Module Name: src Committed By: christos Date: Sun Jan 29 00:15:54 UTC 2017
Modified Files: src/sys/net/npf: if_npflog.c npf.h npf_conn.c npf_conn.h npf_ctl.c npf_ext_log.c npf_ext_normalize.c npf_ext_rndblock.c npf_handler.c npf_impl.h npf_rproc.c npf_ruleset.c Added Files: src/sys/net/npf: if_npflog.h Log Message: - Increase copyin buffer size to 4M - Change log output format to be like OpenBSD's pf, including the matching rule etc. in the header, and fill in the matching info. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/if_npflog.c \ src/sys/net/npf/npf_ext_normalize.c cvs rdiff -u -r0 -r1.1 src/sys/net/npf/if_npflog.h cvs rdiff -u -r1.53 -r1.54 src/sys/net/npf/npf.h cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_ext_log.c cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_ext_rndblock.c cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_handler.c cvs rdiff -u -r1.67 -r1.68 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_rproc.c cvs rdiff -u -r1.44 -r1.45 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/npf/if_npflog.c diff -u src/sys/net/npf/if_npflog.c:1.4 src/sys/net/npf/if_npflog.c:1.5 --- src/sys/net/npf/if_npflog.c:1.4 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/if_npflog.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $"); #include <sys/types.h> #include <sys/module.h> @@ -53,6 +53,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_npflog.c, #endif #include "npf_impl.h" +#include "if_npflog.h" MODULE(MODULE_CLASS_DRIVER, if_npflog, NULL); @@ -128,7 +129,7 @@ npflog_clone_create(struct if_clone *ifc KERNEL_LOCK(1, NULL); if_attach(ifp); if_alloc_sadl(ifp); - bpf_attach(ifp, DLT_NULL, 0); + bpf_attach(ifp, DLT_NPFLOG, NPFLOG_HDRLEN); LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry); KERNEL_UNLOCK_ONE(NULL); Index: src/sys/net/npf/npf_ext_normalize.c diff -u src/sys/net/npf/npf_ext_normalize.c:1.4 src/sys/net/npf/npf_ext_normalize.c:1.5 --- src/sys/net/npf/npf_ext_normalize.c:1.4 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/npf_ext_normalize.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ext_normalize.c,v 1.4 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -28,7 +28,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.4 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $"); #include <sys/types.h> #include <sys/module.h> 
@@ -143,7 +143,8 @@ npf_normalize_ip4(npf_cache_t *npc, npf_ * npf_normalize: the main routine to normalize IPv4 and/or TCP headers. */ static bool -npf_normalize(npf_cache_t *npc, void *params, int *decision) +npf_normalize(npf_cache_t *npc, void *params, const npf_match_info_t *mi, + int *decision) { npf_normalize_t *np = params; struct tcphdr *th = npc->npc_l4.tcp; Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.53 src/sys/net/npf/npf.h:1.54 --- src/sys/net/npf/npf.h:1.53 Mon Dec 26 18:39:18 2016 +++ src/sys/net/npf/npf.h Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.53 2016/12/26 23:39:18 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.54 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -196,11 +196,18 @@ struct npf_rproc; typedef struct npf_rproc npf_rproc_t; typedef struct { + uint64_t mi_rid; + u_int mi_retfl; + u_int mi_di; +} npf_match_info_t; + +typedef struct { unsigned int version; void * ctx; int (*ctor)(npf_rproc_t *, prop_dictionary_t); void (*dtor)(npf_rproc_t *, void *); - bool (*proc)(npf_cache_t *, void *, int *); + bool (*proc)(npf_cache_t *, void *, const npf_match_info_t *, + int *); } npf_ext_ops_t; void * npf_ext_register(npf_t *, const char *, const npf_ext_ops_t *); Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.22 src/sys/net/npf/npf_conn.c:1.23 --- src/sys/net/npf/npf_conn.c:1.22 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/npf_conn.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org> 
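Review bot: The new `npf_match_info_t` in the npf.h hunk is part of the extension ABI (it is handed to every `npf_ext_ops_t.proc`), yet its three fields carry no comments and the names alone do not say what they hold. From the other hunks, `mi_retfl` receives `rl->r_attr`, `mi_rid` receives `rl->r_id`, and `mi_di` receives the packet direction that the logger compares against PFIL_IN/PFIL_OUT, so I would annotate the fields as `uint64_t mi_rid; /* id of the rule that concluded the match */`, `u_int mi_retfl; /* NPF_RULE_* attributes of that rule */`, `u_int mi_di; /* PFIL_IN / PFIL_OUT direction of the packet */`. Since `mi_rid` is 64-bit here but npf_log later splits it into two 32-bit header fields, the field comment is also the place to say which half means what. Changing the `proc` prototype breaks any previously built extension module; if the `version` member of `npf_ext_ops_t` is backed by a version constant (not visible in this diff), this is the kind of change that should bump it.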
@@ -100,7 +100,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $"); #include <sys/param.h> #include <sys/types.h> @@ -723,10 +723,11 @@ npf_conn_expire(npf_conn_t *con) * npf_conn_pass: return true if connection is "pass" one, otherwise false. */ bool -npf_conn_pass(const npf_conn_t *con, npf_rproc_t **rp) +npf_conn_pass(const npf_conn_t *con, npf_match_info_t *mi, npf_rproc_t **rp) { KASSERT(con->c_refcnt > 0); if (__predict_true(con->c_flags & CONN_PASS)) { + *mi = con->c_mi; *rp = con->c_rproc; return true; } @@ -738,7 +739,7 @@ npf_conn_pass(const npf_conn_t *con, npf * rule procedure with it. */ void -npf_conn_setpass(npf_conn_t *con, npf_rproc_t *rp) +npf_conn_setpass(npf_conn_t *con, const npf_match_info_t *mi, npf_rproc_t *rp) { KASSERT((con->c_flags & CONN_ACTIVE) == 0); KASSERT(con->c_refcnt > 0); @@ -751,6 +752,8 @@ npf_conn_setpass(npf_conn_t *con, npf_rp */ atomic_or_uint(&con->c_flags, CONN_PASS); con->c_rproc = rp; + if (rp) + con->c_mi = *mi; } /* Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.11 src/sys/net/npf/npf_conn.h:1.12 --- src/sys/net/npf/npf_conn.h:1.11 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/npf_conn.h Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.11 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_conn.h,v 1.12 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -88,6 +88,7 @@ struct npf_conn { npf_state_t c_state; u_int c_refcnt; uint64_t c_atime; + npf_match_info_t c_mi; }; #endif 
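Review bot: `npf_conn_setpass` stores `*mi` into `con->c_mi` only when `rp` is non-NULL, but `npf_conn_pass` copies `con->c_mi` back out unconditionally, so a stateful "pass" rule with no rule procedure leaves `c_mi` at whatever the connection object held at allocation and that value is then handed to the handler, including a `mi_retfl` that can reach `npf_return_block`. Unless connection objects are zero-filled on allocation, which this diff does not show, that is a read of indeterminate data. The match info is not tied to the rule procedure, so the guard should simply go: replace the `if (rp) con->c_mi = *mi;` pair with `con->c_mi = *mi;`. The existing KASSERTs already cover the reference and state requirements, so nothing else in the function needs to change.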
@@ -106,8 +107,10 @@ npf_conn_t * npf_conn_inspect(npf_cache_ npf_conn_t * npf_conn_establish(npf_cache_t *, int, bool); void npf_conn_release(npf_conn_t *); void npf_conn_expire(npf_conn_t *); -bool npf_conn_pass(const npf_conn_t *, npf_rproc_t **); -void npf_conn_setpass(npf_conn_t *, npf_rproc_t *); +bool npf_conn_pass(const npf_conn_t *, npf_match_info_t *, + npf_rproc_t **); +void npf_conn_setpass(npf_conn_t *, const npf_match_info_t *, + npf_rproc_t *); int npf_conn_setnat(const npf_cache_t *, npf_conn_t *, npf_nat_t *, u_int); npf_nat_t * npf_conn_getnat(npf_conn_t *, const int, bool *); Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.46 src/sys/net/npf/npf_ctl.c:1.47 --- src/sys/net/npf/npf_ctl.c:1.46 Mon Jan 2 16:49:51 2017 +++ src/sys/net/npf/npf_ctl.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $"); #include <sys/param.h> #include <sys/conf.h> @@ -513,7 +513,8 @@ npfctl_load(npf_t *npf, u_long cmd, void /* Retrieve the dictionary. */ #if !defined(_NPF_TESTING) && !defined(_NPF_STANDALONE) - error = prop_dictionary_copyin_ioctl(pref, cmd, &npf_dict); + error = prop_dictionary_copyin_ioctl_size(pref, cmd, &npf_dict, + 4 * 1024 * 1024); if (error) return error; #else Index: src/sys/net/npf/npf_ext_log.c diff -u src/sys/net/npf/npf_ext_log.c:1.10 src/sys/net/npf/npf_ext_log.c:1.11 --- src/sys/net/npf/npf_ext_log.c:1.10 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/npf_ext_log.c Sat Jan 28 19:15:54 2017 
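Review bot: The `4 * 1024 * 1024` passed to `prop_dictionary_copyin_ioctl_size` in the `npfctl_load` hunk is a bare magic number at the one place where caller-supplied ioctl data of caller-chosen size is pulled into the kernel; the bound deserves a name and a sentence on why this value, e.g. `#define NPF_IOCTL_DATA_LIMIT (4 * 1024 * 1024) /* largest externalized config plist npfctl_load will copy in */` near the top of the file. Whether this ioctl is already restricted to privileged callers is not visible here; if it is, say so next to the limit, because that privilege check and this bound together are what cap the per-call kernel allocation. `npfctl_load` starts and ends outside the hunk.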
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $"); #include <sys/types.h> #include <sys/module.h> @@ -52,6 +52,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ext_log. #endif #include "npf_impl.h" +#include "if_npflog.h" NPF_EXT_MODULE(npf_ext_log, ""); 
@@ -81,21 +82,54 @@ npf_log_dtor(npf_rproc_t *rp, void *meta } static bool -npf_log(npf_cache_t *npc, void *meta, int *decision) +npf_log(npf_cache_t *npc, void *meta, const npf_match_info_t *mi, int *decision) { struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf); const npf_ext_log_t *log = meta; struct psref psref; ifnet_t *ifp; - int family; + struct npfloghdr hdr; + memset(&hdr, 0, sizeof(hdr)); /* Set the address family. */ if (npf_iscached(npc, NPC_IP4)) { - family = AF_INET; + hdr.af = AF_INET; } else if (npf_iscached(npc, NPC_IP6)) { - family = AF_INET6; + hdr.af = AF_INET6; } else { - family = AF_UNSPEC; + hdr.af = AF_UNSPEC; + } + + hdr.length = NPFLOG_REAL_HDRLEN; + hdr.action = *decision == NPF_DECISION_PASS ? + 0 /* pass */ : 1 /* block */; + hdr.reason = 0; /* match */ + struct nbuf *nb = npc->npc_nbuf; + const char *ifname = nb && nb->nb_ifid ? + npf_ifmap_getname(npc->npc_ctx, nb->nb_ifid) : "???"; + + strlcpy(hdr.ifname, ifname, sizeof(hdr.ifname)); + + hdr.rulenr = htonl((uint32_t)mi->mi_rid); + hdr.subrulenr = htonl((uint32_t)(mi->mi_rid >> 32)); + strlcpy(hdr.ruleset, "rules", sizeof(hdr.ruleset)); + + hdr.uid = UID_MAX; + hdr.pid = (pid_t)-1; + hdr.rule_uid = UID_MAX; + hdr.rule_pid = (pid_t)-1; + + switch (mi->mi_di) { + default: + case PFIL_IN|PFIL_OUT: + hdr.dir = 0; + break; + case PFIL_IN: + hdr.dir = 1; + break; + case PFIL_OUT: + hdr.dir = 2; + break; } KERNEL_LOCK(1, NULL); @@ -111,7 +145,8 @@ npf_log(npf_cache_t *npc, void *meta, in /* Pass through BPF. */ ifp->if_opackets++; ifp->if_obytes += m->m_pkthdr.len; - bpf_mtap_af(ifp, family, m); + if (ifp->if_bpf) + bpf_mtap2(ifp->if_bpf, &hdr, NPFLOG_HDRLEN, m); if_put(ifp, &psref); KERNEL_UNLOCK_ONE(NULL); Index: src/sys/net/npf/npf_ext_rndblock.c diff -u src/sys/net/npf/npf_ext_rndblock.c:1.6 src/sys/net/npf/npf_ext_rndblock.c:1.7 --- src/sys/net/npf/npf_ext_rndblock.c:1.6 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/npf_ext_rndblock.c Sat Jan 28 19:15:54 2017 
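Review bot: In the `npf_log` hunk the `memset(&hdr, 0, sizeof(hdr))` looks redundant because every named field is assigned below it, but it is load-bearing: the second hunk passes `NPFLOG_HDRLEN` (the full `sizeof`) to `bpf_mtap2`, so the trailing `pad[3]` bytes are copied out to BPF readers and would otherwise be uninitialized kernel stack. I would say so on that line, `/* zero the whole header: pad[] is handed to BPF as well */`, so that a later cleanup does not drop it. The bare `0`/`1`/`2` written to `action`, `reason` and `dir` appear to be pflog's PF_PASS/PF_DROP, PFRES_MATCH and PF_INOUT/PF_IN/PF_OUT encodings; naming them in the comments would make the "compatible with pflog" promise in if_npflog.h checkable by a reader. The part of `npf_log` between the two hunks (the `if_get` path) is outside this diff.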
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_ext_rndblock.c,v 1.6 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_ext_rndblock.c,v 1.7 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2012 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.6 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.7 2017/01/29 00:15:54 christos Exp $"); #include <sys/types.h> #include <sys/cprng.h> @@ -99,7 +99,8 @@ npf_ext_rndblock_dtor(npf_rproc_t *rp, v * npf_ext_rndblock: main routine implementing the extension functionality. */ static bool -npf_ext_rndblock(npf_cache_t *npc, void *meta, int *decision) +npf_ext_rndblock(npf_cache_t *npc, void *meta, const npf_match_info_t *mi, + int *decision) { npf_ext_rndblock_t *rndblock = meta; unsigned long c; Index: src/sys/net/npf/npf_handler.c diff -u src/sys/net/npf/npf_handler.c:1.35 src/sys/net/npf/npf_handler.c:1.36 --- src/sys/net/npf/npf_handler.c:1.35 Mon Dec 26 18:05:06 2016 +++ src/sys/net/npf/npf_handler.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_handler.c,v 1.35 2016/12/26 23:05:06 christos Exp $ */ +/* $NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.35 2016/12/26 23:05:06 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -129,9 +129,9 @@ npf_packet_handler(npf_t *npf, struct mb npf_conn_t *con; npf_rule_t *rl; npf_rproc_t *rp; - int error, retfl; + int error, decision; uint32_t ntag; - int decision; + npf_match_info_t mi; /* QSBR checkpoint. */ pserialize_checkpoint(npf->qsbr); 
@@ -146,9 +146,12 @@ npf_packet_handler(npf_t *npf, struct mb npc.npc_nbuf = &nbuf; npc.npc_info = 0; + mi.mi_di = di; + mi.mi_rid = 0; + mi.mi_retfl = 0; + decision = NPF_DECISION_BLOCK; error = 0; - retfl = 0; rp = NULL; /* Cache everything. Determine whether it is an IP fragment. */ @@ -177,7 +180,7 @@ npf_packet_handler(npf_t *npf, struct mb con = npf_conn_inspect(&npc, di, &error); /* If "passing" connection found - skip the ruleset inspection. */ - if (con && npf_conn_pass(con, &rp)) { + if (con && npf_conn_pass(con, &mi, &rp)) { npf_stats_inc(npf, NPF_STAT_PASS_CONN); KASSERT(error == 0); goto pass; @@ -213,7 +216,7 @@ npf_packet_handler(npf_t *npf, struct mb rp = npf_rule_getrproc(rl); /* Conclude with the rule and release the lock. */ - error = npf_rule_conclude(rl, &retfl); + error = npf_rule_conclude(rl, &mi); npf_config_read_exit(slock); if (error) { @@ -226,16 +229,16 @@ npf_packet_handler(npf_t *npf, struct mb * Establish a "pass" connection, if required. Just proceed if * connection creation fails (e.g. due to unsupported protocol). */ - if ((retfl & NPF_RULE_STATEFUL) != 0 && !con) { + if ((mi.mi_retfl & NPF_RULE_STATEFUL) != 0 && !con) { con = npf_conn_establish(&npc, di, - (retfl & NPF_RULE_MULTIENDS) == 0); + (mi.mi_retfl & NPF_RULE_MULTIENDS) == 0); if (con) { /* * Note: the reference on the rule procedure is * transfered to the connection. It will be * released on connection destruction. */ - npf_conn_setpass(con, rp); + npf_conn_setpass(con, &mi, rp); } } pass: @@ -250,7 +253,7 @@ block: * Execute the rule procedure, if any is associated. * It may reverse the decision from pass to block. */ - if (rp && !npf_rproc_run(&npc, rp, &decision)) { + if (rp && !npf_rproc_run(&npc, rp, &mi, &decision)) { if (con) { npf_conn_release(con); } 
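Review bot: In the `npf_conn_pass` hunk the freshly set `mi.mi_di = di` is overwritten by the whole-struct copy `*mi = con->c_mi` that the npf_conn.c hunk introduces, so on the stateful fast path `mi_di` holds the direction of the packet that established the connection, not of the packet now being processed; `npf_log` turns that into `hdr.dir`, so reply packets on a logged stateful flow are reported with the wrong direction. Keeping the rule id and attributes from the connection but the direction from this packet is one line inside the `if (con && npf_conn_pass(con, &mi, &rp))` block: `mi.mi_di = di;` before the `goto pass;` (or have `npf_conn_pass` copy only `mi_rid` and `mi_retfl`). `npf_packet_handler` starts and ends outside this hunk.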
@@ -289,7 +292,7 @@ out: * Depending on the flags and protocol, return TCP reset (RST) or * ICMP destination unreachable. */ - if (retfl && npf_return_block(&npc, retfl)) { + if (mi.mi_retfl && npf_return_block(&npc, mi.mi_retfl)) { *mp = NULL; } Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.67 src/sys/net/npf/npf_impl.h:1.68 --- src/sys/net/npf/npf_impl.h:1.67 Mon Jan 2 19:58:05 2017 +++ src/sys/net/npf/npf_impl.h Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_impl.h,v 1.67 2017/01/03 00:58:05 rmind Exp $ */ +/* $NetBSD: npf_impl.h,v 1.68 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -339,7 +339,7 @@ void npf_ruleset_gc(npf_ruleset_t *); npf_rule_t * npf_ruleset_inspect(npf_cache_t *, const npf_ruleset_t *, const int, const int); -int npf_rule_conclude(const npf_rule_t *, int *); +int npf_rule_conclude(const npf_rule_t *, npf_match_info_t *); /* Rule interface. */ npf_rule_t * npf_rule_alloc(npf_t *, prop_dictionary_t); @@ -366,7 +366,8 @@ npf_rproc_t * npf_rproc_create(prop_dict void npf_rproc_acquire(npf_rproc_t *); void npf_rproc_release(npf_rproc_t *); const char * npf_rproc_getname(const npf_rproc_t *); -bool npf_rproc_run(npf_cache_t *, npf_rproc_t *, int *); +bool npf_rproc_run(npf_cache_t *, npf_rproc_t *, + const npf_match_info_t *, int *); /* State handling. */ bool npf_state_init(npf_cache_t *, npf_state_t *); Index: src/sys/net/npf/npf_rproc.c diff -u src/sys/net/npf/npf_rproc.c:1.15 src/sys/net/npf/npf_rproc.c:1.16 --- src/sys/net/npf/npf_rproc.c:1.15 Wed Dec 28 16:55:04 2016 +++ src/sys/net/npf/npf_rproc.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_rproc.c,v 1.15 2016/12/28 21:55:04 christos Exp $ */ +/* $NetBSD: npf_rproc.c,v 1.16 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 
@@ -358,7 +358,8 @@ npf_rproc_assign(npf_rproc_t *rp, void * * => Reference on the rule procedure must be held. */ bool -npf_rproc_run(npf_cache_t *npc, npf_rproc_t *rp, int *decision) +npf_rproc_run(npf_cache_t *npc, npf_rproc_t *rp, const npf_match_info_t *mi, + int *decision) { const unsigned extcount = rp->rp_ext_count; @@ -370,7 +371,7 @@ npf_rproc_run(npf_cache_t *npc, npf_rpro const npf_ext_ops_t *extops = ext->ext_ops; KASSERT(ext->ext_refcnt > 0); - if (!extops->proc(npc, rp->rp_ext_meta[i], decision)) { + if (!extops->proc(npc, rp->rp_ext_meta[i], mi, decision)) { return false; } Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.44 src/sys/net/npf/npf_ruleset.c:1.45 --- src/sys/net/npf/npf_ruleset.c:1.44 Wed Dec 28 16:55:04 2016 +++ src/sys/net/npf/npf_ruleset.c Sat Jan 28 19:15:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.44 2016/12/28 21:55:04 christos Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $ */ /*- * Copyright (c) 2009-2015 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.44 2016/12/28 21:55:04 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $"); #include <sys/param.h> #include <sys/types.h> @@ -201,6 +201,7 @@ npf_ruleset_insert(npf_ruleset_t *rlset, rlset->rs_rules[n] = rl; rlset->rs_nitems++; + rl->r_id = ++rlset->rs_idcnt; if (rl->r_skip_to < ++n) { rl->r_skip_to = SKIPTO_ADJ_FLAG | n; @@ -426,6 +427,7 @@ npf_ruleset_flush(npf_ruleset_t *rlset, LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry); rl = rl->r_next; } + rlset->rs_idcnt = 0; return 0; } 
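Review bot: `rl->r_id = ++rlset->rs_idcnt` in the `npf_ruleset_insert` hunk together with `rlset->rs_idcnt = 0` in the `npf_ruleset_flush` hunk makes a rule id a position within the current load generation rather than a stable identifier: after a reload the same number names a different rule, and connections that captured `mi_rid` under the old ruleset (npf_conn.c hunk) will be logged against the new ruleset's rule of that number. For anyone using the npflog `rulenr` field for audit or alerting this is worth a comment at the assignment, e.g. `/* r_id is unique only within this load generation; it restarts at 1 on flush */`, and a reload generation counter next to it would make the logs unambiguous. `r_id` and `rs_idcnt` are declared outside this diff, so I cannot tell from here whether the counter is otherwise covered by the config lock.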
@@ -986,10 +988,11 @@ npf_ruleset_inspect(npf_cache_t *npc, co * => Returns ENETUNREACH if "block" and 0 if "pass". */ int -npf_rule_conclude(const npf_rule_t *rl, int *retfl) +npf_rule_conclude(const npf_rule_t *rl, npf_match_info_t *mi) { /* If not passing - drop the packet. */ - *retfl = rl->r_attr; + mi->mi_retfl = rl->r_attr; + mi->mi_rid = rl->r_id; return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH; } Added files: Index: src/sys/net/npf/if_npflog.h diff -u /dev/null src/sys/net/npf/if_npflog.h:1.1 --- /dev/null Sat Jan 28 19:15:55 2017 +++ src/sys/net/npf/if_npflog.h Sat Jan 28 19:15:54 2017 
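Review bot: The header comment above `npf_rule_conclude` still documents only the return value, while the function now also fills in the caller's `npf_match_info_t`, and the `/* If not passing - drop the packet. */` line now sits above two assignments it does not describe. I would add `* => Fills in the match info: rule attributes (mi_retfl) and rule id (mi_rid).` to the `=>` list and move the drop comment down to the `return` line. `mi_di` is left untouched here, which the comment should say explicitly so callers know they own that field.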
@@ -0,0 +1,63 @@
+/* $NetBSD: if_npflog.h,v 1.1 2017/01/29 00:15:54 christos Exp $ */
+
+/*
+ * Copyright 2001 Niels Provos <pro...@citi.umich.edu>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _NET_NPF_IF_NPFLOG_H_
+#define _NET_NPF_IF_NPFLOG_H_
+
+#ifndef _KERNEL
+#error "not supposed to be exposed to userland"
+#endif
+
+#define NPFLOG_RULESET_NAME_SIZE 16
+
+/*
+ * For now, we use a header compatible with pflog.
+ * This will be improved in the future.
+ */
+
+struct npfloghdr {
+ uint8_t length;
+ sa_family_t af;
+ uint8_t action;
+ uint8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[NPFLOG_RULESET_NAME_SIZE];
+ uint32_t rulenr;
+ uint32_t subrulenr;
+ uint32_t uid;
+ uint32_t pid;
+ uint32_t rule_uid;
+ uint32_t rule_pid;
+ uint8_t dir;
+ uint8_t pad[3];
+};
+
+#define DLT_NPFLOG DLT_PFLOG
+
+#define NPFLOG_HDRLEN sizeof(struct npfloghdr)
+#define NPFLOG_REAL_HDRLEN offsetof(struct npfloghdr, pad)
+
+#endif /* _NET_NPF_IF_NPFLOG_H_ */
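Review bot: The new `if_npflog.h` is not self-contained: it uses `sa_family_t`, `IFNAMSIZ`, `uint8_t`/`uint32_t` and `offsetof` without including anything, so it compiles only because both includers in this commit list `npf_impl.h` first. Adding `#include <sys/types.h>`, `#include <sys/socket.h>` and `#include <net/if.h>` under the guard (plus whichever header supplies `offsetof` in this tree) removes that include-order dependency. Separately, because `DLT_NPFLOG` is defined as `DLT_PFLOG`, every BPF consumer will decode this header as pflog's `struct pfloghdr`; the "will be improved in the future" comment should state that the layout must stay byte-compatible with pfloghdr for as long as that DLT is advertised, and that a new layout needs its own DLT rather than a silent change behind the same one.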