Module Name: src Committed By: riz Date: Mon Feb 18 18:26:15 UTC 2013
Modified Files: src/lib/libnpf [netbsd-6]: npf.c npf.h src/sys/net/npf [netbsd-6]: npf_ctl.c npf_impl.h npf_ruleset.c src/usr.sbin/npf/npfctl [netbsd-6]: npf_build.c npf_disassemble.c npfctl.8 npfctl.c npfctl.h src/usr.sbin/npf/npftest/libnpftest [netbsd-6]: npf_rule_test.c Log Message: Pull up following revision(s) (requested by rmind in ticket #829): usr.sbin/npf/npfctl/npfctl.8: revision 1.13 usr.sbin/npf/npfctl/npf_build.c: revision 1.21 lib/libnpf/npf.c: revision 1.18 sys/net/npf/npf_ctl.c: revision 1.23 usr.sbin/npf/npfctl/npfctl.h: revision 1.27 lib/libnpf/npf.h: revision 1.15 sys/net/npf/npf_ruleset.c: revision 1.19 sys/net/npf/npf_impl.h: revision 1.28 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.c: revision 1.31 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.6 - Convert NPF dynamic rule ID to just incremented 64-bit counter. - Fix multiple bugs. Also, update the man page. To generate a diff of this commit: cvs rdiff -u -r1.7.2.9 -r1.7.2.10 src/lib/libnpf/npf.c cvs rdiff -u -r1.6.2.7 -r1.6.2.8 src/lib/libnpf/npf.h cvs rdiff -u -r1.12.2.8 -r1.12.2.9 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.10.2.13 -r1.10.2.14 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.10.2.6 -r1.10.2.7 src/sys/net/npf/npf_ruleset.c cvs rdiff -u -r1.4.2.11 -r1.4.2.12 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.3.2.11 -r1.3.2.12 src/usr.sbin/npf/npfctl/npf_disassemble.c cvs rdiff -u -r1.6.6.5 -r1.6.6.6 src/usr.sbin/npf/npfctl/npfctl.8 cvs rdiff -u -r1.10.2.14 -r1.10.2.15 src/usr.sbin/npf/npfctl/npfctl.c cvs rdiff -u -r1.11.2.12 -r1.11.2.13 src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.1.2.5 -r1.1.2.6 \ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.7.2.9 src/lib/libnpf/npf.c:1.7.2.10
--- src/lib/libnpf/npf.c:1.7.2.9 Mon Feb 11 21:49:48 2013
+++ src/lib/libnpf/npf.c Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7.2.9 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.10 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.9 2013/02/11 21:49:48 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.10 2013/02/18 18:26:14 riz Exp $");
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -263,25 +263,23 @@ _npf_prop_array_lookup(prop_array_t arra
 */
 int
-npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uintptr_t *id)
+npf_ruleset_add(int fd, const char *rname, nl_rule_t *rl, uint64_t *id)
 {
 prop_dictionary_t rldict = rl->nrl_dict;
 prop_dictionary_t ret;
- uint64_t id64;
 int error;
 prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
 prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_ADD);
 error = prop_dictionary_sendrecv_ioctl(rldict, fd, IOC_NPF_RULE, &ret);
 if (!error) {
- prop_dictionary_get_uint64(ret, "id", &id64);
- *id = (uintptr_t)id64;
+ prop_dictionary_get_uint64(ret, "id", id);
 }
 return error;
 }
 int
-npf_ruleset_remove(int fd, const char *rname, uintptr_t id)
+npf_ruleset_remove(int fd, const char *rname, uint64_t id)
 {
 prop_dictionary_t rldict;
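Review bot: The result of `prop_dictionary_get_uint64(ret, "id", id)` in npf_ruleset_add() is ignored, so a reply that lacks an "id" key leaves `*id` unwritten while the function still returns 0; npfctl declares `uint64_t rule_id;` without an initialiser and would then print an indeterminate value after "OK". The reply dictionary `ret` is also never released in the visible body. Consider `if (!prop_dictionary_get_uint64(ret, "id", id)) error = EINVAL;` followed by `prop_object_release(ret);` inside the `if (!error)` block. The kernel-side `prop_dictionary_set_uint64(retdict, "id", id)` in the npf_ctl.c hunk is unchecked in the same way, and `retdict` is used there without a visible NULL check after `prop_dictionary_create()`. npf_ruleset_remove's body continues outside this hunk.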
@@ -291,8 +289,7 @@ npf_ruleset_remove(int fd, const char *r
 }
 prop_dictionary_set_cstring(rldict, "ruleset-name", rname);
 prop_dictionary_set_uint32(rldict, "command", NPF_CMD_RULE_REMOVE);
- __CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
- prop_dictionary_set_uint64(rldict, "id", (uint64_t)id);
+ prop_dictionary_set_uint64(rldict, "id", id);
 return prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_RULE);
 }
Index: src/lib/libnpf/npf.h
diff -u src/lib/libnpf/npf.h:1.6.2.7 src/lib/libnpf/npf.h:1.6.2.8
--- src/lib/libnpf/npf.h:1.6.2.7 Mon Feb 11 21:49:48 2013
+++ src/lib/libnpf/npf.h Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.6.2.7 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npf.h,v 1.6.2.8 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -79,8 +79,8 @@ void npf_config_destroy(nl_config_t *);
 nl_config_t * npf_config_retrieve(int, bool *, bool *);
 int npf_config_flush(int);
-int npf_ruleset_add(int, const char *, nl_rule_t *, uintptr_t *);
-int npf_ruleset_remove(int, const char *, uintptr_t);
+int npf_ruleset_add(int, const char *, nl_rule_t *, uint64_t *);
+int npf_ruleset_remove(int, const char *, uint64_t);
 int npf_ruleset_remkey(int, const char *, const void *, size_t);
 int npf_ruleset_flush(int, const char *);
Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.12.2.8 src/sys/net/npf/npf_ctl.c:1.12.2.9
--- src/sys/net/npf/npf_ctl.c:1.12.2.8 Mon Feb 11 21:49:48 2013
+++ src/sys/net/npf/npf_ctl.c Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.12.2.8 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.12.2.9 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.8 2013/02/11 21:49:48 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.9 2013/02/18 18:26:14 riz Exp $");
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -558,8 +558,6 @@ npfctl_rule(u_long cmd, void *data)
 return EINVAL;
 }
 retdict = prop_dictionary_create();
- prop_dictionary_set_uint64(retdict, "id",
- (uint64_t)(uintptr_t)rl);
 }
 npf_config_enter();
@@ -569,19 +567,20 @@ npfctl_rule(u_long cmd, void *data)
 case NPF_CMD_RULE_ADD: {
 if ((error = npf_ruleset_add(rlset, ruleset_name, rl)) == 0) {
 /* Success. */
+ uint64_t id = npf_rule_getid(rl);
+ prop_dictionary_set_uint64(retdict, "id", id);
 rl = NULL;
 }
 break;
 }
 case NPF_CMD_RULE_REMOVE: {
- uint64_t id64;
+ uint64_t id;
- CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
- if (!prop_dictionary_get_uint64(npf_rule, "id", &id64)) {
+ if (!prop_dictionary_get_uint64(npf_rule, "id", &id)) {
 error = EINVAL;
 break;
 }
- error = npf_ruleset_remove(rlset, ruleset_name, (uintptr_t)id64);
+ error = npf_ruleset_remove(rlset, ruleset_name, id);
 break;
 }
 case NPF_CMD_RULE_REMKEY: {
Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.10.2.13 src/sys/net/npf/npf_impl.h:1.10.2.14
--- src/sys/net/npf/npf_impl.h:1.10.2.13 Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_impl.h Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.10.2.13 2013/02/11 21:49:49 riz Exp $ */
+/* $NetBSD: npf_impl.h,v 1.10.2.14 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -232,7 +232,7 @@ npf_rule_t * npf_ruleset_sharepm(npf_rul
 void npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
 int npf_ruleset_add(npf_ruleset_t *, const char *, npf_rule_t *);
-int npf_ruleset_remove(npf_ruleset_t *, const char *, uintptr_t);
+int npf_ruleset_remove(npf_ruleset_t *, const char *, uint64_t);
 int npf_ruleset_remkey(npf_ruleset_t *, const char *, const void *, size_t);
 prop_dictionary_t npf_ruleset_list(npf_ruleset_t *, const char *);
@@ -248,6 +248,7 @@ npf_rule_t * npf_rule_alloc(prop_diction
 void npf_rule_setcode(npf_rule_t *, int, void *, size_t);
 void npf_rule_setrproc(npf_rule_t *, npf_rproc_t *);
 void npf_rule_free(npf_rule_t *);
+uint64_t npf_rule_getid(const npf_rule_t *);
 npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
 void npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
 npf_rproc_t * npf_rule_getrproc(npf_rule_t *);
Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.10.2.6 src/sys/net/npf/npf_ruleset.c:1.10.2.7
--- src/sys/net/npf/npf_ruleset.c:1.10.2.6 Mon Feb 11 21:49:48 2013
+++ src/sys/net/npf/npf_ruleset.c Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.10.2.6 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.10.2.7 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.10.2.6 2013/02/11 21:49:48 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.10.2.7 2013/02/18 18:26:14 riz Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
@@ -61,6 +61,9 @@ struct npf_ruleset {
 LIST_HEAD(, npf_rule) rs_dynamic;
 LIST_HEAD(, npf_rule) rs_gc;
+ /* Unique ID counter. */
+ uint64_t rs_idcnt;
+
 /* Number of array slots and active rules. */
 u_int rs_slots;
 u_int rs_nitems;
@@ -100,7 +103,8 @@ struct npf_rule {
 npf_rule_t * r_parent;
 } /* C11 */;
- /* Dictionary. */
+ /* Rule ID and the original dictionary. */
+ uint64_t r_id;
 prop_dictionary_t r_dict;
 /* Rule name and all-list entry. */
@@ -114,6 +118,9 @@ struct npf_rule {
 #define NPF_DYNAMIC_GROUP_P(attr) \
 (((attr) & NPF_DYNAMIC_GROUP) == NPF_DYNAMIC_GROUP)
+#define NPF_DYNAMIC_RULE_P(attr) \
+ (((attr) & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC)
+
 npf_ruleset_t *
 npf_ruleset_create(size_t slots)
 {
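Review bot: The comment on `rs_idcnt` and the bare `NPF_DYNAMIC_RULE_P` definition leave out the invariants the rest of the change relies on. For the counter, something like `/* Unique ID counter: pre-incremented on each dynamic rule add, so 0 is never issued; modified only with the config lock held. */` would help, assuming the lock taken by `npf_config_enter()` in npfctl_rule() is what serialises it. For the macro, a one-line comment such as `/* True for a rule inside a dynamic group, false for the dynamic group itself. */` would explain why it masks with `NPF_DYNAMIC_GROUP` but compares against `NPF_RULE_DYNAMIC`; that reading is inferred from the two macros side by side and should be confirmed against the flag definitions.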
@@ -121,9 +128,11 @@ npf_ruleset_create(size_t slots)
 npf_ruleset_t *rlset;
 rlset = kmem_zalloc(len, KM_SLEEP);
- rlset->rs_slots = slots;
 LIST_INIT(&rlset->rs_dynamic);
 LIST_INIT(&rlset->rs_all);
+ LIST_INIT(&rlset->rs_gc);
+ rlset->rs_slots = slots;
+
 return rlset;
 }
@@ -133,7 +142,7 @@ npf_ruleset_unlink(npf_ruleset_t *rlset,
 if (NPF_DYNAMIC_GROUP_P(rl->r_attr)) {
 LIST_REMOVE(rl, r_dentry);
 }
- if ((rl->r_attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) {
+ if (NPF_DYNAMIC_RULE_P(rl->r_attr)) {
 npf_rule_t *rg = rl->r_parent;
 TAILQ_REMOVE(&rg->r_subset, rl, r_entry);
 }
@@ -201,11 +210,14 @@ npf_ruleset_add(npf_ruleset_t *rlset, co
 rg = npf_ruleset_lookup(rlset, rname);
 if (rg == NULL) {
- return ENOENT;
+ return ESRCH;
+ }
+ if (!NPF_DYNAMIC_RULE_P(rl->r_attr)) {
+ return EINVAL;
 }
- /* Dynamic rule. */
- rl->r_attr |= NPF_RULE_DYNAMIC;
+ /* Dynamic rule - assign a unique ID and save the parent. */
+ rl->r_id = ++rlset->rs_idcnt;
 rl->r_parent = rg;
 /*
@@ -248,22 +260,22 @@ npf_ruleset_add(npf_ruleset_t *rlset, co
 }
 int
-npf_ruleset_remove(npf_ruleset_t *rlset, const char *rname, uintptr_t id)
+npf_ruleset_remove(npf_ruleset_t *rlset, const char *rname, uint64_t id)
 {
 npf_rule_t *rg, *rl;
 if ((rg = npf_ruleset_lookup(rlset, rname)) == NULL) {
- return ENOENT;
+ return ESRCH;
 }
 TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
 /* Compare ID. On match, remove and return. */
- if ((uintptr_t)rl == id) {
+ if (rl->r_id == id) {
 npf_ruleset_unlink(rlset, rl);
 LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
- break;
+ return 0;
 }
 }
- return 0;
+ return ENOENT;
 }
 int
@@ -275,7 +287,7 @@ npf_ruleset_remkey(npf_ruleset_t *rlset,
 KASSERT(len && len <= NPF_RULE_MAXKEYLEN);
 if ((rg = npf_ruleset_lookup(rlset, rname)) == NULL) {
- return ENOENT;
+ return ESRCH;
 }
 /* Find the last in the list. */
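Review bot: The error contract of npf_ruleset_add(), npf_ruleset_remove(), npf_ruleset_remkey() and npf_ruleset_flush() changes here (a missing ruleset is now ESRCH, a missing rule ENOENT, a non-dynamic rule EINVAL), but none of the visible hunks documents it, and the values travel through the ioctl to libnpf callers. A short comment above each function would make the contract reviewable, for example `/* Returns ESRCH if the ruleset is not found, ENOENT if no rule carries the given ID. */` on npf_ruleset_remove(). npf_ruleset_add() also no longer sets `NPF_RULE_DYNAMIC` itself and rejects rules without it, which is worth stating in the same comment since existing callers may have relied on the old behaviour. The bodies of npf_ruleset_add() and npf_ruleset_remkey() extend beyond these hunks.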
@@ -284,10 +296,10 @@ npf_ruleset_remkey(npf_ruleset_t *rlset,
 if (memcmp(rl->r_key, key, len) == 0) {
 npf_ruleset_unlink(rlset, rl);
 LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
- break;
+ return 0;
 }
 }
- return 0;
+ return ENOENT;
 }
 prop_dictionary_t
@@ -311,9 +323,11 @@ npf_ruleset_list(npf_ruleset_t *rlset, c
 TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
 if (rl->r_dict && !prop_array_add(rules, rl->r_dict)) {
 prop_object_release(rldict);
+ prop_object_release(rules);
 return NULL;
 }
 }
+
 if (!prop_dictionary_set(rldict, "rules", rules)) {
 prop_object_release(rldict);
 rldict = NULL;
@@ -328,7 +342,7 @@ npf_ruleset_flush(npf_ruleset_t *rlset,
 npf_rule_t *rg, *rl;
 if ((rg = npf_ruleset_lookup(rlset, rname)) == NULL) {
- return ENOENT;
+ return ESRCH;
 }
 while ((rl = TAILQ_FIRST(&rg->r_subset)) != NULL) {
 npf_ruleset_unlink(rlset, rl);
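Review bot: In npf_ruleset_list() the loop's error path now releases `rules`, but the `prop_dictionary_set(rldict, "rules", rules)` branch that follows shows no matching release. proplib's set operation takes its own reference, so the local reference needs a `prop_object_release(rules);` after the call whether it succeeds or fails, otherwise the array leaks kernel memory on every list request. The function continues past the end of this hunk, so the release may already be there; it is worth confirming while this path is being touched.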
@@ -356,29 +370,34 @@ npf_ruleset_gc(npf_ruleset_t *rlset)
 void
 npf_ruleset_reload(npf_ruleset_t *rlset, npf_ruleset_t *arlset)
 {
- npf_rule_t *rl;
+ npf_rule_t *rg;
 KASSERT(npf_config_locked_p());
- LIST_FOREACH(rl, &rlset->rs_dynamic, r_dentry) {
- npf_rule_t *arl, *it;
+ LIST_FOREACH(rg, &rlset->rs_dynamic, r_dentry) {
+ npf_rule_t *arg, *rl;
- if ((arl = npf_ruleset_lookup(arlset, rl->r_name)) == NULL) {
+ if ((arg = npf_ruleset_lookup(arlset, rg->r_name)) == NULL) {
 continue;
 }
 /*
 * Copy the list-head structure and move the rules from the
 * old ruleset to the new by reinserting to a new all-rules
- * list. Note that the rules are still active and therefore
- * accessible for inspection via the old ruleset.
+ * list and resetting the parent rule. Note that the rules
+ * are still active and therefore accessible for inspection
+ * via the old ruleset.
 */
- memcpy(&rl->r_subset, &arl->r_subset, sizeof(rl->r_subset));
- TAILQ_FOREACH(it, &rl->r_subset, r_entry) {
+ memcpy(&rg->r_subset, &arg->r_subset, sizeof(rg->r_subset));
+ TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
 LIST_REMOVE(rl, r_aentry);
 LIST_INSERT_HEAD(&rlset->rs_all, rl, r_aentry);
+ rl->r_parent = rg;
 }
 }
+
+ /* Inherit the ID counter. */
+ rlset->rs_idcnt = arlset->rs_idcnt;
 }
 /*
@@ -506,7 +525,7 @@ npf_rule_alloc(prop_dictionary_t rldict)
 memcpy(rl->r_key, key, len);
 }
- if (NPF_DYNAMIC_RULE_P(rl->r_attr)) {
+ if (NPF_DYNAMIC_RULE_P(rl->r_attr)) {
 rl->r_dict = prop_dictionary_copy(rldict);
 }
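Review bot: Copying a TAILQ head with `memcpy(&rg->r_subset, &arg->r_subset, ...)` in npf_ruleset_reload() leaves back-pointers aimed at the old group `arg`: for an empty list the copied `tqh_last` still points at `arg`'s head, and for a non-empty list the first rule's `tqe_prev` does. A later tail insert into an inherited empty group, or removal of the first inherited rule, would then write into `arg` rather than `rg`, and once the old ruleset is destroyed that is a write to freed kernel memory. Nothing in the visible function repairs the head after the copy. A fix-up directly after the memcpy keeps forward traversal through the old head intact, which the comment says is still needed; it should be checked against how the old ruleset is read until it is destroyed.

```c
memcpy(&rg->r_subset, &arg->r_subset, sizeof(rg->r_subset));
if (TAILQ_EMPTY(&rg->r_subset)) {
	/* An empty head must refer to itself, not to arg's head. */
	TAILQ_INIT(&rg->r_subset);
} else {
	/* Re-point the first rule's back-link at the new head. */
	TAILQ_FIRST(&rg->r_subset)->r_entry.tqe_prev =
	    &rg->r_subset.tqh_first;
}
/* ... unchanged: TAILQ_FOREACH re-linking each rule and setting r_parent ... */
```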
@@ -565,10 +584,18 @@ npf_rule_free(npf_rule_t *rl)
 }
 /*
+ * npf_rule_getid: return the unique ID of a rule.
 * npf_rule_getrproc: acquire a reference and return rule procedure, if any.
 * npf_rule_getnat: get NAT policy assigned to the rule.
 */
+uint64_t
+npf_rule_getid(const npf_rule_t *rl)
+{
+ KASSERT(NPF_DYNAMIC_RULE_P(rl->r_attr));
+ return rl->r_id;
+}
+
 npf_rproc_t *
 npf_rule_getrproc(npf_rule_t *rl)
 {
Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.4.2.11 src/usr.sbin/npf/npfctl/npf_build.c:1.4.2.12
--- src/usr.sbin/npf/npfctl/npf_build.c:1.4.2.11 Mon Feb 11 21:49:48 2013
+++ src/usr.sbin/npf/npfctl/npf_build.c Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.4.2.11 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npf_build.c,v 1.4.2.12 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.4.2.11 2013/02/11 21:49:48 riz Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.4.2.12 2013/02/18 18:26:14 riz Exp $");
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -501,12 +501,13 @@ npfctl_build_group_end(void)
 * if any, and insert into the ruleset of current group, or set the rule.
 */
 void
-npfctl_build_rule(int attr, u_int if_idx, sa_family_t family,
+npfctl_build_rule(uint32_t attr, u_int if_idx, sa_family_t family,
 const opt_proto_t *op, const filt_opts_t *fopts, const char *rproc)
 {
 nl_rule_t *rl;
 attr |= (npf_conf ? 0 : NPF_RULE_DYNAMIC);
+
 rl = npf_rule_create(NULL, attr, if_idx);
 npfctl_build_ncode(rl, family, op, fopts, false);
 if (rproc) {
Index: src/usr.sbin/npf/npfctl/npf_disassemble.c
diff -u src/usr.sbin/npf/npfctl/npf_disassemble.c:1.3.2.11 src/usr.sbin/npf/npfctl/npf_disassemble.c:1.3.2.12
--- src/usr.sbin/npf/npfctl/npf_disassemble.c:1.3.2.11 Mon Feb 11 21:49:48 2013
+++ src/usr.sbin/npf/npfctl/npf_disassemble.c Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_disassemble.c,v 1.3.2.11 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npf_disassemble.c,v 1.3.2.12 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 * FIXME: config generation should be redesigned..
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_disassemble.c,v 1.3.2.11 2013/02/11 21:49:48 riz Exp $");
+__RCSID("$NetBSD: npf_disassemble.c,v 1.3.2.12 2013/02/18 18:26:14 riz Exp $");
 #include <stdio.h>
 #include <stdlib.h>
@@ -611,6 +611,9 @@ npfctl_show_rule(nl_rule_t *nrl, unsigne
 if (ifname) {
 printf(", interface %s", ifname);
 }
+ if (rg.rg_attr & NPF_RULE_DYNAMIC) {
+ printf(", dynamic");
+ }
 puts(") {");
 return;
 }
Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.6.6.5 src/usr.sbin/npf/npfctl/npfctl.8:1.6.6.6
--- src/usr.sbin/npf/npfctl/npfctl.8:1.6.6.5 Mon Feb 11 21:49:47 2013
+++ src/usr.sbin/npf/npfctl/npfctl.8 Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-.\" $NetBSD: npfctl.8,v 1.6.6.5 2013/02/11 21:49:47 riz Exp $
+.\" $NetBSD: npfctl.8,v 1.6.6.6 2013/02/18 18:26:14 riz Exp $
 .\"
 .\" Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 11, 2013
+.Dd February 16, 2013
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -93,6 +93,7 @@ On success, returns a unique identifier
 the rule with
 .Ic rem-id
 command.
+The identifier is alphanumeric string.
 .It Ic rule Ar name Ic rem Aq rule-syntax
 Remove a rule from a dynamic ruleset specified by
 .Ar name .
@@ -106,6 +107,12 @@ Remove a rule specified by unique
 .Ar id
 from a dynamic ruleset specified by
 .Ar name .
+.It Ic rule Ar name Ic list
+List all rules in the dynamic ruleset specified by
+.Ar name .
+.It Ic rule Ar name Ic flush
+Remove all rules from the dynamic ruleset specified by
+.Ar name .
 .\" ---
 .It Ic table Ar tid Ic add Aq Ar addr/mask
 In table
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.10.2.14 src/usr.sbin/npf/npfctl/npfctl.c:1.10.2.15
--- src/usr.sbin/npf/npfctl/npfctl.c:1.10.2.14 Mon Feb 11 21:49:48 2013
+++ src/usr.sbin/npf/npfctl/npfctl.c Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.10.2.14 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npfctl.c,v 1.10.2.15 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.10.2.14 2013/02/11 21:49:48 riz Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.10.2.15 2013/02/18 18:26:14 riz Exp $");
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -124,6 +124,9 @@ usage(void)
 "\t%s rule \"rule-name\" rem-id <rule-id>\n",
 progname);
 fprintf(stderr,
+ "\t%s rule \"rule-name\" { list | flush }\n",
+ progname);
+ fprintf(stderr,
 "\t%s table <tid> { add | rem | test } <address/mask>\n",
 progname);
 fprintf(stderr,
@@ -411,7 +414,7 @@ npfctl_rule(int fd, int argc, char **arg
 const char *ruleset_name = argv[0];
 const char *cmd = argv[1];
 int error, action = 0;
- uintptr_t rule_id;
+ uint64_t rule_id;
 nl_rule_t *rl;
 for (int n = 0; ruleops[n].cmd != NULL; n++) {
@@ -441,7 +444,7 @@ npfctl_rule(int fd, int argc, char **arg
 error = npf_ruleset_remkey(fd, ruleset_name, key, sizeof(key));
 break;
 case NPF_CMD_RULE_REMOVE:
- rule_id = (uintptr_t)strtoull(argv[0], NULL, 16);
+ rule_id = strtoull(argv[0], NULL, 16);
 error = npf_ruleset_remove(fd, ruleset_name, rule_id);
 break;
 case NPF_CMD_RULE_LIST:
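Review bot: The `rem-id` argument is parsed with `strtoull(argv[0], NULL, 16)` and no validation, so a mistyped or empty ID silently becomes 0 (or a truncated prefix of what was typed) and the request goes to the kernel with a different ID than the operator intended. On a firewall control tool that can mean removing the wrong rule when a prefix happens to match an existing ID. Passing an end pointer and checking `errno` rejects such input before the ioctl; `ep` below is a new `char *` local and `errno` needs `<errno.h>` if the file does not already include it. The surrounding switch in npfctl_rule() starts and ends outside this hunk.

```c
errno = 0;
rule_id = strtoull(argv[0], &ep, 16);
if (ep == argv[0] || *ep != '\0' || errno == ERANGE) {
	errx(EXIT_FAILURE, "invalid rule ID: %s", argv[0]);
}
/* ... unchanged: npf_ruleset_remove() call and break ... */
```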
@@ -458,15 +461,15 @@ npfctl_rule(int fd, int argc, char **arg
 case 0:
 /* Success. */
 break;
+ case ESRCH:
+ errx(EXIT_FAILURE, "ruleset \"%s\" not found", ruleset_name);
 case ENOENT:
- errx(EXIT_FAILURE, "ruleset \"%s\" or the specified rule in "
- "it not found", ruleset_name);
- break;
+ errx(EXIT_FAILURE, "rule was not found");
 default:
 errx(EXIT_FAILURE, "rule operation: %s", strerror(error));
 }
 if (action == NPF_CMD_RULE_ADD) {
- printf("OK %" PRIXPTR "\n", rule_id);
+ printf("OK %" PRIx64 "\n", rule_id);
 }
 exit(EXIT_SUCCESS);
 }
Index: src/usr.sbin/npf/npfctl/npfctl.h
diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.11.2.12 src/usr.sbin/npf/npfctl/npfctl.h:1.11.2.13
--- src/usr.sbin/npf/npfctl/npfctl.h:1.11.2.12 Mon Feb 11 21:49:48 2013
+++ src/usr.sbin/npf/npfctl/npfctl.h Mon Feb 18 18:26:14 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.h,v 1.11.2.12 2013/02/11 21:49:48 riz Exp $ */
+/* $NetBSD: npfctl.h,v 1.11.2.13 2013/02/18 18:26:14 riz Exp $ */
 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -196,7 +196,7 @@ unsigned long npfctl_debug_addif(const c
 void npfctl_build_rproc(const char *, npfvar_t *);
 void npfctl_build_group(const char *, int, u_int, bool);
 void npfctl_build_group_end(void);
-void npfctl_build_rule(int, u_int, sa_family_t,
+void npfctl_build_rule(uint32_t, u_int, sa_family_t,
 const opt_proto_t *, const filt_opts_t *, const char *);
 void npfctl_build_natseg(int, int, u_int, const addr_port_t *, const addr_port_t *, const filt_opts_t *);
Index: src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.1.2.5 src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.1.2.6
--- src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.1.2.5 Mon Feb 11 21:49:50 2013
+++ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Mon Feb 18 18:26:15 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_rule_test.c,v 1.1.2.5 2013/02/11 21:49:50 riz Exp $ */
+/* $NetBSD: npf_rule_test.c,v 1.1.2.6 2013/02/18 18:26:15 riz Exp $ */
 /*
 * NPF ruleset test.
@@ -130,6 +130,7 @@ npf_rule_test(bool verbose)
 npf_ruleset_t *rlset;
 npf_rule_t *rl;
 bool fail = false;
+ uint64_t id;
 int error;
 for (unsigned i = 0; i < __arraycount(test_cases); i++) {
@@ -171,7 +172,8 @@ npf_rule_test(bool verbose)
 error = npf_test_first(verbose);
 fail |= (error != RESULT_BLOCK);
- error = npf_ruleset_remove(rlset, "test-rules", (uintptr_t)rl);
+ id = npf_rule_getid(rl);
+ error = npf_ruleset_remove(rlset, "test-rules", id);
 fail |= error != 0;
 npf_config_exit();
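Review bot: The test still covers only the success path of ID-based removal, so the new ENOENT and ESRCH returns from npf_ruleset_remove() are not pinned by anything in npf_rule_test(). Repeating the call right after the existing one, `error = npf_ruleset_remove(rlset, "test-rules", id); fail |= error != ENOENT;`, would check that an already-removed ID is rejected, and a call with an unknown ruleset name and `fail |= error != ESRCH;` would cover the other branch. Both would need to stay before `npf_config_exit()`, since the function is presumably expected to run with the config lock held. The function body starts and ends outside this hunk.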