Sun Sep 16 13:47:43 2012 UTC ()
Implement dynamic NPF extensions interface. An extension consists of a
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
(rmind)
diff -r1.635 -r1.636 src/distrib/sets/lists/base/shl.mi
diff -r1.47 -r1.48 src/distrib/sets/lists/modules/mi
diff -r1.188 -r1.189 src/lib/Makefile
diff -r1.2 -r1.3 src/lib/libnpf/Makefile
diff -r1.12 -r1.13 src/lib/libnpf/npf.c
diff -r1.10 -r1.11 src/lib/libnpf/npf.h
diff -r0 -r1.1 src/lib/npf/Makefile
diff -r0 -r1.1 src/lib/npf/Makefile.inc
diff -r0 -r1.1 src/lib/npf/ext_log/Makefile
diff -r0 -r1.1 src/lib/npf/ext_log/npfext_log.c
diff -r0 -r1.1 src/lib/npf/ext_log/shlib_version
diff -r0 -r1.1 src/lib/npf/ext_normalise/Makefile
diff -r0 -r1.1 src/lib/npf/ext_normalise/npfext_normalise.c
diff -r0 -r1.1 src/lib/npf/ext_normalise/shlib_version
diff -r1.110 -r1.111 src/sys/modules/Makefile
diff -r1.10 -r1.11 src/sys/modules/npf/Makefile
diff -r0 -r1.1 src/sys/modules/npf_ext_log/Makefile
diff -r0 -r1.1 src/sys/modules/npf_ext_normalise/Makefile
diff -r1.7 -r1.8 src/sys/net/npf/files.npf
diff -r1.12 -r1.13 src/sys/net/npf/npf.c
diff -r1.20 -r1.21 src/sys/net/npf/npf.h
diff -r1.17 -r1.18 src/sys/net/npf/npf_ctl.c
diff -r0 -r1.1 src/sys/net/npf/npf_ext_log.c
diff -r0 -r1.1 src/sys/net/npf/npf_ext_normalise.c
diff -r1.21 -r1.22 src/sys/net/npf/npf_handler.c
diff -r1.22 -r1.23 src/sys/net/npf/npf_impl.h
diff -r1.16 -r1.17 src/sys/net/npf/npf_inet.c
diff -r1.4 -r0 src/sys/net/npf/npf_log.c
diff -r1.2 -r1.3 src/sys/net/npf/npf_rproc.c
diff -r1.1 -r1.2 src/sys/rump/net/lib/libnpf/Makefile
diff -r1.7 -r1.8 src/usr.sbin/npf/npfctl/Makefile
diff -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_build.c
diff -r0 -r1.1 src/usr.sbin/npf/npfctl/npf_extmod.c
diff -r1.12 -r1.13 src/usr.sbin/npf/npfctl/npf_parse.y
diff -r1.5 -r1.6 src/usr.sbin/npf/npfctl/npf_scan.l
diff -r1.3 -r1.4 src/usr.sbin/npf/npfctl/npf_var.h
diff -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.c
diff -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.h
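--- a/src/distrib/sets/lists/base/shl.mi
+++ b/src/distrib/sets/lists/base/shl.mi
@@ -1,14 +1,14 @@
-# $NetBSD: shl.mi,v 1.635 2012/08/08 14:08:02 christos Exp $
+# $NetBSD: shl.mi,v 1.636 2012/09/16 13:47:43 rmind Exp $
 #
 # Note: Don't delete entries from here - mark them as "obsolete" instead,
 # unless otherwise stated below.
 #
 # Note: Do not mark "old" major and major.minor shared libraries as
 # "obsolete"; just remove the entry, as third-party applications
 # may be linked against the old major shared library, and
 # that is a symlink to the old major.minor shared library.
 # e.g., "lib<name>.so.<N>" and "lib<name>.so.<N>.<M>"
 # Exceptions to this rule may include shared libraries that
 # are dlopen()ed at run-time, such as extra locales, etc.
 #
 # Note: libtermcap and libtermlib are hardlinked and share the same version.
@@ -716,26 +716,32 @@
 ./usr/lib/libwrap.so.1.0 base-net-shlib
 ./usr/lib/libz.so base-sys-shlib
 ./usr/lib/libz.so.1 base-sys-shlib
 ./usr/lib/libz.so.1.0 base-sys-shlib
 ./usr/lib/libzfs.so base-zfs-shlib dynamicroot,zfs
 ./usr/lib/libzfs.so.0 base-zfs-shlib dynamicroot,zfs
 ./usr/lib/libzfs.so.0.0 base-zfs-shlib zfs,dynamicroot
 ./usr/lib/libzpool.so base-zfs-shlib dynamicroot,zfs
 ./usr/lib/libzpool.so.0 base-zfs-shlib dynamicroot,zfs
 ./usr/lib/libzpool.so.0.0 base-zfs-shlib zfs,dynamicroot
 ./usr/lib/libzpool_pic.a base-zfs-shlib zfs,dynamicroot
 ./usr/lib/lua/5.1/gpio.so base-sys-shlib
 ./usr/lib/lua/5.1/sqlite.so base-sys-shlib
+./usr/lib/npf/ext_log.so base-npf-shlib npf
+./usr/lib/npf/ext_log.so.0 base-npf-shlib npf
+./usr/lib/npf/ext_log.so.0.0 base-npf-shlib npf
+./usr/lib/npf/ext_normalise.so base-npf-shlib npf
+./usr/lib/npf/ext_normalise.so.0 base-npf-shlib npf
+./usr/lib/npf/ext_normalise.so.0.0 base-npf-shlib npf
 ./usr/lib/nss_mdns.so.0 base-obsolete obsolete
 ./usr/lib/nss_mdnsd.so.0 base-mdns-shlib mdns
 ./usr/lib/nss_multicast_dns.so.0 base-mdns-shlib mdns
 ./usr/lib/security/pam_afslog.so.3 base-sys-shlib kerberos,pam
 ./usr/lib/security/pam_chroot.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_deny.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_echo.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_exec.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_ftpusers.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_group.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_guest.so.3 base-sys-shlib pam
 ./usr/lib/security/pam_krb5.so.3 base-sys-shlib kerberos,pam
 ./usr/lib/security/pam_ksu.so.3 base-sys-shlib kerberos,pam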
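--- a/src/distrib/sets/lists/modules/mi
+++ b/src/distrib/sets/lists/modules/mi
@@ -1,14 +1,14 @@
-# $NetBSD: mi,v 1.47 2012/08/06 10:44:08 martin Exp $
+# $NetBSD: mi,v 1.48 2012/09/16 13:47:43 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
 # IMPORTANT: When you add a module here, you have to add it twice to
 # md.evbppc as well. evbppc does not use mi, because
 # powerpc-4xx and powerpc-booke modules are incompatible.
 # Sorry for any inconvenience this may cause, the management.
 #
 ./etc/mtree/set.modules modules-sys-root kmod
 ./stand/@MACHINE@ base-kernel-modules kmod
 ./stand/@MACHINE@/@OSRELEASE@ base-kernel-modules kmod
 ./@MODULEDIR@ base-kernel-modules kmod
 ./@MODULEDIR@/accf_dataready base-kernel-modules kmod
@@ -105,26 +105,30 @@
 ./@MODULEDIR@/nand/nand.kmod base-kernel-modules kmod
 ./@MODULEDIR@/nandemulator base-kernel-modules kmod
 ./@MODULEDIR@/nandemulator/nandemulator.kmod base-kernel-modules kmod
 ./@MODULEDIR@/nfs base-kernel-modules kmod
 ./@MODULEDIR@/nfs/nfs.kmod base-kernel-modules kmod
 ./@MODULEDIR@/nfsserver base-kernel-modules kmod
 ./@MODULEDIR@/nfsserver/nfsserver.kmod base-kernel-modules kmod
 ./@MODULEDIR@/nilfs base-kernel-modules kmod
 ./@MODULEDIR@/nilfs/nilfs.kmod base-kernel-modules kmod
 ./@MODULEDIR@/npf base-kernel-modules kmod
 ./@MODULEDIR@/npf/npf.kmod base-kernel-modules kmod
 ./@MODULEDIR@/npf_alg_icmp base-kernel-modules kmod
 ./@MODULEDIR@/npf_alg_icmp/npf_alg_icmp.kmod base-kernel-modules kmod
+./@MODULEDIR@/npf_ext_log base-kernel-modules kmod
+./@MODULEDIR@/npf_ext_log/npf_ext_log.kmod base-kernel-modules kmod
+./@MODULEDIR@/npf_ext_normalise base-kernel-modules kmod
+./@MODULEDIR@/npf_ext_normalise/npf_ext_normalise.kmod base-kernel-modules kmod
 ./@MODULEDIR@/ntfs base-kernel-modules kmod
 ./@MODULEDIR@/ntfs/ntfs.kmod base-kernel-modules kmod
 ./@MODULEDIR@/null base-kernel-modules kmod
 ./@MODULEDIR@/null/null.kmod base-kernel-modules kmod
 ./@MODULEDIR@/onewire base-kernel-modules kmod
 ./@MODULEDIR@/onewire/onewire.kmod base-kernel-modules kmod
 ./@MODULEDIR@/overlay base-kernel-modules kmod
 ./@MODULEDIR@/overlay/overlay.kmod base-kernel-modules kmod
 ./@MODULEDIR@/pciverbose base-kernel-modules kmod
 ./@MODULEDIR@/pciverbose/pciverbose.kmod base-kernel-modules kmod
 ./@MODULEDIR@/pf base-kernel-modules kmod
 ./@MODULEDIR@/pf/pf.kmod base-kernel-modules kmod
 ./@MODULEDIR@/portal base-obsolete obsolete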
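--- a/src/lib/Makefile
+++ b/src/lib/Makefile
@@ -1,14 +1,14 @@
-# $NetBSD: Makefile,v 1.188 2012/08/17 16:22:27 joerg Exp $
+# $NetBSD: Makefile,v 1.189 2012/09/16 13:47:41 rmind Exp $
 # from: @(#)Makefile 5.25.1.1 (Berkeley) 5/7/91
 
 .include <bsd.own.mk>
 
 SUBDIR= csu .WAIT
 
 .if (${MKGCC} != "no")
 . if ${HAVE_GCC} == 4
 . if (${USE_COMPILERCRTSTUFF} == "yes")
 SUBDIR+= ../gnu/lib/crtstuff4 .WAIT
 . endif
 SUBDIR+= ../gnu/lib/libgcc4 .WAIT
 . else
@@ -100,26 +100,27 @@ SUBDIR+= libdm # depends on libprop
 SUBDIR+= libedit # depends on libterminfo
 SUBDIR+= libexecinfo # depends on libelf
 SUBDIR+= libppath # depends on libprop
 SUBDIR+= libperfuse # depends on libpuffs
 SUBDIR+= libquota # depends on libprop and librpcsvc
 SUBDIR+= librefuse # depends on libpuffs
 .if (${MKRUMP} != "no")
 SUBDIR+= librumpuser # depends on libpthread
 SUBDIR+= librumphijack # depends on librumpclient and libpthread
 .endif
 
 .if (${MKNPF} != "no")
 SUBDIR+= libnpf # depends on libprop
+SUBDIR+= npf
 .endif
 
 .if (${MKCRYPTO} != "no")
 SUBDIR+= ../crypto/external/bsd/openssl/lib # depends on libcrypt
 .endif
 
 SUBDIR+= ../external/bsd/file/lib # depends on libz
 
 .if (${MKISCSI} != "no")
 SUBDIR+= ../external/bsd/iscsi/lib # depends on libpthread
 .endif
 
 SUBDIR+= ../external/bsd/libarchive/lib # depends on libxz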
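--- a/src/lib/libnpf/Makefile
+++ b/src/lib/libnpf/Makefile
@@ -1,20 +1,20 @@
-# $NetBSD: Makefile,v 1.2 2012/03/21 05:37:42 matt Exp $
+# $NetBSD: Makefile,v 1.3 2012/09/16 13:47:42 rmind Exp $
 
 .include <bsd.own.mk>
 
 LIB= npf
 MAN= npf.3
 
 SRCS= npf.c
 
 INCS= npf.h
 INCSDIR= /usr/include
 
 LIBDPLIBS+= prop ${.CURDIR}/../libprop
 LDADD+= -lprop
 DPADD+= ${LIBPROP}
 
-WARNS?= 5
-NOLINT= # defined (note: deliberately)
+WARNS= 5
+NOLINT= # disabled deliberately
 
 .include <bsd.lib.mk>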
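--- a/src/lib/libnpf/npf.c
+++ b/src/lib/libnpf/npf.c
@@ -1,14 +1,14 @@
-/* $NetBSD: npf.c,v 1.12 2012/08/15 18:44:56 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.13 2012/09/16 13:47:42 rmind Exp $ */
 
 /*-
 * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ -20,27 +20,27 @@
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.12 2012/08/15 18:44:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.13 2012/09/16 13:47:42 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <net/if.h>
 #include <prop/proplib.h>
 
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
 #include <errno.h>
 #include <err.h>
 
@@ -68,26 +68,31 @@ struct nl_config {
 
 struct nl_rule {
 prop_dictionary_t nrl_dict;
 };
 
 struct nl_rproc {
 prop_dictionary_t nrp_dict;
 };
 
 struct nl_table {
 prop_dictionary_t ntl_dict;
 };
 
+struct nl_ext {
+const char * nxt_name;
+prop_dictionary_t nxt_dict;
+};
+
 /*
 * CONFIGURATION INTERFACE.
 */
 
 nl_config_t *
 npf_config_create(void)
 {
 nl_config_t *ncf;
 
 ncf = calloc(1, sizeof(*ncf));
 if (ncf == NULL) {
 return NULL;
 }
@@ -240,26 +245,63 @@ _npf_prop_array_lookup(prop_array_t arra
 
 it = prop_array_iterator(array);
 while ((dict = prop_object_iterator_next(it)) != NULL) {
 const char *lname;
 prop_dictionary_get_cstring_nocopy(dict, key, &lname);
 if (strcmp(name, lname) == 0)
 break;
 }
 prop_object_iterator_release(it);
 return dict ? true : false;
 }
 
 /*
+* NPF EXTENSION INTERFACE.
+*/
+
+nl_ext_t *
+npf_ext_construct(const char *name)
+{
+nl_ext_t *ext;
+
+ext = malloc(sizeof(*ext));
+if (ext == NULL) {
+return NULL;
+}
+ext->nxt_name = strdup(name);
+if (ext->nxt_name == NULL) {
+free(ext);
+return NULL;
+}
+ext->nxt_dict = prop_dictionary_create();
+
+return ext;
+}
+
+void
+npf_ext_param_u32(nl_ext_t *ext, const char *key, uint32_t val)
+{
+prop_dictionary_t extdict = ext->nxt_dict;
+prop_dictionary_set_uint32(extdict, key, val);
+}
+
+void
+npf_ext_param_bool(nl_ext_t *ext, const char *key, bool val)
+{
+prop_dictionary_t extdict = ext->nxt_dict;
+prop_dictionary_set_bool(extdict, key, val);
+}
+
+/*
 * RULE INTERFACE.
 */
 
 nl_rule_t *
 npf_rule_create(const char *name, uint32_t attr, u_int if_idx)
 {
 prop_dictionary_t rldict;
 nl_rule_t *rl;
 
 rl = malloc(sizeof(*rl));
 if (rl == NULL) {
 return NULL;
 }
@@ -357,26 +399,27 @@ _npf_rule_foreach1(prop_array_t rules, u
 it = prop_array_iterator(rules);
 if (it == NULL) {
 return ENOMEM;
 }
 while ((rldict = prop_object_iterator_next(it)) != NULL) {
 prop_array_t subrules;
 nl_rule_t nrl;
 
 nrl.nrl_dict = rldict;
 (*func)(&nrl, nlevel);
 
 subrules = prop_dictionary_get(rldict, "subrules");
 (void)_npf_rule_foreach1(subrules, nlevel + 1, func);
+prop_object_release(subrules);
 }
 prop_object_iterator_release(it);
 return 0;
 }
 
 int
 _npf_rule_foreach(nl_config_t *ncf, nl_rule_callback_t func)
 {
 
 return _npf_rule_foreach1(ncf->ncf_rules_list, 0, func);
 }
 
 pri_t
@@ -418,77 +461,74 @@ npf_rule_destroy(nl_rule_t *rl)
 
 prop_object_release(rl->nrl_dict);
 free(rl);
 }
 
 /*
 * RULE PROCEDURE INTERFACE.
 */
 
 nl_rproc_t *
 npf_rproc_create(const char *name)
 {
 prop_dictionary_t rpdict;
+prop_array_t extcalls;
 nl_rproc_t *nrp;
 
 nrp = malloc(sizeof(nl_rproc_t));
 if (nrp == NULL) {
 return NULL;
 }
 rpdict = prop_dictionary_create();
 if (rpdict == NULL) {
 free(nrp);
 return NULL;
 }
 prop_dictionary_set_cstring(rpdict, "name", name);
-nrp->nrp_dict = rpdict;
-return nrp;
-}
 
-bool
-npf_rproc_exists_p(nl_config_t *ncf, const char *name)
-{
+extcalls = prop_array_create();
+if (extcalls == NULL) {
+prop_object_release(rpdict);
+free(nrp);
+return NULL;
+}
+prop_dictionary_set(rpdict, "extcalls", extcalls);
+prop_object_release(extcalls);
 
-return _npf_prop_array_lookup(ncf->ncf_rproc_list, "name", name);
+nrp->nrp_dict = rpdict;
+return nrp;
 }
 
 int
-_npf_rproc_setnorm(nl_rproc_t *rp, bool rnd, bool no_df, u_int minttl,
-u_int maxmss)
+npf_rproc_extcall(nl_rproc_t *rp, nl_ext_t *ext)
 {
 prop_dictionary_t rpdict = rp->nrp_dict;
-uint32_t fl = 0;
-
-prop_dictionary_set_bool(rpdict, "randomize-id", rnd);
-prop_dictionary_set_bool(rpdict, "no-df", no_df);
-prop_dictionary_set_uint32(rpdict, "min-ttl", minttl);
-prop_dictionary_set_uint32(rpdict, "max-mss", maxmss);
+prop_dictionary_t extdict = ext->nxt_dict;
+prop_array_t extcalls;
 
-prop_dictionary_get_uint32(rpdict, "flags", &fl);
-prop_dictionary_set_uint32(rpdict, "flags", fl | NPF_RPROC_NORMALIZE);
+extcalls = prop_dictionary_get(rpdict, "extcalls");
+if (_npf_prop_array_lookup(extcalls, "name", ext->nxt_name)) {
+return EEXIST;
+}
+prop_dictionary_set_cstring(extdict, "name", ext->nxt_name);
+prop_array_add(extcalls, extdict);
 return 0;
 }
 
-int
-_npf_rproc_setlog(nl_rproc_t *rp, u_int if_idx)
+bool
+npf_rproc_exists_p(nl_config_t *ncf, const char *name)
 {
-prop_dictionary_t rpdict = rp->nrp_dict;
-uint32_t fl = 0;
-
-prop_dictionary_set_uint32(rpdict, "log-interface", if_idx);
 
-prop_dictionary_get_uint32(rpdict, "flags", &fl);
-prop_dictionary_set_uint32(rpdict, "flags", fl | NPF_RPROC_LOG);
-return 0;
+return _npf_prop_array_lookup(ncf->ncf_rproc_list, "name", name);
 }
 
 int
 npf_rproc_insert(nl_config_t *ncf, nl_rproc_t *rp)
 {
 prop_dictionary_t rpdict = rp->nrp_dict;
 const char *name;
 
 if (!prop_dictionary_get_cstring_nocopy(rpdict, "name", &name)) {
 return EINVAL;
 }
 if (npf_rproc_exists_p(ncf, name)) {
 return EEXIST;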
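Review bot: The `prop_object_release(subrules);` added at new line 412 of `_npf_rule_foreach1` releases an object that came from `prop_dictionary_get`, which this same commit treats as a borrowed, unreleased reference at new line 508 in `npf_rproc_extcall`. If `prop_dictionary_get` does not retain for the caller, this drops a reference the rule dictionary still owns (its own later release then frees the subrule array a second time), and for a leaf rule without a "subrules" key it hands NULL to `prop_object_release`; unless a caller outside this hunk deliberately leaves an extra reference for this loop to consume, the line should be dropped, and `if (subrules != NULL)` should guard the recursive call either way. Separately, `npf_ext_construct` (new lines 261-278) stores the result of `prop_dictionary_create()` without a check, whereas `npf_rproc_create` checks the identical call and unwinds; `if (ext->nxt_dict == NULL) { free(__UNCONST(ext->nxt_name)); free(ext); return NULL; }` after new line 275 would make the two consistent and keep `npf_ext_param_u32`/`npf_ext_param_bool` from dereferencing a NULL dictionary. In `npf_rproc_extcall` the `extcalls` array returned by `prop_dictionary_get` and the return value of `prop_array_add` are likewise unchecked, so an allocation failure there is reported to the caller as 0.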
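--- a/src/lib/libnpf/npf.h
+++ b/src/lib/libnpf/npf.h
@@ -1,14 +1,14 @@
-/* $NetBSD: npf.h,v 1.10 2012/08/12 03:35:14 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.11 2012/09/16 13:47:42 rmind Exp $ */
 
 /*-
 * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ -25,44 +25,46 @@
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
 
 #ifndef _NPF_LIB_H_
 #define _NPF_LIB_H_
 
 #include <sys/types.h>
 #include <net/npf.h>
 
-#ifdef _NPF_TESTING
-#include "testing.h"
-#endif
-
 __BEGIN_DECLS
 
 struct nl_config;
 struct nl_rule;
 struct nl_rproc;
 struct nl_table;
 
 typedef struct nl_config nl_config_t;
 typedef struct nl_rule nl_rule_t;
 typedef struct nl_rproc nl_rproc_t;
 typedef struct nl_table nl_table_t;
 
 typedef struct nl_rule nl_nat_t;
 
+typedef struct nl_ext nl_ext_t;
+
+typedef int (*npfext_initfunc_t)(void);
+typedef nl_ext_t *(*npfext_consfunc_t)(const char *);
+typedef int (*npfext_paramfunc_t)(nl_ext_t *, const char *, const char *);
+
 #ifdef _NPF_PRIVATE
 
 typedef struct {
 int ne_id;
 char * ne_source_file;
 u_int ne_source_line;
 int ne_ncode_error;
 int ne_ncode_errat;
 } nl_error_t;
 
 typedef void (*nl_rule_callback_t)(nl_rule_t *, unsigned);
 typedef void (*nl_table_callback_t)(unsigned, int);
 
@@ -71,34 +73,39 @@ typedef void (*nl_table_callback_t)(unsi
 #define NPF_CODE_NCODE 1
 #define NPF_CODE_BPF 2
 
 #define NPF_PRI_NEXT (-1)
 
 #define NPF_MAX_TABLE_ID (16)
 
 nl_config_t * npf_config_create(void);
 int npf_config_submit(nl_config_t *, int);
 void npf_config_destroy(nl_config_t *);
 nl_config_t * npf_config_retrieve(int, bool *, bool *);
 int npf_config_flush(int);
 
+nl_ext_t * npf_ext_construct(const char *name);
+void npf_ext_param_u32(nl_ext_t *, const char *, uint32_t);
+void npf_ext_param_bool(nl_ext_t *, const char *, bool);
+
 nl_rule_t * npf_rule_create(const char *, uint32_t, u_int);
 int npf_rule_setcode(nl_rule_t *, int, const void *, size_t);
 int npf_rule_setproc(nl_config_t *, nl_rule_t *, const char *);
 bool npf_rule_exists_p(nl_config_t *, const char *);
 int npf_rule_insert(nl_config_t *, nl_rule_t *, nl_rule_t *, pri_t);
 void npf_rule_destroy(nl_rule_t *);
 
 nl_rproc_t * npf_rproc_create(const char *);
+int npf_rproc_extcall(nl_rproc_t *, nl_ext_t *);
 bool npf_rproc_exists_p(nl_config_t *, const char *);
 int npf_rproc_insert(nl_config_t *, nl_rproc_t *);
 
 nl_nat_t * npf_nat_create(int, u_int, u_int, npf_addr_t *, int, in_port_t);
 int npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
 
 nl_table_t * npf_table_create(u_int, int);
 int npf_table_add_entry(nl_table_t *, const int,
 const npf_addr_t *, const npf_netmask_t);
 bool npf_table_exists_p(nl_config_t *, u_int);
 int npf_table_insert(nl_config_t *, nl_table_t *);
 void npf_table_destroy(nl_table_t *);
 
@@ -110,23 +117,21 @@ int npf_sessions_recv(int, const char *
 
 #include <ifaddrs.h>
 
 void _npf_config_error(nl_config_t *, nl_error_t *);
 void _npf_config_setsubmit(nl_config_t *, const char *);
 int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
 pri_t _npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *,
 u_int *);
 const void * _npf_rule_ncode(nl_rule_t *, size_t *);
 const char * _npf_rule_rproc(nl_rule_t *);
 int _npf_nat_foreach(nl_config_t *, nl_rule_callback_t);
 void _npf_nat_getinfo(nl_nat_t *, int *, u_int *, npf_addr_t *,
 size_t *, in_port_t *);
-int _npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
-int _npf_rproc_setlog(nl_rproc_t *, u_int);
 void _npf_table_foreach(nl_config_t *, nl_table_callback_t);
 
 void _npf_debug_addif(nl_config_t *, struct ifaddrs *, u_int);
 #endif
 
 __END_DECLS
 
 #endif /* _NPF_LIB_H_ */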
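Review bot: The extension ABI added here (`nl_ext_t`, `npfext_initfunc_t`, `npfext_consfunc_t`, `npfext_paramfunc_t` at new lines 52–56) is public and undocumented; a comment above the typedefs should state which three symbols an extension shared object must export, who owns the `nl_ext_t` returned by the constructor, and that the param function returns 0 or an errno value (both extensions in this commit return EINVAL). Style: `nl_ext_t * npf_ext_construct(const char *name);` at new line 86 names its parameter while every other prototype in this header leaves parameters unnamed; suggest `nl_ext_t * npf_ext_construct(const char *);`. Also, `npf_ext_param_u32()` and `npf_ext_param_bool()` return void, so an extension has no way to report a failed parameter set back to npfctl; whether they can fail at all depends on the npf.c part of this commit, which is not visible here.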
# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:41 rmind Exp $
.include <bsd.own.mk>
# The extensions are built as shared objects, so only descend into them
# when PIC builds are enabled (MKPIC).
.if ${MKPIC} != "no"
SUBDIR= ext_log ext_normalise
.endif
.include <bsd.subdir.mk>
# $NetBSD: Makefile.inc,v 1.1 2012/09/16 13:47:42 rmind Exp $
# Settings shared by every extension module below this directory.
WARNS= 5
MKLINT= no
# Also pick up the enclosing library tree's Makefile.inc, when present.
.if exists(${.CURDIR}/../../Makefile.inc)
.include "${.CURDIR}/../../Makefile.inc"
.endif
# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:42 rmind Exp $
.include <bsd.own.mk>
# Built as a loadable module (LIBISMODULE) and installed under /usr/lib/npf,
# where npfctl(8) looks for its extensions.
LIBISMODULE= yes
LIBDIR= /usr/lib/npf
LIB= ext_log
SRCS= npfext_log.c
WARNS= 5
.include <bsd.lib.mk>
/* $NetBSD: npfext_log.c,v 1.1 2012/09/16 13:47:42 rmind Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Mindaugas Rasiukevicius.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: npfext_log.c,v 1.1 2012/09/16 13:47:42 rmind Exp $");
#include <sys/types.h>
#include <net/if.h>
#include <string.h>
#include <assert.h>
#include <errno.h>
#include <npf.h>
/*
 * Entry points of the "log" npfctl extension.  Their signatures match the
 * npfext_initfunc_t / npfext_consfunc_t / npfext_paramfunc_t types in
 * <npf.h>; presumably npfctl resolves them by name from the shared
 * object -- confirm against the loader.
 */
int npfext_log_init(void);
nl_ext_t * npfext_log_construct(const char *);
int npfext_log_param(nl_ext_t *, const char *, const char *);
/*
 * npfext_log_init: initialisation hook of the "log" extension.
 *
 * The extension keeps no state, so there is nothing to set up and the
 * call always succeeds.
 *
 * Returns 0.
 */
int
npfext_log_init(void)
{
	const int error = 0;	/* no state to initialise */

	return error;
}
/*
 * npfext_log_construct: create the extension object for a "log" rproc.
 *
 * This module only knows how to build "log" extensions; the object
 * itself is created by libnpf through npf_ext_construct().
 *
 * Returns whatever npf_ext_construct() returns.
 */
nl_ext_t *
npfext_log_construct(const char *name)
{
	/* Any other name means npfctl loaded the wrong module. */
	assert(strcmp("log", name) == 0);

	return npf_ext_construct(name);
}
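/*
 * npfext_log_param: set a parameter of a "log" extension.
 *
 * The only parameter this extension understands is an interface name,
 * passed as 'param'.  It is resolved to an interface index here, at
 * configuration build time, and stored as the u32 "log-interface"
 * parameter.  The value part ('val') is not used by this extension and
 * is ignored rather than rejected.
 *
 * Returns 0 on success, or EINVAL if no interface with that name exists.
 */
int
npfext_log_param(nl_ext_t *ext, const char *param, const char *val __unused)
{
	unsigned int if_idx;	/* same type as if_nametoindex(3) returns */

	assert(param != NULL);

	/* if_nametoindex(3) returns 0 when the name is unknown. */
	if_idx = if_nametoindex(param);
	if (if_idx == 0) {
		return EINVAL;
	}
	npf_ext_param_u32(ext, "log-interface", if_idx);
	return 0;
}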
# $NetBSD: shlib_version,v 1.1 2012/09/16 13:47:42 rmind Exp $
major=0
minor=0
# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:42 rmind Exp $
.include <bsd.own.mk>
# Built as a loadable module (LIBISMODULE) and installed under /usr/lib/npf,
# where npfctl(8) looks for its extensions.
LIBISMODULE= yes
LIBDIR= /usr/lib/npf
LIB= ext_normalise
SRCS= npfext_normalise.c
WARNS= 5
.include <bsd.lib.mk>
/* $NetBSD: npfext_normalise.c,v 1.1 2012/09/16 13:47:42 rmind Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: npfext_normalise.c,v 1.1 2012/09/16 13:47:42 rmind Exp $");
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <errno.h>
#include <npf.h>
/*
 * Entry points of the "normalise" npfctl extension.  Their signatures
 * match the npfext_initfunc_t / npfext_consfunc_t / npfext_paramfunc_t
 * types in <npf.h>; presumably npfctl resolves them by name from the
 * shared object -- confirm against the loader.
 */
int npfext_normalise_init(void);
nl_ext_t * npfext_normalise_construct(const char *);
int npfext_normalise_param(nl_ext_t *, const char *, const char *);
/*
 * npfext_normalise_init: initialisation hook of the "normalise" extension.
 *
 * The extension keeps no state, so there is nothing to set up and the
 * call always succeeds.
 *
 * Returns 0.
 */
int
npfext_normalise_init(void)
{
	const int error = 0;	/* no state to initialise */

	return error;
}
/*
 * npfext_normalise_construct: create the extension object for a
 * "normalise" rproc.
 *
 * This module only knows how to build "normalise" extensions; the object
 * itself is created by libnpf through npf_ext_construct().
 *
 * Returns whatever npf_ext_construct() returns.
 */
nl_ext_t *
npfext_normalise_construct(const char *name)
{
	/* Any other name means npfctl loaded the wrong module. */
	assert(strcmp("normalise", name) == 0);

	return npf_ext_construct(name);
}
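/*
 * parse_u32: convert a decimal string into a uint32_t.
 *
 * Unlike atol(3), this rejects empty strings, trailing garbage, negative
 * numbers and values that do not fit into 32 bits instead of silently
 * producing 0 or a truncated value.
 *
 * Returns 0 and stores the value in *valp on success, EINVAL otherwise.
 */
static int
parse_u32(const char *str, uint32_t *valp)
{
	char *end;
	long long v;

	errno = 0;
	v = strtoll(str, &end, 10);
	if (end == str || *end != '\0' || errno == ERANGE ||
	    v < 0 || v > UINT32_MAX) {
		return EINVAL;
	}
	*valp = (uint32_t)v;
	return 0;
}

/*
 * npfext_normalise_param: set a parameter of a "normalise" extension.
 *
 * Recognised parameters:
 *	random-id, no-df	boolean flags; the value is ignored and the
 *				flag is simply switched on;
 *	min-ttl, max-mss	unsigned 32-bit integers; a value is required.
 *
 * Returns 0 on success, or EINVAL if 'param' is not a known parameter,
 * a required value is missing, or the value is not a valid number that
 * fits into 32 bits.
 */
int
npfext_normalise_param(nl_ext_t *ext, const char *param, const char *val)
{
	enum ptype {
		PARAM_BOOL,
		PARAM_U32
	};
	static const struct param {
		const char *	name;
		enum ptype	type;
		bool		reqval;
	} params[] = {
		{ "random-id",	PARAM_BOOL,	false	},
		{ "no-df",	PARAM_BOOL,	false	},
		{ "min-ttl",	PARAM_U32,	true	},
		{ "max-mss",	PARAM_U32,	true	},
	};

	assert(param != NULL);

	for (unsigned i = 0; i < __arraycount(params); i++) {
		const struct param *p = &params[i];
		uint32_t u32;

		if (strcmp(p->name, param) != 0) {
			continue;
		}
		if (val == NULL && p->reqval) {
			return EINVAL;
		}
		switch (p->type) {
		case PARAM_BOOL:
			/* Presence of the keyword alone enables the flag. */
			npf_ext_param_bool(ext, p->name, true);
			break;
		case PARAM_U32:
			/* Reject garbage or out-of-range values. */
			if (parse_u32(val, &u32) != 0) {
				return EINVAL;
			}
			npf_ext_param_u32(ext, p->name, u32);
			break;
		default:
			assert(false);
		}
		return 0;
	}

	/* Invalid parameter, if not found. */
	return EINVAL;
}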
# $NetBSD: shlib_version,v 1.1 2012/09/16 13:47:42 rmind Exp $
major=0
minor=0
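--- a/src/sys/modules/Makefile
+++ b/src/sys/modules/Makefile
@@ -1,14 +1,14 @@
-# $NetBSD: Makefile,v 1.110 2012/08/06 10:31:41 martin Exp $
+# $NetBSD: Makefile,v 1.111 2012/09/16 13:47:41 rmind Exp $
 
 .include <bsd.own.mk>
 
 # For all platforms
 
 SUBDIR= accf_dataready
 SUBDIR+= accf_httpready
 SUBDIR+= adosfs
 SUBDIR+= aio
 SUBDIR+= bpf
 SUBDIR+= cd9660
 SUBDIR+= coda
 SUBDIR+= coda5
@@ -38,26 +38,28 @@ SUBDIR+= layerfs
 SUBDIR+= lfs
 SUBDIR+= mfs
 SUBDIR+= miiverbose
 SUBDIR+= miniroot
 SUBDIR+= mqueue
 SUBDIR+= msdos
 SUBDIR+= nand
 SUBDIR+= nandemulator
 SUBDIR+= nfs
 SUBDIR+= nfsserver
 SUBDIR+= nilfs
 SUBDIR+= npf
 SUBDIR+= npf_alg_icmp
+SUBDIR+= npf_ext_log
+SUBDIR+= npf_ext_normalise
 SUBDIR+= ntfs
 SUBDIR+= null
 SUBDIR+= onewire
 SUBDIR+= overlay
 SUBDIR+= pciverbose
 SUBDIR+= pf
 SUBDIR+= ppp_bsdcomp
 SUBDIR+= ppp_deflate
 SUBDIR+= procfs
 SUBDIR+= ptyfs
 SUBDIR+= puffs
 SUBDIR+= putter
 SUBDIR+= scsiverbose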
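--- a/src/sys/modules/npf/Makefile
+++ b/src/sys/modules/npf/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.10 2012/08/12 03:35:14 rmind Exp $
+# $NetBSD: Makefile,v 1.11 2012/09/16 13:47:42 rmind Exp $
 
 .include "../Makefile.inc"
 
 .PATH: ${S}/net/npf
 
 KMOD= npf
 
 SRCS= npf.c npf_alg.c npf_ctl.c npf_handler.c
-SRCS+= npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
+SRCS+= npf_inet.c npf_instr.c npf_mbuf.c npf_nat.c
 SRCS+= npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
 SRCS+= npf_session.c npf_state.c npf_state_tcp.c
 SRCS+= npf_tableset.c npf_tableset_ptree.c
 
 CPPFLAGS+= -DINET6
 
 .include <bsd.kmodule.mk>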
# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:42 rmind Exp $
.include "../Makefile.inc"
# Kernel side of the "log" extension; its source lives with the NPF core.
.PATH: ${S}/net/npf
KMOD= npf_ext_log
SRCS= npf_ext_log.c
.include <bsd.kmodule.mk>
# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:43 rmind Exp $
.include "../Makefile.inc"
# Kernel side of the "normalise" extension; its source lives with the NPF core.
.PATH: ${S}/net/npf
KMOD= npf_ext_normalise
SRCS= npf_ext_normalise.c
.include <bsd.kmodule.mk>
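--- a/src/sys/net/npf/files.npf
+++ b/src/sys/net/npf/files.npf
@@ -1,14 +1,14 @@
-# $NetBSD: files.npf,v 1.7 2012/07/15 00:22:59 rmind Exp $
+# $NetBSD: files.npf,v 1.8 2012/09/16 13:47:41 rmind Exp $
 #
 # Public Domain.
 #
 
 #
 # NPF pseudo device and modules.
 #
 
 defpseudo npf: ifnet
 
 # Core
 file net/npf/npf.c npf
 file net/npf/npf_ctl.c npf
@@ -17,17 +17,20 @@ file net/npf/npf_instr.c npf
 file net/npf/npf_mbuf.c npf
 file net/npf/npf_processor.c npf
 file net/npf/npf_ruleset.c npf
 file net/npf/npf_rproc.c npf
 file net/npf/npf_tableset.c npf
 file net/npf/npf_tableset_ptree.c npf
 file net/npf/npf_inet.c npf
 file net/npf/npf_session.c npf
 file net/npf/npf_state.c npf
 file net/npf/npf_state_tcp.c npf
 file net/npf/npf_nat.c npf
 file net/npf/npf_alg.c npf
 file net/npf/npf_sendpkt.c npf
-file net/npf/npf_log.c npf
+
+# Built-in extensions.
+file net/npf/npf_ext_log.c npf
+file net/npf/npf_ext_normalise.c npf
 
 # ALGs
 file net/npf/npf_alg_icmp.c npf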
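--- a/src/sys/net/npf/npf.c
+++ b/src/sys/net/npf/npf.c
@@ -1,17 +1,17 @@
-/* $NetBSD: npf.c,v 1.12 2012/07/15 00:23:00 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.13 2012/09/16 13:47:41 rmind Exp $ */
 
 /*-
-* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
+* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
@@ -24,27 +24,27 @@
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
 
 /*
 * NPF main: dynamic load/initialisation and unload routines.
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.12 2012/07/15 00:23:00 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.13 2012/09/16 13:47:41 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
 
 #include <sys/atomic.h>
 #include <sys/conf.h>
 #include <sys/kauth.h>
 #include <sys/kmem.h>
 #include <sys/lwp.h>
 #include <sys/module.h>
 #include <sys/percpu.h>
 #include <sys/rwlock.h>
 #include <sys/socketvar.h>
@@ -97,27 +97,27 @@ npf_init(void)
 npf_ruleset_t *rset, *nset;
 npf_tableset_t *tset;
 prop_dictionary_t dict;
 int error = 0;
 
 rw_init(&npf_lock);
 npf_stats_percpu = percpu_alloc(NPF_STATS_SIZE);
 npf_sysctl = NULL;
 
 npf_tableset_sysinit();
 npf_session_sysinit();
 npf_nat_sysinit();
 npf_alg_sysinit();
-npflogattach(1);
+npf_ext_sysinit();
 
 /* Load empty configuration. */
 dict = prop_dictionary_create();
 rset = npf_ruleset_create();
 tset = npf_tableset_create();
 nset = npf_ruleset_create();
 npf_reload(dict, rset, tset, nset, true);
 KASSERT(npf_core != NULL);
 
 #ifdef _MODULE
 /* Attach /dev/npf device. */
 error = devsw_attach("npf", NULL, &bmajor, &npf_cdevsw, &cmajor);
 if (error) {
@@ -126,34 +126,34 @@ npf_init(void)
 }
 #endif
 return error;
 }
 
 static int
 npf_fini(void)
 {
 
 /* At first, detach device and remove pfil hooks. */
 #ifdef _MODULE
 devsw_detach(NULL, &npf_cdevsw);
 #endif
-npflogdetach();
 npf_pfil_unregister();
 
 /* Flush all sessions, destroy configuration (ruleset, etc). */
 npf_session_tracking(false);
 npf_core_destroy(npf_core);
 
 /* Finally, safe to destroy the subsystems. */
+npf_ext_sysfini();
 npf_alg_sysfini();
 npf_nat_sysfini();
 npf_session_sysfini();
 npf_tableset_sysfini();
 
 if (npf_sysctl) {
 sysctl_teardown(&npf_sysctl);
 }
 percpu_free(npf_stats_percpu, NPF_STATS_SIZE);
 rw_destroy(&npf_lock);
 
 return 0;
 }
@@ -161,27 +161,27 @@ npf_fini(void)
 /*
 * Module interface.
 */
 static int
 npf_modcmd(modcmd_t cmd, void *arg)
 {
 
 switch (cmd) {
 case MODULE_CMD_INIT:
 return npf_init();
 case MODULE_CMD_FINI:
 return npf_fini();
 case MODULE_CMD_AUTOUNLOAD:
-if (npf_pfil_registered_p() || !npf_default_pass()) {
+if (npf_autounload_p()) {
 return EBUSY;
 }
 break;
 default:
 return ENOTTY;
 }
 return 0;
 }
 
 void
 npfattach(int nunits)
 {
 
@@ -360,26 +360,32 @@ prop_dictionary_t
 npf_core_dict(void)
 {
 KASSERT(rw_lock_held(&npf_lock));
 return npf_core->n_dict;
 }
 
 bool
 npf_default_pass(void)
 {
 KASSERT(rw_lock_held(&npf_lock));
 return npf_core->n_default_pass;
 }
 
+bool
+npf_autounload_p(void)
+{
+return !npf_pfil_registered_p() && npf_default_pass();
+}
+
 /*
 * NPF statistics interface.
 */
 
 void
 npf_stats_inc(npf_stats_t st)
 {
 uint64_t *stats = percpu_getref(npf_stats_percpu);
 stats[st]++;
 percpu_putref(npf_stats_percpu);
 }
 
 void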
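Review bot: The autounload test is inverted: `npf_autounload_p()` (new lines 373–377) returns `!npf_pfil_registered_p() && npf_default_pass()`, i.e. true when the module is idle and safe to unload, yet `npf_modcmd()` at new line 174 now returns EBUSY exactly when it is true, which is the negation of the old condition `npf_pfil_registered_p() || !npf_default_pass()`. As written, a firewall with pfil hooks registered or a non-default ruleset would be allowed to auto-unload while an idle one would be refused; either change the call site to `if (!npf_autounload_p()) {` or invert the helper's body and name it for what it now reports. Separately, the helper calls `npf_default_pass()`, which asserts `rw_lock_held(&npf_lock)` at line 369, and no lock is taken on the visible modcmd path — this was already true of the old expression, but the new helper is the natural place to either take a reader lock or carry `/* Requires npf_lock to be held. */`. The helper also needs a header comment, e.g. `/* Returns true if the module may be auto-unloaded: no pfil hooks are registered and the loaded configuration is the default pass-all. */`; its prototype is presumably added to npf_impl.h in this commit, which is not visible here.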
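--- a/src/sys/net/npf/npf.h
+++ b/src/sys/net/npf/npf.h
@@ -1,14 +1,14 @@
-/* $NetBSD: npf.h,v 1.20 2012/07/19 21:52:29 spz Exp $ */
+/* $NetBSD: npf.h,v 1.21 2012/09/16 13:47:41 rmind Exp $ */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -35,46 +35,46 @@
 
 #ifndef _NPF_NET_H_
 #define _NPF_NET_H_
 
 #include <sys/param.h>
 #include <sys/types.h>
 
 #include <sys/ioctl.h>
 #include <prop/proplib.h>
 
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 
-#define NPF_VERSION 5
+#define NPF_VERSION 6
 
 /*
  * Public declarations and definitions.
  */
 
 /* Storage of address (both for IPv4 and IPv6) and netmask */
 typedef struct in6_addr npf_addr_t;
 typedef uint8_t npf_netmask_t;
 
 #define NPF_MAX_NETMASK (128)
 #define NPF_NO_NETMASK ((npf_netmask_t)~0)
 
 #if defined(_KERNEL)
 
-/* Network buffer. */
-typedef void nbuf_t;
+#define NPF_DECISION_BLOCK 0
+#define NPF_DECISION_PASS 1
 
-struct npf_rproc;
-typedef struct npf_rproc npf_rproc_t;
+#define NPF_EXT_MODULE(name, req) \
+	MODULE(MODULE_CLASS_MISC, name, "npf," req)
 
 /*
  * Packet information cache.
  */
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp6.h>
 
 #define NPC_IP4 0x01 /* Indicates fetched IPv4 header. */
 #define NPC_IP6 0x02 /* Indicates IPv6 header. */
@@ -123,55 +123,82 @@ static inline int
 npf_cache_ipproto(const npf_cache_t *npc)
 {
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	return npc->npc_next_proto;
 }
 
 static inline u_int
 npf_cache_hlen(const npf_cache_t *npc)
 {
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	return npc->npc_hlen;
 }
 
-/* Network buffer interface. */
+/*
+ * Network buffer interface.
+ */
+
+typedef void nbuf_t;
+
 void * nbuf_dataptr(void *);
 void * nbuf_advance(nbuf_t **, void *, u_int);
 int nbuf_advfetch(nbuf_t **, void **, u_int, size_t, void *);
 int nbuf_advstore(nbuf_t **, void **, u_int, size_t, void *);
 int nbuf_fetch_datum(nbuf_t *, void *, size_t, void *);
 int nbuf_store_datum(nbuf_t *, void *, size_t, void *);
 
 int nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
 int nbuf_find_tag(nbuf_t *, uint32_t, void **);
 
+/*
+ * NPF extensions and rule procedure interface.
+ */
+
+struct npf_rproc;
+typedef struct npf_rproc npf_rproc_t;
+
+void npf_rproc_assign(npf_rproc_t *, void *);
+
+typedef struct {
+	unsigned int version;
+	void * ctx;
+	int (*ctor)(npf_rproc_t *, prop_dictionary_t);
+	void (*dtor)(npf_rproc_t *, void *);
+	void (*proc)(npf_cache_t *, nbuf_t *, void *, int *);
+} npf_ext_ops_t;
+
+void * npf_ext_register(const char *, const npf_ext_ops_t *);
+int npf_ext_unregister(void *);
+
+/*
+ * Misc.
+ */
+
+bool npf_autounload_p(void);
+
 #endif /* _KERNEL */
 
 /* Rule attributes. */
 #define NPF_RULE_PASS 0x0001
 #define NPF_RULE_DEFAULT 0x0002
 #define NPF_RULE_FINAL 0x0004
 #define NPF_RULE_STATEFUL 0x0008
 #define NPF_RULE_RETRST 0x0010
 #define NPF_RULE_RETICMP 0x0020
 
 #define NPF_RULE_IN 0x10000000
 #define NPF_RULE_OUT 0x20000000
 #define NPF_RULE_DIMASK (NPF_RULE_IN | NPF_RULE_OUT)
 
-/* Rule procedure flags. */
-#define NPF_RPROC_LOG 0x0001
-#define NPF_RPROC_NORMALIZE 0x0002
-
 /* Address translation types and flags. */
 #define NPF_NATIN 1
 #define NPF_NATOUT 2
 
 #define NPF_NAT_PORTS 0x01
 #define NPF_NAT_PORTMAP 0x02
 
 /* Table types. */
 #define NPF_TABLE_HASH 1
 #define NPF_TABLE_TREE 2
 
 /* Layers. */
 #define NPF_LAYER_2 2
@@ -206,29 +233,26 @@ typedef enum {
 	/* Session and NAT entries. */
 	NPF_STAT_SESSION_CREATE,
 	NPF_STAT_SESSION_DESTROY,
 	NPF_STAT_NAT_CREATE,
 	NPF_STAT_NAT_DESTROY,
 	/* Invalid state cases. */
 	NPF_STAT_INVALID_STATE,
 	NPF_STAT_INVALID_STATE_TCP1,
 	NPF_STAT_INVALID_STATE_TCP2,
 	NPF_STAT_INVALID_STATE_TCP3,
 	/* Raced packets. */
 	NPF_STAT_RACE_SESSION,
 	NPF_STAT_RACE_NAT,
-	/* Rule procedure cases. */
-	NPF_STAT_RPROC_LOG,
-	NPF_STAT_RPROC_NORM,
 	/* Fragments. */
 	NPF_STAT_FRAGMENTS,
 	NPF_STAT_REASSEMBLY,
 	NPF_STAT_REASSFAIL,
 	/* Other errors. */
 	NPF_STAT_ERROR,
 	/* Count (last). */
 	NPF_STATS_COUNT
 } npf_stats_t;
 
 #define NPF_STATS_SIZE (sizeof(uint64_t) * NPF_STATS_COUNT)
 
 /*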
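Review bot: `npf_ext_ops_t` (new lines 161-167) becomes the ABI that out-of-tree extension modules are built against, yet nothing in the header says what `version` is matched against, whether `ctor` may fail with an errno, or that `proc` receives the current verdict through `int *decision` and may change it, which is what the `NPF_DECISION_BLOCK`/`NPF_DECISION_PASS` definitions just above imply. A block comment on the typedef would pin the contract, e.g. `/* version: extension ABI version the module was built for; ctor/dtor: per rule-procedure parameter setup and teardown (ctor returns an errno); proc: packet hook, may update *decision to NPF_DECISION_BLOCK or NPF_DECISION_PASS. */`, with the actual version check to be confirmed in npf_rproc.c, which is not in this section. Separately, `NPF_EXT_MODULE(name, req)` forms the dependency string as `"npf," req`, so the two in-tree users that pass `""` produce `"npf,"` with a trailing comma; worth confirming that the module loader tolerates an empty trailing dependency name rather than special-casing it here.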
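--- a/src/sys/net/npf/npf_ctl.c
+++ b/src/sys/net/npf/npf_ctl.c
@@ -1,14 +1,14 @@
-/* $NetBSD: npf_ctl.c,v 1.17 2012/08/15 18:44:56 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.18 2012/09/16 13:47:41 rmind Exp $ */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -27,27 +27,27 @@
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
 /*
  * NPF device control.
  *
  * Implementation of (re)loading, construction of tables and rules.
  * NPF proplib(9) dictionary consumer.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.17 2012/08/15 18:44:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.18 2012/09/16 13:47:41 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
 
 #include <prop/proplib.h>
 
 #include "npf_ncode.h"
 #include "npf_impl.h"
 
 #if defined(DEBUG) || defined(DIAGNOSTIC)
 #define NPF_ERR_DEBUG(e) \
 	prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \
 	prop_dictionary_set_uint32((e), "source-line", __LINE__);
@@ -152,49 +152,71 @@ npf_mk_tables(npf_tableset_t *tblset, pr
 		break;
 	}
 	prop_object_iterator_release(it);
 	/*
 	 * Note: in a case of error, caller will free the tableset.
 	 */
 	return error;
 }
 
 static npf_rproc_t *
 npf_mk_rproc(prop_array_t rprocs, const char *rpname)
 {
 	prop_object_iterator_t it;
-	prop_dictionary_t rpdict;
+	prop_dictionary_t rpdict, extdict;
+	prop_array_t extlist;
 	npf_rproc_t *rp;
+	const char *name;
 	uint64_t rpval;
 
 	it = prop_array_iterator(rprocs);
 	while ((rpdict = prop_object_iterator_next(it)) != NULL) {
-		const char *iname;
-		prop_dictionary_get_cstring_nocopy(rpdict, "name", &iname);
-		KASSERT(iname != NULL);
-		if (strcmp(rpname, iname) == 0)
+		prop_dictionary_get_cstring_nocopy(rpdict, "name", &name);
+		KASSERT(name != NULL);
+		if (strcmp(rpname, name) == 0)
 			break;
 	}
 	prop_object_iterator_release(it);
-	if (rpdict == NULL) {
+	if (!rpdict) {
 		return NULL;
 	}
 	CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
-	if (!prop_dictionary_get_uint64(rpdict, "rproc-ptr", &rpval)) {
-		rp = npf_rproc_create(rpdict);
+	if (prop_dictionary_get_uint64(rpdict, "rproc-ptr", &rpval)) {
+		return (npf_rproc_t *)(uintptr_t)rpval;
+	}
+
+	extlist = prop_dictionary_get(rpdict, "extcalls");
+	if (prop_object_type(extlist) != PROP_TYPE_ARRAY) {
+		return NULL;
+	}
+
+	rp = npf_rproc_create(rpdict);
+	if (!rp) {
+		return NULL;
+	}
+	it = prop_array_iterator(extlist);
+	while ((extdict = prop_object_iterator_next(it)) != NULL) {
+		if (!prop_dictionary_get_cstring_nocopy(extdict,
+		    "name", &name) || npf_ext_construct(name, rp, extdict)) {
+			npf_rproc_release(rp);
+			rp = NULL;
+			break;
+		}
+	}
+	prop_object_iterator_release(it);
+
+	if (rp) {
 		rpval = (uint64_t)(uintptr_t)rp;
 		prop_dictionary_set_uint64(rpdict, "rproc-ptr", rpval);
-	} else {
-		rp = (npf_rproc_t *)(uintptr_t)rpval;
 	}
 	return rp;
 }
 
 static int __noinline
 npf_mk_ncode(prop_object_t obj, void **code, size_t *csize,
     prop_dictionary_t errdict)
 {
 	const void *ncptr;
 	int nc_err, errat;
 	size_t nc_size;
 	void *nc;
 
@@ -232,60 +254,60 @@ npf_mk_singlerule(prop_dictionary_t rldi
 	const char *rnm;
 	npf_rproc_t *rp;
 	prop_object_t obj;
 	size_t nc_size;
 	void *nc;
 	int p, error;
 
 	/* Rule - dictionary. */
 	if (prop_object_type(rldict) != PROP_TYPE_DICTIONARY) {
 		NPF_ERR_DEBUG(errdict);
 		return EINVAL;
 	}
 
+	/* Make the rule procedure, if any. */
+	if (rps && prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rnm)) {
+		rp = npf_mk_rproc(rps, rnm);
+		if (rp == NULL) {
+			NPF_ERR_DEBUG(errdict);
+			error = EINVAL;
+			goto err;
+		}
+	} else {
+		rp = NULL;
+	}
+
 	error = 0;
 	obj = prop_dictionary_get(rldict, "ncode");
 	if (obj) {
 		/* N-code (binary data). */
 		error = npf_mk_ncode(obj, &nc, &nc_size, errdict);
 		if (error) {
 			goto err;
 		}
 	} else {
 		/* No n-code. */
 		nc = NULL;
 		nc_size = 0;
 	}
 
-	/* Check for rule procedure. */
-	if (rps && prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rnm)) {
-		rp = npf_mk_rproc(rps, rnm);
-		if (rp == NULL) {
-			if (nc) {
-				npf_ncode_free(nc, nc_size); /* XXX */
-			}
-			NPF_ERR_DEBUG(errdict);
-			error = EINVAL;
-			goto err;
-		}
-	} else {
-		rp = NULL;
-	}
-
 	/* Finally, allocate and return the rule. */
 	*rl = npf_rule_alloc(rldict, rp, nc, nc_size);
 	KASSERT(*rl != NULL);
 	return 0;
 err:
+	if (rp) {
+		npf_rproc_release(rp);
+	}
 	prop_dictionary_get_int32(rldict, "priority", &p); /* XXX */
 	prop_dictionary_set_int32(errdict, "id", p);
 	return error;
 }
 
 static int __noinline
 npf_mk_subrules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs,
     prop_dictionary_t errdict)
 {
 	prop_object_iterator_t it;
 	prop_dictionary_t rldict;
 	int error = 0;
 
@@ -501,32 +523,33 @@ fail:
 		npf_ruleset_destroy(nset);
 	}
 	if (rlset) {
 		npf_ruleset_destroy(rlset);
 	}
 	if (tblset) {
 		npf_tableset_destroy(tblset);
 	}
 	if (error) {
 		prop_object_release(npf_dict);
 	}
 
 	/* Error report. */
-	prop_dictionary_set_int32(errdict, "errno", error);
 #ifndef _NPF_TESTING
+	prop_dictionary_set_int32(errdict, "errno", error);
 	prop_dictionary_copyout_ioctl(pref, cmd, errdict);
-#endif
 	prop_object_release(errdict);
-	return 0;
+	error = 0;
+#endif
+	return error;
 }
 
 int
 npfctl_getconf(u_long cmd, void *data)
 {
 	struct plistref *pref = data;
 	prop_dictionary_t npf_dict;
 	int error;
 
 	npf_core_enter();
 	npf_dict = npf_core_dict();
 	prop_dictionary_set_bool(npf_dict, "active", npf_pfil_registered_p());
 	error = prop_dictionary_copyout_ioctl(pref, cmd, npf_dict);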
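Review bot: In the new `extcalls` loop of npf_mk_rproc (new lines 196-204) each `extdict` taken from the array is handed to `prop_dictionary_get_cstring_nocopy()` and `npf_ext_construct()` without checking that it is a dictionary, although this file otherwise validates object types before use (`prop_object_type(rldict) != PROP_TYPE_DICTIONARY` in npf_mk_singlerule) and, per the file header, this dictionary is consumed from the control interface; the condition should begin with `prop_object_type(extdict) != PROP_TYPE_DICTIONARY ||`. The same function hands back the cached `rproc-ptr` (new line 184) for every later rule without visibly taking a reference, while npf_mk_singlerule now calls `npf_rproc_release(rp)` on its `err:` path (new lines 298-300), so an n-code failure in a later rule sharing that procedure would release a reference this rule never acquired, unless npf_rproc_create/npf_rule_alloc (outside this section) hand out references differently -- worth confirming. Relatedly, `rproc-ptr` is read back from the same dictionary and cast to a kernel pointer; the commit keeps that earlier design rather than introducing it, but keeping the cache out of the caller-supplied dictionary would remove the need to trust the key at all. Finally, in the `fail:` path (new lines 536-542) `prop_object_release(errdict)` now sits inside `#ifndef _NPF_TESTING`, so the testing build never releases errdict.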
/* $NetBSD: npf_ext_log.c,v 1.1 2012/09/16 13:47:41 rmind Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
* NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* NPF logging extension.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.1 2012/09/16 13:47:41 rmind Exp $");
#include <sys/types.h>
#include <sys/module.h>
#include <sys/conf.h>
#include <sys/kmem.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
#include <sys/queue.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/bpf.h>
#include "npf_impl.h"
/*
 * NPF extension module definition: the module depends on "npf" and
 * carries no further dependencies (empty req string).
 */
NPF_EXT_MODULE(npf_ext_log, "");

/* Value advertised in npf_ext_ops_t.version by this extension. */
#define NPFEXT_LOG_VER 1

/* Handle returned by npf_ext_register() at load, used to unregister. */
static void * npf_ext_log_id;

/*
 * Per rule-procedure parameters of the "log" extension: the index of the
 * npflog(4) pseudo-interface that matching packets are passed to BPF on.
 */
typedef struct {
	unsigned int if_idx;
} npf_ext_log_t;

/*
 * Software context of one npflog(4) pseudo-interface.  sc_unit is not
 * referenced by the code in this file.
 */
typedef struct npflog_softc {
	LIST_ENTRY(npflog_softc) sc_entry;	/* link on npflog_if_list */
	kmutex_t sc_lock;			/* serialises npflog_ioctl */
	ifnet_t sc_if;				/* embedded ifnet */
	int sc_unit;
} npflog_softc_t;

static int npflog_clone_create(struct if_clone *, int);
static int npflog_clone_destroy(ifnet_t *);

/* All attached npflog(4) interfaces; walked and emptied by npflogdetach(). */
static LIST_HEAD(, npflog_softc) npflog_if_list __cacheline_aligned;

/* Cloner for "npflogN" interfaces (ifconfig create/destroy). */
static struct if_clone npflog_cloner =
	IF_CLONE_INITIALIZER("npflog", npflog_clone_create, npflog_clone_destroy);
/*
 * npflogattach: initialise the list of npflog(4) pseudo-interfaces and
 * register the interface cloner.  The nunits argument is not used.
 */
void
npflogattach(int nunits)
{

	LIST_INIT(&npflog_if_list);
	if_clone_attach(&npflog_cloner);
}
/*
 * npflogdetach: destroy every remaining npflog(4) pseudo-interface and
 * unregister the interface cloner.  Each destroy unlinks the entry, so the
 * list head is re-read until it is empty.
 */
void
npflogdetach(void)
{
	npflog_softc_t *sc;

	for (sc = LIST_FIRST(&npflog_if_list); sc != NULL;
	    sc = LIST_FIRST(&npflog_if_list)) {
		npflog_clone_destroy(&sc->sc_if);
	}
	if_clone_detach(&npflog_cloner);
}
/*
 * npflog_ioctl: interface ioctl handler for npflog(4).
 *
 * SIOCINITIFADDR marks the interface up and running; every other request
 * is delegated to ifioctl_common().  The softc lock is held across the
 * handling.  Returns 0 or the error from ifioctl_common().
 */
static int
npflog_ioctl(ifnet_t *ifp, u_long cmd, void *data)
{
	npflog_softc_t *sc = ifp->if_softc;
	int error;

	mutex_enter(&sc->sc_lock);
	if (cmd == SIOCINITIFADDR) {
		ifp->if_flags |= (IFF_UP | IFF_RUNNING);
		error = 0;
	} else {
		error = ifioctl_common(ifp, cmd, data);
	}
	mutex_exit(&sc->sc_lock);
	return error;
}
/*
 * npflog_clone_create: cloner callback creating the "npflog<unit>"
 * pseudo-interface.
 *
 * Allocates and initialises the softc, attaches the interface with the
 * DLT_NULL data-link type for BPF and links it on npflog_if_list.  The
 * attach and list insertion happen under the kernel lock.  Always returns 0
 * (allocation uses KM_SLEEP and cannot fail).
 */
static int
npflog_clone_create(struct if_clone *ifc, int unit)
{
	npflog_softc_t *sc = kmem_zalloc(sizeof(*sc), KM_SLEEP);
	ifnet_t *ifp = &sc->sc_if;

	mutex_init(&sc->sc_lock, MUTEX_DEFAULT, IPL_SOFTNET);

	/* Describe the interface. */
	ifp->if_softc = sc;
	if_initname(ifp, "npflog", unit);
	ifp->if_type = IFT_OTHER;
	ifp->if_dlt = DLT_NULL;
	ifp->if_ioctl = npflog_ioctl;

	/* Publish it. */
	KERNEL_LOCK(1, NULL);
	if_attach(ifp);
	if_alloc_sadl(ifp);
	bpf_attach(ifp, DLT_NULL, 0);
	LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
	KERNEL_UNLOCK_ONE(NULL);

	return 0;
}
/*
 * npflog_clone_destroy: cloner callback tearing down an npflog(4)
 * pseudo-interface created by npflog_clone_create().
 *
 * Unlinks and detaches under the kernel lock (mirroring creation), then
 * destroys the softc lock and frees the softc.  Always returns 0.
 */
static int
npflog_clone_destroy(ifnet_t *ifp)
{
	npflog_softc_t *sc = ifp->if_softc;

	KERNEL_LOCK(1, NULL);
	LIST_REMOVE(sc, sc_entry);
	bpf_detach(ifp);
	if_detach(ifp);
	KERNEL_UNLOCK_ONE(NULL);

	/* Nothing can reach the softc any more; release it. */
	mutex_destroy(&sc->sc_lock);
	kmem_free(sc, sizeof(*sc));

	return 0;
}
/*
 * npf_log_ctor: constructor of the "log" rule procedure extension.
 *
 * Allocates the per-procedure parameters, reads the "log-interface"
 * index from params and attaches the parameters to rp.  The lookup's
 * result is not examined: a missing key leaves if_idx at zero, in which
 * case npf_log() presumably finds no interface and logs nothing.
 * Always returns 0.
 */
static int
npf_log_ctor(npf_rproc_t *rp, prop_dictionary_t params)
{
	npf_ext_log_t *meta = kmem_zalloc(sizeof(*meta), KM_SLEEP);

	(void)prop_dictionary_get_uint32(params, "log-interface", &meta->if_idx);
	npf_rproc_assign(rp, meta);
	return 0;
}
/*
 * npf_log_dtor: destructor of the "log" rule procedure extension; frees
 * the parameters allocated by npf_log_ctor().
 */
static void
npf_log_dtor(npf_rproc_t *rp, void *meta)
{
	npf_ext_log_t *log = meta;

	kmem_free(log, sizeof(*log));
}
/*
 * npf_log: packet hook of the "log" extension.
 *
 * Looks up the npflog(4) interface recorded in the parameters and, if it
 * exists, accounts the packet on it and passes it to BPF with the address
 * family taken from the cached headers (AF_UNSPEC when neither IPv4 nor
 * IPv6 is cached).  The verdict in *decision is neither read nor changed.
 * The lookup and tap are done under the kernel lock.
 */
static void
npf_log(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
{
	const npf_ext_log_t *log = meta;
	struct mbuf *m = nbuf;
	ifnet_t *ifp;
	int family = AF_UNSPEC;

	if (npf_iscached(npc, NPC_IP4)) {
		family = AF_INET;
	} else if (npf_iscached(npc, NPC_IP6)) {
		family = AF_INET6;
	}

	KERNEL_LOCK(1, NULL);
	ifp = if_byindex(log->if_idx);
	if (ifp != NULL) {
		/* Count the packet on the pseudo-interface, then tap it. */
		ifp->if_opackets++;
		ifp->if_obytes += m->m_pkthdr.len;
		bpf_mtap_af(ifp, family, m);
	}
	KERNEL_UNLOCK_ONE(NULL);
}
/*
 * Module interface.
 */

/*
 * npf_ext_log_modcmd: module control entry point.
 *
 * INIT attaches the npflog(4) cloner and registers the "log" extension,
 * undoing the attach and returning EEXIST if registration is refused.
 * FINI unregisters first and only detaches the cloner when that succeeded,
 * otherwise it returns the unregister error.  AUTOUNLOAD defers to
 * npf_autounload_p().  Unknown commands return ENOTTY.
 */
static int
npf_ext_log_modcmd(modcmd_t cmd, void *arg)
{
	static const npf_ext_ops_t npf_log_ops = {
		.version = NPFEXT_LOG_VER,
		.ctx = NULL,
		.ctor = npf_log_ctor,
		.dtor = npf_log_dtor,
		.proc = npf_log
	};

	switch (cmd) {
	case MODULE_CMD_INIT:
		npflogattach(1);
		npf_ext_log_id = npf_ext_register("log", &npf_log_ops);
		if (npf_ext_log_id == NULL) {
			/* Registration refused: leave no interface cloner behind. */
			npflogdetach();
			return EEXIST;
		}
		return 0;
	case MODULE_CMD_FINI: {
		int error = npf_ext_unregister(npf_ext_log_id);

		if (error == 0) {
			npflogdetach();
		}
		return error;
	}
	case MODULE_CMD_AUTOUNLOAD:
		/* Allow auto-unload only if NPF permits it. */
		return npf_autounload_p() ? 0 : EBUSY;
	default:
		return ENOTTY;
	}
}
/* $NetBSD: npf_ext_normalise.c,v 1.1 2012/09/16 13:47:41 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalise.c,v 1.1 2012/09/16 13:47:41 rmind Exp $");
#include <sys/types.h>
#include <sys/module.h>
#include <sys/kmem.h>
#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include "npf.h"
#include "npf_impl.h"
/*
 * NPF extension module definition and the identifier.  The module depends
 * on "npf" only (empty req string); the identifier is the handle from
 * npf_ext_register(), set and used by the module command handler, which
 * is not within this excerpt.
 */
NPF_EXT_MODULE(npf_ext_normalise, "");

/* Value advertised in npf_ext_ops_t.version by this extension. */
#define NPFEXT_NORMALISE_VER 1

static void * npf_ext_normalise_id;

/*
 * Normalisation parameters, one instance per rule procedure, filled by
 * npf_normalise_ctor() from the "min-ttl", "max-mss", "random-id" and
 * "no-df" keys.  Zero / false means the corresponding action is disabled.
 */
typedef struct {
	u_int n_minttl;		/* minimum IPv4 TTL to enforce */
	u_int n_maxmss;		/* maximum TCP MSS to clamp to */
	bool n_random_id;	/* randomise the IPv4 ID field */
	bool n_no_df;		/* clear the IPv4 DF flag */
} npf_normalise_t;
/*
 * npf_normalise_ctor: a constructor for the normalisation rule procedure
 * with the given parameters.
 *
 * Allocates the npf_normalise_t for this rule procedure, fills it from the
 * "random-id", "no-df", "min-ttl" and "max-mss" keys of params and assigns
 * it to rp.  Keys that are absent leave the zero-initialised default, i.e.
 * the action disabled; the lookups' return values are not examined.
 * Always returns 0.
 */
static int
npf_normalise_ctor(npf_rproc_t *rp, prop_dictionary_t params)
{
	npf_normalise_t *np = kmem_zalloc(sizeof(*np), KM_SLEEP);

	/* Boolean knobs. */
	(void)prop_dictionary_get_bool(params, "random-id", &np->n_random_id);
	(void)prop_dictionary_get_bool(params, "no-df", &np->n_no_df);

	/* Numeric knobs. */
	(void)prop_dictionary_get_uint32(params, "min-ttl", &np->n_minttl);
	(void)prop_dictionary_get_uint32(params, "max-mss", &np->n_maxmss);

	npf_rproc_assign(rp, np);
	return 0;
}
/*
 * npf_normalise_dtor: a destructor for a normalisation rule procedure;
 * frees the npf_normalise_t allocated by npf_normalise_ctor().
 */
static void
npf_normalise_dtor(npf_rproc_t *rp, void *params)
{
	npf_normalise_t *np = params;

	kmem_free(np, sizeof(*np));
}
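/*
 * npf_normalise_ip4: routine to normalise IPv4 header (randomise ID,
 * clear "don't fragment" and/or enforce minimum TTL).
 *
 * Each modified field is written into the network buffer with
 * nbuf_advstore() and mirrored into the cached header in npc; the IPv4
 * header checksum is fixed up incrementally and written last.  Returns
 * false as soon as a store into the buffer fails, in which case the
 * cached header and the buffer may disagree.
 *
 * Callers must have at least one of random-id, no-df or min-ttl enabled.
 * NOTE(review): the dispatch in npf_normalise() tests only n_random_id and
 * n_minttl before calling here, so a configuration with only no-df set
 * appears never to reach this routine -- confirm.
 */
static inline bool
npf_normalise_ip4(npf_cache_t *npc, nbuf_t *nbuf, npf_normalise_t *np)
{
	void *n_ptr = nbuf_dataptr(nbuf);
	struct ip *ip = &npc->npc_ip.v4;
	uint16_t cksum = ip->ip_sum;
	uint16_t ip_off = ip->ip_off;
	uint8_t ttl = ip->ip_ttl;
	u_int minttl = np->n_minttl;
	u_int offby = 0;

	KASSERT(np->n_random_id || np->n_no_df || minttl);

	/* Randomise IPv4 ID. */
	if (np->n_random_id) {
		uint16_t oid = ip->ip_id, nid;

		nid = htons(ip_randomid(ip_ids, 0));
		offby = offsetof(struct ip, ip_id);
		if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(nid), &nid)) {
			return false;
		}
		cksum = npf_fixup16_cksum(cksum, oid, nid);
		ip->ip_id = nid;
	}

	/* IP_DF flag cleansing. */
	if (np->n_no_df && (ip_off & htons(IP_DF)) != 0) {
		uint16_t nip_off = ip_off & ~htons(IP_DF);

		/* Offsets are relative to the last stored field (n_ptr). */
		if (nbuf_advstore(&nbuf, &n_ptr,
		    offsetof(struct ip, ip_off) - offby,
		    sizeof(uint16_t), &nip_off)) {
			return false;
		}
		cksum = npf_fixup16_cksum(cksum, ip_off, nip_off);
		ip->ip_off = nip_off;
		offby = offsetof(struct ip, ip_off);
	}

	/* Enforce minimum TTL. */
	if (minttl && ttl < minttl) {
		/*
		 * ip_ttl is a single octet, so store from a uint8_t copy:
		 * storing sizeof(uint8_t) bytes from &minttl itself would
		 * write the low octet only on little-endian hosts and a zero
		 * octet on big-endian ones.  Values above 255 are truncated
		 * here; they are expected to be rejected when the
		 * configuration is built -- TODO confirm in npfctl.
		 * NOTE(review): the checksum fixup treats the octet as a
		 * 16-bit datum; whether npf_fixup16_cksum() accounts for
		 * which octet of the ttl/proto word changed on big-endian
		 * hosts is not visible here -- confirm.
		 */
		uint8_t nttl = (uint8_t)minttl;

		if (nbuf_advstore(&nbuf, &n_ptr,
		    offsetof(struct ip, ip_ttl) - offby,
		    sizeof(nttl), &nttl)) {
			return false;
		}
		cksum = npf_fixup16_cksum(cksum, ttl, nttl);
		ip->ip_ttl = nttl;
		offby = offsetof(struct ip, ip_ttl);
	}

	/* Update IPv4 checksum. */
	offby = offsetof(struct ip, ip_sum) - offby;
	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
		return false;
	}
	ip->ip_sum = cksum;
	return true;
}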
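/*
 * npf_normalise: the main routine to normalise IPv4 and/or TCP headers.
 *
 * Rule procedure entry point.  Runs after the filtering decision has been
 * made; it never changes the decision and does nothing if the packet is
 * already being blocked.  IPv4 header options ("random-id", "no-df",
 * "min-ttl") are applied by npf_normalise_ip4(); MSS clamping applies to
 * IPv4 and IPv6 alike, to TCP SYN segments only, and only when the MSS
 * option present exceeds "max-mss".  A failed rewrite simply returns.
 */
static void
npf_normalise(npf_cache_t *npc, nbuf_t *nbuf, void *params, int *decision)
{
	npf_normalise_t *np = params;
	void *n_ptr = nbuf_dataptr(nbuf);
	struct tcphdr *th = &npc->npc_l4.tcp;
	u_int offby, maxmss = np->n_maxmss;
	uint16_t cksum, mss;
	int wscale;

	/* Skip, if already blocking. */
	if (*decision == NPF_DECISION_BLOCK) {
		return;
	}

	if (npf_iscached(npc, NPC_IP4)) {
		/*
		 * Normalise IPv4 if any header option is set.  "no-df" counts
		 * as well: npf_normalise_ip4() honours it, so it must not be
		 * conditional on "random-id" or "min-ttl" also being set.  An
		 * IPv4 packet then falls through to MSS clamping regardless.
		 */
		if ((np->n_random_id || np->n_no_df || np->n_minttl) &&
		    !npf_normalise_ip4(npc, nbuf, np)) {
			return;
		}
	} else if (!npf_iscached(npc, NPC_IP6)) {
		/* Neither IPv4 nor IPv6: nothing to do. */
		return;
	}

	/*
	 * TCP Maximum Segment Size (MSS) "clamping".  Only if SYN packet.
	 * Fetch MSS and check whether rewrite to lower is needed.
	 */
	if (maxmss == 0 || !npf_iscached(npc, NPC_TCP) ||
	    (th->th_flags & TH_SYN) == 0) {
		/* Not required; done. */
		return;
	}
	mss = 0;
	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
		return;
	}
	/* 'mss' stays 0, hence never above maxmss, if the option is absent. */
	if (ntohs(mss) <= maxmss) {
		/* Nothing else to do. */
		return;
	}

	/*
	 * Calculate TCP checksum, then rewrite MSS and the checksum.  The
	 * second npf_fetch_tcpopts() call, with a non-zero 'mss', is what
	 * rewrites the option in the packet (presumably; confirm against
	 * npf_fetch_tcpopts()).  The cached th_sum is updated before the
	 * packet, so the two briefly disagree if that store fails.
	 */
	maxmss = htons(maxmss);		/* "max-mss" is at most 16 bits wide */
	cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
	th->th_sum = cksum;
	mss = maxmss;
	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
		return;
	}
	offby = npf_cache_hlen(npc) + offsetof(struct tcphdr, th_sum);
	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
		return;
	}
}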
/*
 * npf_ext_normalise_modcmd: kernel module entry point.  On load, register
 * the "normalise" extension and its calls with NPF; on unload, unregister
 * it; allow automatic unloading only when npf_autounload_p() permits it.
 */
static int
npf_ext_normalise_modcmd(modcmd_t cmd, void *arg)
{
	/*
	 * Static storage: npf_ext_register() is handed a pointer to this
	 * table, not a copy, so it must remain valid after we return.
	 */
	static const npf_ext_ops_t npf_normalise_ops = {
		.version = NPFEXT_NORMALISE_VER,
		.ctx = NULL,
		.ctor = npf_normalise_ctor,
		.dtor = npf_normalise_dtor,
		.proc = npf_normalise
	};
	int error;

	switch (cmd) {
	case MODULE_CMD_INIT:
		npf_ext_normalise_id =
		    npf_ext_register("normalise", &npf_normalise_ops);
		/* A NULL handle is reported as "already registered". */
		error = (npf_ext_normalise_id != NULL) ? 0 : EEXIST;
		break;
	case MODULE_CMD_FINI:
		error = npf_ext_unregister(npf_ext_normalise_id);
		break;
	case MODULE_CMD_AUTOUNLOAD:
		error = npf_autounload_p() ? 0 : EBUSY;
		break;
	default:
		error = ENOTTY;
		break;
	}
	return error;
}
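--- a/src/sys/net/npf/npf_handler.c
+++ b/src/sys/net/npf/npf_handler.c
@@ -1,14 +1,14 @@
-/* $NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $ */
+/* $NetBSD: npf_handler.c,v 1.22 2012/09/16 13:47:41 rmind Exp $ */
 
 /*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ -24,27 +24,27 @@
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
 
 /*
 * NPF packet handler.
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.22 2012/09/16 13:47:41 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
 
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <net/if.h>
 #include <net/pfil.h>
 #include <sys/socketvar.h>
 
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip_var.h>
@@ -197,30 +197,31 @@ npf_packet_handler(void *arg, struct mbu
 if (se) {
 npf_session_setpass(se, rp);
 }
 }
 pass:
 decision = NPF_DECISION_PASS;
 KASSERT(error == 0);
 /*
 * Perform NAT.
 */
 error = npf_do_nat(&npc, se, nbuf, ifp, di);
 block:
 /*
-* Execute rule procedure, if any.
+* Execute the rule procedure, if any is associated.
+* It may reverse the decision from pass to block.
 */
 if (rp) {
-npf_rproc_run(&npc, nbuf, rp, error);
+npf_rproc_run(&npc, nbuf, rp, &decision);
 }
 out:
 /*
 * Release the reference on a session. Release the reference on a
 * rule procedure only if there was no association.
 */
 if (se) {
 npf_session_release(se);
 } else if (rp) {
 npf_rproc_release(rp);
 }
 
 /* Pass the packet if decided and there is no error. */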
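Review bot: `npf_rproc_run(&npc, nbuf, rp, &decision)` on the `block:` path hands the extension a decision that is still NPF_DECISION_PASS when `npf_do_nat()` has just failed, since `error` is no longer passed along and `decision` was set to PASS before the NAT call, so a logging procedure would record a pass for a packet the handler drops at the end (`/* Pass the packet if decided and there is no error. */`). Folding the error into the decision before the procedure runs keeps what the extension sees consistent with the verdict: `if (error) { decision = NPF_DECISION_BLOCK; }` right after the `block:` label, provided nothing after `out:` keys off the decision alone, which is outside the hunk. Note also that the procedure runs after NAT has already rewritten the packet and after `npf_session_setpass(se, rp)`, so a procedure reversing pass to block acts on a translated packet and a session already marked passing; whether that session is then torn down is decided outside this hunk. npf_packet_handler() starts and ends outside the hunk.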
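--- a/src/sys/net/npf/npf_impl.h
+++ b/src/sys/net/npf/npf_impl.h
@@ -1,14 +1,14 @@
-/* $NetBSD: npf_impl.h,v 1.22 2012/08/15 19:47:38 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.23 2012/09/16 13:47:41 rmind Exp $ */
 
 /*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ -84,29 +84,26 @@ struct npf_sehash;
 struct npf_tblent;
 struct npf_table;
 
 typedef struct npf_sehash npf_sehash_t;
 typedef struct npf_tblent npf_tblent_t;
 typedef struct npf_table npf_table_t;
 
 typedef npf_table_t * npf_tableset_t;
 
 /*
 * DEFINITIONS.
 */
 
-#define NPF_DECISION_BLOCK 0
-#define NPF_DECISION_PASS 1
-
 typedef bool (*npf_algfunc_t)(npf_cache_t *, nbuf_t *, void *);
 
 #define NPF_NCODE_LIMIT 1024
 #define NPF_TABLE_SLOTS 32
 
 /*
 * SESSION STATE STRUCTURES
 */
 
 #define NPF_FLOW_FORW 0
 #define NPF_FLOW_BACK 1
 
 typedef struct {
@@ -147,27 +144,26 @@ int npfctl_getconf(u_long, void *);
 int npfctl_sessions_save(u_long, void *);
 int npfctl_sessions_load(u_long, void *);
 int npfctl_update_rule(u_long, void *);
 int npfctl_table(void *);
 
 void npf_stats_inc(npf_stats_t);
 void npf_stats_dec(npf_stats_t);
 
 /* Packet filter hooks. */
 int npf_pfil_register(void);
 void npf_pfil_unregister(void);
 bool npf_pfil_registered_p(void);
 int npf_packet_handler(void *, struct mbuf **, ifnet_t *, int);
-void npf_log_packet(npf_cache_t *, nbuf_t *, int);
 
 /* Protocol helpers. */
 bool npf_fetch_ip(npf_cache_t *, nbuf_t *, void *);
 bool npf_fetch_tcp(npf_cache_t *, nbuf_t *, void *);
 bool npf_fetch_udp(npf_cache_t *, nbuf_t *, void *);
 bool npf_fetch_icmp(npf_cache_t *, nbuf_t *, void *);
 int npf_cache_all(npf_cache_t *, nbuf_t *);
 
 bool npf_rwrip(npf_cache_t *, nbuf_t *, void *, const int,
 npf_addr_t *);
 bool npf_rwrport(npf_cache_t *, nbuf_t *, void *, const int,
 in_port_t);
 bool npf_rwrcksum(npf_cache_t *, nbuf_t *, void *, const int,
@@ -176,27 +172,26 @@ bool npf_rwrcksum(npf_cache_t *, nbuf_t
 uint16_t npf_fixup16_cksum(uint16_t, uint16_t, uint16_t);
 uint16_t npf_fixup32_cksum(uint16_t, uint32_t, uint32_t);
 uint16_t npf_addr_cksum(uint16_t, int, npf_addr_t *, npf_addr_t *);
 uint32_t npf_addr_sum(const int, const npf_addr_t *, const npf_addr_t *);
 int npf_addr_cmp(const npf_addr_t *, const npf_netmask_t,
 const npf_addr_t *, const npf_netmask_t, const int);
 void npf_addr_mask(const npf_addr_t *, const npf_netmask_t,
 const int, npf_addr_t *);
 
 int npf_tcpsaw(const npf_cache_t *, tcp_seq *, tcp_seq *,
 uint32_t *);
 bool npf_fetch_tcpopts(const npf_cache_t *, nbuf_t *,
 uint16_t *, int *);
-bool npf_normalize(npf_cache_t *, nbuf_t *, bool, bool, u_int, u_int);
 bool npf_return_block(npf_cache_t *, nbuf_t *, const int);
 
 /* Complex instructions. */
 int npf_match_ether(nbuf_t *, int, int, uint16_t, uint32_t *);
 int npf_match_proto(npf_cache_t *, nbuf_t *, void *, uint32_t);
 int npf_match_table(npf_cache_t *, nbuf_t *, void *,
 const int, const u_int);
 int npf_match_ipmask(npf_cache_t *, nbuf_t *, void *,
 const int, const npf_addr_t *, const npf_netmask_t);
 int npf_match_tcp_ports(npf_cache_t *, nbuf_t *, void *,
 const int, const uint32_t);
 int npf_match_udp_ports(npf_cache_t *, nbuf_t *, void *,
 const int, const uint32_t);
@@ -242,30 +237,35 @@ void npf_ruleset_freealg(npf_ruleset_t
 
 npf_rule_t * npf_ruleset_inspect(npf_cache_t *, nbuf_t *, npf_ruleset_t *,
 const ifnet_t *, const int, const int);
 int npf_rule_apply(npf_cache_t *, nbuf_t *, npf_rule_t *, int *);
 
 /* Rule interface. */
 npf_rule_t * npf_rule_alloc(prop_dictionary_t, npf_rproc_t *, void *, size_t);
 void npf_rule_free(npf_rule_t *);
 npf_ruleset_t * npf_rule_subset(npf_rule_t *);
 npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
 void npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
 npf_rproc_t * npf_rule_getrproc(npf_rule_t *);
 
+void npf_ext_sysinit(void);
+void npf_ext_sysfini(void);
+int npf_ext_construct(const char *,
+npf_rproc_t *, prop_dictionary_t);
+
 npf_rproc_t * npf_rproc_create(prop_dictionary_t);
 void npf_rproc_acquire(npf_rproc_t *);
 void npf_rproc_release(npf_rproc_t *);
-void npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int);
+void npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int *);
 
 /* Session handling interface. */
 void npf_session_sysinit(void);
 void npf_session_sysfini(void);
 int npf_session_tracking(bool);
 
 npf_sehash_t * sess_htable_create(void);
 void sess_htable_destroy(npf_sehash_t *);
 void sess_htable_reload(npf_sehash_t *);
 
 npf_session_t * npf_session_inspect(npf_cache_t *, nbuf_t *,
 const ifnet_t *, const int, int *);
 npf_session_t * npf_session_establish(const npf_cache_t *, nbuf_t *,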
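Review bot: The new `npf_ext_construct(const char *, npf_rproc_t *, prop_dictionary_t)` prototype and the `int *` now taken by `npf_rproc_run()` state nothing about their contract, and this header is what the extension modules are written against. The handler's own comment says a procedure may only reverse the decision from pass to block, and the constructor's name string presumably arrives from the control interface (npfctl via npf_ctl.c) before it is matched against registered extensions; I would put that above the declarations, e.g. `/* Extensions: looked up by name supplied through the control interface; a proc may turn a pass decision into a block, never the reverse. */`, and say whether the name length is bounded (EXT_NAME_LEN in npf_rproc.c) before lookup. Whether npf_rproc_run() enforces the pass-to-block direction is in npf_rproc.c, outside this section.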
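--- a/src/sys/net/npf/npf_inet.c
+++ b/src/sys/net/npf/npf_inet.c
@@ -1,14 +1,14 @@
-/* $NetBSD: npf_inet.c,v 1.16 2012/07/21 17:11:01 rmind Exp $ */
+/* $NetBSD: npf_inet.c,v 1.17 2012/09/16 13:47:41 rmind Exp $ */
 
 /*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ -29,39 +29,38 @@
 * POSSIBILITY OF SUCH DAMAGE.
 */
 
 /*
 * Various procotol related helper routines.
 *
 * This layer manipulates npf_cache_t structure i.e. caches requested headers
 * and stores which information was cached in the information bit field.
 * It is also responsibility of this layer to update or invalidate the cache
 * on rewrites (e.g. by translation routines).
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.16 2012/07/21 17:11:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.17 2012/09/16 13:47:41 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
 
 #include <net/pfil.h>
 #include <net/if.h>
 #include <net/ethertypes.h>
 #include <net/if_ether.h>
 
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
-#include <netinet/in_var.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 
 #include "npf_impl.h"
 
 /*
 * npf_fixup{16,32}_cksum: update IPv4 checksum.
 */
 
 uint16_t
@@ -650,137 +649,24 @@ npf_rwrcksum(npf_cache_t *npc, nbuf_t *n
 offby += offsetof(struct udphdr, uh_sum);
 oport = (di == PFIL_OUT) ? &uh->uh_sport : &uh->uh_dport;
 }
 *cksum = npf_addr_cksum(*cksum, npc->npc_alen, oaddr, addr);
 *cksum = npf_fixup16_cksum(*cksum, *oport, port);
 
 /* Advance to TCP/UDP checksum and rewrite it. */
 if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(uint16_t), cksum)) {
 return false;
 }
 return true;
 }
 
-static inline bool
-npf_normalize_ip4(npf_cache_t *npc, nbuf_t *nbuf,
-bool rnd, bool no_df, int minttl)
-{
-void *n_ptr = nbuf_dataptr(nbuf);
-struct ip *ip = &npc->npc_ip.v4;
-uint16_t cksum = ip->ip_sum;
-uint16_t ip_off = ip->ip_off;
-uint8_t ttl = ip->ip_ttl;
-u_int offby = 0;
-
-KASSERT(rnd || minttl || no_df);
-
-/* Randomize IPv4 ID. */
-if (rnd) {
-uint16_t oid = ip->ip_id, nid;
-
-nid = htons(ip_randomid(ip_ids, 0));
-offby = offsetof(struct ip, ip_id);
-if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(nid), &nid)) {
-return false;
-}
-cksum = npf_fixup16_cksum(cksum, oid, nid);
-ip->ip_id = nid;
-}
-
-/* IP_DF flag cleansing. */
-if (no_df && (ip_off & htons(IP_DF)) != 0) {
-uint16_t nip_off = ip_off & ~htons(IP_DF);
-
-if (nbuf_advstore(&nbuf, &n_ptr,
-offsetof(struct ip, ip_off) - offby,
-sizeof(uint16_t), &nip_off)) {
-return false;
-}
-cksum = npf_fixup16_cksum(cksum, ip_off, nip_off);
-ip->ip_off = nip_off;
-offby = offsetof(struct ip, ip_off);
-}
-
-/* Enforce minimum TTL. */
-if (minttl && ttl < minttl) {
-if (nbuf_advstore(&nbuf, &n_ptr,
-offsetof(struct ip, ip_ttl) - offby,
-sizeof(uint8_t), &minttl)) {
-return false;
-}
-cksum = npf_fixup16_cksum(cksum, ttl, minttl);
-ip->ip_ttl = minttl;
-offby = offsetof(struct ip, ip_ttl);
-}
-
-/* Update IP checksum. */
-offby = offsetof(struct ip, ip_sum) - offby;
-if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
-return false;
-}
-ip->ip_sum = cksum;
-return true;
-}
-
-bool
-npf_normalize(npf_cache_t *npc, nbuf_t *nbuf,
-bool no_df, bool rnd, u_int minttl, u_int maxmss)
-{
-void *n_ptr = nbuf_dataptr(nbuf);
-struct tcphdr *th = &npc->npc_l4.tcp;
-uint16_t cksum, mss;
-u_int offby;
-int wscale;
-
-/* Normalize IPv4. */
-if (npf_iscached(npc, NPC_IP4) && (rnd || minttl)) {
-if (!npf_normalize_ip4(npc, nbuf, rnd, no_df, minttl)) {
-return false;
-}
-} else if (!npf_iscached(npc, NPC_IP4)) {
-/* XXX: no IPv6 */
-return false;
-}
-
-/*
-* TCP Maximum Segment Size (MSS) "clamping". Only if SYN packet.
-* Fetch MSS and check whether rewrite to lower is needed.
-*/
-if (maxmss == 0 || !npf_iscached(npc, NPC_TCP) ||
-(th->th_flags & TH_SYN) == 0) {
-/* Not required; done. */
-return true;
-}
-mss = 0;
-if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
-return false;
-}
-if (ntohs(mss) <= maxmss) {
-return true;
-}
-
-/* Calculate TCP checksum, then rewrite MSS and the checksum. */
-maxmss = htons(maxmss);
-cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
-th->th_sum = cksum;
-mss = maxmss;
-if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
-return false;
-}
-offby = npf_cache_hlen(npc) + offsetof(struct tcphdr, th_sum);
-if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
-return false;
-}
-return true;
-}
-
 #if defined(DDB) || defined(_NPF_TESTING)
 
 void
 npf_addr_dump(const npf_addr_t *addr)
 {
 printf("IP[%x:%x:%x:%x]\n",
 addr->s6_addr32[0], addr->s6_addr32[1],
 addr->s6_addr32[2], addr->s6_addr32[3]);
 }
 
 #endif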
--- src/sys/net/npf/npf_rproc.c 2012/02/20 00:18:20 1.2
+++ src/sys/net/npf/npf_rproc.c 2012/09/16 13:47:41 1.3
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npf_rproc.c,v 1.2 2012/02/20 00:18:20 rmind Exp $ */ | | 1 | /* $NetBSD: npf_rproc.c,v 1.3 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This material is based upon work partially supported by The | | 7 | * This material is based upon work partially supported by The |
8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. | | 8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -20,113 +20,254 @@ | | | @@ -20,113 +20,254 @@ |
20 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 20 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. | | 29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ | | 30 | */ |
31 | | | 31 | |
32 | /* | | 32 | /* |
33 | * NPF rule procedure interface. | | 33 | * NPF extension and rule procedure interface. |
34 | */ | | 34 | */ |
35 | | | 35 | |
36 | #include <sys/cdefs.h> | | 36 | #include <sys/cdefs.h> |
37 | __KERNEL_RCSID(0, "$NetBSD"); | | 37 | __KERNEL_RCSID(0, "$NetBSD"); |
38 | | | 38 | |
39 | #include <sys/param.h> | | 39 | #include <sys/param.h> |
40 | #include <sys/types.h> | | 40 | #include <sys/types.h> |
41 | | | 41 | |
42 | #include <sys/atomic.h> | | 42 | #include <sys/atomic.h> |
43 | #include <sys/kmem.h> | | 43 | #include <sys/kmem.h> |
| | | 44 | #include <sys/mutex.h> |
44 | | | 45 | |
45 | #include "npf_impl.h" | | 46 | #include "npf_impl.h" |
46 | | | 47 | |
47 | #define NPF_RNAME_LEN 16 | | 48 | #define EXT_NAME_LEN 32 |
| | | 49 | |
| | | 50 | typedef struct npf_ext { |
| | | 51 | char ext_callname[EXT_NAME_LEN]; |
| | | 52 | LIST_ENTRY(npf_ext) ext_entry; |
| | | 53 | const npf_ext_ops_t * ext_ops; |
| | | 54 | unsigned ext_refcnt; |
| | | 55 | } npf_ext_t; |
| | | 56 | |
| | | 57 | #define RPROC_NAME_LEN 32 |
| | | 58 | #define RPROC_EXT_COUNT 16 |
48 | | | 59 | |
49 | /* Rule procedure structure. */ | | | |
50 | struct npf_rproc { | | 60 | struct npf_rproc { |
51 | /* Name. */ | | 61 | /* Name, reference count and flags. */ |
52 | char rp_name[NPF_RNAME_LEN]; | | 62 | char rp_name[RPROC_NAME_LEN]; |
53 | /* Reference count. */ | | | |
54 | u_int rp_refcnt; | | 63 | u_int rp_refcnt; |
55 | uint32_t rp_flags; | | 64 | uint32_t rp_flags; |
56 | /* Normalisation options. */ | | 65 | /* Associated extensions and their metadata . */ |
57 | bool rp_rnd_ipid; | | 66 | unsigned rp_ext_count; |
58 | bool rp_no_df; | | 67 | npf_ext_t * rp_ext[RPROC_EXT_COUNT]; |
59 | u_int rp_minttl; | | 68 | void * rp_ext_meta[RPROC_EXT_COUNT]; |
60 | u_int rp_maxmss; | | | |
61 | /* Logging interface. */ | | | |
62 | u_int rp_log_ifid; | | | |
63 | }; | | 69 | }; |
64 | | | 70 | |
| | | 71 | static LIST_HEAD(, npf_ext) ext_list __cacheline_aligned; |
| | | 72 | static kmutex_t ext_lock __cacheline_aligned; |
| | | 73 | |
| | | 74 | void |
| | | 75 | npf_ext_sysinit(void) |
| | | 76 | { |
| | | 77 | mutex_init(&ext_lock, MUTEX_DEFAULT, IPL_NONE); |
| | | 78 | LIST_INIT(&ext_list); |
| | | 79 | } |
| | | 80 | |
| | | 81 | void |
| | | 82 | npf_ext_sysfini(void) |
| | | 83 | { |
| | | 84 | KASSERT(LIST_EMPTY(&ext_list)); |
| | | 85 | mutex_destroy(&ext_lock); |
| | | 86 | } |
| | | 87 | |
| | | 88 | /* |
| | | 89 | * NPF extension management for the rule procedures. |
| | | 90 | */ |
| | | 91 | |
| | | 92 | static npf_ext_t * |
| | | 93 | npf_ext_lookup(const char *name) |
| | | 94 | { |
| | | 95 | npf_ext_t *ext = NULL; |
| | | 96 | |
| | | 97 | KASSERT(mutex_owned(&ext_lock)); |
| | | 98 | |
| | | 99 | LIST_FOREACH(ext, &ext_list, ext_entry) |
| | | 100 | if (strcmp(ext->ext_callname, name) == 0) |
| | | 101 | break; |
| | | 102 | return ext; |
| | | 103 | } |
| | | 104 | |
| | | 105 | void * |
| | | 106 | npf_ext_register(const char *name, const npf_ext_ops_t *ops) |
| | | 107 | { |
| | | 108 | npf_ext_t *ext; |
| | | 109 | |
| | | 110 | ext = kmem_zalloc(sizeof(npf_ext_t), KM_SLEEP); |
| | | 111 | strlcpy(ext->ext_callname, name, EXT_NAME_LEN); |
| | | 112 | ext->ext_ops = ops; |
| | | 113 | |
| | | 114 | mutex_enter(&ext_lock); |
| | | 115 | if (npf_ext_lookup(name)) { |
| | | 116 | mutex_exit(&ext_lock); |
| | | 117 | kmem_free(ext, sizeof(npf_ext_t)); |
| | | 118 | return NULL; |
| | | 119 | } |
| | | 120 | LIST_INSERT_HEAD(&ext_list, ext, ext_entry); |
| | | 121 | mutex_exit(&ext_lock); |
| | | 122 | |
| | | 123 | return (void *)ext; |
| | | 124 | } |
| | | 125 | |
| | | 126 | int |
| | | 127 | npf_ext_unregister(void *extid) |
| | | 128 | { |
| | | 129 | npf_ext_t *ext = extid; |
| | | 130 | |
| | | 131 | /* |
| | | 132 | * Check if in-use first (re-check with the lock held). |
| | | 133 | */ |
| | | 134 | if (ext->ext_refcnt) { |
| | | 135 | return EBUSY; |
| | | 136 | } |
| | | 137 | |
| | | 138 | mutex_enter(&ext_lock); |
| | | 139 | if (ext->ext_refcnt) { |
| | | 140 | mutex_exit(&ext_lock); |
| | | 141 | return EBUSY; |
| | | 142 | } |
| | | 143 | KASSERT(npf_ext_lookup(ext->ext_callname)); |
| | | 144 | LIST_REMOVE(ext, ext_entry); |
| | | 145 | mutex_exit(&ext_lock); |
| | | 146 | |
| | | 147 | kmem_free(ext, sizeof(npf_ext_t)); |
| | | 148 | return 0; |
| | | 149 | } |
| | | 150 | |
| | | 151 | int |
| | | 152 | npf_ext_construct(const char *name, npf_rproc_t *rp, prop_dictionary_t params) |
| | | 153 | { |
| | | 154 | const npf_ext_ops_t *extops; |
| | | 155 | npf_ext_t *ext; |
| | | 156 | unsigned i; |
| | | 157 | int error; |
| | | 158 | |
| | | 159 | if (rp->rp_ext_count >= RPROC_EXT_COUNT) { |
| | | 160 | return ENOSPC; |
| | | 161 | } |
| | | 162 | |
| | | 163 | mutex_enter(&ext_lock); |
| | | 164 | ext = npf_ext_lookup(name); |
| | | 165 | if (ext) { |
| | | 166 | atomic_inc_uint(&ext->ext_refcnt); |
| | | 167 | extops = ext->ext_ops; |
| | | 168 | KASSERT(extops != NULL); |
| | | 169 | } |
| | | 170 | mutex_exit(&ext_lock); |
| | | 171 | if (!ext) { |
| | | 172 | return ENOENT; |
| | | 173 | } |
| | | 174 | |
| | | 175 | error = extops->ctor(rp, params); |
| | | 176 | if (error) { |
| | | 177 | atomic_dec_uint(&ext->ext_refcnt); |
| | | 178 | return error; |
| | | 179 | } |
| | | 180 | i = rp->rp_ext_count++; |
| | | 181 | rp->rp_ext[i] = ext; |
| | | 182 | return 0; |
| | | 183 | } |
| | | 184 | |
| | | 185 | /* |
| | | 186 | * Rule procedure management. |
| | | 187 | */ |
| | | 188 | |
| | | 189 | /* |
| | | 190 | * npf_rproc_create: construct a new rule procedure, lookup and associate |
| | | 191 | * the extension calls with it. |
| | | 192 | */ |
65 | npf_rproc_t * | | 193 | npf_rproc_t * |
66 | npf_rproc_create(prop_dictionary_t rpdict) | | 194 | npf_rproc_create(prop_dictionary_t rpdict) |
67 | { | | 195 | { |
| | | 196 | const char *name; |
68 | npf_rproc_t *rp; | | 197 | npf_rproc_t *rp; |
69 | const char *rname; | | 198 | |
| | | 199 | if (!prop_dictionary_get_cstring_nocopy(rpdict, "name", &name)) { |
| | | 200 | return NULL; |
| | | 201 | } |
70 | | | 202 | |
71 | rp = kmem_intr_zalloc(sizeof(npf_rproc_t), KM_SLEEP); | | 203 | rp = kmem_intr_zalloc(sizeof(npf_rproc_t), KM_SLEEP); |
72 | rp->rp_refcnt = 1; | | 204 | rp->rp_refcnt = 1; |
73 | | | 205 | |
74 | /* Name and flags. */ | | 206 | strlcpy(rp->rp_name, name, RPROC_NAME_LEN); |
75 | prop_dictionary_get_cstring_nocopy(rpdict, "name", &rname); | | | |
76 | strlcpy(rp->rp_name, rname, NPF_RNAME_LEN); | | | |
77 | prop_dictionary_get_uint32(rpdict, "flags", &rp->rp_flags); | | 207 | prop_dictionary_get_uint32(rpdict, "flags", &rp->rp_flags); |
78 | | | | |
79 | /* Logging interface ID (integer). */ | | | |
80 | prop_dictionary_get_uint32(rpdict, "log-interface", &rp->rp_log_ifid); | | | |
81 | | | | |
82 | /* IP ID randomisation and IP_DF flag cleansing. */ | | | |
83 | prop_dictionary_get_bool(rpdict, "randomize-id", &rp->rp_rnd_ipid); | | | |
84 | prop_dictionary_get_bool(rpdict, "no-df", &rp->rp_no_df); | | | |
85 | | | | |
86 | /* Minimum IP TTL and maximum TCP MSS. */ | | | |
87 | prop_dictionary_get_uint32(rpdict, "min-ttl", &rp->rp_minttl); | | | |
88 | prop_dictionary_get_uint32(rpdict, "max-mss", &rp->rp_maxmss); | | | |
89 | | | | |
90 | return rp; | | 208 | return rp; |
91 | } | | 209 | } |
92 | | | 210 | |
| | | 211 | /* |
| | | 212 | * npf_rproc_acquire: acquire the reference on the rule procedure. |
| | | 213 | */ |
93 | void | | 214 | void |
94 | npf_rproc_acquire(npf_rproc_t *rp) | | 215 | npf_rproc_acquire(npf_rproc_t *rp) |
95 | { | | 216 | { |
96 | | | 217 | |
97 | atomic_inc_uint(&rp->rp_refcnt); | | 218 | atomic_inc_uint(&rp->rp_refcnt); |
98 | } | | 219 | } |
99 | | | 220 | |
| | | 221 | /* |
| | | 222 | * npf_rproc_release: drop the reference count and destroy the rule |
| | | 223 | * procedure on the last reference. |
| | | 224 | */ |
100 | void | | 225 | void |
101 | npf_rproc_release(npf_rproc_t *rp) | | 226 | npf_rproc_release(npf_rproc_t *rp) |
102 | { | | 227 | { |
103 | | | 228 | |
104 | /* Destroy on last reference. */ | | | |
105 | KASSERT(rp->rp_refcnt > 0); | | 229 | KASSERT(rp->rp_refcnt > 0); |
106 | if (atomic_dec_uint_nv(&rp->rp_refcnt) != 0) { | | 230 | if (atomic_dec_uint_nv(&rp->rp_refcnt) != 0) { |
107 | return; | | 231 | return; |
108 | } | | 232 | } |
| | | 233 | /* XXXintr */ |
| | | 234 | for (unsigned i = 0; i < rp->rp_ext_count; i++) { |
| | | 235 | npf_ext_t *ext = rp->rp_ext[i]; |
| | | 236 | const npf_ext_ops_t *extops = ext->ext_ops; |
| | | 237 | |
| | | 238 | extops->dtor(rp, rp->rp_ext_meta[i]); |
| | | 239 | atomic_dec_uint(&ext->ext_refcnt); |
| | | 240 | } |
109 | kmem_intr_free(rp, sizeof(npf_rproc_t)); | | 241 | kmem_intr_free(rp, sizeof(npf_rproc_t)); |
110 | } | | 242 | } |
111 | | | 243 | |
112 | void | | 244 | void |
113 | npf_rproc_run(npf_cache_t *npc, nbuf_t *nbuf, npf_rproc_t *rp, int error) | | 245 | npf_rproc_assign(npf_rproc_t *rp, void *params) |
114 | { | | 246 | { |
115 | const uint32_t flags = rp->rp_flags; | | 247 | unsigned i = rp->rp_ext_count; |
| | | 248 | |
| | | 249 | /* Note: params may be NULL. */ |
| | | 250 | KASSERT(i < RPROC_EXT_COUNT); |
| | | 251 | rp->rp_ext_meta[i] = params; |
| | | 252 | } |
| | | 253 | |
| | | 254 | /* |
| | | 255 | * npf_rproc_run: run the rule procedure by executing each extension call. |
| | | 256 | * |
| | | 257 | * => Reference on the rule procedure must be held. |
| | | 258 | */ |
| | | 259 | void |
| | | 260 | npf_rproc_run(npf_cache_t *npc, nbuf_t *nbuf, npf_rproc_t *rp, int *decision) |
| | | 261 | { |
| | | 262 | const unsigned extcount = rp->rp_ext_count; |
116 | | | 263 | |
117 | KASSERT(rp->rp_refcnt > 0); | | 264 | KASSERT(rp->rp_refcnt > 0); |
118 | | | 265 | |
119 | /* Normalise the packet, if required. */ | | 266 | for (unsigned i = 0; i < extcount; i++) { |
120 | if ((flags & NPF_RPROC_NORMALIZE) != 0 && !error) { | | 267 | const npf_ext_t *ext = rp->rp_ext[i]; |
121 | (void)npf_normalize(npc, nbuf, | | 268 | const npf_ext_ops_t *extops = ext->ext_ops; |
122 | rp->rp_rnd_ipid, rp->rp_no_df, | | | |
123 | rp->rp_minttl, rp->rp_maxmss); | | | |
124 | npf_stats_inc(NPF_STAT_RPROC_NORM); | | | |
125 | } | | | |
126 | | | 269 | |
127 | /* Log packet, if required. */ | | 270 | KASSERT(ext->ext_refcnt > 0); |
128 | if ((flags & NPF_RPROC_LOG) != 0) { | | 271 | extops->proc(npc, nbuf, rp->rp_ext_meta[i], decision); |
129 | npf_log_packet(npc, nbuf, rp->rp_log_ifid); | | | |
130 | npf_stats_inc(NPF_STAT_RPROC_LOG); | | | |
131 | } | | 272 | } |
132 | } | | 273 | } |
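Review bot: In `npf_ext_register` (hunk `@@ -20,113 +20,254 @@`, new lines 106-124) the name is copied into the 32-byte `ext_callname` with strlcpy, but `npf_ext_lookup` compares the stored (possibly truncated) string against the caller's full `name` with strcmp, so a name of EXT_NAME_LEN bytes or more passes the duplicate check and can never be found again by `npf_ext_construct`, which returns ENOENT for the full name. Reject over-long names before allocating: `if (strlen(name) >= EXT_NAME_LEN) return NULL;` at the top of the function. The same truncating strlcpy is applied to `rp_name` in `npf_rproc_create`, where the name comes from a userland dictionary; whether a truncated rule-procedure name is later matched by its full name depends on code outside this hunk. It would also help to document at `npf_rproc_assign` that it is expected to be called from within the extension's `ctor`, since the slot it writes is `rp_ext_count` as it stands before `npf_ext_construct` increments it after `ctor` returns.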
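--- a/src/sys/rump/net/lib/libnpf/Makefile
+++ b/src/sys/rump/net/lib/libnpf/Makefile
@@ -1,24 +1,28 @@
-# $NetBSD: Makefile,v 1.1 2012/08/14 22:31:44 rmind Exp $
+# $NetBSD: Makefile,v 1.2 2012/09/16 13:47:42 rmind Exp $
 #
 # Public Domain.
 #
 
 .PATH: ${.CURDIR}/../../../../net/npf
 
 LIB= rumpnet_npf
 
 SRCS= npf.c npf_alg.c npf_ctl.c npf_handler.c
-SRCS+= npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
+SRCS+= npf_inet.c npf_instr.c npf_mbuf.c npf_nat.c
 SRCS+= npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
 SRCS+= npf_session.c npf_state.c npf_state_tcp.c
 SRCS+= npf_tableset.c npf_tableset_ptree.c
 
+SRCS+= npf_alg_icmp.c
+
+SRCS+= npf_ext_log.c npf_ext_normalise.c
+
 SRCS+= component.c
 
-WARNS= 4
+WARNS= 5
 
 CPPFLAGS+= -D_NPF_TESTING
 CPPFLAGS+= -I${.CURDIR}/../../../librump/rumpvfs
 
 .include <bsd.lib.mk>
 .include <bsd.klinks.mk>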
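--- a/src/usr.sbin/npf/npfctl/Makefile
+++ b/src/usr.sbin/npf/npfctl/Makefile
@@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.7 2012/05/30 21:30:07 rmind Exp $
+# $NetBSD: Makefile,v 1.8 2012/09/16 13:47:41 rmind Exp $
 
 PROG= npfctl
 MAN= npfctl.8 npf.conf.5
 
 SRCS= npfctl.c npf_var.c npf_data.c npf_ncgen.c npf_build.c \
-npf_disassemble.c
+npf_extmod.c npf_disassemble.c
 
 CPPFLAGS+= -I${.CURDIR}
 SRCS+= npf_scan.l npf_parse.y
 YHEADER= 1
 
 LDADD+= -lnpf -lprop -lutil -ly
 DPADD+= ${LIBNPF} ${LIBPROP} ${LIBUTIL}
 
-WARNS?= 4
-NOLINT= # disabled (note: deliberately)
+WARNS= 5
+NOLINT= # disabled deliberately
 
 .include <bsd.prog.mk>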
--- src/usr.sbin/npf/npfctl/npf_build.c 2012/08/12 03:35:13 1.13
+++ src/usr.sbin/npf/npfctl/npf_build.c 2012/09/16 13:47:41 1.14
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npf_build.c,v 1.13 2012/08/12 03:35:13 rmind Exp $ */ | | 1 | /* $NetBSD: npf_build.c,v 1.14 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This material is based upon work partially supported by The | | 7 | * This material is based upon work partially supported by The |
8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. | | 8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -24,34 +24,35 @@ | | | @@ -24,34 +24,35 @@ |
24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. | | 29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ | | 30 | */ |
31 | | | 31 | |
32 | /* | | 32 | /* |
33 | * npfctl(8) building of the configuration. | | 33 | * npfctl(8) building of the configuration. |
34 | */ | | 34 | */ |
35 | | | 35 | |
36 | #include <sys/cdefs.h> | | 36 | #include <sys/cdefs.h> |
37 | __RCSID("$NetBSD: npf_build.c,v 1.13 2012/08/12 03:35:13 rmind Exp $"); | | 37 | __RCSID("$NetBSD: npf_build.c,v 1.14 2012/09/16 13:47:41 rmind Exp $"); |
38 | | | 38 | |
39 | #include <sys/types.h> | | 39 | #include <sys/types.h> |
40 | #include <sys/ioctl.h> | | 40 | #include <sys/ioctl.h> |
41 | | | 41 | |
42 | #include <stdlib.h> | | 42 | #include <stdlib.h> |
43 | #include <inttypes.h> | | 43 | #include <inttypes.h> |
44 | #include <string.h> | | 44 | #include <string.h> |
| | | 45 | #include <errno.h> |
45 | #include <err.h> | | 46 | #include <err.h> |
46 | | | 47 | |
47 | #include "npfctl.h" | | 48 | #include "npfctl.h" |
48 | | | 49 | |
49 | static nl_config_t * npf_conf = NULL; | | 50 | static nl_config_t * npf_conf = NULL; |
50 | static nl_rule_t * current_group = NULL; | | 51 | static nl_rule_t * current_group = NULL; |
51 | static bool npf_debug = false; | | 52 | static bool npf_debug = false; |
52 | static bool defgroup_set = false; | | 53 | static bool defgroup_set = false; |
53 | | | 54 | |
54 | void | | 55 | void |
55 | npfctl_config_init(bool debug) | | 56 | npfctl_config_init(bool debug) |
56 | { | | 57 | { |
57 | | | 58 | |
| @@ -367,98 +368,76 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam | | | @@ -367,98 +368,76 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam |
367 | } | | 368 | } |
368 | assert(code && len > 0); | | 369 | assert(code && len > 0); |
369 | | | 370 | |
370 | if (npf_rule_setcode(rl, NPF_CODE_NCODE, code, len) == -1) { | | 371 | if (npf_rule_setcode(rl, NPF_CODE_NCODE, code, len) == -1) { |
371 | errx(EXIT_FAILURE, "npf_rule_setcode failed"); | | 372 | errx(EXIT_FAILURE, "npf_rule_setcode failed"); |
372 | } | | 373 | } |
373 | free(code); | | 374 | free(code); |
374 | return true; | | 375 | return true; |
375 | } | | 376 | } |
376 | | | 377 | |
377 | static void | | 378 | static void |
378 | npfctl_build_rpcall(nl_rproc_t *rp, const char *name, npfvar_t *args) | | 379 | npfctl_build_rpcall(nl_rproc_t *rp, const char *name, npfvar_t *args) |
379 | { | | 380 | { |
380 | /* | | 381 | npf_extmod_t *extmod; |
381 | * XXX/TODO: Hardcoded for the first release. However, | | 382 | nl_ext_t *extcall; |
382 | * rule procedures will become fully dynamic modules. | | 383 | int error; |
383 | */ | | | |
384 | | | 384 | |
385 | bool log = false, norm = false; | | 385 | extmod = npf_extmod_get(name, &extcall); |
386 | bool rnd = false, no_df = false; | | 386 | if (extmod == NULL) { |
387 | int minttl = 0, maxmss = 0; | | | |
388 | | | | |
389 | if (strcmp(name, "log") == 0) { | | | |
390 | log = true; | | | |
391 | } else if (strcmp(name, "normalise") == 0) { | | | |
392 | norm = true; | | | |
393 | } else { | | | |
394 | yyerror("unknown rule procedure '%s'", name); | | 387 | yyerror("unknown rule procedure '%s'", name); |
395 | } | | 388 | } |
396 | | | 389 | |
397 | for (size_t i = 0; i < npfvar_get_count(args); i++) { | | 390 | for (size_t i = 0; i < npfvar_get_count(args); i++) { |
398 | module_arg_t *arg; | | 391 | const char *param, *value; |
399 | const char *aval; | | 392 | proc_param_t *p; |
400 | | | | |
401 | arg = npfvar_get_data(args, NPFVAR_MODULE_ARG, i); | | | |
402 | aval = arg->ma_name; | | | |
403 | | | 393 | |
404 | if (log) { | | 394 | p = npfvar_get_data(args, NPFVAR_PROC_PARAM, i); |
405 | u_int if_idx = npfctl_find_ifindex(aval); | | 395 | param = p->pp_param; |
406 | _npf_rproc_setlog(rp, if_idx); | | 396 | value = p->pp_value; |
407 | return; | | 397 | |
408 | } | | 398 | error = npf_extmod_param(extmod, extcall, param, value); |
409 | | | 399 | switch (error) { |
410 | const int type = npfvar_get_type(arg->ma_opts, 0); | | 400 | case EINVAL: |
411 | if (type != -1 && type != NPFVAR_NUM) { | | 401 | yyerror("invalid parameter '%s'", param); |
412 | yyerror("option '%s' is not numeric", aval); | | 402 | default: |
413 | } | | 403 | break; |
414 | unsigned long *opt; | | | |
415 | | | | |
416 | if (strcmp(aval, "random-id") == 0) { | | | |
417 | rnd = true; | | | |
418 | } else if (strcmp(aval, "min-ttl") == 0) { | | | |
419 | opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0); | | | |
420 | minttl = *opt; | | | |
421 | } else if (strcmp(aval, "max-mss") == 0) { | | | |
422 | opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0); | | | |
423 | maxmss = *opt; | | | |
424 | } else if (strcmp(aval, "no-df") == 0) { | | | |
425 | no_df = true; | | | |
426 | } else { | | | |
427 | yyerror("unknown argument '%s'", aval); | | | |
428 | } | | 404 | } |
429 | } | | 405 | } |
430 | assert(norm == true); | | 406 | error = npf_rproc_extcall(rp, extcall); |
431 | _npf_rproc_setnorm(rp, rnd, no_df, minttl, maxmss); | | 407 | if (error) { |
| | | 408 | yyerror(error == EEXIST ? |
| | | 409 | "duplicate procedure call" : "unexpected error"); |
| | | 410 | } |
432 | } | | 411 | } |
433 | | | 412 | |
434 | /* | | 413 | /* |
435 | * npfctl_build_rproc: create and insert a rule procedure. | | 414 | * npfctl_build_rproc: create and insert a rule procedure. |
436 | */ | | 415 | */ |
437 | void | | 416 | void |
438 | npfctl_build_rproc(const char *name, npfvar_t *procs) | | 417 | npfctl_build_rproc(const char *name, npfvar_t *procs) |
439 | { | | 418 | { |
440 | nl_rproc_t *rp; | | 419 | nl_rproc_t *rp; |
441 | size_t i; | | 420 | size_t i; |
442 | | | 421 | |
443 | rp = npf_rproc_create(name); | | 422 | rp = npf_rproc_create(name); |
444 | if (rp == NULL) { | | 423 | if (rp == NULL) { |
445 | errx(EXIT_FAILURE, "npf_rproc_create failed"); | | 424 | errx(EXIT_FAILURE, "npf_rproc_create failed"); |
446 | } | | 425 | } |
447 | npf_rproc_insert(npf_conf, rp); | | 426 | npf_rproc_insert(npf_conf, rp); |
448 | | | 427 | |
449 | for (i = 0; i < npfvar_get_count(procs); i++) { | | 428 | for (i = 0; i < npfvar_get_count(procs); i++) { |
450 | proc_op_t *po = npfvar_get_data(procs, NPFVAR_PROC_OP, i); | | 429 | proc_call_t *pc = npfvar_get_data(procs, NPFVAR_PROC, i); |
451 | npfctl_build_rpcall(rp, po->po_name, po->po_opts); | | 430 | npfctl_build_rpcall(rp, pc->pc_name, pc->pc_opts); |
452 | } | | 431 | } |
453 | } | | 432 | } |
454 | | | 433 | |
455 | /* | | 434 | /* |
456 | * npfctl_build_group: create a group, insert into the global ruleset | | 435 | * npfctl_build_group: create a group, insert into the global ruleset |
457 | * and update the current group pointer. | | 436 | * and update the current group pointer. |
458 | */ | | 437 | */ |
459 | void | | 438 | void |
460 | npfctl_build_group(const char *name, int attr, u_int if_idx) | | 439 | npfctl_build_group(const char *name, int attr, u_int if_idx) |
461 | { | | 440 | { |
462 | const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT); | | 441 | const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT); |
463 | nl_rule_t *rl; | | 442 | nl_rule_t *rl; |
464 | | | 443 | |
| @@ -488,27 +467,27 @@ npfctl_build_rule(int attr, u_int if_idx | | | @@ -488,27 +467,27 @@ npfctl_build_rule(int attr, u_int if_idx |
488 | { | | 467 | { |
489 | nl_rule_t *rl; | | 468 | nl_rule_t *rl; |
490 | | | 469 | |
491 | rl = npf_rule_create(NULL, attr, if_idx); | | 470 | rl = npf_rule_create(NULL, attr, if_idx); |
492 | npfctl_build_ncode(rl, family, op, fopts, false); | | 471 | npfctl_build_ncode(rl, family, op, fopts, false); |
493 | if (rproc && npf_rule_setproc(npf_conf, rl, rproc) != 0) { | | 472 | if (rproc && npf_rule_setproc(npf_conf, rl, rproc) != 0) { |
494 | yyerror("rule procedure '%s' is not defined", rproc); | | 473 | yyerror("rule procedure '%s' is not defined", rproc); |
495 | } | | 474 | } |
496 | assert(current_group != NULL); | | 475 | assert(current_group != NULL); |
497 | npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT); | | 476 | npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT); |
498 | } | | 477 | } |
499 | | | 478 | |
500 | /* | | 479 | /* |
501 | * npfctl_build_onenat: create a single NAT policy of a specified | | 480 | * npfctl_build_nat: create a single NAT policy of a specified |
502 | * type with a given filter options. | | 481 | * type with a given filter options. |
503 | */ | | 482 | */ |
504 | static void | | 483 | static void |
505 | npfctl_build_nat(int type, u_int if_idx, sa_family_t family, | | 484 | npfctl_build_nat(int type, u_int if_idx, sa_family_t family, |
506 | const addr_port_t *ap, const filt_opts_t *fopts, bool binat) | | 485 | const addr_port_t *ap, const filt_opts_t *fopts, bool binat) |
507 | { | | 486 | { |
508 | const opt_proto_t op = { .op_proto = -1, .op_opts = NULL }; | | 487 | const opt_proto_t op = { .op_proto = -1, .op_opts = NULL }; |
509 | fam_addr_mask_t *am; | | 488 | fam_addr_mask_t *am; |
510 | in_port_t port; | | 489 | in_port_t port; |
511 | nl_nat_t *nat; | | 490 | nl_nat_t *nat; |
512 | | | 491 | |
513 | if (!ap->ap_netaddr) { | | 492 | if (!ap->ap_netaddr) { |
514 | yyerror("%s network segment is not specified", | | 493 | yyerror("%s network segment is not specified", |
| @@ -544,56 +523,56 @@ npfctl_build_nat(int type, u_int if_idx, | | | @@ -544,56 +523,56 @@ npfctl_build_nat(int type, u_int if_idx, |
544 | } | | 523 | } |
545 | nat = npf_nat_create(NPF_NATIN, !binat ? NPF_NAT_PORTS : 0, | | 524 | nat = npf_nat_create(NPF_NATIN, !binat ? NPF_NAT_PORTS : 0, |
546 | if_idx, &am->fam_addr, am->fam_family, port); | | 525 | if_idx, &am->fam_addr, am->fam_family, port); |
547 | break; | | 526 | break; |
548 | default: | | 527 | default: |
549 | assert(false); | | 528 | assert(false); |
550 | } | | 529 | } |
551 | | | 530 | |
552 | npfctl_build_ncode(nat, family, &op, fopts, false); | | 531 | npfctl_build_ncode(nat, family, &op, fopts, false); |
553 | npf_nat_insert(npf_conf, nat, NPF_PRI_NEXT); | | 532 | npf_nat_insert(npf_conf, nat, NPF_PRI_NEXT); |
554 | } | | 533 | } |
555 | | | 534 | |
556 | /* | | 535 | /* |
557 | * npfctl_build_nat: validate and create NAT policies. | | 536 | * npfctl_build_natseg: validate and create NAT policies. |
558 | */ | | 537 | */ |
559 | void | | 538 | void |
560 | npfctl_build_natseg(int sd, int type, u_int if_idx, const addr_port_t *ap1, | | 539 | npfctl_build_natseg(int sd, int type, u_int if_idx, const addr_port_t *ap1, |
561 | const addr_port_t *ap2, const filt_opts_t *fopts) | | 540 | const addr_port_t *ap2, const filt_opts_t *fopts) |
562 | { | | 541 | { |
563 | sa_family_t af = AF_INET; | | 542 | sa_family_t af = AF_INET; |
564 | filt_opts_t imfopts; | | 543 | filt_opts_t imfopts; |
565 | bool binat; | | 544 | bool binat; |
566 | | | 545 | |
567 | if (sd == NPFCTL_NAT_STATIC) { | | 546 | if (sd == NPFCTL_NAT_STATIC) { |
568 | yyerror("static NAT is not yet supported"); | | 547 | yyerror("static NAT is not yet supported"); |
569 | } | | 548 | } |
570 | assert(sd == NPFCTL_NAT_DYNAMIC); | | 549 | assert(sd == NPFCTL_NAT_DYNAMIC); |
571 | assert(if_idx != 0); | | 550 | assert(if_idx != 0); |
572 | | | 551 | |
573 | /* | | 552 | /* |
574 | * Bi-directional NAT is a combination of inbound NAT and outbound | | 553 | * Bi-directional NAT is a combination of inbound NAT and outbound |
575 | * NAT policies. Note that the translation address is local IP and | | 554 | * NAT policies. Note that the translation address is local IP and |
576 | * the filter criteria is inverted accordingly. | | 555 | * the filter criteria is inverted accordingly. |
577 | */ | | 556 | */ |
578 | binat = (NPF_NATIN | NPF_NATOUT) == type; | | 557 | binat = (NPF_NATIN | NPF_NATOUT) == type; |
579 | | | 558 | |
580 | /* | | 559 | /* |
581 | * If the filter criteria is not specified explicitly, apply implicit | | 560 | * If the filter criteria is not specified explicitly, apply implicit |
582 | * filtering according to the given network segements. | | 561 | * filtering according to the given network segments. |
583 | * | | 562 | * |
584 | * Note: filled below, depending on the type. | | 563 | * Note: filled below, depending on the type. |
585 | */ | | 564 | */ |
586 | if (!fopts) { | | 565 | if (__predict_true(!fopts)) { |
587 | fopts = &imfopts; | | 566 | fopts = &imfopts; |
588 | } | | 567 | } |
589 | | | 568 | |
590 | if (type & NPF_NATIN) { | | 569 | if (type & NPF_NATIN) { |
591 | memset(&imfopts, 0, sizeof(filt_opts_t)); | | 570 | memset(&imfopts, 0, sizeof(filt_opts_t)); |
592 | memcpy(&imfopts.fo_to, ap2, sizeof(addr_port_t)); | | 571 | memcpy(&imfopts.fo_to, ap2, sizeof(addr_port_t)); |
593 | npfctl_build_nat(NPF_NATIN, if_idx, af, ap1, fopts, binat); | | 572 | npfctl_build_nat(NPF_NATIN, if_idx, af, ap1, fopts, binat); |
594 | } | | 573 | } |
595 | if (type & NPF_NATOUT) { | | 574 | if (type & NPF_NATOUT) { |
596 | memset(&imfopts, 0, sizeof(filt_opts_t)); | | 575 | memset(&imfopts, 0, sizeof(filt_opts_t)); |
597 | memcpy(&imfopts.fo_from, ap1, sizeof(addr_port_t)); | | 576 | memcpy(&imfopts.fo_from, ap1, sizeof(addr_port_t)); |
598 | npfctl_build_nat(NPF_NATOUT, if_idx, af, ap2, fopts, binat); | | 577 | npfctl_build_nat(NPF_NATOUT, if_idx, af, ap2, fopts, binat); |
599 | } | | 578 | } |
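Review bot: In `npfctl_build_rpcall` (hunk `@@ -367,98 +368,76 @@`) the `switch (error)` after `npf_extmod_param` reports only EINVAL; any other non-zero return from the module's param function lands in `default: break;` and the parameter is silently dropped, and the `case EINVAL` body falls through into `default` without a fallthrough comment. Since `error` is a plain int, a single test reads better and loses nothing: `if (error) { yyerror(error == EINVAL ? "invalid parameter '%s'" : "cannot set parameter '%s'", param); }`, matching the ternary already used for the `npf_rproc_extcall` failure below. The `extmod == NULL` branch continues into the loop with a NULL `extmod` and an unset `extcall`, which is only safe if yyerror does not return; the removed code relied on the same assumption, so a `/* NOTREACHED */` comment after that yyerror would make the dependency explicit. Given that `npf_extmod_load` in the new npf_extmod.c exits via errx when dlopen fails, the "unknown rule procedure" message appears reachable only when the module loads but its init or constructor fails, so its wording may be worth revisiting.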
/* $NetBSD: npf_extmod.c,v 1.1 2012/09/16 13:47:41 rmind Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Mindaugas Rasiukevicius.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* npfctl(8) extension loading interface.
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: npf_extmod.c,v 1.1 2012/09/16 13:47:41 rmind Exp $");

#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
#include <limits.h>
#include <string.h>
#include <err.h>
#include <dlfcn.h>

#include "npfctl.h"
/*
 * A loaded npfctl extension module: the name it was requested by and the
 * three entry points resolved from its shared object (see npf_extmod_sym()).
 * The public typedef npf_extmod_t is declared in npfctl.h.
 */
struct npf_extmod {
	char *			name;	/* extension name, xstrdup()'d copy */
	npfext_initfunc_t	init;	/* "npfext_<name>_init" */
	npfext_consfunc_t	cons;	/* "npfext_<name>_construct" */
	npfext_paramfunc_t	param;	/* "npfext_<name>_param" */
	struct npf_extmod *	next;	/* next entry in npf_extmod_list */
};
/* Singly linked list of loaded extensions; npf_extmod_load() pushes at the head. */
static npf_extmod_t *	npf_extmod_list;
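/*
 * npf_extmod_sym: resolve the "npfext_<name>_<func>" symbol in a loaded
 * extension library.
 *
 * handle: dlopen(3) handle of the extension library.
 * name:   extension name, spliced into the symbol name.
 * func:   entry-point suffix ("init", "construct" or "param").
 *
 * Returns the symbol address.  Exits via errx(3) if the composed symbol
 * name does not fit the buffer or dlsym(3) cannot resolve it, matching
 * the fatal-error convention of the rest of this file.
 */
static void *
npf_extmod_sym(void *handle, const char *name, const char *func)
{
	char buf[64];
	void *sym;
	int len;

	/*
	 * A truncated symbol name would surface as a confusing "undefined
	 * symbol" from dlsym(3); reject it explicitly instead.
	 */
	len = snprintf(buf, sizeof(buf), "npfext_%s_%s", name, func);
	if (len < 0 || (size_t)len >= sizeof(buf)) {
		errx(EXIT_FAILURE, "extension name '%s' is too long", name);
	}
	sym = dlsym(handle, buf);
	if (sym == NULL) {
		errx(EXIT_FAILURE, "dlsym: %s", dlerror());
	}
	return sym;
}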
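/*
 * npf_extmod_load: dlopen(3) the extension library, resolve its entry
 * points, run its init routine and link it onto npf_extmod_list.
 *
 * name: extension name; the library is /usr/lib/npf/ext_<name>.so.
 *
 * Returns the new list entry, or NULL if the extension's init routine
 * failed (everything acquired is released again in that case).  Load and
 * symbol-resolution errors are fatal, see npf_extmod_sym().  The dlopen
 * handle of a successfully initialised extension is not kept: the library
 * stays mapped for the lifetime of the process.
 */
static npf_extmod_t *
npf_extmod_load(const char *name)
{
	npf_extmod_t *ext;
	void *handle;
	char extlib[PATH_MAX];
	int len;

	/*
	 * The name is spliced into a filesystem path: a separator in it
	 * would escape the extension directory, and a name that does not
	 * fit PATH_MAX would yield a silently truncated path.
	 */
	if (strchr(name, '/') != NULL) {
		errx(EXIT_FAILURE, "invalid extension name '%s'", name);
	}
	len = snprintf(extlib, sizeof(extlib), "/usr/lib/npf/ext_%s.so", name);
	if (len < 0 || (size_t)len >= sizeof(extlib)) {
		errx(EXIT_FAILURE, "extension name '%s' is too long", name);
	}
	handle = dlopen(extlib, RTLD_LAZY | RTLD_LOCAL);
	if (handle == NULL) {
		errx(EXIT_FAILURE, "dlopen: %s", dlerror());
	}

	ext = zalloc(sizeof(npf_extmod_t));
	ext->name = xstrdup(name);
	ext->init = npf_extmod_sym(handle, name, "init");
	ext->cons = npf_extmod_sym(handle, name, "construct");
	ext->param = npf_extmod_sym(handle, name, "param");

	/* Initialise the module; on failure release the name and the library. */
	if (ext->init() != 0) {
		free(ext->name);
		free(ext);
		dlclose(handle);
		return NULL;
	}

	/* Push onto the head of the list of loaded extensions. */
	ext->next = npf_extmod_list;
	npf_extmod_list = ext;
	return ext;
}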
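/*
 * npf_extmod_get: find the extension module "name", loading it on first
 * use, and construct a new extension call (nl_ext_t) from it.
 *
 * name:    extension name from the configuration.
 * extcall: on success receives the constructed extension call; set to
 *          NULL on failure.
 *
 * Returns the module, or NULL if the module's init routine or its
 * constructor failed.  Load errors are fatal, see npf_extmod_load().
 */
npf_extmod_t *
npf_extmod_get(const char *name, nl_ext_t **extcall)
{
	npf_extmod_t *extmod;

	/*
	 * Already loaded?  Construct from the cached module.  A constructor
	 * failure is reported as such: re-loading the same library and
	 * re-running its init would not help and would only add a duplicate
	 * entry to npf_extmod_list.
	 */
	for (extmod = npf_extmod_list; extmod != NULL; extmod = extmod->next) {
		if (strcmp(extmod->name, name) == 0) {
			*extcall = extmod->cons(name);
			return (*extcall != NULL) ? extmod : NULL;
		}
	}

	/* First use: load, initialise and construct. */
	extmod = npf_extmod_load(name);
	if (extmod == NULL) {
		*extcall = NULL;
		return NULL;
	}
	*extcall = extmod->cons(name);
	return (*extcall != NULL) ? extmod : NULL;
}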
/*
 * npf_extmod_param: hand a "param"/"val" pair from the configuration to
 * the extension's param handler for the given extension call.
 *
 * Returns the handler's result unchanged; its meaning is defined by the
 * extension.  NOTE(review): val is presumably NULL for a parameter given
 * without a value (the grammar stores NULL in that case) -- confirm in
 * the caller in npf_build.c.
 */
int
npf_extmod_param(npf_extmod_t *extmod, nl_ext_t *ext,
    const char *param, const char *val)
{
	npfext_paramfunc_t handler = extmod->param;

	return handler(ext, param, val);
}
--- src/usr.sbin/npf/npfctl/npf_parse.y 2012/08/12 03:35:13 1.12
+++ src/usr.sbin/npf/npfctl/npf_parse.y 2012/09/16 13:47:41 1.13
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npf_parse.y,v 1.12 2012/08/12 03:35:13 rmind Exp $ */ | | 1 | /* $NetBSD: npf_parse.y,v 1.13 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This code is derived from software contributed to The NetBSD Foundation | | 7 | * This code is derived from software contributed to The NetBSD Foundation |
8 | * by Martin Husemann and Christos Zoulas. | | 8 | * by Martin Husemann and Christos Zoulas. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -120,46 +120,48 @@ yyerror(const char *fmt, ...) | | | @@ -120,46 +120,48 @@ yyerror(const char *fmt, ...) |
120 | %token TABLE | | 120 | %token TABLE |
121 | %token TCP | | 121 | %token TCP |
122 | %token TO | | 122 | %token TO |
123 | %token TREE | | 123 | %token TREE |
124 | %token TYPE | | 124 | %token TYPE |
125 | %token <num> ICMP | | 125 | %token <num> ICMP |
126 | %token <num> ICMP6 | | 126 | %token <num> ICMP6 |
127 | | | 127 | |
128 | %token <num> HEX | | 128 | %token <num> HEX |
129 | %token <str> IDENTIFIER | | 129 | %token <str> IDENTIFIER |
130 | %token <str> IPV4ADDR | | 130 | %token <str> IPV4ADDR |
131 | %token <str> IPV6ADDR | | 131 | %token <str> IPV6ADDR |
132 | %token <num> NUM | | 132 | %token <num> NUM |
| | | 133 | %token <fpnum> FPNUM |
133 | %token <str> STRING | | 134 | %token <str> STRING |
134 | %token <str> TABLE_ID | | 135 | %token <str> TABLE_ID |
135 | %token <str> VAR_ID | | 136 | %token <str> VAR_ID |
136 | | | 137 | |
137 | %type <str> addr, some_name, list_elem, table_store | | 138 | %type <str> addr, some_name, list_elem, table_store |
138 | %type <str> opt_apply | | 139 | %type <str> proc_param_val, opt_apply |
139 | %type <num> ifindex, port, opt_final, on_iface | | 140 | %type <num> ifindex, port, opt_final, on_iface |
140 | %type <num> block_or_pass, rule_dir, block_opts, opt_family | | 141 | %type <num> block_or_pass, rule_dir, block_opts, opt_family |
141 | %type <num> opt_stateful, icmp_type, table_type, map_sd, map_type | | 142 | %type <num> opt_stateful, icmp_type, table_type, map_sd, map_type |
142 | %type <var> addr_or_iface, port_range, icmp_type_and_code | | 143 | %type <var> addr_or_iface, port_range, icmp_type_and_code |
143 | %type <var> filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask | | 144 | %type <var> filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask |
144 | %type <var> modulearg_opts, procs, proc_op, modulearg, moduleargs | | 145 | %type <var> procs, proc_call, proc_param_list, proc_param |
145 | %type <addrport> mapseg | | 146 | %type <addrport> mapseg |
146 | %type <filtopts> filt_opts, all_or_filt_opts | | 147 | %type <filtopts> filt_opts, all_or_filt_opts |
147 | %type <optproto> opt_proto | | 148 | %type <optproto> opt_proto |
148 | %type <rulegroup> group_attr, group_opt | | 149 | %type <rulegroup> group_attr, group_opt |
149 | | | 150 | |
150 | %union { | | 151 | %union { |
151 | char * str; | | 152 | char * str; |
152 | unsigned long num; | | 153 | unsigned long num; |
| | | 154 | double fpnum; |
153 | addr_port_t addrport; | | 155 | addr_port_t addrport; |
154 | filt_opts_t filtopts; | | 156 | filt_opts_t filtopts; |
155 | npfvar_t * var; | | 157 | npfvar_t * var; |
156 | opt_proto_t optproto; | | 158 | opt_proto_t optproto; |
157 | rule_group_t rulegroup; | | 159 | rule_group_t rulegroup; |
158 | } | | 160 | } |
159 | | | 161 | |
160 | %% | | 162 | %% |
161 | | | 163 | |
162 | input | | 164 | input |
163 | : lines | | 165 | : lines |
164 | ; | | 166 | ; |
165 | | | 167 | |
| @@ -285,84 +287,73 @@ map | | | @@ -285,84 +287,73 @@ map |
285 | { | | 287 | { |
286 | npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL); | | 288 | npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL); |
287 | } | | 289 | } |
288 | ; | | 290 | ; |
289 | | | 291 | |
290 | rproc | | 292 | rproc |
291 | : PROCEDURE STRING CURLY_OPEN procs CURLY_CLOSE | | 293 | : PROCEDURE STRING CURLY_OPEN procs CURLY_CLOSE |
292 | { | | 294 | { |
293 | npfctl_build_rproc($2, $4); | | 295 | npfctl_build_rproc($2, $4); |
294 | } | | 296 | } |
295 | ; | | 297 | ; |
296 | | | 298 | |
297 | procs | | 299 | procs |
298 | : proc_op SEPLINE procs { $$ = npfvar_add_elements($1, $3); } | | 300 | : proc_call SEPLINE procs |
299 | | proc_op { $$ = $1; } | | 301 | { |
| | | 302 | $$ = npfvar_add_elements($1, $3); |
| | | 303 | } |
| | | 304 | | proc_call { $$ = $1; } |
300 | ; | | 305 | ; |
301 | | | 306 | |
302 | proc_op | | 307 | proc_call |
303 | : IDENTIFIER COLON moduleargs | | 308 | : IDENTIFIER COLON proc_param_list |
304 | { | | 309 | { |
305 | proc_op_t po; | | 310 | proc_call_t pc; |
306 | | | 311 | |
307 | po.po_name = xstrdup($1); | | 312 | pc.pc_name = xstrdup($1); |
308 | po.po_opts = $3; | | 313 | pc.pc_opts = $3; |
309 | $$ = npfvar_create(".proc_ops"); | | 314 | $$ = npfvar_create(".proc_call"); |
310 | npfvar_add_element($$, NPFVAR_PROC_OP, &po, sizeof(po)); | | 315 | npfvar_add_element($$, NPFVAR_PROC, &pc, sizeof(pc)); |
311 | } | | 316 | } |
312 | | { $$ = NULL; } | | 317 | | { $$ = NULL; } |
313 | ; | | 318 | ; |
314 | | | 319 | |
315 | moduleargs | | 320 | proc_param_list |
316 | : modulearg COMMA moduleargs | | 321 | : proc_param COMMA proc_param_list |
317 | { | | 322 | { |
318 | $$ = npfvar_add_elements($1, $3); | | 323 | $$ = npfvar_add_elements($1, $3); |
319 | } | | 324 | } |
320 | | modulearg { $$ = $1; } | | 325 | | proc_param { $$ = $1; } |
321 | | { $$ = NULL; } | | 326 | | { $$ = NULL; } |
322 | ; | | 327 | ; |
323 | | | 328 | |
324 | modulearg | | 329 | proc_param |
325 | : some_name modulearg_opts | | 330 | /* Key and value pair. */ |
| | | 331 | : some_name proc_param_val |
326 | { | | 332 | { |
327 | module_arg_t ma; | | 333 | proc_param_t pp; |
328 | | | 334 | |
329 | ma.ma_name = xstrdup($1); | | 335 | pp.pp_param = xstrdup($1); |
330 | ma.ma_opts = $2; | | 336 | pp.pp_value = $2 ? xstrdup($2) : NULL; |
331 | $$ = npfvar_create(".module_arg"); | | 337 | $$ = npfvar_create(".proc_param"); |
332 | npfvar_add_element($$, NPFVAR_MODULE_ARG, &ma, sizeof(ma)); | | 338 | npfvar_add_element($$, NPFVAR_PROC_PARAM, &pp, sizeof(pp)); |
333 | } | | 339 | } |
334 | ; | | 340 | ; |
335 | | | 341 | |
336 | modulearg_opts | | 342 | proc_param_val |
337 | : STRING modulearg_opts | | 343 | : some_name { $$ = $1; } |
338 | { | | 344 | | NUM { (void)asprintf(&$$, "%ld", $1); } |
339 | npfvar_t *vp = npfvar_create(".modstring"); | | 345 | | FPNUM { (void)asprintf(&$$, "%lf", $1); } |
340 | npfvar_add_element(vp, NPFVAR_STRING, $1, strlen($1) + 1); | | 346 | | { $$ = NULL; } |
341 | $$ = $2 ? npfvar_add_elements($2, vp) : vp; | | | |
342 | } | | | |
343 | | IDENTIFIER modulearg_opts | | | |
344 | { | | | |
345 | npfvar_t *vp = npfvar_create(".modident"); | | | |
346 | npfvar_add_element(vp, NPFVAR_IDENTIFIER, $1, strlen($1) + 1); | | | |
347 | $$ = $2 ? npfvar_add_elements($2, vp) : vp; | | | |
348 | } | | | |
349 | | NUM modulearg_opts | | | |
350 | { | | | |
351 | npfvar_t *vp = npfvar_create(".modnum"); | | | |
352 | npfvar_add_element(vp, NPFVAR_NUM, &$1, sizeof($1)); | | | |
353 | $$ = $2 ? npfvar_add_elements($2, vp) : vp; | | | |
354 | } | | | |
355 | | { $$ = NULL; } | | | |
356 | ; | | 347 | ; |
357 | | | 348 | |
358 | group | | 349 | group |
359 | : GROUP PAR_OPEN group_attr PAR_CLOSE | | 350 | : GROUP PAR_OPEN group_attr PAR_CLOSE |
360 | { | | 351 | { |
361 | npfctl_build_group($3.rg_name, $3.rg_attr, $3.rg_ifnum); | | 352 | npfctl_build_group($3.rg_name, $3.rg_attr, $3.rg_ifnum); |
362 | } | | 353 | } |
363 | ruleset | | 354 | ruleset |
364 | ; | | 355 | ; |
365 | | | 356 | |
366 | group_attr | | 357 | group_attr |
367 | : group_opt COMMA group_attr | | 358 | : group_opt COMMA group_attr |
368 | { | | 359 | { |
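Review bot: In `proc_param_val` the NUM alternative formats `$1` with `%ld`, but the `num` union member is declared `unsigned long` (line 153 of the new file), so the specifier should be `%lu`. The `(void)asprintf(...)` also discards the -1 failure return, leaving `$$` unreliable on allocation failure where every other allocation in this grammar goes through aborting wrappers such as `xstrdup`; `if (asprintf(&$$, "%lu", $1) == -1) err(EXIT_FAILURE, "asprintf");` keeps that convention. Note too that `%lf` renders `0.5` as `0.500000`, so the string an extension's param handler receives differs from the configuration text; `%g` or keeping the lexeme would preserve it. Finally, `proc_param` copies `$2` again with `xstrdup`, so the buffer asprintf allocated is never freed.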
--- src/usr.sbin/npf/npfctl/npf_scan.l 2012/07/19 21:52:29 1.5
+++ src/usr.sbin/npf/npfctl/npf_scan.l 2012/09/16 13:47:41 1.6
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npf_scan.l,v 1.5 2012/07/19 21:52:29 spz Exp $ */ | | 1 | /* $NetBSD: npf_scan.l,v 1.6 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This code is derived from software contributed to The NetBSD Foundation | | 7 | * This code is derived from software contributed to The NetBSD Foundation |
8 | * by Martin Husemann. | | 8 | * by Martin Husemann. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -21,26 +21,27 @@ | | | @@ -21,26 +21,27 @@ |
21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. | | 29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ | | 30 | */ |
31 | | | 31 | |
32 | %{ | | 32 | %{ |
33 | #include <stdio.h> | | 33 | #include <stdio.h> |
| | | 34 | #include <stdlib.h> |
34 | #include <err.h> | | 35 | #include <err.h> |
35 | | | 36 | |
36 | #include "npfctl.h" | | 37 | #include "npfctl.h" |
37 | #include "npf_parse.h" | | 38 | #include "npf_parse.h" |
38 | | | 39 | |
39 | int yycolumn; | | 40 | int yycolumn; |
40 | | | 41 | |
41 | #define YY_USER_ACTION yycolumn += yyleng; | | 42 | #define YY_USER_ACTION yycolumn += yyleng; |
42 | | | 43 | |
43 | %} | | 44 | %} |
44 | | | 45 | |
45 | %option noyywrap nounput noinput | | 46 | %option noyywrap nounput noinput |
46 | | | 47 | |
| @@ -105,26 +106,33 @@ any return ANY; | | | @@ -105,26 +106,33 @@ any return ANY; |
105 | "(" return PAR_OPEN; | | 106 | "(" return PAR_OPEN; |
106 | ")" return PAR_CLOSE; | | 107 | ")" return PAR_CLOSE; |
107 | "," return COMMA; | | 108 | "," return COMMA; |
108 | "=" return EQ; | | 109 | "=" return EQ; |
109 | | | 110 | |
110 | "0x"[0-9a-fA-F]+ { | | 111 | "0x"[0-9a-fA-F]+ { |
111 | char *endp, *buf = zalloc(yyleng + 1); | | 112 | char *endp, *buf = zalloc(yyleng + 1); |
112 | buf[yyleng] = 0; | | 113 | buf[yyleng] = 0; |
113 | yylval.num = strtoul(buf+2, &endp, 16); | | 114 | yylval.num = strtoul(buf+2, &endp, 16); |
114 | free(buf); | | 115 | free(buf); |
115 | return HEX; | | 116 | return HEX; |
116 | } | | 117 | } |
117 | | | 118 | |
| | | 119 | {NUMBER}"."{NUMBER} { |
| | | 120 | char *endp, *buf = xstrndup(yytext, yyleng); |
| | | 121 | yylval.fpnum = strtod(buf, &endp); |
| | | 122 | free(buf); |
| | | 123 | return FPNUM; |
| | | 124 | } |
| | | 125 | |
118 | [0-9a-fA-F]+":"[0-9a-fA-F:]* { | | 126 | [0-9a-fA-F]+":"[0-9a-fA-F:]* { |
119 | yylval.str = xstrndup(yytext, yyleng); | | 127 | yylval.str = xstrndup(yytext, yyleng); |
120 | return IPV6ADDR; | | 128 | return IPV6ADDR; |
121 | } | | 129 | } |
122 | | | 130 | |
123 | {NUMBER}"."[0-9][0-9.]* { | | 131 | {NUMBER}"."[0-9][0-9.]* { |
124 | yylval.str = xstrndup(yytext, yyleng); | | 132 | yylval.str = xstrndup(yytext, yyleng); |
125 | return IPV4ADDR; | | 133 | return IPV4ADDR; |
126 | } | | 134 | } |
127 | | | 135 | |
128 | {NUMBER} { | | 136 | {NUMBER} { |
129 | char *endp, *buf = xstrndup(yytext, yyleng); | | 137 | char *endp, *buf = xstrndup(yytext, yyleng); |
130 | yylval.num = strtoul(buf, &endp, 10); | | 138 | yylval.num = strtoul(buf, &endp, 10); |
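Review bot: The new FPNUM rule sits immediately before the IPv4 rule and matches the same text for a two-component dotted number such as `10.1`, which previously lexed as IPV4ADDR; flex resolves equal-length matches by rule order, so the placement is load-bearing and deserves a comment, e.g. `/* Must precede the IPv4 rule: equal-length matches resolve to the earlier rule. */`. Since `{NUMBER}"."{NUMBER}` can only match digits and one dot, the unexamined `endp` is harmless but a stray local; `yylval.fpnum = strtod(buf, NULL);` avoids it. `{NUMBER}` itself is defined outside this hunk.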
--- src/usr.sbin/npf/npfctl/npf_var.h 2012/07/19 21:52:29 1.3
+++ src/usr.sbin/npf/npfctl/npf_var.h 2012/09/16 13:47:41 1.4
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npf_var.h,v 1.3 2012/07/19 21:52:29 spz Exp $ */ | | 1 | /* $NetBSD: npf_var.h,v 1.4 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This code is derived from software contributed to The NetBSD Foundation | | 7 | * This code is derived from software contributed to The NetBSD Foundation |
8 | * by Christos Zoulas. | | 8 | * by Christos Zoulas. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -25,45 +25,55 @@ | | | @@ -25,45 +25,55 @@ |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. | | 29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ | | 30 | */ |
31 | | | 31 | |
32 | #ifndef _NPF_VAR_H_ | | 32 | #ifndef _NPF_VAR_H_ |
33 | #define _NPF_VAR_H_ | | 33 | #define _NPF_VAR_H_ |
34 | | | 34 | |
35 | #define NPFVAR_STRING 0 | | 35 | #define NPFVAR_STRING 0 |
36 | #define NPFVAR_IDENTIFIER 1 | | 36 | #define NPFVAR_IDENTIFIER 1 |
37 | #define NPFVAR_VAR_ID 2 | | 37 | #define NPFVAR_VAR_ID 2 |
38 | #define NPFVAR_NUM 3 | | 38 | #define NPFVAR_NUM 3 |
39 | #define NPFVAR_PORT_RANGE 4 | | 39 | #define NPFVAR_PORT_RANGE 4 |
40 | | | 40 | |
41 | /* Note: primitive types are equivalent. */ | | 41 | /* Note: primitive types are equivalent. */ |
42 | #define NPFVAR_PRIM NPFVAR_PORT_RANGE | | 42 | #define NPFVAR_PRIM NPFVAR_PORT_RANGE |
43 | #define NPFVAR_TYPE(x) (((x) > NPFVAR_PRIM) ? (x) : 0) | | 43 | #define NPFVAR_TYPE(x) (((x) > NPFVAR_PRIM) ? (x) : 0) |
44 | | | 44 | |
45 | #define NPFVAR_TABLE 5 | | 45 | #define NPFVAR_TABLE 5 |
46 | #define NPFVAR_FAM 6 | | 46 | #define NPFVAR_FAM 6 |
47 | #define NPFVAR_TCPFLAG 7 | | 47 | #define NPFVAR_PROC 7 |
48 | #define NPFVAR_ICMP 8 | | 48 | #define NPFVAR_PROC_PARAM 8 |
49 | #define NPFVAR_PROC_OP 9 | | 49 | #define NPFVAR_TCPFLAG 9 |
50 | #define NPFVAR_MODULE_ARG 10 | | 50 | #define NPFVAR_ICMP 10 |
51 | #define NPFVAR_ICMP6 11 | | 51 | #define NPFVAR_ICMP6 11 |
52 | | | 52 | |
53 | #ifdef _NPFVAR_PRIVATE | | 53 | #ifdef _NPFVAR_PRIVATE |
54 | static const char *npfvar_types[ ] = { | | 54 | static const char *npfvar_types[ ] = { |
55 | "string", "identifier", "var_id", "num", "table", "fam", "port_range", | | 55 | [NPFVAR_STRING] = "string", |
56 | "tcpflag", "icmp", "proc_op", "module_arg", "icmp6" | | 56 | [NPFVAR_IDENTIFIER] = "identifier", |
| | | 57 | [NPFVAR_VAR_ID] = "var_id", |
| | | 58 | [NPFVAR_NUM] = "num", |
| | | 59 | [NPFVAR_PORT_RANGE] = "port-range", |
| | | 60 | [NPFVAR_TABLE] = "table", |
| | | 61 | [NPFVAR_FAM] = "fam", |
| | | 62 | [NPFVAR_PROC] = "proc", |
| | | 63 | [NPFVAR_PROC_PARAM] = "proc_param", |
| | | 64 | [NPFVAR_TCPFLAG] = "tcpflag", |
| | | 65 | [NPFVAR_ICMP] = "icmp", |
| | | 66 | [NPFVAR_ICMP6] = "icmp6" |
57 | }; | | 67 | }; |
58 | #endif | | 68 | #endif |
59 | | | 69 | |
60 | struct npfvar; | | 70 | struct npfvar; |
61 | typedef struct npfvar npfvar_t; | | 71 | typedef struct npfvar npfvar_t; |
62 | | | 72 | |
63 | npfvar_t * npfvar_create(const char *); | | 73 | npfvar_t * npfvar_create(const char *); |
64 | npfvar_t * npfvar_lookup(const char *); | | 74 | npfvar_t * npfvar_lookup(const char *); |
65 | const char * npfvar_type(size_t); | | 75 | const char * npfvar_type(size_t); |
66 | void npfvar_add(npfvar_t *); | | 76 | void npfvar_add(npfvar_t *); |
67 | npfvar_t * npfvar_add_element(npfvar_t *, int, const void *, size_t); | | 77 | npfvar_t * npfvar_add_element(npfvar_t *, int, const void *, size_t); |
68 | npfvar_t * npfvar_add_elements(npfvar_t *, npfvar_t *); | | 78 | npfvar_t * npfvar_add_elements(npfvar_t *, npfvar_t *); |
69 | void npfvar_destroy(npfvar_t *); | | 79 | void npfvar_destroy(npfvar_t *); |
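Review bot: The designated-initializer table fixes the index/name mismatch, but nothing ties its length to the highest type value: the array's size is just the highest designator plus one, so a future NPFVAR_* added above NPFVAR_ICMP6 without a table entry would index past the end in `npfvar_type()` (declared below; any bounds check it has is outside this hunk), and a gap below it reads as a NULL name. A compile-time size check next to the table, asserting the array has `NPFVAR_ICMP6 + 1` entries, would catch both. Also `[NPFVAR_PORT_RANGE] = "port-range"` is the only hyphenated name while `var_id` and `proc_param` keep underscores; `"port_range"` would match the macro names and the previous spelling.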
--- src/usr.sbin/npf/npfctl/npfctl.c 2012/09/01 19:08:01 1.19
+++ src/usr.sbin/npf/npfctl/npfctl.c 2012/09/16 13:47:41 1.20
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npfctl.c,v 1.19 2012/09/01 19:08:01 rmind Exp $ */ | | 1 | /* $NetBSD: npfctl.c,v 1.20 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This material is based upon work partially supported by The | | 7 | * This material is based upon work partially supported by The |
8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. | | 8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -20,27 +20,27 @@ | | | @@ -20,27 +20,27 @@ |
20 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 20 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. | | 29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ | | 30 | */ |
31 | | | 31 | |
32 | #include <sys/cdefs.h> | | 32 | #include <sys/cdefs.h> |
33 | __RCSID("$NetBSD: npfctl.c,v 1.19 2012/09/01 19:08:01 rmind Exp $"); | | 33 | __RCSID("$NetBSD: npfctl.c,v 1.20 2012/09/16 13:47:41 rmind Exp $"); |
34 | | | 34 | |
35 | #include <sys/ioctl.h> | | 35 | #include <sys/ioctl.h> |
36 | #include <sys/stat.h> | | 36 | #include <sys/stat.h> |
37 | #include <sys/types.h> | | 37 | #include <sys/types.h> |
38 | | | 38 | |
39 | #include <stdio.h> | | 39 | #include <stdio.h> |
40 | #include <stdlib.h> | | 40 | #include <stdlib.h> |
41 | #include <string.h> | | 41 | #include <string.h> |
42 | #include <err.h> | | 42 | #include <err.h> |
43 | #include <fcntl.h> | | 43 | #include <fcntl.h> |
44 | #include <unistd.h> | | 44 | #include <unistd.h> |
45 | #include <errno.h> | | 45 | #include <errno.h> |
46 | | | 46 | |
| @@ -191,30 +191,26 @@ npfctl_print_stats(int fd) | | | @@ -191,30 +191,26 @@ npfctl_print_stats(int fd) |
191 | { NPF_STAT_NAT_CREATE, "NAT entry allocations" }, | | 191 | { NPF_STAT_NAT_CREATE, "NAT entry allocations" }, |
192 | { NPF_STAT_NAT_DESTROY, "NAT entry destructions"}, | | 192 | { NPF_STAT_NAT_DESTROY, "NAT entry destructions"}, |
193 | | | 193 | |
194 | { -1, "Invalid packet state cases" }, | | 194 | { -1, "Invalid packet state cases" }, |
195 | { NPF_STAT_INVALID_STATE, "cases in total" }, | | 195 | { NPF_STAT_INVALID_STATE, "cases in total" }, |
196 | { NPF_STAT_INVALID_STATE_TCP1, "TCP case I" }, | | 196 | { NPF_STAT_INVALID_STATE_TCP1, "TCP case I" }, |
197 | { NPF_STAT_INVALID_STATE_TCP2, "TCP case II" }, | | 197 | { NPF_STAT_INVALID_STATE_TCP2, "TCP case II" }, |
198 | { NPF_STAT_INVALID_STATE_TCP3, "TCP case III" }, | | 198 | { NPF_STAT_INVALID_STATE_TCP3, "TCP case III" }, |
199 | | | 199 | |
200 | { -1, "Packet race cases" }, | | 200 | { -1, "Packet race cases" }, |
201 | { NPF_STAT_RACE_NAT, "NAT association race" }, | | 201 | { NPF_STAT_RACE_NAT, "NAT association race" }, |
202 | { NPF_STAT_RACE_SESSION, "duplicate session race"}, | | 202 | { NPF_STAT_RACE_SESSION, "duplicate session race"}, |
203 | | | 203 | |
204 | { -1, "Rule procedure cases" }, | | | |
205 | { NPF_STAT_RPROC_LOG, "packets logged" }, | | | |
206 | { NPF_STAT_RPROC_NORM, "packets normalised" }, | | | |
207 | | | | |
208 | { -1, "Fragmentation" }, | | 204 | { -1, "Fragmentation" }, |
209 | { NPF_STAT_FRAGMENTS, "fragments" }, | | 205 | { NPF_STAT_FRAGMENTS, "fragments" }, |
210 | { NPF_STAT_REASSEMBLY, "reassembled" }, | | 206 | { NPF_STAT_REASSEMBLY, "reassembled" }, |
211 | { NPF_STAT_REASSFAIL, "failed reassembly" }, | | 207 | { NPF_STAT_REASSFAIL, "failed reassembly" }, |
212 | | | 208 | |
213 | { -1, "Other" }, | | 209 | { -1, "Other" }, |
214 | { NPF_STAT_ERROR, "unexpected errors" }, | | 210 | { NPF_STAT_ERROR, "unexpected errors" }, |
215 | }; | | 211 | }; |
216 | uint64_t *st = zalloc(NPF_STATS_SIZE); | | 212 | uint64_t *st = zalloc(NPF_STATS_SIZE); |
217 | | | 213 | |
218 | if (ioctl(fd, IOC_NPF_STATS, &st) != 0) { | | 214 | if (ioctl(fd, IOC_NPF_STATS, &st) != 0) { |
219 | err(EXIT_FAILURE, "ioctl(IOC_NPF_STATS)"); | | 215 | err(EXIT_FAILURE, "ioctl(IOC_NPF_STATS)"); |
220 | } | | 216 | } |
--- src/usr.sbin/npf/npfctl/npfctl.h 2012/08/12 03:35:13 1.19
+++ src/usr.sbin/npf/npfctl/npfctl.h 2012/09/16 13:47:41 1.20
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: npfctl.h,v 1.19 2012/08/12 03:35:13 rmind Exp $ */ | | 1 | /* $NetBSD: npfctl.h,v 1.20 2012/09/16 13:47:41 rmind Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * Redistribution and use in source and binary forms, with or without | | 7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions | | 8 | * modification, are permitted provided that the following conditions |
9 | * are met: | | 9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright | | 10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. | | 11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright | | 12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the | | 13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. | | 14 | * documentation and/or other materials provided with the distribution. |
| @@ -69,60 +69,70 @@ typedef struct filt_opts { | | | @@ -69,60 +69,70 @@ typedef struct filt_opts { |
69 | } filt_opts_t; | | 69 | } filt_opts_t; |
70 | | | 70 | |
71 | typedef struct opt_proto { | | 71 | typedef struct opt_proto { |
72 | int op_proto; | | 72 | int op_proto; |
73 | npfvar_t * op_opts; | | 73 | npfvar_t * op_opts; |
74 | } opt_proto_t; | | 74 | } opt_proto_t; |
75 | | | 75 | |
76 | typedef struct rule_group { | | 76 | typedef struct rule_group { |
77 | const char * rg_name; | | 77 | const char * rg_name; |
78 | uint32_t rg_attr; | | 78 | uint32_t rg_attr; |
79 | u_int rg_ifnum; | | 79 | u_int rg_ifnum; |
80 | } rule_group_t; | | 80 | } rule_group_t; |
81 | | | 81 | |
82 | typedef struct proc_op { | | 82 | typedef struct proc_call { |
83 | const char * po_name; | | 83 | const char * pc_name; |
84 | npfvar_t * po_opts; | | 84 | npfvar_t * pc_opts; |
85 | } proc_op_t; | | 85 | } proc_call_t; |
86 | | | 86 | |
87 | typedef struct module_arg { | | 87 | typedef struct proc_param { |
88 | const char * ma_name; | | 88 | const char * pp_param; |
89 | npfvar_t * ma_opts; | | 89 | const char * pp_value; |
90 | } module_arg_t; | | 90 | } proc_param_t; |
91 | | | 91 | |
92 | void yyerror(const char *, ...) __printflike(1, 2) __dead; | | 92 | void yyerror(const char *, ...) __printflike(1, 2) __dead; |
93 | void * zalloc(size_t); | | 93 | void * zalloc(size_t); |
94 | void * xrealloc(void *, size_t); | | 94 | void * xrealloc(void *, size_t); |
95 | char * xstrdup(const char *); | | 95 | char * xstrdup(const char *); |
96 | char * xstrndup(const char *, size_t); | | 96 | char * xstrndup(const char *, size_t); |
97 | | | 97 | |
98 | void npfctl_print_error(const nl_error_t *); | | 98 | void npfctl_print_error(const nl_error_t *); |
99 | bool npfctl_table_exists_p(const char *); | | 99 | bool npfctl_table_exists_p(const char *); |
100 | int npfctl_protono(const char *); | | 100 | int npfctl_protono(const char *); |
101 | in_port_t npfctl_portno(const char *); | | 101 | in_port_t npfctl_portno(const char *); |
102 | uint8_t npfctl_icmpcode(int, uint8_t, const char *); | | 102 | uint8_t npfctl_icmpcode(int, uint8_t, const char *); |
103 | uint8_t npfctl_icmptype(int, const char *); | | 103 | uint8_t npfctl_icmptype(int, const char *); |
104 | unsigned long npfctl_find_ifindex(const char *); | | 104 | unsigned long npfctl_find_ifindex(const char *); |
105 | npfvar_t * npfctl_parse_tcpflag(const char *); | | 105 | npfvar_t * npfctl_parse_tcpflag(const char *); |
106 | npfvar_t * npfctl_parse_table_id(const char *); | | 106 | npfvar_t * npfctl_parse_table_id(const char *); |
107 | npfvar_t * npfctl_parse_icmp(int, int, int); | | 107 | npfvar_t * npfctl_parse_icmp(int, int, int); |
108 | npfvar_t * npfctl_parse_iface(const char *); | | 108 | npfvar_t * npfctl_parse_iface(const char *); |
109 | npfvar_t * npfctl_parse_port_range(in_port_t, in_port_t); | | 109 | npfvar_t * npfctl_parse_port_range(in_port_t, in_port_t); |
110 | npfvar_t * npfctl_parse_port_range_variable(const char *); | | 110 | npfvar_t * npfctl_parse_port_range_variable(const char *); |
111 | npfvar_t * npfctl_parse_fam_addr_mask(const char *, const char *, | | 111 | npfvar_t * npfctl_parse_fam_addr_mask(const char *, const char *, |
112 | unsigned long *); | | 112 | unsigned long *); |
113 | bool npfctl_parse_cidr(char *, fam_addr_mask_t *, int *); | | 113 | bool npfctl_parse_cidr(char *, fam_addr_mask_t *, int *); |
114 | | | 114 | |
115 | /* | | 115 | /* |
| | | 116 | * NPF extension loading. |
| | | 117 | */ |
| | | 118 | |
| | | 119 | typedef struct npf_extmod npf_extmod_t; |
| | | 120 | |
| | | 121 | npf_extmod_t * npf_extmod_get(const char *, nl_ext_t **); |
| | | 122 | int npf_extmod_param(npf_extmod_t *, nl_ext_t *, |
| | | 123 | const char *, const char *); |
| | | 124 | |
| | | 125 | /* |
116 | * N-code generation interface. | | 126 | * N-code generation interface. |
117 | */ | | 127 | */ |
118 | | | 128 | |
119 | typedef struct nc_ctx nc_ctx_t; | | 129 | typedef struct nc_ctx nc_ctx_t; |
120 | | | 130 | |
121 | #define NC_MATCH_DST 0x01 | | 131 | #define NC_MATCH_DST 0x01 |
122 | #define NC_MATCH_SRC 0x02 | | 132 | #define NC_MATCH_SRC 0x02 |
123 | | | 133 | |
124 | #define NC_MATCH_TCP 0x04 | | 134 | #define NC_MATCH_TCP 0x04 |
125 | #define NC_MATCH_UDP 0x08 | | 135 | #define NC_MATCH_UDP 0x08 |
126 | #define NC_MATCH_ICMP 0x10 | | 136 | #define NC_MATCH_ICMP 0x10 |
127 | #define NC_MATCH_ICMP6 0x20 | | 137 | #define NC_MATCH_ICMP6 0x20 |
128 | | | 138 | |
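Review bot: `proc_param_t` carries no comment on the contract of its two strings, and `pp_value` can be NULL: the grammar's `proc_param` rule stores `xstrdup($2)` only when a value is present and NULL otherwise, so every consumer of `pp_value` has to be NULL-aware; `const char * pp_value; /* NULL when given without a value */` would record that next to the field. The same presumably applies to the last `const char *` of `npf_extmod_param()` if `pp_value` is what gets passed there (the caller is in npf_build.c, outside this hunk). The `nl_ext_t **` out-parameter of `npf_extmod_get()` likewise deserves a line saying it receives the constructed extension call on success.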