The NetBSD Project

CVS log for src/sys/net/npf/npf_impl.h

Revision 1.30, Sun May 19 20:45:34 2013 UTC, by rmind
Branch: MAIN
CVS Tags: HEAD
Changes since 1.29: +2 -1 lines

- Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.

Revision 1.29, Wed Mar 20 00:29:47 2013 UTC, by christos
Branch: MAIN
CVS Tags: khorben-n900, agc-symver-base, agc-symver
Changes since 1.28: +3 -2 lines

Make ALGs autoloadable by providing in the config file:
	alg "algname"

Revision 1.28, Sat Feb 16 21:11:12 2013 UTC, by rmind
Branch: MAIN
CVS Tags: tls-maxphys-nbase, tls-maxphys-base
Changes since 1.27: +3 -2 lines

- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs.  Also, update the man page.

Revision 1.27, Sun Feb 10 23:47:37 2013 UTC, by rmind
Branch: MAIN
Changes since 1.26: +7 -3 lines

- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.

Revision 1.26, Sat Feb 9 03:35:32 2013 UTC, by rmind
Branch: MAIN
Changes since 1.25: +37 -19 lines

NPF:
- Implement dynamic NPF rules.  Controlled through npf(3) library or via
  npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

Revision 1.25, Mon Dec 24 19:05:43 2012 UTC, by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base8
Changes since 1.24: +38 -44 lines

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
  Eliminate unnecessary copy and simplify.  Adapt regression tests.
- Simplify ICMP ALG a little.  While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

Revision 1.24, Mon Oct 29 02:27:12 2012 UTC, by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base7, yamt-pagecache-base6
Changes since 1.23: +3 -8 lines

Implement NPF table listing and preservation of entries on reload.
Bump the version.

Revision 1.23, Sun Sep 16 13:47:41 2012 UTC, by rmind
Branch: MAIN
Changes since 1.22: +7 -7 lines

Implement dynamic NPF extensions interface.  An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module.  Move normalisation and logging functionality into their own
extensions.  More improvements to come.

Revision 1.22, Wed Aug 15 19:47:38 2012 UTC, by rmind
Branch: MAIN
Branch point for: tls-maxphys
Changes since 1.21: +2 -8 lines

Add npf_state_setsampler() for _NPF_TESTING case.  This also fixes the build.

Revision 1.21, Sun Aug 12 03:35:14 2012 UTC, by rmind
Branch: MAIN
Changes since 1.20: +9 -7 lines

- Extend npftest: add ruleset inspection testing from the config generated
  by npfctl debug functionality.  Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
  share between the entries and thus fix the handling of them.  Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.

Revision 1.20, Sat Jul 28 00:43:24 2012 UTC, by matt
Branch: MAIN
Changes since 1.19: +2 -2 lines

Fix -fno-common found by building i386/conf/ALL

Revision 1.19, Thu Jul 19 21:52:29 2012 UTC, by spz
Branch: MAIN
Changes since 1.18: +2 -1 lines

teach npf ipv6-icmp
reviewed by rmind@

Revision 1.18, Sun Jul 15 00:23:00 2012 UTC, by rmind
Branch: MAIN
Changes since 1.17: +13 -9 lines

- Rework NPF tables and fix support for IPv6.  Implement tree table type
  using radix / Patricia tree.  Universal IPv4/IPv6 comparator for ptree(3)
  was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

Revision 1.17, Sun Jul 1 23:21:06 2012 UTC, by rmind
Branch: MAIN
Changes since 1.16: +14 -6 lines

NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theoretical races in session handling module.
- Misc fixes, simplifications and some clean up.

Revision 1.16, Fri Jun 22 13:43:17 2012 UTC, by rmind
Branch: MAIN
Changes since 1.15: +9 -2 lines

NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regression test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.

Revision 1.15, Wed May 30 21:38:03 2012 UTC, by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-base10
Changes since 1.14: +9 -1 lines

npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.

Revision 1.14, Sun May 6 02:45:25 2012 UTC, by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base5
Changes since 1.13: +2 -2 lines

- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.

Revision 1.13, Sat Apr 14 19:01:21 2012 UTC, by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base4, jmcneill-usbmp-base9
Changes since 1.12: +2 -6 lines

Update rumpdev_npf; use WARNS=4.

Revision 1.12, Sun Mar 11 18:27:59 2012 UTC, by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-base8
Changes since 1.11: +9 -5 lines

- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes.  Improve some comments.

Revision 1.11, Mon Feb 20 00:18:19 2012 UTC, by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3
Changes since 1.10: +8 -3 lines

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS.  Be more defensive in the
  packet handler.  Change the default policy to block when the config is
  loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
  of rule procedure might happen in the interrupt handler (under a very rare
  condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unnecessary header inclusion.

Revision 1.10, Mon Feb 6 23:30:14 2012 UTC, by rmind
Branch: MAIN
CVS Tags: netbsd-6-base, jmcneill-usbmp-base2
Branch point for: netbsd-6
Changes since 1.9: +3 -2 lines

- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.

Revision 1.9, Tue Nov 29 20:05:30 2011 UTC, by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-pre-base2, jmcneill-usbmp-base
Branch point for: jmcneill-usbmp
Changes since 1.8: +16 -9 lines

- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

Revision 1.8, Fri Nov 4 01:00:27 2011 UTC, by zoltan
Branch: MAIN
CVS Tags: yamt-pagecache-base3, yamt-pagecache-base2, jmcneill-audiomp3-base, jmcneill-audiomp3
Changes since 1.7: +10 -10 lines

Add IPv6 support for NPF.

Revision 1.7, Wed Feb 2 02:20:25 2011 UTC, by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base, rmind-uvmplock-nbase, rmind-uvmplock-base, cherry-xenmp-base, cherry-xenmp, bouyer-quota2-nbase, bouyer-quota2-base
Branch point for: yamt-pagecache, rmind-uvmplock
Changes since 1.6: +17 -9 lines

NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
  Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

Revision 1.6, Tue Jan 18 20:33:45 2011 UTC, by rmind
Branch: MAIN
Branch point for: bouyer-quota2
Changes since 1.5: +15 -13 lines

NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
  potentially other functions from the rule structure.  Rule procedure can be
  shared amongst the rules.  Separation is both at kernel level (npf_rproc_t)
  and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic.  Use TCP FSM definitions.
- Add if_byindex(), OK by matt@.  Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

Revision 1.5, Sat Dec 18 01:07:25 2010 UTC, by rmind
Branch: MAIN
CVS Tags: matt-mips64-premerge-20101231, jruoho-x86intr-base
Branch point for: jruoho-x86intr
Changes since 1.4: +55 -23 lines

NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session management, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

Revision 1.4, Thu Nov 11 06:30:39 2010 UTC, by rmind
Branch: MAIN
Changes since 1.3: +60 -22 lines

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
  plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
  as NAT code et al, to use it.  Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6.  Various fixes and clean-up.

Revision 1.3, Sat Sep 25 01:42:39 2010 UTC, by matt
Branch: MAIN
CVS Tags: yamt-nfs-mp-base11, uebayasi-xip-base4, uebayasi-xip-base3
Branch point for: yamt-nfs-mp, uebayasi-xip
Changes since 1.2: +2 -2 lines

Rename rb.h to rbtree.h, as it is more appropriate (c.f. ptree.h).  Also
helps find code that hasn't been updated to use the new rbtree API.

Revision 1.2, Thu Sep 16 04:53:27 2010 UTC, by rmind
Branch: MAIN
Changes since 1.1: +14 -15 lines

NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.

Revision 1.1, Sun Aug 22 18:56:22 2010 UTC, by rmind
Branch: MAIN

Import NPF - a packet filter.  Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
  Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
  supporting generic RISC-like and specific CISC-like instructions for
  common patterns (e.g. IPv4 address matching).  See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
