Module Name:    src
Committed By:   martin
Date:           Fri Aug 29 11:14:14 UTC 2014

Modified Files:
        src/lib/libnpf [netbsd-7]: npf.c
        src/sys/net/npf [netbsd-7]: npf_alg.c npf_conn.c npf_ctl.c npf_impl.h
            npf_nat.c
        src/usr.sbin/npf/npfctl [netbsd-7]: npfctl.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #56):
        sys/net/npf/npf_ctl.c: revision 1.39
        usr.sbin/npf/npfctl/npfctl.c: revision 1.43
        lib/libnpf/npf.c: revision 1.33
        lib/libnpf/npf.c: revision 1.34
        sys/net/npf/npf_impl.h: revision 1.59
        sys/net/npf/npf_ctl.c: revision 1.40
        sys/net/npf/npf_conn.c: revision 1.11
        sys/net/npf/npf_alg.c: revision 1.15
        sys/net/npf/npf_conn.c: revision 1.12
        sys/net/npf/npf_nat.c: revision 1.33
        sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.2.1 src/lib/libnpf/npf.c
cvs rdiff -u -r1.14 -r1.14.2.1 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.10 -r1.10.2.1 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.58 -r1.58.2.1 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.32 -r1.32.2.1 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.42 -r1.42.2.1 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libnpf/npf.c
diff -u src/lib/libnpf/npf.c:1.32 src/lib/libnpf/npf.c:1.32.2.1
--- src/lib/libnpf/npf.c:1.32	Sun Aug 10 19:09:43 2014
+++ src/lib/libnpf/npf.c	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -69,13 +69,14 @@ struct nl_ext {
 };
 
 struct nl_config {
-	/* Rules, translations, tables, procedures. */
+	/* Rules, translations, procedures, tables, connections. */
 	prop_dictionary_t	ncf_dict;
 	prop_array_t		ncf_alg_list;
 	prop_array_t		ncf_rules_list;
 	prop_array_t		ncf_rproc_list;
 	prop_array_t		ncf_table_list;
 	prop_array_t		ncf_nat_list;
+	prop_array_t		ncf_conn_list;
 
 	/* Iterators. */
 	prop_object_iterator_t	ncf_rule_iter;
@@ -153,6 +154,10 @@ npf_config_submit(nl_config_t *ncf, int 
 	prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
 	prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
 	prop_dictionary_set(npf_dict, "nat", ncf->ncf_nat_list);
+	if (ncf->ncf_conn_list) {
+		prop_dictionary_set(npf_dict, "conn-list",
+		    ncf->ncf_conn_list);
+	}
 	prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
 	if (ncf->ncf_debug) {
 		prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
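Review bot: The `if (ncf->ncf_conn_list)` test at the top of this hunk is only safe if the constructor of `struct nl_config` zero-fills the `ncf_conn_list` member added in the preceding hunk; that constructor is outside the diff, so please confirm it uses `calloc`/`memset` or add an explicit `ncf->ncf_conn_list = NULL;` there. A one-line comment on the new member, `/* Optional: NULL unless saved connections were attached. */`, would document that it may legitimately be absent. npf_config_submit starts and ends outside the hunk.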
@@ -194,6 +199,7 @@ _npf_config_consdict(prop_dictionary_t n
 	ncf->ncf_rproc_list = prop_dictionary_get(npf_dict, "rprocs");
 	ncf->ncf_table_list = prop_dictionary_get(npf_dict, "tables");
 	ncf->ncf_nat_list = prop_dictionary_get(npf_dict, "nat");
+	ncf->ncf_conn_list = prop_dictionary_get(npf_dict, "conn-list");
 	return ncf;
 }
 
@@ -237,11 +243,11 @@ npf_config_import(const char *path)
 	nl_config_t *ncf;
 
 	npf_dict = prop_dictionary_internalize_from_file(path);
-	if (npf_dict) {
+	if (!npf_dict) {
 		return NULL;
 	}
 	ncf = _npf_config_consdict(npf_dict);
-	if (ncf == NULL) {
+	if (!ncf) {
 		prop_object_release(npf_dict);
 		return NULL;
 	}

Index: src/sys/net/npf/npf_alg.c
diff -u src/sys/net/npf/npf_alg.c:1.14 src/sys/net/npf/npf_alg.c:1.14.2.1
--- src/sys/net/npf/npf_alg.c:1.14	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_alg.c	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_alg.c,v 1.14.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.14.2.1 2014/08/29 11:14:14 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -244,3 +244,24 @@ npf_alg_conn(npf_cache_t *npc, int di)
 	pserialize_read_exit(s);
 	return con;
 }
+
+prop_array_t
+npf_alg_export(void)
+{
+	prop_array_t alglist = prop_array_create();
+
+	KASSERT(npf_config_locked_p());
+
+	for (u_int i = 0; i < alg_count; i++) {
+		const npf_alg_t *alg = &alg_list[i];
+
+		if (alg->na_name == NULL) {
+			continue;
+		}
+		prop_dictionary_t algdict = prop_dictionary_create();
+		prop_dictionary_set_cstring(algdict, "name", alg->na_name);
+		prop_array_add(alglist, algdict);
+		prop_object_release(algdict);
+	}
+	return alglist;
+}
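Review bot: `prop_array_create()` and `prop_dictionary_create()` on the lines `prop_array_t alglist = prop_array_create();` and `prop_dictionary_t algdict = prop_dictionary_create();` can return NULL under memory pressure, and neither result is checked before `prop_dictionary_set_cstring`/`prop_array_add`; the caller in npfctl_save then hands `alglist` straight to `prop_dictionary_set_and_rel`, so a NULL would propagate silently. The new function also has no header comment describing its contract, including the lock requirement that the KASSERT enforces only in debug kernels; suggest `/* * npf_alg_export: build a list of dictionaries naming each registered ALG, for saving. * Must be called with the config lock held. */`. Moving the `KASSERT(npf_config_locked_p());` above the allocation would make the precondition read first.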

Index: src/sys/net/npf/npf_conn.c
diff -u src/sys/net/npf/npf_conn.c:1.10 src/sys/net/npf/npf_conn.c:1.10.2.1
--- src/sys/net/npf/npf_conn.c:1.10	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_conn.c	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_conn.c,v 1.10.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -99,7 +99,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10.2.1 2014/08/29 11:14:14 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -899,6 +899,7 @@ npf_conn_import(npf_conndb_t *cd, prop_d
 	con = pool_cache_get(conn_cache, PR_WAITOK);
 	memset(con, 0, sizeof(npf_conn_t));
 	mutex_init(&con->c_lock, MUTEX_DEFAULT, IPL_SOFTNET);
+	npf_stats_inc(NPF_STAT_CONN_CREATE);
 
 	prop_dictionary_get_uint32(cdict, "proto", &con->c_proto);
 	prop_dictionary_get_uint32(cdict, "flags", &con->c_flags);
@@ -917,8 +918,11 @@ npf_conn_import(npf_conndb_t *cd, prop_d
 	}
 	memcpy(&con->c_state, d, sizeof(npf_state_t));
 
-	/* Reconstruct NAT association, if any, or return NULL. */
-	con->c_nat = npf_nat_import(cdict, natlist, con);
+	/* Reconstruct NAT association, if any. */
+	if ((obj = prop_dictionary_get(cdict, "nat")) != NULL &&
+	    (con->c_nat = npf_nat_import(obj, natlist, con)) == NULL) {
+		goto err;
+	}
 
 	/*
 	 * Fetch and copy the keys for each direction.
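Review bot: When the "nat" key is absent the new condition skips `npf_nat_import` and `con->c_nat` keeps the NULL left by the `memset` earlier in the function, which is presumably the intended "no NAT association" case but is stated nowhere; the replaced comment should say so, e.g. `/* Reconstruct the NAT association, if any; c_nat stays NULL otherwise. */`. Assigning `con->c_nat` inside the `&&` chain also hides the failure path — two separate `if` statements (fetch, then import-and-check) would read more plainly. `obj` is declared outside this hunk, presumably earlier in npf_conn_import, which starts and ends outside the hunk.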
@@ -949,6 +953,8 @@ npf_conn_import(npf_conndb_t *cd, prop_d
 		npf_conndb_remove(cd, fw);
 		goto err;
 	}
+
+	NPF_PRINTF(("NPF: imported conn %p\n", con));
 	npf_conndb_enqueue(cd, con);
 	return 0;
 err:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.38 src/sys/net/npf/npf_ctl.c:1.38.2.1
--- src/sys/net/npf/npf_ctl.c:1.38	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_ctl.c	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.38.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38.2.1 2014/08/29 11:14:14 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -84,7 +84,9 @@ npf_mk_table_entries(npf_table_t *t, pro
 	prop_dictionary_t ent;
 	int error = 0;
 
-	/* Fill all the entries. */
+	if (prop_object_type(entries) != PROP_TYPE_ARRAY) {
+		return EINVAL;
+	}
 	eit = prop_array_iterator(entries);
 	while ((ent = prop_object_iterator_next(eit)) != NULL) {
 		const npf_addr_t *addr;
@@ -148,12 +150,7 @@ npf_mk_tables(npf_tableset_t *tblset, pr
 		}
 
 		/* Get the entries or binary data. */
-		prop_array_t entries = prop_dictionary_get(tbldict, "entries");
-		if (prop_object_type(entries) != PROP_TYPE_ARRAY) {
-			NPF_ERR_DEBUG(errdict);
-			error = EINVAL;
-			break;
-		}
+		prop_array_t ents = prop_dictionary_get(tbldict, "entries");
 		prop_object_t obj = prop_dictionary_get(tbldict, "data");
 		void *blob = prop_data_data(obj);
 		size_t size = prop_data_size(obj);
@@ -177,7 +174,7 @@ npf_mk_tables(npf_tableset_t *tblset, pr
 		error = npf_tableset_insert(tblset, t);
 		KASSERT(error == 0);
 
-		if ((error = npf_mk_table_entries(t, entries)) != 0) {
+		if (ents && (error = npf_mk_table_entries(t, ents)) != 0) {
 			NPF_ERR_DEBUG(errdict);
 			break;
 		}
@@ -462,7 +459,7 @@ npf_mk_connlist(prop_array_t conlist, np
 	prop_dictionary_t condict;
 	prop_object_iterator_t it;
 	npf_conndb_t *cd;
-	int error;
+	int error = 0;
 
 	/* Connection list - array */
 	if (prop_object_type(conlist) != PROP_TYPE_ARRAY) {
@@ -472,8 +469,6 @@ npf_mk_connlist(prop_array_t conlist, np
 
 	/* Create a connection database. */
 	cd = npf_conndb_create();
-
-	error = 0;
 	it = prop_array_iterator(conlist);
 	while ((condict = prop_object_iterator_next(it)) != NULL) {
 		/* Connection - dictionary. */
@@ -482,7 +477,7 @@ npf_mk_connlist(prop_array_t conlist, np
 			error = EINVAL;
 			break;
 		}
-		/* Construct and insert real connection structure. */
+		/* Construct and insert the connection. */
 		error = npf_conn_import(cd, condict, natlist);
 		if (error) {
 			NPF_ERR_DEBUG(errdict);
@@ -546,6 +541,7 @@ npfctl_load(u_long cmd, void *data)
 	/* NAT policies. */
 	natlist = prop_dictionary_get(npf_dict, "nat");
 	if ((nitems = prop_array_count(natlist)) > NPF_MAX_RULES) {
+		error = E2BIG;
 		goto fail;
 	}
 
@@ -558,6 +554,7 @@ npfctl_load(u_long cmd, void *data)
 	/* Tables. */
 	tables = prop_dictionary_get(npf_dict, "tables");
 	if ((nitems = prop_array_count(tables)) > NPF_MAX_TABLES) {
+		error = E2BIG;
 		goto fail;
 	}
 	tblset = npf_tableset_create(nitems);
@@ -569,6 +566,7 @@ npfctl_load(u_long cmd, void *data)
 	/* Rule procedures. */
 	rprocs = prop_dictionary_get(npf_dict, "rprocs");
 	if ((nitems = prop_array_count(rprocs)) > NPF_MAX_RPROCS) {
+		error = E2BIG;
 		goto fail;
 	}
 	rpset = npf_rprocset_create();
@@ -580,6 +578,7 @@ npfctl_load(u_long cmd, void *data)
 	/* Rules. */
 	rules = prop_dictionary_get(npf_dict, "rules");
 	if ((nitems = prop_array_count(rules)) > NPF_MAX_RULES) {
+		error = E2BIG;
 		goto fail;
 	}
 
@@ -682,8 +681,11 @@ npfctl_save(u_long cmd, void *data)
 	if (error) {
 		goto out;
 	}
+	prop_array_t alglist = npf_alg_export();
+
 	npf_dict = prop_dictionary_create();
 	prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
+	prop_dictionary_set_and_rel(npf_dict, "algs", alglist);
 	prop_dictionary_set_and_rel(npf_dict, "rules", rulelist);
 	prop_dictionary_set_and_rel(npf_dict, "nat", natlist);
 	prop_dictionary_set_and_rel(npf_dict, "tables", tables);
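Review bot: `npf_alg_export()` asserts `npf_config_locked_p()` in its definition above, yet nothing in this hunk shows the config lock being held at the call site; if it is taken earlier in npfctl_save that is fine, but a comment such as `/* Requires the config lock; npf_alg_export() asserts it. */` would tie the two together. Nothing in this commit reads the "algs" entry back on load, so a short note on what the exported list is for would also help future readers. npfctl_save starts and ends outside the hunk.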

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.58 src/sys/net/npf/npf_impl.h:1.58.2.1
--- src/sys/net/npf/npf_impl.h:1.58	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_impl.h	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.58 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.58.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -338,6 +338,7 @@ npf_alg_t *	npf_alg_construct(const char
 bool		npf_alg_match(npf_cache_t *, npf_nat_t *, int);
 void		npf_alg_exec(npf_cache_t *, npf_nat_t *, bool);
 npf_conn_t *	npf_alg_conn(npf_cache_t *, int);
+prop_array_t	npf_alg_export(void);
 
 /* Debugging routines. */
 const char *	npf_addr_dump(const npf_addr_t *, int);

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.32 src/sys/net/npf/npf_nat.c:1.32.2.1
--- src/sys/net/npf/npf_nat.c:1.32	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf_nat.c	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -71,7 +71,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32.2.1 2014/08/29 11:14:14 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -199,9 +199,10 @@ npf_nat_newpolicy(prop_dictionary_t natd
 
 	np = kmem_zalloc(sizeof(npf_natpolicy_t), KM_SLEEP);
 
-	/* Translation type and flags. */
+	/* The translation type, flags and policy ID. */
 	prop_dictionary_get_int32(natdict, "type", &np->n_type);
 	prop_dictionary_get_uint32(natdict, "flags", &np->n_flags);
+	prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id);
 
 	/* Should be exclusively either inbound or outbound NAT. */
 	if (((np->n_type == NPF_NATIN) ^ (np->n_type == NPF_NATOUT)) == 0) {
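Review bot: The return value of `prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id)` is ignored, so a policy dictionary lacking the key, or carrying it with another type, silently leaves `n_id` at the zero from `kmem_zalloc`; if this ID is what npf_nat_import resolves saved connections against, as the log message suggests, zero or duplicate IDs would make those imports fail or match the wrong policy. Either check the result the way the type test below does, or add a comment stating that a missing ID is acceptable for freshly loaded (as opposed to restored) policies, e.g. `/* Policy ID; absent for a fresh load, present when restoring a saved config. */`. npf_nat_newpolicy starts and ends outside the hunk.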
@@ -811,6 +812,7 @@ npf_nat_destroy(npf_nat_t *nt)
 
 	mutex_enter(&np->n_lock);
 	LIST_REMOVE(nt, nt_entry);
+	KASSERT(np->n_refcnt > 0);
 	atomic_dec_uint(&np->n_refcnt);
 	mutex_exit(&np->n_lock);
 
@@ -872,9 +874,14 @@ npf_nat_import(prop_dictionary_t natdict
 		return NULL;
 	}
 
-	LIST_INSERT_HEAD(&np->n_nat_list, nt, nt_entry);
+	/*
+	 * Associate, take a reference and insert.  Unlocked since
+	 * the policy is not yet visible.
+	 */
 	nt->nt_natpolicy = np;
 	nt->nt_conn = con;
+	np->n_refcnt++;
+	LIST_INSERT_HEAD(&np->n_nat_list, nt, nt_entry);
 	return nt;
 }
 
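Review bot: `np->n_refcnt++` is a plain increment while the matching release in npf_nat_destroy (hunk above) uses `atomic_dec_uint` under `n_lock`; the comment justifies the unlocked path by the policy not yet being visible, but `atomic_inc_uint(&np->n_refcnt);` costs nothing and keeps the count correct should import ever run against a live policy. The `return NULL` at the top of the hunk occurs before the reference is taken, so that path does not leak a count as far as visible; whether `nt` itself is released there is outside the hunk. npf_nat_import starts outside the hunk.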

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.42 src/usr.sbin/npf/npfctl/npfctl.c:1.42.2.1
--- src/usr.sbin/npf/npfctl/npfctl.c:1.42	Wed Jul 23 05:00:38 2014
+++ src/usr.sbin/npf/npfctl/npfctl.c	Fri Aug 29 11:14:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.42.2.1 2014/08/29 11:14:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.42.2.1 2014/08/29 11:14:14 martin Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -506,7 +506,12 @@ npfctl_load(int fd)
 	if (ncf == NULL) {
 		return errno;
 	}
-	error = npf_config_submit(ncf, fd);
+	errno = error = npf_config_submit(ncf, fd);
+	if (error) {
+		nl_error_t ne;
+		_npf_config_error(ncf, &ne);
+		npfctl_print_error(&ne);
+	}
 	npf_config_destroy(ncf);
 	return error;
 }
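Review bot: `errno = error = npf_config_submit(ncf, fd);` stores the library's return code in errno and then calls `_npf_config_error` and `npfctl_print_error`, either of which may clobber errno before the caller sees it; since the function already returns `error`, callers should rely on the return value, so either drop the errno assignment or move it after the printing. Calling the underscore-prefixed `_npf_config_error` from npfctl also couples the tool to what looks like a libnpf-private interface; if a public error accessor exists it should be used instead. npfctl_load's signature is outside the hunk.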
