cvs.NetBSD.org: src/sys/net/npf (revision log)
npf(9): Update comment to reduce diff from upstream. No functional change.
npf(4): Use atomic_store_release and atomic_load_consume for conn_db. ...or atomic_load_relaxed, when npf->conn_lock is held, for the sake of C11. No need for store-before-load implied by membar_sync.
Sync with HEAD.
s/npf_config_lock/npf->config_lock/ in the comments
Pull up following revision(s) (requested by rmind in ticket #956): usr.sbin/npf/npf-params.7: revision 1.4 sys/net/npf/npf_worker.c: revision 1.9 usr.sbin/npf/npftest/npftest.h: revision 1.17 usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16 usr.sbin/npf/npf-params.7: revision 1.5 sys/net/npf/npf_state_tcp.c: revision 1.21 usr.sbin/npf/npfctl/npf_build.c: revision 1.55 usr.sbin/npf/npf-params.7: revision 1.6 sys/net/npf/npfkern.h: revision 1.5 lib/libnpf/npf.c: revision 1.49 usr.sbin/npf/npf-params.7: revision 1.7 sys/net/npf/npf_impl.h: revision 1.81 sys/net/npf/npf_ext_log.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.h: revision 1.53 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11 sys/net/npf/npf_nat.c: revision 1.50 sys/net/npf/npf_mbuf.c: revision 1.24 sys/net/npf/npf_alg.c: revision 1.22 usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14 usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10 sys/net/npf/npf.h: revision 1.63 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21 usr.sbin/npf/npfctl/npf_var.c: revision 1.13 sys/net/npf/files.npf: revision 1.23 usr.sbin/npf/npfctl/npf_show.c: revision 1.32 usr.sbin/npf/npfctl/npf.conf.5: revision 1.91 sys/net/npf/npf_os.c: revision 1.18 sys/net/npf/npf_connkey.c: revision 1.2 sys/net/npf/npf_conf.c: revision 1.17 lib/libnpf/libnpf.3: revision 1.12 usr.sbin/npf/npftest/npftest.c: revision 1.25 usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_parse.y: revision 1.51 sys/net/npf/npf_tableset.c: revision 1.35 usr.sbin/npf/npftest/npftest.conf: revision 1.9 sys/net/npf/npf_sendpkt.c: revision 1.22 usr.sbin/npf/npfctl/npf_var.h: revision 1.10 sys/net/npf/npf_state.c: revision 1.23 sys/net/npf/npf_conn.h: revision 1.20 usr.sbin/npf/npfctl/npfctl.c: revision 1.64 usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1 sys/net/npf/npf_portmap.c: revision 1.5 sys/net/npf/npf_params.c: revision 1.3 usr.sbin/npf/npfctl/npf_scan.l: revision 1.32 tests/net/npf/t_npf.sh: revision 1.4 sys/net/npf/npf_ext_rndblock.c: revision 1.9 lib/libnpf/npf.h: revision 1.39 sys/net/npf/npf_ruleset.c: revision 1.51 sys/net/npf/npf_alg_icmp.c: revision 1.33 sys/net/npf/npf.c: revision 1.43 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.8: revision 1.25 sys/net/npf/npf_ctl.c: revision 1.60 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11 sys/net/npf/npf_handler.c: revision 1.49 sys/net/npf/npf_inet.c: revision 1.57 sys/net/npf/npf_ifaddr.c: revision 1.7 sys/net/npf/npf_conndb.c: revision 1.9 sys/net/npf/npf_if.c: revision 1.13 usr.sbin/npf/npfctl/Makefile: revision 1.15 sys/net/npf/npf_conn.c: revision 1.32 sys/net/npf/npf_ext_normalize.c: revision 1.10 sys/net/npf/npf_rproc.c: revision 1.20 sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@. Use more markup.
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages.
- Amend and improve the manual pages.
Pull up following revision(s) (requested by rmind in ticket #930): usr.sbin/npf/npfctl/npf_build.c: revision 1.54 sys/net/npf/npf_conn.h: revision 1.19 usr.sbin/npf/npfctl/npfctl.h: revision 1.52 usr.sbin/npf/npfctl/npf_show.c: revision 1.31 sys/net/npf/npf_conf.c: revision 1.16 sys/net/npf/npf_nat.c: revision 1.49 sys/net/npf/npf_inet.c: revision 1.56 sys/net/npf/npf_conndb.c: revision 1.8 sys/net/npf/npf_conn.c: revision 1.31
Backport selected NPF fixes from the upstream (to be pulled up):
- npf_conndb_lookup: protect the connection lookup with pserialize(9), instead of incorrectly assuming that the handler always runs at IPL_SOFTNET. Should fix crashes reported on high load (PR/55182).
- npf_config_destroy: handle partially initialized config; fixes crashes with some invalid configurations.
- NAT policy creation / destruction: set the initial reference and do not wait for reference draining on destruction; destroy the policy on the last reference drop instead. Fixes a lockup with the dynamic NAT rules.
- npf_nat_{export,import}: fix a regression since dynamic NAT rules.
- npfctl: fix a regression and restore the default group behaviour.
- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
Backport selected NPF fixes from the upstream (to be pulled up):
- npf_conndb_lookup: protect the connection lookup with pserialize(9), instead of incorrectly assuming that the handler always runs at IPL_SOFTNET. Should fix crashes reported on high load (PR/55182).
- npf_config_destroy: handle partially initialized config; fixes crashes with some invalid configurations.
- NAT policy creation / destruction: set the initial reference and do not wait for reference draining on destruction; destroy the policy on the last reference drop instead. Fixes a lockup with the dynamic NAT rules.
- npf_nat_{export,import}: fix a regression since dynamic NAT rules.
- npfctl: fix a regression and restore the default group behaviour.
- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
Mostly merge changes from HEAD up to 20200411
Pull up following revision(s) (requested by rmind in ticket #282): usr.sbin/npf/npfctl/npf_build.c: revision 1.53 lib/libnpf/npf.c: revision 1.48 usr.sbin/npf/npfctl/npfctl.h: revision 1.50 sys/net/npf/npf_impl.h: revision 1.80 usr.sbin/npf/npfctl/npfctl.h: revision 1.51 sys/net/npf/npf_ruleset.c: revision 1.49 usr.sbin/npf/npfctl/npf.conf.5: revision 1.90 sys/net/npf/npf_ctl.c: revision 1.59 lib/libnpf/libnpf.3: revision 1.11 usr.sbin/npf/npfctl/npf_parse.y: revision 1.50 usr.sbin/npf/npftest/npftest.conf: revision 1.8 usr.sbin/npf/npfctl/npfctl.c: revision 1.62 usr.sbin/npf/npfctl/npfctl.c: revision 1.63 usr.sbin/npf/npfctl/npf_scan.l: revision 1.30 usr.sbin/npf/npfctl/npfctl.8: revision 1.22 lib/libnpf/npf.h: revision 1.38 usr.sbin/npf/npfctl/npfctl.8: revision 1.23 usr.sbin/npf/npfctl/npfctl.8: revision 1.24 sys/net/npf/npf_if.c: revision 1.11 sys/net/npf/npf_if.c: revision 1.12 usr.sbin/npf/npfctl/npf.conf.5: revision 1.89 sys/net/npf/npf_conn.c: revision 1.30 usr.sbin/npf/npfctl/npf_build.c: revision 1.52
npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller.
NPF ifmap: rework and fix a few small bugs.
npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. (missed a file in previous commit; cvs is so helpful..)
libnpf/npfctl: support dynamic NAT rulesets using a name prefix.
Use -width Pa for FILES.
Fix pasto in table replace -t type
Use -width Pa for FILES.
npf_ifmap_copylogname: be more defensive.
NPF ifmap: rework and fix a few small bugs.
Pull up following revision(s) (requested by rmind in ticket #25): sys/net/npf/npf_conn.h: revision 1.17 sys/net/npf/npf.c: revision 1.39 sys/net/npf/npf_conn.c: revision 1.28 sys/net/npf/npf_conn.c: revision 1.29
Introduce an npf_conn_destroy_idx() that can handle partially constructed conn structures.
- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error. (from rmind@)
- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error. (from rmind@)
Introduce an npf_conn_destroy_idx() that can handle partially constructed conn structures.
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
Sync with HEAD
Sync with HEAD
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be selected from a pool of addresses. There are two selection algorithms, "ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
Sync with HEAD
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the previous versions. Also, different serialisation format means NPF connection/config saving and loading is not compatible with the previous versions either.
Thanks to christos@ for extra testing.
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.
update from HEAD
Sync with HEAD
Sync with HEAD
Sync with HEAD
- Increase copyin buffer size to 4M
- Change log output format to be like OpenBSD's pf, including in the header the matching rule etc., and fill in the matching info.
Sync with HEAD. (Note that most of these changes are simply $NetBSD$ tag issues.)
Sync NPF with the version on github: backport standalone NPF changes, which allow us to create and run separate NPF instances. Minor fixes. (from rmind@)
revert dir hack.
Welcome to version 18: - Connection state keys are not stored and loaded using the logical key contents. - connection finder key is stored in a map that contains the key and the direction.
Remove what looks like remnant (partly removed already) debug code, which could not possibly compile as it was.
add functionality to lookup a nat entry from the connection list.
NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus pass-through them on other interfaces. Per discussion with christos@.
Sync with HEAD
Pull up following revision(s) (requested by rmind in ticket #586): sys/net/npf/npf_conn.c: revision 1.16 npf_conn_establish: fix the previous change - drop the reference on error.
npf_conn_establish: fix the previous change - drop the reference on error.
Pull up following revision(s) (requested by rmind in ticket #479): lib/libnpf/npf.c: revision 1.35 lib/libnpf/npf.h: revision 1.28 sys/net/npf/npf_conn.c: revision 1.15 sys/net/npf/npf_impl.h: revision 1.61 sys/net/npf/npf_ruleset.c: revision 1.41 usr.sbin/npf/npfctl/npf.conf.5: revision 1.44 usr.sbin/npf/npfctl/npf_parse.y: revision 1.37 usr.sbin/npf/npfctl/npf_show.c: revisions 1.16, 1.17 usr.sbin/npf/npfctl/npfctl.c: revision 1.46
load the config file before bpfjit so that we can disable the warning.
--
Don't depend on yacc to include stdlib.h or string.h.
--
- npf_conn_establish: remove a rare race condition when we might destroy a connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.
--
npf.conf(5): mention alg, include in the example, minor fix.
--
npfctl(8): report dynamic rule ID in a comment, print the case when libpcap is used correctly. Also, add npf_ruleset_dump() helper in the kernel.
--
libnpf: add npf_rule_getid() and npf_rule_getcode(). Missed in the previous commit.
--
npfctl_print_rule: print the ID in hex, not decimal.
- npf_conn_establish: remove a rare race condition when we might destroy a connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.
Pull up following revision(s) (requested by rmind in ticket #347): sys/net/npf/npf_nat.c: revision 1.38 sys/net/npf/npf_conn.h: revision 1.8 sys/net/npf/npf_conn.c: revision 1.14 NPF: set the connection flags atomically in the post-creation logic and fix a tiny race condition window. Might fix PR/49488.
NPF: set the connection flags atomically in the post-creation logic and fix a tiny race condition window. Might fix PR/49488.
Pull up following revision(s) (requested by rmind in ticket #280): sys/net/npf/npf_ruleset.c: revision 1.40 sys/net/npf/npf_nat.c: revision 1.36 sys/net/npf/npf_nat.c: revision 1.37 sys/net/npf/npf_conn.h: revision 1.7 sys/net/npf/npf_conf.c: revision 1.9 sys/net/npf/npf_ruleset.c: revision 1.39 sys/net/npf/npf_conn.c: revision 1.13 sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any active NAT policy take over or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
Pull up following revision(s) (requested by rmind in ticket #56): sys/net/npf/npf_ctl.c: revision 1.39 usr.sbin/npf/npfctl/npfctl.c: revision 1.43 lib/libnpf/npf.c: revision 1.33 lib/libnpf/npf.c: revision 1.34 sys/net/npf/npf_impl.h: revision 1.59 sys/net/npf/npf_ctl.c: revision 1.40 sys/net/npf/npf_conn.c: revision 1.11 sys/net/npf/npf_alg.c: revision 1.15 sys/net/npf/npf_conn.c: revision 1.12 sys/net/npf/npf_nat.c: revision 1.33 sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.
Rebase to HEAD as of a few days ago.
file npf_conn.c was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
Rebase.
file npf_conn.c was added on branch tls-earlyentropy on 2014-08-10 06:56:16 +0000
npf_conn_conkey: fix a comment.
npf_conn_conkey: adjust to return the key length and add a comment describing the key layout.
npf_mk_connlist: destroy the connections on error path.
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together with a full configuration. Support a reverse load operation. Eliminate the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
Drop variable only used in return.
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
gcc-4.8 complains about not being able to inline
Fix gcc warnings.
NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table) and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.