NPF: trunk
authorrmind <rmind@NetBSD.org>
Fri, 22 Jun 2012 13:43:17 +0000
branchtrunk
changeset 211664 f56fa27b3937
parent 211663 7d40edcaf121
child 211665 66af2236928a
NPF: - Rename some functions for consistency and de-inline them. - Fix few invalid asserts (add regressoin test). - Use pserialize(9) for ALG interface. - Minor fixes, sprinkle many comments.
sys/net/npf/npf.c
sys/net/npf/npf.h
sys/net/npf/npf_alg.c
sys/net/npf/npf_impl.h
sys/net/npf/npf_inet.c
sys/net/npf/npf_instr.c
sys/net/npf/npf_log.c
sys/net/npf/npf_nat.c
sys/net/npf/npf_sendpkt.c
sys/net/npf/npf_session.c
sys/net/npf/npf_state.c
sys/net/npf/npf_state_tcp.c
sys/net/npf/npf_tableset.c
usr.sbin/npf/npftest/libnpftest/npf_table_test.c
--- a/sys/net/npf/npf.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.10 2012/03/13 18:40:59 elad Exp $	*/
+/*	$NetBSD: npf.c,v 1.11 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.10 2012/03/13 18:40:59 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.11 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -48,6 +48,7 @@
 #include <sys/percpu.h>
 #include <sys/rwlock.h>
 #include <sys/socketvar.h>
+#include <sys/sysctl.h>
 #include <sys/uio.h>
 
 #include "npf_impl.h"
@@ -80,6 +81,7 @@
 static krwlock_t		npf_lock		__cacheline_aligned;
 static npf_core_t *		npf_core		__cacheline_aligned;
 static percpu_t *		npf_stats_percpu	__read_mostly;
+static struct sysctllog *	npf_sysctl		__read_mostly;
 
 const struct cdevsw npf_cdevsw = {
 	npf_dev_open, npf_dev_close, npf_dev_read, nowrite, npf_dev_ioctl,
@@ -99,6 +101,8 @@
 
 	rw_init(&npf_lock);
 	npf_stats_percpu = percpu_alloc(NPF_STATS_SIZE);
+	npf_sysctl = NULL;
+
 	npf_tableset_sysinit();
 	npf_session_sysinit();
 	npf_nat_sysinit();
@@ -144,6 +148,10 @@
 	npf_nat_sysfini();
 	npf_session_sysfini();
 	npf_tableset_sysfini();
+
+	if (npf_sysctl) {
+		sysctl_teardown(&npf_sysctl);
+	}
 	percpu_free(npf_stats_percpu, NPF_STATS_SIZE);
 	rw_destroy(&npf_lock);
 
--- a/sys/net/npf/npf.h	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf.h	Fri Jun 22 13:43:17 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf.h,v 1.16 2012/04/14 19:01:21 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.17 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -110,72 +110,6 @@
 	} npc_l4;
 } npf_cache_t;
 
-static inline void
-npf_generate_mask(npf_addr_t *dst, const npf_netmask_t omask)
-{
-	uint_fast8_t length = omask;
-
-	/* Note: maximum length is 32 for IPv4 and 128 for IPv6. */
-	KASSERT(length <= NPF_MAX_NETMASK);
-
-	for (int i = 0; i < 4; i++) {
-		if (length >= 32) {
-			dst->s6_addr32[i] = htonl(0xffffffff);
-			length -= 32;
-		} else {
-			dst->s6_addr32[i] = htonl(0xffffffff << (32 - length));
-			length = 0;
-		}
-	}
-}
-
-static inline void
-npf_calculate_masked_addr(npf_addr_t *dst, const npf_addr_t *src,
-    const npf_netmask_t omask)
-{
-	npf_addr_t mask;
-
-	npf_generate_mask(&mask, omask);
-	for (int i = 0; i < 4; i++) {
-		dst->s6_addr32[i] = src->s6_addr32[i] & mask.s6_addr32[i];
-	}
-}
-
-/*
- * npf_compare_cidr: compare two addresses, either IPv4 or IPv6.
- *
- * => If the mask is NULL, ignore it.
- */
-static inline int
-npf_compare_cidr(const npf_addr_t *addr1, const npf_netmask_t mask1,
-    const npf_addr_t *addr2, const npf_netmask_t mask2)
-{
-	npf_addr_t realmask1, realmask2;
-
-	if (mask1 != NPF_NO_NETMASK) {
-		npf_generate_mask(&realmask1, mask1);
-	}
-	if (mask2 != NPF_NO_NETMASK) {
-		npf_generate_mask(&realmask2, mask2);
-	}
-	for (int i = 0; i < 4; i++) {
-		const uint32_t x = mask1 != NPF_NO_NETMASK ?
-		    addr1->s6_addr32[i] & realmask1.s6_addr32[i] :
-		    addr1->s6_addr32[i];
-		const uint32_t y = mask2 != NPF_NO_NETMASK ?
-		    addr2->s6_addr32[i] & realmask2.s6_addr32[i] :
-		    addr2->s6_addr32[i];
-		if (x < y) {
-			return -1;
-		}
-		if (x > y) {
-			return 1;
-		}
-	}
-
-	return 0;
-}
-
 static inline bool
 npf_iscached(const npf_cache_t *npc, const int inf)
 {
--- a/sys/net/npf/npf_alg.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_alg.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg.c,v 1.3 2012/02/20 00:18:19 rmind Exp $	*/
+/*	$NetBSD: npf_alg.c,v 1.4 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -31,16 +31,17 @@
 
 /*
  * NPF interface for application level gateways (ALGs).
- *
- * XXX: locking
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.3 2012/02/20 00:18:19 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.4 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
+#include <sys/types.h>
+
 #include <sys/kmem.h>
-#include <sys/pool.h>
+#include <sys/pserialize.h>
+#include <sys/mutex.h>
 #include <net/pfil.h>
 
 #include "npf_impl.h"
@@ -55,12 +56,16 @@
 	npf_algfunc_t			na_seid_func;
 };
 
-static LIST_HEAD(, npf_alg)		nat_alg_list	__read_mostly;
+static LIST_HEAD(, npf_alg)		nat_alg_list	__cacheline_aligned;
+static kmutex_t				nat_alg_lock	__cacheline_aligned;
+static pserialize_t			nat_alg_psz	__cacheline_aligned;
 
 void
 npf_alg_sysinit(void)
 {
 
+	mutex_init(&nat_alg_lock, MUTEX_DEFAULT, IPL_NONE);
+	nat_alg_psz = pserialize_create();
 	LIST_INIT(&nat_alg_list);
 }
 
@@ -69,6 +74,8 @@
 {
 
 	KASSERT(LIST_EMPTY(&nat_alg_list));
+	pserialize_destroy(nat_alg_psz);
+	mutex_destroy(&nat_alg_lock);
 }
 
 /*
@@ -88,7 +95,11 @@
 	alg->na_out_func = out;
 	alg->na_in_func = in;
 	alg->na_seid_func = seid;
+
+	mutex_enter(&nat_alg_lock);
 	LIST_INSERT_HEAD(&nat_alg_list, alg, na_entry);
+	mutex_exit(&nat_alg_lock);
+
 	return alg;
 }
 
@@ -98,17 +109,15 @@
 int
 npf_alg_unregister(npf_alg_t *alg)
 {
-	npf_alg_t *it;
 
-	LIST_FOREACH(it, &nat_alg_list, na_entry) {
-		if (alg == it)
-			break;
-	}
-	if (it != NULL) {
-		LIST_REMOVE(alg, na_entry);
-	}
-	/* TODO: Flush relevant sessions. */
+	mutex_enter(&nat_alg_lock);
+	LIST_REMOVE(alg, na_entry);
+	pserialize_perform(nat_alg_psz);
+	mutex_exit(&nat_alg_lock);
+
+	npf_nat_freealg(alg);
 	kmem_free(alg, sizeof(npf_alg_t));
+
 	return 0;
 }
 
@@ -119,15 +128,20 @@
 npf_alg_match(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt)
 {
 	npf_alg_t *alg;
-	npf_algfunc_t func;
+	bool match = false;
+	int s;
 
+	s = pserialize_read_enter();
 	LIST_FOREACH(alg, &nat_alg_list, na_entry) {
-		func = alg->na_match_func;
+		npf_algfunc_t func = alg->na_match_func;
+
 		if (func && func(npc, nbuf, nt)) {
-			return true;
+			match = true;
+			break;
 		}
 	}
-	return false;
+	pserialize_read_exit(s);
+	return match;
 }
 
 /*
@@ -137,7 +151,9 @@
 npf_alg_exec(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, const int di)
 {
 	npf_alg_t *alg;
+	int s;
 
+	s = pserialize_read_enter();
 	LIST_FOREACH(alg, &nat_alg_list, na_entry) {
 		if ((di & PFIL_OUT) != 0 && alg->na_out_func != NULL) {
 			(alg->na_out_func)(npc, nbuf, nt);
@@ -148,19 +164,25 @@
 			continue;
 		}
 	}
+	pserialize_read_exit(s);
 }
 
 bool
 npf_alg_sessionid(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *key)
 {
 	npf_alg_t *alg;
-	npf_algfunc_t func;
+	bool nkey = false;
+	int s;
 
+	s = pserialize_read_enter();
 	LIST_FOREACH(alg, &nat_alg_list, na_entry) {
-		func = alg->na_seid_func;
+		npf_algfunc_t func = alg->na_seid_func;
+
 		if (func && func(npc, nbuf, (npf_nat_t *)key)) {
-			return true;
+			nkey = true;
+			break;
 		}
 	}
-	return false;
+	pserialize_read_exit(s);
+	return nkey;
 }
--- a/sys/net/npf/npf_impl.h	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_impl.h	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.15 2012/05/30 21:38:03 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.16 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -177,7 +177,13 @@
 uint16_t	npf_fixup32_cksum(uint16_t, uint32_t, uint32_t);
 uint16_t	npf_addr_cksum(uint16_t, int, npf_addr_t *, npf_addr_t *);
 uint32_t	npf_addr_sum(const int, const npf_addr_t *, const npf_addr_t *);
-int		npf_tcpsaw(npf_cache_t *, tcp_seq *, tcp_seq *, uint32_t *);
+int		npf_addr_cmp(const npf_addr_t *, const npf_netmask_t,
+		    const npf_addr_t *, const npf_netmask_t);
+void		npf_addr_mask(const npf_addr_t *, const npf_netmask_t,
+		    npf_addr_t *);
+
+int		npf_tcpsaw(const npf_cache_t *, tcp_seq *, tcp_seq *,
+		    uint32_t *);
 bool		npf_fetch_tcpopts(const npf_cache_t *, nbuf_t *,
 		    uint16_t *, int *);
 bool		npf_normalize(npf_cache_t *, nbuf_t *, bool, bool, u_int, u_int);
@@ -291,6 +297,7 @@
 void		npf_nat_getorig(npf_nat_t *, npf_addr_t **, in_port_t *);
 void		npf_nat_gettrans(npf_nat_t *, npf_addr_t **, in_port_t *);
 void		npf_nat_setalg(npf_nat_t *, npf_alg_t *, uintptr_t);
+void		npf_nat_freealg(npf_alg_t *);
 
 int		npf_nat_save(prop_dictionary_t, prop_array_t, npf_nat_t *);
 npf_nat_t *	npf_nat_restore(prop_dictionary_t, npf_session_t *);
--- a/sys/net/npf/npf_inet.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_inet.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_inet.c,v 1.11 2012/02/20 00:18:19 rmind Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.12 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -31,10 +31,15 @@
 
 /*
  * Various procotol related helper routines.
+ *
+ * This layer manipulates npf_cache_t structure i.e. caches requested headers
+ * and stores which information was cached in the information bit field.
+ * It is also responsibility of this layer to update or invalidate the cache
+ * on rewrites (e.g. by translation routines).
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.11 2012/02/20 00:18:19 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.12 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -121,14 +126,86 @@
 	return mix;
 }
 
+static inline void
+npf_generate_mask(npf_addr_t *out, const npf_netmask_t mask)
+{
+	uint_fast8_t length = mask;
+
+	/* Note: maximum length is 32 for IPv4 and 128 for IPv6. */
+	KASSERT(length <= NPF_MAX_NETMASK);
+
+	for (int i = 0; i < 4; i++) {
+		if (length >= 32) {
+			out->s6_addr32[i] = htonl(0xffffffff);
+			length -= 32;
+		} else {
+			out->s6_addr32[i] = htonl(0xffffffff << (32 - length));
+			length = 0;
+		}
+	}
+}
+
+/*
+ * npf_addr_mask: apply the mask to a given address and store the result.
+ */
+void
+npf_addr_mask(const npf_addr_t *addr, const npf_netmask_t mask, npf_addr_t *out)
+{
+	npf_addr_t realmask;
+
+	npf_generate_mask(&realmask, mask);
+
+	for (int i = 0; i < 4; i++) {
+		out->s6_addr32[i] = addr->s6_addr32[i] & realmask.s6_addr32[i];
+	}
+}
+
+/*
+ * npf_addr_cmp: compare two addresses, either IPv4 or IPv6.
+ *
+ * => Ignore the mask, if NPF_NO_NETMASK is specified.
+ * => Return 0 if equal and -1 or 1 if less or greater accordingly.
+ */
+int
+npf_addr_cmp(const npf_addr_t *addr1, const npf_netmask_t mask1,
+    const npf_addr_t *addr2, const npf_netmask_t mask2)
+{
+	npf_addr_t realmask1, realmask2;
+
+	if (mask1 != NPF_NO_NETMASK) {
+		npf_generate_mask(&realmask1, mask1);
+	}
+	if (mask2 != NPF_NO_NETMASK) {
+		npf_generate_mask(&realmask2, mask2);
+	}
+
+	for (int i = 0; i < 4; i++) {
+		const uint32_t x = mask1 != NPF_NO_NETMASK ?
+		    addr1->s6_addr32[i] & realmask1.s6_addr32[i] :
+		    addr1->s6_addr32[i];
+		const uint32_t y = mask2 != NPF_NO_NETMASK ?
+		    addr2->s6_addr32[i] & realmask2.s6_addr32[i] :
+		    addr2->s6_addr32[i];
+		if (x < y) {
+			return -1;
+		}
+		if (x > y) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
 /*
  * npf_tcpsaw: helper to fetch SEQ, ACK, WIN and return TCP data length.
- * Returns all values in host byte-order.
+ *
+ * => Returns all values in host byte-order.
  */
 int
-npf_tcpsaw(npf_cache_t *npc, tcp_seq *seq, tcp_seq *ack, uint32_t *win)
+npf_tcpsaw(const npf_cache_t *npc, tcp_seq *seq, tcp_seq *ack, uint32_t *win)
 {
-	struct tcphdr *th = &npc->npc_l4.tcp;
+	const struct tcphdr *th = &npc->npc_l4.tcp;
 	u_int thlen;
 
 	KASSERT(npf_iscached(npc, NPC_TCP));
@@ -139,11 +216,10 @@
 	thlen = th->th_off << 2;
 
 	if (npf_iscached(npc, NPC_IP4)) {
-		struct ip *ip = &npc->npc_ip.v4;
+		const struct ip *ip = &npc->npc_ip.v4;
 		return ntohs(ip->ip_len) - npf_cache_hlen(npc) - thlen;
-	} else {
-		KASSERT(npf_iscached(npc, NPC_IP6));
-		struct ip6_hdr *ip6 = &npc->npc_ip.v6;
+	} else if (npf_iscached(npc, NPC_IP6)) {
+		const struct ip6_hdr *ip6 = &npc->npc_ip.v6;
 		return ntohs(ip6->ip6_plen) - thlen;
 	}
 	return 0;
@@ -179,6 +255,7 @@
 	if (nbuf_advfetch(&nbuf, &n_ptr, step, sizeof(val), &val)) {
 		return false;
 	}
+
 	switch (val) {
 	case TCPOPT_EOL:
 		/* Done. */
@@ -225,6 +302,7 @@
 		topts_len -= val;
 		step = val - 1;
 	}
+
 	/* Any options left? */
 	if (__predict_true(topts_len > 0)) {
 		goto next;
@@ -238,21 +316,21 @@
 bool
 npf_fetch_ip(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr)
 {
-	struct ip *ip;
-	struct ip6_hdr *ip6;
 	uint8_t ver;
 
 	if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(uint8_t), &ver)) {
 		return false;
 	}
+
 	switch (ver >> 4) {
-	case IPVERSION:
-		/* IPv4 */
-		ip = &npc->npc_ip.v4;
-		/* Fetch the header. */
+	case IPVERSION: {
+		struct ip *ip = &npc->npc_ip.v4;
+
+		/* Fetch IPv4 header. */
 		if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(struct ip), ip)) {
 			return false;
 		}
+
 		/* Check header length and fragment offset. */
 		if ((u_int)(ip->ip_hl << 2) < sizeof(struct ip)) {
 			return false;
@@ -261,6 +339,7 @@
 			/* Note fragmentation. */
 			npc->npc_info |= NPC_IPFRAG;
 		}
+
 		/* Cache: layer 3 - IPv4. */
 		npc->npc_ipsz = sizeof(struct in_addr);
 		npc->npc_srcip = (npf_addr_t *)&ip->ip_src;
@@ -269,31 +348,31 @@
 		npc->npc_hlen = ip->ip_hl << 2;
 		npc->npc_next_proto = npc->npc_ip.v4.ip_p;
 		break;
+	}
 
-	case (IPV6_VERSION >> 4):
-		ip6 = &npc->npc_ip.v6;
+	case (IPV6_VERSION >> 4): {
+		struct ip6_hdr *ip6 = &npc->npc_ip.v6;
+		size_t toskip;
+		bool done;
+
+		/* Fetch IPv6 header. */
 		if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(struct ip6_hdr), ip6)) {
 			return false;
 		}
 
-		bool done = false;
-		uint_fast8_t next_proto;
-		size_t toskip;
-
 		/* Initial next-protocol value. */
-		next_proto = ip6->ip6_nxt;
+		npc->npc_next_proto = ip6->ip6_nxt;
 		toskip = sizeof(struct ip6_hdr);
 		npc->npc_hlen = 0;
+		done = false;
 
+		/*
+		 * Advance by the length of the previous known header and
+		 * fetch by the lengh of next extension header.
+		 */
 		do {
 			struct ip6_ext ip6e;
 
-			npc->npc_next_proto = next_proto;
-
-			/*
-			 * Advance by the length of the previous known header
-			 * and fetch the next extension header's length.
-			 */
 			if (nbuf_advfetch(&nbuf, &n_ptr, toskip,
 			    sizeof(struct ip6_ext), &ip6e)) {
 				return false;
@@ -315,21 +394,28 @@
 				break;
 			}
 			npc->npc_hlen += toskip;
-			next_proto = ip6e.ip6e_nxt;
+			npc->npc_next_proto = ip6e.ip6e_nxt;
 
 		} while (!done);
 
+		/* Cache: layer 3 - IPv6. */
 		npc->npc_ipsz = sizeof(struct in6_addr);
 		npc->npc_srcip = (npf_addr_t *)&ip6->ip6_src;
 		npc->npc_dstip = (npf_addr_t *)&ip6->ip6_dst;
 		npc->npc_info |= NPC_IP6;
 		break;
+	}
 	default:
 		return false;
 	}
+
 	return true;
 }
 
+/*
+ * npf_fetch_tcp: fetch, check and cache TCP header.  If necessary,
+ * fetch and cache layer 3 as well.
+ */
 bool
 npf_fetch_tcp(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr)
 {
@@ -355,6 +441,10 @@
 	return true;
 }
 
+/*
+ * npf_fetch_udp: fetch, check and cache UDP header.  If necessary,
+ * fetch and cache layer 3 as well.
+ */
 bool
 npf_fetch_udp(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr)
 {
@@ -372,7 +462,7 @@
 	uh = &npc->npc_l4.udp;
 	hlen = npf_cache_hlen(npc);
 
-	/* Fetch ICMP header. */
+	/* Fetch UDP header. */
 	if (nbuf_advfetch(&nbuf, &n_ptr, hlen, sizeof(struct udphdr), uh)) {
 		return false;
 	}
@@ -384,8 +474,6 @@
 
 /*
  * npf_fetch_icmp: fetch ICMP code, type and possible query ID.
- *
- * => Stores both all fetched items into the cache.
  */
 bool
 npf_fetch_icmp(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr)
@@ -417,7 +505,7 @@
 
 /*
  * npf_cache_all: general routine to cache all relevant IP (v4 or v6)
- * and TCP, UDP or ICMP data.
+ * and TCP, UDP or ICMP headers.
  */
 int
 npf_cache_all(npf_cache_t *npc, nbuf_t *nbuf)
--- a/sys/net/npf/npf_instr.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_instr.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_instr.c,v 1.10 2012/02/20 00:18:20 rmind Exp $	*/
+/*	$NetBSD: npf_instr.c,v 1.11 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.10 2012/02/20 00:18:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.11 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -129,7 +129,7 @@
 	}
 	addr = sd ? npc->npc_srcip : npc->npc_dstip;
 	if (mask != NPF_NO_NETMASK) {
-		npf_calculate_masked_addr(&cmpaddr, addr, mask);
+		npf_addr_mask(addr, mask, &cmpaddr);
 		addr = &cmpaddr;
 	}
 	return memcmp(netaddr, addr, npc->npc_ipsz) ? -1 : 0;
--- a/sys/net/npf/npf_log.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_log.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_log.c,v 1.3 2012/02/20 00:18:20 rmind Exp $	*/
+/*	$NetBSD: npf_log.c,v 1.4 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_log.c,v 1.3 2012/02/20 00:18:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_log.c,v 1.4 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -58,7 +58,7 @@
 	int				sc_unit;
 } npflog_softc_t;
 
-static int	npflog_clone_create(struct if_clone *, int );
+static int	npflog_clone_create(struct if_clone *, int);
 static int	npflog_clone_destroy(ifnet_t *);
 
 static LIST_HEAD(, npflog_softc)	npflog_if_list	__cacheline_aligned;
@@ -120,11 +120,13 @@
 	ifp->if_dlt = DLT_NULL;
 	ifp->if_ioctl = npflog_ioctl;
 
+	KERNEL_LOCK(1, NULL);
 	if_attach(ifp);
 	if_alloc_sadl(ifp);
 	bpf_attach(ifp, DLT_NULL, 0);
+	LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
+	KERNEL_UNLOCK_ONE(NULL);
 
-	LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
 	return 0;
 }
 
@@ -133,9 +135,12 @@
 {
 	npflog_softc_t *sc = ifp->if_softc;
 
+	KERNEL_LOCK(1, NULL);
 	LIST_REMOVE(sc, sc_entry);
 	bpf_detach(ifp);
 	if_detach(ifp);
+	KERNEL_UNLOCK_ONE(NULL);
+
 	mutex_destroy(&sc->sc_lock);
 	kmem_free(sc, sizeof(npflog_softc_t));
 	return 0;
@@ -148,13 +153,6 @@
 	ifnet_t *ifp;
 	int family;
 
-	/* Find a pseudo-interface to log. */
-	ifp = if_byindex(if_idx);
-	if (ifp == NULL) {
-		/* No interface. */
-		return;
-	}
-
 	/* Set the address family. */
 	if (npf_iscached(npc, NPC_IP4)) {
 		family = AF_INET;
@@ -164,8 +162,17 @@
 		family = AF_UNSPEC;
 	}
 
+	KERNEL_LOCK(1, NULL);
+
+	/* Find a pseudo-interface to log. */
+	ifp = if_byindex(if_idx);
+	if (ifp == NULL) {
+		/* No interface. */
+		KERNEL_UNLOCK_ONE(NULL);
+		return;
+	}
+
 	/* Pass through BPF. */
-	KERNEL_LOCK(1, NULL);
 	ifp->if_opackets++;
 	ifp->if_obytes += m->m_pkthdr.len;
 	bpf_mtap_af(ifp, family, m);
--- a/sys/net/npf/npf_nat.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_nat.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.12 2012/03/11 18:27:59 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.13 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.12 2012/03/11 18:27:59 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.13 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -267,6 +267,12 @@
 	kmem_free(np, sizeof(npf_natpolicy_t));
 }
 
+void
+npf_nat_freealg(npf_alg_t *alg)
+{
+	(void)alg; /* TODO */
+}
+
 /*
  * npf_nat_matchpolicy: compare two NAT policies.
  *
--- a/sys/net/npf/npf_sendpkt.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_sendpkt.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_sendpkt.c,v 1.10 2012/05/06 02:45:25 rmind Exp $	*/
+/*	$NetBSD: npf_sendpkt.c,v 1.11 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.10 2012/05/06 02:45:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.11 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -108,7 +108,7 @@
 		memset(ip, 0, len);
 
 		/*
-		 * First fill of IPv4 header, for TCP checksum.
+		 * First, partially fill IPv4 header for TCP checksum.
 		 * Note: IP length contains TCP header length.
 		 */
 		ip->ip_p = IPPROTO_TCP;
@@ -134,7 +134,9 @@
 		th = (struct tcphdr *)(ip6 + 1);
 	}
 
-	/* Construct TCP header and compute the checksum. */
+	/*
+	 * Construct TCP header and compute the checksum.
+	 */
 	th->th_sport = oth->th_dport;
 	th->th_dport = oth->th_sport;
 	th->th_seq = htonl(ack);
@@ -148,7 +150,9 @@
 	if (npf_iscached(npc, NPC_IP4)) {
 		th->th_sum = in_cksum(m, len);
 
-		/* Second fill of IPv4 header, fill correct IP length. */
+		/*
+		 * Second, fill the rest of IPv4 header and correct IP length.
+		 */
 		ip->ip_v = IPVERSION;
 		ip->ip_hl = sizeof(struct ip) >> 2;
 		ip->ip_tos = IPTOS_LOWDELAY;
--- a/sys/net/npf/npf_session.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_session.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_session.c,v 1.12 2012/03/11 18:27:59 rmind Exp $	*/
+/*	$NetBSD: npf_session.c,v 1.13 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -74,7 +74,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.12 2012/03/11 18:27:59 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.13 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -483,6 +483,7 @@
 		atomic_inc_uint(&se->s_refcnt);
 	} else {
 		/* Silently block invalid packets. */
+		npf_stats_inc(NPF_STAT_INVALID_STATE);
 		*error = ENETUNREACH;
 		se = NULL;
 	}
--- a/sys/net/npf/npf_state.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_state.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_state.c,v 1.7 2012/05/30 21:38:03 rmind Exp $	*/
+/*	$NetBSD: npf_state.c,v 1.8 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state.c,v 1.7 2012/05/30 21:38:03 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state.c,v 1.8 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -54,7 +54,7 @@
 #define	NPF_ANY_SESSION_ESTABLISHED	2
 #define	NPF_ANY_SESSION_NSTATES		3
 
-static const int npf_generic_fsm[NPF_ANY_SESSION_NSTATES][2] __read_mostly = {
+static const int npf_generic_fsm[NPF_ANY_SESSION_NSTATES][2] = {
 	[NPF_ANY_SESSION_CLOSED] = {
 		[NPF_FLOW_FORW]		= NPF_ANY_SESSION_NEW,
 	},
@@ -68,12 +68,19 @@
 	},
 };
 
-static const u_int npf_generic_timeout[] __read_mostly = {
+static u_int npf_generic_timeout[] __read_mostly = {
 	[NPF_ANY_SESSION_CLOSED]	= 0,
 	[NPF_ANY_SESSION_NEW]		= 30,
 	[NPF_ANY_SESSION_ESTABLISHED]	= 60,
 };
 
+/*
+ * npf_state_init: initialise the state structure.
+ *
+ * Should normally be called on a first packet, which also determines the
+ * direction in a case of connection-orientated protocol.  Returns true on
+ * success and false otherwise (e.g. if protocol is not supported).
+ */
 bool
 npf_state_init(const npf_cache_t *npc, nbuf_t *nbuf, npf_state_t *nst)
 {
@@ -111,6 +118,12 @@
 	mutex_destroy(&nst->nst_lock);
 }
 
+/*
+ * npf_state_inspect: inspect the packet according to the protocol state.
+ *
+ * Return true if packet is considered to match the state (e.g. for TCP,
+ * the packet belongs to the tracked connection) and false otherwise.
+ */
 bool
 npf_state_inspect(const npf_cache_t *npc, nbuf_t *nbuf,
     npf_state_t *nst, const bool forw)
@@ -137,9 +150,6 @@
 	NPF_TCP_STATE_SAMPLE(nst, ret);
 	mutex_exit(&nst->nst_lock);
 
-	if (__predict_false(!ret)) {
-		npf_stats_inc(NPF_STAT_INVALID_STATE);
-	}
 	return ret;
 }
 
--- a/sys/net/npf/npf_state_tcp.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_state_tcp.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_state_tcp.c,v 1.6 2012/06/05 22:46:54 rmind Exp $	*/
+/*	$NetBSD: npf_state_tcp.c,v 1.7 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.6 2012/06/05 22:46:54 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.7 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -440,6 +440,10 @@
 	return true;
 }
 
+/*
+ * npf_state_tcp: inspect TCP segment, determine whether it belongs to
+ * the connection and track its state.
+ */
 bool
 npf_state_tcp(const npf_cache_t *npc, nbuf_t *nbuf, npf_state_t *nst, int di)
 {
@@ -447,7 +451,7 @@
 	const int tcpfl = th->th_flags, state = nst->nst_state;
 	int nstate;
 
-	KASSERT(mutex_owned(&nst->nst_lock));
+	KASSERT(nst->nst_state == 0 || mutex_owned(&nst->nst_lock));
 
 	/* Look for a transition to a new state. */
 	if (__predict_true((tcpfl & TH_RST) == 0)) {
--- a/sys/net/npf/npf_tableset.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/sys/net/npf/npf_tableset.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_tableset.c,v 1.10 2012/02/20 00:18:20 rmind Exp $	*/
+/*	$NetBSD: npf_tableset.c,v 1.11 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.10 2012/02/20 00:18:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.11 2012/06/22 13:43:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -164,7 +164,7 @@
 	const npf_tblent_t * const te1 = n1;
 	const npf_tblent_t * const te2 = n2;
 
-	return npf_compare_cidr(&te1->te_addr, te1->te_mask,
+	return npf_addr_cmp(&te1->te_addr, te1->te_mask,
 	    &te2->te_addr, te2->te_mask);
 }
 
@@ -174,7 +174,7 @@
 	const npf_tblent_t * const te = n1;
 	const npf_addr_t *t2 = key;
 
-	return npf_compare_cidr(&te->te_addr, te->te_mask, t2, NPF_NO_NETMASK);
+	return npf_addr_cmp(&te->te_addr, te->te_mask, t2, NPF_NO_NETMASK);
 }
 
 static const rb_tree_ops_t table_rbtree_ops = {
@@ -366,7 +366,7 @@
 	switch (t->t_type) {
 	case NPF_TABLE_HASH:
 		/* Generate hash value from: address & mask. */
-		npf_calculate_masked_addr(&val, addr, mask);
+		npf_addr_mask(addr, mask, &val);
 		htbl = table_hash_bucket(t, &val, sizeof(npf_addr_t));
 		/* Lookup to check for duplicates. */
 		LIST_FOREACH(it, htbl, te_entry.hashq) {
@@ -428,7 +428,7 @@
 	switch (t->t_type) {
 	case NPF_TABLE_HASH:
 		/* Generate hash value from: (address & mask). */
-		npf_calculate_masked_addr(&val, addr, mask);
+		npf_addr_mask(addr, mask, &val);
 		htbl = table_hash_bucket(t, &val, sizeof(npf_addr_t));
 		LIST_FOREACH(e, htbl, te_entry.hashq) {
 			if (e->te_mask != mask) {
@@ -446,7 +446,7 @@
 		break;
 	case NPF_TABLE_TREE:
 		/* Key: (address & mask). */
-		npf_calculate_masked_addr(&val, addr, mask);
+		npf_addr_mask(addr, mask, &val);
 		e = rb_tree_find_node(&t->t_rbtree, &val);
 		if (__predict_true(e != NULL)) {
 			rb_tree_remove_node(&t->t_rbtree, e);
@@ -486,20 +486,23 @@
 	case NPF_TABLE_HASH:
 		htbl = table_hash_bucket(t, addr, sizeof(npf_addr_t));
 		LIST_FOREACH(e, htbl, te_entry.hashq) {
-			if (npf_compare_cidr(addr, e->te_mask, &e->te_addr,
+			if (npf_addr_cmp(addr, e->te_mask, &e->te_addr,
 			    NPF_NO_NETMASK) == 0)
 				break;
 		}
 		break;
 	case NPF_TABLE_TREE:
 		e = rb_tree_find_node(&t->t_rbtree, addr);
-		KASSERT(e && npf_compare_cidr(addr, e->te_mask, &e->te_addr,
-		    NPF_NO_NETMASK) == 0);
 		break;
 	default:
 		KASSERT(false);
 	}
 	npf_table_put(t);
 
-	return e ? 0 : ENOENT;
+	if (e == NULL) {
+		return ENOENT;
+	}
+	KASSERT(npf_addr_cmp(addr, e->te_mask, &e->te_addr,
+	    NPF_NO_NETMASK) == 0);
+	return 0;
 }
--- a/usr.sbin/npf/npftest/libnpftest/npf_table_test.c	Fri Jun 22 12:45:43 2012 +0000
+++ b/usr.sbin/npf/npftest/libnpftest/npf_table_test.c	Fri Jun 22 13:43:17 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_table_test.c,v 1.1 2012/04/14 21:57:29 rmind Exp $	*/
+/*	$NetBSD: npf_table_test.c,v 1.2 2012/06/22 13:43:17 rmind Exp $	*/
 
 /*
  * NPF tableset test.
@@ -55,6 +55,15 @@
 	error = npf_tableset_insert(tblset, t2);
 	assert(error == 0);
 
+	/* Attempt to match non-existing entries - should fail. */
+	addr->s6_addr32[0] = inet_addr(ip_list[0]);
+
+	error = npf_table_match_addr(tblset, HASH_TID, addr);
+	assert(error != 0);
+
+	error = npf_table_match_addr(tblset, TREE_TID, addr);
+	assert(error != 0);
+
 	/* Fill both tables with IP addresses. */
 	for (i = 0; i < __arraycount(ip_list); i++) {
 		addr->s6_addr32[0] = inet_addr(ip_list[i]);