- Add NPF table flushing functionality. trunk
authorrmind <rmind@NetBSD.org>
Sun, 19 May 2013 20:45:34 +0000
branchtrunk
changeset 218676 fc720603f7c0
parent 218675 8a08117c08c4
child 218677 f08e720525ee
- Add NPF table flushing functionality. - Fix line numbering for npfctl debug command.
sys/net/npf/npf_ctl.c
sys/net/npf/npf_impl.h
sys/net/npf/npf_tableset.c
usr.sbin/npf/npfctl/npf_build.c
usr.sbin/npf/npfctl/npf_parse.y
usr.sbin/npf/npfctl/npfctl.c
--- a/sys/net/npf/npf_ctl.c	Sun May 19 17:07:04 2013 +0000
+++ b/sys/net/npf/npf_ctl.c	Sun May 19 20:45:34 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.24 2013/03/20 00:29:47 christos Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.25 2013/05/19 20:45:34 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.24 2013/03/20 00:29:47 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.25 2013/05/19 20:45:34 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -813,6 +813,9 @@
 		error = npf_table_list(tblset, nct->nct_tid,
 		    nct->nct_data.buf.buf, nct->nct_data.buf.len);
 		break;
+	case NPF_CMD_TABLE_FLUSH:
+		error = npf_table_flush(tblset, nct->nct_tid);
+		break;
 	default:
 		error = EINVAL;
 		break;
--- a/sys/net/npf/npf_impl.h	Sun May 19 17:07:04 2013 +0000
+++ b/sys/net/npf/npf_impl.h	Sun May 19 20:45:34 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.29 2013/03/20 00:29:47 christos Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.30 2013/05/19 20:45:34 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -220,6 +220,7 @@
 int		npf_table_lookup(npf_tableset_t *, u_int,
 		    const int, const npf_addr_t *);
 int		npf_table_list(npf_tableset_t *, u_int, void *, size_t);
+int		npf_table_flush(npf_tableset_t *, u_int);
 
 /* Ruleset interface. */
 npf_ruleset_t *	npf_ruleset_create(size_t);
--- a/sys/net/npf/npf_tableset.c	Sun May 19 17:07:04 2013 +0000
+++ b/sys/net/npf/npf_tableset.c	Sun May 19 20:45:34 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_tableset.c,v 1.17 2013/02/09 03:35:32 rmind Exp $	*/
+/*	$NetBSD: npf_tableset.c,v 1.18 2013/05/19 20:45:34 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.17 2013/02/09 03:35:32 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.18 2013/05/19 20:45:34 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -223,6 +223,19 @@
 }
 
 static void
+table_hash_destroy(npf_table_t *t)
+{
+	for (unsigned n = 0; n <= t->t_hashmask; n++) {
+		npf_tblent_t *ent;
+
+		while ((ent = LIST_FIRST(&t->t_hashl[n])) != NULL) {
+			LIST_REMOVE(ent, te_entry.hashq);
+			pool_cache_put(tblent_cache, ent);
+		}
+	}
+}
+
+static void
 table_tree_destroy(pt_tree_t *tree)
 {
 	npf_tblent_t *ent;
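Review bot: `table_hash_destroy` becomes the shared bucket-emptying routine for both table teardown and the new flush path, but nothing states that it leaves the `t_hashl` array allocated and `t_nitems` untouched, which is exactly what both callers rely on. A header comment in the file's style would pin that contract: `/* table_hash_destroy: release every entry in the hash buckets. Leaves the bucket array and t_nitems to the caller. */`. The loop condition `n <= t->t_hashmask` also presumes the mask is strictly below `UINT_MAX`, which holds for a hashinit-sized mask but is worth a word in that comment.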
@@ -282,14 +295,7 @@
 
 	switch (t->t_type) {
 	case NPF_TABLE_HASH:
-		for (unsigned n = 0; n <= t->t_hashmask; n++) {
-			npf_tblent_t *ent;
-
-			while ((ent = LIST_FIRST(&t->t_hashl[n])) != NULL) {
-				LIST_REMOVE(ent, te_entry.hashq);
-				pool_cache_put(tblent_cache, ent);
-			}
-		}
+		table_hash_destroy(t);
 		hashdone(t->t_hashl, HASH_LIST, t->t_hashmask);
 		break;
 	case NPF_TABLE_TREE:
@@ -592,3 +598,34 @@
 
 	return error;
 }
+
+/*
+ * npf_table_flush: remove all table entries.
+ */
+int
+npf_table_flush(npf_tableset_t *tset, u_int tid)
+{
+	npf_table_t *t;
+
+	if ((u_int)tid >= NPF_TABLE_SLOTS || (t = tset[tid]) == NULL) {
+		return EINVAL;
+	}
+
+	rw_enter(&t->t_lock, RW_WRITER);
+	switch (t->t_type) {
+	case NPF_TABLE_HASH:
+		table_hash_destroy(t);
+		t->t_nitems = 0;
+		break;
+	case NPF_TABLE_TREE:
+		table_tree_destroy(&t->t_tree[0]);
+		table_tree_destroy(&t->t_tree[1]);
+		t->t_nitems = 0;
+		break;
+	default:
+		KASSERT(false);
+	}
+	rw_exit(&t->t_lock);
+
+	return 0;
+}
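Review bot: The `default:` branch of the switch in `npf_table_flush` only fires `KASSERT(false)`, so in a kernel built without DIAGNOSTIC an unexpected `t_type` falls through to `rw_exit` and the ioctl reports success with nothing flushed. Returning an error there keeps the interface honest: declare `int error = 0;` at the top, set `error = EINVAL;` after the KASSERT in `default:`, and finish with `return error;`. The `(u_int)tid` cast on a parameter already declared `u_int` is redundant. Whether `table_tree_destroy` leaves the trees in a reusable empty state, as a flush (unlike a destroy) requires, cannot be confirmed here because its body is outside this hunk.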
--- a/usr.sbin/npf/npfctl/npf_build.c	Sun May 19 17:07:04 2013 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c	Sun May 19 20:45:34 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.23 2013/03/20 00:29:47 christos Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.24 2013/05/19 20:45:34 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.23 2013/03/20 00:29:47 christos Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.24 2013/05/19 20:45:34 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -384,8 +384,10 @@
 	 */
 	code = npfctl_ncgen_complete(nc, &len);
 	if (npf_debug) {
+		extern char *yytext;
 		extern int yylineno;
-		printf("RULE AT LINE %d\n", yylineno);
+
+		printf("RULE AT LINE %d\n", yylineno - (int)(*yytext == '\n'));
 		npfctl_ncgen_print(code, len);
 	}
 	assert(code && len > 0);
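Review bot: The new correction `yylineno - (int)(*yytext == '\n')` reads as magic without a comment saying why the reported line is sometimes one too high; presumably the lexer has already consumed the newline lookahead token that terminated the rule when this action runs. A one-line comment above the printf would carry that: `/* yylineno already counts the newline lookahead that ended this rule; back off by one. */`. The `(int)` cast is redundant since the comparison already yields an int. The enclosing function starts and ends outside the hunk.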
--- a/usr.sbin/npf/npfctl/npf_parse.y	Sun May 19 17:07:04 2013 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y	Sun May 19 20:45:34 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.23 2013/05/09 19:12:03 christos Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.24 2013/05/19 20:45:34 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -326,12 +326,13 @@
 	}
 	;
 
-alg	
+alg
 	: ALG STRING
 	{
 		npfctl_build_alg($2);
 	}
 	;
+
 procs
 	: proc_call SEPLINE procs
 	{
@@ -478,6 +479,7 @@
 	| group
 	| ruleset
 	|
+	;
 
 rule
 	: block_or_pass opt_stateful rule_dir opt_final on_ifindex
--- a/usr.sbin/npf/npfctl/npfctl.c	Sun May 19 17:07:04 2013 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.c	Sun May 19 20:45:34 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.37 2013/05/19 20:45:34 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.37 2013/05/19 20:45:34 rmind Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -115,10 +115,7 @@
 	const char *progname = getprogname();
 
 	fprintf(stderr,
-	    "Usage:\t%s start | stop | flush | show | stats\n", 
-	    progname);
-	fprintf(stderr,
-	    "\t%s sess-load | sess-save\n",
+	    "Usage:\t%s start | stop | flush | show | stats\n",
 	    progname);
 	fprintf(stderr,
 	    "\t%s validate | reload [<rule-file>]\n",
@@ -138,6 +135,9 @@
 	fprintf(stderr,
 	    "\t%s table <tid> { list | flush }\n",
 	    progname);
+	fprintf(stderr,
+	    "\t%s sess-load | sess-save\n",
+	    progname);
 	exit(EXIT_FAILURE);
 }
 
@@ -279,6 +279,7 @@
 		{ "del",	NPF_CMD_TABLE_REMOVE		},
 		{ "test",	NPF_CMD_TABLE_LOOKUP		},
 		{ "list",	NPF_CMD_TABLE_LIST		},
+		{ "flush",	NPF_CMD_TABLE_FLUSH		},
 		{ NULL,		0				}
 	};
 	npf_ioctl_table_t nct;
@@ -302,17 +303,27 @@
 	if (tblops[n].cmd == NULL) {
 		errx(EXIT_FAILURE, "invalid command '%s'", cmd);
 	}
-	if (nct.nct_cmd != NPF_CMD_TABLE_LIST) {
+
+	switch (nct.nct_cmd) {
+	case NPF_CMD_TABLE_LIST:
+	case NPF_CMD_TABLE_FLUSH:
+		break;
+	default:
 		if (argc < 3) {
 			usage();
 		}
 		arg = argv[2];
 	}
+
 again:
-	if (nct.nct_cmd == NPF_CMD_TABLE_LIST) {
+	switch (nct.nct_cmd) {
+	case NPF_CMD_TABLE_LIST:
 		nct.nct_data.buf.buf = ecalloc(1, buflen);
 		nct.nct_data.buf.len = buflen;
-	} else {
+		break;
+	case NPF_CMD_TABLE_FLUSH:
+		break;
+	default:
 		if (!npfctl_parse_cidr(arg, &fam, &alen)) {
 			errx(EXIT_FAILURE, "invalid CIDR '%s'", arg);
 		}