sys/net/npf/npf_ncode.h
author riz <riz@NetBSD.org>
Tue, 26 Jun 2012 00:07:16 +0000
branchnetbsd-6
changeset 255901 477bbfa0efcd
parent 255621 ca9c658b117d
child 255953 128acf74a914
permissions -rw-r--r--
Pull up following revision(s) (requested by rmind in ticket #354): sys/net/npf/npf_state_tcp.c: revision 1.4 sys/net/npf/npf_state_tcp.c: revision 1.5 sys/net/npf/npf_state_tcp.c: revision 1.6 usr.sbin/npf/npftest/npftest.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1 usr.sbin/npf/npftest/npftest.c: revision 1.2 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2 usr.sbin/npf/npfctl/npf_data.c: revision 1.11 usr.sbin/npf/npftest/npftest.c: revision 1.3 usr.sbin/npf/npfctl/npf_data.c: revision 1.12 usr.sbin/npf/npftest/npftest.h: revision 1.1 usr.sbin/npf/npfctl/npf_parse.y: revision 1.5 usr.sbin/npf/npfctl/npf_data.c: revision 1.13 sys/net/npf/npf.h: revision 1.16 usr.sbin/npf/npftest/npftest.h: revision 1.2 usr.sbin/npf/npfctl/npf_parse.y: revision 1.6 usr.sbin/npf/npftest/npftest.h: revision 1.3 usr.sbin/npf/npfctl/npf_parse.y: revision 1.7 usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10 usr.sbin/npf/npfctl/npf_build.c: revision 1.6 usr.sbin/npf/npfctl/npf_parse.y: revision 1.8 usr.sbin/npf/npfctl/npf_build.c: revision 1.7 usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_build.c: revision 1.8 usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_build.c: revision 1.9 usr.sbin/npf/npfctl/npf.conf.5: revision 1.10 usr.sbin/npf/npfctl/npf.conf.5: revision 1.11 usr.sbin/npf/npfctl/npf.conf.5: revision 1.12 sys/net/npf/npf_state.c: revision 1.7 usr.sbin/npf/npfctl/npfctl.c: revision 1.11 usr.sbin/npf/npfctl/npfctl.c: revision 1.12 usr.sbin/npf/npfctl/Makefile: revision 1.7 sys/rump/net/lib/libnet/Makefile: revision 1.14 sys/net/npf/npf_mbuf.c: revision 1.7 usr.sbin/npf/npftest/Makefile: revision 1.1 usr.sbin/npf/npftest/Makefile: revision 1.2 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1 usr.sbin/npf/npfctl/npf_scan.l: revision 1.2 usr.sbin/npf/npftest/npfstream.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2 usr.sbin/npf/npfctl/npf_scan.l: revision 1.3 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3 usr.sbin/npf/npfctl/npfctl.h: revision 1.12 sys/rump/dev/lib/libnpf/Makefile: revision 1.2 usr.sbin/npf/npfctl/npfctl.h: revision 1.14 sys/rump/dev/lib/libnpf/Makefile: revision 1.3 usr.sbin/npf/npfctl/npfctl.h: revision 1.15 usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9 sys/net/npf/npf_ctl.c: revision 1.15 usr.sbin/npf/npfctl/npf_var.c: revision 1.4 usr.sbin/npf/npfctl/npf_var.h: revision 1.2 usr.sbin/npf/npfctl/npf_var.c: revision 1.5 sys/net/npf/npf_impl.h: revision 1.13 sys/net/npf/npf_sendpkt.c: revision 1.10 sys/net/npf/npf_impl.h: revision 1.14 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4 sys/net/npf/npf_impl.h: revision 1.15 sys/net/npf/npf_handler.c: revision 1.16 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5 sys/net/npf/npf_handler.c: revision 1.17 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2 sys/net/npf/npf_ncode.h: revision 1.7 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3 sys/net/npf/npf_ncode.h: revision 1.8 npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of SEQ+LEN in the receiver's side correctly (using ACK from the sender's side). PR/46265 from Changli Gao. rumpnet_net: add pfil.c Update rumpdev_npf; use WARNS=4. Add initial NPF regression tests integrated with RUMP framework (running the kernel part of NPF in userland). Other tests will be added once converted to RUMP framework. All tests are in the public domain. Some Makefile fixes from christos@. - Fix double-free case on ICMP return case. - npf_pfil_register: handle kernels without INET6 option correctly. - Reduce some #ifdefs. npfctl(8): add show-config command. Also, update syntax. npftest: add a stream processor, which prints out the TCP state information. A tool for debugging connection tracking from tcpdump -w captured data. npftest: add a module for TCP state tracking and add few test cases. npf_state_tcp: add an assert; fix some comments while here. - Rework NPF NAT syntax to be more structured and support future additions of different types and configurations of NAT. - npfctl: improve disassemble and show-config command functionality. - Fix custom ICMP code and type filtering. make this compile again. remove error(1) output Remove superfluous Pp - make each element of a variable hold a type - change get_type to take an index, so we can get the individual types of each element (since primitive elements can be in lists) - make port_range primitive - add a routine to convert a variable of primitives to a variable containing - only port ranges. remove extra rule that got merged...

/*	$NetBSD: npf_ncode.h,v 1.5.6.2 2012/06/26 00:07:16 riz Exp $	*/

/*-
 * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * NPF n-code interface.
 *
 * WARNING: Backwards compatibilty is not _yet_ maintained and instructions
 * or their codes may (or may not) change.  Expect ABI breakage.
 */

#ifndef _NPF_NCODE_H_
#define _NPF_NCODE_H_

#include "npf.h"

#if defined(_KERNEL)
/*
 * N-code processing, validation & building.
 */
void *	npf_ncode_alloc(size_t);
void	npf_ncode_free(void *, size_t);

int	npf_ncode_process(npf_cache_t *, const void *, nbuf_t *, const int);
int	npf_ncode_validate(const void *, size_t, int *);

#endif

/* Error codes. */
#define	NPF_ERR_OPCODE		-1	/* Invalid instruction. */
#define	NPF_ERR_JUMP		-2	/* Invalid jump (e.g. out of range). */
#define	NPF_ERR_REG		-3	/* Invalid register. */
#define	NPF_ERR_INVAL		-4	/* Invalid argument value. */
#define	NPF_ERR_RANGE		-5	/* Processing out of range. */

/* Number of registers: [0..N] */
#define	NPF_NREGS		4

/* Maximum loop count. */
#define	NPF_LOOP_LIMIT		100

/* Shift to check if CISC-like instruction. */
#define	NPF_CISC_SHIFT		7
#define	NPF_CISC_OPCODE(insn)	(insn >> NPF_CISC_SHIFT)

/*
 * RISC-like n-code instructions.
 */

/* Return, advance, jump, tag and invalidate instructions. */
#define	NPF_OPCODE_RET			0x00
#define	NPF_OPCODE_ADVR			0x01
#define	NPF_OPCODE_J			0x02
#define	NPF_OPCODE_INVL			0x03
#define	NPF_OPCODE_TAG			0x04

/* Set and load instructions. */
#define	NPF_OPCODE_MOVE			0x10
#define	NPF_OPCODE_LW			0x11

/* Compare and jump instructions. */
#define	NPF_OPCODE_CMP			0x21
#define	NPF_OPCODE_CMPR			0x22
#define	NPF_OPCODE_BEQ			0x23
#define	NPF_OPCODE_BNE			0x24
#define	NPF_OPCODE_BGT			0x25
#define	NPF_OPCODE_BLT			0x26

/* Arithmetic instructions. */
#define	NPF_OPCODE_ADD			0x30
#define	NPF_OPCODE_SUB			0x31
#define	NPF_OPCODE_MULT			0x32
#define	NPF_OPCODE_DIV			0x33

/* Bitwise instructions. */
#define	NPF_OPCODE_NOT			0x40
#define	NPF_OPCODE_AND			0x41
#define	NPF_OPCODE_OR			0x42
#define	NPF_OPCODE_XOR			0x43
#define	NPF_OPCODE_SLL			0x44
#define	NPF_OPCODE_SRL			0x45

/*
 * CISC-like n-code instructions.
 */

#define	NPF_OPCODE_ETHER		0x80

#define	NPF_OPCODE_IP4MASK		0x90
#define	NPF_OPCODE_TABLE		0x91
#define	NPF_OPCODE_ICMP4		0x92
#define	NPF_OPCODE_IP6MASK		0x93

#define	NPF_OPCODE_TCP_PORTS		0xa0
#define	NPF_OPCODE_UDP_PORTS		0xa1
#define	NPF_OPCODE_TCP_FLAGS		0xa2

#ifdef NPF_OPCODES_STRINGS

# define	NPF_OPERAND_NONE		0
# define	NPF_OPERAND_REGISTER		1
# define	NPF_OPERAND_KEY			2
# define	NPF_OPERAND_VALUE		3
# define	NPF_OPERAND_SD			4
# define		NPF_OPERAND_SD_SRC		1
# define		NPF_OPERAND_SD_DST		0
# define	NPF_OPERAND_REL_ADDRESS		5
# define	NPF_OPERAND_NET_ADDRESS4	6
# define	NPF_OPERAND_NET_ADDRESS6	7
# define	NPF_OPERAND_ETHER_TYPE		8
# define	NPF_OPERAND_SUBNET		9
# define	NPF_OPERAND_LENGTH		10
# define	NPF_OPERAND_TABLE_ID		11
# define	NPF_OPERAND_ICMP4_TYPE_CODE	12
# define	NPF_OPERAND_TCP_FLAGS_MASK	13
# define	NPF_OPERAND_PORT_RANGE		14

static const struct npf_instruction {
	const char *	name;
	uint8_t		op[4];
} npf_instructions[] = {
	[NPF_OPCODE_RET] = {
		.name = "ret",
		.op = {
			[0] = NPF_OPERAND_VALUE,
		},
	},
	[NPF_OPCODE_ADVR] = {
		.name = "advr",
		.op = {
			[0] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_J] = {
		.name = "j",
		.op = {
			[0] = NPF_OPERAND_REL_ADDRESS,
		},
	},
	[NPF_OPCODE_INVL] = {
		.name = "invl",
	},
	[NPF_OPCODE_TAG] = {
		.name = "tag",
		.op = {
			[0] = NPF_OPERAND_KEY,
			[1] = NPF_OPERAND_VALUE,
		},
	},
	[NPF_OPCODE_MOVE] = {
		.name = "move",
		.op = {
			[0] = NPF_OPERAND_VALUE, 
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_LW] = {
		.name = "lw",
		.op = {
			[0] = NPF_OPERAND_LENGTH,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_CMP] = {
		.name = "cmp",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_CMPR] = {
		.name = "cmpr",
		.op = {
			[0] = NPF_OPERAND_REGISTER,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_BEQ] = {
		.name = "beq",
		.op = {
			[0] = NPF_OPERAND_REL_ADDRESS,
		},
	},
	[NPF_OPCODE_BNE] = {
		.name = "bne",
		.op = {
			[0] = NPF_OPERAND_REL_ADDRESS,
		},
	},
	[NPF_OPCODE_BGT] = {
		.name = "bge",
		.op = {
			[0] = NPF_OPERAND_REL_ADDRESS,
		},
	},
	[NPF_OPCODE_BLT] = {
		.name = "blt",
		.op = {
			[0] = NPF_OPERAND_REL_ADDRESS,
		},
	},
	[NPF_OPCODE_ADD] = {
		.name = "add",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_SUB] = {
		.name = "sub",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_MULT] = {
		.name = "mult",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_DIV] = {
		.name = "div",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_NOT] = {
		.name = "not",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_AND] = {
		.name = "and",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_OR] = {
		.name = "or",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_XOR] = {
		.name = "xor",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_SLL] = {
		.name = "sll",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_SRL] = {
		.name = "srl",
		.op = {
			[0] = NPF_OPERAND_VALUE,
			[1] = NPF_OPERAND_REGISTER,
		},
	},
	[NPF_OPCODE_ETHER] = {
		.name = "ether",
		.op = {
			[0] = NPF_OPERAND_SD,
			[1] = NPF_OPERAND_NET_ADDRESS4,
			[2] = NPF_OPERAND_ETHER_TYPE,
		},
	},
	[NPF_OPCODE_IP4MASK] = {
		.name = "ip4mask",
		.op = {
			[0] = NPF_OPERAND_SD,
			[1] = NPF_OPERAND_NET_ADDRESS4,
			[2] = NPF_OPERAND_SUBNET,
		},
	},
	[NPF_OPCODE_TABLE] = {
		.name = "table",
		.op = {
			[0] = NPF_OPERAND_SD,
			[1] = NPF_OPERAND_TABLE_ID,
		},
	},
	[NPF_OPCODE_ICMP4] = {
		.name = "icmp4",
		.op = {
			[0] = NPF_OPERAND_ICMP4_TYPE_CODE,
		},
	},
	[NPF_OPCODE_IP6MASK] = {
		.name = "ip6mask",
		.op = {
			[0] = NPF_OPERAND_SD,
			[1] = NPF_OPERAND_NET_ADDRESS6,
			[2] = NPF_OPERAND_SUBNET,
		},
	},
	[NPF_OPCODE_TCP_PORTS] = {
		.name = "tcp_ports",
		.op = {
			[0] = NPF_OPERAND_SD,
			[1] = NPF_OPERAND_PORT_RANGE,
		},
	},
	[NPF_OPCODE_UDP_PORTS] = {
		.name = "udp_ports",
		.op = {
			[0] = NPF_OPERAND_SD,
			[1] = NPF_OPERAND_PORT_RANGE,
		},
	},
	[NPF_OPCODE_TCP_FLAGS] = {
		.name = "tcp_flags",
		.op = {
			[0] = NPF_OPERAND_TCP_FLAGS_MASK,
		},
	},
};
#endif /* NPF_OPCODES_STRINGS */

#endif /* _NET_NPF_NCODE_H_ */