CVS commit: [netbsd-7] src/sys/net/npf

2018-10-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Oct 30 19:52:57 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7]: npf_ctl.c

Log Message:
Pull up following revision(s) (requested by sborrill in ticket #1646):

sys/net/npf/npf_ctl.c: revision 1.47 (partial, via patch)

- Increase copyin buffer size to 4M


To generate a diff of this commit:
cvs rdiff -u -r1.38.2.3 -r1.38.2.4 src/sys/net/npf/npf_ctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.38.2.3 src/sys/net/npf/npf_ctl.c:1.38.2.4
--- src/sys/net/npf/npf_ctl.c:1.38.2.3	Wed Jun 10 16:57:58 2015
+++ src/sys/net/npf/npf_ctl.c	Tue Oct 30 19:52:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.38.2.3 2015/06/10 16:57:58 snj Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.38.2.4 2018/10/30 19:52:56 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38.2.3 2015/06/10 16:57:58 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38.2.4 2018/10/30 19:52:56 martin Exp $");
 
 #include 
 #include 
@@ -512,7 +512,8 @@ npfctl_load(u_long cmd, void *data)
 
 	/* Retrieve the dictionary. */
 #ifndef _NPF_TESTING
-	error = prop_dictionary_copyin_ioctl(pref, cmd, _dict);
+	error = prop_dictionary_copyin_ioctl_size(pref, cmd, _dict,
+	4 * 1024 * 1024);
 	if (error)
 		return error;
 #else
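Review bot: the `4 * 1024 * 1024` passed to prop_dictionary_copyin_ioctl_size() is a bare magic number; give it a name (a NPF_CTL_MAXDICT-style #define alongside the other limits in this file, name assumed) and say in a comment what it is for: it bounds how much kernel memory a single ioctl from userland can make the dictionary copyin allocate, which is the reason any limit exists here. Also the continuation line `+	4 * 1024 * 1024);` is indented at the same level as the statement it continues; KNF gives continuation lines an extra indent.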


CVS commit: [netbsd-7] src/sys/net/npf

2018-05-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 14 16:16:04 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relative to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.32.2.2 -r1.32.2.3 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.23 src/sys/net/npf/npf_alg_icmp.c:1.23.2.1
--- src/sys/net/npf/npf_alg_icmp.c:1.23	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_alg_icmp.c	Mon May 14 16:16:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.23.2.1 2018/05/14 16:16:04 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23.2.1 2018/05/14 16:16:04 martin Exp $");
 
 #include 
 #include 
@@ -118,13 +118,15 @@ npfa_icmp_match(npf_cache_t *npc, npf_na
 /*
  * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
  * ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
  */
 
 static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, bool *hasqid)
 {
 	nbuf_t *nbuf = npc->npc_nbuf;
-	u_int offby;
 
 	/* Per RFC 792. */
 	switch (type) {
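Review bot: the new `hasqid` out-parameter is only ever set to true in this function and never to false, so every caller must initialise it before the call (the npfa_icmp_inspect() hunk in this same diff does, with `bool ret, hasqid = false;`). State that contract in the `=> Sets hasqid=true ...` comment so a future caller does not rely on the callee clearing it.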
@@ -148,12 +150,8 @@ npfa_icmp4_inspect(const int type, npf_c
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQ:
 	case ICMP_IREQREPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp, icmp_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
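Review bot: with the nbuf_advance() ensure removed, the comment `/* Contains ICMP query ID. */` now asserts an invariant established elsewhere (per the log message, npf_cache_all() in npf_inet.c now pulls the query id into the nbuf), but nothing in this function records that dependency, and a reader of npf_alg_icmp.c alone cannot tell why the check was safe to drop. Name npf_cache_all() in the comment, since a KASSERT on the nbuf would defeat the point of not touching it here.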
@@ -162,10 +160,9 @@ npfa_icmp4_inspect(const int type, npf_c
 }
 
 static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, bool *hasqid)
 {
 	nbuf_t *nbuf = npc->npc_nbuf;
-	u_int offby;
 
 	/* Per RFC 4443. */
 	switch (type) {
@@ -184,12 +181,8 @@ npfa_icmp6_inspect(const int type, npf_c
 
 	case ICMP6_ECHO_REQUEST:
 	case ICMP6_ECHO_REPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp6_hdr, icmp6_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -200,13 +193,13 @@ npfa_icmp6_inspect(const int type, npf_c
 /*
  * npfa_icmp_inspect: ALG ICMP inspector.
  *
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
  */
 static bool
 npfa_icmp_inspect(npf_cache_t *npc, npf_cache_t *enpc)
 {
 	nbuf_t *nbuf = npc->npc_nbuf;
-	bool ret;
+	bool ret, hasqid = false;
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_ICMP));
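Review bot: the rewritten doc comment says when false is returned but no longer says when `enpc` is filled, which is what the caller needs: after this change a true return with `hasqid` set means neither the nbuf, `npc` nor `enpc` was touched, while true with `hasqid` clear means `enpc` holds the embedded packet and `npc` must be recached before its pointers are used again, which is the use-after-free this pull-up fixes. Spell out both outcomes in the `=>` lines rather than only the failure case.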
@@ -225,10 +218,10 @@ npfa_icmp_inspect(npf_cache_t *npc, npf_
 	 */
 	if (npf_iscached(npc, NPC_IP4)) {
 		

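The hazard the log message describes, as an added illustration in C that is not NPF's code: a toy buffer that may be reallocated by a pullup, two caches holding pointers into it, and a generation counter kept in each cache, which is the piece the message says NBUF_DATAREF_RESET cannot provide because that flag lives in the nbuf rather than in the cache. Type and function names (xbuf_t, xcache_t, xcache_all and so on) are invented, and the model captures only the reallocation hazard, not NPF's rule that just one of npc and enpc can be cached at a time.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for nbuf_t and npf_cache_t (names and fields
 * assumed, not NPF's structures). */
typedef struct {
	uint8_t *data;   /* packet bytes; moves when the buffer is reallocated */
	size_t len;
	uint32_t gen;    /* bumped on every reallocation */
} xbuf_t;

typedef struct {
	xbuf_t *buf;
	uint32_t gen;        /* buf->gen at the time the pointers were taken */
	const uint8_t *l3;   /* cached header pointers into buf->data */
	const uint8_t *l4;
} xcache_t;

/* Make at least 'need' bytes contiguous; models an m_pullup(): the old
 * storage is freed, so pointers taken before this call are dangling. */
static int
xbuf_ensure(xbuf_t *b, size_t need)
{
	uint8_t *n;

	if (need <= b->len)
		return 0;
	if ((n = calloc(need, 1)) == NULL)
		return -1;
	memcpy(n, b->data, b->len);
	free(b->data);
	b->data = n;
	b->len = need;
	b->gen++;        /* every cache taken from this buffer is now stale */
	return 0;
}

/* Fill a cache with pointers at the given offsets; may reallocate. */
static int
xcache_all(xcache_t *c, xbuf_t *b, size_t l3off, size_t l4off, size_t l4len)
{
	if (xbuf_ensure(b, l4off + l4len) != 0)
		return -1;
	c->buf = b;
	c->gen = b->gen;
	c->l3 = b->data + l3off;
	c->l4 = b->data + l4off;
	return 0;
}

/* True if this cache's pointers postdate the last reallocation. Because
 * the generation lives in the cache, npc and enpc are judged separately,
 * which a flag stored in the buffer cannot do. */
static int
xcache_valid(const xcache_t *c)
{
	return c->buf != NULL && c->gen == c->buf->gen;
}

/*
 * Replays the ICMP ALG sequence from the log message: npc is cached,
 * caching enpc (the embedded packet) forces a pullup, and npc must be
 * recached before use. Returns 1 if npc was detected stale after enpc
 * was cached and is valid again after the recache, 0 otherwise.
 */
static int
demo_recache(void)
{
	xbuf_t b = { NULL, 64, 0 };
	xcache_t npc, enpc;
	int stale = 0, ok = 0;

	memset(&npc, 0, sizeof(npc));
	memset(&enpc, 0, sizeof(enpc));
	if ((b.data = calloc(b.len, 1)) == NULL)
		return 0;
	/* Outer headers fit in the 64 bytes: no reallocation. */
	if (xcache_all(&npc, &b, 0, 40, 8) != 0 || !xcache_valid(&npc))
		goto out;
	/* Embedded packet needs 96 bytes: reallocation, npc now dangling. */
	if (xcache_all(&enpc, &b, 48, 88, 8) != 0)
		goto out;
	stale = !xcache_valid(&npc);
	/* Done with enpc, so recache npc unconditionally, as the fix does. */
	if (xcache_all(&npc, &b, 0, 40, 8) != 0)
		goto out;
	ok = stale && xcache_valid(&npc) && b.gen == 1;
out:
	free(b.data);
	return ok;
}
```

The recache is unconditional for the same reason the log message gives: the cache cannot know whether the buffer moved underneath it unless the buffer's reallocation count is compared with the one recorded at caching time, which is what xcache_valid() does.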
CVS commit: [netbsd-7] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:41:28 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.2.1
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:41:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.47.2.1 2018/04/05 11:41:28 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 	uint8_t			npc_alen;
 
 	/* IP header length and L4 protocol. */
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 
 	/* IPv4, IPv6. */
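Review bot: widening npc_hlen to uint32_t removes the 8-bit wrap, but as the log message itself says, the increments in npf_cache_ip() can still run past the mbuf, so this one-line hunk is not the whole fix; the bounds check on the accumulated length should land in the same pull-up. Also, changing a field of npf_cache_t changes the structure's size and layout (a uint8_t now followed by a uint32_t gets padding), so any separately built module that embeds or indexes npf_cache_t must be rebuilt against the new header.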

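The wrap the log message describes, worked through in C as an added example (not NPF's code; names such as ip6_upper_offset and build_layout are invented): a bounds-checked extension-header walker with a 32-bit offset, run side by side with an 8-bit accumulator that mirrors the old npc_hlen, over a constructed packet using the exact layout above (UDP headers left zeroed). The hardened walk lands on 304, the 8-bit accumulator on 48, and a truncated copy of the same chain is rejected rather than walked, which is the second problem the message mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers and sizes used here; defined locally so the file
 * builds without netinet headers. */
#define PROTO_HOPOPTS   0
#define PROTO_UDP      17
#define PROTO_ROUTING  43
#define PROTO_FRAGMENT 44
#define PROTO_DSTOPTS  60
#define IP6_HDRLEN     40
#define EXT_UNIT        8   /* extension-header lengths count 8-octet units */

/*
 * Walk the extension-header chain of the IPv6 packet in pkt[0..len) and
 * return the offset of the upper-layer header, or -1 if any header would
 * extend past the buffer; the protocol goes to *proto. 'off' is the real
 * walk position, 32-bit and bounds-checked before every read; 'hlen8'
 * adds up the same distance in a uint8_t, mirroring the pre-fix npc_hlen,
 * and is reported through *wrapped for comparison.
 */
static int
ip6_upper_offset(const uint8_t *pkt, size_t len, uint8_t *proto,
    uint8_t *wrapped)
{
	uint32_t off = IP6_HDRLEN;
	uint8_t hlen8 = IP6_HDRLEN, nxt;

	if (len < IP6_HDRLEN)
		return -1;
	nxt = pkt[6];                          /* ip6_nxt */
	for (;;) {
		uint32_t extlen;

		switch (nxt) {
		case PROTO_HOPOPTS:
		case PROTO_ROUTING:
		case PROTO_DSTOPTS:
			/* nxt(1) len(1) ...; len excludes the first 8 octets */
			if (len - off < EXT_UNIT)
				return -1;
			extlen = ((uint32_t)pkt[off + 1] + 1) * EXT_UNIT;
			break;
		case PROTO_FRAGMENT:
			if (len - off < EXT_UNIT)
				return -1;
			extlen = EXT_UNIT;
			break;
		default:
			*proto = nxt;
			*wrapped = hlen8;
			return (int)off;
		}
		if (len - off < extlen)        /* header claims more than is there */
			return -1;
		nxt = pkt[off];
		off += extlen;
		hlen8 = (uint8_t)(hlen8 + extlen);
	}
}

/* Constructed packet with the layout from the log message; the UDP
 * headers stay zero since only the chain matters here. */
static size_t
build_layout(uint8_t *pkt, size_t cap)
{
	const size_t total = 304 + 8;

	if (cap < total)
		return 0;
	memset(pkt, 0, cap);
	pkt[0] = 0x60;                                  /* version 6 */
	pkt[4] = (uint8_t)((total - IP6_HDRLEN) >> 8);  /* payload length */
	pkt[5] = (uint8_t)((total - IP6_HDRLEN) & 0xff);
	pkt[6] = PROTO_ROUTING;
	pkt[40] = PROTO_DSTOPTS;   /* routing header, ip6r_len = 31: 256 bytes */
	pkt[41] = 31;
	pkt[296] = PROTO_UDP;      /* dest options, ip6e_len = 0: 8 bytes */
	return total;              /* real UDP header at 304 */
}

/* Walk the constructed packet: returns the 32-bit offset (304) and, if
 * 'wrapped' is non-NULL, stores where the 8-bit accumulator landed (48). */
static int
walk_layout(int *wrapped)
{
	uint8_t pkt[320], proto = 0, w = 0;
	size_t len = build_layout(pkt, sizeof(pkt));
	int off = ip6_upper_offset(pkt, len, &proto, &w);

	if (wrapped != NULL)
		*wrapped = w;
	return proto == PROTO_UDP ? off : -1;
}

static int
wrapped_npc_hlen(void)
{
	int w = -1;

	(void)walk_layout(&w);
	return w;
}

/* The same chain presented with only 100 bytes is rejected, not walked. */
static int
truncated_rejected(void)
{
	uint8_t pkt[320], proto = 0, w = 0;

	return build_layout(pkt, sizeof(pkt)) > 100 &&
	    ip6_upper_offset(pkt, 100, &proto, &w) == -1;
}

int
main(void)
{
	printf("32-bit offset %d, 8-bit npc_hlen %d, truncated rejected %d\n",
	    walk_layout(NULL), wrapped_npc_hlen(), truncated_rejected());
	return 0;
}
```

Offset 48 is inside the routing header, so a filter that takes the L4 header from there evaluates whatever those bytes contain, while the stack, walking with a full-width offset, parses the header at 304; the two bounds checks in ip6_upper_offset() are what keep a large ip6r_len from turning into an out-of-buffer read.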

CVS commit: [netbsd-7] src/sys/net/npf

2017-05-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 22 18:56:35 UTC 2017

Modified Files:
src/sys/net/npf [netbsd-7]: npf_inet.c

Log Message:
Pull up missing part of rev 1.33, partly pulled up in ticket #1394:
make DDB print ipv6 addresses too


To generate a diff of this commit:
cvs rdiff -u -r1.32.2.1 -r1.32.2.2 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_inet.c
diff -u src/sys/net/npf/npf_inet.c:1.32.2.1 src/sys/net/npf/npf_inet.c:1.32.2.2
--- src/sys/net/npf/npf_inet.c:1.32.2.1	Fri May 12 05:32:12 2017
+++ src/sys/net/npf/npf_inet.c	Mon May 22 18:56:35 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.32.2.2 2017/05/22 18:56:35 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32.2.2 2017/05/22 18:56:35 martin Exp $");
 
 #include 
 #include 
@@ -51,6 +51,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
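Review bot: the header name in the added `#include` line was lost in the archive rendering, so the hunk cannot be checked as shown; from the thread it is the header declaring ip6_sprintf(), whose absence produced the implicit-declaration error at npf_inet.c:759. Since the only use of ip6_sprintf() in this file sits under #ifdef INET6 (the ticket #1394 change), consider guarding this include the same way so that an INET6-less build, which is what ticket #1394 was about, does not pull in an IPv6 header it has no use for.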


Re: CVS commit: [netbsd-7] src/sys/net/npf

2017-05-21 Thread Hauke Fath
On Sun, 21 May 2017 08:08:34 +0900 (JST), Takahiro Kambe wrote:
> By comparing code with current, one line seems to be missing.
> 
> Index: sys/net/npf/npf_inet.c
> ===
> RCS file: /cvsroot/src/sys/net/npf/npf_inet.c,v
> retrieving revision 1.32.2.1
> diff -u -r1.32.2.1 npf_inet.c
> --- sys/net/npf/npf_inet.c12 May 2017 05:32:12 -  1.32.2.1
> +++ sys/net/npf/npf_inet.c20 May 2017 23:06:17 -
> @@ -51,6 +51,7 @@
>  
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 

Confirmed.

hauke

-- 
Hauke Fath
Ernst-Ludwig-Straße 15
64625 Bensheim
Germany


Re: CVS commit: [netbsd-7] src/sys/net/npf

2017-05-20 Thread Takahiro Kambe
In message 
on Wed, 17 May 2017 13:22:39 +0200,
Hauke Fath  wrote:
> [properly re-sent to source-changes-d -- it was cribbed from the web
> list archive]
> 
> 
> The pull-up
> 
>> Pull up following revision(s) (requested by jnemeth in ticket #1394):
>> sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
>> sys/net/npf/npf_mbuf.c: revision 1.16
>> sys/net/npf/npf_nat.c: revision 1.40
>> minimal changes necessary to link into an INET6-less kernel.
>> --
>> fixup misplaced #endif
> 
> leads to
> 
> [...]
> --- npf_nat.o ---
> /u/netbsd-builds/7/amd64/tools/bin/x86_64--netbsd-gcc -mcmodel=kernel
> -mno-red-zone -mno-mmx -mno-sse -mno-avx -msoft-float -ffreestanding
> -fno-zero-initialized-in-bss -O2 -fno-omit-frame-pointer
> -fstack-protector -Wstack-protector --param ssp-buffer-size=1
> -fno-strict-aliasing -fno-common -std=gnu99 -Werror -Wall -Wno-main
> -Wno-format-zero-length -Wpointer-arith -Wmissing-prototypes
> -Wstrict-prototypes -Wold-style-definition -Wswitch -Wshadow
> -Wcast-qual -Wwrite-strings -Wno-unreachable-code -Wno-pointer-sign
> -Wno-attributes -Wextra -Wno-unused-parameter -Wold-style-definition
> -Wno-sign-compare --sysroot=/u/netbsd-builds/7/amd64/destdir -Damd64
> -Dx86_64 -I. -I/public/netbsd-7/sys/../common/include
> -I/public/netbsd-7/sys/arch -I/public/netbsd-7/sys -nostdinc
> -DCHILD_MAX=1024 -DOPEN_MAX=1024 -DIPSEC_ESP -DIPSEC_NAT_T
> -DMAXUSERS=64 -D_KERNEL -D_KERNEL_OPT -std=gnu99
> -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/quad
> -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/string
> -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/arch/x86_64/string
> -D_FORTIFY_SOURCE=2 -I/public/netbsd-7/sys/../common/include
> -I/public/netbsd-7/sys/external/bsd/acpica/dist/include -c
> /public/netbsd-7/sys/net/npf/npf_nat.c
> --- npf_inet.o ---
> /public/netbsd-7/sys/net/npf/npf_inet.c: In function 'npf_addr_dump':
> /public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: implicit
> declaration of function 'ip6_sprintf'
> [-Werror=implicit-function-declaration]
>   return ip6_sprintf(addr);
>   ^
> /public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: return makes
> pointer from integer without a cast [-Werror]
> cc1: all warnings being treated as errors
> *** [npf_inet.o] Error code 1
By comparing code with current, one line seems to be missing.

Index: sys/net/npf/npf_inet.c
===
RCS file: /cvsroot/src/sys/net/npf/npf_inet.c,v
retrieving revision 1.32.2.1
diff -u -r1.32.2.1 npf_inet.c
--- sys/net/npf/npf_inet.c  12 May 2017 05:32:12 -  1.32.2.1
+++ sys/net/npf/npf_inet.c  20 May 2017 23:06:17 -
@@ -51,6 +51,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 

-- 
Takahiro Kambe 


Re: CVS commit: [netbsd-7] src/sys/net/npf

2017-05-17 Thread Hauke Fath
[properly re-sent to source-changes-d -- it was cribbed from the web 
list archive]



The pull-up


Pull up following revision(s) (requested by jnemeth in ticket #1394):
sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
sys/net/npf/npf_mbuf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.40
minimal changes necessary to link into an INET6-less kernel.
--
fixup misplaced #endif


leads to

[...]
--- npf_nat.o ---
/u/netbsd-builds/7/amd64/tools/bin/x86_64--netbsd-gcc -mcmodel=kernel 
-mno-red-zone -mno-mmx -mno-sse -mno-avx -msoft-float -ffreestanding 
-fno-zero-initialized-in-bss -O2 -fno-omit-frame-pointer 
-fstack-protector -Wstack-protector --param ssp-buffer-size=1 
-fno-strict-aliasing -fno-common -std=gnu99 -Werror -Wall -Wno-main 
-Wno-format-zero-length -Wpointer-arith -Wmissing-prototypes 
-Wstrict-prototypes -Wold-style-definition -Wswitch -Wshadow -Wcast-qual 
-Wwrite-strings -Wno-unreachable-code -Wno-pointer-sign -Wno-attributes 
-Wextra -Wno-unused-parameter -Wold-style-definition -Wno-sign-compare 
--sysroot=/u/netbsd-builds/7/amd64/destdir -Damd64 -Dx86_64 -I. 
-I/public/netbsd-7/sys/../common/include -I/public/netbsd-7/sys/arch 
-I/public/netbsd-7/sys -nostdinc -DCHILD_MAX=1024 -DOPEN_MAX=1024 
-DIPSEC_ESP -DIPSEC_NAT_T -DMAXUSERS=64 -D_KERNEL -D_KERNEL_OPT 
-std=gnu99 
-I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/quad 
-I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/string 
-I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/arch/x86_64/string 
-D_FORTIFY_SOURCE=2 -I/public/netbsd-7/sys/../common/include 
-I/public/netbsd-7/sys/external/bsd/acpica/dist/include -c 
/public/netbsd-7/sys/net/npf/npf_nat.c

--- npf_inet.o ---
/public/netbsd-7/sys/net/npf/npf_inet.c: In function 'npf_addr_dump':
/public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: implicit 
declaration of function 'ip6_sprintf' 
[-Werror=implicit-function-declaration]

  return ip6_sprintf(addr);
  ^
/public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: return makes 
pointer from integer without a cast [-Werror]

cc1: all warnings being treated as errors
*** [npf_inet.o] Error code 1


which, I guess, didn't show up in a build because we do not have a 
(standard) kernel config file that includes npf(4).


Any reason why -current should not default GENERIC to npf?

Cheerio,
hauke

--
 The ASCII Ribbon CampaignHauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
 Respect for open standards  Ruf +49-6151-16-21344


CVS commit: [netbsd-7] src/sys/net/npf

2017-05-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri May 12 05:32:12 UTC 2017

Modified Files:
src/sys/net/npf [netbsd-7]: npf_inet.c npf_mbuf.c npf_nat.c

Log Message:
Pull up following revision(s) (requested by jnemeth in ticket #1394):
sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
sys/net/npf/npf_mbuf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.40
minimal changes necessary to link into an INET6-less kernel.
--
fixup misplaced #endif


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.2.1 src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.13.2.2 -r1.13.2.3 src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.32.2.5 -r1.32.2.6 src/sys/net/npf/npf_nat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_inet.c
diff -u src/sys/net/npf/npf_inet.c:1.32 src/sys/net/npf/npf_inet.c:1.32.2.1
--- src/sys/net/npf/npf_inet.c:1.32	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_inet.c	Fri May 12 05:32:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_inet.c,v 1.32 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $");
 
 #include 
 #include 
@@ -654,7 +654,9 @@ npf_napt_rwr(const npf_cache_t *npc, u_i
 		}
 		break;
 	case IPPROTO_ICMP:
+#ifdef INET6
 	case IPPROTO_ICMPV6:
+#endif
 		KASSERT(npf_iscached(npc, NPC_ICMP));
 		/* Nothing. */
 		break;
@@ -668,6 +670,7 @@ npf_napt_rwr(const npf_cache_t *npc, u_i
  * IPv6-to-IPv6 Network Prefix Translation (NPTv6), as per RFC 6296.
  */
 
+#ifdef INET6
 int
 npf_npt66_rwr(const npf_cache_t *npc, u_int which, const npf_addr_t *pref,
 npf_netmask_t len, uint16_t adj)
@@ -736,18 +739,25 @@ npf_npt66_rwr(const npf_cache_t *npc, u_
 	addr->s6_addr16[word] = sum;
 	return 0;
 }
+#endif
 
 #if defined(DDB) || defined(_NPF_TESTING)
 
 const char *
 npf_addr_dump(const npf_addr_t *addr, int alen)
 {
+#ifdef INET6
 	if (alen == sizeof(struct in_addr)) {
+#else
+		KASSERT(alen == sizeof(struct in_addr));
+#endif
 		struct in_addr ip;
 		memcpy(, addr, alen);
 		return inet_ntoa(ip);
+#ifdef INET6
 	}
-	return "[IPv6]"; // XXX
+	return ip6_sprintf(addr);
+#endif
 }
 
 #endif
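Review bot: `return ip6_sprintf(addr);` is added without any header declaring ip6_sprintf(), which is exactly the implicit-declaration error reported later in this thread (npf_inet.c:759); the include belongs in this change. Separately, the #ifdef/#else layout of npf_addr_dump() is hard to read: in the !INET6 build the `struct in_addr ip; ... return inet_ntoa(ip);` lines are indented as if inside the `if` block but there is no block at all, and the KASSERT sits where the condition used to be. Keeping `if (alen == sizeof(struct in_addr)) { ... }` unconditional and guarding only the trailing IPv6 return (with a KASSERT and `return NULL;` in the #else branch) needs one conditional instead of three.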

Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.13.2.2 src/sys/net/npf/npf_mbuf.c:1.13.2.3
--- src/sys/net/npf/npf_mbuf.c:1.13.2.2	Tue Jan 26 01:27:21 2016
+++ src/sys/net/npf/npf_mbuf.c	Fri May 12 05:32:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $	*/
+/*	$NetBSD: npf_mbuf.c,v 1.13.2.3 2017/05/12 05:32:12 snj Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.3 2017/05/12 05:32:12 snj Exp $");
 
 #include 
 #include 
@@ -258,11 +258,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di)
 		m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4 | M_CSUM_UDPv4);
 		return true;
 	}
+#ifdef INET6
 	if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv6 | M_CSUM_UDPv6)) {
 		in6_delayed_cksum(m);
 		m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv6 | M_CSUM_UDPv6);
 		return true;
 	}
+#endif
 	return false;
 }
 

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.32.2.5 src/sys/net/npf/npf_nat.c:1.32.2.6
--- src/sys/net/npf/npf_nat.c:1.32.2.5	Sun Jan  4 11:37:38 2015
+++ src/sys/net/npf/npf_nat.c	Fri May 12 05:32:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.32.2.6 2017/05/12 05:32:12 snj Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius 
@@ -71,7 +71,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32.2.6 2017/05/12 05:32:12 snj Exp $");
 
 #include 
 #include 
@@ -657,10 +657,12 @@ npf_nat_algo(npf_cache_t *npc, const npf
 	int error;
 
 	switch (np->n_algo) {
+#ifdef INET6
 	case NPF_ALGO_NPT66:
 		error = npf_npt66_rwr(npc, which, >n_taddr,
 		np->n_tmask, np->n_npt66_adj);
 		break;
+#endif
 	default:
 		error = npf_napt_rwr(npc, which, >n_taddr, np->n_tport);
 		break;
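Review bot: guarding only the `case NPF_ALGO_NPT66:` label means that in an INET6-less kernel a ruleset that still specifies NPT66 falls through to `default:` and is silently rewritten by npf_napt_rwr(), a different translation from the one the administrator configured. Rejecting NPF_ALGO_NPT66 at rule load time when INET6 is not compiled in, or returning an error from this switch, would fail closed instead.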


CVS commit: [netbsd-7] src/sys/net/npf

2016-12-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Dec 27 07:03:53 UTC 2016

Modified Files:
src/sys/net/npf [netbsd-7]: lpm.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #1340):
sys/net/npf/lpm.c: revision 1.3
Fix kmem_free() in hashmap_remove().


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.3 -r1.1.2.4 src/sys/net/npf/lpm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.1.2.3 src/sys/net/npf/lpm.c:1.1.2.4
--- src/sys/net/npf/lpm.c:1.1.2.3	Mon Dec 26 18:55:08 2016
+++ src/sys/net/npf/lpm.c	Tue Dec 27 07:03:52 2016
@@ -31,7 +31,7 @@
 
 #if defined(_KERNEL)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.3 2016/12/26 18:55:08 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.4 2016/12/27 07:03:52 snj Exp $");
 
 #include 
 #include 
@@ -245,7 +245,7 @@ hashmap_remove(lpm_hmap_t *hmap, const v
 			} else {
 hmap->bucket[i] = entry->next;
 			}
-			free(entry, M_TEMP);
+			kmem_free(entry, offsetof(lpm_ent_t, key[len]));
 			return 0;
 		}
 		prev = entry;
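Review bot: the allocator mismatch (free(9) with M_TEMP on memory that kmem(9) handed out) is fixed, but `offsetof(lpm_ent_t, key[len])` must be exactly the size the entry was allocated with on the insert path, so `len` here has to be the length that entry was created with rather than whatever the caller passes for the lookup. A small helper shared by allocation and free (an LPM_ENT_SIZE(len)-style macro, name assumed) keeps the two expressions from drifting apart.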



CVS commit: [netbsd-7] src/sys/net/npf

2016-12-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Dec 26 18:55:08 UTC 2016

Modified Files:
src/sys/net/npf [netbsd-7]: lpm.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #1339):
sys/net/npf/lpm.c: revision 1.2
Fix kmem_free() sizes in hashmap_rehash() and lpm_clear().


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.2 -r1.1.2.3 src/sys/net/npf/lpm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/lpm.c
diff -u src/sys/net/npf/lpm.c:1.1.2.2 src/sys/net/npf/lpm.c:1.1.2.3
--- src/sys/net/npf/lpm.c:1.1.2.2	Sun Dec 18 07:40:50 2016
+++ src/sys/net/npf/lpm.c	Mon Dec 26 18:55:08 2016
@@ -31,7 +31,7 @@
 
 #if defined(_KERNEL)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.2 2016/12/18 07:40:50 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.3 2016/12/26 18:55:08 snj Exp $");
 
 #include 
 #include 
@@ -117,7 +117,7 @@ lpm_clear(lpm_t *lpm, lpm_dtor_t dtor, v
 entry = next;
 			}
 		}
-		kmem_free(hmap->bucket, hmap->hashsize);
+		kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *));
 		hmap->bucket = NULL;
 		hmap->hashsize = 0;
 		hmap->nitems = 0;
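Review bot: `hmap->hashsize * sizeof(lpm_ent_t *)` now appears in three places in this file (here and twice in hashmap_rehash()); one helper for the bucket-array size, used by kmem_zalloc() and every kmem_free(), would keep the allocation and free sizes in lock-step, which is the whole point of this fix.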
@@ -158,7 +158,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_
 	for (hashsize = 1; hashsize < size; hashsize <<= 1) {
 		continue;
 	}
-	bucket = kmem_zalloc(hashsize * sizeof(*bucket), KM_SLEEP);
+	bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), KM_SLEEP);
 	if (bucket == NULL)
 		return false;
 	for (unsigned n = 0; n < hmap->hashsize; n++) {
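Review bot: kmem_zalloc(9) with KM_SLEEP is documented not to return NULL for allocations of reasonable size, so the `if (bucket == NULL) return false;` immediately after it is effectively dead; either drop the check or switch to KM_NOSLEEP if a rehash is meant to fail gracefully under memory pressure. The change from `sizeof(*bucket)` to `sizeof(lpm_ent_t *)` is cosmetic on its own and only helps if the same expression is used at the free sites.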
@@ -175,7 +175,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_
 		}
 	}
 	if (hmap->bucket)
-		kmem_free(hmap->bucket, hmap->hashsize);
+		kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *));
 	hmap->bucket = bucket;
 	hmap->hashsize = hashsize;
 	return true;



CVS commit: [netbsd-7] src/sys/net/npf

2016-01-25 Thread Jeff Rizzo
Module Name:src
Committed By:   riz
Date:   Tue Jan 26 01:27:21 UTC 2016

Modified Files:
src/sys/net/npf [netbsd-7]: npf_mbuf.c

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1065):
sys/net/npf/npf_mbuf.c: revision 1.15
handle delayed cksums also for ipv6


To generate a diff of this commit:
cvs rdiff -u -r1.13.2.1 -r1.13.2.2 src/sys/net/npf/npf_mbuf.c

Modified files:

Index: src/sys/net/npf/npf_mbuf.c
diff -u src/sys/net/npf/npf_mbuf.c:1.13.2.1 src/sys/net/npf/npf_mbuf.c:1.13.2.2
--- src/sys/net/npf/npf_mbuf.c:1.13.2.1	Fri Jul 17 04:37:22 2015
+++ src/sys/net/npf/npf_mbuf.c	Tue Jan 26 01:27:21 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_mbuf.c,v 1.13.2.1 2015/07/17 04:37:22 snj Exp $	*/
+/*	$NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.1 2015/07/17 04:37:22 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $");
 
 #include 
 #include 
@@ -258,6 +258,11 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di)
 		m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4 | M_CSUM_UDPv4);
 		return true;
 	}
+	if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv6 | M_CSUM_UDPv6)) {
+		in6_delayed_cksum(m);
+		m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv6 | M_CSUM_UDPv6);
+		return true;
+	}
 	return false;
 }
 
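Review bot: the new branch calls `in6_delayed_cksum()` but the diff adds no include; confirm that netinet6/in6_offload.h, which declares it, is already pulled in by this file, because the stripped `#include` lines in the hunk above do not show it. Semantically the branch mirrors the IPv4 one correctly: the deferred TCP/UDP checksum is materialised and the `M_CSUM_TCPv6 | M_CSUM_UDPv6` bits are cleared before the packet is modified further, which is the point of a checksum barrier; without it, an IPv6 packet with offloaded checksum would be rewritten and then checksummed by hardware over the wrong data, or not at all.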




CVS commit: [netbsd-7] src/sys/net/npf

2015-03-15 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Mar 15 22:41:24 UTC 2015

Modified Files:
src/sys/net/npf [netbsd-7]: npf_conn.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #586):
sys/net/npf/npf_conn.c: revision 1.16
npf_conn_establish: fix the previous change - drop the reference on error.


To generate a diff of this commit:
cvs rdiff -u -r1.10.2.4 -r1.10.2.5 src/sys/net/npf/npf_conn.c

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.10.2.4 src/sys/net/npf/npf_conn.c:1.10.2.5
--- src/sys/net/npf/npf_conn.c:1.10.2.4	Wed Feb  4 07:13:04 2015
+++ src/sys/net/npf/npf_conn.c	Sun Mar 15 22:41:24 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.10.2.4 2015/02/04 07:13:04 snj Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.10.2.5 2015/03/15 22:41:24 snj Exp $	*/
 
 /*-
  * Copyright (c) 2014-2015 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.4 2015/02/04 07:13:04 snj Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.5 2015/03/15 22:41:24 snj Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -528,8 +528,8 @@ err:
 	 * here since there might be references acquired already.
 	 */
 	if (error) {
-		const u_int dflags = CONN_REMOVED | CONN_EXPIRE;
-		atomic_or_uint(con-c_flags, dflags);
+		atomic_or_uint(con-c_flags, CONN_REMOVED | CONN_EXPIRE);
+		atomic_dec_uint(con-c_refcnt);
 		npf_stats_inc(NPF_STAT_RACE_CONN);
 	} else {
 		NPF_PRINTF((NPF: establish conn %p\n, con));
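Review bot: the added `atomic_dec_uint(&con->c_refcnt)` balances the reference taken at creation, but the hunk does not show what happens if this drop takes the count to zero; the comment says other references may already exist, so the garbage collector is presumably expected to reclaim the entry via `CONN_REMOVED | CONN_EXPIRE`. Suggest `KASSERT(con->c_refcnt > 0)` before the decrement, or `atomic_dec_uint_nv()` with an assertion on the result, so a double drop is caught in DIAGNOSTIC kernels rather than surfacing later as a use-after-free. Setting the flags before dropping the reference, as done here, is the right order: a concurrent lookup that still finds the entry also sees it as expired.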
@@ -569,6 +569,8 @@ npf_conn_destroy(npf_conn_t *con)
 /*
  * npf_conn_setnat: associate NAT entry with the connection, update and
  * re-insert connection entry using the translation values.
+ *
+ * = The caller must be holding a reference.
  */
 int
 npf_conn_setnat(const npf_cache_t *npc, npf_conn_t *con,
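Review bot: the added precondition (the caller must hold a reference) is documentation only; `npf_conn_getnat()` enforces the same requirement with `KASSERT(con->c_refcnt > 0)`, so add the same assertion at the top of `npf_conn_setnat()` so the contract is checked rather than merely stated.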




CVS commit: [netbsd-7] src/sys/net/npf

2015-01-04 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Jan  4 11:37:38 UTC 2015

Modified Files:
src/sys/net/npf [netbsd-7]: npf_nat.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #374):
sys/net/npf/npf_nat.c: revision 1.39
Don't forget to destroy the mutex before freeing the nat struct on a failed
load.


To generate a diff of this commit:
cvs rdiff -u -r1.32.2.4 -r1.32.2.5 src/sys/net/npf/npf_nat.c

Modified files:

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.32.2.4 src/sys/net/npf/npf_nat.c:1.32.2.5
--- src/sys/net/npf/npf_nat.c:1.32.2.4	Mon Dec 22 02:10:30 2014
+++ src/sys/net/npf/npf_nat.c	Sun Jan  4 11:37:38 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -256,6 +256,7 @@ npf_nat_newpolicy(prop_dictionary_t natd
 	}
 	return np;
 err:
+	mutex_destroy(np-n_lock);
 	kmem_free(np, sizeof(npf_natpolicy_t));
 	return NULL;
 }
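Review bot: `mutex_destroy(&np->n_lock)` at `err:` is only safe if `n_lock` has been initialised before every `goto err` in `npf_nat_newpolicy()`; the hunk does not show the earlier error exits, so please confirm that `mutex_init()` follows the `kmem_zalloc()` of `np` immediately, or give the post-init failures their own label. Destroying a never-initialised mutex trips LOCKDEBUG assertions and otherwise operates silently on zeroed memory.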



CVS commit: [netbsd-7] src/sys/net/npf

2014-12-21 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Mon Dec 22 02:10:30 UTC 2014

Modified Files:
src/sys/net/npf [netbsd-7]: npf_conn.c npf_conn.h npf_nat.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #347):
sys/net/npf/npf_nat.c: revision 1.38
sys/net/npf/npf_conn.h: revision 1.8
sys/net/npf/npf_conn.c: revision 1.14
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window.  Might fix PR/49488.


To generate a diff of this commit:
cvs rdiff -u -r1.10.2.2 -r1.10.2.3 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.6.2.1 -r1.6.2.2 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.32.2.3 -r1.32.2.4 src/sys/net/npf/npf_nat.c

Modified files:

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.10.2.2 src/sys/net/npf/npf_conn.c:1.10.2.3
--- src/sys/net/npf/npf_conn.c:1.10.2.2	Mon Dec  1 13:05:26 2014
+++ src/sys/net/npf/npf_conn.c	Mon Dec 22 02:10:30 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.10.2.3 2014/12/22 02:10:30 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.3 2014/12/22 02:10:30 msaitoh Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -660,7 +660,7 @@ npf_conn_setpass(npf_conn_t *con, npf_rp
 	 * If rproc is set, the caller transfers its reference to us,
 	 * which will be released on npf_conn_destroy().
 	 */
-	con-c_flags |= CONN_PASS;
+	atomic_or_uint(con-c_flags, CONN_PASS);
 	con-c_rproc = rp;
 }
 
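Review bot: the flag update is now atomic, but `con->c_rproc = rp;` is a plain store issued after `CONN_PASS` is set, so a lock-free reader that tests `CONN_PASS` and then dereferences `c_rproc` can observe the flag before the pointer. If readers are unlocked, store `c_rproc` first and publish the flag afterwards, with `membar_producer()` between the two on weakly ordered CPUs; if the caller already serialises this with a lock, say so in the comment.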
@@ -673,7 +673,7 @@ npf_conn_release(npf_conn_t *con)
 {
 	if ((con-c_flags  (CONN_ACTIVE | CONN_EXPIRE)) == 0) {
 		/* Activate: after this, connection is globally visible. */
-		con-c_flags |= CONN_ACTIVE;
+		atomic_or_uint(con-c_flags, CONN_ACTIVE);
 	}
 	KASSERT(con-c_refcnt  0);
 	atomic_dec_uint(con-c_refcnt);
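Review bot: the test `(con->c_flags & (CONN_ACTIVE | CONN_EXPIRE)) == 0` followed by `atomic_or_uint(&con->c_flags, CONN_ACTIVE)` is still a check-then-act pair, so a `CONN_EXPIRE` set by another CPU between the two leaves an entry that is both active and expired. The atomic OR does close the lost-update race against `npf_conn_setpass()`, which is what the log message describes; if activation must be refused once expired, an `atomic_cas_uint()` loop on `c_flags` is needed instead. The `KASSERT(con->c_refcnt > 0)` before the final decrement is good.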

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.6.2.1 src/sys/net/npf/npf_conn.h:1.6.2.2
--- src/sys/net/npf/npf_conn.h:1.6.2.1	Mon Dec  1 13:05:26 2014
+++ src/sys/net/npf/npf_conn.h	Mon Dec 22 02:10:30 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.6.2.1 2014/12/01 13:05:26 martin Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.6.2.2 2014/12/22 02:10:30 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -47,7 +47,7 @@ typedef struct npf_connkey npf_connkey_t
 #include sys/rbtree.h
 
 /*
- * See npf_conn_key() function for the description key layout.
+ * See npf_conn_conkey() function for the key layout description.
  */
 #define	NPF_CONN_NKEYWORDS	(2 + ((sizeof(npf_addr_t) * 2)  2))
 #define	NPF_CONN_MAXKEYLEN	(NPF_CONN_NKEYWORDS * sizeof(uint32_t))

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.32.2.3 src/sys/net/npf/npf_nat.c:1.32.2.4
--- src/sys/net/npf/npf_nat.c:1.32.2.3	Mon Dec  1 13:05:26 2014
+++ src/sys/net/npf/npf_nat.c	Mon Dec 22 02:10:30 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.32.2.3 2014/12/01 13:05:26 martin Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.3 2014/12/01 13:05:26 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -914,8 +914,8 @@ npf_nat_dump(const npf_nat_t *nt)
 
 	np = nt-nt_natpolicy;
 	memcpy(ip, np-n_taddr, sizeof(ip));
-	printf(\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n,
-	np, np-n_type, np-n_flags, inet_ntoa(ip), np-n_tport);
+	printf(\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n, np,
+	np-n_type, np-n_flags, inet_ntoa(ip), ntohs(np-n_tport));
 	memcpy(ip, nt-nt_oaddr, sizeof(ip));
 	printf(\tNAT: original address %s oport %d tport %d\n,
 	inet_ntoa(ip), ntohs(nt-nt_oport), ntohs(nt-nt_tport));




CVS commit: [netbsd-7] src/sys/net/npf

2014-12-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Dec  1 09:02:26 UTC 2014

Modified Files:
src/sys/net/npf [netbsd-7]: npf_nat.c npf_ruleset.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #274):
sys/net/npf/npf_nat.c: revision 1.35
sys/net/npf/npf_ruleset.c: revision 1.38
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload.  Should fix PR/49412, reported by kardel@.


To generate a diff of this commit:
cvs rdiff -u -r1.32.2.1 -r1.32.2.2 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.37 -r1.37.2.1 src/sys/net/npf/npf_ruleset.c

Modified files:

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.32.2.1 src/sys/net/npf/npf_nat.c:1.32.2.2
--- src/sys/net/npf/npf_nat.c:1.32.2.1	Fri Aug 29 11:14:14 2014
+++ src/sys/net/npf/npf_nat.c	Mon Dec  1 09:02:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.32.2.2 2014/12/01 09:02:26 martin Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -71,7 +71,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.2 2014/12/01 09:02:26 martin Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -313,9 +313,10 @@ npf_nat_freepolicy(npf_natpolicy_t *np)
 		kpause(npfgcnat, false, 1, NULL);
 	}
 	KASSERT(LIST_EMPTY(np-n_nat_list));
+	KASSERT(pm == NULL || pm-p_refcnt  0);
 
 	/* Destroy the port map, on last reference. */
-	if (pm  --pm-p_refcnt == 0) {
+	if (pm  atomic_dec_uint_nv(pm-p_refcnt) == 0) {
 		KASSERT((np-n_flags  NPF_NAT_PORTMAP) != 0);
 		kmem_free(pm, PORTMAP_MEM_SIZE);
 	}
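Review bot: `KASSERT(pm == NULL || pm->p_refcnt > 0)` is a plain read of a counter that is otherwise only touched atomically, which is fine for an assertion but catches less than checking the return of `atomic_dec_uint_nv()`: an underflow there yields `UINT_MAX`, so asserting that the new value is not `UINT_MAX` (or keeping the old value in a local and asserting on it) would detect a double release at the point it happens.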
@@ -373,17 +374,21 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf
 	if (memcmp(np-n_taddr, mnp-n_taddr, np-n_alen) != 0) {
 		return false;
 	}
-	/* If NAT policy has an old port map - drop the reference. */
 	mpm = mnp-n_portmap;
-	if (mpm) {
-		/* Note: at this point we cannot hold a last reference. */
-		KASSERT(mpm-p_refcnt  1);
-		mpm-p_refcnt--;
+	KASSERT(mpm == NULL || mpm-p_refcnt  0);
+
+	/*
+	 * If NAT policy has an old port map - drop the reference
+	 * and destroy the port map if it was the last.
+	 */
+	if (mpm  atomic_dec_uint_nv(mpm-p_refcnt) == 0) {
+		kmem_free(mpm, PORTMAP_MEM_SIZE);
 	}
+
 	/* Share the port map. */
 	pm = np-n_portmap;
+	atomic_inc_uint(pm-p_refcnt);
 	mnp-n_portmap = pm;
-	pm-p_refcnt++;
 	return true;
 }
 
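Review bot: `atomic_inc_uint(&pm->p_refcnt)` dereferences `np->n_portmap` without the NULL check that `mpm` gets a few lines above; unless `npf_nat_sharepm()` is only ever reached for policies with `NPF_NAT_PORTMAP` set, add `KASSERT(pm != NULL)` or return false. The new ordering, releasing `mnp`'s old map before taking the reference on `np`'s, is safe even when `mpm == pm`, because `np` still holds its own reference and the decrement cannot reach zero; a short early return for that case would avoid the needless dec/inc pair and make the invariant explicit.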

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.37 src/sys/net/npf/npf_ruleset.c:1.37.2.1
--- src/sys/net/npf/npf_ruleset.c:1.37	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_ruleset.c	Mon Dec  1 09:02:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.37.2.1 2014/12/01 09:02:26 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.37.2.1 2014/12/01 09:02:26 martin Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -421,22 +421,6 @@ npf_ruleset_gc(npf_ruleset_t *rlset)
 }
 
 /*
- * npf_ruleset_cmpnat: find a matching NAT policy in the ruleset.
- */
-static inline npf_rule_t *
-npf_ruleset_cmpnat(npf_ruleset_t *rlset, npf_natpolicy_t *mnp)
-{
-	npf_rule_t *rl;
-
-	/* Find a matching NAT policy in the old ruleset. */
-	LIST_FOREACH(rl, rlset-rs_all, r_aentry) {
-		if (rl-r_natp  npf_nat_cmppolicy(rl-r_natp, mnp))
-			break;
-	}
-	return rl;
-}
-
-/*
  * npf_ruleset_reload: prepare the new ruleset by scanning the active
  * ruleset and 1) sharing the dynamic rules 2) sharing NAT policies.
  *
@@ -492,18 +476,30 @@ npf_ruleset_reload(npf_ruleset_t *newset
 			continue;
 		}
 
+		/*
+		 * First, try to share the active port map.  If this
+		 * policy will be unused, npf_nat_freepolicy() will
+		 * drop the reference.
+		 */
+		npf_ruleset_sharepm(oldset, np);
+
 		/* Does it match with any policy in the active ruleset? */
-		if ((actrl = npf_ruleset_cmpnat(oldset, np)) == NULL) {
+		LIST_FOREACH(actrl, oldset-rs_all, r_aentry) {
+			if (!actrl-r_natp)
+continue;
+			if ((actrl-r_attr  NPF_RULE_KEEPNAT) != 0)
+continue;
+			if (npf_nat_cmppolicy(actrl-r_natp, np))
+break;
+		}
+		if (!actrl) {
+			/* No: just set the ID and continue. */
 			npf_nat_setid(np, ++nid);
 			continue;
 		}
 
-		/*
-		 * Inherit the matching NAT policy and check other ones
-		 * in the new ruleset for sharing the portmap.
-		 */
+		/* Yes: inherit the matching NAT policy. */
 		rl-r_natp = actrl-r_natp;
-		npf_ruleset_sharepm(newset, rl-r_natp);
 		npf_nat_setid(rl-r_natp, ++nid);
 
 		/*
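Review bot: once `rl->r_natp = actrl->r_natp;` executes, the original `np`, which `npf_ruleset_sharepm(oldset, np)` has just given a reference on the active port map, is no longer reachable from `rl` in the visible lines; the diff on this page is cut off at the following `@@ -525,13 +521,8 @@` header, so confirm the continuation calls `npf_nat_freepolicy(np)` so that both the policy and its port-map reference are released, as the new comment promises. The inlined loop also relies on `LIST_FOREACH` leaving `actrl` NULL when the list is exhausted, which queue(3) guarantees, and the added `NPF_RULE_KEEPNAT` skip is a behaviour change relative to the removed `npf_ruleset_cmpnat()` that the log message does not mention; a comment there would help the next reader.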
@@ -525,13 +521,8 @@ 

CVS commit: [netbsd-7] src/sys/net/npf

2014-12-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Dec  1 13:05:26 UTC 2014

Modified Files:
src/sys/net/npf [netbsd-7]: npf_conf.c npf_conn.c npf_conn.h npf_impl.h
npf_nat.c npf_ruleset.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any active
  NAT policy take over or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.8.2.1 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.10.2.1 -r1.10.2.2 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.6 -r1.6.2.1 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.32.2.2 -r1.32.2.3 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.37.2.1 -r1.37.2.2 src/sys/net/npf/npf_ruleset.c

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.8 src/sys/net/npf/npf_conf.c:1.8.2.1
--- src/sys/net/npf/npf_conf.c:1.8	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_conf.c	Mon Dec  1 13:05:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_conf.c,v 1.8.2.1 2014/12/01 13:05:26 martin Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.8.2.1 2014/12/01 13:05:26 martin Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -105,11 +105,13 @@ npf_config_destroy(npf_config_t *nc)
 void
 npf_config_fini(void)
 {
+	npf_conndb_t *cd = npf_conndb_create();
+
 	/* Flush the connections. */
 	mutex_enter(npf_config_lock);
 	npf_conn_tracking(false);
 	pserialize_perform(npf_config_psz);
-	npf_conn_load(NULL, false);
+	npf_conn_load(cd, false);
 	npf_ifmap_flush();
 	mutex_exit(npf_config_lock);
 
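Review bot: `npf_conndb_create()` allocates a fresh, empty connection database that `npf_conn_load(cd, false)` installs in place of the live one, but nothing in the hunk destroys that empty database afterwards; since this is the module teardown path, confirm that the rest of `npf_config_fini()` or `npf_conn_fini()` frees it, otherwise it leaks on every unload. Allocating it before `mutex_enter()` is the right order, as the creation may sleep.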
@@ -127,6 +129,7 @@ npf_config_load(npf_ruleset_t *rset, npf
 npf_ruleset_t *nset, npf_rprocset_t *rpset,
 npf_conndb_t *conns, bool flush)
 {
+	const bool load = conns != NULL;
 	npf_config_t *nc, *onc;
 
 	nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
@@ -143,9 +146,9 @@ npf_config_load(npf_ruleset_t *rset, npf
 	 */
 	mutex_enter(npf_config_lock);
 	if ((onc = npf_config) != NULL) {
-		npf_ruleset_reload(rset, onc-n_rules);
+		npf_ruleset_reload(rset, onc-n_rules, load);
 		npf_tableset_reload(tset, onc-n_tables);
-		npf_ruleset_reload(nset, onc-n_nat_rules);
+		npf_ruleset_reload(nset, onc-n_nat_rules, load);
 	}
 
 	/*

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.10.2.1 src/sys/net/npf/npf_conn.c:1.10.2.2
--- src/sys/net/npf/npf_conn.c:1.10.2.1	Fri Aug 29 11:14:14 2014
+++ src/sys/net/npf/npf_conn.c	Mon Dec  1 13:05:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.10.2.1 2014/08/29 11:14:14 martin Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org
@@ -99,7 +99,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.1 2014/08/29 11:14:14 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -680,11 +680,11 @@ npf_conn_release(npf_conn_t *con)
 }
 
 /*
- * npf_conn_retnat: return associated NAT data entry and indicate
+ * npf_conn_getnat: return associated NAT data entry and indicate
  * whether it is a forwards or backwards stream.
  */
 npf_nat_t *
-npf_conn_retnat(npf_conn_t *con, const int di, bool *forw)
+npf_conn_getnat(npf_conn_t *con, const int di, bool *forw)
 {
 	KASSERT(con-c_refcnt  0);
 	*forw = (con-c_flags  PFIL_ALL) == di;
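Review bot: renaming `npf_conn_retnat()` to `npf_conn_getnat()` changes an exported symbol, so every caller and the prototype in npf_impl.h must move in the same commit; npf_impl.h revision 1.60 is listed in the log message but its diff is not on this page, and the npf_conn.h diff below is truncated, so this cannot be verified here.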

Index: src/sys/net/npf/npf_conn.h
diff -u src/sys/net/npf/npf_conn.h:1.6 src/sys/net/npf/npf_conn.h:1.6.2.1
--- src/sys/net/npf/npf_conn.h:1.6	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_conn.h	Mon Dec  1 13:05:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.h,v 1.6 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_conn.h,v 1.6.2.1 2014/12/01 13:05:26 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -113,7 +113,7 @@ bool		npf_conn_pass(const npf_conn_t *, 
 void		npf_conn_setpass(npf_conn_t *, npf_rproc_t 
