11:24pm, rm...@netbsd.org (Mindaugas Rasiukevicius) wrote:
 -- Subject: Re: CVS commit: src/sys/coda
 
 | mp = mp == TAILQ_END(mountlist) ? NULL : mp;
 | 
 | Over:
 | 
 | return mp;
 | 
 | Everybody understood NULL, so why obfuscate the code?
 
 The point (as I understand it) is so that if you want to change to another
 ADT where end != NULL (are there any now, that we have banned CIRCLEQ?)
 using the END macro lets you s/FOOQ/BARQ/ and have it mostly work.

Since 1990s (or even earlier) none of the lists in queue(3) had _END(),
apart from the circle queue (for a very obvious reason it makes sense).
Now that CIRCLEQ is banned - you added _END() for LIST and TAILQ.  I do
not follow the logic. :)

I would remove _END() macros to keep the way it always was.  If the goal
is to improve the interface, then now is a good time to design a new API,
but we already have a long thread on tech-userlevel for this..

-- 
Mindaugas

Re: CVS commit: src/usr.sbin/npf/npfctl

[Mindaugas Rasiukevicius]

Christos Zoulas chris...@netbsd.org wrote:
 Module Name:  src
 Committed By: christos
 Date: Tue Nov 19 17:01:45 UTC 2013
 
 Modified Files:
   src/usr.sbin/npf/npfctl: npf_show.c
 
 Log Message:
 CID 1129614: dereference after null
 

It should never be NULL.  Perhaps assert(tl != NULL)?

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

Alexander Nasonov al...@yandex.ru wrote:
  +./usr/lib/librumpkern_sljit.so
  base-rump-shlib rump
  +./usr/lib/librumpkern_sljit.so.0
  base-rump-shlib rump
  +./usr/lib/librumpkern_sljit.so.0.0
  base-rump-shlib rump
 
 A similar change was sitting in my local tree for quite a while but
 sljit API isn't yet stable enough to wrap it into a DSO.
 
 I kept bpbfjit and libsljit private (LIBISPRIVATE=yes) and used them
 only for libsljit and libbpfjit tests.
 
 Is it possible to do something similar in rump framework?

I think we can just create sys/rump/net/lib/libbpfjit/sljit as a library,
specify SUBDIR and compile the library itself with LIBISPRIVATE=yes.

-- 
Mindaugas

Re: CVS commit: src/usr.sbin/npf/npftest

[Mindaugas Rasiukevicius]

Alexander Nasonov al...@yandex.ru wrote:
 Mindaugas Rasiukevicius wrote:
  Module Name:src
  Committed By:   rmind
  Date:   Sat Nov 16 01:41:43 UTC 2013
  
  Modified Files:
  src/usr.sbin/npf/npftest: Makefile
  src/usr.sbin/npf/npftest/libnpftest: Makefile npf_bpf_test.c
  
  Log Message:
  Enable bpfjit for npftest.
 
 It breaks when MKSLJIT=no. I fixed the build already but I don't know
 if something else should be changed in npf_bpf_test.c file.

Nope, it is handled dynamically.

Thanks.

-- 
Mindaugas

Re: CVS commit: src/sys/fs/tmpfs

[Mindaugas Rasiukevicius]

J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
  Module Name:src
  Committed By:   rmind
  Date:   Fri Nov  8 15:44:23 UTC 2013
  
 ...
 
 The tests fs/vfs/t_union/tmpfs_basic and fs/vfs/t_union/tmpfs_whiteout
 start failing after this commit.
 

Fixed.

-- 
Mindaugas

Re: CVS commit: src/sys/net/npf

[Mindaugas Rasiukevicius]

Paul Goyette p...@whooppee.com wrote:
 On Tue, 29 Oct 2013, Mindaugas Rasiukevicius wrote:
 
  Module Name:src
  Committed By:   rmind
  Date:   Tue Oct 29 16:39:10 UTC 2013
 
  Modified Files:
  src/sys/net/npf: npf_impl.h npf_nat.c npf_session.c
 
  Log Message:
  npf_session_setnat: fix the race condition when the old connection is
  still being expired while a new/duplicate is being created.
 
 Should we have (or do we have) a regression test to catch this race 
 condition?

You would need to write a test simulating a particular condition and then
trying to brute-force the race.  It requires a bit of coding as it is not
an easy race to trigger.  Let me know if you want to volunteer.

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

chris...@zoulas.com (Christos Zoulas) wrote:
 On Nov 30, 11:39pm, plu...@rya-online.net (Iain Hibbert) wrote:
 -- Subject: Re: CVS commit: src/sys
 
 | On Fri, 30 Nov 2012, Christos Zoulas wrote:
 | 
 |  In article 20121130134954.ga14...@britannica.bec.de,
 |  Joerg Sonnenberger  jo...@britannica.bec.de wrote:
 |  On Fri, Nov 30, 2012 at 08:34:27AM -0500, Christos Zoulas wrote:
 |   | fd_set doesn't seem like an appropriate structure for this.
 |  
 |   I've been thinking about creating something more efficient, but I
 |   didn't come up with something better and decided that using fd_set
 |   was less complex.
 |  
 |  A plain bitmap is ok for this purpose. Something like:
 |  
 |  static uintptr_t inet4_reserve[65536 / sizeof(uintptr_t) /
 |  CHAR_BITS];
 | 
 |  Sure, but then I would have to rewrite or open code the access macros.
 |  I think that it would be a lot nicer to have a more general fdset
 |  that could be included multiple times, and provided the access macros.
 | 
 | well, there is bitstring(3) ..?
 
 I'll convert to that. Or cook a set of macros.
 
 christos

Or reuse this interface, which manages portmap atomically:

http://nxr.netbsd.org/xref/src/sys/net/npf/npf_nat.c?r=1.17#336

-- 
Mindaugas

Re: CVS commit: src/sys/uvm

[Mindaugas Rasiukevicius]

Matt Thomas m...@3am-software.com wrote:
 
 On Sep 3, 2012, at 3:33 PM, Mindaugas Rasiukevicius wrote:
 
  Matt Thomas m...@netbsd.org wrote:
  Module Name:   src
  Committed By:  matt
  Date:  Mon Sep  3 19:53:43 UTC 2012
  
  Modified Files:
 src/sys/uvm: uvm_km.c uvm_map.c
  
  Log Message:
  Switch to a spin lock (uvm_kentry_lock) which, fortunately, was sitting
  there unused.
  
  - pmap_growkernel() may use adaptive locks, which cannot be acquired
  with the spin lock held; so the change breaks at least x86 and alpha.
  
  - Why in the caller?  I think it would be better do leave it for the
  pmaps, e.g. they may re-use the locks which already provide the
  necessary protection and which need to be taken anyway (like in x86
  pmap).
 
 uvm_maxkaddr need a lock for its updating
 
 growkernel can be called uvm_km_mem_alloc which might be called
 at interrupt level.

The second point stands, but I see you already fixed it - thanks!

As for pmap_growkernel() being called from interrupt context - right, then
it seems Xen is broken, as its path in pmap_growkernel() acquires adaptive
pmaps_lock and might call pool_cache_invalidate() which can block..

-- 
Mindaugas

Re: CVS commit: src/sys/uvm

[Mindaugas Rasiukevicius]

Matt Thomas m...@netbsd.org wrote:
 Module Name:  src
 Committed By: matt
 Date: Mon Sep  3 19:53:43 UTC 2012
 
 Modified Files:
   src/sys/uvm: uvm_km.c uvm_map.c
 
 Log Message:
 Switch to a spin lock (uvm_kentry_lock) which, fortunately, was sitting
 there unused.

- pmap_growkernel() may use adaptive locks, which cannot be acquired with
  the spin lock held; so the change breaks at least x86 and alpha.

- Why in the caller?  I think it would be better do leave it for the pmaps,
  e.g. they may re-use the locks which already provide the necessary
  protection and which need to be taken anyway (like in x86 pmap).

-- 
Mindaugas

Re: CVS commit: src/sys/modules/bpf

[Mindaugas Rasiukevicius]

Matt Thomas m...@netbsd.org wrote:
 Module Name:  src
 Committed By: matt
 Date: Thu Aug  2 00:22:32 UTC 2012
 
 Modified Files:
   src/sys/modules/bpf: Makefile
 
 Log Message:
 Add missing paren.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/sys/modules/bpf/Makefile

Seems that make ignored the syntax error in .if statement, as it compiles
on e.g. x86 where the first check is true.  Is this a bug in make?

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Mindaugas Rasiukevicius rm...@netbsd.org wrote:
 Module Name:  src
 Committed By: rmind
 Date: Wed Aug  1 23:24:29 UTC 2012
 
 ...
 
 Log Message:
 Add BPF JIT compiler, currently supporting amd64 and i386.  Code obtained
 from FreeBSD.  Also, make few BPF fixes and simplifications while here.
 Note that bpf_jit_enable is false for now.

FYI:

FreeBSD has quite comprehensive regression tests for BPF.  With some
changes they run on NetBSD.

http://www.netbsd.org/~rmind/regress/bpf_tests.tar.bz2

Out of 84 tests, all pass with BPF JIT enabled (and disabled).

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

Hi Simon,

Simon Burge sim...@netbsd.org wrote:
 
   [ ... ]
  
  Log Message:
  
  Add MurmurHash2 -- a non-cryptographic hash function by Austin Appleby.
  The code is taken from the upstream and is in the public domain.
 
 I'm curious why you've chosen MurmurHash2 instead of MurmurHash3 given the
 known problems with MurmurHash2?  Also, should the filename have a 2 in
 it?

It meets my needs.  Are you referring to the weakness when using 4-bytes?
Anyway, that is why the file name does not have 2 in it, so that we could
add MurmurHash3 as well.

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

Simon Burge sim...@netbsd.org wrote:
 Mindaugas Rasiukevicius wrote:
 
  Simon Burge sim...@netbsd.org wrote:
   
 [ ... ]

Log Message:

Add MurmurHash2 -- a non-cryptographic hash function by Austin
Appleby. The code is taken from the upstream and is in the public
domain.
   
   I'm curious why you've chosen MurmurHash2 instead of MurmurHash3
   given the known problems with MurmurHash2?  Also, should the filename
   have a 2 in it?
  
  It meets my needs.
 
 What are your needs?  I don't see this change discussed anywhere.

I am going to use it in NPF as it shows better characteristics than
Jenkins lookup3.  It is a very small function.

  Are you referring to the weakness when using 4-bytes?
  Anyway, that is why the file name does not have 2 in it, so that we
  could add MurmurHash3 as well.
 
 That's completely different to the other hashes we have in the source
 tree.  Can you rename the file so that it's consistent please?

Because other hashes use very different interface, with a context and
common template in libc (rather horrible macros).  There is no need to
create a directory for every different version of MurmurHash.  Rather
undesirable, I would say.

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

Joerg Sonnenberger jo...@britannica.bec.de wrote:
  Log Message:
  Add MurmurHash2 -- a non-cryptographic hash function by Austin Appleby.
  The code is taken from the upstream and is in the public domain.
  
  OK christos@
 
 There are a number of issues with this. First of all, it pollutes the
 global namespace and can't be used safely from libc the way it is done.

How do you suggest to do it?

 Second, I don't really like adding a special purpose name of a hash
 function which is explicitly not designed to be endian neutral. We
 should provide a fast hash function and be able to change it without
 breaking assumptions, which this is not doing.

Well, the added function is endian-neutral and is generic implementation.
Idea is to provide optimised functions per architecture.  They would
merely override the generic one, but produce the same result regardless
of endianess.  Do you want to do it differently?

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

Simon Burge sim...@netbsd.org wrote:
Are you referring to the weakness when using 4-bytes?
Anyway, that is why the file name does not have 2 in it, so that we
could add MurmurHash3 as well.
   
   That's completely different to the other hashes we have in the source
   tree.  Can you rename the file so that it's consistent please?
  
  Because other hashes use very different interface, with a context and
  common template in libc (rather horrible macros).  There is no need to
  create a directory for every different version of MurmurHash.  Rather
  undesirable, I would say.
 
 I wasn't talking about creating a directory for every variant of murmur,
 just putting each variant in a separate .c file.  Eg:
 
   src/common/lib/libc/hash/murmurhash/murmurhash2.c
   src/common/lib/libc/hash/murmurhash/murmurhash3.c
 
 Or do you intend on adding other variants of murmur to the current .c
 file if/when needed?

Yes, I would like to add MurmurHash3 to the same module.  Having them in
the same module enables easier code reuse, when it's the case.  Do you
see a good reason to have them in separate modules?

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Manuel Bouyer bou...@antioche.eu.org wrote:
  Few minor points.  Does atabus_alloc_drives() need to use M_NOWAIT and
  malloc(9), instead of kmem(9)?
 
 At first glance I'd say it should always be called from the atabus thread,
 so it should be OK

Could you change it then?  Generally, KM_NOSLEEP should not be used unless
there is a very good reason.  It may fail even if there is free memory.

  Also, any reason why you use tsleep(9)
  instead of kpause(9) (in satapmp_subr.c and elsewhere)?  We are trying
  to get rid of the former.
 
 kpause(9) could be used here. But I prefer to keep sys/dev/ata consistent
 and convert all the code to kpause at the same time. It could have been
 done here, I just didn't think about it.
 Next opportunity will be with NCQ support, which I hope to look at soon.
 This also would be the time to make ata(4) MP-safe.

Cool!  NCQ and MP-safe ata(4) would be a major improvement for NetBSD!

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Manuel Bouyer bou...@netbsd.org wrote:
 Module Name:  src
 Committed By: bouyer
 Date: Mon Jul  2 18:15:48 UTC 2012
 
 ...
 
 Log Message:
 Add sata Port MultiPlier (PMP) support to the ata bus layer,
 as described in
 http://mail-index.netbsd.org/tech-kern/2012/06/23/msg013442.html
 PMP support in integrated to the atabus layer.

Nice piece of development!

Few minor points.  Does atabus_alloc_drives() need to use M_NOWAIT and
malloc(9), instead of kmem(9)?  Also, any reason why you use tsleep(9)
instead of kpause(9) (in satapmp_subr.c and elsewhere)?  We are trying
to get rid of the former.

-- 
Mindaugas

Re: CVS commit: src/sys/kern

[Mindaugas Rasiukevicius]

y...@mwd.biglobe.ne.jp (YAMAMOTO Takashi) wrote:
 hi,
 
  Module Name:src
  Committed By:   rmind
  Date:   Mon Jan 30 21:05:40 UTC 2012
  
  Modified Files:
  src/sys/kern: subr_kmem.c
  
  Log Message:
  Fix for KMEM_GUARD; do not use it from interrupt context.
 
 kmem_zalloc still seems broken and anyway the test looks too fragile.
 how about simply moving the #ifdef blocks to callers?

It was just a quick workaround to make it run.  I have changed KMGUARD
such that it could be called from interrupt context.  Might need some
tuning as memory consumption is even more significant, but that can be
done later.  KMGUARD already discovered 4 bugs.

 
 YAMAMOTO Takashi

-- 
Mindaugas

Re: CVS commit: src/sys/kern

[Mindaugas Rasiukevicius]

David Laight da...@l8s.co.uk wrote:
 On Sun, Jan 22, 2012 at 03:48:51AM +, Mindaugas Rasiukevicius wrote:
  Module Name:src
  Committed By:   rmind
  Date:   Sun Jan 22 03:48:51 UTC 2012
  
  Modified Files:
  src/sys/kern: kern_fileassoc.c
  
  Log Message:
  fileassoc_file_delete: pre-check whether fileassoc was used and thus
  avoid acquiring kernel-lock, which damages sys_unlink() performance.
 
 Erm... looking at the file the locking in there looks decidedly dubious.
 
 1) There doesn't seem to be any locking on the hash table.
 2) It isn't clear why the KERNEL_LOCK was acquired in one specific path.
 3) If fileassoc_file_delete() is expected to remove all references for
a vnode, something external must have forced the state of the vnode.
(otherwise the stuff might be added - inc. global init - while this
code is being called.

Yes, locking issues are known in this code (see e.g. PR/35351) and I would
say fileassoc(9) should be disabled by default while this is resolved.

However, I do not really have much interest in fixing fileassoc(9), so my
only concern was to fix performance degradation of unlink(2) due to it.

-- 
Mindaugas

Re: CVS commit: src/sys/arch

[Mindaugas Rasiukevicius]

Chuck Silvers c...@chuq.com wrote:
   Log Message:
   map all of physical memory using large pages.
   ported from openbsd years ago by Murray Armfield,
   updated for changes since then by me.
  
  This is cool, thanks!  Can you add an entry to src/doc/CHANGES?  Also,
  just wondering - did you try any benchmarks?  I would expect reasonable
  improvement.
 
 does it really make sense to list incremental performance improvements
 there? I can add it if folks want, but we don't tend to document misc
 performance improvements that have no API impact outside the kernel.

Yes, we should and do list such changes.  Also, 2.5% is quite good and it
is useful to collect such numbers in doc/CHANGES for marketing purposes.

 as for how much it helps, on a 12-CPU box build.sh release is about 2.5%
 faster.  if I enable __HAVE_CPU_UAREA_ROUTINES so that uareas are also
 accessed this way that gives an additional 0.5% speedup.

Cool!  Any reason why __HAVE_CPU_UAREA_ROUTINES is not enabled by default?

 coincidentally, this almost exactly compensates for the performance hit
 of enabling DIAGNOSTIC.

It really depends on the workload, e.g. effects on sysbench OLTP are quite
visible or e.g. PR/45734.

 
 -Chuck

-- 
Mindaugas

Re: CVS commit: src/sys/arch

[Mindaugas Rasiukevicius]

Chuck Silvers c...@netbsd.org wrote:
 Module Name:  src
 Committed By: chs
 Date: Sun Dec  4 16:24:13 UTC 2011
 
 Modified Files:
   src/sys/arch/amd64/amd64: locore.S machdep.c
   src/sys/arch/amd64/include: types.h
   src/sys/arch/x86/include: pmap.h
   src/sys/arch/x86/x86: pmap.c
 
 Log Message:
 map all of physical memory using large pages.
 ported from openbsd years ago by Murray Armfield,
 updated for changes since then by me.

This is cool, thanks!  Can you add an entry to src/doc/CHANGES?  Also,
just wondering - did you try any benchmarks?  I would expect reasonable
improvement.

-- 
Mindaugas

Re: CVS commit: src

[Mindaugas Rasiukevicius]

Martin Husemann mar...@duskware.de wrote:
 On Wed, Nov 23, 2011 at 03:19:55AM +, Christos Zoulas wrote:
  He does not want to write atf tests. In my opinion non-atf tests is
  better than no tests.
 
 IMHO non-atf tests are just as useless as the whole src/regress hierachy
 always was. BUT: finding someone to pick this new tests up and embed them
 in atf should be easy.

They are not useless at all.  Actually, I still use them.

 
 Martin

-- 
Mindaugas

Re: CVS commit: src/sys/arch/i386/i386

[Mindaugas Rasiukevicius]

J. Hannken-Illjes hann...@eis.cs.tu-bs.de wrote:
  Module Name:src
  Committed By:   yamt
  Date:   Mon Oct 31 12:42:53 UTC 2011
  
  Modified Files:
  src/sys/arch/i386/i386: dumpsys.c
  
  Log Message:
  dumpsys_seg: don't overwrite the previous mapping
 
 With this change in place core dumps from ddb (reboot 104) no longer work
 on MP machines.
 
 Before pmap_tlb_shootnow() always returned on the `tp-tp_count == 0'
 check.
 
 Now it goes into the `remote' case and hangs hard trying to reach other
 CPUs.

We could check for panicstr.  Not sure if that is desirable, though.

-- 
Mindaugas

Re: CVS commit: src/sys/kern

[Mindaugas Rasiukevicius]

Hello Juergen,

Juergen Hannken-Illjes hann...@netbsd.org wrote:
 Log Message:
 The path getnewvnode()-getcleanvnode()-vclean()-VOP_LOCK() will panic
 if the vnode we want to clean is a layered vnode and the caller already
 locked its lower vnode.
 
 Change getnewvnode() to always allocate a fresh vnode and add a helper
 thread (vdrain) to keep the number of allocated vnodes within
 desiredvnodes.
 
 Rename getcleanvnode() to cleanvnode() and let it take a vnode from the
 lists, clean and free it.

 ...
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.11 -r1.12 src/sys/kern/vfs_vnode.c

Not that I object to the change, but such approach was already discussed in
the past on tech-kern@ and rejected.  See the follow ups of this thread:

http://mail-index.netbsd.org/tech-kern/2009/08/17/msg005861.html

This significantly changes the dynamics of vnode cache and reclamation,
apart from making it single-threaded.  Given the current locking scheme
with its issues (and thus reclamation complexity), the change is probably
good enough for the medium term.  However, in the long term, I would say
that getnewvnode() behaviour should be restored.

-- 
Mindaugas

Re: CVS commit: src/sys

[Mindaugas Rasiukevicius]

Christos Zoulas chris...@netbsd.org wrote:
 Log Message:
 Add an optional pglist argument to uvm_obj_wirepages, to be
 filled with the list of pages that were wired.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.121 -r1.122 src/sys/kern/sysv_shm.c
 cvs rdiff -u -r1.174 -r1.175 src/sys/uvm/uvm_extern.h
 cvs rdiff -u -r1.10 -r1.11 src/sys/uvm/uvm_object.c

Why?

-- 
Mindaugas

Re: CVS commit: src/share/man/man9

[Mindaugas Rasiukevicius]

Jukka Ruohonen jruoho...@iki.fi wrote:
  
  Log Message:
  Fix .Xr to membar_ops(3), not membar(9).  Spotted by wiz@.
 
 Can you brief on what is the difference between membar_ops(3) and mb(9)?
 

mb(9) predates membar_ops(3).  I do not know why it was left when the
later interface was added.  It seems to me that mb(9) should be removed.
Some good notes from mb(9) man page can be moved to membar_ops(9) though.

-- 
Mindaugas

Re: CVS commit: src/sys/kern

[Mindaugas Rasiukevicius]

Masao Uebayashi uebay...@netbsd.org wrote:
 Module Name:  src
 Committed By: uebayasi
 Date: Sat Jul 30 05:24:17 UTC 2011
 
 Modified Files:
   src/sys/kern: kern_softint.c
 
 Log Message:
 Use kmem(9) to allocate per-cpu softint context.  No functional changes.
 

Why?  The allocation is page-sized, persistent and should preferably be
on page-boundary.

-- 
Mindaugas

Re: CVS commit: src/sys/uvm

[Mindaugas Rasiukevicius]

y...@mwd.biglobe.ne.jp (YAMAMOTO Takashi) wrote:
   Log Message:
   amap_copy(): Keep the source amap locked until its lock has been
   copied.
  
  btw, this code seems to assume that uvm_anfree does not release the
  lock even temporarily while the comment on uvm_anfree1 says the
  opposite.
  
  http://www.netbsd.org/~rmind/uvm_anon_freelst.diff
  
  Looks good?
 
 i don't understand what it solves.  can you explain a little?

Here is the updated patch after your changes:

http://www.netbsd.org/~rmind/uvm_anon_freelst2.diff

As you noted, uvm_anfree() can temporarily release the amap lock - that can
happen in amap_copy().  Patch closes the race by moving uvm_anfree() further,
and changes the semantics of the function, now called uvm_anon_freelst(), to
return with amap lock released (plus free anons without lock held).

-- 
Mindaugas

Re: CVS commit: src/sys/arch

[Mindaugas Rasiukevicius]

Manuel Bouyer bou...@netbsd.org wrote:
 Module Name:  src
 Committed By: bouyer
 Date: Sun Jul  3 10:40:16 UTC 2011
 
 Modified Files:
   src/sys/arch/amd64/conf: GENERIC
   src/sys/arch/i386/conf: GENERIC
 
 Log Message:
 Add back DIAGNOSTIC option to x86 GENERIC kernels, as discussed on
 tech-kern. This will have to be commented out on release branches.

Thanks for enabling this, however you have ignored points raised on
tech-kern@.  In such case, at least DEBUG and DDB on panic (plus trace
command) should be re-enabled as well.

And, most importantly, this is not communicated to -current users who
will get performance decrease after kernel update.  Apart from updating
motd, I was thinking about some printf()ed warning in the kernel..

-- 
Mindaugas

Re: CVS commit: src/sys/arch

[Mindaugas Rasiukevicius]

Manuel Bouyer bou...@antioche.eu.org wrote:
 On Sun, Jul 03, 2011 at 03:57:25PM +0100, Mindaugas Rasiukevicius wrote:
  Thanks for enabling this, however you have ignored points raised on
  tech-kern@.  In such case, at least DEBUG
 
 DEBUG is not as usefull as DIAGNOSTIC, and is very verbose.
 My main point is to get KASSERT() back again.
 
 DEBUG and LOCKDEBUG were mentionned, but I don't remmeber a clear
 consensus about thoses
 
  and DDB on panic (plus trace
  command) should be re-enabled as well.
 
 I also don't think we did reach a consensus about this either.

Well, I object on adding only DIAGNOSTIC, without DEBUG and DDB trace
enabled, as it is counter productive to the idea to gather more info.
LOCKDEBUG would be useful as well, but its very significant effect to
performance can be understood.

Also, it seems that nobody disagreed on enabling DDB trace (as well as
adding DEBUG option).  What makes you think that we did not reach the
consensus?

 With DDB on panic you don't get a core dump, you just see the system
 hang if running X11.
 With trace (assuming you're not running X11), you have the usefull panic
 message scroll away on a standard VGA screen.

Again, call ddb_vgapost was proposed.  You can still coredump, either
manually or just by adding another command.  Also, if automatic coredump
fails (to me it is often the case) - then info is left uncollected.

-- 
Mindaugas

Re: CVS commit: src/sys/arch

[Mindaugas Rasiukevicius]

Manuel Bouyer bou...@antioche.eu.org wrote:
 On Sun, Jul 03, 2011 at 06:09:10PM +0100, Mindaugas Rasiukevicius wrote:
   I also don't think we did reach a consensus about this either.
  
  Well, I object on adding only DIAGNOSTIC, without DEBUG and DDB trace
  enabled, as it is counter productive to the idea to gather more info.
 
 I can't see how DEBUG can give more infos for KASSERT().
 I can see how DDB trace will hide usefull infos from KASSERT().
 
  LOCKDEBUG would be useful as well, but its very significant effect to
  performance can be understood.
  
  Also, it seems that nobody disagreed on enabling DDB trace (as well as
  adding DEBUG option).  What makes you think that we did not reach the
  consensus?
 
 I did agree at fisrt, but then I sent
 http://mail-index.netbsd.org/tech-kern/2011/06/17/msg010736.html

There are over a hundred KDASSERT()s and plenty #ifdef DEBUG checks.
Crash reports without backtrace - that is very often useless, and we do
receive such reports in time, where we need to ask users to reproduce
it again and collect more information.  Naturally, we cannot expect our
users/admins to be fluent in DDB, but collecting more information is a
key in debugging more complex bugs, and backtrace is a bare minimum.

I think the change is half-baked and should we be reverted until we
reach the agreement on tech-kern@.

   With DDB on panic you don't get a core dump, you just see the system
   hang if running X11.
   With trace (assuming you're not running X11), you have the usefull
   panic message scroll away on a standard VGA screen.
  
  Again, call ddb_vgapost was proposed.  You can still coredump, either
 
 what will this do on a serial console ?

How is it related to serial console?

-- 
Mindaugas

Re: CVS commit: src/sys/uvm

[Mindaugas Rasiukevicius]

y...@mwd.biglobe.ne.jp (YAMAMOTO Takashi) wrote:
 hi,
 
  Module Name:src
  Committed By:   hannken
  Date:   Mon Jun 27 15:56:37 UTC 2011
  
  Modified Files:
  src/sys/uvm: uvm_amap.c
  
  Log Message:
  amap_copy(): Keep the source amap locked until its lock has been copied.
 
 btw, this code seems to assume that uvm_anfree does not release the lock
 even temporarily while the comment on uvm_anfree1 says the opposite.

Right.  Fix would be to always drop the lock in uvm_anfree() and call it
in the last point.  I will write a patch tomorrow.

 
 YAMAMOTO Takashi

-- 
Mindaugas

Re: CVS commit: src/sys/uvm

[Mindaugas Rasiukevicius]

tsugutomo.en...@jp.sony.com wrote:
  Modified Files:
  src/sys/uvm: uvm_amap.c
 
  Log Message:
  Clean-up, add asserts, slightly simplify.
 
 
  To generate a diff of this commit:
  cvs rdiff -u -r1.95 -r1.96 src/sys/uvm/uvm_amap.c
 
 In amap_copy(), I guess map entry may be clipped and need to recompute
 entry-end - entry-start after that.

Yes.. fixed.  Thanks!

-- 
Mindaugas