CVS commit: [netbsd-9] src/sys/net/npf
Module Name:src Committed By: martin Date: Wed Aug 23 18:22:51 UTC 2023 Modified Files: src/sys/net/npf [netbsd-9]: npf_ruleset.c Log Message: Pull up following revision(s) (requested by kardel in ticket #1725): sys/net/npf/npf_ruleset.c: revision 1.52 The analysis documented in PR misc/56990 is correct. Fix by not returning when encountering a ruleset rule. The code up to now would stop at any group rule. ruleset rules are marked as group rule and a dynamic rule. processing is only finished when a result is present AND we are looking at a plain group rule. To generate a diff of this commit: cvs rdiff -u -r1.48.2.3 -r1.48.2.4 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.48.2.3 src/sys/net/npf/npf_ruleset.c:1.48.2.4 --- src/sys/net/npf/npf_ruleset.c:1.48.2.3 Sat Jun 20 15:46:48 2020 +++ src/sys/net/npf/npf_ruleset.c Wed Aug 23 18:22:51 2023 @@ -34,7 +34,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.48.2.3 2020/06/20 15:46:48 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.48.2.4 2023/08/23 18:22:51 martin Exp $"); #include #include @@ -891,7 +891,7 @@ npf_ruleset_inspect(npf_cache_t *npc, co KASSERT(n < skip_to); /* Group is a barrier: return a matching if found any. */ - if ((attr & NPF_RULE_GROUP) != 0 && final_rl) { + if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP && final_rl) { break; }
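Review bot: in the npf_ruleset_inspect hunk, the barrier test now relies on NPF_DYNAMIC_GROUP being the OR of NPF_RULE_GROUP and the dynamic-rule flag, so that `(attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP` holds only for a plain, non-dynamic group; the comment left above it, `/* Group is a barrier: return a matching if found any. */`, still describes the old behaviour and should state that a dynamic ruleset group is not a barrier and is walked into, as the log message explains. A CTASSERT that NPF_DYNAMIC_GROUP includes the NPF_RULE_GROUP bit would pin down the assumption the comparison depends on.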
CVS commit: [netbsd-9] src/sys/net/npf
Module Name:src Committed By: martin Date: Mon Aug 21 12:20:07 UTC 2023 Modified Files: src/sys/net/npf [netbsd-9]: npf_tableset.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1718): sys/net/npf/npf_tableset.c: revision 1.41 npf(9): Drop table lock around copyout. It is forbidden to hold a spin lock around copyout, and t_lock is a spin lock. We need t_lock in order to iterate over the list of entries. However, during copyout itself, we only need to ensure that the object we're copying out isn't freed by npf_table_remove or npf_table_gc. Fortunately, the only caller of npf_table_list, npf_table_remove, and npf_table_gc is npfctl_table, and it serializes all of them by the npf config lock. So we can safely drop t_lock across copyout. PR kern/57136 PR kern/57181 To generate a diff of this commit: cvs rdiff -u -r1.33.2.2 -r1.33.2.3 src/sys/net/npf/npf_tableset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.33.2.2 src/sys/net/npf/npf_tableset.c:1.33.2.3 --- src/sys/net/npf/npf_tableset.c:1.33.2.2 Sat Jun 20 15:46:47 2020 +++ src/sys/net/npf/npf_tableset.c Mon Aug 21 12:20:07 2023 @@ -46,7 +46,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.33.2.2 2020/06/20 15:46:47 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.33.2.3 2023/08/21 12:20:07 martin Exp $"); #include #include @@ -758,15 +758,17 @@ table_ent_copyout(const npf_addr_t *addr } static int -table_generic_list(const npf_table_t *t, void *ubuf, size_t len) +table_generic_list(npf_table_t *t, void *ubuf, size_t len) { npf_tblent_t *ent; size_t off = 0; int error = 0; LIST_FOREACH(ent, >t_list, te_listent) { + mutex_exit(>t_lock); error = table_ent_copyout(>te_addr, ent->te_alen, ent->te_preflen, ubuf, len, ); + mutex_enter(>t_lock); if (error) break; }
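Review bot: in the table_generic_list hunk, calling mutex_exit on t_lock inside LIST_FOREACH walks the entry list with the lock dropped between iterations, which is safe only because, as the log message states, npfctl_table serializes npf_table_list against npf_table_remove and npf_table_gc under the npf config lock; that invariant lives in another file and should be recorded at the mutex_exit site (e.g. `/* t_lock may be dropped here: the config lock excludes remove/gc. */`), so a future caller of table_generic_list that is not under the config lock does not silently break it. Dropping const from the `t` parameter is required by mutex_exit/mutex_enter and is fine.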
CVS commit: [netbsd-9] src/sys/net/npf
Module Name:src Committed By: martin Date: Tue Mar 14 17:11:13 UTC 2023 Modified Files: src/sys/net/npf [netbsd-9]: npf.h npf_mbuf.c npf_sendpkt.c Log Message: Pull up following revision(s) (requested by kardel in ticket #119): sys/net/npf/npf_mbuf.c: revision 1.25 sys/net/npf/npf.h: revision 1.64 sys/net/npf/npf_sendpkt.c: revision 1.23 PR kern/56052: allow block-return packets passed through without rule matching. Included up-stream ashttps://github.com/rmind/npf/pull/115 To generate a diff of this commit: cvs rdiff -u -r1.60.2.3 -r1.60.2.4 src/sys/net/npf/npf.h cvs rdiff -u -r1.22.4.1 -r1.22.4.2 src/sys/net/npf/npf_mbuf.c cvs rdiff -u -r1.21.4.1 -r1.21.4.2 src/sys/net/npf/npf_sendpkt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.60.2.3 src/sys/net/npf/npf.h:1.60.2.4 --- src/sys/net/npf/npf.h:1.60.2.3 Sat Jun 20 15:46:47 2020 +++ src/sys/net/npf/npf.h Tue Mar 14 17:11:13 2023 @@ -122,6 +122,7 @@ void * nbuf_ensure_writable(nbuf_t *, s bool nbuf_cksum_barrier(nbuf_t *, int); int nbuf_add_tag(nbuf_t *, uint32_t); +int npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t); int nbuf_find_tag(nbuf_t *, uint32_t *); /* Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.22.4.1 src/sys/net/npf/npf_mbuf.c:1.22.4.2 --- src/sys/net/npf/npf_mbuf.c:1.22.4.1 Sat Jun 20 15:46:47 2020 +++ src/sys/net/npf/npf_mbuf.c Tue Mar 14 17:11:13 2023 @@ -36,7 +36,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.22.4.1 2020/06/20 15:46:47 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.22.4.2 2023/03/14 17:11:13 martin Exp $"); #include #include 
@@ -297,14 +297,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di) } /* - * nbuf_add_tag: associate a tag with the network buffer. + * npf_mbuf_add_tag: associate a tag with the network buffer. * * => Returns 0 on success or error number on failure. */ int -nbuf_add_tag(nbuf_t *nbuf, uint32_t val) +npf_mbuf_add_tag(nbuf_t *nbuf, struct mbuf *m, uint32_t val) { - struct mbuf *m = nbuf->nb_mbuf0; #ifdef _KERNEL struct m_tag *mt; uint32_t *dat; @@ -328,6 +327,18 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t val) } /* + * nbuf_add_tag: associate a tag with the network buffer. + * + * => Returns 0 on success or error number on failure. + */ +int +nbuf_add_tag(nbuf_t *nbuf, uint32_t val) +{ + struct mbuf *m = nbuf->nb_mbuf0; + return npf_mbuf_add_tag(nbuf, m, val); +} + +/* * nbuf_find_tag: find a tag associated with a network buffer. * * => Returns 0 on success or error number on failure. Index: src/sys/net/npf/npf_sendpkt.c diff -u src/sys/net/npf/npf_sendpkt.c:1.21.4.1 src/sys/net/npf/npf_sendpkt.c:1.21.4.2 --- src/sys/net/npf/npf_sendpkt.c:1.21.4.1 Sat Jun 20 15:46:47 2020 +++ src/sys/net/npf/npf_sendpkt.c Tue Mar 14 17:11:13 2023 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.21.4.1 2020/06/20 15:46:47 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.21.4.2 2023/03/14 17:11:13 martin Exp $"); #include #include @@ -197,6 +197,9 @@ npf_return_tcp(npf_cache_t *npc) } } + /* don't look at our generated reject packets going out */ + (void)npf_mbuf_add_tag(npc->npc_nbuf, m, NPF_NTAG_PASS); + /* Pass to IP layer. */ if (npf_iscached(npc, NPC_IP4)) { return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); 
@@ -215,6 +218,9 @@ npf_return_icmp(const npf_cache_t *npc) { struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf); + /* don't look at our generated reject packets going out */ + (void)nbuf_add_tag(npc->npc_nbuf, NPF_NTAG_PASS); + if (npf_iscached(npc, NPC_IP4)) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT, 0, 0); return 0;
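Review bot: in the npf_return_tcp hunk, the return value of npf_mbuf_add_tag() is discarded with `(void)`; per that function's comment it returns an error number when the m_tag cannot be attached, and in that case the generated reply goes out untagged and is run through rule matching again, so the PR kern/56052 behaviour silently returns under allocation failure. Either handle the error (free the reply and return it) or add a comment saying that falling back to rule matching is the intended degradation.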
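Review bot: in the npf_return_icmp hunk, NPF_NTAG_PASS is attached with nbuf_add_tag() to the original packet's mbuf (nb_mbuf0), not to the ICMP reply, because the reply is only built inside the following icmp_error(m, ...) call; this works only if icmp_error() carries the m_tag chain over to the reply it constructs, which is a dependency on ip_icmp.c that the comment should state explicitly (the TCP path avoids it by tagging the reply mbuf m directly through the new npf_mbuf_add_tag()).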
CVS commit: [netbsd-9] src/sys/net/npf
Module Name:src Committed By: martin Date: Wed Aug 7 08:28:37 UTC 2019 Modified Files: src/sys/net/npf [netbsd-9]: npf.c npf_conn.c npf_conn.h Log Message: Pull up following revision(s) (requested by rmind in ticket #25): sys/net/npf/npf_conn.h: revision 1.17 sys/net/npf/npf.c: revision 1.39 sys/net/npf/npf_conn.c: revision 1.28 sys/net/npf/npf_conn.c: revision 1.29 Introduce an npf_conn_destroy_idx() that can handle partially constructed conn structures. - npf_conn_init(): fix a race when initialising the G/C thread. - Fix a bug when partially initialised connection is destroyed on error. (from rmind@) To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/net/npf/npf.c cvs rdiff -u -r1.27 -r1.27.2.1 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.16 -r1.16.2.1 src/sys/net/npf/npf_conn.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf.c diff -u src/sys/net/npf/npf.c:1.38 src/sys/net/npf/npf.c:1.38.2.1 --- src/sys/net/npf/npf.c:1.38 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf.c Wed Aug 7 08:28:37 2019 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38.2.1 2019/08/07 08:28:37 martin Exp $"); #include #include @@ -79,13 +79,17 @@ npf_create(int flags, const npf_mbufops_ npf_param_init(npf); npf_state_sysinit(npf); npf_ifmap_init(npf, ifops); - npf_conn_init(npf, flags); + npf_conn_init(npf); npf_portmap_init(npf); npf_alg_init(npf); npf_ext_init(npf); /* Load an empty configuration. */ npf_config_init(npf); + + if ((flags & NPF_NO_GC) == 0) { + npf_worker_register(npf, npf_conn_worker); + } return npf; } Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.27 src/sys/net/npf/npf_conn.c:1.27.2.1 --- src/sys/net/npf/npf_conn.c:1.27 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_conn.c Wed Aug 7 08:28:37 2019 
@@ -107,7 +107,7 @@ #ifdef _KERNEL #include -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.27 2019/07/23 00:52:01 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.27.2.1 2019/08/07 08:28:37 martin Exp $"); #include #include @@ -149,7 +149,7 @@ static nvlist_t *npf_conn_export(npf_t * */ void -npf_conn_init(npf_t *npf, int flags) +npf_conn_init(npf_t *npf) { npf->conn_cache[0] = pool_cache_init( offsetof(npf_conn_t, c_keys[NPF_CONNKEY_V4WORDS * 2]), @@ -161,10 +161,6 @@ npf_conn_init(npf_t *npf, int flags) mutex_init(>conn_lock, MUTEX_DEFAULT, IPL_NONE); npf->conn_tracking = CONN_TRACKING_OFF; npf->conn_db = npf_conndb_create(); - - if ((flags & NPF_NO_GC) == 0) { - npf_worker_register(npf, npf_conn_worker); - } npf_conndb_sysinit(npf); } @@ -429,6 +425,7 @@ npf_conn_establish(npf_cache_t *npc, int con->c_proto = npc->npc_proto; CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto)); + con->c_alen = alen; /* Initialize the protocol state. */ if (!npf_state_init(npc, >c_state)) { @@ -499,9 +496,7 @@ err: void npf_conn_destroy(npf_t *npf, npf_conn_t *con) { - const npf_connkey_t *key = npf_conn_getforwkey(con); - const unsigned alen = NPF_CONNKEY_ALEN(key); - const unsigned idx __unused = NPF_CONNCACHE(alen); + const unsigned idx __unused = NPF_CONNCACHE(con->c_alen); KASSERT(con->c_refcnt == 0); @@ -794,6 +789,7 @@ npf_conn_export(npf_t *npf, npf_conn_t * fw = npf_conn_getforwkey(con); alen = NPF_CONNKEY_ALEN(fw); + KASSERT(alen == con->c_alen); bk = npf_conn_getbackkey(con, alen); kdict = npf_connkey_export(fw); Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.16 src/sys/net/npf/npf_conn.h:1.16.2.1 --- src/sys/net/npf/npf_conn.h:1.16 Tue Jul 23 00:52:01 2019 +++ src/sys/net/npf/npf_conn.h Wed Aug 7 08:28:37 2019 
@@ -50,7 +50,8 @@ struct npf_conn { * Protocol, address length, the interface ID (if zero, * then the state is global) and connection flags. */ - unsigned c_proto; + uint16_t c_proto; + uint16_t c_alen; unsigned c_ifid; unsigned c_flags; @@ -123,7 +124,7 @@ void npf_connkey_print(const npf_connke /* * Connection tracking interface. */ -void npf_conn_init(npf_t *, int); +void npf_conn_init(npf_t *); void npf_conn_fini(npf_t *); void npf_conn_tracking(npf_t *, bool); void npf_conn_load(npf_t *, npf_conndb_t *, bool);
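Review bot: in the npf_create hunk, registering npf_conn_worker only after npf_config_init() ensures the G/C worker can no longer run against an npf instance that has no configuration loaded yet, which is the race the log message refers to; a one-line comment above the `if ((flags & NPF_NO_GC) == 0)` block saying the worker must be registered last would keep a later reshuffle of npf_create() from reintroducing it.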
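Review bot: in the npf_conn_establish hunk, `con->c_alen = alen;` has to be stored before the first error path that hands the connection to npf_conn_destroy(), since npf_conn_destroy() now derives the pool-cache index from con->c_alen instead of from the forward key; the placement just ahead of npf_state_init() covers the visible `if (!npf_state_init(...))` failure, but any `goto err` inserted between allocation and this line would pass an uninitialised c_alen to NPF_CONNCACHE. A comment on the c_alen field noting that it must be set before any destroy path would make that ordering explicit.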
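Review bot: in the npf_conn.h hunk, c_proto is narrowed from unsigned to uint16_t to fit c_alen without growing the struct; the existing `CTASSERT(sizeof(con->c_proto) >= sizeof(npc->npc_proto));` in npf_conn_establish will fail the build if npc_proto is wider than 16 bits, so that assertion must stay. Separately, the pull-up log message says it introduces npf_conn_destroy_idx(), but no such function appears in the combined diff (revision 1.29 presumably superseded it with the c_alen field), so the ticket text should be aligned with what is actually pulled up.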