Module Name: src
Committed By: martin
Date: Sun Sep 1 13:21:39 UTC 2019
Modified Files:
src/sys/net/npf [netbsd-9]: npf.c npf.h npf_alg.c npf_conf.c npf_ctl.c
npf_handler.c npf_ifaddr.c npf_impl.h npf_nat.c npf_os.c
src/sys/sys [netbsd-9]: mbuf.h
src/usr.sbin/npf/npfctl [netbsd-9]: npf_bpf_comp.c
src/usr.sbin/npf/npftest/libnpftest [netbsd-9]: npf_rule_test.c
Log Message:
Pull up following revision(s) (requested by rmind in ticket #141):
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
To generate a diff of this commit:
cvs rdiff -u -r1.38.2.2 -r1.38.2.3 src/sys/net/npf/npf.c
cvs rdiff -u -r1.60.2.1 -r1.60.2.2 src/sys/net/npf/npf.h
cvs rdiff -u -r1.20 -r1.20.2.1 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.13.2.1 -r1.13.2.2 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.54.2.2 -r1.54.2.3 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.46.2.1 -r1.46.2.2 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.5 -r1.5.4.1 src/sys/net/npf/npf_ifaddr.c
cvs rdiff -u -r1.75.2.2 -r1.75.2.3 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.12.2.2 -r1.12.2.3 src/sys/net/npf/npf_os.c
cvs rdiff -u -r1.219 -r1.219.4.1 src/sys/sys/mbuf.h
cvs rdiff -u -r1.13.2.1 -r1.13.2.2 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.17.2.1 -r1.17.2.2 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/npf.c
diff -u src/sys/net/npf/npf.c:1.38.2.2 src/sys/net/npf/npf.c:1.38.2.3
--- src/sys/net/npf/npf.c:1.38.2.2 Tue Aug 13 14:35:55 2019
+++ src/sys/net/npf/npf.c Sun Sep 1 13:21:39 2019
@@ -33,7 +33,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38.2.2 2019/08/13 14:35:55 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.38.2.3 2019/09/01 13:21:39 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -72,7 +72,7 @@ npfk_create(int flags, const npf_mbufops
npf_t *npf;
npf = kmem_zalloc(sizeof(npf_t), KM_SLEEP);
- npf->qsbr = pserialize_create();
+ npf->ebr = npf_ebr_create();
npf->stats_percpu = percpu_alloc(NPF_STATS_SIZE);
npf->mbufops = mbufops;
@@ -111,7 +111,7 @@ npfk_destroy(npf_t *npf)
npf_state_sysfini(npf);
npf_param_fini(npf);
- pserialize_destroy(npf->qsbr);
+ npf_ebr_destroy(npf->ebr);
percpu_free(npf->stats_percpu, NPF_STATS_SIZE);
kmem_free(npf, sizeof(npf_t));
}
@@ -131,14 +131,14 @@ npfk_gc(npf_t *npf)
__dso_public void
npfk_thread_register(npf_t *npf)
{
- pserialize_register(npf->qsbr);
+ npf_ebr_register(npf->ebr);
}
__dso_public void
npfk_thread_unregister(npf_t *npf)
{
- pserialize_perform(npf->qsbr);
- pserialize_unregister(npf->qsbr);
+ npf_ebr_full_sync(npf->ebr);
+ npf_ebr_unregister(npf->ebr);
}
void
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.60.2.1 src/sys/net/npf/npf.h:1.60.2.2
--- src/sys/net/npf/npf.h:1.60.2.1 Sun Sep 1 13:13:14 2019
+++ src/sys/net/npf/npf.h Sun Sep 1 13:21:39 2019
@@ -253,8 +253,9 @@ bool npf_autounload_p(void);
#define NPF_LAYER_2 2
#define NPF_LAYER_3 3
-/* XXX mbuf.h: just for now. */
-#define PACKET_TAG_NPF 10
+/*
+ * Flags passed via nbuf tags.
+ */
#define NPF_NTAG_PASS 0x0001
/*
Index: src/sys/net/npf/npf_alg.c
diff -u src/sys/net/npf/npf_alg.c:1.20 src/sys/net/npf/npf_alg.c:1.20.2.1
--- src/sys/net/npf/npf_alg.c:1.20 Tue Jul 23 00:52:01 2019
+++ src/sys/net/npf/npf_alg.c Sun Sep 1 13:21:39 2019
@@ -33,13 +33,12 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.20 2019/07/23 00:52:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.20.2.1 2019/09/01 13:21:39 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/kmem.h>
-#include <sys/pserialize.h>
#include <sys/module.h>
#endif
@@ -185,7 +184,7 @@ npf_alg_unregister(npf_t *npf, npf_alg_t
afuncs->match = NULL;
afuncs->translate = NULL;
afuncs->inspect = NULL;
- pserialize_perform(npf->qsbr);
+ npf_ebr_full_sync(npf->ebr);
/* Finally, unregister the ALG. */
npf_ruleset_freealg(npf_config_natset(npf), alg);
@@ -210,13 +209,14 @@ npf_alg_unregister(npf_t *npf, npf_alg_t
bool
npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di)
{
- npf_algset_t *aset = npc->npc_ctx->algset;
+ npf_t *npf = npc->npc_ctx;
+ npf_algset_t *aset = npf->algset;
bool match = false;
int s;
KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
- s = pserialize_read_enter();
+ s = npf_ebr_enter(npf->ebr);
for (unsigned i = 0; i < aset->alg_count; i++) {
const npfa_funcs_t *f = &aset->alg_funcs[i];
@@ -225,7 +225,7 @@ npf_alg_match(npf_cache_t *npc, npf_nat_
break;
}
}
- pserialize_read_exit(s);
+ npf_ebr_exit(npf->ebr, s);
return match;
}
@@ -243,12 +243,13 @@ npf_alg_match(npf_cache_t *npc, npf_nat_
void
npf_alg_exec(npf_cache_t *npc, npf_nat_t *nt, bool forw)
{
- npf_algset_t *aset = npc->npc_ctx->algset;
+ npf_t *npf = npc->npc_ctx;
+ npf_algset_t *aset = npf->algset;
int s;
KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
- s = pserialize_read_enter();
+ s = npf_ebr_enter(npf->ebr);
for (unsigned i = 0; i < aset->alg_count; i++) {
const npfa_funcs_t *f = &aset->alg_funcs[i];
@@ -256,11 +257,11 @@ npf_alg_exec(npf_cache_t *npc, npf_nat_t
f->translate(npc, nt, forw);
}
}
- pserialize_read_exit(s);
+ npf_ebr_exit(npf->ebr, s);
}
/*
- * npf_alg_conn: query ALGs giving which may perform a custom state lookup.
+ * npf_alg_conn: query ALGs which may perform a custom state lookup.
*
* The purpose of ALG connection inspection function is to provide
* ALGs with a mechanism to override the regular connection state
@@ -279,11 +280,12 @@ npf_alg_exec(npf_cache_t *npc, npf_nat_t
npf_conn_t *
npf_alg_conn(npf_cache_t *npc, int di)
{
- npf_algset_t *aset = npc->npc_ctx->algset;
+ npf_t *npf = npc->npc_ctx;
+ npf_algset_t *aset = npf->algset;
npf_conn_t *con = NULL;
int s;
- s = pserialize_read_enter();
+ s = npf_ebr_enter(npf->ebr);
for (unsigned i = 0; i < aset->alg_count; i++) {
const npfa_funcs_t *f = &aset->alg_funcs[i];
@@ -292,7 +294,7 @@ npf_alg_conn(npf_cache_t *npc, int di)
if ((con = f->inspect(npc, di)) != NULL)
break;
}
- pserialize_read_exit(s);
+ npf_ebr_exit(npf->ebr, s);
return con;
}
Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.13.2.1 src/sys/net/npf/npf_conf.c:1.13.2.2
--- src/sys/net/npf/npf_conf.c:1.13.2.1 Tue Aug 13 14:35:55 2019
+++ src/sys/net/npf/npf_conf.c Sun Sep 1 13:21:39 2019
@@ -47,53 +47,57 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.13.2.1 2019/08/13 14:35:55 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.13.2.2 2019/09/01 13:21:39 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/atomic.h>
#include <sys/kmem.h>
-#include <sys/pserialize.h>
#include <sys/mutex.h>
#endif
#include "npf_impl.h"
#include "npf_conn.h"
-struct npf_config {
- npf_ruleset_t * n_rules;
- npf_tableset_t * n_tables;
- npf_ruleset_t * n_nat_rules;
- npf_rprocset_t * n_rprocs;
- bool n_default_pass;
-};
-
void
npf_config_init(npf_t *npf)
{
- npf_ruleset_t *rlset, *nset;
- npf_rprocset_t *rpset;
- npf_tableset_t *tset;
+ npf_config_t *nc;
mutex_init(&npf->config_lock, MUTEX_DEFAULT, IPL_SOFTNET);
+ nc = npf_config_create();
+
+ /*
+ * Load an empty configuration.
+ */
+ nc->ruleset = npf_ruleset_create(0);
+ nc->nat_ruleset = npf_ruleset_create(0);
+ nc->rule_procs = npf_rprocset_create();
+ nc->tableset = npf_tableset_create(0);
+ nc->default_pass = true;
- /* Load the empty configuration. */
- tset = npf_tableset_create(0);
- rpset = npf_rprocset_create();
- rlset = npf_ruleset_create(0);
- nset = npf_ruleset_create(0);
- npf_config_load(npf, rlset, tset, nset, rpset, NULL, true);
+ npf_config_load(npf, nc, NULL, true);
KASSERT(npf->config != NULL);
}
-static void
+npf_config_t *
+npf_config_create(void)
+{
+ return kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
+}
+
+void
npf_config_destroy(npf_config_t *nc)
{
- npf_ruleset_destroy(nc->n_rules);
- npf_ruleset_destroy(nc->n_nat_rules);
- npf_rprocset_destroy(nc->n_rprocs);
- npf_tableset_destroy(nc->n_tables);
+ /*
+ * Note: the rulesets must be destroyed first, in order to drop
+ * any references to the tableset.
+ */
+ npf_ruleset_destroy(nc->ruleset);
+ npf_ruleset_destroy(nc->nat_ruleset);
+ npf_rprocset_destroy(nc->rule_procs);
+ npf_tableset_destroy(nc->tableset);
kmem_free(nc, sizeof(npf_config_t));
}
@@ -105,7 +109,7 @@ npf_config_fini(npf_t *npf)
/* Flush the connections. */
mutex_enter(&npf->config_lock);
npf_conn_tracking(npf, false);
- pserialize_perform(npf->qsbr);
+ npf_ebr_full_sync(npf->ebr);
npf_conn_load(npf, cd, false);
npf_ifmap_flush(npf);
mutex_exit(&npf->config_lock);
@@ -119,19 +123,12 @@ npf_config_fini(npf_t *npf)
* Performs the necessary synchronisation and destroys the old config.
*/
void
-npf_config_load(npf_t *npf, npf_ruleset_t *rset, npf_tableset_t *tset,
- npf_ruleset_t *nset, npf_rprocset_t *rpset,
- npf_conndb_t *conns, bool flush)
+npf_config_load(npf_t *npf, npf_config_t *nc, npf_conndb_t *conns, bool flush)
{
const bool load = conns != NULL;
- npf_config_t *nc, *onc;
+ npf_config_t *onc;
- nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
- nc->n_rules = rset;
- nc->n_tables = tset;
- nc->n_nat_rules = nset;
- nc->n_rprocs = rpset;
- nc->n_default_pass = flush;
+ nc->default_pass = flush;
/*
* Acquire the lock and perform the first phase:
@@ -140,9 +137,9 @@ npf_config_load(npf_t *npf, npf_ruleset_
*/
mutex_enter(&npf->config_lock);
if ((onc = npf->config) != NULL) {
- npf_ruleset_reload(npf, rset, onc->n_rules, load);
- npf_tableset_reload(npf, tset, onc->n_tables);
- npf_ruleset_reload(npf, nset, onc->n_nat_rules, load);
+ npf_ruleset_reload(npf, nc->ruleset, onc->ruleset, load);
+ npf_tableset_reload(npf, nc->tableset, onc->tableset);
+ npf_ruleset_reload(npf, nc->nat_ruleset, onc->nat_ruleset, load);
}
/*
@@ -167,7 +164,7 @@ npf_config_load(npf_t *npf, npf_ruleset_
}
/* Synchronise: drain all references. */
- pserialize_perform(npf->qsbr);
+ npf_ebr_full_sync(npf->ebr);
if (flush) {
npf_portmap_flush(npf->portmap);
npf_ifmap_flush(npf);
@@ -191,10 +188,11 @@ done:
* Writer-side exclusive locking.
*/
-void
+npf_config_t *
npf_config_enter(npf_t *npf)
{
mutex_enter(&npf->config_lock);
+ return npf->config;
}
void
@@ -213,7 +211,7 @@ void
npf_config_sync(npf_t *npf)
{
KASSERT(npf_config_locked_p(npf));
- pserialize_perform(npf->qsbr);
+ npf_ebr_full_sync(npf->ebr);
}
/*
@@ -221,15 +219,15 @@ npf_config_sync(npf_t *npf)
*/
int
-npf_config_read_enter(void)
+npf_config_read_enter(npf_t *npf)
{
- return pserialize_read_enter();
+ return npf_ebr_enter(npf->ebr);
}
void
-npf_config_read_exit(int s)
+npf_config_read_exit(npf_t *npf, int s)
{
- pserialize_read_exit(s);
+ npf_ebr_exit(npf->ebr, s);
}
/*
@@ -239,29 +237,27 @@ npf_config_read_exit(int s)
npf_ruleset_t *
npf_config_ruleset(npf_t *npf)
{
- return npf->config->n_rules;
+ KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
+ return npf->config->ruleset;
}
npf_ruleset_t *
npf_config_natset(npf_t *npf)
{
- return npf->config->n_nat_rules;
+ KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
+ return npf->config->nat_ruleset;
}
npf_tableset_t *
npf_config_tableset(npf_t *npf)
{
- return npf->config->n_tables;
-}
-
-npf_rprocset_t *
-npf_config_rprocs(npf_t *npf)
-{
- return npf->config->n_rprocs;
+ KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
+ return npf->config->tableset;
}
bool
npf_default_pass(npf_t *npf)
{
- return npf->config->n_default_pass;
+ KASSERT(npf_config_locked_p(npf) || npf_ebr_incrit_p(npf->ebr));
+ return npf->config->default_pass;
}
Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.54.2.2 src/sys/net/npf/npf_ctl.c:1.54.2.3
--- src/sys/net/npf/npf_ctl.c:1.54.2.2 Sun Sep 1 13:13:14 2019
+++ src/sys/net/npf/npf_ctl.c Sun Sep 1 13:21:39 2019
@@ -36,7 +36,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.54.2.2 2019/09/01 13:13:14 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.54.2.3 2019/09/01 13:21:39 martin Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -53,28 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v
nvlist_add_string((e), "source-file", __FILE__); \
nvlist_add_number((e), "source-line", __LINE__);
-#ifdef _KERNEL
-/*
- * npfctl_switch: enable or disable packet inspection.
- */
-int
-npfctl_switch(void *data)
-{
- const bool onoff = *(int *)data ? true : false;
- int error;
-
- if (onoff) {
- /* Enable: add pfil hooks. */
- error = npf_pfil_register(false);
- } else {
- /* Disable: remove pfil hooks. */
- npf_pfil_unregister(false);
- error = 0;
- }
- return error;
-}
-#endif
-
static int
npf_nvlist_copyin(npf_t *npf, void *data, nvlist_t **nvl)
{
@@ -237,7 +215,7 @@ out:
static int __noinline
npf_mk_tables(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
- npf_tableset_t **tblsetp)
+ npf_config_t *nc)
{
const nvlist_t * const *tables;
npf_tableset_t *tblset;
@@ -267,7 +245,7 @@ npf_mk_tables(npf_t *npf, nvlist_t *npf_
error = npf_tableset_insert(tblset, t);
KASSERT(error == 0);
}
- *tblsetp = tblset;
+ nc->tableset = tblset;
return error;
}
@@ -305,7 +283,7 @@ npf_mk_singlerproc(npf_t *npf, const nvl
static int __noinline
npf_mk_rprocs(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
- npf_rprocset_t **rpsetp)
+ npf_config_t *nc)
{
const nvlist_t * const *rprocs;
npf_rprocset_t *rpset;
@@ -333,7 +311,7 @@ npf_mk_rprocs(npf_t *npf, nvlist_t *npf_
}
npf_rprocset_insert(rpset, rp);
}
- *rpsetp = rpset;
+ nc->rule_procs = rpset;
return error;
}
@@ -435,7 +413,7 @@ err:
static int __noinline
npf_mk_rules(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
- npf_rprocset_t *rpset, npf_ruleset_t **rlsetp)
+ npf_config_t *nc)
{
const nvlist_t * const *rules;
npf_ruleset_t *rlset;
@@ -458,7 +436,8 @@ npf_mk_rules(npf_t *npf, nvlist_t *npf_d
npf_rule_t *rl = NULL;
const char *name;
- error = npf_mk_singlerule(npf, rule, rpset, &rl, errdict);
+ error = npf_mk_singlerule(npf, rule, nc->rule_procs, &rl,
+ errdict);
if (error) {
break;
}
@@ -471,7 +450,7 @@ npf_mk_rules(npf_t *npf, nvlist_t *npf_d
}
npf_ruleset_insert(rlset, rl);
}
- *rlsetp = rlset;
+ nc->ruleset = rlset;
return error;
}
@@ -526,8 +505,8 @@ out:
}
static int __noinline
-npf_mk_natlist(npf_t *npf, nvlist_t *npf_dict, npf_tableset_t *tblset,
- nvlist_t *errdict, npf_ruleset_t **ntsetp)
+npf_mk_natlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
+ npf_config_t *nc)
{
const nvlist_t * const *nat_rules;
npf_ruleset_t *ntset;
@@ -552,13 +531,14 @@ npf_mk_natlist(npf_t *npf, nvlist_t *npf
const nvlist_t *nat = nat_rules[i];
npf_rule_t *rl = NULL;
- error = npf_mk_singlenat(npf, nat, ntset, tblset, errdict, &rl);
+ error = npf_mk_singlenat(npf, nat, ntset, nc->tableset,
+ errdict, &rl);
if (error) {
break;
}
npf_ruleset_insert(ntset, rl);
}
- *ntsetp = ntset;
+ nc->nat_ruleset = ntset;
return error;
}
@@ -567,7 +547,7 @@ npf_mk_natlist(npf_t *npf, nvlist_t *npf
*/
static int __noinline
npf_mk_connlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
- npf_ruleset_t *natlist, npf_conndb_t **conndb)
+ npf_config_t *nc, npf_conndb_t **conndb)
{
const nvlist_t * const *conns;
npf_conndb_t *cd;
@@ -584,7 +564,7 @@ npf_mk_connlist(npf_t *npf, nvlist_t *np
const nvlist_t *conn = conns[i];
/* Construct and insert the connection. */
- error = npf_conn_import(npf, cd, conn, natlist);
+ error = npf_conn_import(npf, cd, conn, nc->nat_ruleset);
if (error) {
NPF_ERR_DEBUG(errdict);
break;
@@ -606,15 +586,13 @@ npf_mk_connlist(npf_t *npf, nvlist_t *np
static int
npfctl_load_nvlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict)
{
- npf_tableset_t *tblset = NULL;
- npf_ruleset_t *ntset = NULL;
- npf_rprocset_t *rpset = NULL;
- npf_ruleset_t *rlset = NULL;
+ npf_config_t *nc;
npf_conndb_t *conndb = NULL;
uint64_t ver;
bool flush;
int error;
+ nc = npf_config_create();
ver = dnvlist_get_number(npf_dict, "version", UINT64_MAX);
if (ver != NPF_VERSION) {
error = EPROGMISMATCH;
@@ -628,55 +606,41 @@ npfctl_load_nvlist(npf_t *npf, nvlist_t
if (error) {
goto fail;
}
- error = npf_mk_tables(npf, npf_dict, errdict, &tblset);
+ error = npf_mk_tables(npf, npf_dict, errdict, nc);
if (error) {
goto fail;
}
- error = npf_mk_rprocs(npf, npf_dict, errdict, &rpset);
+ error = npf_mk_rprocs(npf, npf_dict, errdict, nc);
if (error) {
goto fail;
}
- error = npf_mk_natlist(npf, npf_dict, tblset, errdict, &ntset);
+ error = npf_mk_natlist(npf, npf_dict, errdict, nc);
if (error) {
goto fail;
}
- error = npf_mk_rules(npf, npf_dict, errdict, rpset, &rlset);
+ error = npf_mk_rules(npf, npf_dict, errdict, nc);
if (error) {
goto fail;
}
- error = npf_mk_connlist(npf, npf_dict, errdict, ntset, &conndb);
+ error = npf_mk_connlist(npf, npf_dict, errdict, nc, &conndb);
if (error) {
goto fail;
}
+ flush = dnvlist_get_bool(npf_dict, "flush", false);
+ nc->default_pass = flush;
+
/*
* Finally - perform the load.
*/
- flush = dnvlist_get_bool(npf_dict, "flush", false);
- npf_config_load(npf, rlset, tblset, ntset, rpset, conndb, flush);
+ npf_config_load(npf, nc, conndb, flush);
npf_mk_params(npf, npf_dict, errdict, true /* set the params */);
/* Done. Since data is consumed now, we shall not destroy it. */
- tblset = NULL;
- rpset = NULL;
- rlset = NULL;
- ntset = NULL;
+ nc = NULL;
fail:
- /*
- * Note: the rulesets must be destroyed first, in order to drop
- * any references to the tableset.
- */
- if (rlset) {
- npf_ruleset_destroy(rlset);
- }
- if (ntset) {
- npf_ruleset_destroy(ntset);
- }
- if (rpset) {
- npf_rprocset_destroy(rpset);
- }
- if (tblset) {
- npf_tableset_destroy(tblset);
+ if (nc) {
+ npf_config_destroy(nc);
}
nvlist_destroy(npf_dict);
return error;
@@ -710,6 +674,7 @@ npfctl_load(npf_t *npf, u_long cmd, void
int
npfctl_save(npf_t *npf, u_long cmd, void *data)
{
+ npf_config_t *nc;
nvlist_t *npf_dict;
int error;
@@ -719,24 +684,24 @@ npfctl_save(npf_t *npf, u_long cmd, void
/*
* Serialise the whole NPF config, including connections.
*/
- npf_config_enter(npf);
+ nc = npf_config_enter(npf);
error = npf_conndb_export(npf, npf_dict);
if (error) {
goto out;
}
- error = npf_ruleset_export(npf, npf_config_ruleset(npf), "rules", npf_dict);
+ error = npf_ruleset_export(npf, nc->ruleset, "rules", npf_dict);
if (error) {
goto out;
}
- error = npf_ruleset_export(npf, npf_config_natset(npf), "nat", npf_dict);
+ error = npf_ruleset_export(npf, nc->nat_ruleset, "nat", npf_dict);
if (error) {
goto out;
}
- error = npf_tableset_export(npf, npf_config_tableset(npf), npf_dict);
+ error = npf_tableset_export(npf, nc->tableset, npf_dict);
if (error) {
goto out;
}
- error = npf_rprocset_export(npf_config_rprocs(npf), npf_dict);
+ error = npf_rprocset_export(nc->rule_procs, npf_dict);
if (error) {
goto out;
}
@@ -744,7 +709,7 @@ npfctl_save(npf_t *npf, u_long cmd, void
if (error) {
goto out;
}
- nvlist_add_bool(npf_dict, "active", npf_pfil_registered_p());
+ nvlist_add_bool(npf_dict, "active", npf_active_p());
error = npf_nvlist_copyout(npf, data, npf_dict);
npf_dict = NULL;
out:
@@ -763,19 +728,15 @@ static int __noinline
npfctl_table_replace_nvlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict)
{
npf_table_t *tbl, *gc_tbl = NULL;
- npf_tableset_t *tblset;
+ npf_config_t *nc;
int error = 0;
- npf_config_enter(npf);
- tblset = npf_config_tableset(npf);
-
- /* Get the entries or binary data. */
- error = npf_mk_table(npf, npf_dict, errdict, tblset, &tbl, true);
+ nc = npf_config_enter(npf);
+ error = npf_mk_table(npf, npf_dict, errdict, nc->tableset, &tbl, true);
if (error) {
goto err;
}
-
- gc_tbl = npf_tableset_swap(tblset, tbl);
+ gc_tbl = npf_tableset_swap(nc->tableset, tbl);
if (gc_tbl == NULL) {
error = EINVAL;
gc_tbl = tbl;
@@ -845,6 +806,7 @@ npfctl_rule(npf_t *npf, u_long cmd, void
npf_ruleset_t *rlset;
npf_rule_t *rl = NULL;
const char *ruleset_name;
+ npf_config_t *nc;
uint32_t rcmd;
int error = 0;
bool natset;
@@ -861,8 +823,8 @@ npfctl_rule(npf_t *npf, u_long cmd, void
goto out;
}
- npf_config_enter(npf);
- rlset = natset ? npf_config_natset(npf) : npf_config_ruleset(npf);
+ nc = npf_config_enter(npf);
+ rlset = natset ? nc->nat_ruleset : nc->ruleset;
switch (rcmd) {
case NPF_CMD_RULE_ADD: {
retdict = nvlist_create(0);
@@ -871,7 +833,7 @@ npfctl_rule(npf_t *npf, u_long cmd, void
* Translation rule.
*/
error = npf_mk_singlenat(npf, npf_rule, rlset,
- npf_config_tableset(npf), retdict, &rl);
+ nc->tableset, retdict, &rl);
} else {
/*
* Standard rule.
@@ -953,7 +915,7 @@ npfctl_table(npf_t *npf, void *data)
{
const npf_ioctl_table_t *nct = data;
char tname[NPF_TABLE_MAXNAMELEN];
- npf_tableset_t *ts;
+ npf_config_t *nc;
npf_table_t *t;
int error;
@@ -962,9 +924,8 @@ npfctl_table(npf_t *npf, void *data)
return error;
}
- npf_config_enter(npf);
- ts = npf_config_tableset(npf);
- if ((t = npf_tableset_getbyname(ts, tname)) == NULL) {
+ nc = npf_config_enter(npf);
+ if ((t = npf_tableset_getbyname(nc->tableset, tname)) == NULL) {
npf_config_exit(npf);
return EINVAL;
}
Index: src/sys/net/npf/npf_handler.c
diff -u src/sys/net/npf/npf_handler.c:1.46.2.1 src/sys/net/npf/npf_handler.c:1.46.2.2
--- src/sys/net/npf/npf_handler.c:1.46.2.1 Tue Aug 13 14:35:55 2019
+++ src/sys/net/npf/npf_handler.c Sun Sep 1 13:21:39 2019
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.46.2.1 2019/08/13 14:35:55 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.46.2.2 2019/09/01 13:21:39 martin Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -193,13 +193,13 @@ npfk_packet_handler(npf_t *npf, struct m
}
/* Acquire the lock, inspect the ruleset using this packet. */
- int slock = npf_config_read_enter();
+ int slock = npf_config_read_enter(npf);
npf_ruleset_t *rlset = npf_config_ruleset(npf);
rl = npf_ruleset_inspect(&npc, rlset, di, NPF_LAYER_3);
if (__predict_false(rl == NULL)) {
const bool pass = npf_default_pass(npf);
- npf_config_read_exit(slock);
+ npf_config_read_exit(npf, slock);
if (pass) {
npf_stats_inc(npf, NPF_STAT_PASS_DEFAULT);
@@ -218,7 +218,7 @@ npfk_packet_handler(npf_t *npf, struct m
/* Conclude with the rule and release the lock. */
error = npf_rule_conclude(rl, &mi);
- npf_config_read_exit(slock);
+ npf_config_read_exit(npf, slock);
if (error) {
npf_stats_inc(npf, NPF_STAT_BLOCK_RULESET);
@@ -246,6 +246,7 @@ npfk_packet_handler(npf_t *npf, struct m
pass:
decision = NPF_DECISION_PASS;
KASSERT(error == 0);
+
/*
* Perform NAT.
*/
Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.46.2.1 src/sys/net/npf/npf_nat.c:1.46.2.2
--- src/sys/net/npf/npf_nat.c:1.46.2.1 Tue Aug 13 14:35:55 2019
+++ src/sys/net/npf/npf_nat.c Sun Sep 1 13:21:39 2019
@@ -67,7 +67,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.46.2.1 2019/08/13 14:35:55 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.46.2.2 2019/09/01 13:21:39 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -381,19 +381,20 @@ npf_nat_which(const unsigned type, bool
static npf_natpolicy_t *
npf_nat_inspect(npf_cache_t *npc, const int di)
{
- int slock = npf_config_read_enter();
- npf_ruleset_t *rlset = npf_config_natset(npc->npc_ctx);
+ npf_t *npf = npc->npc_ctx;
+ int slock = npf_config_read_enter(npf);
+ npf_ruleset_t *rlset = npf_config_natset(npf);
npf_natpolicy_t *np;
npf_rule_t *rl;
rl = npf_ruleset_inspect(npc, rlset, di, NPF_LAYER_3);
if (rl == NULL) {
- npf_config_read_exit(slock);
+ npf_config_read_exit(npf, slock);
return NULL;
}
np = npf_rule_getnat(rl);
atomic_inc_uint(&np->n_refcnt);
- npf_config_read_exit(slock);
+ npf_config_read_exit(npf, slock);
return np;
}
@@ -444,6 +445,7 @@ npf_nat_create(npf_cache_t *npc, npf_nat
{
const int proto = npc->npc_proto;
const unsigned alen = npc->npc_alen;
+ npf_t *npf = npc->npc_ctx;
npf_addr_t *taddr;
npf_nat_t *nt;
@@ -455,7 +457,7 @@ npf_nat_create(npf_cache_t *npc, npf_nat
if (__predict_false(!nt)) {
return NULL;
}
- npf_stats_inc(npc->npc_ctx, NPF_STAT_NAT_CREATE);
+ npf_stats_inc(npf, NPF_STAT_NAT_CREATE);
nt->nt_natpolicy = np;
nt->nt_conn = con;
nt->nt_alg = NULL;
@@ -464,12 +466,16 @@ npf_nat_create(npf_cache_t *npc, npf_nat
* Select the translation address.
*/
if (np->n_flags & NPF_NAT_USETABLE) {
+ int slock = npf_config_read_enter(npf);
taddr = npf_nat_getaddr(npc, np, alen);
if (__predict_false(!taddr)) {
+ npf_config_read_exit(npf, slock);
pool_cache_put(nat_cache, nt);
return NULL;
}
memcpy(&nt->nt_taddr, taddr, alen);
+ npf_config_read_exit(npf, slock);
+
} else if (np->n_algo == NPF_ALGO_NETMAP) {
const unsigned which = npf_nat_which(np->n_type, true);
npf_nat_algo_netmap(npc, np, which, &nt->nt_taddr);
Index: src/sys/net/npf/npf_ifaddr.c
diff -u src/sys/net/npf/npf_ifaddr.c:1.5 src/sys/net/npf/npf_ifaddr.c:1.5.4.1
--- src/sys/net/npf/npf_ifaddr.c:1.5 Sat Jan 19 21:19:32 2019
+++ src/sys/net/npf/npf_ifaddr.c Sun Sep 1 13:21:39 2019
@@ -33,7 +33,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.5 2019/01/19 21:19:32 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ifaddr.c,v 1.5.4.1 2019/09/01 13:21:39 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -51,8 +51,8 @@ lookup_ifnet_table(npf_t *npf, ifnet_t *
{
const npf_ifops_t *ifops = npf->ifops;
char tname[NPF_TABLE_MAXNAMELEN];
- npf_tableset_t *ts;
const char *ifname;
+ npf_config_t *nc;
npf_table_t *t;
u_int tid;
@@ -61,13 +61,12 @@ lookup_ifnet_table(npf_t *npf, ifnet_t *
snprintf(tname, sizeof(tname), ".ifnet-%s", ifname);
KERNEL_LOCK(1, NULL);
- npf_config_enter(npf);
- ts = npf_config_tableset(npf);
+ nc = npf_config_enter(npf);
/*
* Check whether this interface is of any interest to us.
*/
- t = npf_tableset_getbyname(ts, tname);
+ t = npf_tableset_getbyname(nc->tableset, tname);
if (!t) {
goto out;
}
@@ -88,7 +87,7 @@ out:
static void
replace_ifnet_table(npf_t *npf, npf_table_t *newt)
{
- npf_tableset_t *ts = npf_config_tableset(npf);
+ npf_tableset_t *ts = npf->config->tableset;
npf_table_t *oldt;
KERNEL_UNLOCK_ONE(NULL);
Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.75.2.2 src/sys/net/npf/npf_impl.h:1.75.2.3
--- src/sys/net/npf/npf_impl.h:1.75.2.2 Sun Sep 1 13:13:14 2019
+++ src/sys/net/npf/npf_impl.h Sun Sep 1 13:21:39 2019
@@ -75,7 +75,6 @@ struct npf_rprocset;
struct npf_portmap;
struct npf_nat;
struct npf_conn;
-struct npf_config;
typedef struct npf_ruleset npf_ruleset_t;
typedef struct npf_rule npf_rule_t;
@@ -85,7 +84,6 @@ typedef struct npf_rprocset npf_rprocset
typedef struct npf_alg npf_alg_t;
typedef struct npf_natpolicy npf_natpolicy_t;
typedef struct npf_conn npf_conn_t;
-typedef struct npf_config npf_config_t;
struct npf_conndb;
struct npf_table;
@@ -98,10 +96,22 @@ typedef struct npf_table npf_table_t;
typedef struct npf_tableset npf_tableset_t;
typedef struct npf_algset npf_algset_t;
+#ifdef __NetBSD__
+typedef void ebr_t;
+#endif
+
/*
* DEFINITIONS.
*/
+typedef struct {
+ npf_ruleset_t * ruleset;
+ npf_ruleset_t * nat_ruleset;
+ npf_rprocset_t * rule_procs;
+ npf_tableset_t * tableset;
+ bool default_pass;
+} npf_config_t;
+
typedef void (*npf_workfunc_t)(npf_t *);
typedef struct {
@@ -195,7 +205,7 @@ typedef enum {
struct npf {
/* Active NPF configuration. */
kmutex_t config_lock;
- pserialize_t qsbr;
+ ebr_t * ebr;
npf_config_t * config;
/* BPF byte-code context. */
@@ -265,20 +275,21 @@ void npf_rproc_assign(npf_rproc_t *, vo
void npf_config_init(npf_t *);
void npf_config_fini(npf_t *);
-void npf_config_enter(npf_t *);
+npf_config_t * npf_config_enter(npf_t *);
void npf_config_exit(npf_t *);
void npf_config_sync(npf_t *);
bool npf_config_locked_p(npf_t *);
-int npf_config_read_enter(void);
-void npf_config_read_exit(int s);
+int npf_config_read_enter(npf_t *);
+void npf_config_read_exit(npf_t *, int);
-void npf_config_load(npf_t *, npf_ruleset_t *, npf_tableset_t *,
- npf_ruleset_t *, npf_rprocset_t *, npf_conndb_t *, bool);
+npf_config_t * npf_config_create(void);
+void npf_config_destroy(npf_config_t *);
+void npf_config_load(npf_t *, npf_config_t *, npf_conndb_t *, bool);
npf_ruleset_t * npf_config_ruleset(npf_t *npf);
npf_ruleset_t * npf_config_natset(npf_t *npf);
npf_tableset_t *npf_config_tableset(npf_t *npf);
-npf_rprocset_t *npf_config_rprocs(npf_t *);
bool npf_default_pass(npf_t *);
+bool npf_active_p(void);
int npf_worker_sysinit(unsigned);
void npf_worker_sysfini(void);
@@ -286,8 +297,6 @@ void npf_worker_signal(npf_t *);
void npf_worker_register(npf_t *, npf_workfunc_t);
void npf_worker_unregister(npf_t *, npf_workfunc_t);
-int npfctl_switch(void *);
-int npfctl_reload(u_long, void *);
int npfctl_save(npf_t *, u_long, void *);
int npfctl_load(npf_t *, u_long, void *);
int npfctl_rule(npf_t *, u_long, void *);
@@ -317,11 +326,6 @@ void npf_ifaddr_sync(npf_t *, ifnet_t *
void npf_ifaddr_flush(npf_t *, ifnet_t *);
void npf_ifaddr_syncall(npf_t *);
-/* Packet filter hooks. */
-int npf_pfil_register(bool);
-void npf_pfil_unregister(bool);
-bool npf_pfil_registered_p(void);
-
/* Protocol helpers. */
int npf_cache_all(npf_cache_t *);
void npf_recache(npf_cache_t *);
@@ -503,6 +507,16 @@ void npf_alg_exec(npf_cache_t *, npf_na
npf_conn_t * npf_alg_conn(npf_cache_t *, int);
int npf_alg_export(npf_t *, nvlist_t *);
+/* Wrappers for the reclamation mechanism. */
+ebr_t * npf_ebr_create(void);
+void npf_ebr_destroy(ebr_t *);
+void npf_ebr_register(ebr_t *);
+void npf_ebr_unregister(ebr_t *);
+int npf_ebr_enter(ebr_t *);
+void npf_ebr_exit(ebr_t *, int);
+void npf_ebr_full_sync(ebr_t *);
+bool npf_ebr_incrit_p(ebr_t *);
+
/* Debugging routines. */
const char * npf_addr_dump(const npf_addr_t *, int);
void npf_state_dump(const npf_state_t *);
@@ -514,10 +528,4 @@ void npf_state_setsampler(void (*)(npf_
void npf_setkernctx(npf_t *);
npf_t * npf_getkernctx(void);
-#ifdef __NetBSD__
-#define pserialize_register(x)
-#define pserialize_checkpoint(x)
-#define pserialize_unregister(x)
-#endif
-
#endif /* _NPF_IMPL_H_ */
Index: src/sys/net/npf/npf_os.c
diff -u src/sys/net/npf/npf_os.c:1.12.2.2 src/sys/net/npf/npf_os.c:1.12.2.3
--- src/sys/net/npf/npf_os.c:1.12.2.2 Sun Sep 1 13:13:14 2019
+++ src/sys/net/npf/npf_os.c Sun Sep 1 13:21:39 2019
@@ -33,7 +33,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.12.2.2 2019/09/01 13:13:14 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.12.2.3 2019/09/01 13:21:39 martin Exp $");
#ifdef _KERNEL_OPT
#include "pf.h"
@@ -50,6 +50,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1
#include <sys/kmem.h>
#include <sys/lwp.h>
#include <sys/module.h>
+#include <sys/pserialize.h>
#include <sys/socketvar.h>
#include <sys/uio.h>
@@ -83,6 +84,9 @@ MODULE(MODULE_CLASS_MISC, npf, "bpf");
MODULE(MODULE_CLASS_DRIVER, npf, "bpf");
#endif
+static int npf_pfil_register(bool);
+static void npf_pfil_unregister(bool);
+
static int npf_dev_open(dev_t, int, int, lwp_t *);
static int npf_dev_close(dev_t, int, int, lwp_t *);
static int npf_dev_ioctl(dev_t, u_long, void *, int, lwp_t *);
@@ -225,6 +229,26 @@ npf_stats_export(npf_t *npf, void *data)
return error;
}
+/*
+ * npfctl_switch: enable or disable packet inspection.
+ */
+static int
+npfctl_switch(void *data)
+{
+ const bool onoff = *(int *)data ? true : false;
+ int error;
+
+ if (onoff) {
+ /* Enable: add pfil hooks. */
+ error = npf_pfil_register(false);
+ } else {
+ /* Disable: remove pfil hooks. */
+ npf_pfil_unregister(false);
+ error = 0;
+ }
+ return error;
+}
+
static int
npf_dev_ioctl(dev_t dev, u_long cmd, void *data, int flag, lwp_t *l)
{
@@ -289,7 +313,7 @@ bool
npf_autounload_p(void)
{
npf_t *npf = npf_getkernctx();
- return !npf_pfil_registered_p() && npf_default_pass(npf);
+ return !npf_active_p() && npf_default_pass(npf);
}
/*
@@ -393,7 +417,7 @@ npf_ifaddrhook(void *arg, u_long cmd, vo
/*
* npf_pfil_register: register pfil(9) hooks.
*/
-int
+static int
npf_pfil_register(bool init)
{
npf_t *npf = npf_getkernctx();
@@ -462,7 +486,7 @@ out:
/*
* npf_pfil_unregister: unregister pfil(9) hooks.
*/
-void
+static void
npf_pfil_unregister(bool fini)
{
npf_t *npf = npf_getkernctx();
@@ -489,8 +513,64 @@ npf_pfil_unregister(bool fini)
}
bool
-npf_pfil_registered_p(void)
+npf_active_p(void)
{
return pfil_registered;
}
+
+#endif
+
+#ifdef __NetBSD__
+
+ebr_t *
+npf_ebr_create(void)
+{
+ return pserialize_create();
+}
+
+void
+npf_ebr_destroy(ebr_t *ebr)
+{
+ pserialize_destroy(ebr);
+}
+
+void
+npf_ebr_register(ebr_t *ebr)
+{
+ KASSERT(ebr != NULL); (void)ebr;
+}
+
+void
+npf_ebr_unregister(ebr_t *ebr)
+{
+ KASSERT(ebr != NULL); (void)ebr;
+}
+
+int
+npf_ebr_enter(ebr_t *ebr)
+{
+ KASSERT(ebr != NULL); (void)ebr;
+ return pserialize_read_enter();
+}
+
+void
+npf_ebr_exit(ebr_t *ebr, int s)
+{
+ KASSERT(ebr != NULL); (void)ebr;
+ pserialize_read_exit(s);
+}
+
+void
+npf_ebr_full_sync(ebr_t *ebr)
+{
+ pserialize_perform(ebr);
+}
+
+bool
+npf_ebr_incrit_p(ebr_t *ebr)
+{
+ KASSERT(ebr != NULL); (void)ebr;
+ return pserialize_in_read_section();
+}
+
#endif
Index: src/sys/sys/mbuf.h
diff -u src/sys/sys/mbuf.h:1.219 src/sys/sys/mbuf.h:1.219.4.1
--- src/sys/sys/mbuf.h:1.219 Thu Jan 17 02:47:15 2019
+++ src/sys/sys/mbuf.h Sun Sep 1 13:21:39 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $ */
+/* $NetBSD: mbuf.h,v 1.219.4.1 2019/09/01 13:21:39 martin Exp $ */
/*
* Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
@@ -799,6 +799,7 @@ int m_tag_copy_chain(struct mbuf *, stru
/* Packet tag types */
#define PACKET_TAG_NONE 0 /* Nothing */
#define PACKET_TAG_SO 4 /* sending socket pointer */
+#define PACKET_TAG_NPF 10 /* packet filter */
#define PACKET_TAG_PF 11 /* packet filter */
#define PACKET_TAG_ALTQ_QID 12 /* ALTQ queue id */
#define PACKET_TAG_IPSEC_OUT_DONE 18
Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13.2.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13.2.2
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13.2.1 Sun Aug 11 10:10:23 2019
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Sun Sep 1 13:21:39 2019
@@ -32,14 +32,14 @@
*
* Overview
*
- * Each NPF rule is compiled into BPF micro-program. There is a
+ * Each NPF rule is compiled into a BPF micro-program. There is a
* BPF byte-code fragment for each higher-level filtering logic,
* e.g. to match L4 protocol, IP/mask, etc. The generation process
* combines multiple BPF-byte code fragments into one program.
*
* Basic case
*
- * Consider a basic case, where all filters should match. They
+ * Consider a basic case where all filters should match. They
* are expressed as logical conjunction, e.g.:
*
* A and B and C and D
@@ -56,8 +56,8 @@
* Once all byte-code fragments are combined into one, then there
* are two additional steps:
*
- * - Two instructions are appended at the end of the program: return
- * "success" followed by return "failure".
+ * - Two instructions are appended at the end of the program: "return
+ * success" followed by "return failure".
*
* - All jumps with the JUMP_MAGIC value are patched to point to the
* "return failure" instruction.
@@ -65,11 +65,11 @@
* Therefore, if all filter criteria will match, then the first
* instruction will be reached, indicating a successful match of the
* rule. Otherwise, if any of the criteria will not match, it will
- * take the failure path and the rule will not matching.
+ * take the failure path and the rule will not be matching.
*
* Grouping
*
- * Filters can have groups, which are have a meaning of logical
+ * Filters can have groups, which have a meaning of logical
* disjunction, e.g.:
*
* A and B and (C or D)
@@ -82,7 +82,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13.2.1 2019/08/11 10:10:23 martin Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13.2.2 2019/09/01 13:21:39 martin Exp $");
#include <stdlib.h>
#include <stdbool.h>
Index: src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.17.2.1 src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.17.2.2
--- src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.17.2.1 Tue Aug 13 14:35:55 2019
+++ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Sun Sep 1 13:21:39 2019
@@ -68,7 +68,7 @@ run_raw_testcase(unsigned i)
m = mbuf_get_pkt(AF_INET, IPPROTO_UDP, t->src, t->dst, 9000, 9000);
npc = get_cached_pkt(m, t->ifname);
- slock = npf_config_read_enter();
+ slock = npf_config_read_enter(npf);
rl = npf_ruleset_inspect(npc, npf_config_ruleset(npf), t->di, NPF_LAYER_3);
if (rl) {
npf_match_info_t mi;
@@ -76,7 +76,7 @@ run_raw_testcase(unsigned i)
} else {
error = ENOENT;
}
- npf_config_read_exit(slock);
+ npf_config_read_exit(npf, slock);
put_cached_pkt(npc);
return error;
