Module Name: src Committed By: rmind Date: Sat May 31 22:41:37 UTC 2014
Modified Files: src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c npf_show.c Log Message: npfctl_build_code: generate TCP/UDP check for ports case when other blocks do not imply L4 check; add an assert in npfctl_bpf_proto() and elsewhere. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.37 -r1.38 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.5 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.6 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.5 Thu May 15 02:34:29 2014 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Sat May 31 22:41:37 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf_comp.c,v 1.5 2014/05/15 02:34:29 rmind Exp $ */ +/* $NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.5 2014/05/15 02:34:29 rmind Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.6 2014/05/31 22:41:37 rmind Exp $"); #include <stdlib.h> #include <stdbool.h> @@ -62,7 +62,8 @@ __RCSID("$NetBSD: npf_bpf_comp.c,v 1.5 2 * something other than L4 header offset. Generally, when BPF_LDX is used. */ #define FETCHED_L3 0x01 -#define X_EQ_L4OFF 0x02 +#define CHECKED_L4 0x02 +#define X_EQ_L4OFF 0x04 struct npf_bpf { /* @@ -283,8 +284,8 @@ fetch_l3(npf_bpf_t *ctx, sa_family_t af, } /* - * Fetch L3 information. The coprocessor populates the following - * words in the scratch memory store: + * Call NPF_COP_L3 to fetch L3 information. The coprocessor + * populates the following words in the scratch memory store: * - BPF_MW_IPVER: IP version (4 or 6). * - BPF_MW_L4OFF: L4 header offset. * - BPF_MW_L4PROTO: L4 protocol. @@ -369,6 +370,7 @@ npfctl_bpf_proto(npf_bpf_t *ctx, sa_fami uint32_t mwords[] = { BM_PROTO, 1, proto }; done_block(ctx, mwords, sizeof(mwords)); + ctx->flags |= CHECKED_L4; } /* @@ -471,6 +473,7 @@ npfctl_bpf_ports(npf_bpf_t *ctx, u_int o /* TCP and UDP port offsets are the same. */ assert(sport_off == offsetof(struct tcphdr, th_sport)); assert(dport_off == offsetof(struct tcphdr, th_dport)); + assert(ctx->flags & CHECKED_L4); assert(((opts & MATCH_SRC) != 0) ^ ((opts & MATCH_DST) != 0)); off = (opts & MATCH_SRC) ? sport_off : dport_off; @@ -516,11 +519,12 @@ void npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp) { const u_int tcpfl_off = offsetof(struct tcphdr, th_flags); + const bool usingmask = tf_mask != tf; /* X <- IP header length */ fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF); if (checktcp) { - const u_int jf = (tf_mask != tf) ? 3 : 2; + const u_int jf = usingmask ? 3 : 2; assert(ctx->ingroup == false); /* A <- L4 protocol; A == TCP? If not, jump out. */ @@ -529,6 +533,8 @@ npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, jf), }; add_insns(ctx, insns_tcp, __arraycount(insns_tcp)); + } else { + assert(ctx->flags & CHECKED_L4); } struct bpf_insn insns_tf[] = { @@ -537,7 +543,7 @@ npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t }; add_insns(ctx, insns_tf, __arraycount(insns_tf)); - if (tf_mask != tf) { + if (usingmask) { /* A <- (A & mask) */ struct bpf_insn insns_mask[] = { BPF_STMT(BPF_ALU+BPF_AND+BPF_K, tf_mask), @@ -567,6 +573,7 @@ npfctl_bpf_icmp(npf_bpf_t *ctx, int type const u_int type_off = offsetof(struct icmp, icmp_type); const u_int code_off = offsetof(struct icmp, icmp_code); + assert(ctx->flags & CHECKED_L4); assert(offsetof(struct icmp6_hdr, icmp6_type) == type_off); assert(offsetof(struct icmp6_hdr, icmp6_code) == code_off); assert(type != -1 || code != -1); Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.37 src/usr.sbin/npf/npfctl/npf_build.c:1.38 --- src/usr.sbin/npf/npfctl/npf_build.c:1.37 Thu May 15 02:34:29 2014 +++ src/usr.sbin/npf/npfctl/npf_build.c Sat May 31 22:41:37 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.37 2014/05/15 02:34:29 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npf_build.c,v 1.37 2014/05/15 02:34:29 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $"); #include <sys/types.h> #include <sys/mman.h> @@ -293,10 +293,10 @@ static bool npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op, const filt_opts_t *fopts) { + bool noproto, noaddrs, noports, need_tcpudp = false; const addr_port_t *apfrom = &fopts->fo_from; const addr_port_t *apto = &fopts->fo_to; const int proto = op->op_proto; - bool noproto, noaddrs, noports; npf_bpf_t *bc; size_t len; @@ -317,7 +317,9 @@ npfctl_build_code(nl_rule_t *rl, sa_fami switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: + break; case -1: + need_tcpudp = true; break; default: yyerror("invalid filter options for protocol %d", proto); @@ -344,6 +346,13 @@ npfctl_build_code(nl_rule_t *rl, sa_fami npfctl_build_vars(bc, family, apto->ap_netaddr, MATCH_DST); /* Build port-range blocks. */ + if (need_tcpudp) { + /* TCP/UDP check for the ports. */ + npfctl_bpf_group(bc); + npfctl_bpf_proto(bc, AF_UNSPEC, IPPROTO_TCP); + npfctl_bpf_proto(bc, AF_UNSPEC, IPPROTO_UDP); + npfctl_bpf_endgroup(bc); + } npfctl_build_vars(bc, family, apfrom->ap_portrange, MATCH_SRC); npfctl_build_vars(bc, family, apto->ap_portrange, MATCH_DST); Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.13 src/usr.sbin/npf/npfctl/npf_show.c:1.14 --- src/usr.sbin/npf/npfctl/npf_show.c:1.13 Fri Mar 14 11:29:45 2014 +++ src/usr.sbin/npf/npfctl/npf_show.c Sat May 31 22:41:37 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.13 2014/03/14 11:29:45 rmind Exp $ */ +/* $NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npf_show.c,v 1.13 2014/03/14 11:29:45 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.14 2014/05/31 22:41:37 rmind Exp $"); #include <sys/socket.h> #include <netinet/in.h> @@ -248,7 +248,7 @@ static const struct mark_keyword_mapent u_int fwords; } mark_keyword_map[] = { { BM_IPVER, "family %s", NULL, print_family, 1 }, - { BM_PROTO, "proto %s", NULL, print_proto, 1 }, + { BM_PROTO, "proto %s", ", ", print_proto, 1 }, { BM_TCPFL, "flags %s", NULL, print_tcpflags, 2 }, { BM_ICMP_TYPE, "icmp-type %s", NULL, print_number, 1 }, { BM_ICMP_CODE, "code %s", NULL, print_number, 1 },