Module Name:    src
Committed By:   rmind
Date:           Thu Dec  8 23:07:12 UTC 2016

Modified Files:
        src/sys/net/npf: npf.h npf_conn.c npf_handler.c npf_mbuf.c

Log Message:
NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces.  Per discussion with christos@.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf.h
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_conn.c \
    src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.48
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.48 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -116,8 +116,8 @@ void *		nbuf_ensure_contig(nbuf_t *, siz
 void *		nbuf_ensure_writable(nbuf_t *, size_t);
 
 bool		nbuf_cksum_barrier(nbuf_t *, int);
-int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
-int		nbuf_find_tag(nbuf_t *, uint32_t, void **);
+int		nbuf_add_tag(nbuf_t *, uint32_t);
+int		nbuf_find_tag(nbuf_t *, uint32_t *);
 
 /*
  * Packet information cache.
@@ -259,8 +259,8 @@ bool		npf_autounload_p(void);
 #define	NPF_LAYER_2			2
 #define	NPF_LAYER_3			3
 
-/* XXX mbuf.h: just for now. */
-#define	PACKET_TAG_NPF			10
+/* Packet tags. */
+#define	NPF_NTAG_PASS			0x0001
 
 /*
  * Rule commands (non-ioctl).
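Review bot: The new `/* Packet tags. */` comment does not say what carrying NPF_NTAG_PASS means, although a packet tagged with it skips connection and rule inspection entirely in npf_packet_handler, so the contract belongs next to the definition. The handler tests it as a bit (`ntag & NPF_NTAG_PASS`), so the comment should also make clear the values are a bitmask and future tags need distinct bits. Suggested wording: `/* Packet tags (nbuf_add_tag/nbuf_find_tag), a bitmask.  NPF_NTAG_PASS: the packet was already accepted by a multi-end (interface-less) state and other interfaces pass it through without inspection. */`.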

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.16 src/sys/net/npf/npf_conn.c:1.17
--- src/sys/net/npf/npf_conn.c:1.16	Thu Feb  5 22:04:03 2015
+++ src/sys/net/npf/npf_conn.c	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -99,7 +99,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.16 2015/02/05 22:04:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.17 2016/12/08 23:07:11 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -432,11 +432,21 @@ npf_conn_inspect(npf_cache_t *npc, const
 	ok = npf_state_inspect(npc, &con->c_state, forw);
 	mutex_exit(&con->c_lock);
 
+	/* If invalid state: let the rules deal with it. */
 	if (__predict_false(!ok)) {
-		/* Invalid: let the rules deal with it. */
 		npf_conn_release(con);
 		npf_stats_inc(NPF_STAT_INVALID_STATE);
-		con = NULL;
+		return NULL;
+	}
+
+	/*
+	 * If this is multi-end state, then specially tag the packet
+	 * so it will be just passed-through on other interfaces.
+	 */
+	if (con->c_ifid == 0 && nbuf_add_tag(nbuf, NPF_NTAG_PASS) != 0) {
+		npf_conn_release(con);
+		*error = ENOMEM;
+		return NULL;
 	}
 	return con;
 }
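Review bot: The new failure branch at the nbuf_add_tag() call hard-codes `*error = ENOMEM`, while nbuf_add_tag() is documented in this same commit (npf_mbuf.c) as returning an errno; propagating that value keeps the reported reason accurate if the tag code ever fails for another cause. The comment on the tag also deserves one more sentence, because the tag is attached to the mbuf and therefore makes every later npf_packet_handler pass on this packet skip connection and rule inspection for the rest of the mbuf's lifetime; that is the security-relevant effect a reader needs. The use of `nbuf` here is presumably a local derived from the cache earlier in the function, which starts outside the hunk, so I could not confirm it.
```c
	/*
	 * Multi-end state (not bound to an interface): tag the packet so
	 * that npf_packet_handler() passes it through on the other
	 * interfaces without re-inspecting it.  The tag lives on the mbuf.
	 */
	if (con->c_ifid == 0) {
		int err = nbuf_add_tag(nbuf, NPF_NTAG_PASS);
		if (err != 0) {
			npf_conn_release(con);
			*error = err;
			return NULL;
		}
	}
	return con;
```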
Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.16 src/sys/net/npf/npf_mbuf.c:1.17
--- src/sys/net/npf/npf_mbuf.c:1.16	Fri Mar 18 10:09:46 2016
+++ src/sys/net/npf/npf_mbuf.c	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $	*/
+/*	$NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.16 2016/03/18 10:09:46 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.17 2016/12/08 23:07:11 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/mbuf.h>
@@ -274,7 +274,7 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di)
  * => Returns 0 on success or errno on failure.
  */
 int
-nbuf_add_tag(nbuf_t *nbuf, uint32_t key, uint32_t val)
+nbuf_add_tag(nbuf_t *nbuf, uint32_t val)
 {
 	struct mbuf *m = nbuf->nb_mbuf0;
 	struct m_tag *mt;
@@ -298,7 +298,7 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t key,
  * => Returns 0 on success or errno on failure.
  */
 int
-nbuf_find_tag(nbuf_t *nbuf, uint32_t key, void **data)
+nbuf_find_tag(nbuf_t *nbuf, uint32_t *val)
 {
 	struct mbuf *m = nbuf->nb_mbuf0;
 	struct m_tag *mt;
@@ -309,6 +309,6 @@ nbuf_find_tag(nbuf_t *nbuf, uint32_t key
 	if (mt == NULL) {
 		return EINVAL;
 	}
-	*data = (void *)(mt + 1);
+	*val = *(uint32_t *)(mt + 1);
 	return 0;
 }
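Review bot: The new `*val = *(uint32_t *)(mt + 1);` reads a 32-bit payload out of the tag without any check that the tag actually carries that much data; since nbuf_add_tag() in the hunk above is the only writer and its body is outside the hunk, I cannot confirm the length from here, so a `KASSERT` on the tag's length field (if NetBSD's m_tag exposes one, as I believe it does) would document the assumption cheaply. The function's description block above this hunk is also not visible, and presumably still describes the removed `key`/`data` parameters; it should now say that `val` receives the 32-bit tag value, that EINVAL means no NPF tag is present, and that nbuf_find_tag() returns 0 only then. The same stale-parameter concern applies to the nbuf_add_tag() comment block in the preceding hunk.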

Index: src/sys/net/npf/npf_handler.c
diff -u src/sys/net/npf/npf_handler.c:1.33 src/sys/net/npf/npf_handler.c:1.34
--- src/sys/net/npf/npf_handler.c:1.33	Wed Jul 23 01:25:34 2014
+++ src/sys/net/npf/npf_handler.c	Thu Dec  8 23:07:11 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_handler.c,v 1.33 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.34 2016/12/08 23:07:11 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.33 2014/07/23 01:25:34 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.34 2016/12/08 23:07:11 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -147,6 +147,7 @@ npf_packet_handler(void *arg, struct mbu
 	npf_rule_t *rl;
 	npf_rproc_t *rp;
 	int error, retfl;
+	uint32_t ntag;
 	int decision;
 
 	/*
@@ -179,6 +180,12 @@ npf_packet_handler(void *arg, struct mbu
 		}
 	}
 
+	/* Just pass-through if specially tagged. */
+	if (nbuf_find_tag(&nbuf, &ntag) == 0 && (ntag & NPF_NTAG_PASS) != 0) {
+		con = NULL;
+		goto pass;
+	}
+
 	/* Inspect the list of connections (if found, acquires a reference). */
 	con = npf_conn_inspect(&npc, di, &error);
 
