CVS commit: [netbsd-9] src/sys/net/npf

2023-08-23 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Wed Aug 23 18:22:51 UTC 2023

Modified Files:
src/sys/net/npf [netbsd-9]: npf_ruleset.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1725):

sys/net/npf/npf_ruleset.c: revision 1.52

The analysis documented in PR misc/56990 is correct.

Fix by not returning when encountering a ruleset rule.

The code up to now would stop at any group rule.
Ruleset rules are marked as a group rule and a dynamic rule.
Processing is only finished when a result is present AND
we are looking at a plain group rule.


To generate a diff of this commit:
cvs rdiff -u -r1.48.2.3 -r1.48.2.4 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.48.2.3 src/sys/net/npf/npf_ruleset.c:1.48.2.4
--- src/sys/net/npf/npf_ruleset.c:1.48.2.3	Sat Jun 20 15:46:48 2020
+++ src/sys/net/npf/npf_ruleset.c	Wed Aug 23 18:22:51 2023
@@ -34,7 +34,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.48.2.3 2020/06/20 15:46:48 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.48.2.4 2023/08/23 18:22:51 martin Exp $");
 
 #include 
 #include 
@@ -891,7 +891,7 @@ npf_ruleset_inspect(npf_cache_t *npc, co
 		KASSERT(n < skip_to);
 
 		/* Group is a barrier: return a matching if found any. */
-		if ((attr & NPF_RULE_GROUP) != 0 && final_rl) {
+		if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP && final_rl) {
 			break;
 		}
 
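Review bot: the comment just above the test, `/* Group is a barrier: return a matching if found any. */`, no longer describes the condition: with `(attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP` only a plain group is a barrier, and a ruleset rule (group bit plus dynamic bit, per the log message) is walked past. Reword it to say that dynamic groups (rulesets) do not end the walk. The equality test also depends on NPF_DYNAMIC_GROUP being the mask of both bits, so that a dynamic group compares unequal to NPF_RULE_GROUP; a one-line note to that effect saves the next reader a trip to npf.h.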


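Added example, not NetBSD code and not part of the commit above: a user-space C model of the barrier test that the hunk changes, running the pre-fix and post-fix predicates over a constructed six-rule table. The flag bit values, the `struct rule` layout and the simplified walk loop are assumptions made for the model; only the two predicates are taken from the diff. The model shows what the log message describes: with the old test a ruleset line ends the walk as soon as an earlier rule in the same group has matched, so the rules after it are never evaluated, while the fixed test walks past the ruleset and still stops at the next plain group.

```c
/*
 * Added example, not NetBSD code: a user-space model of the group-barrier
 * test in npf_ruleset_inspect() before and after revision 1.52.  The flag
 * values, the rule table and the walk loop are assumptions made for the
 * model; only the two predicates are taken from the diff.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPF_RULE_GROUP     0x01u   /* assumed bit values, not npf.h's */
#define NPF_RULE_DYNAMIC   0x02u
#define NPF_RULE_FINAL     0x04u
#define NPF_DYNAMIC_GROUP  (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

struct rule {
	const char *name;
	uint32_t attr;
	bool matches;    /* what npf_rule_inspect() would return for the model packet */
	size_t skip_to;  /* next rule to try on mismatch: past the whole group for a group rule */
};

/* Pre-fix predicate: any group rule, plain or dynamic, ends the walk once a match exists. */
static bool
barrier_before(uint32_t attr)
{
	return (attr & NPF_RULE_GROUP) != 0;
}

/* Post-fix predicate: only a plain group rule (group bit set, dynamic bit clear) is a barrier. */
static bool
barrier_after(uint32_t attr)
{
	return (attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP;
}

/*
 * Simplified walk: returns the index of the last matching non-group rule,
 * or -1.  Group and ruleset rules are entered but never become the result;
 * the dynamic contents of a ruleset are not modelled.
 */
static int
inspect(const struct rule *rules, size_t nrules, bool (*barrier)(uint32_t))
{
	int final_rl = -1;
	size_t n = 0;

	while (n < nrules) {
		const struct rule *rl = &rules[n];

		/* The barrier check comes before the rule is inspected, as in the hunk. */
		if (barrier(rl->attr) && final_rl >= 0)
			break;
		if (!rl->matches) {
			n = rl->skip_to;
			continue;
		}
		if (rl->attr & NPF_RULE_GROUP) {
			n++;           /* descend into the group or ruleset */
			continue;
		}
		final_rl = (int)n;
		if (rl->attr & NPF_RULE_FINAL)
			break;
		n++;
	}
	return final_rl;
}

/* Constructed configuration: a group holding a block, a ruleset and a later pass, then a second group. */
static const struct rule sample[] = {
	{ "group default",                NPF_RULE_GROUP,    true, 4 },
	{ "block all",                    0,                 true, 2 },
	{ "ruleset \"blocklist\"",        NPF_DYNAMIC_GROUP, true, 3 },
	{ "pass in proto tcp to port 22", 0,                 true, 4 },
	{ "group other",                  NPF_RULE_GROUP,    true, 6 },
	{ "pass all",                     0,                 true, 6 },
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

int result_before_fix(void) { return inspect(sample, NSAMPLE, barrier_before); }  /* 1: "block all" wins */
int result_after_fix(void)  { return inspect(sample, NSAMPLE, barrier_after);  }  /* 3: the later pass wins */

int
main(void)
{
	int before = result_before_fix(), after = result_after_fix();

	printf("before fix: rule %d (%s)\n", before, sample[before].name);
	printf("after fix:  rule %d (%s)\n", after, sample[after].name);
	return 0;
}
```

Rule 5 ("pass all") is never reached in either run: the second plain group is still a barrier once rule 3 has matched, which is the behaviour the fix preserves.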

CVS commit: [netbsd-9] src/sys/net/npf

2023-08-21 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Mon Aug 21 12:20:07 UTC 2023

Modified Files:
src/sys/net/npf [netbsd-9]: npf_tableset.c

Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1718):

sys/net/npf/npf_tableset.c: revision 1.41

npf(9): Drop table lock around copyout.

It is forbidden to hold a spin lock around copyout, and t_lock is a
spin lock.

We need t_lock in order to iterate over the list of entries.
However, during copyout itself, we only need to ensure that the
object we're copying out isn't freed by npf_table_remove or
npf_table_gc.

Fortunately, the only caller of npf_table_list, npf_table_remove, and
npf_table_gc is npfctl_table, and it serializes all of them by the
npf config lock.  So we can safely drop t_lock across copyout.

PR kern/57136
PR kern/57181


To generate a diff of this commit:
cvs rdiff -u -r1.33.2.2 -r1.33.2.3 src/sys/net/npf/npf_tableset.c




Modified files:

Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.33.2.2 src/sys/net/npf/npf_tableset.c:1.33.2.3
--- src/sys/net/npf/npf_tableset.c:1.33.2.2	Sat Jun 20 15:46:47 2020
+++ src/sys/net/npf/npf_tableset.c	Mon Aug 21 12:20:07 2023
@@ -46,7 +46,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.33.2.2 2020/06/20 15:46:47 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.33.2.3 2023/08/21 12:20:07 martin Exp $");
 
 #include 
 #include 
@@ -758,15 +758,17 @@ table_ent_copyout(const npf_addr_t *addr
 }
 
 static int
-table_generic_list(const npf_table_t *t, void *ubuf, size_t len)
+table_generic_list(npf_table_t *t, void *ubuf, size_t len)
 {
 	npf_tblent_t *ent;
 	size_t off = 0;
 	int error = 0;
 
 	LIST_FOREACH(ent, >t_list, te_listent) {
+		mutex_exit(>t_lock);
 		error = table_ent_copyout(>te_addr,
 		ent->te_alen, ent->te_preflen, ubuf, len, );
+		mutex_enter(>t_lock);
 		if (error)
 			break;
 	}
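Review bot: dropping t_lock inside LIST_FOREACH leaves `ent` and its te_listent link unprotected for the duration of table_ent_copyout, so the loop is only safe if nothing can unlink or free an entry meanwhile; the log message says the npf config lock held by npfctl_table guarantees that, but the code does not say so. Put that invariant in a comment next to the mutex_exit (and a KASSERT on the config lock if one is reachable from here), otherwise a future caller of table_generic_list without the config lock gets a silent use-after-free instead of a lock assertion. The dropped `const` on the signature is forced by mutex_exit/mutex_enter and is fine. Separately, this is one exit/enter pair per entry; for large tables, copying a batch of entries into a kernel buffer under the lock and doing one copyout per batch would avoid that churn.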


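Added example, not NetBSD code and not from the commit above: a user-space C model of the rule the log message states, that copyout must not run with a spin lock held, and of why the fixed loop drops t_lock around the per-entry copy. A hold counter stands in for the kernel's LOCKDEBUG check; the list, entry layout, the `uent` record and the "config lock" flag are assumptions of the model rather than NPF's data structures. One walk function takes a `drop_lock` switch so the pre-fix and post-fix loops can be run over the same constructed three-entry table.

```c
/*
 * Added example, not NetBSD code: user-space model of why table_generic_list()
 * has to drop t_lock around table_ent_copyout().  A hold counter stands in for
 * the kernel's LOCKDEBUG check that no spin lock is held where copyout(9) may
 * sleep; the list, entry layout and "config lock" flag are model assumptions.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct tblent { uint8_t addr[16]; uint8_t alen, preflen; struct tblent *next; };
struct uent   { uint8_t addr[16]; uint8_t alen, preflen; };   /* user-visible record */
struct table {
	int spin_held;          /* models t_lock: > 0 means held */
	bool config_locked;     /* models the npf config lock taken by npfctl_table */
	struct tblent *head;    /* models LIST_FIRST(&t->t_list) */
};

static void mutex_enter_m(struct table *t) { t->spin_held++; }
static void mutex_exit_m(struct table *t)  { t->spin_held--; }

/* Models copyout(9): it may sleep on a page fault, so a held spin lock is fatal. */
static int
ent_copyout_m(const struct table *t, const struct tblent *ent,
    void *ubuf, size_t len, size_t *off)
{
	if (t->spin_held > 0)
		return EDEADLK;     /* stands in for the LOCKDEBUG panic */
	if (*off + sizeof(struct uent) > len)
		return ENOMEM;
	struct uent *u = (struct uent *)((char *)ubuf + *off);
	memcpy(u->addr, ent->addr, sizeof(u->addr));
	u->alen = ent->alen;
	u->preflen = ent->preflen;
	*off += sizeof(*u);
	return 0;
}

/*
 * The list walk.  drop_lock=false is the loop before revision 1.41 (copyout
 * under the spin lock); drop_lock=true is the fixed loop.  With the lock
 * dropped, ent and ent->next stay valid only because the caller holds the
 * config lock that serialises list, remove and gc, so the model insists on it.
 */
static int
table_list_m(struct table *t, void *ubuf, size_t len, size_t *off, bool drop_lock)
{
	int error = 0;

	if (drop_lock && !t->config_locked)
		return EPERM;
	mutex_enter_m(t);
	for (struct tblent *ent = t->head; ent != NULL; ent = ent->next) {
		if (drop_lock)
			mutex_exit_m(t);
		error = ent_copyout_m(t, ent, ubuf, len, off);
		if (drop_lock)
			mutex_enter_m(t);
		if (error)
			break;
	}
	mutex_exit_m(t);
	return error;
}

/* Constructed sample: three /32 entries from 192.0.2.0/24 (TEST-NET-1), linked in order. */
static struct tblent sample_ents[3];

static void
sample_table(struct table *t)
{
	memset(sample_ents, 0, sizeof(sample_ents));
	for (int i = 0; i < 3; i++) {
		const uint8_t v4[4] = { 192, 0, 2, (uint8_t)(1 + i) };
		memcpy(sample_ents[i].addr, v4, sizeof(v4));
		sample_ents[i].alen = 4;
		sample_ents[i].preflen = 32;
		sample_ents[i].next = (i + 1 < 3) ? &sample_ents[i + 1] : NULL;
	}
	t->spin_held = 0;
	t->config_locked = true;
	t->head = &sample_ents[0];
}

/* Old loop on the sample: returns the error the LOCKDEBUG stand-in raises (EDEADLK). */
int
model_old_loop_error(void)
{
	struct table t; struct uent ubuf[3]; size_t off = 0;
	sample_table(&t);
	return table_list_m(&t, ubuf, sizeof(ubuf), &off, false);
}

/* Fixed loop on the sample: entries delivered (3), or -1 on error or bad data. */
int
model_new_loop_entries(void)
{
	struct table t; struct uent ubuf[3]; size_t off = 0;
	sample_table(&t);
	if (table_list_m(&t, ubuf, sizeof(ubuf), &off, true) != 0 || t.spin_held != 0)
		return -1;
	if (ubuf[2].addr[3] != 3 || ubuf[2].alen != 4 || ubuf[2].preflen != 32)
		return -1;
	return (int)(off / sizeof(struct uent));
}
```

The EPERM check is the model's way of making the commit's unstated precondition explicit; in the kernel the equivalent would be an assertion that the config lock is held, which is the kind of check a reviewer would ask for next to the mutex_exit.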

CVS commit: [netbsd-9] src/sys/net/npf

2023-03-14 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Tue Mar 14 17:11:13 UTC 2023

Modified Files:
src/sys/net/npf [netbsd-9]: npf.h npf_mbuf.c npf_sendpkt.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included upstream as https://github.com/rmind/npf/pull/115


To generate a diff of this commit:
cvs rdiff -u -r1.60.2.3 -r1.60.2.4 src/sys/net/npf/npf.h
cvs rdiff -u -r1.22.4.1 -r1.22.4.2 src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.21.4.1 -r1.21.4.2 src/sys/net/npf/npf_sendpkt.c


Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.60.2.3 src/sys/net/npf/npf.h:1.60.2.4
--- src/sys/net/npf/npf.h:1.60.2.3	Sat Jun 20 15:46:47 2020
+++ src/sys/net/npf/npf.h	Tue Mar 14 17:11:13 2023
@@ -122,6 +122,7 @@ void *		nbuf_ensure_writable(nbuf_t *, s
 
 bool		nbuf_cksum_barrier(nbuf_t *, int);
 int		nbuf_add_tag(nbuf_t *, uint32_t);
+int		npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t);
 int		nbuf_find_tag(nbuf_t *, uint32_t *);
 
 /*

Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.22.4.1 src/sys/net/npf/npf_mbuf.c:1.22.4.2
--- src/sys/net/npf/npf_mbuf.c:1.22.4.1	Sat Jun 20 15:46:47 2020
+++ src/sys/net/npf/npf_mbuf.c	Tue Mar 14 17:11:13 2023
@@ -36,7 +36,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.22.4.1 2020/06/20 15:46:47 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.22.4.2 2023/03/14 17:11:13 martin Exp $");
 
 #include 
 #include 
@@ -297,14 +297,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di)
 }
 
 /*
- * nbuf_add_tag: associate a tag with the network buffer.
+ * npf_mbuf_add_tag: associate a tag with the network buffer.
  *
  * => Returns 0 on success or error number on failure.
  */
 int
-nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
+npf_mbuf_add_tag(nbuf_t *nbuf, struct mbuf *m, uint32_t val)
 {
-	struct mbuf *m = nbuf->nb_mbuf0;
 #ifdef _KERNEL
 	struct m_tag *mt;
 	uint32_t *dat;
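Review bot: in npf_mbuf_add_tag the `nbuf` parameter has no use in the visible part of the body (its only reference, `nbuf->nb_mbuf0`, moved to the wrapper), so either drop it from the signature and from the npf.h prototype or mark it `__unused`; as it stands the signature suggests the tag is tied to the nbuf when it is attached to the `m` passed in. The header comment copied from nbuf_add_tag should also say that the tag goes on the given mbuf `m`, which may differ from the nbuf's head mbuf; that distinction is the whole reason for the new function.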
@@ -328,6 +327,18 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
 }
 
 /*
+ * nbuf_add_tag: associate a tag with the network buffer.
+ *
+ * => Returns 0 on success or error number on failure.
+ */
+int
+nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
+{
+	struct mbuf *m = nbuf->nb_mbuf0;
+	return npf_mbuf_add_tag(nbuf, m, val);
+}
+
+/*
  * nbuf_find_tag: find a tag associated with a network buffer.
  *
  * => Returns 0 on success or error number on failure.

Index: src/sys/net/npf/npf_sendpkt.c
diff -u src/sys/net/npf/npf_sendpkt.c:1.21.4.1 src/sys/net/npf/npf_sendpkt.c:1.21.4.2
--- src/sys/net/npf/npf_sendpkt.c:1.21.4.1	Sat Jun 20 15:46:47 2020
+++ src/sys/net/npf/npf_sendpkt.c	Tue Mar 14 17:11:13 2023
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.21.4.1 2020/06/20 15:46:47 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.21.4.2 2023/03/14 17:11:13 martin Exp $");
 
 #include 
 #include 
@@ -197,6 +197,9 @@ npf_return_tcp(npf_cache_t *npc)
 		}
 	}
 
+	/* don't look at our generated reject packets going out */
+	(void)npf_mbuf_add_tag(npc->npc_nbuf, m, NPF_NTAG_PASS);
+
 	/* Pass to IP layer. */
 	if (npf_iscached(npc, NPC_IP4)) {
 		return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
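Review bot: the return value of npf_mbuf_add_tag is discarded, so if the tag cannot be allocated the generated RST is sent untagged and is inspected by the outbound ruleset as before the change; that is a reasonable fall-back, but the comment should say so, e.g. `/* best effort: an untagged reject packet falls back to rule matching */`. It would also help to name what consumes NPF_NTAG_PASS, since a reader of this file cannot see where the tag short-circuits inspection.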
@@ -215,6 +218,9 @@ npf_return_icmp(const npf_cache_t *npc)
 {
 	struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf);
 
+	/* don't look at our generated reject packets going out */
+	(void)nbuf_add_tag(npc->npc_nbuf, NPF_NTAG_PASS);
+
 	if (npf_iscached(npc, NPC_IP4)) {
 		icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT, 0, 0);
 		return 0;
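Review bot: unlike the TCP path, which tags the freshly built reject mbuf `m`, this hunk tags the original packet through nbuf_add_tag on npc->npc_nbuf and then hands that same mbuf (`m = nbuf_head_mbuf(npc->npc_nbuf)`) to icmp_error, which constructs the ICMP error as a new mbuf. Whether NPF_NTAG_PASS reaches the outgoing ICMP packet therefore depends on icmp_error carrying the m_tag chain over from the quoted packet; that is not visible here and deserves a comment, or a test with a block-return-icmp rule behind an outbound block rule, confirming the tag survives.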




CVS commit: [netbsd-9] src/sys/net/npf

2019-08-07 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Wed Aug  7 08:28:37 UTC 2019

Modified Files:
src/sys/net/npf [netbsd-9]: npf.c npf_conn.c npf_conn.h

Log Message:
Pull up following revision(s) (requested by rmind in ticket #25):

sys/net/npf/npf_conn.h: revision 1.17
sys/net/npf/npf.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.28
sys/net/npf/npf_conn.c: revision 1.29

Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/net/npf/npf.c
cvs rdiff -u -r1.27 -r1.27.2.1 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.16 -r1.16.2.1 src/sys/net/npf/npf_conn.h


Modified files:

Index: src/sys/net/npf/npf.c
diff -u src/sys/net/npf/npf.c:1.38 src/sys/net/npf/npf.c:1.38.2.1
--- src/sys/net/npf/npf.c:1.38	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf.c	Wed Aug  7 08:28:37 2019
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38.2.1 2019/08/07 08:28:37 martin Exp $");
 
 #include 
 #include 
@@ -79,13 +79,17 @@ npf_create(int flags, const npf_mbufops_
 	npf_param_init(npf);
 	npf_state_sysinit(npf);
 	npf_ifmap_init(npf, ifops);
-	npf_conn_init(npf, flags);
+	npf_conn_init(npf);
 	npf_portmap_init(npf);
 	npf_alg_init(npf);
 	npf_ext_init(npf);
 
 	/* Load an empty configuration. */
 	npf_config_init(npf);
+
+	if ((flags & NPF_NO_GC) == 0) {
+		npf_worker_register(npf, npf_conn_worker);
+	}
 	return npf;
 }
 
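Review bot: moving npf_worker_register after npf_config_init is the G/C race fix named in the log, but nothing at the new call site says why the worker must be registered last; add a comment such as `/* Register the G/C worker only once the instance is fully set up. */`, because the original placement inside npf_conn_init looked natural and could be restored by mistake. This is also where NPF_NO_GC is now consumed, which is what allows the flags argument to disappear from npf_conn_init.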

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.27 src/sys/net/npf/npf_conn.c:1.27.2.1
--- src/sys/net/npf/npf_conn.c:1.27	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_conn.c	Wed Aug  7 08:28:37 2019
@@ -107,7 +107,7 @@
 
 #ifdef _KERNEL
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.27 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.27.2.1 2019/08/07 08:28:37 martin Exp $");
 
 #include 
 #include 
@@ -149,7 +149,7 @@ static nvlist_t *npf_conn_export(npf_t *
  */
 
 void
-npf_conn_init(npf_t *npf, int flags)
+npf_conn_init(npf_t *npf)
 {
 	npf->conn_cache[0] = pool_cache_init(
 	offsetof(npf_conn_t, c_keys[NPF_CONNKEY_V4WORDS * 2]),
@@ -161,10 +161,6 @@ npf_conn_init(npf_t *npf, int flags)
 	mutex_init(>conn_lock, MUTEX_DEFAULT, IPL_NONE);
 	npf->conn_tracking = CONN_TRACKING_OFF;
 	npf->conn_db = npf_conndb_create();
-
-	if ((flags & NPF_NO_GC) == 0) {
-		npf_worker_register(npf, npf_conn_worker);
-	}
 	npf_conndb_sysinit(npf);
 }
 
@@ -429,6 +425,7 @@ npf_conn_establish(npf_cache_t *npc, int
 
 	con->c_proto = npc->npc_proto;
 	CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto));
+	con->c_alen = alen;
 
 	/* Initialize the protocol state. */
 	if (!npf_state_init(npc, >c_state)) {
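Review bot: `con->c_alen = alen;` has to stay ahead of the first `goto err` (the npf_state_init failure right below), because npf_conn_destroy now reads c_alen to pick the pool cache; a comment marking the assignment as required by the error path would stop a later reorder from breaking the cleanup. alen is also narrowed into a uint16_t here; a KASSERT that it fits is cheap.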
@@ -499,9 +496,7 @@ err:
 void
 npf_conn_destroy(npf_t *npf, npf_conn_t *con)
 {
-	const npf_connkey_t *key = npf_conn_getforwkey(con);
-	const unsigned alen = NPF_CONNKEY_ALEN(key);
-	const unsigned idx __unused = NPF_CONNCACHE(alen);
+	const unsigned idx __unused = NPF_CONNCACHE(con->c_alen);
 
 	KASSERT(con->c_refcnt == 0);
 
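Review bot: the log message says the change introduces npf_conn_destroy_idx(), but the pulled-up hunks add no function of that name; what they do is make npf_conn_destroy take the cache index from con->c_alen instead of deriving it from the forward key, so the log should describe what was actually pulled up. That is also the part that makes destroying a partially constructed connection safe, since the removed lines read the forward key before the keys need to be valid; a comment on `idx` saying that c_alen is set before the keys are would explain the `__unused` index to the next reader.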
@@ -794,6 +789,7 @@ npf_conn_export(npf_t *npf, npf_conn_t *
 
 	fw = npf_conn_getforwkey(con);
 	alen = NPF_CONNKEY_ALEN(fw);
+	KASSERT(alen == con->c_alen);
 	bk = npf_conn_getbackkey(con, alen);
 
 	kdict = npf_connkey_export(fw);

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.16 src/sys/net/npf/npf_conn.h:1.16.2.1
--- src/sys/net/npf/npf_conn.h:1.16	Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_conn.h	Wed Aug  7 08:28:37 2019
@@ -50,7 +50,8 @@ struct npf_conn {
 	 * Protocol, address length, the interface ID (if zero,
 	 * then the state is global) and connection flags.
 	 */
-	unsigned		c_proto;
+	uint16_t		c_proto;
+	uint16_t		c_alen;
 	unsigned		c_ifid;
 	unsigned		c_flags;
 
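Review bot: narrowing c_proto from unsigned to uint16_t to make room for c_alen is safe only because npf_conn_establish carries `CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto));`; a short note here pointing at that assertion would tell a reader why the field width was chosen. The block comment above already lists "address length", so it matches the new field without change.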
@@ -123,7 +124,7 @@ void		npf_connkey_print(const npf_connke
 /*
  * Connection tracking interface.
  */
-void		npf_conn_init(npf_t *, int);
+void		npf_conn_init(npf_t *);
 void		npf_conn_fini(npf_t *);
 void		npf_conn_tracking(npf_t *, bool);
 void		npf_conn_load(npf_t *, npf_conndb_t *, bool);


