Sun Oct 27 16:22:08 2013 UTC ()
Add NPF_MAX_RULES, an artificial limit (set it to 1M).


(rmind)
diff -r1.29 -r1.30 src/sys/net/npf/npf_ctl.c
diff -r1.33 -r1.34 src/sys/net/npf/npf_impl.h


--- src/sys/net/npf/npf_ctl.c 2013/09/19 01:49:07 1.29
+++ src/sys/net/npf/npf_ctl.c 2013/10/27 16:22:08 1.30
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: npf_ctl.c,v 1.29 2013/09/19 01:49:07 rmind Exp $ */ 1/* $NetBSD: npf_ctl.c,v 1.30 2013/10/27 16:22:08 rmind Exp $ */
2 2
3/*- 3/*-
4 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 4 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * This material is based upon work partially supported by The 7 * This material is based upon work partially supported by The
8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
9 * 9 *
10 * Redistribution and use in source and binary forms, with or without 10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions 11 * modification, are permitted provided that the following conditions
12 * are met: 12 * are met:
13 * 1. Redistributions of source code must retain the above copyright 13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer. 14 * notice, this list of conditions and the following disclaimer.
@@ -27,27 +27,27 @@ @@ -27,27 +27,27 @@
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE. 29 * POSSIBILITY OF SUCH DAMAGE.
30 */ 30 */
31 31
32/* 32/*
33 * NPF device control. 33 * NPF device control.
34 * 34 *
35 * Implementation of (re)loading, construction of tables and rules. 35 * Implementation of (re)loading, construction of tables and rules.
36 * NPF proplib(9) dictionary consumer. 36 * NPF proplib(9) dictionary consumer.
37 */ 37 */
38 38
39#include <sys/cdefs.h> 39#include <sys/cdefs.h>
40__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.29 2013/09/19 01:49:07 rmind Exp $"); 40__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.30 2013/10/27 16:22:08 rmind Exp $");
41 41
42#include <sys/param.h> 42#include <sys/param.h>
43#include <sys/conf.h> 43#include <sys/conf.h>
44#include <sys/kmem.h> 44#include <sys/kmem.h>
45#include <net/bpf.h> 45#include <net/bpf.h>
46 46
47#include <prop/proplib.h> 47#include <prop/proplib.h>
48 48
49#include "npf_impl.h" 49#include "npf_impl.h"
50 50
51#if defined(DEBUG) || defined(DIAGNOSTIC) 51#if defined(DEBUG) || defined(DIAGNOSTIC)
52#define NPF_ERR_DEBUG(e) \ 52#define NPF_ERR_DEBUG(e) \
53 prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \ 53 prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \
@@ -457,53 +457,57 @@ npfctl_reload(u_long cmd, void *data) @@ -457,53 +457,57 @@ npfctl_reload(u_long cmd, void *data)
457 error = EPROGMISMATCH; 457 error = EPROGMISMATCH;
458 goto fail; 458 goto fail;
459 } 459 }
460 460
461 /* ALGs. */ 461 /* ALGs. */
462 alglist = prop_dictionary_get(npf_dict, "algs"); 462 alglist = prop_dictionary_get(npf_dict, "algs");
463 error = npf_mk_algs(alglist, errdict); 463 error = npf_mk_algs(alglist, errdict);
464 if (error) { 464 if (error) {
465 goto fail; 465 goto fail;
466 } 466 }
467 467
468 /* NAT policies. */ 468 /* NAT policies. */
469 natlist = prop_dictionary_get(npf_dict, "translation"); 469 natlist = prop_dictionary_get(npf_dict, "translation");
470 nitems = prop_array_count(natlist); 470 if ((nitems = prop_array_count(natlist)) > NPF_MAX_RULES) {
 471 goto fail;
 472 }
471 473
472 nset = npf_ruleset_create(nitems); 474 nset = npf_ruleset_create(nitems);
473 error = npf_mk_natlist(nset, natlist, errdict); 475 error = npf_mk_natlist(nset, natlist, errdict);
474 if (error) { 476 if (error) {
475 goto fail; 477 goto fail;
476 } 478 }
477 479
478 /* Tables. */ 480 /* Tables. */
479 tblset = npf_tableset_create(); 481 tblset = npf_tableset_create();
480 tables = prop_dictionary_get(npf_dict, "tables"); 482 tables = prop_dictionary_get(npf_dict, "tables");
481 error = npf_mk_tables(tblset, tables, errdict); 483 error = npf_mk_tables(tblset, tables, errdict);
482 if (error) { 484 if (error) {
483 goto fail; 485 goto fail;
484 } 486 }
485 487
486 /* Rule procedures. */ 488 /* Rule procedures. */
487 rpset = npf_rprocset_create(); 489 rpset = npf_rprocset_create();
488 rprocs = prop_dictionary_get(npf_dict, "rprocs"); 490 rprocs = prop_dictionary_get(npf_dict, "rprocs");
489 error = npf_mk_rprocs(rpset, rprocs, errdict); 491 error = npf_mk_rprocs(rpset, rprocs, errdict);
490 if (error) { 492 if (error) {
491 goto fail; 493 goto fail;
492 } 494 }
493 495
494 /* Rules. */ 496 /* Rules. */
495 rules = prop_dictionary_get(npf_dict, "rules"); 497 rules = prop_dictionary_get(npf_dict, "rules");
496 nitems = prop_array_count(rules); 498 if ((nitems = prop_array_count(rules)) > NPF_MAX_RULES) {
 499 goto fail;
 500 }
497 501
498 rlset = npf_ruleset_create(nitems); 502 rlset = npf_ruleset_create(nitems);
499 error = npf_mk_rules(rlset, rules, rpset, errdict); 503 error = npf_mk_rules(rlset, rules, rpset, errdict);
500 if (error) { 504 if (error) {
501 goto fail; 505 goto fail;
502 } 506 }
503 507
504 flush = false; 508 flush = false;
505 prop_dictionary_get_bool(npf_dict, "flush", &flush); 509 prop_dictionary_get_bool(npf_dict, "flush", &flush);
506 510
507 /* 511 /*
508 * Finally - perform the reload. 512 * Finally - perform the reload.
509 */ 513 */
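Review bot: Both new limit checks jump to `fail` with `error` still 0, because the last value assigned to it before each check is the `npf_mk_algs` / `npf_mk_rprocs` result that the preceding `if (error)` already proved to be zero, so an oversized "translation" or "rules" array makes the reload abandon without installing anything while the ioctl presumably reports success to the caller, and nothing is recorded in errdict on this path. Set an errno before the jump in each of the two new blocks, e.g. `error = E2BIG;` ahead of `goto fail;`, and consider noting the reason in errdict the way the other failure paths pass it to the npf_mk_* helpers (their behaviour is not visible here). Since this is the only place the user-supplied array count is bounded before it sizes `npf_ruleset_create(nitems)`, a one-line comment naming that purpose would help the next reader: `/* Bound the user-supplied count before it sizes the ruleset. */`. npfctl_reload begins, and its fail label lies, outside this hunk.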


--- src/sys/net/npf/npf_impl.h 2013/09/19 01:49:07 1.33
+++ src/sys/net/npf/npf_impl.h 2013/10/27 16:22:08 1.34
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: npf_impl.h,v 1.33 2013/09/19 01:49:07 rmind Exp $ */ 1/* $NetBSD: npf_impl.h,v 1.34 2013/10/27 16:22:08 rmind Exp $ */
2 2
3/*- 3/*-
4 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 4 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * This material is based upon work partially supported by The 7 * This material is based upon work partially supported by The
8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
9 * 9 *
10 * Redistribution and use in source and binary forms, with or without 10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions 11 * modification, are permitted provided that the following conditions
12 * are met: 12 * are met:
13 * 1. Redistributions of source code must retain the above copyright 13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer. 14 * notice, this list of conditions and the following disclaimer.
@@ -90,27 +90,29 @@ struct npf_table; @@ -90,27 +90,29 @@ struct npf_table;
90typedef struct npf_sehash npf_sehash_t; 90typedef struct npf_sehash npf_sehash_t;
91typedef struct npf_table npf_table_t; 91typedef struct npf_table npf_table_t;
92 92
93typedef npf_table_t * npf_tableset_t; 93typedef npf_table_t * npf_tableset_t;
94 94
95/* 95/*
96 * DEFINITIONS. 96 * DEFINITIONS.
97 */ 97 */
98 98
99typedef bool (*npf_alg_func_t)(npf_cache_t *, nbuf_t *, npf_nat_t *, int); 99typedef bool (*npf_alg_func_t)(npf_cache_t *, nbuf_t *, npf_nat_t *, int);
100typedef npf_session_t *(*npf_alg_sfunc_t)(npf_cache_t *, nbuf_t *, int); 100typedef npf_session_t *(*npf_alg_sfunc_t)(npf_cache_t *, nbuf_t *, int);
101typedef void (*npf_workfunc_t)(void); 101typedef void (*npf_workfunc_t)(void);
102 102
 103/* Some artificial limits. */
103#define NPF_TABLE_SLOTS 32 104#define NPF_TABLE_SLOTS 32
 105#define NPF_MAX_RULES (1024 * 1024)
104 106
105/* 107/*
106 * SESSION STATE STRUCTURES 108 * SESSION STATE STRUCTURES
107 */ 109 */
108 110
109#define NPF_FLOW_FORW 0 111#define NPF_FLOW_FORW 0
110#define NPF_FLOW_BACK 1 112#define NPF_FLOW_BACK 1
111 113
112typedef struct { 114typedef struct {
113 uint32_t nst_end; 115 uint32_t nst_end;
114 uint32_t nst_maxend; 116 uint32_t nst_maxend;
115 uint32_t nst_maxwin; 117 uint32_t nst_maxwin;
116 int nst_wscale; 118 int nst_wscale;
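Review bot: The new NPF_MAX_RULES define is introduced only by the comment "Some artificial limits.", which says nothing about what it bounds or why; the npf_ctl.c hunk of this commit compares it against prop_array_count() of the user-supplied "translation" and "rules" arrays before npf_ruleset_create(nitems), so the header should say so where the constant lives. Suggested comment above the define: `/* Maximum entries in a NAT or rule array accepted on reload; caps the kernel allocation sized from a user-supplied count. */`. Whether 1M is a safe ceiling depends on the per-rule memory cost, which is not visible in this commit and is worth stating next to the value.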