Module Name: src
Committed By: rmind
Date: Mon Aug 11 23:48:01 UTC 2014
Modified Files:
src/lib/libnpf: npf.c
src/sys/net/npf: npf_alg.c npf_conn.c npf_ctl.c npf_impl.h npf_nat.c
src/usr.sbin/npf/npfctl: npfctl.c
Log Message:
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/lib/libnpf/npf.c
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npfctl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.32 src/lib/libnpf/npf.c:1.33
--- src/lib/libnpf/npf.c:1.32 Sun Aug 10 19:09:43 2014
+++ src/lib/libnpf/npf.c Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -237,11 +237,11 @@ npf_config_import(const char *path)
nl_config_t *ncf;
npf_dict = prop_dictionary_internalize_from_file(path);
- if (npf_dict) {
+ if (!npf_dict) {
return NULL;
}
ncf = _npf_config_consdict(npf_dict);
- if (ncf == NULL) {
+ if (!ncf) {
prop_object_release(npf_dict);
return NULL;
}
Index: src/sys/net/npf/npf_alg.c
diff -u src/sys/net/npf/npf_alg.c:1.14 src/sys/net/npf/npf_alg.c:1.15
--- src/sys/net/npf/npf_alg.c:1.14 Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_alg.c Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $ */
+/* $NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -244,3 +244,24 @@ npf_alg_conn(npf_cache_t *npc, int di)
pserialize_read_exit(s);
return con;
}
+
+prop_array_t
+npf_alg_export(void)
+{
+ prop_array_t alglist = prop_array_create();
+
+ KASSERT(npf_config_locked_p());
+
+ for (u_int i = 0; i < alg_count; i++) {
+ const npf_alg_t *alg = &alg_list[i];
+
+ if (alg->na_name == NULL) {
+ continue;
+ }
+ prop_dictionary_t algdict = prop_dictionary_create();
+ prop_dictionary_set_cstring(algdict, "name", alg->na_name);
+ prop_array_add(alglist, algdict);
+ prop_object_release(algdict);
+ }
+ return alglist;
+}
Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.10 src/sys/net/npf/npf_conn.c:1.11
--- src/sys/net/npf/npf_conn.c:1.10 Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_conn.c Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -99,7 +99,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -917,8 +917,11 @@ npf_conn_import(npf_conndb_t *cd, prop_d
}
memcpy(&con->c_state, d, sizeof(npf_state_t));
- /* Reconstruct NAT association, if any, or return NULL. */
- con->c_nat = npf_nat_import(cdict, natlist, con);
+ /* Reconstruct NAT association, if any. */
+ if ((obj = prop_dictionary_get(cdict, "nat")) != NULL &&
+ (con->c_nat = npf_nat_import(obj, natlist, con)) == NULL) {
+ goto err;
+ }
/*
* Fetch and copy the keys for each direction.
Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.38 src/sys/net/npf/npf_ctl.c:1.39
--- src/sys/net/npf/npf_ctl.c:1.38 Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_ctl.c Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -84,7 +84,9 @@ npf_mk_table_entries(npf_table_t *t, pro
prop_dictionary_t ent;
int error = 0;
- /* Fill all the entries. */
+ if (prop_object_type(entries) != PROP_TYPE_ARRAY) {
+ return EINVAL;
+ }
eit = prop_array_iterator(entries);
while ((ent = prop_object_iterator_next(eit)) != NULL) {
const npf_addr_t *addr;
@@ -148,12 +150,7 @@ npf_mk_tables(npf_tableset_t *tblset, pr
}
/* Get the entries or binary data. */
- prop_array_t entries = prop_dictionary_get(tbldict, "entries");
- if (prop_object_type(entries) != PROP_TYPE_ARRAY) {
- NPF_ERR_DEBUG(errdict);
- error = EINVAL;
- break;
- }
+ prop_array_t ents = prop_dictionary_get(tbldict, "entries");
prop_object_t obj = prop_dictionary_get(tbldict, "data");
void *blob = prop_data_data(obj);
size_t size = prop_data_size(obj);
@@ -177,7 +174,7 @@ npf_mk_tables(npf_tableset_t *tblset, pr
error = npf_tableset_insert(tblset, t);
KASSERT(error == 0);
- if ((error = npf_mk_table_entries(t, entries)) != 0) {
+ if (ents && (error = npf_mk_table_entries(t, ents)) != 0) {
NPF_ERR_DEBUG(errdict);
break;
}
@@ -546,6 +543,7 @@ npfctl_load(u_long cmd, void *data)
/* NAT policies. */
natlist = prop_dictionary_get(npf_dict, "nat");
if ((nitems = prop_array_count(natlist)) > NPF_MAX_RULES) {
+ error = E2BIG;
goto fail;
}
@@ -558,6 +556,7 @@ npfctl_load(u_long cmd, void *data)
/* Tables. */
tables = prop_dictionary_get(npf_dict, "tables");
if ((nitems = prop_array_count(tables)) > NPF_MAX_TABLES) {
+ error = E2BIG;
goto fail;
}
tblset = npf_tableset_create(nitems);
@@ -569,6 +568,7 @@ npfctl_load(u_long cmd, void *data)
/* Rule procedures. */
rprocs = prop_dictionary_get(npf_dict, "rprocs");
if ((nitems = prop_array_count(rprocs)) > NPF_MAX_RPROCS) {
+ error = E2BIG;
goto fail;
}
rpset = npf_rprocset_create();
@@ -580,6 +580,7 @@ npfctl_load(u_long cmd, void *data)
/* Rules. */
rules = prop_dictionary_get(npf_dict, "rules");
if ((nitems = prop_array_count(rules)) > NPF_MAX_RULES) {
+ error = E2BIG;
goto fail;
}
@@ -682,8 +683,11 @@ npfctl_save(u_long cmd, void *data)
if (error) {
goto out;
}
+ prop_array_t alglist = npf_alg_export();
+
npf_dict = prop_dictionary_create();
prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
+ prop_dictionary_set_and_rel(npf_dict, "algs", alglist);
prop_dictionary_set_and_rel(npf_dict, "rules", rulelist);
prop_dictionary_set_and_rel(npf_dict, "nat", natlist);
prop_dictionary_set_and_rel(npf_dict, "tables", tables);
Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.58 src/sys/net/npf/npf_impl.h:1.59
--- src/sys/net/npf/npf_impl.h:1.58 Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_impl.h Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.58 2014/08/11 01:54:12 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -338,6 +338,7 @@ npf_alg_t * npf_alg_construct(const char
bool npf_alg_match(npf_cache_t *, npf_nat_t *, int);
void npf_alg_exec(npf_cache_t *, npf_nat_t *, bool);
npf_conn_t * npf_alg_conn(npf_cache_t *, int);
+prop_array_t npf_alg_export(void);
/* Debugging routines. */
const char * npf_addr_dump(const npf_addr_t *, int);
Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.32 src/sys/net/npf/npf_nat.c:1.33
--- src/sys/net/npf/npf_nat.c:1.32 Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_nat.c Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -71,7 +71,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -199,9 +199,10 @@ npf_nat_newpolicy(prop_dictionary_t natd
np = kmem_zalloc(sizeof(npf_natpolicy_t), KM_SLEEP);
- /* Translation type and flags. */
+ /* The translation type, flags and policy ID. */
prop_dictionary_get_int32(natdict, "type", &np->n_type);
prop_dictionary_get_uint32(natdict, "flags", &np->n_flags);
+ prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id);
/* Should be exclusively either inbound or outbound NAT. */
if (((np->n_type == NPF_NATIN) ^ (np->n_type == NPF_NATOUT)) == 0) {
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.42 src/usr.sbin/npf/npfctl/npfctl.c:1.43
--- src/usr.sbin/npf/npfctl/npfctl.c:1.42 Wed Jul 23 05:00:38 2014
+++ src/usr.sbin/npf/npfctl/npfctl.c Mon Aug 11 23:48:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $ */
+/* $NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $");
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -506,7 +506,12 @@ npfctl_load(int fd)
if (ncf == NULL) {
return errno;
}
- error = npf_config_submit(ncf, fd);
+ errno = error = npf_config_submit(ncf, fd);
+ if (error) {
+ nl_error_t ne;
+ _npf_config_error(ncf, &ne);
+ npfctl_print_error(&ne);
+ }
npf_config_destroy(ncf);
return error;
}
