Module Name: src Committed By: rmind Date: Sun Jan 15 00:49:49 UTC 2012
Modified Files: src/lib/libnpf: npf.3 npf.c npf.h src/sys/net/npf: npf.c npf.h npf_ctl.c npf_handler.c npf_instr.c npf_nat.c npf_processor.c npf_ruleset.c npf_tableset.c src/usr.sbin/npf/npfctl: npf_build.c npf_parse.y npf_var.c npfctl.c npfctl.h Log Message: - Expire all sessions on flush. - Enable checking for zero mask in IP{4,6}MATCH after npfctl changes. - Make locking symmetric for npf_ruleset_inspect(). - Sync function prototypes in npf(3) man page with reality. - Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/libnpf/npf.3 cvs rdiff -u -r1.5 -r1.6 src/lib/libnpf/npf.c cvs rdiff -u -r1.4 -r1.5 src/lib/libnpf/npf.h cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf.c cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf.h \ src/sys/net/npf/npf_handler.c cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_instr.c \ src/sys/net/npf/npf_nat.c src/sys/net/npf/npf_ruleset.c \ src/sys/net/npf/npf_tableset.c cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_processor.c cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npfctl/npf_parse.y \ src/usr.sbin/npf/npfctl/npf_var.c cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npfctl/npfctl.c cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libnpf/npf.3 diff -u src/lib/libnpf/npf.3:1.3 src/lib/libnpf/npf.3:1.4 --- src/lib/libnpf/npf.3:1.3 Tue Mar 22 07:28:41 2011 +++ src/lib/libnpf/npf.3 Sun Jan 15 00:49:47 2012 @@ -1,6 +1,6 @@ -.\" $NetBSD: npf.3,v 1.3 2011/03/22 07:28:41 jruoho Exp $ +.\" $NetBSD: npf.3,v 1.4 2012/01/15 00:49:47 rmind Exp $ .\" -.\" Copyright (c) 2011 The NetBSD Foundation, Inc. +.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 22, 2011 +.Dd January 14, 2012 .Dt NPF 3 .Os .Sh NAME @@ -44,6 +44,8 @@ .Fn npf_config_submit "nl_config_t *ncf" "int fd" .Ft void .Fn npf_config_destroy "nl_config_t *ncf" +.Ft int +.Fn npf_config_flush "int fd" .\" --- .Ft nl_rule_t * .Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx" @@ -67,13 +69,13 @@ .Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp" .\" --- .Ft nl_nat_t * -.Fn npf_nat_create "int type" "int flags" "u_int if_idx" \ +.Fn npf_nat_create "int type" "u_int flags" "u_int if_idx" \ "npf_addr_t *addr" "int af" "in_port_t port" .Ft int .Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri" .\" --- .Ft nl_table_t * -.Fn npf_table_create "int index" "int type" +.Fn npf_table_create "u_int id" "int type" .Ft int .Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask" .Ft bool @@ -84,7 +86,7 @@ .Fn npf_table_destroy "nl_table_t *tl" .\" --- .Ft int -.Fn npf_update_rule "int fd" "char *rname" "nl_rule_t *rl" +.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl" .Ft int .Fn npf_sessions_send "int fd" "const char *fpath" .Ft int @@ -109,6 +111,8 @@ to the kernel. .It Fn npf_config_destroy "ncf" Destroy the configuration .Fa ncf . +.It Fn npf_config_flush "fd" +Flush the current configuration. .El .\" --- .Ss Rule interface 
@@ -247,10 +251,10 @@ Insert NAT policy, its rule, into the sp .It Fn npf_table_create "index" "type" Create NPF table of specified type. The following types are supported: -.Bl -tag -width "NPF_TABLE_RBTREE " +.Bl -tag -width "NPF_TABLE_TREE " .It Dv NPF_TABLE_HASH Indicates to use hash table for storage. -.It Dv NPF_TABLE_RBTREE +.It Dv NPF_TABLE_TREE Indicates to use red-black tree for storage. Table is identified by .Fa index , Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.5 src/lib/libnpf/npf.c:1.6 --- src/lib/libnpf/npf.c:1.5 Sat Nov 26 23:42:27 2011 +++ src/lib/libnpf/npf.c Sun Jan 15 00:49:47 2012 @@ -1,7 +1,7 @@ -/* $NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $ */ +/* $NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $ */ /*- - * Copyright (c) 2010-2011 The NetBSD Foundation, Inc. + * Copyright (c) 2010-2012 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $"); #include <sys/types.h> #include <netinet/in_systm.h> @@ -56,6 +56,7 @@ struct nl_config { pri_t ncf_nat_pri; /* Custom file to externalise property-list. */ const char * ncf_plist; + bool ncf_flush; }; struct nl_rule { @@ -92,6 +93,7 @@ npf_config_create(void) ncf->ncf_nat_pri = 1; ncf->ncf_plist = NULL; + ncf->ncf_flush = false; return ncf; } @@ -111,6 +113,7 @@ npf_config_submit(nl_config_t *ncf, int prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list); prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list); prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list); + prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush); if (plist) { if (!prop_dictionary_externalize_to_file(npf_dict, plist)) { 
@@ -123,6 +126,22 @@ npf_config_submit(nl_config_t *ncf, int return error; } +int +npf_config_flush(int fd) +{ + nl_config_t *ncf; + int error; + + ncf = npf_config_create(); + if (ncf == NULL) { + return ENOMEM; + } + ncf->ncf_flush = true; + error = npf_config_submit(ncf, fd); + npf_config_destroy(ncf); + return error; +} + void npf_config_destroy(nl_config_t *ncf) { @@ -510,7 +529,6 @@ npf_table_destroy(nl_table_t *tl) */ int -/*ARGSUSED*/ npf_update_rule(int fd, const char *rname __unused, nl_rule_t *rl) { prop_dictionary_t rldict = rl->nrl_dict; Index: src/lib/libnpf/npf.h diff -u src/lib/libnpf/npf.h:1.4 src/lib/libnpf/npf.h:1.5 --- src/lib/libnpf/npf.h:1.4 Sat Nov 26 23:42:27 2011 +++ src/lib/libnpf/npf.h Sun Jan 15 00:49:47 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.4 2011/11/26 23:42:27 christos Exp $ */ +/* $NetBSD: npf.h,v 1.5 2012/01/15 00:49:47 rmind Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -63,6 +63,7 @@ typedef struct nl_rule nl_nat_t; nl_config_t * npf_config_create(void); int npf_config_submit(nl_config_t *, int); void npf_config_destroy(nl_config_t *); +int npf_config_flush(int); #ifdef _NPF_PRIVATE void _npf_config_setsubmit(nl_config_t *, const char *); #endif Index: src/sys/net/npf/npf.c diff -u src/sys/net/npf/npf.c:1.6 src/sys/net/npf/npf.c:1.7 --- src/sys/net/npf/npf.c:1.6 Sun Nov 6 13:08:04 2011 +++ src/sys/net/npf/npf.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $ */ +/* $NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $"); #include <sys/param.h> #include <sys/types.h> 
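Review bot: npf_config_flush() has no header comment, and the contract it replaces is not obvious from the code: the removed npfctl_config_flush() (npf_build.c hunk below) sent an empty configuration and then called npf_sessions_send(fd, NULL), whereas the new function only sets the "flush" dictionary key and leaves it to the kernel to expire sessions. A comment above the definition should say so, e.g. `/* npf_config_flush: submit an empty configuration with the "flush" flag set; the kernel drops rules, tables and NAT policies and, per this commit, turns session tracking off, expiring existing sessions. */`. Against a kernel that does not know the key the call silently degrades to an empty reload with sessions kept, which is worth a sentence in npf(3) even if a version check is out of scope here. The unchecked prop_dictionary_set_bool() return in npf_config_submit() matches its siblings, so I would leave it.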
@@ -285,9 +285,6 @@ npf_reload(npf_ruleset_t *rset, npf_tabl /* Unlock. Everything goes "live" now. */ rw_exit(&npf_lock); - /* Turn on/off session tracking accordingly. */ - npf_session_tracking(true); - if (onc) { /* Destroy unloaded structures. */ npf_core_destroy(onc); Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.11 src/sys/net/npf/npf.h:1.12 --- src/sys/net/npf/npf.h:1.11 Tue Nov 29 20:05:30 2011 +++ src/sys/net/npf/npf.h Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.11 2011/11/29 20:05:30 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.12 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc. @@ -248,7 +248,7 @@ void npf_hook_unregister(npf_rule_t *, /* Table types. */ #define NPF_TABLE_HASH 1 -#define NPF_TABLE_RBTREE 2 +#define NPF_TABLE_TREE 2 /* Layers. */ #define NPF_LAYER_2 2 Index: src/sys/net/npf/npf_handler.c diff -u src/sys/net/npf/npf_handler.c:1.11 src/sys/net/npf/npf_handler.c:1.12 --- src/sys/net/npf/npf_handler.c:1.11 Tue Nov 29 20:05:30 2011 +++ src/sys/net/npf/npf_handler.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $ */ +/* $NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $"); #include <sys/param.h> #include <sys/systm.h> 
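Review bot: With the npf_session_tracking(true) call gone, nothing in npf_reload() states who is now responsible for session tracking; its header comment (above the hunk) should carry `=> Session tracking is left untouched here; the caller (npfctl_reload) enables or disables it after the reload.` The lock is dropped at rw_exit(&npf_lock) and tracking is switched only later in npfctl_reload(), so packets can hit the new ruleset with the old tracking state in between; that window existed before too, since the old call was also after rw_exit(), but it now spans two functions and deserves to be written down. npf_reload() starts before the hunk.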
@@ -156,6 +156,7 @@ npf_packet_handler(void *arg, struct mbu rlset = npf_core_ruleset(); rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3); if (rl == NULL) { + npf_core_exit(); if (default_pass) { npf_stats_inc(NPF_STAT_PASS_DEFAULT); goto pass; Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.10 src/sys/net/npf/npf_ctl.c:1.11 --- src/sys/net/npf/npf_ctl.c:1.10 Tue Nov 29 20:05:30 2011 +++ src/sys/net/npf/npf_ctl.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $"); #include <sys/param.h> #include <sys/conf.h> @@ -376,6 +376,7 @@ npfctl_reload(u_long cmd, void *data) npf_ruleset_t *rlset = NULL; npf_ruleset_t *nset = NULL; prop_dictionary_t dict; + bool flush; int error; /* Retrieve the dictionary. */ @@ -413,12 +414,18 @@ npfctl_reload(u_long cmd, void *data) goto fail; } + flush = false; + prop_dictionary_get_bool(dict, "flush", &flush); + /* * Finally - reload ruleset, tableset and NAT policies. * Operation will be performed as a single transaction. */ npf_reload(rlset, tblset, nset); + /* Turn on/off session tracking accordingly. */ + npf_session_tracking(!flush); + /* Done. Since data is consumed now, we shall not destroy it. */ tblset = NULL; rlset = NULL; Index: src/sys/net/npf/npf_instr.c diff -u src/sys/net/npf/npf_instr.c:1.8 src/sys/net/npf/npf_instr.c:1.9 --- src/sys/net/npf/npf_instr.c:1.8 Tue Nov 29 20:05:30 2011 +++ src/sys/net/npf/npf_instr.c Sun Jan 15 00:49:48 2012 
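Review bot: The NULL branch now releases the core lock itself, but nothing on this path says which acquisition it balances, so a one-line comment would spare the next reader a trip into npf_ruleset_inspect(), e.g. `/* No rule matched: drop the core lock taken for the lookup; npf_ruleset_inspect() no longer releases it. */`. The matched-rule path has to release the lock later, outside this hunk; I assume it already does, since the old code only released on the NULL path. npf_packet_handler() starts and ends outside the hunk.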
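Review bot: In npfctl_reload() the "flush" flag is honoured without checking that the submitted configuration is actually empty, so a dictionary carrying flush=true together with rules would load a ruleset with session tracking disabled; the kernel trusts npf_config_flush(3) to be the only producer of the key. Since the dictionary arrives over the ioctl interface, a sanity check, or at least a comment, belongs next to the get_bool: `/* "flush" is only set by npf_config_flush(3), which submits an empty configuration; it turns session tracking off, expiring all sessions. */`. Ignoring the return of prop_dictionary_get_bool() is fine because flush is pre-set to false. That npf_session_tracking(false) expires existing sessions is inferred from the commit log, not visible here.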
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */ +/* $NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $"); #include <sys/param.h> #include <sys/kernel.h> @@ -50,9 +50,9 @@ __KERNEL_RCSID(0, "$NetBSD: npf_instr.c, #define NPF_PORTRANGE_MATCH(r, p) (p >= (r >> 16) && p <= (r & 0xffff)) /* - * npf_match_ether: find and check Ethernet and possible VLAN headers. + * npf_match_ether: find and check Ethernet with possible VLAN headers. * - * => Stores value in to advance to layer 3 header (usually, IPv4). + * => Stores value in the register for advancing to layer 3 header. * => Returns zero on success or -1 on failure. */ int @@ -127,11 +127,6 @@ npf_match_ipmask(npf_cache_t *npc, nbuf_ } KASSERT(npf_iscached(npc, NPC_IP46)); } -#if 1 /* XXX */ - if (mask == 0) { - return 0; - } -#endif addr = sd ? npc->npc_srcip : npc->npc_dstip; if (mask != NPF_NO_NETMASK) { npf_calculate_masked_addr(&cmpaddr, addr, mask); Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.8 src/sys/net/npf/npf_nat.c:1.9 --- src/sys/net/npf/npf_nat.c:1.8 Sat Nov 19 22:51:25 2011 +++ src/sys/net/npf/npf_nat.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.8 2011/11/19 22:51:25 tls Exp $ */ +/* $NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc. @@ -76,7 +76,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.8 2011/11/19 22:51:25 tls Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $"); #include <sys/param.h> #include <sys/kernel.h> 
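Review bot: Removing the mask == 0 guard from npf_match_ipmask() makes the matcher depend entirely on the n-code validator now rejecting a zero netmask (the `!val ||` change in npf_processor.c); if a zero mask ever reaches here it goes into npf_calculate_masked_addr(), whose behaviour for 0 is not visible in the diff. A cheap defence-in-depth that also documents the assumption is `KASSERT(mask != 0);` before the `addr = sd ? ...` line, with `/* mask == 0 is rejected at n-code validation time (npf_processor.c). */`. The function starts before the hunk.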
@@ -402,6 +402,7 @@ npf_nat_inspect(npf_cache_t *npc, nbuf_t rlset = npf_core_natset(); rl = npf_ruleset_inspect(npc, nbuf, rlset, ifp, di, NPF_LAYER_3); if (rl == NULL) { + npf_core_exit(); return NULL; } np = npf_rule_getnat(rl); Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.8 src/sys/net/npf/npf_ruleset.c:1.9 --- src/sys/net/npf/npf_ruleset.c:1.8 Thu Dec 8 23:36:57 2011 +++ src/sys/net/npf/npf_ruleset.c Sun Jan 15 00:49:49 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $ */ /*- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $"); #include <sys/param.h> #include <sys/kernel.h> @@ -458,8 +458,7 @@ npf_ruleset_replace(const char *name, np * Loop through the rules in the set and run n-code processor of each rule * against the packet (nbuf chain). If sub-ruleset is found, inspect it. * - * => If not found, core ruleset lock is released. - * => Caller should protect the nbuf chain. + * => Caller is responsible for nbuf chain protection. */ npf_rule_t * npf_ruleset_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_ruleset_t *mainrlset, @@ -508,9 +507,6 @@ again: final_rl = NULL; goto again; } - if (final_rl == NULL) { - npf_core_exit(); - } return final_rl; } Index: src/sys/net/npf/npf_tableset.c diff -u src/sys/net/npf/npf_tableset.c:1.8 src/sys/net/npf/npf_tableset.c:1.9 --- src/sys/net/npf/npf_tableset.c:1.8 Tue Nov 29 20:05:30 2011 +++ src/sys/net/npf/npf_tableset.c Sun Jan 15 00:49:49 2012 
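Review bot: The header comment of npf_ruleset_inspect() now says only that the caller protects the nbuf chain; the locking contract this hunk changes (the core lock is no longer released on a NULL return) deserves an explicit line, e.g. `=> Core lock is held on entry and never released here; the caller must call npf_core_exit() on every return path, including NULL.` This matters because the diff updates exactly two callers, npf_packet_handler() and npf_nat_inspect(); any other caller of npf_ruleset_inspect() outside this diff would now keep the lock on no-match. The `goto again` loop that precedes the removed lines is not shown in the hunk.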
@@ -1,7 +1,7 @@ -/* $NetBSD: npf_tableset.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */ +/* $NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $ */ /*- - * Copyright (c) 2009-2011 The NetBSD Foundation, Inc. + * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.8 2011/11/29 20:05:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $"); #include <sys/param.h> #include <sys/kernel.h> @@ -208,7 +208,7 @@ npf_table_create(u_int tid, int type, si t = kmem_zalloc(sizeof(npf_table_t), KM_SLEEP); switch (type) { - case NPF_TABLE_RBTREE: + case NPF_TABLE_TREE: rb_tree_init(&t->t_rbtree, &table_rbtree_ops); break; case NPF_TABLE_HASH: @@ -247,7 +247,7 @@ npf_table_destroy(npf_table_t *t) } hashdone(t->t_hashl, HASH_LIST, t->t_hashmask); break; - case NPF_TABLE_RBTREE: + case NPF_TABLE_TREE: while ((e = rb_tree_iterate(&t->t_rbtree, NULL, RB_DIR_LEFT)) != NULL) { rb_tree_remove_node(&t->t_rbtree, e); @@ -331,7 +331,7 @@ npf_table_check(npf_tableset_t *tset, u_ if (tset[tid] != NULL) { return EEXIST; } - if (type != NPF_TABLE_RBTREE && type != NPF_TABLE_HASH) { + if (type != NPF_TABLE_TREE && type != NPF_TABLE_HASH) { return EINVAL; } return 0; @@ -384,7 +384,7 @@ npf_table_add_cidr(npf_tableset_t *tset, error = EEXIST; } break; - case NPF_TABLE_RBTREE: + case NPF_TABLE_TREE: /* Insert entry. Returns false, if duplicate. */ if (rb_tree_insert_node(&t->t_rbtree, e) != e) { error = EEXIST; @@ -444,7 +444,7 @@ npf_table_rem_cidr(npf_tableset_t *tset, error = ESRCH; } break; - case NPF_TABLE_RBTREE: + case NPF_TABLE_TREE: /* Key: (address & mask). */ npf_calculate_masked_addr(&val, addr, mask); e = rb_tree_find_node(&t->t_rbtree, &val); 
@@ -491,7 +491,7 @@ npf_table_match_addr(npf_tableset_t *tse break; } break; - case NPF_TABLE_RBTREE: + case NPF_TABLE_TREE: e = rb_tree_find_node(&t->t_rbtree, addr); KASSERT(e && npf_compare_cidr(addr, e->te_mask, &e->te_addr, NPF_NO_NETMASK) == 0); Index: src/sys/net/npf/npf_processor.c diff -u src/sys/net/npf/npf_processor.c:1.7 src/sys/net/npf/npf_processor.c:1.8 --- src/sys/net/npf/npf_processor.c:1.7 Tue Nov 29 20:05:30 2011 +++ src/sys/net/npf/npf_processor.c Sun Jan 15 00:49:49 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_processor.c,v 1.7 2011/11/29 20:05:30 rmind Exp $ */ +/* $NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $ */ /*- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc. @@ -54,7 +54,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.7 2011/11/29 20:05:30 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $"); #include <sys/param.h> #include <sys/kernel.h> @@ -283,13 +283,14 @@ cisc_like: cmpval = npf_match_ether(nbuf, d, n, i, ®s[NPF_NREGS - 1]); break; case NPF_OPCODE_IP4MASK: - /* Source/destination, network address, subnet mask. */ + /* Source/destination, network address, subnet. */ i_ptr = nc_fetch_word(i_ptr, &d); i_ptr = nc_fetch_double(i_ptr, &addr.s6_addr32[0], &n); cmpval = npf_match_ipmask(npc, nbuf, n_ptr, d, &addr, (npf_netmask_t)n); break; case NPF_OPCODE_IP6MASK: + /* Source/destination, network address, subnet. */ i_ptr = nc_fetch_word(i_ptr, &d); i_ptr = nc_fetch_double(i_ptr, &addr.s6_addr32[0], &addr.s6_addr32[1]); @@ -455,7 +456,7 @@ jmp_check: if (error) { return error; } - if (/* XXX !val ||*/ (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) { + if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) { return NPF_ERR_INVAL; } break; 
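Review bot: The netmask validation is now duplicated byte-for-byte in the IP4MASK and IP6MASK cases (this hunk and the one at @@ -464 below); a small helper keeps the two in sync, e.g. `static inline bool nc_valid_netmask(uint32_t val) { return val != 0 && (val <= NPF_MAX_NETMASK || val == NPF_NO_NETMASK); }` with `if (!nc_valid_netmask(val)) return NPF_ERR_INVAL;` in both cases (assuming val is uint32_t, as the execution path's n operand suggests). Rejecting val == 0 means n-code from an npfctl that still encodes "any" as a zero mask now fails with NPF_ERR_INVAL; the log says npfctl was changed first, so that is intended, but it is a wire-format change worth a comment at the check. The commit message calls these IP{4,6}MATCH while the opcodes here are NPF_OPCODE_IP4MASK/IP6MASK.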
@@ -464,7 +465,7 @@ jmp_check: if (error) { return error; } - if (/* XXX !val ||*/ (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) { + if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) { return NPF_ERR_INVAL; } break; Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.1 src/usr.sbin/npf/npfctl/npf_build.c:1.2 --- src/usr.sbin/npf/npfctl/npf_build.c:1.1 Sun Jan 8 21:34:21 2012 +++ src/usr.sbin/npf/npfctl/npf_build.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.1 2012/01/08 21:34:21 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npf_build.c,v 1.1 2012/01/08 21:34:21 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $"); #include <sys/types.h> #include <sys/ioctl.h> @@ -79,21 +79,6 @@ npfctl_config_send(int fd) return error; } -int -npfctl_config_flush(int fd) -{ - int ret; - - /* Pass empty configuration to flush. */ - npfctl_config_init(false); - defgroup_set = true; - ret = npfctl_config_send(fd); - if (ret) { - return ret; - } - return npf_sessions_send(fd, NULL); -} - bool npfctl_table_exists_p(const char *id) { Index: src/usr.sbin/npf/npfctl/npf_parse.y diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.2 src/usr.sbin/npf/npfctl/npf_parse.y:1.3 --- src/usr.sbin/npf/npfctl/npf_parse.y:1.2 Thu Jan 12 20:41:33 2012 +++ src/usr.sbin/npf/npfctl/npf_parse.y Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.2 2012/01/12 20:41:33 christos Exp $ */ +/* $NetBSD: npf_parse.y,v 1.3 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. 
@@ -240,7 +240,7 @@ table table_type : HASH { $$ = NPF_TABLE_HASH; } - | TREE { $$ = NPF_TABLE_RBTREE; } + | TREE { $$ = NPF_TABLE_TREE; } ; table_store Index: src/usr.sbin/npf/npfctl/npf_var.c diff -u src/usr.sbin/npf/npfctl/npf_var.c:1.2 src/usr.sbin/npf/npfctl/npf_var.c:1.3 --- src/usr.sbin/npf/npfctl/npf_var.c:1.2 Thu Jan 12 20:41:33 2012 +++ src/usr.sbin/npf/npfctl/npf_var.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_var.c,v 1.2 2012/01/12 20:41:33 christos Exp $ */ +/* $NetBSD: npf_var.c,v 1.3 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npf_var.c,v 1.2 2012/01/12 20:41:33 christos Exp $"); +__RCSID("$NetBSD: npf_var.c,v 1.3 2012/01/15 00:49:48 rmind Exp $"); #include <stdlib.h> #include <string.h> @@ -217,9 +217,10 @@ npfvar_get_data1(const npfvar_t *vp, int el = el->e_next; } - if (vp->v_type == NPFVAR_VAR_ID) - return npfvar_get_data1(npfvar_lookup(el->e_data), type, 0, - level + 1); + if (vp->v_type == NPFVAR_VAR_ID) { + npfvar_t *rvp = npfvar_lookup(el->e_data); + return npfvar_get_data1(rvp, type, 0, level + 1); + } return el->e_data; } Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.8 src/usr.sbin/npf/npfctl/npfctl.c:1.9 --- src/usr.sbin/npf/npfctl/npfctl.c:1.8 Sun Jan 8 21:34:21 2012 +++ src/usr.sbin/npf/npfctl/npfctl.c Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.8 2012/01/08 21:34:21 rmind Exp $ */ +/* $NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npfctl.c,v 1.8 2012/01/08 21:34:21 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $"); #include <sys/ioctl.h> #include <sys/stat.h> 
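Review bot: In npfvar_get_data1() the lookup result rvp is passed straight into the recursive call without a NULL check; unless the function's entry (outside the hunk) already rejects a NULL vp, a reference to an undefined variable dereferences NULL. Now that the result has a name the check is one line, `if (rvp == NULL) errx(EXIT_FAILURE, "undefined variable");`, or whatever error routine npfctl uses elsewhere. The recursion is bounded only by level + 1, and the hunk does not show it being checked. npfvar_get_data1() starts before the hunk.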
@@ -239,7 +239,7 @@ npfctl(int action, int argc, char **argv ret = npfctl_config_send(fd); break; case NPFCTL_FLUSH: - ret = npfctl_config_flush(fd); + ret = npf_config_flush(fd); break; case NPFCTL_TABLE: if (argc < 5) { Index: src/usr.sbin/npf/npfctl/npfctl.h diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.9 src/usr.sbin/npf/npfctl/npfctl.h:1.10 --- src/usr.sbin/npf/npfctl/npfctl.h:1.9 Tue Jan 10 23:39:32 2012 +++ src/usr.sbin/npf/npfctl/npfctl.h Sun Jan 15 00:49:48 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.h,v 1.9 2012/01/10 23:39:32 joerg Exp $ */ +/* $NetBSD: npfctl.h,v 1.10 2012/01/15 00:49:48 rmind Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -144,7 +144,6 @@ void npfctl_gennc_tcpfl(nc_ctx_t *, uin void npfctl_config_init(bool); int npfctl_config_send(int); -int npfctl_config_flush(int); void npfctl_build_rproc(const char *, npfvar_t *); void npfctl_build_group(const char *, int, u_int);