History log of /src/sys/net/npf/npf_conn.c

| Revision | Date | Author | Comments |
|---|---|---|---|
| 1.35 | 22-Jan-2023 | riastradh | npf(9): Update comment to reduce diff from upstream. No functional change. |
| 1.34 | 13-Feb-2022 | riastradh | npf(4): Use atomic_store_release and atomic_load_consume for conn_db. ...or atomic_load_relaxed, when npf->conn_lock is held, for the sake of C11. No need for store-before-load implied by membar_sync. |
| 1.33 | 25-Jan-2021 | christos | s/npf_config_lock/npf->config_lock/ in the comments |
| 1.32 | 30-May-2020 | rmind | branches: 1.32.2; Major NPF improvements (merge from upstream): - Switch to the C11-style atomic primitives using atomic_loadstore(9). - npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep the NAT logic always per-interface, though. - npfkern: rewrite the G/C worker logic and make it self-tuning. - npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code. - npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages. - Amend and improve the manual pages. |
| 1.31 | 23-May-2020 | rmind | Backport selected NPF fixes from the upstream (to be pulled up): - npf_conndb_lookup: protect the connection lookup with pserialize(9), instead of incorrectly assuming that the handler always runs at IPL_SOFTNET. Should fix crashes reported on high load (PR/55182). - npf_config_destroy: handle partially initialized config; fixes crashes with some invalid configurations. - NAT policy creation / destruction: set the initial reference and do not wait for reference draining on destruction; destroy the policy on the last reference drop instead. Fixes a lockup with the dynamic NAT rules. - npf_nat_{export,import}: fix a regression since dynamic NAT rules. - npfctl: fix a regression and restore the default group behaviour. - Add npf_cache_tcp() and validate the TCP data offset (from maxv@). |
| 1.30 | 29-Sep-2019 | rmind | NPF ifmap: rework and fix a few small bugs. |
| 1.29 | 06-Aug-2019 | christos | - npf_conn_init(): fix a race when initialising the G/C thread. - Fix a bug when a partially initialised connection is destroyed on error. (from rmind@) |
| 1.28 | 06-Aug-2019 | christos | Introduce an npf_conn_destroy_idx() that can handle partially constructed conn structures. |
| 1.27 | 23-Jul-2019 | rmind | branches: 1.27.2; NPF improvements: - Add support for dynamic NETMAP algorithm (stateful net-to-net). - Add most of the support for the dynamic NAT rules; a little bit more userland work is needed to finish this up and enable. - Replace 'stateful-ends' with more permissive 'stateful-all'. - Add various tunable parameters and document them, see npf-params(7). - Reduce the memory usage of the connection state table (conndb). - Portmap rewrite: use memory more efficiently, handle addresses dynamically. - Bug fix: add splsoftnet()/splx() around the thmap writers and comment. - npftest: clean up and simplify; fix some memleaks to make ASAN happy. |
| 1.26 | 19-Jan-2019 | rmind | Major NPF improvements: - Convert NPF connection table to thmap. State lookup is now lock-free. - Improve connection state G/C: it is now incremental and tunable. - Add support for dynamic NAT address. Translation addresses can now be selected from a pool of addresses. There are two selection algorithms, "ip-hash" and "round-robin" (see the man page). - Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf to dynamically choose an IP from the interface address(es). - Add support for the NETMAP algorithm with static NAT for net-to-net translation (it is equivalent to iptables NETMAP logic). - Convert 'ipset' tables to use thmap; the table lookup is now lock-free. - Misc improvements, bug fixes and more unit tests. - Bump NPF_VERSION (will also bump libnpf). |
| 1.25 | 29-Sep-2018 | rmind | NPF: Major rework -- migrate NPF to the libnv library. - This conversion significantly simplifies the code and moves NPF to a binary serialisation format (replacing the XML-like format). - Fix some memory/reference leaks and possibly use-after-free bugs. - Bump NPF_VERSION as this change makes libnpf incompatible with the previous versions. Also, different serialisation format means NPF connection/config saving and loading is not compatible with the previous versions either. Thanks to christos@ for extra testing. |
| 1.24 | 10-Dec-2017 | rmind | branches: 1.24.2; 1.24.4; - npf_cop_table: handle non-IP packets in the ether (fixes PR/52290). - npfa_icmp_nat: do not recompute the checksum if no port translation. - npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT. - npflog: report the packet direction correctly. |
| 1.23 | 29-Jan-2017 | christos | - Increase copyin buffer size to 4M. - Change log output format to be like OpenBSD's pf, including in the header the matching rule etc., and fill in the matching info. |
| 1.22 | 26-Dec-2016 | christos | branches: 1.22.2; Sync NPF with the version on github: backport standalone NPF changes, which allow us to create and run separate NPF instances. Minor fixes. (from rmind@) |
| 1.21 | 10-Dec-2016 | christos | revert dir hack. |
| 1.20 | 10-Dec-2016 | christos | Welcome to version 18: - Connection state keys are not stored and loaded using the logical key contents. - connection finder key is stored in a map that contains the key and the direction. |
| 1.19 | 10-Dec-2016 | kre | Remove what looks like remnant (partly removed already) debug code, which could not possibly compile as it was. |
| 1.18 | 10-Dec-2016 | christos | add functionality to lookup a nat entry from the connection list. |
| 1.17 | 08-Dec-2016 | rmind | NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus pass-through them on other interfaces. Per discussion with christos@. |
| 1.16 | 05-Feb-2015 | rmind | branches: 1.16.2; npf_conn_establish: fix the previous change - drop the reference on error. |
| 1.15 | 01-Feb-2015 | rmind | - npf_conn_establish: remove a rare race condition when we might destroy a connection when it is still referenced by another thread. - npf_conn_destroy: remove the backwards entry using the saved key, PR/49488. - Sprinkle some asserts. |
| 1.14 | 20-Dec-2014 | rmind | NPF: set the connection flags atomically in the post-creation logic and fix a tiny race condition window. Might fix PR/49488. |
| 1.13 | 30-Nov-2014 | rmind | NPF: - npf_nat_import: take the port only if using the portmap. - Sprinkle some comments and asserts. |
| 1.12 | 24-Aug-2014 | rmind | branches: 1.12.2; - npf_conn_import: add a missing stat counter increment. - npf_nat_import: add a missing reference and make a comment. |
| 1.11 | 11-Aug-2014 | rmind | branches: 1.11.2; - Add and use npf_alg_export(). - npf_conn_import: handle NAT metadata correctly. - npf_nat_newpolicy: restore the policy ID. - npfctl_load: fix error code handling for the limit cases. - npf_config_import: fix the inverted logic. - npfctl_load: improve error handling. |
| 1.10 | 10-Aug-2014 | rmind | branches: 1.10.2; - Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport(). - Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save the interface name; pick it up on npf_conn_import(). - Misc fixes. Bump NPF_VERSION. |
| 1.9 | 26-Jul-2014 | rmind | branches: 1.9.2; npf_conn_conkey: fix a comment. |
| 1.8 | 25-Jul-2014 | rmind | npf_conn_conkey: adjust to return the key length and add a comment describing the key layout. |
| 1.7 | 25-Jul-2014 | rmind | npf_mk_connlist: destroy the connections on error path. |
| 1.6 | 23-Jul-2014 | rmind | NPF: rework of the connection saving and restoring: - Add support for saving a snapshot of the current connections together with a full configuration. Support a reverse load operation. Eliminate the old 'sess-save' and 'sess-load' in favour of the new mechanism. - Share code between load and reload operations: the latter performs load from npf.conf without affecting the connections. - Simplify and fix races with connection loading. - Bump NPF_VERSION. |
| 1.5 | 20-Jul-2014 | joerg | Drop variable only used in return. |
| 1.4 | 20-Jul-2014 | rmind | NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument. |
| 1.3 | 19-Jul-2014 | christos | gcc-4.8 complains about not being able to inline |
| 1.2 | 19-Jul-2014 | rmind | Fix gcc warnings. |
| 1.1 | 19-Jul-2014 | rmind | NPF: partially rewrite the connection tracking mechanism: - Separate the tracking interface from the storage (state table) and thus prepare to use a new data structure for the storage. - Fix some race conditions in NAT association logic. |
| 1.9.2.2 | 10-Aug-2014 | tls | Rebase. |
| 1.9.2.1 | 26-Jul-2014 | tls | file npf_conn.c was added on branch tls-earlyentropy on 2014-08-10 06:56:16 +0000 |
| 1.10.2.5 | 15-Mar-2015 | snj | Pull up following revision(s) (requested by rmind in ticket #586): sys/net/npf/npf_conn.c: revision 1.16 npf_conn_establish: fix the previous change - drop the reference on error. |
| 1.10.2.4 | 04-Feb-2015 | snj | Pull up following revision(s) (requested by rmind in ticket #479): lib/libnpf/npf.c: revision 1.35 lib/libnpf/npf.h: revision 1.28 sys/net/npf/npf_conn.c: revision 1.15 sys/net/npf/npf_impl.h: revision 1.61 sys/net/npf/npf_ruleset.c: revision 1.41 usr.sbin/npf/npfctl/npf.conf.5: revision 1.44 usr.sbin/npf/npfctl/npf_parse.y: revision 1.37 usr.sbin/npf/npfctl/npf_show.c: revisions 1.16, 1.17 usr.sbin/npf/npfctl/npfctl.c: revision 1.46 load the config file before bpfjit so that we can disable the warning. -- Don't depend on yacc to include stdlib.h or string.h. -- - npf_conn_establish: remove a rare race condition when we might destroy a connection when it is still referenced by another thread. - npf_conn_destroy: remove the backwards entry using the saved key, PR/49488. - Sprinkle some asserts. -- npf.conf(5): mention alg, include in the example, minor fix. -- npfctl(8): report dynamic rule ID in a comment, print the case when libpcap is used correctly. Also, add npf_ruleset_dump() helper in the kernel. -- libnpf: add npf_rule_getid() and npf_rule_getcode(). Missed in the previous commit. -- npfctl_print_rule: print the ID in hex, not decimal. |
| 1.10.2.3 | 22-Dec-2014 | msaitoh | Pull up following revision(s) (requested by rmind in ticket #347): sys/net/npf/npf_nat.c: revision 1.38 sys/net/npf/npf_conn.h: revision 1.8 sys/net/npf/npf_conn.c: revision 1.14 NPF: set the connection flags atomically in the post-creation logic and fix a tiny race condition window. Might fix PR/49488. |
| 1.10.2.2 | 01-Dec-2014 | martin | Pull up following revision(s) (requested by rmind in ticket #280): sys/net/npf/npf_ruleset.c: revision 1.40 sys/net/npf/npf_nat.c: revision 1.36 sys/net/npf/npf_nat.c: revision 1.37 sys/net/npf/npf_conn.h: revision 1.7 sys/net/npf/npf_conf.c: revision 1.9 sys/net/npf/npf_ruleset.c: revision 1.39 sys/net/npf/npf_conn.c: revision 1.13 sys/net/npf/npf_impl.h: revision 1.60 NPF: - npf_nat_import: take the port only if using the portmap. - Sprinkle some comments and asserts. - npf_config_load: if loading the connections, do not perform any active NAT policy take over or portmap sharing - just replace them all. - npf_config_fini: flush with the empty connection database. - npf_nat_import: fix the stat counter. |
| 1.10.2.1 | 29-Aug-2014 | martin | Pull up following revision(s) (requested by rmind in ticket #56): sys/net/npf/npf_ctl.c: revision 1.39 usr.sbin/npf/npfctl/npfctl.c: revision 1.43 lib/libnpf/npf.c: revision 1.33 lib/libnpf/npf.c: revision 1.34 sys/net/npf/npf_impl.h: revision 1.59 sys/net/npf/npf_ctl.c: revision 1.40 sys/net/npf/npf_conn.c: revision 1.11 sys/net/npf/npf_alg.c: revision 1.15 sys/net/npf/npf_conn.c: revision 1.12 sys/net/npf/npf_nat.c: revision 1.33 sys/net/npf/npf_nat.c: revision 1.34 Add and use npf_alg_export(). npf_conn_import: handle NAT metadata correctly. npf_nat_newpolicy: restore the policy ID. npfctl_load: fix error code handling for the limit cases. npf_config_import: fix the inverted logic. npfctl_load: improve error handling. npf_conn_import: add a missing stat counter increment. npf_nat_import: add a missing reference and make a comment. npf_config_submit: finally, include the saved connections. |
| 1.11.2.3 | 03-Dec-2017 | jdolecek | update from HEAD |
| 1.11.2.2 | 20-Aug-2014 | tls | Rebase to HEAD as of a few days ago. |
| 1.11.2.1 | 11-Aug-2014 | tls | file npf_conn.c was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000 |
| 1.12.2.2 | 05-Feb-2017 | skrll | Sync with HEAD |
| 1.12.2.1 | 06-Apr-2015 | skrll | Sync with HEAD |
| 1.16.2.2 | 20-Mar-2017 | pgoyette | Sync with HEAD |
| 1.16.2.1 | 07-Jan-2017 | pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$ tag issues.) |
| 1.22.2.1 | 21-Apr-2017 | bouyer | Sync with HEAD |
| 1.24.4.2 | 13-Apr-2020 | martin | Mostly merge changes from HEAD upto 20200411 |
| 1.24.4.1 | 10-Jun-2019 | christos | Sync with HEAD |
| 1.24.2.2 | 26-Jan-2019 | pgoyette | Sync with HEAD |
| 1.24.2.1 | 30-Sep-2018 | pgoyette | Sync with HEAD |
| 1.27.2.4 | 20-Jun-2020 | martin | Pull up following revision(s) (requested by rmind in ticket #956): usr.sbin/npf/npf-params.7: revision 1.4 sys/net/npf/npf_worker.c: revision 1.9 usr.sbin/npf/npftest/npftest.h: revision 1.17 usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16 usr.sbin/npf/npf-params.7: revision 1.5 sys/net/npf/npf_state_tcp.c: revision 1.21 usr.sbin/npf/npfctl/npf_build.c: revision 1.55 usr.sbin/npf/npf-params.7: revision 1.6 sys/net/npf/npfkern.h: revision 1.5 lib/libnpf/npf.c: revision 1.49 usr.sbin/npf/npf-params.7: revision 1.7 sys/net/npf/npf_impl.h: revision 1.81 sys/net/npf/npf_ext_log.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.h: revision 1.53 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11 sys/net/npf/npf_nat.c: revision 1.50 sys/net/npf/npf_mbuf.c: revision 1.24 sys/net/npf/npf_alg.c: revision 1.22 usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14 usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10 sys/net/npf/npf.h: revision 1.63 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21 usr.sbin/npf/npfctl/npf_var.c: revision 1.13 sys/net/npf/files.npf: revision 1.23 usr.sbin/npf/npfctl/npf_show.c: revision 1.32 usr.sbin/npf/npfctl/npf.conf.5: revision 1.91 sys/net/npf/npf_os.c: revision 1.18 sys/net/npf/npf_connkey.c: revision 1.2 sys/net/npf/npf_conf.c: revision 1.17 lib/libnpf/libnpf.3: revision 1.12 usr.sbin/npf/npftest/npftest.c: revision 1.25 usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_parse.y: revision 1.51 sys/net/npf/npf_tableset.c: revision 1.35 usr.sbin/npf/npftest/npftest.conf: revision 1.9 sys/net/npf/npf_sendpkt.c: revision 1.22 usr.sbin/npf/npfctl/npf_var.h: revision 1.10 sys/net/npf/npf_state.c: revision 1.23 sys/net/npf/npf_conn.h: revision 1.20 usr.sbin/npf/npfctl/npfctl.c: revision 1.64 usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1 sys/net/npf/npf_portmap.c: revision 1.5 sys/net/npf/npf_params.c: revision 1.3 usr.sbin/npf/npfctl/npf_scan.l: revision 1.32 tests/net/npf/t_npf.sh: revision 1.4 sys/net/npf/npf_ext_rndblock.c: revision 1.9 lib/libnpf/npf.h: revision 1.39 sys/net/npf/npf_ruleset.c: revision 1.51 sys/net/npf/npf_alg_icmp.c: revision 1.33 sys/net/npf/npf.c: revision 1.43 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.8: revision 1.25 sys/net/npf/npf_ctl.c: revision 1.60 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11 sys/net/npf/npf_handler.c: revision 1.49 sys/net/npf/npf_inet.c: revision 1.57 sys/net/npf/npf_ifaddr.c: revision 1.7 sys/net/npf/npf_conndb.c: revision 1.9 sys/net/npf/npf_if.c: revision 1.13 usr.sbin/npf/npfctl/Makefile: revision 1.15 sys/net/npf/npf_conn.c: revision 1.32 sys/net/npf/npf_ext_normalize.c: revision 1.10 sys/net/npf/npf_rproc.c: revision 1.20 sys/net/npf/npf_worker.c: revision 1.8 Major NPF improvements (merge from upstream): - Switch to the C11-style atomic primitives using atomic_loadstore(9). - npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep the NAT logic always per-interface, though. - npfkern: rewrite the G/C worker logic and make it self-tuning. - npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code. - npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages. - Amend and improve the manual pages. npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar. npftest -- npf_test_init(): add a workaround for NetBSD. npf-params(7): fix the state.key defaults. npf-params.7: s/filer/filter/ Adjust to "npfctl debug" command line changes, from rmind@. Use more markup. |
| 1.27.2.3 | 25-May-2020 | martin | Pull up following revision(s) (requested by rmind in ticket #930): usr.sbin/npf/npfctl/npf_build.c: revision 1.54 sys/net/npf/npf_conn.h: revision 1.19 usr.sbin/npf/npfctl/npfctl.h: revision 1.52 usr.sbin/npf/npfctl/npf_show.c: revision 1.31 sys/net/npf/npf_conf.c: revision 1.16 sys/net/npf/npf_nat.c: revision 1.49 sys/net/npf/npf_inet.c: revision 1.56 sys/net/npf/npf_conndb.c: revision 1.8 sys/net/npf/npf_conn.c: revision 1.31 Backport selected NPF fixes from the upstream (to be pulled up): - npf_conndb_lookup: protect the connection lookup with pserialize(9), instead of incorrectly assuming that the handler always runs at IPL_SOFTNET. Should fix crashes reported on high load (PR/55182). - npf_config_destroy: handle partially initialized config; fixes crashes with some invalid configurations. - NAT policy creation / destruction: set the initial reference and do not wait for reference draining on destruction; destroy the policy on the last reference drop instead. Fixes a lockup with the dynamic NAT rules. - npf_nat_{export,import}: fix a regression since dynamic NAT rules. - npfctl: fix a regression and restore the default group behaviour. - Add npf_cache_tcp() and validate the TCP data offset (from maxv@). |
| 1.27.2.2 | 04-Oct-2019 | martin | Pull up following revision(s) (requested by rmind in ticket #282): usr.sbin/npf/npfctl/npf_build.c: revision 1.53 lib/libnpf/npf.c: revision 1.48 usr.sbin/npf/npfctl/npfctl.h: revision 1.50 sys/net/npf/npf_impl.h: revision 1.80 usr.sbin/npf/npfctl/npfctl.h: revision 1.51 sys/net/npf/npf_ruleset.c: revision 1.49 usr.sbin/npf/npfctl/npf.conf.5: revision 1.90 sys/net/npf/npf_ctl.c: revision 1.59 lib/libnpf/libnpf.3: revision 1.11 usr.sbin/npf/npfctl/npf_parse.y: revision 1.50 usr.sbin/npf/npftest/npftest.conf: revision 1.8 usr.sbin/npf/npfctl/npfctl.c: revision 1.62 usr.sbin/npf/npfctl/npfctl.c: revision 1.63 usr.sbin/npf/npfctl/npf_scan.l: revision 1.30 usr.sbin/npf/npfctl/npfctl.8: revision 1.22 lib/libnpf/npf.h: revision 1.38 usr.sbin/npf/npfctl/npfctl.8: revision 1.23 usr.sbin/npf/npfctl/npfctl.8: revision 1.24 sys/net/npf/npf_if.c: revision 1.11 sys/net/npf/npf_if.c: revision 1.12 usr.sbin/npf/npfctl/npf.conf.5: revision 1.89 sys/net/npf/npf_conn.c: revision 1.30 usr.sbin/npf/npfctl/npf_build.c: revision 1.52 npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. NPF ifmap: rework and fix a few small bugs. npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. (missed a file in previous commit; cvs is so helpful..) libnpf/npfctl: support dynamic NAT rulesets using a name prefix. Use -width Pa for FILES. Fix pasto in table replace -t type Use -width Pa for FILES. npf_ifmap_copylogname: be more defensive. |
| 1.27.2.1 | 07-Aug-2019 | martin | Pull up following revision(s) (requested by rmind in ticket #25): sys/net/npf/npf_conn.h: revision 1.17 sys/net/npf/npf.c: revision 1.39 sys/net/npf/npf_conn.c: revision 1.28 sys/net/npf/npf_conn.c: revision 1.29 Introduce an npf_conn_destroy_idx() that can handle partially constructed conn structures. - npf_conn_init(): fix a race when initialising the G/C thread. - Fix a bug when a partially initialised connection is destroyed on error. (from rmind@) |
| 1.32.2.1 | 03-Apr-2021 | thorpej | Sync with HEAD. |
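The TCP data-offset validation named in the 1.31 entry (and repeated in its 1.27.2.3 pull-up) is the bound a connection tracker must establish before it reads anything past the fixed 20-byte TCP header: a data offset below 5 words describes a header shorter than itself, and one that extends past the bytes actually held turns any option walk (MSS clamping, as in the 1.24 entry, or an ALG) into an out-of-bounds read. The following is an added, userland C example written for this page; it is not NPF's npf_cache_tcp() or any other NetBSD code, and the names tcp_hdr_check, tcp_find_mss, tcp_parse_mss and the sample segments are this example's own constructions.

```c
/* Added example, not NPF code: validate the TCP data offset before any
 * access beyond the fixed header, then walk options inside that bound. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_MIN_HDRLEN 20u

enum tcp_check {
	TCP_OK = 0,
	TCP_ERR_TRUNCATED,	/* fewer than 20 bytes of TCP header present */
	TCP_ERR_DOFF_SMALL,	/* data offset < 5 words: header shorter than itself */
	TCP_ERR_DOFF_LONG,	/* data offset reaches past the bytes actually held */
	TCP_ERR_OPT_LEN		/* an option length field runs outside the header */
};

struct tcp_view {
	uint16_t sport, dport;
	uint8_t flags;
	size_t hdrlen;		/* validated header length, 20..60 bytes */
	const uint8_t *payload;	/* first byte after the header */
	size_t payloadlen;
};

/* Check the 4-bit data offset against both its own minimum and the
 * number of bytes we really have; only then expose header fields. */
enum tcp_check
tcp_hdr_check(const uint8_t *buf, size_t len, struct tcp_view *v)
{
	if (len < TCP_MIN_HDRLEN)
		return TCP_ERR_TRUNCATED;
	size_t hdrlen = (size_t)(buf[12] >> 4) * 4;	/* at most 15 * 4 = 60 */
	if (hdrlen < TCP_MIN_HDRLEN)
		return TCP_ERR_DOFF_SMALL;
	if (hdrlen > len)
		return TCP_ERR_DOFF_LONG;
	if (v != NULL) {
		v->sport = (uint16_t)((buf[0] << 8) | buf[1]);
		v->dport = (uint16_t)((buf[2] << 8) | buf[3]);
		v->flags = buf[13];
		v->hdrlen = hdrlen;
		v->payload = buf + hdrlen;
		v->payloadlen = len - hdrlen;
	}
	return TCP_OK;
}

/* Walk the option area [20, hdrlen) looking for MSS (kind 2). Every read
 * is bounded by the validated hdrlen, never by the raw offset nibble. */
enum tcp_check
tcp_find_mss(const uint8_t *buf, const struct tcp_view *v, uint16_t *mss)
{
	size_t off = TCP_MIN_HDRLEN;
	*mss = 0;
	while (off < v->hdrlen) {
		uint8_t kind = buf[off];
		if (kind == 0)			/* EOL: only padding follows */
			break;
		if (kind == 1) {		/* NOP: single byte, no length */
			off++;
			continue;
		}
		if (off + 1 >= v->hdrlen)	/* no room for a length byte */
			return TCP_ERR_OPT_LEN;
		uint8_t optlen = buf[off + 1];
		if (optlen < 2 || off + optlen > v->hdrlen)
			return TCP_ERR_OPT_LEN;	/* zero-length loop or overrun */
		if (kind == 2 && optlen == 4)
			*mss = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
		off += optlen;
	}
	return TCP_OK;
}

/* Header check followed by MSS extraction; *mss is 0 on error or absence. */
enum tcp_check
tcp_parse_mss(const uint8_t *buf, size_t len, uint16_t *mss)
{
	struct tcp_view v;
	enum tcp_check rc = tcp_hdr_check(buf, len, &v);
	*mss = 0;
	return rc != TCP_OK ? rc : tcp_find_mss(buf, &v, mss);
}

/* Constructed sample segments (not captured traffic). Byte 12 carries the
 * data offset in its high nibble, byte 13 the flags (0x02 = SYN). */
#define HDR12 0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0	/* 1234 -> 80 */
static const uint8_t seg_plain[20]      = { HDR12, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
static const uint8_t seg_opts[28]       = { HDR12, 0x70, 0x02, 0xff, 0xff, 0, 0, 0, 0,
	0x02, 0x04, 0x05, 0xb4,		/* MSS = 1460 */
	0x01, 0x01, 0x00, 0x00 };	/* NOP, NOP, EOL, pad */
static const uint8_t seg_doff_small[20] = { HDR12, 0x40, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
static const uint8_t seg_doff_long[20]  = { HDR12, 0xf0, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
static const uint8_t seg_opt_overrun[24] = { HDR12, 0x60, 0x02, 0xff, 0xff, 0, 0, 0, 0,
	0x02, 0x08, 0x05, 0xb4 };	/* MSS claims 8 bytes, 4 remain */

static int status_of(const uint8_t *buf, size_t len)
{
	uint16_t mss;
	return (int)tcp_parse_mss(buf, len, &mss);
}

static uint16_t mss_of(const uint8_t *buf, size_t len)
{
	uint16_t mss;
	(void)tcp_parse_mss(buf, len, &mss);
	return mss;
}

int main(void)
{
	static const char *const names[] = { "ok", "truncated", "doff < 5",
	    "doff past buffer", "bad option length" };
	printf("plain:       %s mss=%u\n", names[status_of(seg_plain, 20)], mss_of(seg_plain, 20));
	printf("with opts:   %s mss=%u\n", names[status_of(seg_opts, 28)], mss_of(seg_opts, 28));
	printf("short cut:   %s\n", names[status_of(seg_plain, 19)]);
	printf("doff small:  %s\n", names[status_of(seg_doff_small, 20)]);
	printf("doff long:   %s\n", names[status_of(seg_doff_long, 20)]);
	printf("opt overrun: %s\n", names[status_of(seg_opt_overrun, 24)]);
	return 0;
}
```

The two rejections that matter for state tracking are TCP_ERR_DOFF_SMALL and TCP_ERR_DOFF_LONG: the first is an inconsistent header, the second is a header the sender claims but did not deliver, and both must be dropped before any code computes a payload pointer from the offset field.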