History log of /src/usr.sbin/npf/npfctl/npf_bpf_comp.c
Revision  Date  Author  Comments
 1.19  10-Jul-2025  joe Add more tests to layer2 filtering for variables as a set

simplify the BPF code for multiword
we have tests to cover all possible cases in layer2 filtering
 1.18  01-Jul-2025  joe userland code for layer 2 filtering in NPF

reviewed by christos@
 1.17  30-Oct-2024  riastradh npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.

PR bin/55403: npfctl miscompiles IPv6 rules
 1.16  30-May-2020  rmind branches: 1.16.6; 1.16.8;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.15  25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.14  08-Aug-2019  rmind NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.
 1.13  23-Jul-2019  rmind branches: 1.13.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.12  17-Apr-2019  tih Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

The documented default "flags S/SAFR" for stateful rules that affect
TCP packets but don't specify any flags doesn't actually get applied
to a rule like "pass stateful out all". The big problem with this is
that when you then do a "block return-rst" for an incoming packet, the
generated RST packet will create state for the connection attempt it's
blocking, so that a second attempt from the same source will pass.

This change makes the default flags actually apply to such simple
rules. It also fixes a related bug in the code generation for the
flag matching, where part of the action could erroneously be omitted.

Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8
 1.11  29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, a different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.10  27-Dec-2016  rmind branches: 1.10.6; 1.10.12; 1.10.14;
npf.conf: add support for logical NOT, e.g.: pass from ! 10.0.0.1 to any
 1.9  26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.8  08-Jun-2015  rmind branches: 1.8.2;
- npfctl: fix the confusion in the parser (0/0 case with no other filter).
- Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC.
 1.7  29-Jun-2014  rmind branches: 1.7.2; 1.7.4;
NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.
 1.6  31-May-2014  rmind npfctl_build_code: generate TCP/UDP check for ports case when other blocks
do not imply L4 check; add an assert in npfctl_bpf_proto() and elsewhere.
 1.5  15-May-2014  rmind branches: 1.5.2;
NPF: imply SYN-only check for the stateful rules by default (when inspecting
TCP packets). Many users trip here. This behaviour can be overridden with the
explicit "flags" keyword, but other configuration does not really make sense.
 1.4  15-Mar-2014  rmind branches: 1.4.2;
npfctl_bpf_cidr: another bug fix in handling IPv6 masks (bug found on ARM).
 1.3  13-Feb-2014  rmind npfctl_bpf_cidr: fix a bug in handling of smaller IPv6 masks.
 1.2  05-Nov-2013  rmind npfctl: optimise fetch_l3() to avoid unnecessary call to NPF_COP_L3.
 1.1  19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.4.2.1  10-Aug-2014  tls Rebase.
 1.5.2.2  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was split into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.5.2.1  15-May-2014  yamt file npf_bpf_comp.c was added on branch yamt-pagecache on 2014-05-22 11:43:07 +0000
 1.7.4.2  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.7.4.1  29-Jun-2014  tls file npf_bpf_comp.c was added on branch tls-maxphys on 2014-08-20 00:05:11 +0000
 1.7.2.1  10-Jun-2015  snj Pull up following revision(s) (requested by rmind in ticket #835):
sys/net/npf/npf_ctl.c: revision 1.42
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.40
- npfctl: fix the confusion in the parser (0/0 case with no other filter).
- Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC.
 1.8.2.1  07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.10.14.2  13-Apr-2020  martin Mostly merge changes from HEAD up to 20200411
 1.10.14.1  10-Jun-2019  christos Sync with HEAD
 1.10.12.1  30-Sep-2018  pgoyette Sync with HEAD
 1.10.6.1  19-Apr-2019  martin Pull up following revision(s) (requested by tih in ticket #1232):

usr.sbin/npf/npfctl/npf_build.c: revision 1.48
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.12

Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

The documented default "flags S/SAFR" for stateful rules that affect
TCP packets but don't specify any flags doesn't actually get applied
to a rule like "pass stateful out all". The big problem with this is
that when you then do a "block return-rst" for an incoming packet, the
generated RST packet will create state for the connection attempt it's
blocking, so that a second attempt from the same source will pass.

This change makes the default flags actually apply to such simple
rules. It also fixes a related bug in the code generation for the
flag matching, where part of the action could erroneously be omitted.

Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8
 1.13.2.4  17-Nov-2024  martin Pull up following revision(s) (requested by riastradh in ticket #1918):

usr.sbin/npf/npftest/npftest.conf: revision 1.10
usr.sbin/npf/npftest/npftest.conf: revision 1.11
usr.sbin/npf/npftest/npftest.conf: revision 1.12
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.23
tests/net/npf/t_npf.sh: revision 1.5
tests/net/npf/t_npf.sh: revision 1.6
tests/net/npf/t_npf.sh: revision 1.7

npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules
npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.
PR bin/55403: npfctl miscompiles IPv6 rules
 1.13.2.3  20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.13.2.2  01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.13.2.1  11-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #44):

usr.sbin/npf/npfctl/npfctl.h: revision 1.49
usr.sbin/npf/npfctl/npf_build.c: revision 1.51
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.14

NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.
 1.16.8.1  02-Aug-2025  perseant Sync with HEAD
 1.16.6.1  17-Nov-2024  martin Pull up following revision(s) (requested by riastradh in ticket #1002):

usr.sbin/npf/npftest/npftest.conf: revision 1.10
usr.sbin/npf/npftest/npftest.conf: revision 1.11
usr.sbin/npf/npftest/npftest.conf: revision 1.12
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.23
tests/net/npf/t_npf.sh: revision 1.5
tests/net/npf/t_npf.sh: revision 1.6
tests/net/npf/t_npf.sh: revision 1.7

npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules

npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules

npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules

npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules

npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.
PR bin/55403: npfctl miscompiles IPv6 rules