CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Tue Oct 30 19:52:57 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7]: npf_ctl.c Log Message: Pull up following revision(s) (requested by sborrill in ticket #1646): sys/net/npf/npf_ctl.c: revision 1.47 (partial, via patch) - Increase copyin buffer size to 4M To generate a diff of this commit: cvs rdiff -u -r1.38.2.3 -r1.38.2.4 src/sys/net/npf/npf_ctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.38.2.3 src/sys/net/npf/npf_ctl.c:1.38.2.4 --- src/sys/net/npf/npf_ctl.c:1.38.2.3 Wed Jun 10 16:57:58 2015 +++ src/sys/net/npf/npf_ctl.c Tue Oct 30 19:52:56 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.38.2.3 2015/06/10 16:57:58 snj Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.38.2.4 2018/10/30 19:52:56 martin Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38.2.3 2015/06/10 16:57:58 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38.2.4 2018/10/30 19:52:56 martin Exp $"); #include #include @@ -512,7 +512,8 @@ npfctl_load(u_long cmd, void *data) /* Retrieve the dictionary. */ #ifndef _NPF_TESTING - error = prop_dictionary_copyin_ioctl(pref, cmd, _dict); + error = prop_dictionary_copyin_ioctl_size(pref, cmd, _dict, + 4 * 1024 * 1024); if (error) return error; #else
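Review bot: the `4 * 1024 * 1024` passed to prop_dictionary_copyin_ioctl_size() in the npfctl_load hunk is a bare magic number; give it a named constant (NPF_MAX_DICT_SIZE is only a suggested name) with a comment saying it is the ceiling on kernel memory one ruleset load may make the firewall allocate, so the next person raising it knows what the limit protects. The `#else` branch for _NPF_TESTING is outside the shown context, so whether the test build applies the same size limit cannot be judged from this hunk.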
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:	src
Committed By:	martin
Date:		Mon May 14 16:16:04 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-7]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1605):

	sys/net/npf/npf_inet.c: revision 1.45
	sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free. The nbuf can be reallocated as a result of caching
'enpc', so it is necessary to recache 'npc', otherwise it contains pointers
to the freed mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words, only
one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relative to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf, in such a way that we don't need to ensure that later.

Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch
neither the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and
leave right away, without recaching npc (not needed since we didn't touch
the nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.

To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.32.2.2 -r1.32.2.3 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/sys/net/npf/npf_alg_icmp.c diff -u src/sys/net/npf/npf_alg_icmp.c:1.23 src/sys/net/npf/npf_alg_icmp.c:1.23.2.1 --- src/sys/net/npf/npf_alg_icmp.c:1.23 Sun Jul 20 00:37:41 2014 +++ src/sys/net/npf/npf_alg_icmp.c Mon May 14 16:16:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $ */ +/* $NetBSD: npf_alg_icmp.c,v 1.23.2.1 2018/05/14 16:16:04 martin Exp $ */ /*- * Copyright (c) 2010 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23.2.1 2018/05/14 16:16:04 martin Exp $"); #include #include @@ -118,13 +118,15 @@ npfa_icmp_match(npf_cache_t *npc, npf_na /* * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query * ID or TCP/UDP ports of the original packet, which is embedded. + * + * => Sets hasqid=true if the packet has a Query Id. In this case neither + *the nbuf nor npc is touched. */ static bool -npfa_icmp4_inspect(const int type, npf_cache_t *npc) +npfa_icmp4_inspect(const int type, npf_cache_t *npc, bool *hasqid) { nbuf_t *nbuf = npc->npc_nbuf; - u_int offby; /* Per RFC 792. */ switch (type) { @@ -148,12 +150,8 @@ npfa_icmp4_inspect(const int type, npf_c case ICMP_TSTAMPREPLY: case ICMP_IREQ: case ICMP_IREQREPLY: - /* Should contain ICMP query ID - ensure. */ - offby = offsetof(struct icmp, icmp_id); - if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) { - return false; - } - npc->npc_info |= NPC_ICMP_ID; + /* Contains ICMP query ID. */ + *hasqid = true; return true; default: break; @@ -162,10 +160,9 @@ npfa_icmp4_inspect(const int type, npf_c } static bool -npfa_icmp6_inspect(const int type, npf_cache_t *npc) +npfa_icmp6_inspect(const int type, npf_cache_t *npc, bool *hasqid) { nbuf_t *nbuf = npc->npc_nbuf; - u_int offby; /* Per RFC 4443. */ switch (type) { 
@@ -184,12 +181,8 @@ npfa_icmp6_inspect(const int type, npf_c case ICMP6_ECHO_REQUEST: case ICMP6_ECHO_REPLY: - /* Should contain ICMP query ID - ensure. */ - offby = offsetof(struct icmp6_hdr, icmp6_id); - if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) { - return false; - } - npc->npc_info |= NPC_ICMP_ID; + /* Contains ICMP query ID. */ + *hasqid = true; return true; default: break; @@ -200,13 +193,13 @@ npfa_icmp6_inspect(const int type, npf_c /* * npfa_icmp_inspect: ALG ICMP inspector. * - * => Returns true if "enpc" is filled. + * => Returns false if there is a problem with the format. */ static bool npfa_icmp_inspect(npf_cache_t *npc, npf_cache_t *enpc) { nbuf_t *nbuf = npc->npc_nbuf; - bool ret; + bool ret, hasqid = false; KASSERT(npf_iscached(npc, NPC_IP46)); KASSERT(npf_iscached(npc, NPC_ICMP)); @@ -225,10 +218,10 @@ npfa_icmp_inspect(npf_cache_t *npc, npf_ */ if (npf_iscached(npc, NPC_IP4)) {
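Review bot: in both the npfa_icmp4_inspect and npfa_icmp6_inspect hunks the removed `nbuf_advance(nbuf, offby, sizeof(uint16_t))` was the only visible use of the `nbuf` local; `offby` is dropped but `nbuf_t *nbuf = npc->npc_nbuf;` stays, so unless later lines of each function (not shown) still use it, this is now an unused variable that a -Werror kernel build will reject. The npfa_icmp_inspect hunk rewrites the contract comment from "Returns true if enpc is filled" to "Returns false if there is a problem with the format", so every caller that took a true return to mean enpc is valid must now consult the hasqid/NPC_ICMP_ID state instead; with the diff cut off after `if (npf_iscached(npc, NPC_IP4)) {` and the npf_inet.c hunks missing from this rendering, the caller side and the unconditional recache of npc described in the log cannot be checked here.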
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:	src
Committed By:	martin
Date:		Thu Apr 5 11:41:28 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-7]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows any incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being
processed has large extensions. As a result of an overflow, (mbuf +
npc_hlen) won't point at the real protocol header, but instead at some
garbage within the packet. That garbage is what NPF applies its rules
on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject
to an integer overflow, so it will actually parse the correct protocol
header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on
this correct header. So the offending packet was supposed to be kicked,
but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted
UDP header, sees , lets the packet in; later the kernel reads the real
UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
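The header-length arithmetic the log message describes, as an added illustration that is not NetBSD code: the extension-header chain is modelled as (next header, length field) pairs, `l4_offset_uint8` keeps the accumulator in a uint8_t as the old `npc_hlen` did and `l4_offset_uint32` in a uint32_t as after the fix. All names are this example's own, and the bounds check against the packet length in the second function is an assumption added here, not part of the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 fixed header length and the next-header values used below. */
#define IP6_HDRLEN       40
#define IPPROTO_UDP      17
#define IPPROTO_ROUTING  43
#define IPPROTO_FRAGMENT 44
#define IPPROTO_AH       51
#define IPPROTO_DSTOPTS  60

/* One extension header as seen on the wire: the protocol that follows it and
 * its length field (ip6e_len / ip6r_len; the unit depends on the type). */
struct ext_hdr {
	uint8_t nxt;
	uint8_t len_field;
};

/* Wire length in bytes of an extension header of type 'proto'; 0 means
 * 'proto' is not an extension header, so the L4 header starts here. */
static uint32_t
ext_hdr_bytes(uint8_t proto, uint8_t len_field)
{
	switch (proto) {
	case IPPROTO_ROUTING:
	case IPPROTO_DSTOPTS:
		return ((uint32_t)len_field + 1) << 3;	/* (len + 1) * 8 */
	case IPPROTO_FRAGMENT:
		return 8;
	case IPPROTO_AH:
		return ((uint32_t)len_field + 2) << 2;	/* (len + 2) * 4 */
	default:
		return 0;
	}
}

/* Chain walk with the accumulator declared uint8_t, the shape of the bug:
 * 40 + 256 (the routing header) wraps back to 40, so the returned offset
 * points into the routing header instead of past it. */
static uint32_t
l4_offset_uint8(uint8_t first_nxt, const struct ext_hdr *chain, size_t n)
{
	uint8_t hlen = IP6_HDRLEN;	/* the old npc_hlen type */
	uint8_t nxt = first_nxt;

	for (size_t i = 0; i < n; i++) {
		uint32_t bytes = ext_hdr_bytes(nxt, chain[i].len_field);
		if (bytes == 0)
			break;
		hlen = (uint8_t)(hlen + bytes);	/* truncated modulo 256 */
		nxt = chain[i].nxt;
	}
	return hlen;
}

/* Same walk with a uint32_t accumulator (the pulled-up fix) plus a check that
 * the chain stays inside 'pktlen'. The check is this example's addition, not
 * part of the commit; it is where the "goes beyond the mbuf" case the log
 * message leaves open would be caught. Returns -1 on overrun. */
static long
l4_offset_uint32(uint8_t first_nxt, const struct ext_hdr *chain, size_t n,
    uint32_t pktlen)
{
	uint32_t hlen = IP6_HDRLEN;
	uint8_t nxt = first_nxt;

	for (size_t i = 0; i < n; i++) {
		uint32_t bytes = ext_hdr_bytes(nxt, chain[i].len_field);
		if (bytes == 0)
			break;
		if (hlen > pktlen || bytes > pktlen - hlen)	/* ends past packet */
			return -1;
		hlen += bytes;
		nxt = chain[i].nxt;
	}
	return (long)hlen;
}

/* The layout from the log message, constructed here: routing header with
 * ip6r_len = 31 (256 bytes), destination options header with ip6e_len = 0
 * (8 bytes), then UDP. Packet length 312: the real UDP header at 304. */
static const struct ext_hdr example_chain[] = {
	{ IPPROTO_DSTOPTS, 31 },	/* routing header, next = dstopts */
	{ IPPROTO_UDP,      0 },	/* dstopts header, next = UDP */
};
#define EXAMPLE_FIRST_NXT IPPROTO_ROUTING
#define EXAMPLE_NHDRS     (sizeof(example_chain) / sizeof(example_chain[0]))
#define EXAMPLE_PKTLEN    312

int
main(void)
{
	printf("uint8_t npc_hlen -> L4 at %u, uint32_t npc_hlen -> L4 at %ld\n",
	    l4_offset_uint8(EXAMPLE_FIRST_NXT, example_chain, EXAMPLE_NHDRS),
	    l4_offset_uint32(EXAMPLE_FIRST_NXT, example_chain, EXAMPLE_NHDRS,
	    EXAMPLE_PKTLEN));
	return 0;
}
```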
Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.2.1 --- src/sys/net/npf/npf.h:1.47 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf.h Thu Apr 5 11:41:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.47.2.1 2018/04/05 11:41:28 martin Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -150,7 +150,7 @@ typedef struct { uint8_t npc_alen; /* IP header length and L4 protocol. */ - uint8_t npc_hlen; + uint32_t npc_hlen; uint16_t npc_proto; /* IPv4, IPv6. */
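Review bot: widening npc_hlen to uint32_t in the @@ -150,7 +150,7 @@ hunk removes the modulo-256 wrap, but nothing in this change bounds the accumulated length against the packet, and the log message itself leaves open that npc_hlen "may be incremented with a value that goes beyond the mbuf"; since npf_cache_ip is not part of this pull-up, that read-past-the-buffer case should be filed as a follow-up ticket rather than treated as closed. The type change also alters the layout of npf_cache_t (a uint32_t now sits between npc_alen and npc_proto), so the npf kernel module and the _NPF_TESTING harness must be rebuilt against the same header as the kernel.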
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Mon May 22 18:56:35 UTC 2017 Modified Files: src/sys/net/npf [netbsd-7]: npf_inet.c Log Message: Pull up missing part of rev 1.33, partly pulled up in ticket #1394: make DDB print ipv6 addresses too To generate a diff of this commit: cvs rdiff -u -r1.32.2.1 -r1.32.2.2 src/sys/net/npf/npf_inet.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_inet.c diff -u src/sys/net/npf/npf_inet.c:1.32.2.1 src/sys/net/npf/npf_inet.c:1.32.2.2 --- src/sys/net/npf/npf_inet.c:1.32.2.1 Fri May 12 05:32:12 2017 +++ src/sys/net/npf/npf_inet.c Mon May 22 18:56:35 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $ */ +/* $NetBSD: npf_inet.c,v 1.32.2.2 2017/05/22 18:56:35 martin Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32.2.2 2017/05/22 18:56:35 martin Exp $"); #include #include @@ -51,6 +51,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v #include #include +#include #include #include #include
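Review bot: the line added by the @@ -51,6 +51,7 @@ hunk is an include whose header name did not survive in this rendering, and the log message ("Pull up missing part of rev 1.33") does not name it either; state which header it is and why it is needed (the thread below shows the symptom: ip6_sprintf() implicitly declared in npf_addr_dump when DDB is on), so the pull-up is self-explanatory in the branch history. Because ticket #1394 deliberately wrapped the ip6_sprintf() call in #ifdef INET6, check that the new include is also safe, or guarded the same way, in an INET6-less kernel.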
Re: CVS commit: [netbsd-7] src/sys/net/npf
On Sun, 21 May 2017 08:08:34 +0900 (JST), Takahiro Kambe wrote:

> By comparing code with current, one line seems to be missing.
>
> Index: sys/net/npf/npf_inet.c
> ===
> RCS file: /cvsroot/src/sys/net/npf/npf_inet.c,v
> retrieving revision 1.32.2.1
> diff -u -r1.32.2.1 npf_inet.c
> --- sys/net/npf/npf_inet.c12 May 2017 05:32:12 - 1.32.2.1
> +++ sys/net/npf/npf_inet.c20 May 2017 23:06:17 -
> @@ -51,6 +51,7 @@
>
> #include
> #include
> +#include
> #include
> #include
> #include

Confirmed.

	hauke

--
Hauke Fath                                Ernst-Ludwig-Straße 15
                                          64625 Bensheim
                                          Germany
Re: CVS commit: [netbsd-7] src/sys/net/npf
In message on Wed, 17 May 2017 13:22:39 +0200, Hauke Fath wrote:

> [properly re-sent to source-changes-d -- it was cribbed from the web
> list archive]
>
>
> The pull-up
>
>> Pull up following revision(s) (requested by jnemeth in ticket #1394):
>> 	sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
>> 	sys/net/npf/npf_mbuf.c: revision 1.16
>> 	sys/net/npf/npf_nat.c: revision 1.40
>> minimal changes necessary to link into an INET6-less kernel.
>> --
>> fixup misplaced #endif
>
> leads to
>
> [...]
> --- npf_nat.o ---
> /u/netbsd-builds/7/amd64/tools/bin/x86_64--netbsd-gcc -mcmodel=kernel
> -mno-red-zone -mno-mmx -mno-sse -mno-avx -msoft-float -ffreestanding
> -fno-zero-initialized-in-bss -O2 -fno-omit-frame-pointer
> -fstack-protector -Wstack-protector --param ssp-buffer-size=1
> -fno-strict-aliasing -fno-common -std=gnu99 -Werror -Wall -Wno-main
> -Wno-format-zero-length -Wpointer-arith -Wmissing-prototypes
> -Wstrict-prototypes -Wold-style-definition -Wswitch -Wshadow
> -Wcast-qual -Wwrite-strings -Wno-unreachable-code -Wno-pointer-sign
> -Wno-attributes -Wextra -Wno-unused-parameter -Wold-style-definition
> -Wno-sign-compare --sysroot=/u/netbsd-builds/7/amd64/destdir -Damd64
> -Dx86_64 -I. -I/public/netbsd-7/sys/../common/include
> -I/public/netbsd-7/sys/arch -I/public/netbsd-7/sys -nostdinc
> -DCHILD_MAX=1024 -DOPEN_MAX=1024 -DIPSEC_ESP -DIPSEC_NAT_T
> -DMAXUSERS=64 -D_KERNEL -D_KERNEL_OPT -std=gnu99
> -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/quad
> -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/string
> -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/arch/x86_64/string
> -D_FORTIFY_SOURCE=2 -I/public/netbsd-7/sys/../common/include
> -I/public/netbsd-7/sys/external/bsd/acpica/dist/include -c
> /public/netbsd-7/sys/net/npf/npf_nat.c
> --- npf_inet.o ---
> /public/netbsd-7/sys/net/npf/npf_inet.c: In function 'npf_addr_dump':
> /public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: implicit
> declaration of function 'ip6_sprintf'
> [-Werror=implicit-function-declaration]
>   return ip6_sprintf(addr);
>   ^
> /public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: return makes
> pointer from integer without a cast [-Werror]
> cc1: all warnings being treated as errors
> *** [npf_inet.o] Error code 1

By comparing code with current, one line seems to be missing.

Index: sys/net/npf/npf_inet.c
===
RCS file: /cvsroot/src/sys/net/npf/npf_inet.c,v
retrieving revision 1.32.2.1
diff -u -r1.32.2.1 npf_inet.c
--- sys/net/npf/npf_inet.c 12 May 2017 05:32:12 - 1.32.2.1
+++ sys/net/npf/npf_inet.c 20 May 2017 23:06:17 -
@@ -51,6 +51,7 @@
 
 #include
 #include
+#include
 #include
 #include
 #include

--
Takahiro Kambe
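Review bot: the proposed hunk at @@ -51,6 +51,7 @@ adds a single include (its header name is lost in this rendering) and is the right shape for the error quoted above, an implicit declaration of ip6_sprintf() at npf_inet.c:759 that -Werror turns fatal; before it is committed, verify the same file still compiles with INET6 left out of the kernel config, since that is the configuration ticket #1394 set out to support and the ip6_sprintf() call itself sits under #ifdef INET6.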
Re: CVS commit: [netbsd-7] src/sys/net/npf
[properly re-sent to source-changes-d -- it was cribbed from the web
list archive]

The pull-up

> Pull up following revision(s) (requested by jnemeth in ticket #1394):
> 	sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
> 	sys/net/npf/npf_mbuf.c: revision 1.16
> 	sys/net/npf/npf_nat.c: revision 1.40
> minimal changes necessary to link into an INET6-less kernel.
> --
> fixup misplaced #endif

leads to

[...]
--- npf_nat.o ---
/u/netbsd-builds/7/amd64/tools/bin/x86_64--netbsd-gcc -mcmodel=kernel -mno-red-zone -mno-mmx -mno-sse -mno-avx -msoft-float -ffreestanding -fno-zero-initialized-in-bss -O2 -fno-omit-frame-pointer -fstack-protector -Wstack-protector --param ssp-buffer-size=1 -fno-strict-aliasing -fno-common -std=gnu99 -Werror -Wall -Wno-main -Wno-format-zero-length -Wpointer-arith -Wmissing-prototypes -Wstrict-prototypes -Wold-style-definition -Wswitch -Wshadow -Wcast-qual -Wwrite-strings -Wno-unreachable-code -Wno-pointer-sign -Wno-attributes -Wextra -Wno-unused-parameter -Wold-style-definition -Wno-sign-compare --sysroot=/u/netbsd-builds/7/amd64/destdir -Damd64 -Dx86_64 -I. -I/public/netbsd-7/sys/../common/include -I/public/netbsd-7/sys/arch -I/public/netbsd-7/sys -nostdinc -DCHILD_MAX=1024 -DOPEN_MAX=1024 -DIPSEC_ESP -DIPSEC_NAT_T -DMAXUSERS=64 -D_KERNEL -D_KERNEL_OPT -std=gnu99 -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/quad -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/string -I/public/netbsd-7/sys/lib/libkern/../../../common/lib/libc/arch/x86_64/string -D_FORTIFY_SOURCE=2 -I/public/netbsd-7/sys/../common/include -I/public/netbsd-7/sys/external/bsd/acpica/dist/include -c /public/netbsd-7/sys/net/npf/npf_nat.c
--- npf_inet.o ---
/public/netbsd-7/sys/net/npf/npf_inet.c: In function 'npf_addr_dump':
/public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: implicit declaration of function 'ip6_sprintf' [-Werror=implicit-function-declaration]
  return ip6_sprintf(addr);
  ^
/public/netbsd-7/sys/net/npf/npf_inet.c:759:2: error: return makes pointer from integer without a cast [-Werror]
cc1: all warnings being treated as errors
*** [npf_inet.o] Error code 1

which, I guess, didn't show up in a build because we do not have a
(standard) kernel config file that includes npf(4).

Any reason why -current should not default GENERIC to npf?

Cheerio,
hauke
--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email             Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards               Ruf +49-6151-16-21344
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: snj Date: Fri May 12 05:32:12 UTC 2017 Modified Files: src/sys/net/npf [netbsd-7]: npf_inet.c npf_mbuf.c npf_nat.c Log Message: Pull up following revision(s) (requested by jnemeth in ticket #1394): sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch sys/net/npf/npf_mbuf.c: revision 1.16 sys/net/npf/npf_nat.c: revision 1.40 minimal changes necessary to link into an INET6-less kernel. -- fixup misplaced #endif To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.32.2.1 src/sys/net/npf/npf_inet.c cvs rdiff -u -r1.13.2.2 -r1.13.2.3 src/sys/net/npf/npf_mbuf.c cvs rdiff -u -r1.32.2.5 -r1.32.2.6 src/sys/net/npf/npf_nat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_inet.c diff -u src/sys/net/npf/npf_inet.c:1.32 src/sys/net/npf/npf_inet.c:1.32.2.1 --- src/sys/net/npf/npf_inet.c:1.32 Sun Jul 20 00:37:41 2014 +++ src/sys/net/npf/npf_inet.c Fri May 12 05:32:12 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_inet.c,v 1.32 2014/07/20 00:37:41 rmind Exp $ */ +/* $NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32 2014/07/20 00:37:41 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.32.2.1 2017/05/12 05:32:12 snj Exp $"); #include #include @@ -654,7 +654,9 @@ npf_napt_rwr(const npf_cache_t *npc, u_i } break; case IPPROTO_ICMP: +#ifdef INET6 case IPPROTO_ICMPV6: +#endif KASSERT(npf_iscached(npc, NPC_ICMP)); /* Nothing. */ break; @@ -668,6 +670,7 @@ npf_napt_rwr(const npf_cache_t *npc, u_i * IPv6-to-IPv6 Network Prefix Translation (NPTv6), as per RFC 6296. */ +#ifdef INET6 int npf_npt66_rwr(const npf_cache_t *npc, u_int which, const npf_addr_t *pref, npf_netmask_t len, uint16_t adj) 
@@ -736,18 +739,25 @@ npf_npt66_rwr(const npf_cache_t *npc, u_ addr->s6_addr16[word] = sum; return 0; } +#endif #if defined(DDB) || defined(_NPF_TESTING) const char * npf_addr_dump(const npf_addr_t *addr, int alen) { +#ifdef INET6 if (alen == sizeof(struct in_addr)) { +#else + KASSERT(alen == sizeof(struct in_addr)); +#endif struct in_addr ip; memcpy(, addr, alen); return inet_ntoa(ip); +#ifdef INET6 } - return "[IPv6]"; // XXX + return ip6_sprintf(addr); +#endif } #endif Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.13.2.2 src/sys/net/npf/npf_mbuf.c:1.13.2.3 --- src/sys/net/npf/npf_mbuf.c:1.13.2.2 Tue Jan 26 01:27:21 2016 +++ src/sys/net/npf/npf_mbuf.c Fri May 12 05:32:12 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $ */ +/* $NetBSD: npf_mbuf.c,v 1.13.2.3 2017/05/12 05:32:12 snj Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.3 2017/05/12 05:32:12 snj Exp $"); #include #include @@ -258,11 +258,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di) m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4 | M_CSUM_UDPv4); return true; } +#ifdef INET6 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv6 | M_CSUM_UDPv6)) { in6_delayed_cksum(m); m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv6 | M_CSUM_UDPv6); return true; } +#endif return false; } Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.32.2.5 src/sys/net/npf/npf_nat.c:1.32.2.6 --- src/sys/net/npf/npf_nat.c:1.32.2.5 Sun Jan 4 11:37:38 2015 +++ src/sys/net/npf/npf_nat.c Fri May 12 05:32:12 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $ */ +/* $NetBSD: npf_nat.c,v 1.32.2.6 2017/05/12 05:32:12 snj Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius 
@@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32.2.6 2017/05/12 05:32:12 snj Exp $"); #include #include @@ -657,10 +657,12 @@ npf_nat_algo(npf_cache_t *npc, const npf int error; switch (np->n_algo) { +#ifdef INET6 case NPF_ALGO_NPT66: error = npf_npt66_rwr(npc, which, >n_taddr, np->n_tmask, np->n_npt66_adj); break; +#endif default: error = npf_napt_rwr(npc, which, >n_taddr, np->n_tport); break;
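Review bot: in the npf_inet.c npf_addr_dump hunk, the new `return ip6_sprintf(addr);` in the INET6 branch comes with no include added anywhere in this diff (the @@ -39,7 +39,7 @@ hunk leaves the include list unchanged), so the function depends on the declaration arriving through some other header; make it explicit, and the #ifdef that opens an `if (...) {` in one branch and a KASSERT in the other is hard to follow, two separate bodies under one #ifdef/#else would be clearer. In the npf_nat.c npf_nat_algo hunk, hiding `case NPF_ALGO_NPT66:` under !INET6 means a rule configured with that algorithm falls into `default:` and is rewritten by npf_napt_rwr() as if it were NAPT; a kernel without INET6 should refuse such a rule at load time or return an error here, not silently change its meaning. The npf_mbuf.c hunk is straightforward; `memcpy(, addr, alen)` in the npf_inet.c hunk is a rendering artefact (the `&ip` argument was dropped in extraction), not a change in the patch.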
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: snj Date: Tue Dec 27 07:03:53 UTC 2016 Modified Files: src/sys/net/npf [netbsd-7]: lpm.c Log Message: Pull up following revision(s) (requested by rmind in ticket #1340): sys/net/npf/lpm.c: revision 1.3 Fix kmem_free() in hashmap_remove(). To generate a diff of this commit: cvs rdiff -u -r1.1.2.3 -r1.1.2.4 src/sys/net/npf/lpm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/lpm.c diff -u src/sys/net/npf/lpm.c:1.1.2.3 src/sys/net/npf/lpm.c:1.1.2.4 --- src/sys/net/npf/lpm.c:1.1.2.3 Mon Dec 26 18:55:08 2016 +++ src/sys/net/npf/lpm.c Tue Dec 27 07:03:52 2016 @@ -31,7 +31,7 @@ #if defined(_KERNEL) #include -__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.3 2016/12/26 18:55:08 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.4 2016/12/27 07:03:52 snj Exp $"); #include #include @@ -245,7 +245,7 @@ hashmap_remove(lpm_hmap_t *hmap, const v } else { hmap->bucket[i] = entry->next; } - free(entry, M_TEMP); + kmem_free(entry, offsetof(lpm_ent_t, key[len])); return 0; } prev = entry;
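Review bot: the hashmap_remove hunk replaces `free(entry, M_TEMP)` with `kmem_free(entry, offsetof(lpm_ent_t, key[len]))`, which fixes two things at once: the entry was being returned to the malloc(9) pool although it comes from kmem(9), and kmem_free(9) needs the exact size used at allocation. The allocation site is not in this diff, so confirm that it sizes the entry with the same `offsetof(lpm_ent_t, key[len])` expression and the same `len` (the key length), and consider a small helper or macro shared by both sides so the two cannot drift apart again.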
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: snj Date: Mon Dec 26 18:55:08 UTC 2016 Modified Files: src/sys/net/npf [netbsd-7]: lpm.c Log Message: Pull up following revision(s) (requested by rmind in ticket #1339): sys/net/npf/lpm.c: revision 1.2 Fix kmem_free() sizes in hashmap_rehash() and lpm_clear(). To generate a diff of this commit: cvs rdiff -u -r1.1.2.2 -r1.1.2.3 src/sys/net/npf/lpm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/lpm.c diff -u src/sys/net/npf/lpm.c:1.1.2.2 src/sys/net/npf/lpm.c:1.1.2.3 --- src/sys/net/npf/lpm.c:1.1.2.2 Sun Dec 18 07:40:50 2016 +++ src/sys/net/npf/lpm.c Mon Dec 26 18:55:08 2016 @@ -31,7 +31,7 @@ #if defined(_KERNEL) #include -__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.2 2016/12/18 07:40:50 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: lpm.c,v 1.1.2.3 2016/12/26 18:55:08 snj Exp $"); #include #include @@ -117,7 +117,7 @@ lpm_clear(lpm_t *lpm, lpm_dtor_t dtor, v entry = next; } } - kmem_free(hmap->bucket, hmap->hashsize); + kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *)); hmap->bucket = NULL; hmap->hashsize = 0; hmap->nitems = 0; @@ -158,7 +158,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_ for (hashsize = 1; hashsize < size; hashsize <<= 1) { continue; } - bucket = kmem_zalloc(hashsize * sizeof(*bucket), KM_SLEEP); + bucket = kmem_zalloc(hashsize * sizeof(lpm_ent_t *), KM_SLEEP); if (bucket == NULL) return false; for (unsigned n = 0; n < hmap->hashsize; n++) { @@ -175,7 +175,7 @@ hashmap_rehash(lpm_hmap_t *hmap, uint32_ } } if (hmap->bucket) - kmem_free(hmap->bucket, hmap->hashsize); + kmem_free(hmap->bucket, hmap->hashsize * sizeof(lpm_ent_t *)); hmap->bucket = bucket; hmap->hashsize = hashsize; return true;
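Review bot: the lpm_clear and hashmap_rehash hunks correct the size passed to kmem_free() to `hmap->hashsize * sizeof(lpm_ent_t *)`, the size the bucket array was allocated with; kmem_free(9) called with a smaller size than the allocation corrupts the allocator's accounting, so this is a real fix and not cosmetic. The change of `kmem_zalloc(hashsize * sizeof(*bucket), ...)` to `sizeof(lpm_ent_t *)` is an equivalent expression; spelling it the same way at all three sites is fine, but one helper such as a `bucket_bytes(hashsize)` function (a suggestion) would make a mismatch impossible. With KM_SLEEP the following `if (bucket == NULL) return false;` cannot trigger, as kmem(9) sleeps rather than failing, so it can be dropped.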
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: riz Date: Tue Jan 26 01:27:21 UTC 2016 Modified Files: src/sys/net/npf [netbsd-7]: npf_mbuf.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1065): sys/net/npf/npf_mbuf.c: revision 1.15 handle delayed cksums also for ipv6 To generate a diff of this commit: cvs rdiff -u -r1.13.2.1 -r1.13.2.2 src/sys/net/npf/npf_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.13.2.1 src/sys/net/npf/npf_mbuf.c:1.13.2.2 --- src/sys/net/npf/npf_mbuf.c:1.13.2.1 Fri Jul 17 04:37:22 2015 +++ src/sys/net/npf/npf_mbuf.c Tue Jan 26 01:27:21 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_mbuf.c,v 1.13.2.1 2015/07/17 04:37:22 snj Exp $ */ +/* $NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.1 2015/07/17 04:37:22 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.13.2.2 2016/01/26 01:27:21 riz Exp $"); #include #include @@ -258,6 +258,11 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di) m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4 | M_CSUM_UDPv4); return true; } + if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv6 | M_CSUM_UDPv6)) { + in6_delayed_cksum(m); + m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv6 | M_CSUM_UDPv6); + return true; + } return false; }
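Review bot: the new `in6_delayed_cksum(m)` branch in the nbuf_cksum_barrier hunk is unconditional, so a kernel built without INET6 has no in6_delayed_cksum() to link against; wrap the block in #ifdef INET6, which is exactly what the ticket #1394 pull-up later on this page has to do.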
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: snj Date: Sun Mar 15 22:41:24 UTC 2015 Modified Files: src/sys/net/npf [netbsd-7]: npf_conn.c Log Message: Pull up following revision(s) (requested by rmind in ticket #586): sys/net/npf/npf_conn.c: revision 1.16 npf_conn_establish: fix the previous change - drop the reference on error. To generate a diff of this commit: cvs rdiff -u -r1.10.2.4 -r1.10.2.5 src/sys/net/npf/npf_conn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.10.2.4 src/sys/net/npf/npf_conn.c:1.10.2.5 --- src/sys/net/npf/npf_conn.c:1.10.2.4 Wed Feb 4 07:13:04 2015 +++ src/sys/net/npf/npf_conn.c Sun Mar 15 22:41:24 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.10.2.4 2015/02/04 07:13:04 snj Exp $ */ +/* $NetBSD: npf_conn.c,v 1.10.2.5 2015/03/15 22:41:24 snj Exp $ */ /*- * Copyright (c) 2014-2015 Mindaugas Rasiukevicius rmind at netbsd org @@ -99,7 +99,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.4 2015/02/04 07:13:04 snj Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.5 2015/03/15 22:41:24 snj Exp $); #include sys/param.h #include sys/types.h @@ -528,8 +528,8 @@ err: * here since there might be references acquired already. */ if (error) { - const u_int dflags = CONN_REMOVED | CONN_EXPIRE; - atomic_or_uint(con-c_flags, dflags); + atomic_or_uint(con-c_flags, CONN_REMOVED | CONN_EXPIRE); + atomic_dec_uint(con-c_refcnt); npf_stats_inc(NPF_STAT_RACE_CONN); } else { NPF_PRINTF((NPF: establish conn %p\n, con)); @@ -569,6 +569,8 @@ npf_conn_destroy(npf_conn_t *con) /* * npf_conn_setnat: associate NAT entry with the connection, update and * re-insert connection entry using the translation values. + * + * = The caller must be holding a reference. */ int npf_conn_setnat(const npf_cache_t *npc, npf_conn_t *con,
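Review bot: in the err: hunk of npf_conn_establish the added atomic_dec_uint() on c_refcnt drops the reference that the previous revision leaked on error, but the surrounding comment ("there might be references acquired already") leaves open whether this can be the last reference; if it can, con must not be touched after the decrement, and the following npf_stats_inc() is safe only because it does not dereference con. Suggest a comment stating that the object is handed to the GC (CONN_REMOVED | CONN_EXPIRE are set first) and that this drop is never the final one, or a KASSERT that makes that explicit.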
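Review bot: the comment added above npf_conn_setnat() ("the caller must be holding a reference") is documentation only; enforce it with a KASSERT on c_refcnt being non-zero at the top of the function, the way npf_conn_getnat() does, so a violation trips in a DIAGNOSTIC kernel instead of silently racing with npf_conn_destroy().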
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Sun Jan 4 11:37:38 UTC 2015 Modified Files: src/sys/net/npf [netbsd-7]: npf_nat.c Log Message: Pull up following revision(s) (requested by rmind in ticket #374): sys/net/npf/npf_nat.c: revision 1.39 Don't forget to destroy the mutex before freeing the nat struct on a failed load. To generate a diff of this commit: cvs rdiff -u -r1.32.2.4 -r1.32.2.5 src/sys/net/npf/npf_nat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.32.2.4 src/sys/net/npf/npf_nat.c:1.32.2.5 --- src/sys/net/npf/npf_nat.c:1.32.2.4 Mon Dec 22 02:10:30 2014 +++ src/sys/net/npf/npf_nat.c Sun Jan 4 11:37:38 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $ */ +/* $NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org @@ -71,7 +71,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.5 2015/01/04 11:37:38 martin Exp $); #include sys/param.h #include sys/types.h @@ -256,6 +256,7 @@ npf_nat_newpolicy(prop_dictionary_t natd } return np; err: + mutex_destroy(np-n_lock); kmem_free(np, sizeof(npf_natpolicy_t)); return NULL; }
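Review bot: in the err: hunk of npf_nat_newpolicy the mutex_destroy() on n_lock now runs on every goto err, so every jump to err must happen after mutex_init(); if any validation failure can bail out before the mutex is initialised, this turns a leak into a mutex_destroy() on uninitialised memory, which LOCKDEBUG catches and a release kernel does not. Confirm that mutex_init() is the first thing done after kmem_zalloc(), or give the early failures a separate label that only frees np.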
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: msaitoh Date: Mon Dec 22 02:10:30 UTC 2014 Modified Files: src/sys/net/npf [netbsd-7]: npf_conn.c npf_conn.h npf_nat.c Log Message: Pull up following revision(s) (requested by rmind in ticket #347): sys/net/npf/npf_nat.c: revision 1.38 sys/net/npf/npf_conn.h: revision 1.8 sys/net/npf/npf_conn.c: revision 1.14 NPF: set the connection flags atomically in the post-creation logic and fix a tiny race condition window. Might fix PR/49488. To generate a diff of this commit: cvs rdiff -u -r1.10.2.2 -r1.10.2.3 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.6.2.1 -r1.6.2.2 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.32.2.3 -r1.32.2.4 src/sys/net/npf/npf_nat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.10.2.2 src/sys/net/npf/npf_conn.c:1.10.2.3 --- src/sys/net/npf/npf_conn.c:1.10.2.2 Mon Dec 1 13:05:26 2014 +++ src/sys/net/npf/npf_conn.c Mon Dec 22 02:10:30 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $ */ +/* $NetBSD: npf_conn.c,v 1.10.2.3 2014/12/22 02:10:30 msaitoh Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org @@ -99,7 +99,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.3 2014/12/22 02:10:30 msaitoh Exp $); #include sys/param.h #include sys/types.h @@ -660,7 +660,7 @@ npf_conn_setpass(npf_conn_t *con, npf_rp * If rproc is set, the caller transfers its reference to us, * which will be released on npf_conn_destroy(). */ - con-c_flags |= CONN_PASS; + atomic_or_uint(con-c_flags, CONN_PASS); con-c_rproc = rp; } 
@@ -673,7 +673,7 @@ npf_conn_release(npf_conn_t *con) { if ((con-c_flags (CONN_ACTIVE | CONN_EXPIRE)) == 0) { /* Activate: after this, connection is globally visible. */ - con-c_flags |= CONN_ACTIVE; + atomic_or_uint(con-c_flags, CONN_ACTIVE); } KASSERT(con-c_refcnt 0); atomic_dec_uint(con-c_refcnt); Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.6.2.1 src/sys/net/npf/npf_conn.h:1.6.2.2 --- src/sys/net/npf/npf_conn.h:1.6.2.1 Mon Dec 1 13:05:26 2014 +++ src/sys/net/npf/npf_conn.h Mon Dec 22 02:10:30 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.6.2.1 2014/12/01 13:05:26 martin Exp $ */ +/* $NetBSD: npf_conn.h,v 1.6.2.2 2014/12/22 02:10:30 msaitoh Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -47,7 +47,7 @@ typedef struct npf_connkey npf_connkey_t #include sys/rbtree.h /* - * See npf_conn_key() function for the description key layout. + * See npf_conn_conkey() function for the key layout description. */ #define NPF_CONN_NKEYWORDS (2 + ((sizeof(npf_addr_t) * 2) 2)) #define NPF_CONN_MAXKEYLEN (NPF_CONN_NKEYWORDS * sizeof(uint32_t)) Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.32.2.3 src/sys/net/npf/npf_nat.c:1.32.2.4 --- src/sys/net/npf/npf_nat.c:1.32.2.3 Mon Dec 1 13:05:26 2014 +++ src/sys/net/npf/npf_nat.c Mon Dec 22 02:10:30 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.32.2.3 2014/12/01 13:05:26 martin Exp $ */ +/* $NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org @@ -71,7 +71,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.3 2014/12/01 13:05:26 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.4 2014/12/22 02:10:30 msaitoh Exp $); #include sys/param.h #include sys/types.h 
@@ -914,8 +914,8 @@ npf_nat_dump(const npf_nat_t *nt) np = nt-nt_natpolicy; memcpy(ip, np-n_taddr, sizeof(ip)); - printf(\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n, - np, np-n_type, np-n_flags, inet_ntoa(ip), np-n_tport); + printf(\tNATP(%p): type %d flags 0x%x taddr %s tport %d\n, np, + np-n_type, np-n_flags, inet_ntoa(ip), ntohs(np-n_tport)); memcpy(ip, nt-nt_oaddr, sizeof(ip)); printf(\tNAT: original address %s oport %d tport %d\n, inet_ntoa(ip), ntohs(nt-nt_oport), ntohs(nt-nt_tport));
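Review bot: in the npf_conn_setpass hunk the flag update becomes atomic_or_uint(), but the store to c_rproc on the next line stays a plain write with no ordering relative to the flag; a reader that tests CONN_PASS and then dereferences c_rproc without a lock can observe the flag before the pointer. Either store c_rproc first with a membar_producer() before the atomic_or_uint(), or state in the comment which lock or reference makes the pair safe.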
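Review bot: in the npf_conn_release hunk the read of c_flags that tests CONN_ACTIVE | CONN_EXPIRE and the atomic_or_uint(CONN_ACTIVE) remain two separate operations, so a concurrent CONN_EXPIRE set between them yields ACTIVE | EXPIRE; the atomic OR stops lost flag updates (the race the log message targets) but not this interleaving. If that combined state is benign for the GC, a one-line comment saying so saves the next reader the analysis; otherwise an atomic_cas_uint() loop is needed.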
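Review bot: in the npf_nat_dump hunk ntohs() is now applied to n_tport, consistent with the oport/tport line below it; note that the taddr printout still memcpy()s n_taddr into the IPv4 struct passed to inet_ntoa(), so for an IPv6 translation address only the first four bytes are printed. Acceptable for a debug printf, but worth a comment so nobody relies on the output for v6 policies.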
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Mon Dec 1 09:02:26 UTC 2014 Modified Files: src/sys/net/npf [netbsd-7]: npf_nat.c npf_ruleset.c Log Message: Pull up following revision(s) (requested by rmind in ticket #274): sys/net/npf/npf_nat.c: revision 1.35 sys/net/npf/npf_ruleset.c: revision 1.38 NPF: fix the reference counting and share the active NAT portmap correctly when performing the reload. Should fixes PR/49412, reported by kardel@. To generate a diff of this commit: cvs rdiff -u -r1.32.2.1 -r1.32.2.2 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.37 -r1.37.2.1 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.32.2.1 src/sys/net/npf/npf_nat.c:1.32.2.2 --- src/sys/net/npf/npf_nat.c:1.32.2.1 Fri Aug 29 11:14:14 2014 +++ src/sys/net/npf/npf_nat.c Mon Dec 1 09:02:26 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $ */ +/* $NetBSD: npf_nat.c,v 1.32.2.2 2014/12/01 09:02:26 martin Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org @@ -71,7 +71,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.32.2.2 2014/12/01 09:02:26 martin Exp $); #include sys/param.h #include sys/types.h @@ -313,9 +313,10 @@ npf_nat_freepolicy(npf_natpolicy_t *np) kpause(npfgcnat, false, 1, NULL); } KASSERT(LIST_EMPTY(np-n_nat_list)); + KASSERT(pm == NULL || pm-p_refcnt 0); /* Destroy the port map, on last reference. */ - if (pm --pm-p_refcnt == 0) { + if (pm atomic_dec_uint_nv(pm-p_refcnt) == 0) { KASSERT((np-n_flags NPF_NAT_PORTMAP) != 0); kmem_free(pm, PORTMAP_MEM_SIZE); } 
@@ -373,17 +374,21 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf if (memcmp(np-n_taddr, mnp-n_taddr, np-n_alen) != 0) { return false; } - /* If NAT policy has an old port map - drop the reference. */ mpm = mnp-n_portmap; - if (mpm) { - /* Note: at this point we cannot hold a last reference. */ - KASSERT(mpm-p_refcnt 1); - mpm-p_refcnt--; + KASSERT(mpm == NULL || mpm-p_refcnt 0); + + /* + * If NAT policy has an old port map - drop the reference + * and destroy the port map if it was the last. + */ + if (mpm atomic_dec_uint_nv(mpm-p_refcnt) == 0) { + kmem_free(mpm, PORTMAP_MEM_SIZE); } + /* Share the port map. */ pm = np-n_portmap; + atomic_inc_uint(pm-p_refcnt); mnp-n_portmap = pm; - pm-p_refcnt++; return true; } Index: src/sys/net/npf/npf_ruleset.c diff -u src/sys/net/npf/npf_ruleset.c:1.37 src/sys/net/npf/npf_ruleset.c:1.37.2.1 --- src/sys/net/npf/npf_ruleset.c:1.37 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_ruleset.c Mon Dec 1 09:02:26 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_ruleset.c,v 1.37.2.1 2014/12/01 09:02:26 martin Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_ruleset.c,v 1.37.2.1 2014/12/01 09:02:26 martin Exp $); #include sys/param.h #include sys/types.h 
@@ -421,22 +421,6 @@ npf_ruleset_gc(npf_ruleset_t *rlset) } /* - * npf_ruleset_cmpnat: find a matching NAT policy in the ruleset. - */ -static inline npf_rule_t * -npf_ruleset_cmpnat(npf_ruleset_t *rlset, npf_natpolicy_t *mnp) -{ - npf_rule_t *rl; - - /* Find a matching NAT policy in the old ruleset. */ - LIST_FOREACH(rl, rlset-rs_all, r_aentry) { - if (rl-r_natp npf_nat_cmppolicy(rl-r_natp, mnp)) - break; - } - return rl; -} - -/* * npf_ruleset_reload: prepare the new ruleset by scanning the active * ruleset and 1) sharing the dynamic rules 2) sharing NAT policies. * @@ -492,18 +476,30 @@ npf_ruleset_reload(npf_ruleset_t *newset continue; } + /* + * First, try to share the active port map. If this + * policy will be unused, npf_nat_freepolicy() will + * drop the reference. + */ + npf_ruleset_sharepm(oldset, np); + /* Does it match with any policy in the active ruleset? */ - if ((actrl = npf_ruleset_cmpnat(oldset, np)) == NULL) { + LIST_FOREACH(actrl, oldset-rs_all, r_aentry) { + if (!actrl-r_natp) +continue; + if ((actrl-r_attr NPF_RULE_KEEPNAT) != 0) +continue; + if (npf_nat_cmppolicy(actrl-r_natp, np)) +break; + } + if (!actrl) { + /* No: just set the ID and continue. */ npf_nat_setid(np, ++nid); continue; } - /* - * Inherit the matching NAT policy and check other ones - * in the new ruleset for sharing the portmap. - */ + /* Yes: inherit the matching NAT policy. */ rl-r_natp = actrl-r_natp; - npf_ruleset_sharepm(newset, rl-r_natp); npf_nat_setid(rl-r_natp, ++nid); /* @@ -525,13 +521,8 @@
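Review bot: in the npf_nat_freepolicy hunk the reference drop becomes atomic_dec_uint_nv() and a KASSERT on p_refcnt is added, both good, but every remaining p_refcnt site must match: this diff converts two decrements and one increment, so check that the initial reference taken when the port map is allocated and any other ++/-- on p_refcnt are atomic as well. A single plain read-modify-write on the same field re-opens the race this change fixes.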
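Review bot: in the npf_nat_sharepm hunk the old map mpm is dropped (and freed if that was the last reference) before the new reference on pm is taken, which is only safe while mpm != pm; if a policy can already share the target map, the decrement could free the map about to be assigned to n_portmap. Add a KASSERT that mpm differs from pm, or an early return for the already-shared case, and have the new comment say why the old assertion that this cannot be the last reference no longer holds.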
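Review bot: in the npf_ruleset_reload hunk the inlined search for a matching active NAT policy adds a condition the removed npf_ruleset_cmpnat() never had, skipping rules with NPF_RULE_KEEPNAT; that is a behaviour change beyond the refcount and portmap fix described in the log message and deserves a sentence in the comment explaining why a KEEPNAT rule's policy must not be inherited. Also, npf_ruleset_sharepm() now runs against oldset before the match instead of against newset after it, so the comment above the call should state which ruleset the port map is taken from.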
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Mon Dec 1 13:05:26 UTC 2014 Modified Files: src/sys/net/npf [netbsd-7]: npf_conf.c npf_conn.c npf_conn.h npf_impl.h npf_nat.c npf_ruleset.c Log Message: Pull up following revision(s) (requested by rmind in ticket #280): sys/net/npf/npf_ruleset.c: revision 1.40 sys/net/npf/npf_nat.c: revision 1.36 sys/net/npf/npf_nat.c: revision 1.37 sys/net/npf/npf_conn.h: revision 1.7 sys/net/npf/npf_conf.c: revision 1.9 sys/net/npf/npf_ruleset.c: revision 1.39 sys/net/npf/npf_conn.c: revision 1.13 sys/net/npf/npf_impl.h: revision 1.60 NPF: - npf_nat_import: take the port only if using the portmap. - Sprinkle some comments and asserts. - npf_config_load: if loading the connections, do not perform any actice NAT policy take over or or portmap sharing - just replace them all. - npf_config_fini: flush with the empty connection database. - npf_nat_import: fix the stat counter. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.8.2.1 src/sys/net/npf/npf_conf.c cvs rdiff -u -r1.10.2.1 -r1.10.2.2 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.6 -r1.6.2.1 src/sys/net/npf/npf_conn.h cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.32.2.2 -r1.32.2.3 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.37.2.1 -r1.37.2.2 src/sys/net/npf/npf_ruleset.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/npf/npf_conf.c diff -u src/sys/net/npf/npf_conf.c:1.8 src/sys/net/npf/npf_conf.c:1.8.2.1 --- src/sys/net/npf/npf_conf.c:1.8 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_conf.c Mon Dec 1 13:05:26 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_conf.c,v 1.8.2.1 2014/12/01 13:05:26 martin Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. 
@@ -48,7 +48,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_conf.c,v 1.8.2.1 2014/12/01 13:05:26 martin Exp $); #include sys/param.h #include sys/types.h @@ -105,11 +105,13 @@ npf_config_destroy(npf_config_t *nc) void npf_config_fini(void) { + npf_conndb_t *cd = npf_conndb_create(); + /* Flush the connections. */ mutex_enter(npf_config_lock); npf_conn_tracking(false); pserialize_perform(npf_config_psz); - npf_conn_load(NULL, false); + npf_conn_load(cd, false); npf_ifmap_flush(); mutex_exit(npf_config_lock); @@ -127,6 +129,7 @@ npf_config_load(npf_ruleset_t *rset, npf npf_ruleset_t *nset, npf_rprocset_t *rpset, npf_conndb_t *conns, bool flush) { + const bool load = conns != NULL; npf_config_t *nc, *onc; nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP); @@ -143,9 +146,9 @@ npf_config_load(npf_ruleset_t *rset, npf */ mutex_enter(npf_config_lock); if ((onc = npf_config) != NULL) { - npf_ruleset_reload(rset, onc-n_rules); + npf_ruleset_reload(rset, onc-n_rules, load); npf_tableset_reload(tset, onc-n_tables); - npf_ruleset_reload(nset, onc-n_nat_rules); + npf_ruleset_reload(nset, onc-n_nat_rules, load); } /* Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.10.2.1 src/sys/net/npf/npf_conn.c:1.10.2.2 --- src/sys/net/npf/npf_conn.c:1.10.2.1 Fri Aug 29 11:14:14 2014 +++ src/sys/net/npf/npf_conn.c Mon Dec 1 13:05:26 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.10.2.1 2014/08/29 11:14:14 martin Exp $ */ +/* $NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius rmind at netbsd org @@ -99,7 +99,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.1 2014/08/29 11:14:14 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: npf_conn.c,v 1.10.2.2 2014/12/01 13:05:26 martin Exp $); #include sys/param.h #include sys/types.h 
@@ -680,11 +680,11 @@ npf_conn_release(npf_conn_t *con) } /* - * npf_conn_retnat: return associated NAT data entry and indicate + * npf_conn_getnat: return associated NAT data entry and indicate * whether it is a forwards or backwards stream. */ npf_nat_t * -npf_conn_retnat(npf_conn_t *con, const int di, bool *forw) +npf_conn_getnat(npf_conn_t *con, const int di, bool *forw) { KASSERT(con-c_refcnt 0); *forw = (con-c_flags PFIL_ALL) == di; Index: src/sys/net/npf/npf_conn.h diff -u src/sys/net/npf/npf_conn.h:1.6 src/sys/net/npf/npf_conn.h:1.6.2.1 --- src/sys/net/npf/npf_conn.h:1.6 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_conn.h Mon Dec 1 13:05:26 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.h,v 1.6 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_conn.h,v 1.6.2.1 2014/12/01 13:05:26 martin Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -113,7 +113,7 @@ bool npf_conn_pass(const npf_conn_t *, void npf_conn_setpass(npf_conn_t *, npf_rproc_t
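Review bot: in the npf_config_fini hunk an empty database from npf_conndb_create() replaces the NULL previously passed to npf_conn_load(), but nothing in this hunk destroys cd, so its ownership should be spelled out. If npf_conn_load() installs cd as the current database and frees the previous one, whatever tears down the connection subsystem afterwards must also destroy cd, or the empty database leaks on every unload.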
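Review bot: in the npf_config_load hunk the new third argument to npf_ruleset_reload() is named load, which reads as "loading a ruleset" (always true here) rather than "a connection database is being loaded" as the log message describes; a name such as conns_loaded, or the inverse share_active, would make the two call sites self-explanatory. The matching prototype change in npf_impl.h and the body change in npf_ruleset.c are not in the portion of the diff shown here, so check them in the same pull-up.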
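Review bot: in the npf_conn.c hunk npf_conn_retnat() is renamed to npf_conn_getnat() with no other change; the diff is cut off before the npf_conn.h prototype and the callers (npf_nat.c is in the modified-files list), so make sure every caller is updated in this same commit so the netbsd-7 branch never sits at a revision with an undefined symbol.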