Module Name: src
Committed By: rmind
Date: Sun Jan 15 00:49:49 UTC 2012
Modified Files:
src/lib/libnpf: npf.3 npf.c npf.h
src/sys/net/npf: npf.c npf.h npf_ctl.c npf_handler.c npf_instr.c
npf_nat.c npf_processor.c npf_ruleset.c npf_tableset.c
src/usr.sbin/npf/npfctl: npf_build.c npf_parse.y npf_var.c npfctl.c
npfctl.h
Log Message:
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/lib/libnpf/npf.3
cvs rdiff -u -r1.5 -r1.6 src/lib/libnpf/npf.c
cvs rdiff -u -r1.4 -r1.5 src/lib/libnpf/npf.h
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf.c
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf.h \
src/sys/net/npf/npf_handler.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_instr.c \
src/sys/net/npf/npf_nat.c src/sys/net/npf/npf_ruleset.c \
src/sys/net/npf/npf_tableset.c
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_processor.c
cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npfctl/npf_parse.y \
src/usr.sbin/npf/npfctl/npf_var.c
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npfctl.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/lib/libnpf/npf.3
diff -u src/lib/libnpf/npf.3:1.3 src/lib/libnpf/npf.3:1.4
--- src/lib/libnpf/npf.3:1.3 Tue Mar 22 07:28:41 2011
+++ src/lib/libnpf/npf.3 Sun Jan 15 00:49:47 2012
@@ -1,6 +1,6 @@
-.\" $NetBSD: npf.3,v 1.3 2011/03/22 07:28:41 jruoho Exp $
+.\" $NetBSD: npf.3,v 1.4 2012/01/15 00:49:47 rmind Exp $
.\"
-.\" Copyright (c) 2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd March 22, 2011
+.Dd January 14, 2012
.Dt NPF 3
.Os
.Sh NAME
@@ -44,6 +44,8 @@
.Fn npf_config_submit "nl_config_t *ncf" "int fd"
.Ft void
.Fn npf_config_destroy "nl_config_t *ncf"
+.Ft int
+.Fn npf_config_flush "int fd"
.\" ---
.Ft nl_rule_t *
.Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx"
@@ -67,13 +69,13 @@
.Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp"
.\" ---
.Ft nl_nat_t *
-.Fn npf_nat_create "int type" "int flags" "u_int if_idx" \
+.Fn npf_nat_create "int type" "u_int flags" "u_int if_idx" \
"npf_addr_t *addr" "int af" "in_port_t port"
.Ft int
.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri"
.\" ---
.Ft nl_table_t *
-.Fn npf_table_create "int index" "int type"
+.Fn npf_table_create "u_int id" "int type"
.Ft int
.Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
.Ft bool
@@ -84,7 +86,7 @@
.Fn npf_table_destroy "nl_table_t *tl"
.\" ---
.Ft int
-.Fn npf_update_rule "int fd" "char *rname" "nl_rule_t *rl"
+.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
.Ft int
.Fn npf_sessions_send "int fd" "const char *fpath"
.Ft int
@@ -109,6 +111,8 @@ to the kernel.
.It Fn npf_config_destroy "ncf"
Destroy the configuration
.Fa ncf .
+.It Fn npf_config_flush "fd"
+Flush the current configuration.
.El
.\" ---
.Ss Rule interface
@@ -247,10 +251,10 @@ Insert NAT policy, its rule, into the sp
.It Fn npf_table_create "index" "type"
Create NPF table of specified type.
The following types are supported:
-.Bl -tag -width "NPF_TABLE_RBTREE "
+.Bl -tag -width "NPF_TABLE_TREE "
.It Dv NPF_TABLE_HASH
Indicates to use hash table for storage.
-.It Dv NPF_TABLE_RBTREE
+.It Dv NPF_TABLE_TREE
Indicates to use red-black tree for storage.
Table is identified by
.Fa index ,
Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.5 src/lib/libnpf/npf.c:1.6
--- src/lib/libnpf/npf.c:1.5 Sat Nov 26 23:42:27 2011
+++ src/lib/libnpf/npf.c Sun Jan 15 00:49:47 2012
@@ -1,7 +1,7 @@
-/* $NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $ */
+/* $NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $ */
/*-
- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -56,6 +56,7 @@ struct nl_config {
pri_t ncf_nat_pri;
/* Custom file to externalise property-list. */
const char * ncf_plist;
+ bool ncf_flush;
};
struct nl_rule {
@@ -92,6 +93,7 @@ npf_config_create(void)
ncf->ncf_nat_pri = 1;
ncf->ncf_plist = NULL;
+ ncf->ncf_flush = false;
return ncf;
}
@@ -111,6 +113,7 @@ npf_config_submit(nl_config_t *ncf, int
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
+ prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
if (plist) {
if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
@@ -123,6 +126,22 @@ npf_config_submit(nl_config_t *ncf, int
return error;
}
+int
+npf_config_flush(int fd)
+{
+ nl_config_t *ncf;
+ int error;
+
+ ncf = npf_config_create();
+ if (ncf == NULL) {
+ return ENOMEM;
+ }
+ ncf->ncf_flush = true;
+ error = npf_config_submit(ncf, fd);
+ npf_config_destroy(ncf);
+ return error;
+}
+
void
npf_config_destroy(nl_config_t *ncf)
{
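Review bot: npf_config_flush() is added without a header comment, and what it does is not obvious from the name: it creates an empty configuration, sets ncf_flush and submits it, so the kernel receives an empty ruleset with "flush" set rather than a dedicated flush request. A comment above the function such as `/* npf_config_flush: submit an empty configuration with the "flush" flag set. */` would record that. The allocation failure path returns ENOMEM while every other path returns whatever npf_config_submit() returns, presumably also an errno-style value; the npf.3 entry added in this commit says nothing about the return value and could state the convention.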
@@ -510,7 +529,6 @@ npf_table_destroy(nl_table_t *tl)
*/
int
-/*ARGSUSED*/
npf_update_rule(int fd, const char *rname __unused, nl_rule_t *rl)
{
prop_dictionary_t rldict = rl->nrl_dict;
Index: src/lib/libnpf/npf.h
diff -u src/lib/libnpf/npf.h:1.4 src/lib/libnpf/npf.h:1.5
--- src/lib/libnpf/npf.h:1.4 Sat Nov 26 23:42:27 2011
+++ src/lib/libnpf/npf.h Sun Jan 15 00:49:47 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.4 2011/11/26 23:42:27 christos Exp $ */
+/* $NetBSD: npf.h,v 1.5 2012/01/15 00:49:47 rmind Exp $ */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -63,6 +63,7 @@ typedef struct nl_rule nl_nat_t;
nl_config_t * npf_config_create(void);
int npf_config_submit(nl_config_t *, int);
void npf_config_destroy(nl_config_t *);
+int npf_config_flush(int);
#ifdef _NPF_PRIVATE
void _npf_config_setsubmit(nl_config_t *, const char *);
#endif
Index: src/sys/net/npf/npf.c
diff -u src/sys/net/npf/npf.c:1.6 src/sys/net/npf/npf.c:1.7
--- src/sys/net/npf/npf.c:1.6 Sun Nov 6 13:08:04 2011
+++ src/sys/net/npf/npf.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $ */
+/* $NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -285,9 +285,6 @@ npf_reload(npf_ruleset_t *rset, npf_tabl
/* Unlock. Everything goes "live" now. */
rw_exit(&npf_lock);
- /* Turn on/off session tracking accordingly. */
- npf_session_tracking(true);
-
if (onc) {
/* Destroy unloaded structures. */
npf_core_destroy(onc);
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.11 src/sys/net/npf/npf.h:1.12
--- src/sys/net/npf/npf.h:1.11 Tue Nov 29 20:05:30 2011
+++ src/sys/net/npf/npf.h Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.11 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.12 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -248,7 +248,7 @@ void npf_hook_unregister(npf_rule_t *,
/* Table types. */
#define NPF_TABLE_HASH 1
-#define NPF_TABLE_RBTREE 2
+#define NPF_TABLE_TREE 2
/* Layers. */
#define NPF_LAYER_2 2
Index: src/sys/net/npf/npf_handler.c
diff -u src/sys/net/npf/npf_handler.c:1.11 src/sys/net/npf/npf_handler.c:1.12
--- src/sys/net/npf/npf_handler.c:1.11 Tue Nov 29 20:05:30 2011
+++ src/sys/net/npf/npf_handler.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -156,6 +156,7 @@ npf_packet_handler(void *arg, struct mbu
rlset = npf_core_ruleset();
rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
if (rl == NULL) {
+ npf_core_exit();
if (default_pass) {
npf_stats_inc(NPF_STAT_PASS_DEFAULT);
goto pass;
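Review bot: The lock contract of npf_ruleset_inspect() is now implicit. This hunk and the one in npf_nat_inspect() add `npf_core_exit();` on the NULL path, while the npf_ruleset.c hunk drops the "If not found, core ruleset lock is released" line without replacing it. Any caller of npf_ruleset_inspect() that is not touched by this commit and still relies on the old behaviour would now return with the core lock held; only these two call sites are visible here, so the others need checking. I would add a line to the header comment of npf_ruleset_inspect(), e.g. `* => Caller holds the core lock; it is not released here, even if no rule matches.` The body of npf_packet_handler continues outside the hunk, so the release on the matched path cannot be confirmed from here.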
Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.10 src/sys/net/npf/npf_ctl.c:1.11
--- src/sys/net/npf/npf_ctl.c:1.10 Tue Nov 29 20:05:30 2011
+++ src/sys/net/npf/npf_ctl.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -376,6 +376,7 @@ npfctl_reload(u_long cmd, void *data)
npf_ruleset_t *rlset = NULL;
npf_ruleset_t *nset = NULL;
prop_dictionary_t dict;
+ bool flush;
int error;
/* Retrieve the dictionary. */
@@ -413,12 +414,18 @@ npfctl_reload(u_long cmd, void *data)
goto fail;
}
+ flush = false;
+ prop_dictionary_get_bool(dict, "flush", &flush);
+
/*
* Finally - reload ruleset, tableset and NAT policies.
* Operation will be performed as a single transaction.
*/
npf_reload(rlset, tblset, nset);
+ /* Turn on/off session tracking accordingly. */
+ npf_session_tracking(!flush);
+
/* Done. Since data is consumed now, we shall not destroy it. */
tblset = NULL;
rlset = NULL;
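Review bot: The "flush" value read here comes from the dictionary passed in through the ioctl and is honoured whether or not the accompanying rulesets are empty, so a configuration that carries rules together with flush=true would go live via npf_reload() and then have session tracking switched off by `npf_session_tracking(!flush)`. If flush is meant to be valid only for the empty configuration that npf_config_flush() builds, that should be checked before npf_reload(), or at least stated in a comment such as `/* "flush" is optional; when set, the (expected empty) config goes live with session tracking off. */`. The return value of prop_dictionary_get_bool() is ignored, which is safe only because flush is pre-set to false on the line above; that is worth a short comment too. npfctl_reload starts and ends outside the hunk.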
Index: src/sys/net/npf/npf_instr.c
diff -u src/sys/net/npf/npf_instr.c:1.8 src/sys/net/npf/npf_instr.c:1.9
--- src/sys/net/npf/npf_instr.c:1.8 Tue Nov 29 20:05:30 2011
+++ src/sys/net/npf/npf_instr.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -50,9 +50,9 @@ __KERNEL_RCSID(0, "$NetBSD: npf_instr.c,
#define NPF_PORTRANGE_MATCH(r, p) (p >= (r >> 16) && p <= (r & 0xffff))
/*
- * npf_match_ether: find and check Ethernet and possible VLAN headers.
+ * npf_match_ether: find and check Ethernet with possible VLAN headers.
*
- * => Stores value in to advance to layer 3 header (usually, IPv4).
+ * => Stores value in the register for advancing to layer 3 header.
* => Returns zero on success or -1 on failure.
*/
int
@@ -127,11 +127,6 @@ npf_match_ipmask(npf_cache_t *npc, nbuf_
}
KASSERT(npf_iscached(npc, NPC_IP46));
}
-#if 1 /* XXX */
- if (mask == 0) {
- return 0;
- }
-#endif
addr = sd ? npc->npc_srcip : npc->npc_dstip;
if (mask != NPF_NO_NETMASK) {
npf_calculate_masked_addr(&cmpaddr, addr, mask);
Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.8 src/sys/net/npf/npf_nat.c:1.9
--- src/sys/net/npf/npf_nat.c:1.8 Sat Nov 19 22:51:25 2011
+++ src/sys/net/npf/npf_nat.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_nat.c,v 1.8 2011/11/19 22:51:25 tls Exp $ */
+/* $NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.8 2011/11/19 22:51:25 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -402,6 +402,7 @@ npf_nat_inspect(npf_cache_t *npc, nbuf_t
rlset = npf_core_natset();
rl = npf_ruleset_inspect(npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
if (rl == NULL) {
+ npf_core_exit();
return NULL;
}
np = npf_rule_getnat(rl);
Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.8 src/sys/net/npf/npf_ruleset.c:1.9
--- src/sys/net/npf/npf_ruleset.c:1.8 Thu Dec 8 23:36:57 2011
+++ src/sys/net/npf/npf_ruleset.c Sun Jan 15 00:49:49 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -458,8 +458,7 @@ npf_ruleset_replace(const char *name, np
* Loop through the rules in the set and run n-code processor of each rule
* against the packet (nbuf chain). If sub-ruleset is found, inspect it.
*
- * => If not found, core ruleset lock is released.
- * => Caller should protect the nbuf chain.
+ * => Caller is responsible for nbuf chain protection.
*/
npf_rule_t *
npf_ruleset_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_ruleset_t *mainrlset,
@@ -508,9 +507,6 @@ again:
final_rl = NULL;
goto again;
}
- if (final_rl == NULL) {
- npf_core_exit();
- }
return final_rl;
}
Index: src/sys/net/npf/npf_tableset.c
diff -u src/sys/net/npf/npf_tableset.c:1.8 src/sys/net/npf/npf_tableset.c:1.9
--- src/sys/net/npf/npf_tableset.c:1.8 Tue Nov 29 20:05:30 2011
+++ src/sys/net/npf/npf_tableset.c Sun Jan 15 00:49:49 2012
@@ -1,7 +1,7 @@
-/* $NetBSD: npf_tableset.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $ */
/*-
- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -208,7 +208,7 @@ npf_table_create(u_int tid, int type, si
t = kmem_zalloc(sizeof(npf_table_t), KM_SLEEP);
switch (type) {
- case NPF_TABLE_RBTREE:
+ case NPF_TABLE_TREE:
rb_tree_init(&t->t_rbtree, &table_rbtree_ops);
break;
case NPF_TABLE_HASH:
@@ -247,7 +247,7 @@ npf_table_destroy(npf_table_t *t)
}
hashdone(t->t_hashl, HASH_LIST, t->t_hashmask);
break;
- case NPF_TABLE_RBTREE:
+ case NPF_TABLE_TREE:
while ((e = rb_tree_iterate(&t->t_rbtree, NULL,
RB_DIR_LEFT)) != NULL) {
rb_tree_remove_node(&t->t_rbtree, e);
@@ -331,7 +331,7 @@ npf_table_check(npf_tableset_t *tset, u_
if (tset[tid] != NULL) {
return EEXIST;
}
- if (type != NPF_TABLE_RBTREE && type != NPF_TABLE_HASH) {
+ if (type != NPF_TABLE_TREE && type != NPF_TABLE_HASH) {
return EINVAL;
}
return 0;
@@ -384,7 +384,7 @@ npf_table_add_cidr(npf_tableset_t *tset,
error = EEXIST;
}
break;
- case NPF_TABLE_RBTREE:
+ case NPF_TABLE_TREE:
/* Insert entry. Returns false, if duplicate. */
if (rb_tree_insert_node(&t->t_rbtree, e) != e) {
error = EEXIST;
@@ -444,7 +444,7 @@ npf_table_rem_cidr(npf_tableset_t *tset,
error = ESRCH;
}
break;
- case NPF_TABLE_RBTREE:
+ case NPF_TABLE_TREE:
/* Key: (address & mask). */
npf_calculate_masked_addr(&val, addr, mask);
e = rb_tree_find_node(&t->t_rbtree, &val);
@@ -491,7 +491,7 @@ npf_table_match_addr(npf_tableset_t *tse
break;
}
break;
- case NPF_TABLE_RBTREE:
+ case NPF_TABLE_TREE:
e = rb_tree_find_node(&t->t_rbtree, addr);
KASSERT(e && npf_compare_cidr(addr, e->te_mask, &e->te_addr,
NPF_NO_NETMASK) == 0);
Index: src/sys/net/npf/npf_processor.c
diff -u src/sys/net/npf/npf_processor.c:1.7 src/sys/net/npf/npf_processor.c:1.8
--- src/sys/net/npf/npf_processor.c:1.7 Tue Nov 29 20:05:30 2011
+++ src/sys/net/npf/npf_processor.c Sun Jan 15 00:49:49 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_processor.c,v 1.7 2011/11/29 20:05:30 rmind Exp $ */
+/* $NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $ */
/*-
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -54,7 +54,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.7 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -283,13 +283,14 @@ cisc_like:
cmpval = npf_match_ether(nbuf, d, n, i, ®s[NPF_NREGS - 1]);
break;
case NPF_OPCODE_IP4MASK:
- /* Source/destination, network address, subnet mask. */
+ /* Source/destination, network address, subnet. */
i_ptr = nc_fetch_word(i_ptr, &d);
i_ptr = nc_fetch_double(i_ptr, &addr.s6_addr32[0], &n);
cmpval = npf_match_ipmask(npc, nbuf, n_ptr, d, &addr,
(npf_netmask_t)n);
break;
case NPF_OPCODE_IP6MASK:
+ /* Source/destination, network address, subnet. */
i_ptr = nc_fetch_word(i_ptr, &d);
i_ptr = nc_fetch_double(i_ptr,
&addr.s6_addr32[0], &addr.s6_addr32[1]);
@@ -455,7 +456,7 @@ jmp_check:
if (error) {
return error;
}
- if (/* XXX !val ||*/ (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
+ if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
return NPF_ERR_INVAL;
}
break;
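Review bot: With `!val ||` added here and in the following hunk (the second mask case, at -464/+465), this validator becomes the only thing keeping a zero mask away from npf_match_ipmask(), because the same commit removes the `if (mask == 0) return 0;` guard in npf_instr.c. I would keep a cheap assertion at the use site, `KASSERT(mask != 0);` ahead of the npf_calculate_masked_addr() call, so that n-code which reaches the processor without passing validation fails loudly in DIAGNOSTIC kernels. The condition is duplicated verbatim in both cases and would read more clearly as `val == 0 ||`. Both cases also share the NPF_MAX_NETMASK bound, which may be looser than intended if one of them is the IPv4 opcode. The enclosing switch starts and ends outside the hunk.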
@@ -464,7 +465,7 @@ jmp_check:
if (error) {
return error;
}
- if (/* XXX !val ||*/ (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
+ if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
return NPF_ERR_INVAL;
}
break;
Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.1 src/usr.sbin/npf/npfctl/npf_build.c:1.2
--- src/usr.sbin/npf/npfctl/npf_build.c:1.1 Sun Jan 8 21:34:21 2012
+++ src/usr.sbin/npf/npfctl/npf_build.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.1 2012/01/08 21:34:21 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.1 2012/01/08 21:34:21 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -79,21 +79,6 @@ npfctl_config_send(int fd)
return error;
}
-int
-npfctl_config_flush(int fd)
-{
- int ret;
-
- /* Pass empty configuration to flush. */
- npfctl_config_init(false);
- defgroup_set = true;
- ret = npfctl_config_send(fd);
- if (ret) {
- return ret;
- }
- return npf_sessions_send(fd, NULL);
-}
-
bool
npfctl_table_exists_p(const char *id)
{
Index: src/usr.sbin/npf/npfctl/npf_parse.y
diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.2 src/usr.sbin/npf/npfctl/npf_parse.y:1.3
--- src/usr.sbin/npf/npfctl/npf_parse.y:1.2 Thu Jan 12 20:41:33 2012
+++ src/usr.sbin/npf/npfctl/npf_parse.y Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_parse.y,v 1.2 2012/01/12 20:41:33 christos Exp $ */
+/* $NetBSD: npf_parse.y,v 1.3 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -240,7 +240,7 @@ table
table_type
: HASH { $$ = NPF_TABLE_HASH; }
- | TREE { $$ = NPF_TABLE_RBTREE; }
+ | TREE { $$ = NPF_TABLE_TREE; }
;
table_store
Index: src/usr.sbin/npf/npfctl/npf_var.c
diff -u src/usr.sbin/npf/npfctl/npf_var.c:1.2 src/usr.sbin/npf/npfctl/npf_var.c:1.3
--- src/usr.sbin/npf/npfctl/npf_var.c:1.2 Thu Jan 12 20:41:33 2012
+++ src/usr.sbin/npf/npfctl/npf_var.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_var.c,v 1.2 2012/01/12 20:41:33 christos Exp $ */
+/* $NetBSD: npf_var.c,v 1.3 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_var.c,v 1.2 2012/01/12 20:41:33 christos Exp $");
+__RCSID("$NetBSD: npf_var.c,v 1.3 2012/01/15 00:49:48 rmind Exp $");
#include <stdlib.h>
#include <string.h>
@@ -217,9 +217,10 @@ npfvar_get_data1(const npfvar_t *vp, int
el = el->e_next;
}
- if (vp->v_type == NPFVAR_VAR_ID)
- return npfvar_get_data1(npfvar_lookup(el->e_data), type, 0,
- level + 1);
+ if (vp->v_type == NPFVAR_VAR_ID) {
+ npfvar_t *rvp = npfvar_lookup(el->e_data);
+ return npfvar_get_data1(rvp, type, 0, level + 1);
+ }
return el->e_data;
}
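Review bot: `rvp` is only handed to npfvar_get_data1(), whose first parameter is `const npfvar_t *`, so the new local should be declared `const npfvar_t *rvp = npfvar_lookup(el->e_data);`. If npfvar_lookup() can return NULL for an undefined variable, the recursive call receives that NULL. The start of npfvar_get_data1 is outside the hunk, so whether it checks for NULL is not visible; if it does not, `if (rvp == NULL) return NULL;` belongs before the recursive call.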
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.8 src/usr.sbin/npf/npfctl/npfctl.c:1.9
--- src/usr.sbin/npf/npfctl/npfctl.c:1.8 Sun Jan 8 21:34:21 2012
+++ src/usr.sbin/npf/npfctl/npfctl.c Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.8 2012/01/08 21:34:21 rmind Exp $ */
+/* $NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.8 2012/01/08 21:34:21 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -239,7 +239,7 @@ npfctl(int action, int argc, char **argv
ret = npfctl_config_send(fd);
break;
case NPFCTL_FLUSH:
- ret = npfctl_config_flush(fd);
+ ret = npf_config_flush(fd);
break;
case NPFCTL_TABLE:
if (argc < 5) {
Index: src/usr.sbin/npf/npfctl/npfctl.h
diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.9 src/usr.sbin/npf/npfctl/npfctl.h:1.10
--- src/usr.sbin/npf/npfctl/npfctl.h:1.9 Tue Jan 10 23:39:32 2012
+++ src/usr.sbin/npf/npfctl/npfctl.h Sun Jan 15 00:49:48 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.h,v 1.9 2012/01/10 23:39:32 joerg Exp $ */
+/* $NetBSD: npfctl.h,v 1.10 2012/01/15 00:49:48 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -144,7 +144,6 @@ void npfctl_gennc_tcpfl(nc_ctx_t *, uin
void npfctl_config_init(bool);
int npfctl_config_send(int);
-int npfctl_config_flush(int);
void npfctl_build_rproc(const char *, npfvar_t *);
void npfctl_build_group(const char *, int, u_int);