Module Name: src Committed By: rmind Date: Mon Aug 11 23:48:01 UTC 2014
Modified Files: src/lib/libnpf: npf.c src/sys/net/npf: npf_alg.c npf_conn.c npf_ctl.c npf_impl.h npf_nat.c src/usr.sbin/npf/npfctl: npfctl.c Log Message: - Add and use npf_alg_export(). - npf_conn_import: handle NAT metadata correctly. - npf_nat_newpolicy: restore the policy ID. - npfctl_load: fix error code handling for the limit cases. - npf_config_import: fix the inverted logic. - npfctl_load: improve error handling. To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/lib/libnpf/npf.c cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_alg.c cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conn.c cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.58 -r1.59 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_nat.c cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libnpf/npf.c diff -u src/lib/libnpf/npf.c:1.32 src/lib/libnpf/npf.c:1.33 --- src/lib/libnpf/npf.c:1.32 Sun Aug 10 19:09:43 2014 +++ src/lib/libnpf/npf.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $"); #include <sys/types.h> #include <netinet/in_systm.h> @@ -237,11 +237,11 @@ npf_config_import(const char *path) nl_config_t *ncf; npf_dict = prop_dictionary_internalize_from_file(path); - if (npf_dict) { + if (!npf_dict) { return NULL; } ncf = _npf_config_consdict(npf_dict); - if (ncf == NULL) { + if (!ncf) { prop_object_release(npf_dict); return NULL; } Index: src/sys/net/npf/npf_alg.c diff -u src/sys/net/npf/npf_alg.c:1.14 src/sys/net/npf/npf_alg.c:1.15 --- src/sys/net/npf/npf_alg.c:1.14 Sun Jul 20 00:37:41 2014 +++ src/sys/net/npf/npf_alg.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $ */ +/* $NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2010-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $"); #include <sys/param.h> #include <sys/types.h> 
@@ -244,3 +244,24 @@ npf_alg_conn(npf_cache_t *npc, int di) pserialize_read_exit(s); return con; } + +prop_array_t +npf_alg_export(void) +{ + prop_array_t alglist = prop_array_create(); + + KASSERT(npf_config_locked_p()); + + for (u_int i = 0; i < alg_count; i++) { + const npf_alg_t *alg = &alg_list[i]; + + if (alg->na_name == NULL) { + continue; + } + prop_dictionary_t algdict = prop_dictionary_create(); + prop_dictionary_set_cstring(algdict, "name", alg->na_name); + prop_array_add(alglist, algdict); + prop_object_release(algdict); + } + return alglist; +} Index: src/sys/net/npf/npf_conn.c diff -u src/sys/net/npf/npf_conn.c:1.10 src/sys/net/npf/npf_conn.c:1.11 --- src/sys/net/npf/npf_conn.c:1.10 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_conn.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org> @@ -99,7 +99,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $"); #include <sys/param.h> #include <sys/types.h> @@ -917,8 +917,11 @@ npf_conn_import(npf_conndb_t *cd, prop_d } memcpy(&con->c_state, d, sizeof(npf_state_t)); - /* Reconstruct NAT association, if any, or return NULL. */ - con->c_nat = npf_nat_import(cdict, natlist, con); + /* Reconstruct NAT association, if any. */ + if ((obj = prop_dictionary_get(cdict, "nat")) != NULL && + (con->c_nat = npf_nat_import(obj, natlist, con)) == NULL) { + goto err; + } /* * Fetch and copy the keys for each direction. Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.38 src/sys/net/npf/npf_ctl.c:1.39 --- src/sys/net/npf/npf_ctl.c:1.38 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_ctl.c Mon Aug 11 23:48:01 2014 
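Review bot: The new `nat` lookup in npf_conn_import passes `obj` to npf_nat_import() without checking that it is a dictionary, and npf_nat_import() itself is not touched by this commit, so whether it validates the object type before reading fields is not visible here. `cdict` arrives through the connection import path, so a `nat` value of the wrong type should be rejected explicitly rather than relied on to fail inside the callee; `if (obj != NULL && (prop_object_type(obj) != PROP_TYPE_DICTIONARY || (con->c_nat = npf_nat_import(obj, natlist, con)) == NULL)) goto err;` keeps the error path identical while making the contract visible. A connection dictionary without a `nat` entry now leaves `con->c_nat` at whatever the allocator put there; that is NULL only if `con` comes from a zeroing allocation, which is outside this hunk, so worth confirming. npf_conn_import starts and ends outside the hunk.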
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $"); #include <sys/param.h> #include <sys/conf.h> @@ -84,7 +84,9 @@ npf_mk_table_entries(npf_table_t *t, pro prop_dictionary_t ent; int error = 0; - /* Fill all the entries. */ + if (prop_object_type(entries) != PROP_TYPE_ARRAY) { + return EINVAL; + } eit = prop_array_iterator(entries); while ((ent = prop_object_iterator_next(eit)) != NULL) { const npf_addr_t *addr; @@ -148,12 +150,7 @@ npf_mk_tables(npf_tableset_t *tblset, pr } /* Get the entries or binary data. */ - prop_array_t entries = prop_dictionary_get(tbldict, "entries"); - if (prop_object_type(entries) != PROP_TYPE_ARRAY) { - NPF_ERR_DEBUG(errdict); - error = EINVAL; - break; - } + prop_array_t ents = prop_dictionary_get(tbldict, "entries"); prop_object_t obj = prop_dictionary_get(tbldict, "data"); void *blob = prop_data_data(obj); size_t size = prop_data_size(obj); @@ -177,7 +174,7 @@ npf_mk_tables(npf_tableset_t *tblset, pr error = npf_tableset_insert(tblset, t); KASSERT(error == 0); - if ((error = npf_mk_table_entries(t, entries)) != 0) { + if (ents && (error = npf_mk_table_entries(t, ents)) != 0) { NPF_ERR_DEBUG(errdict); break; } @@ -546,6 +543,7 @@ npfctl_load(u_long cmd, void *data) /* NAT policies. */ natlist = prop_dictionary_get(npf_dict, "nat"); if ((nitems = prop_array_count(natlist)) > NPF_MAX_RULES) { + error = E2BIG; goto fail; } @@ -558,6 +556,7 @@ npfctl_load(u_long cmd, void *data) /* Tables. */ tables = prop_dictionary_get(npf_dict, "tables"); if ((nitems = prop_array_count(tables)) > NPF_MAX_TABLES) { + error = E2BIG; goto fail; } tblset = npf_tableset_create(nitems); 
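Review bot: With the array check moved into npf_mk_table_entries and the call guarded by `ents &&`, `entries` has become optional in npf_mk_tables, but nothing in the hunk says so, and the `data` object fetched two lines later still goes straight to prop_data_data()/prop_data_size() with no PROP_TYPE_DATA check to match the one `entries` now gets. A table dictionary carrying neither key, or a non-data `data` value, reaches the table constructor with a NULL blob and size 0 — presumably accepted as an empty table, but the constructor is outside the hunk, so confirm. I would add `/* "entries" is optional: a table may instead be populated from the "data" blob. */` above the `ents` lookup and mirror the new type check: `if (obj != NULL && prop_object_type(obj) != PROP_TYPE_DATA) { NPF_ERR_DEBUG(errdict); error = EINVAL; break; }`. npf_mk_tables starts and ends outside the hunk.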
@@ -569,6 +568,7 @@ npfctl_load(u_long cmd, void *data) /* Rule procedures. */ rprocs = prop_dictionary_get(npf_dict, "rprocs"); if ((nitems = prop_array_count(rprocs)) > NPF_MAX_RPROCS) { + error = E2BIG; goto fail; } rpset = npf_rprocset_create(); @@ -580,6 +580,7 @@ npfctl_load(u_long cmd, void *data) /* Rules. */ rules = prop_dictionary_get(npf_dict, "rules"); if ((nitems = prop_array_count(rules)) > NPF_MAX_RULES) { + error = E2BIG; goto fail; } @@ -682,8 +683,11 @@ npfctl_save(u_long cmd, void *data) if (error) { goto out; } + prop_array_t alglist = npf_alg_export(); + npf_dict = prop_dictionary_create(); prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION); + prop_dictionary_set_and_rel(npf_dict, "algs", alglist); prop_dictionary_set_and_rel(npf_dict, "rules", rulelist); prop_dictionary_set_and_rel(npf_dict, "nat", natlist); prop_dictionary_set_and_rel(npf_dict, "tables", tables); Index: src/sys/net/npf/npf_impl.h diff -u src/sys/net/npf/npf_impl.h:1.58 src/sys/net/npf/npf_impl.h:1.59 --- src/sys/net/npf/npf_impl.h:1.58 Mon Aug 11 01:54:12 2014 +++ src/sys/net/npf/npf_impl.h Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_impl.h,v 1.58 2014/08/11 01:54:12 rmind Exp $ */ +/* $NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -338,6 +338,7 @@ npf_alg_t * npf_alg_construct(const char bool npf_alg_match(npf_cache_t *, npf_nat_t *, int); void npf_alg_exec(npf_cache_t *, npf_nat_t *, bool); npf_conn_t * npf_alg_conn(npf_cache_t *, int); +prop_array_t npf_alg_export(void); /* Debugging routines. */ const char * npf_addr_dump(const npf_addr_t *, int); Index: src/sys/net/npf/npf_nat.c diff -u src/sys/net/npf/npf_nat.c:1.32 src/sys/net/npf/npf_nat.c:1.33 --- src/sys/net/npf/npf_nat.c:1.32 Sun Aug 10 19:09:43 2014 +++ src/sys/net/npf/npf_nat.c Mon Aug 11 23:48:01 2014 
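Review bot: npf_alg_export() asserts npf_config_locked_p() and walks alg_list/alg_count, yet the lines of npfctl_save before the new call are outside the hunk, so I cannot see that the config lock is held at that point; on a DIAGNOSTIC kernel an unlocked call panics, on a non-DIAGNOSTIC one it reads the ALG table unprotected against module load/unload. A one-line comment at the call site would pin the invariant for the next reader, e.g. `/* Config lock is held here: npf_alg_export() walks alg_list. */`. The returned array is also handed to prop_dictionary_set_and_rel() without a NULL check after prop_array_create(); that matches the neighbouring exports, but it means an allocation failure produces a saved dictionary with no `algs` key rather than an error. npfctl_save starts and ends outside the hunk.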
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org> @@ -71,7 +71,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $"); #include <sys/param.h> #include <sys/types.h> @@ -199,9 +199,10 @@ npf_nat_newpolicy(prop_dictionary_t natd np = kmem_zalloc(sizeof(npf_natpolicy_t), KM_SLEEP); - /* Translation type and flags. */ + /* The translation type, flags and policy ID. */ prop_dictionary_get_int32(natdict, "type", &np->n_type); prop_dictionary_get_uint32(natdict, "flags", &np->n_flags); + prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id); /* Should be exclusively either inbound or outbound NAT. */ if (((np->n_type == NPF_NATIN) ^ (np->n_type == NPF_NATOUT)) == 0) { Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.42 src/usr.sbin/npf/npfctl/npfctl.c:1.43 --- src/usr.sbin/npf/npfctl/npfctl.c:1.42 Wed Jul 23 05:00:38 2014 +++ src/usr.sbin/npf/npfctl/npfctl.c Mon Aug 11 23:48:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $ */ +/* $NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $"); #include <sys/ioctl.h> #include <sys/stat.h> @@ -506,7 +506,12 @@ npfctl_load(int fd) if (ncf == NULL) { return errno; } - error = npf_config_submit(ncf, fd); + errno = error = npf_config_submit(ncf, fd); + if (error) { + nl_error_t ne; + _npf_config_error(ncf, &ne); + npfctl_print_error(&ne); + } npf_config_destroy(ncf); return error; }
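Review bot: The added `prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id)` discards its return value, so a dictionary without that key, or with a value of another type, silently leaves n_id at the 0 from kmem_zalloc(). The log message suggests this ID is what npf_nat_import() uses to rebind an imported connection to its policy; if so, zero or duplicate IDs supplied by the caller would attach connections to the wrong policy, and nothing in this hunk checks uniqueness — the ioctl is presumably privileged, so this is a robustness point rather than a privilege boundary. If every producer emits the key, fail closed with `if (!prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id)) { /* take the same failure path as the n_type check below */ }`; otherwise at least document it, `/* Policy ID is taken from the caller as-is; uniqueness is not verified here. */`. npf_nat_newpolicy starts and ends outside the hunk, so the exact failure path is not visible from here.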