Home | History | Annotate | Download | only in npf
History log of /src/sys/net/npf/npf.c
RevisionDateAuthorComments
 1.44  27-Aug-2020  riastradh npf: Make sure to initialize portmap_lock only once.

PR kern/55586
 1.43  30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.42  07-Feb-2020  thorpej Use percpu_foreach_xcall() to gather volatile per-cpu counters. These
must be serialized against the interrupts / soft-interrupts in which
they're manipulated, as well as protected from non-atomic 64-bit memory
loads on 32-bit platforms.
 1.41  25-Aug-2019  rmind branches: 1.41.2;
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.40  11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.39  06-Aug-2019  christos - npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.38  23-Jul-2019  rmind branches: 1.38.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.37  19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.36  29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.35  12-Sep-2018  christos Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@
 1.34  01-Jun-2017  chs branches: 1.34.8; 1.34.10;
remove checks for failure after memory allocation calls that cannot fail:

kmem_alloc() with KM_SLEEP
kmem_zalloc() with KM_SLEEP
percpu_alloc()
pserialize_create()
psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.
 1.33  26-Dec-2016  christos branches: 1.33.6;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.32  10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.31  29-Oct-2015  christos branches: 1.31.2;
Simplify even further and fix non-modular kernels:
We cannot use the init at attach() trick, because other npf ext modules
will load before the attach function is called on non modular kernels.
 1.30  27-Oct-2015  christos modules don't define MODULAR.
 1.29  27-Oct-2015  christos simplify (and fix) logic.
 1.28  19-Oct-2015  martin Ifdef npf_init() the same way as all it's callers are protected.
 1.27  19-Oct-2015  christos Fix the code so that it works in all 3 cases: non-modular, modular/builtin,
modular/filesystem. In the non-modular case we initialize through attach.
In the modular/builtin case we define the module to be class misc so it
attaches late (after percpu is initialized) since driver modules attach
too early. In the modular/filesystem case we define it to be a driver
module since we autoload it via /dev/npf open.
 1.26  18-Oct-2015  jmcneill Defer initialization of built-in npf module until other pseudo-devices
are initialized. MODULE_CLASS_DRIVER modules are now initialized before
autoconfiguration starts, but npf_init has a dependency on percpu(9) which
doesn't work until CPUs have attached (at least on ARM).
 1.25  18-Oct-2015  christos needs to be driver, otherwise it will not load!
 1.24  17-Oct-2015  jmcneill mark this MODULE_CLASS_MISC as npf_init cannot run when builtin driver modules are initialized
 1.23  20-Aug-2015  christos include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.
 1.22  25-Jul-2014  dholland branches: 1.22.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.
 1.21  23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.20  19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.19  16-Mar-2014  dholland branches: 1.19.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.
 1.18  08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.17  19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.16  02-Jun-2013  rmind branches: 1.16.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.15  09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.14  29-Oct-2012  rmind Implement NPF table listing and preservation of entries on reload.
Bump the version.
 1.13  16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.12  15-Jul-2012  rmind branches: 1.12.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.11  22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10  13-Mar-2012  elad Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
 1.9  11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.8  20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.7  15-Jan-2012  rmind branches: 1.7.2;
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.6  06-Nov-2011  tron branches: 1.6.4;
Change module class to driver as npf(4) is a pseudo device.
 1.5  25-Apr-2011  yamt branches: 1.5.4;
fix module build
 1.4  02-Feb-2011  rmind branches: 1.4.2;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.3  18-Jan-2011  rmind branches: 1.3.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.2  18-Dec-2010  rmind branches: 1.2.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.1  22-Aug-2010  rmind branches: 1.1.2; 1.1.4;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.1.4.2  22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.1.4.1  22-Aug-2010  uebayasi file npf.c was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.1.2.2  09-Oct-2010  yamt sync with head
 1.1.2.1  22-Aug-2010  yamt file npf.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.2.2.1  06-Jun-2011  jruoho Sync with HEAD.
 1.3.2.1  08-Feb-2011  bouyer Sync with HEAD
 1.4.2.3  31-May-2011  rmind sync with head
 1.4.2.2  05-Mar-2011  rmind sync with head
 1.4.2.1  02-Feb-2011  rmind file npf.c was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.5.4.4  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.5.4.3  30-Oct-2012  yamt sync with head
 1.5.4.2  17-Apr-2012  yamt sync with head
 1.5.4.1  10-Nov-2011  yamt sync with head
 1.6.4.3  05-Apr-2012  mrg sync to latest -current.
 1.6.4.2  24-Feb-2012  mrg sync to -current.
 1.6.4.1  18-Feb-2012  mrg merge to -current.
 1.7.2.7  11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.7.2.6  24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.7.2.5  19-Nov-2012  msaitoh Fix a bug that the patch was incorrectly applied with last commit.
 1.7.2.4  18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.7.2.3  16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.7.2.2  26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.7.2.1  03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.12.2.5  03-Dec-2017  jdolecek update from HEAD
 1.12.2.4  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.12.2.3  23-Jun-2013  tls resync from head
 1.12.2.2  25-Feb-2013  tls resync with head
 1.12.2.1  20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.16.2.1  18-May-2014  rmind sync with head
 1.19.2.1  10-Aug-2014  tls Rebase.
 1.22.4.4  28-Aug-2017  skrll Sync with HEAD
 1.22.4.3  05-Feb-2017  skrll Sync with HEAD
 1.22.4.2  27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.22.4.1  22-Sep-2015  skrll Sync with HEAD
 1.31.2.4  07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.31.2.3  26-Jul-2016  pgoyette Rename LOCALCOUNT_INITIALIZER to DEVSW_MODULE_INIT. This better describes
what we're doing, and why.
 1.31.2.2  19-Jul-2016  pgoyette Instead of repeatedly typing the conditional initialization of the
.d_localcount members in the various {b,c}devsw, define an initializer
macro and use it. This also removes the need for defining new symbols
for each 'struct localcount'.

As suggested by riastradh@
 1.31.2.1  18-Jul-2016  pgoyette Rump drivers are always installed via devsw_attach() so we need to
always allocate a 'struct localcount' for these drivers whenever they
are built as modules.
 1.33.6.2  29-Apr-2017  pgoyette Remove more unnecessary #include for sys/localcount.h
 1.33.6.1  27-Apr-2017  pgoyette Restore all work from the former pgoyette-localcount branch (which is
now abandoned doe to cvs merge botch).

The branch now builds, and installs via anita. There are still some
problems (cgd is non-functional and all atf tests time-out) but they
will get resolved soon.
 1.34.10.2  13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.34.10.1  10-Jun-2019  christos Sync with HEAD
 1.34.8.2  26-Jan-2019  pgoyette Sync with HEAD
 1.34.8.1  30-Sep-2018  pgoyette Ssync with HEAD
 1.38.2.4  20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.38.2.3  01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.38.2.2  13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.38.2.1  07-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #25):

sys/net/npf/npf_conn.h: revision 1.17
sys/net/npf/npf.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.28
sys/net/npf/npf_conn.c: revision 1.29

Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.41.2.1  29-Feb-2020  ad Sync with head.

RSS XML Feed