Module Name: src
Committed By: riz
Date: Mon Jan 7 16:51:08 UTC 2013
Modified Files:
src/dist/pf/usr.sbin/ftp-proxy [netbsd-6]: npf.c
src/lib/libnpf [netbsd-6]: npf.3 npf.c npf.h
src/sys/net/npf [netbsd-6]: npf.h npf_ctl.c
src/usr.sbin/npf/npfctl [netbsd-6]: npf.conf.5 npf_build.c npfctl.c
Log Message:
Pull up following revision(s) (requested by rmind in ticket #776):
usr.sbin/npf/npfctl/npf.conf.5: revision 1.26
usr.sbin/npf/npfctl/npfctl.c: revision 1.26
dist/pf/usr.sbin/ftp-proxy/npf.c: revision 1.2
lib/libnpf/npf.c: revision 1.15
sys/net/npf/npf_ctl.c: revision 1.20
lib/libnpf/npf.h: revision 1.12
lib/libnpf/npf.3: revision 1.6
lib/libnpf/npf.3: revision 1.7
usr.sbin/npf/npfctl/npf_build.c: revision 1.17
sys/net/npf/npf.h: revision 1.24
- Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.
Remove a superfluous quote and fix a recurring typo.
ftp-proxy: disable NPF bits for now; it will be re-done.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.1.8.1 src/dist/pf/usr.sbin/ftp-proxy/npf.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.2 src/lib/libnpf/npf.3
cvs rdiff -u -r1.7.2.7 -r1.7.2.8 src/lib/libnpf/npf.c
cvs rdiff -u -r1.6.2.5 -r1.6.2.6 src/lib/libnpf/npf.h
cvs rdiff -u -r1.14.2.9 -r1.14.2.10 src/sys/net/npf/npf.h
cvs rdiff -u -r1.12.2.6 -r1.12.2.7 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.9.2.6 -r1.9.2.7 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.4.2.9 -r1.4.2.10 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.10.2.10 -r1.10.2.11 src/usr.sbin/npf/npfctl/npfctl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/pf/usr.sbin/ftp-proxy/npf.c
diff -u src/dist/pf/usr.sbin/ftp-proxy/npf.c:1.1 src/dist/pf/usr.sbin/ftp-proxy/npf.c:1.1.8.1
--- src/dist/pf/usr.sbin/ftp-proxy/npf.c:1.1 Wed Feb 2 02:20:26 2011
+++ src/dist/pf/usr.sbin/ftp-proxy/npf.c Mon Jan 7 16:51:07 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.1 2011/02/02 02:20:26 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.1.8.1 2013/01/07 16:51:07 riz Exp $ */
/*
* Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -311,6 +311,7 @@ npf_server_lookup(struct sockaddr *c, st
static int
npf_do_commit(void)
{
+#if 0
nl_rule_t *group;
fp_ent_t *fpe;
pri_t pri;
@@ -327,6 +328,10 @@ npf_do_commit(void)
npf_update_rule(npf_fd, NPF_FP_RULE_TAG, group);
npf_rule_destroy(group);
return 0;
+#else
+ errno = ENOTSUP;
+ return -1;
+#endif
}
static int
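Review bot: The body left under `#if 0` still calls `npf_update_rule`, which this same commit moves behind `_NPF_PRIVATE` in lib/libnpf/npf.h, so re-enabling the block later will not compile against the public header, and nothing in the stub says why it exists. Returning -1 with ENOTSUP means ftp-proxy can no longer install per-session rules; unless the caller (outside this hunk) logs that failure loudly, operators will only notice when FTP data connections stop passing the firewall. Suggested comment above the `#if 0`: `/* NPF dynamic-rule support disabled pending rework; the code below needs npf_update_rule(), now _NPF_PRIVATE in libnpf. */`. Whether the caller treats the -1 as fatal is not visible here.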
Index: src/lib/libnpf/npf.3
diff -u src/lib/libnpf/npf.3:1.4.2.1 src/lib/libnpf/npf.3:1.4.2.2
--- src/lib/libnpf/npf.3:1.4.2.1 Thu Jul 5 17:48:44 2012
+++ src/lib/libnpf/npf.3 Mon Jan 7 16:51:08 2013
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.3,v 1.4.2.1 2012/07/05 17:48:44 riz Exp $
+.\" $NetBSD: npf.3,v 1.4.2.2 2013/01/07 16:51:08 riz Exp $
.\"
.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd July 1, 2012
+.Dd December 23, 2012
.Dt NPF 3
.Os
.Sh NAME
@@ -77,20 +77,14 @@
.Ft nl_table_t *
.Fn npf_table_create "u_int id" "int type"
.Ft int
-.Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
+.Fn npf_table_add_entry "nl_table_t *tl" "int af" \
+"in_addr_t addr" "in_addr_t mask"
.Ft bool
.Fn npf_table_exists_p "nl_config_t *ncf" "u_int tid"
.Ft int
.Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl"
.Ft void
.Fn npf_table_destroy "nl_table_t *tl"
-.\" ---
-.Ft int
-.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
-.Ft int
-.Fn npf_sessions_send "int fd" "const char *fpath"
-.Ft int
-.Fn npf_sessions_recv "int fd" "const char *fpath"
.\" -----
.Sh DESCRIPTION
The
@@ -236,7 +230,7 @@ is used.
Translation address is specified by
.Fa addr ,
and its family by
-.Fa fa .
+.Fa af .
Family must be either
.Dv AF_INET
for IPv4 or
@@ -261,13 +255,20 @@ Table is identified by
which should be in the range between 1 and
.Dv NPF_MAX_TABLE_ID .
.El
-.It Fn npf_table_add_entry "tl" "addr" "mask"
-Add an entry of IPv4 address and mask, specified by
+.It Fn npf_table_add_entry "tl" "af" "addr" "mask"
+Add an entry of IP address and mask, specified by
.Fa addr
and
.Fa mask ,
to the table specified by
.Fa tl .
+Family, specified by
+.Fa af ,
+must be either
+.Dv AF_INET
+for IPv4 or
+.Dv AF_INET6
+for IPv6 address.
.It Fn npf_table_exists_p "ncf" "name"
Determine whether table with ID
.Fa tid
@@ -285,19 +286,6 @@ Routine performs a check for duplicate t
Destroy the specified table.
.El
.\" -----
-.Ss Session interface
-.Bl -tag -width 4n
-.It Fn npf_update_rule "fd" "rname" "rl"
-.It Fn npf_sessions_send "fd" "fpath"
-Read the file specified by
-.Fa fpath ,
-and send sessions saved in it to the kernel.
-.It Fn npf_sessions_recv "fd" "fpath"
-Receive currently loaded session from the kernel, and save them to a file
-specified by
-.Fa fpath .
-.El
-.\" -----
.Sh SEE ALSO
.Xr npfctl 8 ,
.Xr npf_ncode 9
Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.7.2.7 src/lib/libnpf/npf.c:1.7.2.8
--- src/lib/libnpf/npf.c:1.7.2.7 Mon Nov 19 18:16:17 2012
+++ src/lib/libnpf/npf.c Mon Jan 7 16:51:08 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.7.2.7 2012/11/19 18:16:17 riz Exp $ */
+/* $NetBSD: npf.c,v 1.7.2.8 2013/01/07 16:51:08 riz Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.7 2012/11/19 18:16:17 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7.2.8 2013/01/07 16:51:08 riz Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -121,14 +121,15 @@ npf_config_submit(nl_config_t *ncf, int
if (npf_dict == NULL) {
return ENOMEM;
}
- if (ncf->ncf_debug) {
- prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
- }
+ prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
+ if (ncf->ncf_debug) {
+ prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
+ }
if (plist) {
if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
@@ -664,24 +665,36 @@ npf_table_create(u_int id, int type)
}
int
-npf_table_add_entry(nl_table_t *tl, const int alen,
- const npf_addr_t *addr, const npf_netmask_t mask)
+npf_table_add_entry(nl_table_t *tl, int af, const npf_addr_t *addr,
+ const npf_netmask_t mask)
{
prop_dictionary_t tldict = tl->ntl_dict, entdict;
prop_array_t tblents;
prop_data_t addrdata;
+ unsigned alen;
/* Create the table entry. */
entdict = prop_dictionary_create();
if (entdict == NULL) {
return ENOMEM;
}
+
+ switch (af) {
+ case AF_INET:
+ alen = sizeof(struct in_addr);
+ break;
+ case AF_INET6:
+ alen = sizeof(struct in6_addr);
+ break;
+ default:
+ return EINVAL;
+ }
+
addrdata = prop_data_create_data(addr, alen);
prop_dictionary_set(entdict, "addr", addrdata);
prop_dictionary_set_uint8(entdict, "mask", mask);
prop_object_release(addrdata);
- /* Insert the entry. */
tblents = prop_dictionary_get(tldict, "entries");
prop_array_add(tblents, entdict);
prop_object_release(entdict);
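Review bot: The new `switch (af)` is placed after `prop_dictionary_create()`, so the `default: return EINVAL;` path leaks `entdict`; either move the family switch above the allocation or release on the error path: `default: prop_object_release(entdict); return EINVAL;`. The `mask` argument is still not checked against the family, so a prefix length above 32 for AF_INET (or 128 for AF_INET6) is sent to the kernel as-is; if the kernel does not reject it, a cheap `if (mask > alen * 8)` check here (allowing for any no-mask sentinel the kernel accepts) would close that. The npf.3 synopsis in this commit also documents `in_addr_t addr` and `in_addr_t mask` where the prototype takes `const npf_addr_t *` and `npf_netmask_t`, which will mislead callers adding IPv6 entries.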
Index: src/lib/libnpf/npf.h
diff -u src/lib/libnpf/npf.h:1.6.2.5 src/lib/libnpf/npf.h:1.6.2.6
--- src/lib/libnpf/npf.h:1.6.2.5 Sun Nov 18 22:38:25 2012
+++ src/lib/libnpf/npf.h Mon Jan 7 16:51:08 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.6.2.5 2012/11/18 22:38:25 riz Exp $ */
+/* $NetBSD: npf.h,v 1.6.2.6 2013/01/07 16:51:08 riz Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -103,20 +103,20 @@ nl_nat_t * npf_nat_create(int, u_int, u_
int npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
nl_table_t * npf_table_create(u_int, int);
-int npf_table_add_entry(nl_table_t *, const int,
+int npf_table_add_entry(nl_table_t *, int,
const npf_addr_t *, const npf_netmask_t);
bool npf_table_exists_p(nl_config_t *, u_int);
int npf_table_insert(nl_config_t *, nl_table_t *);
void npf_table_destroy(nl_table_t *);
-int npf_update_rule(int, const char *, nl_rule_t *);
-int npf_sessions_send(int, const char *);
-int npf_sessions_recv(int, const char *);
-
#ifdef _NPF_PRIVATE
#include <ifaddrs.h>
+int npf_update_rule(int, const char *, nl_rule_t *);
+int npf_sessions_send(int, const char *);
+int npf_sessions_recv(int, const char *);
+
void _npf_config_error(nl_config_t *, nl_error_t *);
void _npf_config_setsubmit(nl_config_t *, const char *);
int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.9 src/sys/net/npf/npf.h:1.14.2.10
--- src/sys/net/npf/npf.h:1.14.2.9 Sun Dec 16 18:19:52 2012
+++ src/sys/net/npf/npf.h Mon Jan 7 16:51:08 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.9 2012/12/16 18:19:52 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.10 2013/01/07 16:51:08 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#define NPF_VERSION 7
+#define NPF_VERSION 8
/*
* Public declarations and definitions.
Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.12.2.6 src/sys/net/npf/npf_ctl.c:1.12.2.7
--- src/sys/net/npf/npf_ctl.c:1.12.2.6 Sat Nov 24 04:34:42 2012
+++ src/sys/net/npf/npf_ctl.c Mon Jan 7 16:51:08 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.12.2.6 2012/11/24 04:34:42 riz Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.12.2.7 2013/01/07 16:51:08 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.6 2012/11/24 04:34:42 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.7 2013/01/07 16:51:08 riz Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -458,6 +458,7 @@ npfctl_reload(u_long cmd, void *data)
npf_tableset_t *tblset = NULL;
npf_ruleset_t *rlset = NULL;
npf_ruleset_t *nset = NULL;
+ uint32_t ver = 0;
bool flush;
int error;
@@ -470,8 +471,13 @@ npfctl_reload(u_long cmd, void *data)
npf_dict = (prop_dictionary_t)pref;
#endif
- /* Dictionary for error reporting. */
+ /* Dictionary for error reporting and version check. */
errdict = prop_dictionary_create();
+ prop_dictionary_get_uint32(npf_dict, "version", &ver);
+ if (ver != NPF_VERSION) {
+ error = EPROGMISMATCH;
+ goto fail;
+ }
/* NAT policies. */
nset = npf_ruleset_create();
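Review bot: The version check ignores the return value of `prop_dictionary_get_uint32` and relies on `ver` staying 0 when the key is absent, which works but reads as accidental; `if (!prop_dictionary_get_uint32(npf_dict, "version", &ver) || ver != NPF_VERSION)` makes the missing-key case explicit. `errdict` is created on the line before the check and the `fail:` label is outside this hunk, so confirm that path releases both `errdict` and `npf_dict` on EPROGMISMATCH. It would also help the operator if the mismatch reported the kernel's expected version, e.g. `prop_dictionary_set_uint32(errdict, "version", NPF_VERSION);` before the goto, assuming errdict is copied back to userland on failure. npfctl_reload's body continues outside the hunk.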
@@ -720,6 +726,7 @@ npfctl_table(void *data)
case NPF_IOCTL_TBLENT_LOOKUP:
error = npf_table_lookup(tblset, nct->nct_tid,
nct->nct_data.ent.alen, &nct->nct_data.ent.addr);
+ break;
case NPF_IOCTL_TBLENT_ADD:
error = npf_table_insert(tblset, nct->nct_tid,
nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
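Review bot: The LOOKUP case deserves a one-line comment on why the `break` matters, since before it a read-only lookup fell through into ADD and inserted the queried address into the table, and a future edit could silently re-introduce that: `/* Lookup must not fall through: ADD below mutates the table. */`. Separately, `nct->nct_data.ent.alen` comes straight from the ioctl argument and is passed unchecked to `npf_table_lookup` and `npf_table_insert`; if those routines do not reject lengths other than sizeof(struct in_addr) and sizeof(struct in6_addr), a length larger than the `addr` field reads past it in the kernel, so that validation should be confirmed. The rest of npfctl_table is outside the hunk.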
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.9.2.6 src/usr.sbin/npf/npfctl/npf.conf.5:1.9.2.7
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.9.2.6 Sat Dec 15 23:31:07 2012
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Jan 7 16:51:07 2013
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.9.2.6 2012/12/15 23:31:07 riz Exp $
+.\" $NetBSD: npf.conf.5,v 1.9.2.7 2013/01/07 16:51:07 riz Exp $
.\"
.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 6, 2012
+.Dd December 23, 2012
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -98,9 +98,11 @@ The file should contain a list of IP add
Tables of type "hash" can only contain IP addresses.
.Ss Interfaces
Interfaces can be specified as the values of the variables:
+.Pp
.Bd -literal
$pub_if_list = { ifnet(wm0), ifnet(wm1) }
.Ed
+.Pp
In the context of filtering, an interface provides a list of its
all IP addresses, including IPv4 and IPv6.
Specific interface addresses can be selected by the family, e.g.:
@@ -285,6 +287,7 @@ map $ext_if dynamic 10.1.1.2 port 22 <-
procedure "log" {
# Note: npf_ext_log kernel module should be loaded, if not built-in.
+ # Also, the interface created, e.g.: ifconfig npflog0 create
log: npflog0
}
Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.4.2.9 src/usr.sbin/npf/npfctl/npf_build.c:1.4.2.10
--- src/usr.sbin/npf/npfctl/npf_build.c:1.4.2.9 Sun Dec 16 19:41:37 2012
+++ src/usr.sbin/npf/npfctl/npf_build.c Mon Jan 7 16:51:07 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.4.2.9 2012/12/16 19:41:37 riz Exp $ */
+/* $NetBSD: npf_build.c,v 1.4.2.10 2013/01/07 16:51:07 riz Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.4.2.9 2012/12/16 19:41:37 riz Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.4.2.10 2013/01/07 16:51:07 riz Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -617,7 +617,8 @@ npfctl_fill_table(nl_table_t *tl, u_int
}
/* Create and add a table entry. */
- npf_table_add_entry(tl, alen, &fam.fam_addr, fam.fam_mask);
+ npf_table_add_entry(tl, fam.fam_family,
+ &fam.fam_addr, fam.fam_mask);
}
if (buf != NULL) {
free(buf);
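Review bot: The return value of `npf_table_add_entry` is still ignored, and after this commit it can fail with EINVAL (unknown family) as well as ENOMEM, so a table can load silently missing entries; for a table referenced by a block rule that is a fail-open outcome. Check it, e.g. `if (npf_table_add_entry(tl, fam.fam_family, &fam.fam_addr, fam.fam_mask) != 0) errx(EXIT_FAILURE, "npf_table_add_entry failed");`, using whatever error helper npf_build.c already uses. If `alen` is still computed above this hunk it is now unused and will trip -Wunused under WARNS, so drop it. npfctl_fill_table starts outside the hunk.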
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.10.2.10 src/usr.sbin/npf/npfctl/npfctl.c:1.10.2.11
--- src/usr.sbin/npf/npfctl/npfctl.c:1.10.2.10 Sun Dec 16 19:41:37 2012
+++ src/usr.sbin/npf/npfctl/npfctl.c Mon Jan 7 16:51:07 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.10.2.10 2012/12/16 19:41:37 riz Exp $ */
+/* $NetBSD: npfctl.c,v 1.10.2.11 2013/01/07 16:51:07 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.10.2.10 2012/12/16 19:41:37 riz Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.10.2.11 2013/01/07 16:51:07 riz Exp $");
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -147,6 +147,10 @@ npfctl_print_stats(int fd)
{ NPF_STAT_NAT_CREATE, "NAT entry allocations" },
{ NPF_STAT_NAT_DESTROY, "NAT entry destructions"},
+ { -1, "Network buffers" },
+ { NPF_STAT_NBUF_NONCONTIG, "non-contiguous cases" },
+ { NPF_STAT_NBUF_CONTIG_FAIL, "contig alloc failures" },
+
{ -1, "Invalid packet state cases" },
{ NPF_STAT_INVALID_STATE, "cases in total" },
{ NPF_STAT_INVALID_STATE_TCP1, "TCP case I" },
@@ -294,7 +298,7 @@ again:
errx(EXIT_FAILURE, "invalid CIDR '%s'", arg);
}
nct.nct_data.ent.alen = alen;
- memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, sizeof(npf_addr_t));
+ memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, alen);
nct.nct_data.ent.mask = fam.fam_mask;
}