Module Name:    src
Committed By:   rmind
Date:           Sun Nov 30 01:37:53 UTC 2014

Modified Files:
        src/sys/net/npf: npf_conf.c npf_impl.h npf_nat.c npf_ruleset.c

Log Message:
- npf_config_load: if loading the connections, do not perform any active
  NAT policy take over or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.59 -r1.60 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ruleset.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_conf.c
diff -u src/sys/net/npf/npf_conf.c:1.8 src/sys/net/npf/npf_conf.c:1.9
--- src/sys/net/npf/npf_conf.c:1.8	Mon Aug 11 01:54:12 2014
+++ src/sys/net/npf/npf_conf.c	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $	*/
+/*	$NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.9 2014/11/30 01:37:53 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -105,11 +105,13 @@ npf_config_destroy(npf_config_t *nc)
 void
 npf_config_fini(void)
 {
+	npf_conndb_t *cd = npf_conndb_create();
+
 	/* Flush the connections. */
 	mutex_enter(&npf_config_lock);
 	npf_conn_tracking(false);
 	pserialize_perform(npf_config_psz);
-	npf_conn_load(NULL, false);
+	npf_conn_load(cd, false);
 	npf_ifmap_flush();
 	mutex_exit(&npf_config_lock);
 
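Review bot: The new `cd` created on the first added line is handed to npf_conn_load() with no statement of who owns it afterwards; nothing in this function destroys it, so ownership presumably transfers to npf_conn_load(), and the existing `/* Flush the connections. */` comment no longer describes the sequence. I would extend it to `/* Flush the connections by installing an empty database; npf_conn_load() takes ownership of cd. */` once that is confirmed against npf_conn_load(). If npf_conndb_create() can return NULL in this context (it most likely sleeps on allocation, but that is not visible here), the NULL-passing behaviour this commit removes would quietly come back, so that is worth confirming as well. npf_config_fini continues past the end of the hunk.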
@@ -127,6 +129,7 @@ npf_config_load(npf_ruleset_t *rset, npf
     npf_ruleset_t *nset, npf_rprocset_t *rpset,
     npf_conndb_t *conns, bool flush)
 {
+	const bool load = conns != NULL;
 	npf_config_t *nc, *onc;
 
 	nc = kmem_zalloc(sizeof(npf_config_t), KM_SLEEP);
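Review bot: The added `load` local is derived from `conns != NULL` without a comment saying what it controls, and its meaning — replace NAT policies outright rather than taking over active ones or sharing port maps — is only stated in the commit message. I would add `/* Loading saved connections: NAT policies are replaced, not taken over or port-map shared. */` above the declaration; the same reasoning applies to the two npf_ruleset_reload() calls in the next hunk, which pass the flag on. npf_config_load's body starts before and continues after this hunk.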
@@ -143,9 +146,9 @@ npf_config_load(npf_ruleset_t *rset, npf
 	 */
 	mutex_enter(&npf_config_lock);
 	if ((onc = npf_config) != NULL) {
-		npf_ruleset_reload(rset, onc->n_rules);
+		npf_ruleset_reload(rset, onc->n_rules, load);
 		npf_tableset_reload(tset, onc->n_tables);
-		npf_ruleset_reload(nset, onc->n_nat_rules);
+		npf_ruleset_reload(nset, onc->n_nat_rules, load);
 	}
 
 	/*

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.59 src/sys/net/npf/npf_impl.h:1.60
--- src/sys/net/npf/npf_impl.h:1.59	Mon Aug 11 23:48:01 2014
+++ src/sys/net/npf/npf_impl.h	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -254,7 +254,7 @@ int		npf_table_flush(npf_table_t *);
 npf_ruleset_t *	npf_ruleset_create(size_t);
 void		npf_ruleset_destroy(npf_ruleset_t *);
 void		npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *);
-void		npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *);
+void		npf_ruleset_reload(npf_ruleset_t *, npf_ruleset_t *, bool);
 npf_rule_t *	npf_ruleset_sharepm(npf_ruleset_t *, npf_natpolicy_t *);
 npf_natpolicy_t *npf_ruleset_findnat(npf_ruleset_t *, uint64_t);
 void		npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.36 src/sys/net/npf/npf_nat.c:1.37
--- src/sys/net/npf/npf_nat.c:1.36	Sun Nov 30 00:40:55 2014
+++ src/sys/net/npf/npf_nat.c	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
@@ -71,7 +71,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.36 2014/11/30 00:40:55 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.37 2014/11/30 01:37:53 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -364,6 +364,8 @@ npf_nat_sharepm(npf_natpolicy_t *np, npf
 	npf_portmap_t *pm, *mpm;
 
 	KASSERT(np && mnp && np != mnp);
+	KASSERT(LIST_EMPTY(&mnp->n_nat_list));
+	KASSERT(mnp->n_refcnt == 0);
 
 	/* Using port map and having equal translation address? */
 	if ((np->n_flags & mnp->n_flags & NPF_NAT_PORTMAP) == 0) {
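Review bot: The two added KASSERTs require the policy being shared into to have no connections and no references, but KASSERT is compiled out of non-DIAGNOSTIC kernels, so in production that invariant is upheld only by npf_ruleset_reload() now returning early when connections are being loaded (the npf_ruleset.c hunk). A comment tying the two together would help the next reader, e.g. `/* mnp must be unused: reload skips sharing when connections are loaded. */`. If any caller other than npf_ruleset_reload() can reach this point with a policy that is already in use, a port map would be shared with a policy that has live translated connections, which is exactly what the commit message says must not happen. npf_nat_sharepm starts before this hunk.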
@@ -889,6 +891,7 @@ npf_nat_import(prop_dictionary_t natdict
 		pool_cache_put(nat_cache, nt);
 		return NULL;
 	}
+	npf_stats_inc(NPF_STAT_NAT_CREATE);
 
 	/*
 	 * Associate, take a reference and insert.  Unlocked since

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.39 src/sys/net/npf/npf_ruleset.c:1.40
--- src/sys/net/npf/npf_ruleset.c:1.39	Sun Nov 30 00:40:55 2014
+++ src/sys/net/npf/npf_ruleset.c	Sun Nov 30 01:37:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.39 2014/11/30 00:40:55 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.39 2014/11/30 00:40:55 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -449,7 +449,7 @@ npf_ruleset_export(const npf_ruleset_t *
  * => The active (old) ruleset should be exclusively locked.
  */
 void
-npf_ruleset_reload(npf_ruleset_t *newset, npf_ruleset_t *oldset)
+npf_ruleset_reload(npf_ruleset_t *newset, npf_ruleset_t *oldset, bool load)
 {
 	npf_rule_t *rg, *rl;
 	uint64_t nid = 0;
@@ -486,6 +486,14 @@ npf_ruleset_reload(npf_ruleset_t *newset
 	}
 
 	/*
+	 * If performing the load of connections then NAT policies may
+	 * already have translated connections associated with them and
+	 * we should not share or inherit anything.
+	 */
+	if (load)
+		return;
+
+	/*
 	 * Scan all rules in the new ruleset and share NAT policies.
 	 * Also, assign a unique ID for each policy here.
 	 */
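Review bot: The early `return` on `load` skips not only the port-map sharing but also the unique-ID assignment that the following comment says happens in the same loop (`Also, assign a unique ID for each policy here`), and npf_impl.h declares npf_ruleset_findnat() as looking policies up by that 64-bit ID. Presumably the imported policies already carry their IDs from the saved state, but that is not visible in the hunk, so I would either say so in the added comment — `* Policies keep the IDs they were imported with.` — or move the ID assignment ahead of the `if (load)` so it runs in both modes. The remainder of npf_ruleset_reload lies past the end of the hunk.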
