Module Name: src
Committed By: christos
Date: Sun Jan 29 00:15:54 UTC 2017
Modified Files:
src/sys/net/npf: if_npflog.c npf.h npf_conn.c npf_conn.h npf_ctl.c
npf_ext_log.c npf_ext_normalize.c npf_ext_rndblock.c npf_handler.c
npf_impl.h npf_rproc.c npf_ruleset.c
Added Files:
src/sys/net/npf: if_npflog.h
Log Message:
- Increase copyin buffer size to 4M
- Change log output format to be like OpenBSD's pflog, including the
matching rule etc. in the header, and fill in the matching info.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/if_npflog.c \
src/sys/net/npf/npf_ext_normalize.c
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/if_npflog.h
cvs rdiff -u -r1.53 -r1.54 src/sys/net/npf/npf.h
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_ext_log.c
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_ext_rndblock.c
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_handler.c
cvs rdiff -u -r1.67 -r1.68 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.44 -r1.45 src/sys/net/npf/npf_ruleset.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/if_npflog.c
diff -u src/sys/net/npf/if_npflog.c:1.4 src/sys/net/npf/if_npflog.c:1.5
--- src/sys/net/npf/if_npflog.c:1.4 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/if_npflog.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/module.h>
@@ -53,6 +53,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_npflog.c,
#endif
#include "npf_impl.h"
+#include "if_npflog.h"
MODULE(MODULE_CLASS_DRIVER, if_npflog, NULL);
@@ -128,7 +129,7 @@ npflog_clone_create(struct if_clone *ifc
KERNEL_LOCK(1, NULL);
if_attach(ifp);
if_alloc_sadl(ifp);
- bpf_attach(ifp, DLT_NULL, 0);
+ bpf_attach(ifp, DLT_NPFLOG, NPFLOG_HDRLEN);
LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
KERNEL_UNLOCK_ONE(NULL);
Index: src/sys/net/npf/npf_ext_normalize.c
diff -u src/sys/net/npf/npf_ext_normalize.c:1.4 src/sys/net/npf/npf_ext_normalize.c:1.5
--- src/sys/net/npf/npf_ext_normalize.c:1.4 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_ext_normalize.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ext_normalize.c,v 1.4 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.4 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/module.h>
@@ -143,7 +143,8 @@ npf_normalize_ip4(npf_cache_t *npc, npf_
* npf_normalize: the main routine to normalize IPv4 and/or TCP headers.
*/
static bool
-npf_normalize(npf_cache_t *npc, void *params, int *decision)
+npf_normalize(npf_cache_t *npc, void *params, const npf_match_info_t *mi,
+ int *decision)
{
npf_normalize_t *np = params;
struct tcphdr *th = npc->npc_l4.tcp;
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.53 src/sys/net/npf/npf.h:1.54
--- src/sys/net/npf/npf.h:1.53 Mon Dec 26 18:39:18 2016
+++ src/sys/net/npf/npf.h Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.53 2016/12/26 23:39:18 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.54 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -196,11 +196,18 @@ struct npf_rproc;
typedef struct npf_rproc npf_rproc_t;
typedef struct {
+ uint64_t mi_rid;
+ u_int mi_retfl;
+ u_int mi_di;
+} npf_match_info_t;
+
+typedef struct {
unsigned int version;
void * ctx;
int (*ctor)(npf_rproc_t *, prop_dictionary_t);
void (*dtor)(npf_rproc_t *, void *);
- bool (*proc)(npf_cache_t *, void *, int *);
+ bool (*proc)(npf_cache_t *, void *, const npf_match_info_t *,
+ int *);
} npf_ext_ops_t;
void * npf_ext_register(npf_t *, const char *, const npf_ext_ops_t *);
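Review bot: The new `proc` prototype in `npf_ext_ops_t` changes the ABI every extension module implements, yet the `version` field just above it — the mechanism for refusing a module built against the old callback layout — is not bumped in this hunk (its constant is defined outside what is shown; if it is raised elsewhere in this commit, disregard). The three fields of `npf_match_info_t` are also undocumented, and their meaning is only discoverable from other files: I would add `/* id of the matched rule, set by npf_rule_conclude() */` after `mi_rid`, `/* rule attribute flags (r_attr) */` after `mi_retfl` and `/* packet direction, PFIL_IN and/or PFIL_OUT */` after `mi_di`. Naming the struct's role in a one-line comment above it (match info handed to rule procedures and recorded on pass connections) would help extension authors as well.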
Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.22 src/sys/net/npf/npf_conn.c:1.23
--- src/sys/net/npf/npf_conn.c:1.22 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_conn.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -100,7 +100,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -723,10 +723,11 @@ npf_conn_expire(npf_conn_t *con)
* npf_conn_pass: return true if connection is "pass" one, otherwise false.
*/
bool
-npf_conn_pass(const npf_conn_t *con, npf_rproc_t **rp)
+npf_conn_pass(const npf_conn_t *con, npf_match_info_t *mi, npf_rproc_t **rp)
{
KASSERT(con->c_refcnt > 0);
if (__predict_true(con->c_flags & CONN_PASS)) {
+ *mi = con->c_mi;
*rp = con->c_rproc;
return true;
}
@@ -738,7 +739,7 @@ npf_conn_pass(const npf_conn_t *con, npf
* rule procedure with it.
*/
void
-npf_conn_setpass(npf_conn_t *con, npf_rproc_t *rp)
+npf_conn_setpass(npf_conn_t *con, const npf_match_info_t *mi, npf_rproc_t *rp)
{
KASSERT((con->c_flags & CONN_ACTIVE) == 0);
KASSERT(con->c_refcnt > 0);
@@ -751,6 +752,8 @@ npf_conn_setpass(npf_conn_t *con, npf_rp
*/
atomic_or_uint(&con->c_flags, CONN_PASS);
con->c_rproc = rp;
+ if (rp)
+ con->c_mi = *mi;
}
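Review bot: `if (rp) con->c_mi = *mi;` stores the match info only for rules that carry a procedure, but `npf_conn_pass` earlier in this file copies `con->c_mi` back to its caller unconditionally, so for a stateful pass rule without a procedure the handler's `mi` becomes whatever the connection was allocated with — fine only if `npf_conn_establish` zero-fills the structure, which is not visible here. The two sides should agree: either drop the condition, `con->c_mi = *mi;`, or have `npf_conn_pass` copy `c_mi` only when `c_rproc` is set. The comment block above this function should also say that the connection now records the creating rule's id, attributes and direction; the function's first lines are in the previous hunk.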
/*
Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.11 src/sys/net/npf/npf_conn.h:1.12
--- src/sys/net/npf/npf_conn.h:1.11 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_conn.h Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.h,v 1.11 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_conn.h,v 1.12 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -88,6 +88,7 @@ struct npf_conn {
npf_state_t c_state;
u_int c_refcnt;
uint64_t c_atime;
+ npf_match_info_t c_mi;
};
#endif
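Review bot: The new `c_mi` member is the only field in `struct npf_conn` without a hint of what it holds or who writes it; the others are at least self-describing. From the rest of the commit it is filled by `npf_conn_setpass()` and read back by `npf_conn_pass()`, so a trailing comment such as `/* match info of the rule that created the pass state */` would tell the reader that the values describe the state-creating packet, not the one currently being inspected. The struct's opening line is above this hunk.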
@@ -106,8 +107,10 @@ npf_conn_t * npf_conn_inspect(npf_cache_
npf_conn_t * npf_conn_establish(npf_cache_t *, int, bool);
void npf_conn_release(npf_conn_t *);
void npf_conn_expire(npf_conn_t *);
-bool npf_conn_pass(const npf_conn_t *, npf_rproc_t **);
-void npf_conn_setpass(npf_conn_t *, npf_rproc_t *);
+bool npf_conn_pass(const npf_conn_t *, npf_match_info_t *,
+ npf_rproc_t **);
+void npf_conn_setpass(npf_conn_t *, const npf_match_info_t *,
+ npf_rproc_t *);
int npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
npf_nat_t *, u_int);
npf_nat_t * npf_conn_getnat(npf_conn_t *, const int, bool *);
Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.46 src/sys/net/npf/npf_ctl.c:1.47
--- src/sys/net/npf/npf_ctl.c:1.46 Mon Jan 2 16:49:51 2017
+++ src/sys/net/npf/npf_ctl.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -513,7 +513,8 @@ npfctl_load(npf_t *npf, u_long cmd, void
/* Retrieve the dictionary. */
#if !defined(_NPF_TESTING) && !defined(_NPF_STANDALONE)
- error = prop_dictionary_copyin_ioctl(pref, cmd, &npf_dict);
+ error = prop_dictionary_copyin_ioctl_size(pref, cmd, &npf_dict,
+ 4 * 1024 * 1024);
if (error)
return error;
#else
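Review bot: `4 * 1024 * 1024` is a bare magic number in the one place that bounds how large a proplib dictionary a single load ioctl may have copied into the kernel; name it with a one-line why, e.g. `#define NPF_MAX_CONFIG_SIZE (4 * 1024 * 1024) /* upper bound on a copied-in ruleset dictionary */`, and pass `NPF_MAX_CONFIG_SIZE` here. The commit message says only "increase to 4M"; a sentence saying why the previous default limit was too small for real rulesets would help whoever has to raise it next. Whether this path is reachable by unprivileged callers depends on device permission checks outside this hunk; if it is, the larger bound is also a larger per-call kernel allocation they can trigger, which is worth stating in the comment. The rest of npfctl_load is outside this hunk.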
Index: src/sys/net/npf/npf_ext_log.c
diff -u src/sys/net/npf/npf_ext_log.c:1.10 src/sys/net/npf/npf_ext_log.c:1.11
--- src/sys/net/npf/npf_ext_log.c:1.10 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_ext_log.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/module.h>
@@ -52,6 +52,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ext_log.
#endif
#include "npf_impl.h"
+#include "if_npflog.h"
NPF_EXT_MODULE(npf_ext_log, "");
@@ -81,21 +82,54 @@ npf_log_dtor(npf_rproc_t *rp, void *meta
}
static bool
-npf_log(npf_cache_t *npc, void *meta, int *decision)
+npf_log(npf_cache_t *npc, void *meta, const npf_match_info_t *mi, int *decision)
{
struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf);
const npf_ext_log_t *log = meta;
struct psref psref;
ifnet_t *ifp;
- int family;
+ struct npfloghdr hdr;
+ memset(&hdr, 0, sizeof(hdr));
/* Set the address family. */
if (npf_iscached(npc, NPC_IP4)) {
- family = AF_INET;
+ hdr.af = AF_INET;
} else if (npf_iscached(npc, NPC_IP6)) {
- family = AF_INET6;
+ hdr.af = AF_INET6;
} else {
- family = AF_UNSPEC;
+ hdr.af = AF_UNSPEC;
+ }
+
+ hdr.length = NPFLOG_REAL_HDRLEN;
+ hdr.action = *decision == NPF_DECISION_PASS ?
+ 0 /* pass */ : 1 /* block */;
+ hdr.reason = 0; /* match */
+ struct nbuf *nb = npc->npc_nbuf;
+ const char *ifname = nb && nb->nb_ifid ?
+ npf_ifmap_getname(npc->npc_ctx, nb->nb_ifid) : "???";
+
+ strlcpy(hdr.ifname, ifname, sizeof(hdr.ifname));
+
+ hdr.rulenr = htonl((uint32_t)mi->mi_rid);
+ hdr.subrulenr = htonl((uint32_t)(mi->mi_rid >> 32));
+ strlcpy(hdr.ruleset, "rules", sizeof(hdr.ruleset));
+
+ hdr.uid = UID_MAX;
+ hdr.pid = (pid_t)-1;
+ hdr.rule_uid = UID_MAX;
+ hdr.rule_pid = (pid_t)-1;
+
+ switch (mi->mi_di) {
+ default:
+ case PFIL_IN|PFIL_OUT:
+ hdr.dir = 0;
+ break;
+ case PFIL_IN:
+ hdr.dir = 1;
+ break;
+ case PFIL_OUT:
+ hdr.dir = 2;
+ break;
}
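Review bot: The action and direction codes written to `hdr.action` and `hdr.dir` are bare `0`/`1`/`2` literals whose meaning is fixed by pflog's encoding (which reusing `DLT_PFLOG` makes every decoder apply); name them next to `struct npfloghdr` and use the names here, e.g. `NPFLOG_ACT_PASS`/`NPFLOG_ACT_BLOCK` and `NPFLOG_DIR_INOUT`/`NPFLOG_DIR_IN`/`NPFLOG_DIR_OUT`. `subrulenr` receives the upper 32 bits of `mi_rid`, which with the sequential counter `npf_ruleset_insert` assigns will in practice be zero — worth a comment, since pflog readers present that field as an anchor sub-rule number. `nb` and `ifname` are declared mid-block after statements, unlike the function's other locals, and the `nb &&` test is inconsistent with the `nbuf_head_mbuf(npc->npc_nbuf)` call at the top, which already relies on the same pointer being valid; move the declarations up and drop the NULL test. The rest of npf_log continues outside this hunk.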
KERNEL_LOCK(1, NULL);
@@ -111,7 +145,8 @@ npf_log(npf_cache_t *npc, void *meta, in
/* Pass through BPF. */
ifp->if_opackets++;
ifp->if_obytes += m->m_pkthdr.len;
- bpf_mtap_af(ifp, family, m);
+ if (ifp->if_bpf)
+ bpf_mtap2(ifp->if_bpf, &hdr, NPFLOG_HDRLEN, m);
if_put(ifp, &psref);
KERNEL_UNLOCK_ONE(NULL);
Index: src/sys/net/npf/npf_ext_rndblock.c
diff -u src/sys/net/npf/npf_ext_rndblock.c:1.6 src/sys/net/npf/npf_ext_rndblock.c:1.7
--- src/sys/net/npf/npf_ext_rndblock.c:1.6 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_ext_rndblock.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ext_rndblock.c,v 1.6 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_ext_rndblock.c,v 1.7 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.6 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.7 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/cprng.h>
@@ -99,7 +99,8 @@ npf_ext_rndblock_dtor(npf_rproc_t *rp, v
* npf_ext_rndblock: main routine implementing the extension functionality.
*/
static bool
-npf_ext_rndblock(npf_cache_t *npc, void *meta, int *decision)
+npf_ext_rndblock(npf_cache_t *npc, void *meta, const npf_match_info_t *mi,
+ int *decision)
{
npf_ext_rndblock_t *rndblock = meta;
unsigned long c;
Index: src/sys/net/npf/npf_handler.c
diff -u src/sys/net/npf/npf_handler.c:1.35 src/sys/net/npf/npf_handler.c:1.36
--- src/sys/net/npf/npf_handler.c:1.35 Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_handler.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.35 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.35 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -129,9 +129,9 @@ npf_packet_handler(npf_t *npf, struct mb
npf_conn_t *con;
npf_rule_t *rl;
npf_rproc_t *rp;
- int error, retfl;
+ int error, decision;
uint32_t ntag;
- int decision;
+ npf_match_info_t mi;
/* QSBR checkpoint. */
pserialize_checkpoint(npf->qsbr);
@@ -146,9 +146,12 @@ npf_packet_handler(npf_t *npf, struct mb
npc.npc_nbuf = &nbuf;
npc.npc_info = 0;
+ mi.mi_di = di;
+ mi.mi_rid = 0;
+ mi.mi_retfl = 0;
+
decision = NPF_DECISION_BLOCK;
error = 0;
- retfl = 0;
rp = NULL;
/* Cache everything. Determine whether it is an IP fragment. */
@@ -177,7 +180,7 @@ npf_packet_handler(npf_t *npf, struct mb
con = npf_conn_inspect(&npc, di, &error);
/* If "passing" connection found - skip the ruleset inspection. */
- if (con && npf_conn_pass(con, &rp)) {
+ if (con && npf_conn_pass(con, &mi, &rp)) {
npf_stats_inc(npf, NPF_STAT_PASS_CONN);
KASSERT(error == 0);
goto pass;
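Review bot: `npf_conn_pass(con, &mi, &rp)` overwrites the whole `mi`, including the `mi_di = di` set a few lines earlier, with the copy stored when the connection was established, so for packets travelling in the other direction of a stateful connection the logger reports the creating packet's direction rather than this packet's. Restore it after the call, `mi.mi_di = di;`, or have `npf_conn_pass` copy only `mi_rid` and `mi_retfl`. The same copy also turns `mi.mi_retfl` from 0 into the creating rule's attributes on this path, where the old `retfl` was only ever set by `npf_rule_conclude`; the `out:` path in this function later tests that value, so the change deserves a comment there even if a pass rule's attributes never carry the return-RST/ICMP bits. The function's body continues outside this hunk.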
@@ -213,7 +216,7 @@ npf_packet_handler(npf_t *npf, struct mb
rp = npf_rule_getrproc(rl);
/* Conclude with the rule and release the lock. */
- error = npf_rule_conclude(rl, &retfl);
+ error = npf_rule_conclude(rl, &mi);
npf_config_read_exit(slock);
if (error) {
@@ -226,16 +229,16 @@ npf_packet_handler(npf_t *npf, struct mb
* Establish a "pass" connection, if required. Just proceed if
* connection creation fails (e.g. due to unsupported protocol).
*/
- if ((retfl & NPF_RULE_STATEFUL) != 0 && !con) {
+ if ((mi.mi_retfl & NPF_RULE_STATEFUL) != 0 && !con) {
con = npf_conn_establish(&npc, di,
- (retfl & NPF_RULE_MULTIENDS) == 0);
+ (mi.mi_retfl & NPF_RULE_MULTIENDS) == 0);
if (con) {
/*
* Note: the reference on the rule procedure is
* transfered to the connection. It will be
* released on connection destruction.
*/
- npf_conn_setpass(con, rp);
+ npf_conn_setpass(con, &mi, rp);
}
}
pass:
@@ -250,7 +253,7 @@ block:
* Execute the rule procedure, if any is associated.
* It may reverse the decision from pass to block.
*/
- if (rp && !npf_rproc_run(&npc, rp, &decision)) {
+ if (rp && !npf_rproc_run(&npc, rp, &mi, &decision)) {
if (con) {
npf_conn_release(con);
}
@@ -289,7 +292,7 @@ out:
* Depending on the flags and protocol, return TCP reset (RST) or
* ICMP destination unreachable.
*/
- if (retfl && npf_return_block(&npc, retfl)) {
+ if (mi.mi_retfl && npf_return_block(&npc, mi.mi_retfl)) {
*mp = NULL;
}
Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.67 src/sys/net/npf/npf_impl.h:1.68
--- src/sys/net/npf/npf_impl.h:1.67 Mon Jan 2 19:58:05 2017
+++ src/sys/net/npf/npf_impl.h Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.67 2017/01/03 00:58:05 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.68 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -339,7 +339,7 @@ void npf_ruleset_gc(npf_ruleset_t *);
npf_rule_t * npf_ruleset_inspect(npf_cache_t *, const npf_ruleset_t *,
const int, const int);
-int npf_rule_conclude(const npf_rule_t *, int *);
+int npf_rule_conclude(const npf_rule_t *, npf_match_info_t *);
/* Rule interface. */
npf_rule_t * npf_rule_alloc(npf_t *, prop_dictionary_t);
@@ -366,7 +366,8 @@ npf_rproc_t * npf_rproc_create(prop_dict
void npf_rproc_acquire(npf_rproc_t *);
void npf_rproc_release(npf_rproc_t *);
const char * npf_rproc_getname(const npf_rproc_t *);
-bool npf_rproc_run(npf_cache_t *, npf_rproc_t *, int *);
+bool npf_rproc_run(npf_cache_t *, npf_rproc_t *,
+ const npf_match_info_t *, int *);
/* State handling. */
bool npf_state_init(npf_cache_t *, npf_state_t *);
Index: src/sys/net/npf/npf_rproc.c
diff -u src/sys/net/npf/npf_rproc.c:1.15 src/sys/net/npf/npf_rproc.c:1.16
--- src/sys/net/npf/npf_rproc.c:1.15 Wed Dec 28 16:55:04 2016
+++ src/sys/net/npf/npf_rproc.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_rproc.c,v 1.15 2016/12/28 21:55:04 christos Exp $ */
+/* $NetBSD: npf_rproc.c,v 1.16 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -358,7 +358,8 @@ npf_rproc_assign(npf_rproc_t *rp, void *
* => Reference on the rule procedure must be held.
*/
bool
-npf_rproc_run(npf_cache_t *npc, npf_rproc_t *rp, int *decision)
+npf_rproc_run(npf_cache_t *npc, npf_rproc_t *rp, const npf_match_info_t *mi,
+ int *decision)
{
const unsigned extcount = rp->rp_ext_count;
@@ -370,7 +371,7 @@ npf_rproc_run(npf_cache_t *npc, npf_rpro
const npf_ext_ops_t *extops = ext->ext_ops;
KASSERT(ext->ext_refcnt > 0);
- if (!extops->proc(npc, rp->rp_ext_meta[i], decision)) {
+ if (!extops->proc(npc, rp->rp_ext_meta[i], mi, decision)) {
return false;
}
Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.44 src/sys/net/npf/npf_ruleset.c:1.45
--- src/sys/net/npf/npf_ruleset.c:1.44 Wed Dec 28 16:55:04 2016
+++ src/sys/net/npf/npf_ruleset.c Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.44 2016/12/28 21:55:04 christos Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $ */
/*-
* Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.44 2016/12/28 21:55:04 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -201,6 +201,7 @@ npf_ruleset_insert(npf_ruleset_t *rlset,
rlset->rs_rules[n] = rl;
rlset->rs_nitems++;
+ rl->r_id = ++rlset->rs_idcnt;
if (rl->r_skip_to < ++n) {
rl->r_skip_to = SKIPTO_ADJ_FLAG | n;
@@ -426,6 +427,7 @@ npf_ruleset_flush(npf_ruleset_t *rlset,
LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
rl = rl->r_next;
}
+ rlset->rs_idcnt = 0;
return 0;
}
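Review bot: `rlset->rs_idcnt = 0;` restarts rule numbering after a flush, so a logged `rulenr` is only meaningful against the ruleset loaded at that moment and the same number names different rules across reloads; if `npf_ruleset_flush` can leave rules in place (its parameters are above this hunk), rules inserted afterwards would reuse ids still held by survivors. Either keep the counter monotonic for the lifetime of the ruleset, or state the assumption at this line, e.g. `/* ruleset is empty now; restart rule numbering */`, so the next change to flush keeps it true. The type and any locking of `rs_idcnt` are not visible here.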
@@ -986,10 +988,11 @@ npf_ruleset_inspect(npf_cache_t *npc, co
* => Returns ENETUNREACH if "block" and 0 if "pass".
*/
int
-npf_rule_conclude(const npf_rule_t *rl, int *retfl)
+npf_rule_conclude(const npf_rule_t *rl, npf_match_info_t *mi)
{
/* If not passing - drop the packet. */
- *retfl = rl->r_attr;
+ mi->mi_retfl = rl->r_attr;
+ mi->mi_rid = rl->r_id;
return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
}
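Review bot: The header comment above `npf_rule_conclude` still describes only the return value (`=> Returns ENETUNREACH if "block" and 0 if "pass".`) while the function now also fills in the caller's match info; add a line such as `=> Fills mi_retfl with the rule attributes and mi_rid with the rule id; mi_di is left untouched.` The untouched `mi_di` is the important part, since callers must set the direction themselves before passing `mi` on.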
Added files:
Index: src/sys/net/npf/if_npflog.h
diff -u /dev/null src/sys/net/npf/if_npflog.h:1.1
--- /dev/null Sat Jan 28 19:15:55 2017
+++ src/sys/net/npf/if_npflog.h Sat Jan 28 19:15:54 2017
@@ -0,0 +1,63 @@
+/* $NetBSD: if_npflog.h,v 1.1 2017/01/29 00:15:54 christos Exp $ */
+
+/*
+ * Copyright 2001 Niels Provos <[email protected]>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _NET_NPF_IF_NPFLOG_H_
+#define _NET_NPF_IF_NPFLOG_H_
+
+#ifndef _KERNEL
+#error "not supposed to be exposed to userland"
+#endif
+
+#define NPFLOG_RULESET_NAME_SIZE 16
+
+/*
+ * For now, we use a header compatible with pflog.
+ * This will be improved in the future.
+ */
+
+struct npfloghdr {
+ uint8_t length;
+ sa_family_t af;
+ uint8_t action;
+ uint8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[NPFLOG_RULESET_NAME_SIZE];
+ uint32_t rulenr;
+ uint32_t subrulenr;
+ uint32_t uid;
+ uint32_t pid;
+ uint32_t rule_uid;
+ uint32_t rule_pid;
+ uint8_t dir;
+ uint8_t pad[3];
+};
+
+#define DLT_NPFLOG DLT_PFLOG
+
+#define NPFLOG_HDRLEN sizeof(struct npfloghdr)
+#define NPFLOG_REAL_HDRLEN offsetof(struct npfloghdr, pad)
+
+#endif /* _NET_NPF_IF_NPFLOG_H_ */
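Review bot: The header is not self-contained: `sa_family_t`, `IFNAMSIZ` and `offsetof` come from socket, interface and stddef-style headers the includer must have pulled in first, and nothing here says so; either include them or note the requirement above `struct npfloghdr`. Because `DLT_NPFLOG` is `DLT_PFLOG`, userland decoders will apply pflog's fixed layout to every frame, so any later change to this struct silently corrupts what they decode; pin it at compile time next to `NPFLOG_HDRLEN`, e.g. `__CTASSERT(sizeof(struct npfloghdr) == 64);` (64 bytes by my count with IFNAMSIZ 16), and say in the comment that `length`/`NPFLOG_REAL_HDRLEN` deliberately stops at `pad`. `NPFLOG_HDRLEN` should also be parenthesised, `(sizeof(struct npfloghdr))`, as it is used as a function argument.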