Module Name:    src
Committed By:   rmind
Date:           Sun Dec 23 21:01:05 UTC 2012

Modified Files:
        src/lib/libnpf: npf.3 npf.c npf.h
        src/sys/net/npf: npf.h npf_ctl.c
        src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npfctl.c

Log Message:
- Add NPF version check in proplist as well, not only ioctl.  Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages.  Misc.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/lib/libnpf/npf.3
cvs rdiff -u -r1.14 -r1.15 src/lib/libnpf/npf.c
cvs rdiff -u -r1.11 -r1.12 src/lib/libnpf/npf.h
cvs rdiff -u -r1.23 -r1.24 src/sys/net/npf/npf.h
cvs rdiff -u -r1.19 -r1.20 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.25 -r1.26 src/usr.sbin/npf/npfctl/npf.conf.5 \
    src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/npf.3
diff -u src/lib/libnpf/npf.3:1.5 src/lib/libnpf/npf.3:1.6
--- src/lib/libnpf/npf.3:1.5	Sun Jul  1 23:21:07 2012
+++ src/lib/libnpf/npf.3	Sun Dec 23 21:01:05 2012
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npf.3,v 1.5 2012/07/01 23:21:07 rmind Exp $
+.\"	$NetBSD: npf.3,v 1.6 2012/12/23 21:01:05 rmind Exp $
 .\"
 .\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd July 1, 2012
+.Dd December 23, 2012
 .Dt NPF 3
 .Os
 .Sh NAME
@@ -77,20 +77,14 @@
 .Ft nl_table_t *
 .Fn npf_table_create "u_int id" "int type"
 .Ft int
-.Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
+.Fn npf_table_add_entry "nl_table_t *tl" "int "af" \
+"in_addr_t addr" "in_addr_t mask"
 .Ft bool
 .Fn npf_table_exists_p "nl_config_t *ncf" "u_int tid"
 .Ft int
 .Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl"
 .Ft void
 .Fn npf_table_destroy "nl_table_t *tl"
-.\" ---
-.Ft int
-.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
-.Ft int
-.Fn npf_sessions_send "int fd" "const char *fpath"
-.Ft int
-.Fn npf_sessions_recv "int fd" "const char *fpath"
 .\" -----
 .Sh DESCRIPTION
 The
@@ -261,13 +255,20 @@ Table is identified by
 which should be in the range between 1 and
 .Dv NPF_MAX_TABLE_ID .
 .El
-.It Fn npf_table_add_entry "tl" "addr" "mask"
-Add an entry of IPv4 address and mask, specified by
+.It Fn npf_table_add_entry "tl" "af" "addr" "mask"
+Add an entry of IP address and mask, specified by
 .Fa addr
 and
 .Fa mask ,
 to the table specified by
 .Fa tl .
+Family, specified by
+.Fa fa ,
+must be either
+.Dv AF_INET
+for IPv4 or
+.Dv AF_INET6
+for IPv6 address.
 .It Fn npf_table_exists_p "ncf" "name"
 Determine whether table with ID
 .Fa tid
@@ -285,19 +286,6 @@ Routine performs a check for duplicate t
 Destroy the specified table.
 .El
 .\" -----
-.Ss Session interface
-.Bl -tag -width 4n
-.It Fn npf_update_rule "fd" "rname" "rl"
-.It Fn npf_sessions_send "fd" "fpath"
-Read the file specified by
-.Fa fpath ,
-and send sessions saved in it to the kernel.
-.It Fn npf_sessions_recv "fd" "fpath"
-Receive currently loaded session from the kernel, and save them to a file
-specified by
-.Fa fpath .
-.El
-.\" -----
 .Sh SEE ALSO
 .Xr npfctl 8 ,
 .Xr npf_ncode 9

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.14 src/lib/libnpf/npf.c:1.15
--- src/lib/libnpf/npf.c:1.14	Sun Oct 28 16:27:20 2012
+++ src/lib/libnpf/npf.c	Sun Dec 23 21:01:05 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.14 2012/10/28 16:27:20 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.14 2012/10/28 16:27:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -121,14 +121,15 @@ npf_config_submit(nl_config_t *ncf, int 
 	if (npf_dict == NULL) {
 		return ENOMEM;
 	}
-	if (ncf->ncf_debug) {
-		prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
-	}
+	prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
 	prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
 	prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
 	prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
 	prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
 	prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
+	if (ncf->ncf_debug) {
+		prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
+	}
 
 	if (plist) {
 		if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
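Review bot: The result of `prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION)` is discarded, as with the neighbouring `prop_dictionary_set` calls. If that set fails, the dictionary is submitted without a version, and the kernel-side check added in this commit would report a version mismatch, which points the operator at the wrong cause. Consider `if (!prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION))` followed by an ENOMEM return; the cleanup of `npf_dict` on that path lies outside the hunk, so it needs to match what the rest of the function does.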
@@ -664,24 +665,36 @@ npf_table_create(u_int id, int type)
 }
 
 int
-npf_table_add_entry(nl_table_t *tl, const int alen,
-    const npf_addr_t *addr, const npf_netmask_t mask)
+npf_table_add_entry(nl_table_t *tl, int af, const npf_addr_t *addr,
+    const npf_netmask_t mask)
 {
 	prop_dictionary_t tldict = tl->ntl_dict, entdict;
 	prop_array_t tblents;
 	prop_data_t addrdata;
+	unsigned alen;
 
 	/* Create the table entry. */
 	entdict = prop_dictionary_create();
 	if (entdict == NULL) {
 		return ENOMEM;
 	}
+
+	switch (af) {
+	case AF_INET:
+		alen = sizeof(struct in_addr);
+		break;
+	case AF_INET6:
+		alen = sizeof(struct in6_addr);
+		break;
+	default:
+		return EINVAL;
+	}
+
 	addrdata = prop_data_create_data(addr, alen);
 	prop_dictionary_set(entdict, "addr", addrdata);
 	prop_dictionary_set_uint8(entdict, "mask", mask);
 	prop_object_release(addrdata);
 
-	/* Insert the entry. */
 	tblents = prop_dictionary_get(tldict, "entries");
 	prop_array_add(tblents, entdict);
 	prop_object_release(entdict);
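Review bot: The new `default:` branch returns `EINVAL` after `entdict` has already been created, so an unsupported `af` leaks the dictionary. Either run the `switch (af)` before `prop_dictionary_create()`, or put `prop_object_release(entdict);` ahead of `return EINVAL;`. In the context lines, the result of `prop_data_create_data(addr, alen)` is also used without a NULL check. The function's tail, including its final return, is outside the hunk.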

Index: src/lib/libnpf/npf.h
diff -u src/lib/libnpf/npf.h:1.11 src/lib/libnpf/npf.h:1.12
--- src/lib/libnpf/npf.h:1.11	Sun Sep 16 13:47:42 2012
+++ src/lib/libnpf/npf.h	Sun Dec 23 21:01:05 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.11 2012/09/16 13:47:42 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.12 2012/12/23 21:01:05 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -103,20 +103,20 @@ nl_nat_t *	npf_nat_create(int, u_int, u_
 int		npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
 
 nl_table_t *	npf_table_create(u_int, int);
-int		npf_table_add_entry(nl_table_t *, const int,
+int		npf_table_add_entry(nl_table_t *, int,
 		    const npf_addr_t *, const npf_netmask_t);
 bool		npf_table_exists_p(nl_config_t *, u_int);
 int		npf_table_insert(nl_config_t *, nl_table_t *);
 void		npf_table_destroy(nl_table_t *);
 
-int		npf_update_rule(int, const char *, nl_rule_t *);
-int		npf_sessions_send(int, const char *);
-int		npf_sessions_recv(int, const char *);
-
 #ifdef _NPF_PRIVATE
 
 #include <ifaddrs.h>
 
+int		npf_update_rule(int, const char *, nl_rule_t *);
+int		npf_sessions_send(int, const char *);
+int		npf_sessions_recv(int, const char *);
+
 void		_npf_config_error(nl_config_t *, nl_error_t *);
 void		_npf_config_setsubmit(nl_config_t *, const char *);
 int		_npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
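Review bot: The second parameter of `npf_table_add_entry` stays an `int` but now means an address family instead of an address length, and the unnamed prototype gives no hint of that. A caller still passing a length would compile unchanged and most likely be rejected only at run time by the new `switch (af)` in npf.c. A comment on the prototype such as `/* second argument: AF_INET or AF_INET6 */` would make the contract visible. Whether the library's version needs a bump for this interface change cannot be judged from the hunk.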

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.23 src/sys/net/npf/npf.h:1.24
--- src/sys/net/npf/npf.h:1.23	Mon Dec 10 01:11:13 2012
+++ src/sys/net/npf/npf.h	Sun Dec 23 21:01:03 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.23 2012/12/10 01:11:13 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.24 2012/12/23 21:01:03 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 
-#define	NPF_VERSION		7
+#define	NPF_VERSION		8
 
 /*
  * Public declarations and definitions.

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.19 src/sys/net/npf/npf_ctl.c:1.20
--- src/sys/net/npf/npf_ctl.c:1.19	Mon Oct 29 02:27:12 2012
+++ src/sys/net/npf/npf_ctl.c	Sun Dec 23 21:01:03 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.19 2012/10/29 02:27:12 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.20 2012/12/23 21:01:03 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.19 2012/10/29 02:27:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.20 2012/12/23 21:01:03 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -458,6 +458,7 @@ npfctl_reload(u_long cmd, void *data)
 	npf_tableset_t *tblset = NULL;
 	npf_ruleset_t *rlset = NULL;
 	npf_ruleset_t *nset = NULL;
+	uint32_t ver = 0;
 	bool flush;
 	int error;
 
@@ -470,8 +471,13 @@ npfctl_reload(u_long cmd, void *data)
 	npf_dict = (prop_dictionary_t)pref;
 #endif
 
-	/* Dictionary for error reporting. */
+	/* Dictionary for error reporting and version check. */
 	errdict = prop_dictionary_create();
+	prop_dictionary_get_uint32(npf_dict, "version", &ver);
+	if (ver != NPF_VERSION) {
+		error = EPROGMISMATCH;
+		goto fail;
+	}
 
 	/* NAT policies. */
 	nset = npf_ruleset_create();
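Review bot: The version check works for a missing or wrongly typed "version" key only because `ver` keeps its initial 0, since the result of `prop_dictionary_get_uint32()` is discarded. That holds as long as `NPF_VERSION` is never 0; testing the return value states the intent directly: `if (!prop_dictionary_get_uint32(npf_dict, "version", &ver) || ver != NPF_VERSION) {`. `errdict` is not checked for NULL before the `goto fail`, and the `fail` label is outside the hunk, so confirm that path tolerates a NULL `errdict` and the still-NULL `nset`, `rlset` and `tblset` declared in the previous hunk.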
@@ -720,6 +726,7 @@ npfctl_table(void *data)
 	case NPF_IOCTL_TBLENT_LOOKUP:
 		error = npf_table_lookup(tblset, nct->nct_tid,
 		    nct->nct_data.ent.alen, &nct->nct_data.ent.addr);
+		break;
 	case NPF_IOCTL_TBLENT_ADD:
 		error = npf_table_insert(tblset, nct->nct_tid,
 		    nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
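Review bot: The rest of this `switch` lies outside the hunk, so the remaining cases should be checked for the same missing `break`. Before this change a `NPF_IOCTL_TBLENT_LOOKUP` request ran on into `npf_table_insert()` with the caller-supplied entry and had its `error` overwritten, so a query could modify the table. A regression test that issues a lookup and then verifies the table is unchanged would pin the fix.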

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.25 src/usr.sbin/npf/npfctl/npf.conf.5:1.26
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.25	Thu Dec  6 22:36:51 2012
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Dec 23 21:01:04 2012
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.25 2012/12/06 22:36:51 rmind Exp $
+.\"    $NetBSD: npf.conf.5,v 1.26 2012/12/23 21:01:04 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 6, 2012
+.Dd December 23, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -98,9 +98,11 @@ The file should contain a list of IP add
 Tables of type "hash" can only contain IP addresses.
 .Ss Interfaces
 Interfaces can be specified as the values of the variables:
+.Pp
 .Bd -literal
 $pub_if_list = { ifnet(wm0), ifnet(wm1) }
 .Ed
+.Pp
 In the context of filtering, an interface provides a list of its
 all IP addresses, including IPv4 and IPv6.
 Specific interface addresses can be selected by the family, e.g.:
@@ -285,6 +287,7 @@ map $ext_if dynamic 10.1.1.2 port 22 <- 
 
 procedure "log" {
 	# Note: npf_ext_log kernel module should be loaded, if not built-in.
+	# Also, the interface created, e.g.: ifconfig npflog0 create
 	log: npflog0
 }
 
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.25 src/usr.sbin/npf/npfctl/npfctl.c:1.26
--- src/usr.sbin/npf/npfctl/npfctl.c:1.25	Mon Dec 10 02:26:04 2012
+++ src/usr.sbin/npf/npfctl/npfctl.c	Sun Dec 23 21:01:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.25 2012/12/10 02:26:04 rmind Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.26 2012/12/23 21:01:04 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.25 2012/12/10 02:26:04 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.26 2012/12/23 21:01:04 rmind Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -294,7 +294,7 @@ again:
 			errx(EXIT_FAILURE, "invalid CIDR '%s'", arg);
 		}
 		nct.nct_data.ent.alen = alen;
-		memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, sizeof(npf_addr_t));
+		memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, alen);
 		nct.nct_data.ent.mask = fam.fam_mask;
 	}
 
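Review bot: With the copy shortened to `alen` bytes, the remainder of `nct.nct_data.ent.addr` is no longer overwritten for IPv4 entries. Unless `nct` is zeroed earlier in the function (not visible in this hunk), those trailing bytes are uninitialised stack data handed to the kernel through the ioctl; a `memset(&nct, 0, sizeof(nct));` before the structure is filled would rule that out. The copy also assumes `alen` never exceeds `sizeof(npf_addr_t)`, and the code that sets `alen` is outside the hunk.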

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.16 src/usr.sbin/npf/npfctl/npf_build.c:1.17
--- src/usr.sbin/npf/npfctl/npf_build.c:1.16	Mon Dec 10 02:26:04 2012
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sun Dec 23 21:01:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.16 2012/12/10 02:26:04 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.17 2012/12/23 21:01:04 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.16 2012/12/10 02:26:04 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.17 2012/12/23 21:01:04 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -617,7 +617,8 @@ npfctl_fill_table(nl_table_t *tl, u_int 
 		}
 
 		/* Create and add a table entry. */
-		npf_table_add_entry(tl, alen, &fam.fam_addr, fam.fam_mask);
+		npf_table_add_entry(tl, fam.fam_family,
+		    &fam.fam_addr, fam.fam_mask);
 	}
 	if (buf != NULL) {
 		free(buf);
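Review bot: The return value of `npf_table_add_entry()` is discarded here, although after this commit it can fail with `EINVAL` for an unsupported family as well as with `ENOMEM`. A dropped entry means the loaded table silently differs from the table file, which for a filter table is a policy gap. Suggest `if (npf_table_add_entry(tl, fam.fam_family, &fam.fam_addr, fam.fam_mask) != 0)` followed by a fatal error that names the offending entry, in whatever error-reporting style this file already uses. The enclosing loop and the start of `npfctl_fill_table` are outside the hunk.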
