Module Name:    src
Committed By:   christos
Date:           Sun Jan 29 00:15:54 UTC 2017

Modified Files:
        src/sys/net/npf: if_npflog.c npf.h npf_conn.c npf_conn.h npf_ctl.c
            npf_ext_log.c npf_ext_normalize.c npf_ext_rndblock.c npf_handler.c
            npf_impl.h npf_rproc.c npf_ruleset.c
Added Files:
        src/sys/net/npf: if_npflog.h

Log Message:
- Increase copyin buffer size to 4M
- Change the log output format to be like OpenBSD's pf, including the
  matching rule etc. in the header, and fill in the matching info.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/if_npflog.c \
    src/sys/net/npf/npf_ext_normalize.c
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/if_npflog.h
cvs rdiff -u -r1.53 -r1.54 src/sys/net/npf/npf.h
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_ext_log.c
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_ext_rndblock.c
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_handler.c
cvs rdiff -u -r1.67 -r1.68 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.44 -r1.45 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/if_npflog.c
diff -u src/sys/net/npf/if_npflog.c:1.4 src/sys/net/npf/if_npflog.c:1.5
--- src/sys/net/npf/if_npflog.c:1.4	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/if_npflog.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.4 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/module.h>
@@ -53,6 +53,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_npflog.c,
 #endif
 
 #include "npf_impl.h"
+#include "if_npflog.h"
 
 MODULE(MODULE_CLASS_DRIVER, if_npflog, NULL);
 
@@ -128,7 +129,7 @@ npflog_clone_create(struct if_clone *ifc
 	KERNEL_LOCK(1, NULL);
 	if_attach(ifp);
 	if_alloc_sadl(ifp);
-	bpf_attach(ifp, DLT_NULL, 0);
+	bpf_attach(ifp, DLT_NPFLOG, NPFLOG_HDRLEN);
 	LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
 	KERNEL_UNLOCK_ONE(NULL);
 
Index: src/sys/net/npf/npf_ext_normalize.c
diff -u src/sys/net/npf/npf_ext_normalize.c:1.4 src/sys/net/npf/npf_ext_normalize.c:1.5
--- src/sys/net/npf/npf_ext_normalize.c:1.4	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_ext_normalize.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_normalize.c,v 1.4 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.4 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.5 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/module.h>
@@ -143,7 +143,8 @@ npf_normalize_ip4(npf_cache_t *npc, npf_
  * npf_normalize: the main routine to normalize IPv4 and/or TCP headers.
  */
 static bool
-npf_normalize(npf_cache_t *npc, void *params, int *decision)
+npf_normalize(npf_cache_t *npc, void *params, const npf_match_info_t *mi,
+    int *decision)
 {
 	npf_normalize_t *np = params;
 	struct tcphdr *th = npc->npc_l4.tcp;

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.53 src/sys/net/npf/npf.h:1.54
--- src/sys/net/npf/npf.h:1.53	Mon Dec 26 18:39:18 2016
+++ src/sys/net/npf/npf.h	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.53 2016/12/26 23:39:18 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.54 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -196,11 +196,18 @@ struct npf_rproc;
 typedef struct npf_rproc	npf_rproc_t;
 
 typedef struct {
+	uint64_t	mi_rid;
+	u_int		mi_retfl;
+	u_int		mi_di;
+} npf_match_info_t;
+
+typedef struct {
 	unsigned int	version;
 	void *		ctx;
 	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
 	void		(*dtor)(npf_rproc_t *, void *);
-	bool		(*proc)(npf_cache_t *, void *, int *);
+	bool		(*proc)(npf_cache_t *, void *, const npf_match_info_t *,
+				int *);
 } npf_ext_ops_t;
 
 void *		npf_ext_register(npf_t *, const char *, const npf_ext_ops_t *);
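Review bot: npf_match_info_t is added to the public npf.h without any comment on what its fields hold, although every extension now receives it through the changed proc callback. From the rest of this commit, mi_rid is the matching rule's r_id (filled in npf_rule_conclude), mi_retfl is the rule's r_attr flag word, and mi_di is the PFIL_IN/PFIL_OUT direction set by the packet handler; a one-line comment per field would save readers that search: `uint64_t mi_rid; /* ID of the matching rule (npf_rule_t::r_id) */`, `u_int mi_retfl; /* rule attribute flags (NPF_RULE_*) */`, `u_int mi_di; /* packet direction (PFIL_IN, PFIL_OUT) */`. Mixing uint64_t with u_int in a structure exported to extensions is also worth a second look; uint32_t would make the layout explicit.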

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.22 src/sys/net/npf/npf_conn.c:1.23
--- src/sys/net/npf/npf_conn.c:1.22	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_conn.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -100,7 +100,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.22 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.23 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -723,10 +723,11 @@ npf_conn_expire(npf_conn_t *con)
  * npf_conn_pass: return true if connection is "pass" one, otherwise false.
  */
 bool
-npf_conn_pass(const npf_conn_t *con, npf_rproc_t **rp)
+npf_conn_pass(const npf_conn_t *con, npf_match_info_t *mi, npf_rproc_t **rp)
 {
 	KASSERT(con->c_refcnt > 0);
 	if (__predict_true(con->c_flags & CONN_PASS)) {
+		*mi = con->c_mi;
 		*rp = con->c_rproc;
 		return true;
 	}
@@ -738,7 +739,7 @@ npf_conn_pass(const npf_conn_t *con, npf
  * rule procedure with it.
  */
 void
-npf_conn_setpass(npf_conn_t *con, npf_rproc_t *rp)
+npf_conn_setpass(npf_conn_t *con, const npf_match_info_t *mi, npf_rproc_t *rp)
 {
 	KASSERT((con->c_flags & CONN_ACTIVE) == 0);
 	KASSERT(con->c_refcnt > 0);
@@ -751,6 +752,8 @@ npf_conn_setpass(npf_conn_t *con, npf_rp
 	 */
 	atomic_or_uint(&con->c_flags, CONN_PASS);
 	con->c_rproc = rp;
+	if (rp)
+		con->c_mi = *mi;
 }
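Review bot: `con->c_mi = *mi` is stored only when rp is non-NULL, but npf_conn_pass (previous hunk) copies con->c_mi out unconditionally for every CONN_PASS connection, so a stateful connection created by a rule with no procedure hands the caller whatever c_mi happens to contain unless npf_conn_establish (not in this diff) zeroes the whole structure. The match info describes the rule that created the connection and is meaningful independently of the rule procedure, so store it unconditionally: `con->c_mi = *mi;` and drop the `if (rp)`. If the guard is intentional, npf_conn_pass should mirror it with `if (con->c_rproc)` so the two sides agree. npf_conn_setpass begins outside this hunk.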
 
 /*

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.11 src/sys/net/npf/npf_conn.h:1.12
--- src/sys/net/npf/npf_conn.h:1.11	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_conn.h	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.11 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.12 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -88,6 +88,7 @@ struct npf_conn {
 	npf_state_t		c_state;
 	u_int			c_refcnt;
 	uint64_t		c_atime;
+	npf_match_info_t	c_mi;
 };
 
 #endif
@@ -106,8 +107,10 @@ npf_conn_t *	npf_conn_inspect(npf_cache_
 npf_conn_t *	npf_conn_establish(npf_cache_t *, int, bool);
 void		npf_conn_release(npf_conn_t *);
 void		npf_conn_expire(npf_conn_t *);
-bool		npf_conn_pass(const npf_conn_t *, npf_rproc_t **);
-void		npf_conn_setpass(npf_conn_t *, npf_rproc_t *);
+bool		npf_conn_pass(const npf_conn_t *, npf_match_info_t *,
+		    npf_rproc_t **);
+void		npf_conn_setpass(npf_conn_t *, const npf_match_info_t *,
+		    npf_rproc_t *);
 int		npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
 		    npf_nat_t *, u_int);
 npf_nat_t *	npf_conn_getnat(npf_conn_t *, const int, bool *);

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.46 src/sys/net/npf/npf_ctl.c:1.47
--- src/sys/net/npf/npf_ctl.c:1.46	Mon Jan  2 16:49:51 2017
+++ src/sys/net/npf/npf_ctl.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.46 2017/01/02 21:49:51 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.47 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -513,7 +513,8 @@ npfctl_load(npf_t *npf, u_long cmd, void
 
 	/* Retrieve the dictionary. */
 #if !defined(_NPF_TESTING) && !defined(_NPF_STANDALONE)
-	error = prop_dictionary_copyin_ioctl(pref, cmd, &npf_dict);
+	error = prop_dictionary_copyin_ioctl_size(pref, cmd, &npf_dict,
+	    4 * 1024 * 1024);
 	if (error)
 		return error;
 #else
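Review bot: `4 * 1024 * 1024` is a bare literal at the call site, yet it is the bound on how much kernel memory a single NPF load ioctl may allocate for a plist whose length comes from userland, so it deserves a name and a sentence on why 4M was chosen (what ruleset or table size it is meant to accommodate). Something like `#define NPF_MAX_CONFIG_SIZE (4 * 1024 * 1024) /* cap on plist copyin per load ioctl */` near the top of npf_ctl.c, used here, keeps the limit findable and documented; the name is only a suggestion. npfctl_load begins and ends outside this hunk.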

Index: src/sys/net/npf/npf_ext_log.c
diff -u src/sys/net/npf/npf_ext_log.c:1.10 src/sys/net/npf/npf_ext_log.c:1.11
--- src/sys/net/npf/npf_ext_log.c:1.10	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_ext_log.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.10 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.11 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/module.h>
@@ -52,6 +52,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ext_log.
 #endif
 
 #include "npf_impl.h"
+#include "if_npflog.h"
 
 NPF_EXT_MODULE(npf_ext_log, "");
 
@@ -81,21 +82,54 @@ npf_log_dtor(npf_rproc_t *rp, void *meta
 }
 
 static bool
-npf_log(npf_cache_t *npc, void *meta, int *decision)
+npf_log(npf_cache_t *npc, void *meta, const npf_match_info_t *mi, int *decision)
 {
 	struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf);
 	const npf_ext_log_t *log = meta;
 	struct psref psref;
 	ifnet_t *ifp;
-	int family;
+	struct npfloghdr hdr;
 
+	memset(&hdr, 0, sizeof(hdr));
 	/* Set the address family. */
 	if (npf_iscached(npc, NPC_IP4)) {
-		family = AF_INET;
+		hdr.af = AF_INET;
 	} else if (npf_iscached(npc, NPC_IP6)) {
-		family = AF_INET6;
+		hdr.af = AF_INET6;
 	} else {
-		family = AF_UNSPEC;
+		hdr.af = AF_UNSPEC;
+	}
+
+	hdr.length = NPFLOG_REAL_HDRLEN;
+	hdr.action = *decision == NPF_DECISION_PASS ?
+	    0 /* pass */ : 1 /* block */;
+	hdr.reason = 0;	/* match */
+	struct nbuf *nb = npc->npc_nbuf;
+	const char *ifname = nb && nb->nb_ifid ? 
+	    npf_ifmap_getname(npc->npc_ctx, nb->nb_ifid) : "???";
+
+	strlcpy(hdr.ifname, ifname, sizeof(hdr.ifname));
+
+	hdr.rulenr = htonl((uint32_t)mi->mi_rid);
+	hdr.subrulenr = htonl((uint32_t)(mi->mi_rid >> 32));
+	strlcpy(hdr.ruleset, "rules", sizeof(hdr.ruleset));
+
+	hdr.uid = UID_MAX;
+	hdr.pid = (pid_t)-1;
+	hdr.rule_uid = UID_MAX;
+	hdr.rule_pid = (pid_t)-1;
+
+	switch (mi->mi_di) {
+	default:
+	case PFIL_IN|PFIL_OUT:
+		hdr.dir = 0;
+		break;
+	case PFIL_IN:
+		hdr.dir = 1;
+		break;
+	case PFIL_OUT:
+		hdr.dir = 2;
+		break;
 	}
 
 	KERNEL_LOCK(1, NULL);
@@ -111,7 +145,8 @@ npf_log(npf_cache_t *npc, void *meta, in
 	/* Pass through BPF. */
 	ifp->if_opackets++;
 	ifp->if_obytes += m->m_pkthdr.len;
-	bpf_mtap_af(ifp, family, m);
+	if (ifp->if_bpf)
+		bpf_mtap2(ifp->if_bpf, &hdr, NPFLOG_HDRLEN, m);
 	if_put(ifp, &psref);
 
 	KERNEL_UNLOCK_ONE(NULL);

Index: src/sys/net/npf/npf_ext_rndblock.c
diff -u src/sys/net/npf/npf_ext_rndblock.c:1.6 src/sys/net/npf/npf_ext_rndblock.c:1.7
--- src/sys/net/npf/npf_ext_rndblock.c:1.6	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_ext_rndblock.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_rndblock.c,v 1.6 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_ext_rndblock.c,v 1.7 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2012 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.6 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.7 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/cprng.h>
@@ -99,7 +99,8 @@ npf_ext_rndblock_dtor(npf_rproc_t *rp, v
  * npf_ext_rndblock: main routine implementing the extension functionality.
  */
 static bool
-npf_ext_rndblock(npf_cache_t *npc, void *meta, int *decision)
+npf_ext_rndblock(npf_cache_t *npc, void *meta, const npf_match_info_t *mi,
+    int *decision)
 {
 	npf_ext_rndblock_t *rndblock = meta;
 	unsigned long c;

Index: src/sys/net/npf/npf_handler.c
diff -u src/sys/net/npf/npf_handler.c:1.35 src/sys/net/npf/npf_handler.c:1.36
--- src/sys/net/npf/npf_handler.c:1.35	Mon Dec 26 18:05:06 2016
+++ src/sys/net/npf/npf_handler.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_handler.c,v 1.35 2016/12/26 23:05:06 christos Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.35 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -129,9 +129,9 @@ npf_packet_handler(npf_t *npf, struct mb
 	npf_conn_t *con;
 	npf_rule_t *rl;
 	npf_rproc_t *rp;
-	int error, retfl;
+	int error, decision;
 	uint32_t ntag;
-	int decision;
+	npf_match_info_t mi;
 
 	/* QSBR checkpoint. */
 	pserialize_checkpoint(npf->qsbr);
@@ -146,9 +146,12 @@ npf_packet_handler(npf_t *npf, struct mb
 	npc.npc_nbuf = &nbuf;
 	npc.npc_info = 0;
 
+	mi.mi_di = di;
+	mi.mi_rid = 0;
+	mi.mi_retfl = 0;
+
 	decision = NPF_DECISION_BLOCK;
 	error = 0;
-	retfl = 0;
 	rp = NULL;
 
 	/* Cache everything.  Determine whether it is an IP fragment. */
@@ -177,7 +180,7 @@ npf_packet_handler(npf_t *npf, struct mb
 	con = npf_conn_inspect(&npc, di, &error);
 
 	/* If "passing" connection found - skip the ruleset inspection. */
-	if (con && npf_conn_pass(con, &rp)) {
+	if (con && npf_conn_pass(con, &mi, &rp)) {
 		npf_stats_inc(npf, NPF_STAT_PASS_CONN);
 		KASSERT(error == 0);
 		goto pass;
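Review bot: After `npf_conn_pass(con, &mi, &rp)` succeeds, mi is the whole struct copy stored when the connection was established (`*mi = con->c_mi` in npf_conn.c), so mi.mi_di now holds the direction of the packet that created the connection rather than this packet's di assigned a few lines above; the log extension derives hdr.dir from mi->mi_di, so reply packets on a stateful pass connection would be logged with the wrong direction. Restore the per-packet value inside the branch, `mi.mi_di = di;` before `goto pass;`, or have npf_conn_pass copy only mi_rid and mi_retfl. Note also that mi.mi_retfl is no longer zero on this path as retfl used to be; the `mi.mi_retfl && npf_return_block(&npc, mi.mi_retfl)` test at the end of the function appears, from the visible hunks, to be reached only for blocked packets, but that is worth confirming. npf_packet_handler begins and ends outside these hunks.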
@@ -213,7 +216,7 @@ npf_packet_handler(npf_t *npf, struct mb
 	rp = npf_rule_getrproc(rl);
 
 	/* Conclude with the rule and release the lock. */
-	error = npf_rule_conclude(rl, &retfl);
+	error = npf_rule_conclude(rl, &mi);
 	npf_config_read_exit(slock);
 
 	if (error) {
@@ -226,16 +229,16 @@ npf_packet_handler(npf_t *npf, struct mb
 	 * Establish a "pass" connection, if required.  Just proceed if
 	 * connection creation fails (e.g. due to unsupported protocol).
 	 */
-	if ((retfl & NPF_RULE_STATEFUL) != 0 && !con) {
+	if ((mi.mi_retfl & NPF_RULE_STATEFUL) != 0 && !con) {
 		con = npf_conn_establish(&npc, di,
-		    (retfl & NPF_RULE_MULTIENDS) == 0);
+		    (mi.mi_retfl & NPF_RULE_MULTIENDS) == 0);
 		if (con) {
 			/*
 			 * Note: the reference on the rule procedure is
 			 * transfered to the connection.  It will be
 			 * released on connection destruction.
 			 */
-			npf_conn_setpass(con, rp);
+			npf_conn_setpass(con, &mi, rp);
 		}
 	}
 pass:
@@ -250,7 +253,7 @@ block:
 	 * Execute the rule procedure, if any is associated.
 	 * It may reverse the decision from pass to block.
 	 */
-	if (rp && !npf_rproc_run(&npc, rp, &decision)) {
+	if (rp && !npf_rproc_run(&npc, rp, &mi, &decision)) {
 		if (con) {
 			npf_conn_release(con);
 		}
@@ -289,7 +292,7 @@ out:
 	 * Depending on the flags and protocol, return TCP reset (RST) or
 	 * ICMP destination unreachable.
 	 */
-	if (retfl && npf_return_block(&npc, retfl)) {
+	if (mi.mi_retfl && npf_return_block(&npc, mi.mi_retfl)) {
 		*mp = NULL;
 	}
 

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.67 src/sys/net/npf/npf_impl.h:1.68
--- src/sys/net/npf/npf_impl.h:1.67	Mon Jan  2 19:58:05 2017
+++ src/sys/net/npf/npf_impl.h	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.67 2017/01/03 00:58:05 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.68 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -339,7 +339,7 @@ void		npf_ruleset_gc(npf_ruleset_t *);
 
 npf_rule_t *	npf_ruleset_inspect(npf_cache_t *, const npf_ruleset_t *,
 		    const int, const int);
-int		npf_rule_conclude(const npf_rule_t *, int *);
+int		npf_rule_conclude(const npf_rule_t *, npf_match_info_t *);
 
 /* Rule interface. */
 npf_rule_t *	npf_rule_alloc(npf_t *, prop_dictionary_t);
@@ -366,7 +366,8 @@ npf_rproc_t *	npf_rproc_create(prop_dict
 void		npf_rproc_acquire(npf_rproc_t *);
 void		npf_rproc_release(npf_rproc_t *);
 const char *	npf_rproc_getname(const npf_rproc_t *);
-bool		npf_rproc_run(npf_cache_t *, npf_rproc_t *, int *);
+bool		npf_rproc_run(npf_cache_t *, npf_rproc_t *,
+		    const npf_match_info_t *, int *);
 
 /* State handling. */
 bool		npf_state_init(npf_cache_t *, npf_state_t *);

Index: src/sys/net/npf/npf_rproc.c
diff -u src/sys/net/npf/npf_rproc.c:1.15 src/sys/net/npf/npf_rproc.c:1.16
--- src/sys/net/npf/npf_rproc.c:1.15	Wed Dec 28 16:55:04 2016
+++ src/sys/net/npf/npf_rproc.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_rproc.c,v 1.15 2016/12/28 21:55:04 christos Exp $	*/
+/*	$NetBSD: npf_rproc.c,v 1.16 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -358,7 +358,8 @@ npf_rproc_assign(npf_rproc_t *rp, void *
  * => Reference on the rule procedure must be held.
  */
 bool
-npf_rproc_run(npf_cache_t *npc, npf_rproc_t *rp, int *decision)
+npf_rproc_run(npf_cache_t *npc, npf_rproc_t *rp, const npf_match_info_t *mi,
+    int *decision)
 {
 	const unsigned extcount = rp->rp_ext_count;
 
@@ -370,7 +371,7 @@ npf_rproc_run(npf_cache_t *npc, npf_rpro
 		const npf_ext_ops_t *extops = ext->ext_ops;
 
 		KASSERT(ext->ext_refcnt > 0);
-		if (!extops->proc(npc, rp->rp_ext_meta[i], decision)) {
+		if (!extops->proc(npc, rp->rp_ext_meta[i], mi, decision)) {
 			return false;
 		}
 

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.44 src/sys/net/npf/npf_ruleset.c:1.45
--- src/sys/net/npf/npf_ruleset.c:1.44	Wed Dec 28 16:55:04 2016
+++ src/sys/net/npf/npf_ruleset.c	Sat Jan 28 19:15:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.44 2016/12/28 21:55:04 christos Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.44 2016/12/28 21:55:04 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.45 2017/01/29 00:15:54 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -201,6 +201,7 @@ npf_ruleset_insert(npf_ruleset_t *rlset,
 
 	rlset->rs_rules[n] = rl;
 	rlset->rs_nitems++;
+	rl->r_id = ++rlset->rs_idcnt;
 
 	if (rl->r_skip_to < ++n) {
 		rl->r_skip_to = SKIPTO_ADJ_FLAG | n;
@@ -426,6 +427,7 @@ npf_ruleset_flush(npf_ruleset_t *rlset, 
 		LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
 		rl = rl->r_next;
 	}
+	rlset->rs_idcnt = 0;
 	return 0;
 }
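Review bot: `rlset->rs_idcnt = 0` in npf_ruleset_flush restarts the same counter that npf_ruleset_insert now uses for static rules (`rl->r_id = ++rlset->rs_idcnt` in the hunk above), so once a dynamic group is flushed the next rules added receive ids 1, 2, ... that collide with the ids of static rules still in the ruleset. Since this commit starts exporting r_id as the logged rule number, duplicate ids make the log ambiguous, and if the id is also used to address dynamic rules for removal (outside these hunks) the collision would matter there as well. Unless restarting the numbering is intended, drop the reset, or perform it only where the ruleset itself is emptied, and say so in a comment. npf_ruleset_flush begins outside the hunk.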
 
@@ -986,10 +988,11 @@ npf_ruleset_inspect(npf_cache_t *npc, co
  * => Returns ENETUNREACH if "block" and 0 if "pass".
  */
 int
-npf_rule_conclude(const npf_rule_t *rl, int *retfl)
+npf_rule_conclude(const npf_rule_t *rl, npf_match_info_t *mi)
 {
 	/* If not passing - drop the packet. */
-	*retfl = rl->r_attr;
+	mi->mi_retfl = rl->r_attr;
+	mi->mi_rid = rl->r_id;
 	return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
 }
 

Added files:

Index: src/sys/net/npf/if_npflog.h
diff -u /dev/null src/sys/net/npf/if_npflog.h:1.1
--- /dev/null	Sat Jan 28 19:15:55 2017
+++ src/sys/net/npf/if_npflog.h	Sat Jan 28 19:15:54 2017
@@ -0,0 +1,63 @@
+/*	$NetBSD: if_npflog.h,v 1.1 2017/01/29 00:15:54 christos Exp $	*/
+
+/*
+ * Copyright 2001 Niels Provos <pro...@citi.umich.edu>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _NET_NPF_IF_NPFLOG_H_
+#define _NET_NPF_IF_NPFLOG_H_
+
+#ifndef _KERNEL
+#error "not supposed to be exposed to userland"
+#endif
+
+#define NPFLOG_RULESET_NAME_SIZE	16
+
+/*
+ * For now, we use a header compatible with pflog.
+ * This will be improved in the future.
+ */
+
+struct npfloghdr {
+	uint8_t		length;
+	sa_family_t	af;
+	uint8_t		action;
+	uint8_t		reason;
+	char		ifname[IFNAMSIZ];
+	char		ruleset[NPFLOG_RULESET_NAME_SIZE];
+	uint32_t	rulenr;
+	uint32_t	subrulenr;
+	uint32_t	uid;
+	uint32_t	pid;
+	uint32_t	rule_uid;
+	uint32_t	rule_pid;
+	uint8_t		dir;
+	uint8_t		pad[3];
+};
+
+#define DLT_NPFLOG	DLT_PFLOG
+
+#define NPFLOG_HDRLEN		sizeof(struct npfloghdr)
+#define NPFLOG_REAL_HDRLEN	offsetof(struct npfloghdr, pad)
+
+#endif /* _NET_NPF_IF_NPFLOG_H_ */
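Review bot: struct npfloghdr is a wire format — it is prepended to every logged frame under DLT_PFLOG and decoded by external tools — yet nothing pins its size, and the "compatible with pflog" comment is the only thing tying the layout to what those decoders expect. Add a compile-time check next to the definition, `__CTASSERT(sizeof(struct npfloghdr) == 64);` (four one-byte fields, two 16-byte names, six uint32_t, dir and three pad bytes), so a change to a field or to IFNAMSIZ fails the build instead of silently breaking decoders. The header also uses sa_family_t, IFNAMSIZ and offsetof without including the headers that provide them, so it only compiles when included after npf_impl.h; either add the includes or state the dependency in a comment.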
