| History log of /src/usr.sbin/npf/npftest/libnpftest |
| Revision | Date | Author | Comments |
| 1.14 | 20-Jul-2025 |
joe | l2 only tests
for this test suite, we test to ensure that all frames
are passed by default when no layer 2 rules are set in the config
reviewed by christos@
|
| 1.13 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.12 | 01-Jun-2025 |
joe | testing for NPF user/group filtering: reviewed by christos@
|
| 1.11 | 30-May-2020 |
rmind | branches: 1.11.8;
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.10 | 19-Jan-2019 |
rmind | branches: 1.10.2;
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.9 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.8 | 16-Nov-2013 |
rmind | branches: 1.8.24; 1.8.26;
Enable bpfjit for npftest.
|
| 1.7 | 24-Sep-2013 |
rmind | npftest: add some concurrency testing code.
|
| 1.6 | 19-Sep-2013 |
rmind | NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
|
| 1.5 | 19-Sep-2013 |
rmind | - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
|
| 1.4 | 12-Aug-2012 |
rmind | branches: 1.4.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.3 | 04-Jun-2012 |
rmind | branches: 1.3.2;
npftest: add a module for TCP state tracking and add few test cases.
|
| 1.2 | 30-May-2012 |
rmind | npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
|
| 1.1 | 14-Apr-2012 |
rmind | branches: 1.1.2;
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
|
| 1.1.2.4 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.2.3 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.2.1 | 14-Apr-2012 |
yamt | file Makefile was added on branch yamt-pagecache on 2012-04-17 00:09:51 +0000
|
| 1.3.2.3 | 13-Aug-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.3.2.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.3.2.1 | 04-Jun-2012 |
riz | file Makefile was added on branch netbsd-6 on 2012-06-26 00:07:18 +0000
|
| 1.4.2.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.8.26.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.8.24.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.8.24.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.10.2.1 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.11.8.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.12 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.11 | 23-Jul-2019 |
rmind | branches: 1.11.12;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.10 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.9 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.8 | 26-Dec-2016 |
christos | branches: 1.8.12; 1.8.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.7 | 20-Jul-2014 |
rmind | branches: 1.7.4; 1.7.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
|
| 1.6 | 25-Jun-2014 |
rmind | Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).
|
| 1.5 | 24-Jun-2014 |
alnsn | Implement copfuncs and external memory in bpfjit.
|
| 1.4 | 23-Nov-2013 |
rmind | branches: 1.4.2; 1.4.4;
npftest: adjust for the npf_bpf_filter() change.
|
| 1.3 | 16-Nov-2013 |
rmind | Enable bpfjit for npftest.
|
| 1.2 | 08-Nov-2013 |
rmind | NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.
Bump NPF_VERSION.
|
| 1.1 | 19-Sep-2013 |
rmind | - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
|
| 1.4.4.2 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.4.4.1 | 23-Nov-2013 |
yamt | file npf_bpf_test.c was added on branch yamt-pagecache on 2014-05-22 11:43:07 +0000
|
| 1.4.2.1 | 10-Aug-2014 |
tls | Rebase.
|
| 1.7.8.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.7.4.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.7.4.1 | 20-Jul-2014 |
tls | file npf_bpf_test.c was added on branch tls-maxphys on 2014-08-20 00:05:11 +0000
|
| 1.8.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.8.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.8.12.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.8.12.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.11.12.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.4 | 30-May-2020 |
rmind | Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.3 | 11-Aug-2019 |
rmind | Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
|
| 1.2 | 23-Jul-2019 |
rmind | branches: 1.2.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.1 | 19-Jan-2019 |
rmind | branches: 1.1.2; 1.1.4;
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.1.4.3 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.1.4.2 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.1.4.1 | 19-Jan-2019 |
christos | file npf_conn_test.c was added on branch phil-wifi on 2019-06-10 22:10:35 +0000
|
| 1.1.2.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.1.2.1 | 19-Jan-2019 |
pgoyette | file npf_conn_test.c was added on branch pgoyette-compat on 2019-01-26 22:00:39 +0000
|
| 1.2.2.2 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.2.2.1 | 13-Aug-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #49):
usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3
npf-params(7): add more bpf.jit details.
From David H. Gutteridge.
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
|
| 1.3 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.2 | 27-Aug-2020 |
riastradh | branches: 1.2.8;
npftest: Wait at least one tick in each gc busy wait iteration.
Otherwise the busy wait loop runs a little too fast for the gc about
half the times I run the test.
XXX We should really arrange mstohz to round up!
|
| 1.1 | 30-May-2020 |
rmind | branches: 1.1.2;
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.1.2.3 | 20-Jun-2020 |
martin | Adapt to netbsd-9 branch
|
| 1.1.2.2 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.1.2.1 | 30-May-2020 |
martin | file npf_gc_test.c was added on branch netbsd-9 on 2020-06-20 15:46:48 +0000
|
| 1.2.8.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.3 | 10-Jul-2025 |
joe | branches: 1.3.4;
Add more test to layer2 filtering for variables as a set
simplify the BPF code for multiword
we have tests to cover all possible cases in layer2 filtering
|
| 1.2 | 02-Jul-2025 |
christos | fix lint build
|
| 1.1 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.3.4.2 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.3.4.1 | 10-Jul-2025 |
perseant | file npf_l2rule_test.c was added on branch perseant-exfatfs on 2025-08-02 05:58:53 +0000
|
| 1.12 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.11 | 30-May-2020 |
rmind | branches: 1.11.8;
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.10 | 21-Aug-2019 |
rmind | - npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
|
| 1.9 | 23-Jul-2019 |
rmind | branches: 1.9.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.8 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.7 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.6 | 26-Dec-2016 |
christos | branches: 1.6.12; 1.6.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.5 | 13-Feb-2014 |
rmind | branches: 1.5.8;
NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.
Thanks to S.P.Zeidler for the help with NPTv6 work!
|
| 1.4 | 24-Dec-2012 |
rmind | - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
|
| 1.3 | 01-Jul-2012 |
rmind | branches: 1.3.2;
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
|
| 1.2 | 30-May-2012 |
rmind | branches: 1.2.2;
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
|
| 1.1 | 14-Apr-2012 |
rmind | branches: 1.1.2;
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
|
| 1.1.2.5 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.2.4 | 23-Jan-2013 |
yamt | sync with head
|
| 1.1.2.3 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.2.1 | 14-Apr-2012 |
yamt | file npf_mbuf_subr.c was added on branch yamt-pagecache on 2012-04-17 00:09:51 +0000
|
| 1.2.2.4 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.2.2.3 | 05-Jul-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
|
| 1.2.2.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.2.2.1 | 30-May-2012 |
riz | file npf_mbuf_subr.c was added on branch netbsd-6 on 2012-06-26 00:07:18 +0000
|
| 1.3.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.3.2.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.5.8.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.6.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.6.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.6.12.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.6.12.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.9.2.2 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.9.2.1 | 01-Sep-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #139):
lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37
- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
|
| 1.11.8.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.14 | 30-May-2020 |
rmind | Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.13 | 11-Aug-2019 |
rmind | Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
|
| 1.12 | 23-Jul-2019 |
rmind | branches: 1.12.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.11 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.10 | 26-Dec-2016 |
christos | branches: 1.10.12; 1.10.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.9 | 20-Jul-2014 |
rmind | branches: 1.9.6;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
|
| 1.8 | 13-Feb-2014 |
rmind | branches: 1.8.2;
NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.
Thanks to S.P.Zeidler for the help with NPTv6 work!
|
| 1.7 | 07-Feb-2014 |
rmind | NPF: add support for static (stateless) NAT.
|
| 1.6 | 05-Feb-2014 |
rmind | npftest: fix previous harder - pass and use libc's random(3).
|
| 1.5 | 05-Feb-2014 |
rmind | npftest: fix the failure of NAT test -- adjust for RUMP's conversion to
the in-kernel CPRNG (hi pooka!).
|
| 1.4 | 24-Sep-2013 |
rmind | npftest: add some concurrency testing code.
|
| 1.3 | 19-Sep-2013 |
rmind | - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
|
| 1.2 | 24-Dec-2012 |
rmind | - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
|
| 1.1 | 12-Aug-2012 |
rmind | branches: 1.1.2; 1.1.4; 1.1.6;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.1.6.4 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.6.3 | 23-Jan-2013 |
yamt | sync with head
|
| 1.1.6.2 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.6.1 | 12-Aug-2012 |
yamt | file npf_nat_test.c was added on branch yamt-pagecache on 2012-10-30 19:00:47 +0000
|
| 1.1.4.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.1.4.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.1.2.3 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.1.2.2 | 13-Aug-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.1.2.1 | 12-Aug-2012 |
riz | file npf_nat_test.c was added on branch netbsd-6 on 2012-08-13 17:49:53 +0000
|
| 1.8.2.1 | 10-Aug-2014 |
tls | Rebase.
|
| 1.9.6.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.10.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.10.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.10.12.1 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.12.2.2 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.12.2.1 | 13-Aug-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #49):
usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3
npf-params(7): add more bpf.jit details.
From David H. Gutteridge.
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
|
| 1.10 | 21-Aug-2019 |
rmind | - npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
|
| 1.9 | 25-Jul-2019 |
rmind | branches: 1.9.2;
npftest: fix double-free in npf_nbuf_test().
|
| 1.8 | 23-Jul-2019 |
rmind | NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.7 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.6 | 26-Dec-2016 |
christos | branches: 1.6.12; 1.6.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.5 | 08-Nov-2013 |
rmind | branches: 1.5.8;
NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.
Bump NPF_VERSION.
|
| 1.4 | 20-Jan-2013 |
rmind | - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.3 | 24-Dec-2012 |
rmind | - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
|
| 1.2 | 21-Aug-2012 |
rmind | branches: 1.2.2;
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
|
| 1.1 | 14-Apr-2012 |
rmind | branches: 1.1.2; 1.1.4;
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
|
| 1.1.4.4 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.1.4.3 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
|
| 1.1.4.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.1.4.1 | 14-Apr-2012 |
riz | file npf_nbuf_test.c was added on branch netbsd-6 on 2012-06-26 00:07:18 +0000
|
| 1.1.2.5 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.2.4 | 23-Jan-2013 |
yamt | sync with head
|
| 1.1.2.3 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.2.1 | 14-Apr-2012 |
yamt | file npf_nbuf_test.c was added on branch yamt-pagecache on 2012-04-17 00:09:51 +0000
|
| 1.2.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.2.2.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.5.8.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.6.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.6.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.6.12.1 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.9.2.1 | 01-Sep-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #139):
lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37
- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
|
| 1.9 | 11-Aug-2019 |
rmind | Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
|
| 1.8 | 23-Jul-2019 |
rmind | branches: 1.8.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.7 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.6 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.5 | 26-Dec-2016 |
christos | branches: 1.5.12; 1.5.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.4 | 25-Jun-2014 |
rmind | branches: 1.4.4; 1.4.8;
npftest: add an example in the README, fix the total in npf_test_conc().
|
| 1.3 | 24-Sep-2013 |
joerg | branches: 1.3.2; 1.3.4;
Add missing dead.
|
| 1.2 | 24-Sep-2013 |
rmind | npftest: add a choice of "rule" or "state" for -b option.
|
| 1.1 | 24-Sep-2013 |
rmind | npftest: add some concurrency testing code.
|
| 1.3.4.2 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.3.4.1 | 24-Sep-2013 |
yamt | file npf_perf_test.c was added on branch yamt-pagecache on 2014-05-22 11:43:07 +0000
|
| 1.3.2.1 | 10-Aug-2014 |
tls | Rebase.
|
| 1.4.8.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.4.4.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.4.4.1 | 25-Jun-2014 |
tls | file npf_perf_test.c was added on branch tls-maxphys on 2014-08-20 00:05:11 +0000
|
| 1.5.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.5.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.5.12.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.5.12.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.8.2.1 | 13-Aug-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #49):
usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3
npf-params(7): add more bpf.jit details.
From David H. Gutteridge.
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
|
| 1.5 | 19-Sep-2013 |
rmind | NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
|
| 1.4 | 24-Dec-2012 |
rmind | - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
|
| 1.3 | 21-Aug-2012 |
rmind | branches: 1.3.2;
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
|
| 1.2 | 01-Jul-2012 |
rmind | NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
|
| 1.1 | 14-Apr-2012 |
rmind | branches: 1.1.2; 1.1.4;
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
|
| 1.1.4.5 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.1.4.4 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
|
| 1.1.4.3 | 05-Jul-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
|
| 1.1.4.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.1.4.1 | 14-Apr-2012 |
riz | file npf_processor_test.c was added on branch netbsd-6 on 2012-06-26 00:07:19 +0000
|
| 1.1.2.5 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.2.4 | 23-Jan-2013 |
yamt | sync with head
|
| 1.1.2.3 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.2.1 | 14-Apr-2012 |
yamt | file npf_processor_test.c was added on branch yamt-pagecache on 2012-04-17 00:09:51 +0000
|
| 1.3.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.3.2.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.3 | 01-Jul-2025 |
joe | branches: 1.3.4;
Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.2 | 01-Jun-2025 |
skrll | Fix the build.
|
| 1.1 | 01-Jun-2025 |
joe | NPF user/group testing main module
|
| 1.3.4.2 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.3.4.1 | 01-Jul-2025 |
perseant | file npf_rid_test.c was added on branch perseant-exfatfs on 2025-08-02 05:58:53 +0000
|
| 1.26 | 20-Aug-2025 |
joe | PR bin/59511
when extracting variables for filtering in NPF, allow the handler to
recursively extract all variables that might be present in the parent variable
to fully get all the filter elements present in them. this issue poses a security risk
as intruders can find their way into your machine if you intend to block them
but have their IPs in a nested variable with other IPs as well.
so this needs to be pulled up to 9, 10, 11
this fix has been reviewed by christos@ and martin@ and tests have been included.
|
| 1.25 | 10-Aug-2025 |
mlelstv | Include local_ip3 in tests.
|
| 1.24 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.23 | 30-Oct-2024 |
riastradh | npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules
|
| 1.22 | 30-Oct-2024 |
riastradh | npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules
|
| 1.21 | 29-Oct-2024 |
riastradh | npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules
|
| 1.20 | 29-Oct-2024 |
riastradh | npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules
|
| 1.19 | 25-Aug-2019 |
rmind | branches: 1.19.8; 1.19.10;
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
|
| 1.18 | 11-Aug-2019 |
rmind | Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
|
| 1.17 | 23-Jul-2019 |
rmind | branches: 1.17.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.16 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.15 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.14 | 29-Jan-2017 |
christos | branches: 1.14.10; 1.14.12;
fix function argument.
|
| 1.13 | 26-Dec-2016 |
christos | branches: 1.13.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.12 | 10-Aug-2014 |
rmind | branches: 1.12.6;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
|
| 1.11 | 20-Jul-2014 |
rmind | NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
|
| 1.10 | 24-Sep-2013 |
rmind | branches: 1.10.2;
npftest: add some concurrency testing code.
|
| 1.9 | 19-Sep-2013 |
rmind | NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
|
| 1.8 | 19-Sep-2013 |
rmind | - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
|
| 1.7 | 18-Feb-2013 |
rmind | npftest/npf_blockall_rule: set NPF_RULE_DYNAMIC flag for the test rule.
|
| 1.6 | 16-Feb-2013 |
rmind | - Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
|
| 1.5 | 11-Feb-2013 |
rmind | npftest: adjust for recent change.
|
| 1.4 | 09-Feb-2013 |
rmind | NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
|
| 1.3 | 24-Dec-2012 |
rmind | - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
|
| 1.2 | 21-Aug-2012 |
rmind | branches: 1.2.2; 1.2.4;
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
|
| 1.1 | 12-Aug-2012 |
rmind | branches: 1.1.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.1.2.6 | 18-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #829):
usr.sbin/npf/npfctl/npfctl.8: revision 1.13
usr.sbin/npf/npfctl/npf_build.c: revision 1.21
lib/libnpf/npf.c: revision 1.18
sys/net/npf/npf_ctl.c: revision 1.23
usr.sbin/npf/npfctl/npfctl.h: revision 1.27
lib/libnpf/npf.h: revision 1.15
sys/net/npf/npf_ruleset.c: revision 1.19
sys/net/npf/npf_impl.h: revision 1.28
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.31
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.6
- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
|
| 1.1.2.5 | 11-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
|
| 1.1.2.4 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.1.2.3 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
|
| 1.1.2.2 | 13-Aug-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.1.2.1 | 12-Aug-2012 |
riz | file npf_rule_test.c was added on branch netbsd-6 on 2012-08-13 17:49:53 +0000
|
| 1.2.4.4 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.2.4.3 | 23-Jan-2013 |
yamt | sync with head
|
| 1.2.4.2 | 30-Oct-2012 |
yamt | sync with head
|
| 1.2.4.1 | 21-Aug-2012 |
yamt | file npf_rule_test.c was added on branch yamt-pagecache on 2012-10-30 19:00:48 +0000
|
| 1.2.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.2.2.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.10.2.1 | 10-Aug-2014 |
tls | Rebase.
|
| 1.12.6.2 | 20-Mar-2017 |
pgoyette | Sync with HEAD
|
| 1.12.6.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.13.2.1 | 21-Apr-2017 |
bouyer | Sync with HEAD
|
| 1.14.12.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.14.12.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.14.10.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.14.10.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.17.2.3 | 17-Nov-2024 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1918):
usr.sbin/npf/npftest/npftest.conf: revision 1.10
usr.sbin/npf/npftest/npftest.conf: revision 1.11
usr.sbin/npf/npftest/npftest.conf: revision 1.12
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.23
tests/net/npf/t_npf.sh: revision 1.5
tests/net/npf/t_npf.sh: revision 1.6
tests/net/npf/t_npf.sh: revision 1.7
npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules
npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.
PR bin/55403: npfctl miscompiles IPv6 rules
|
| 1.17.2.2 | 01-Sep-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #141):
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
|
| 1.17.2.1 | 13-Aug-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #49):
usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3
npf-params(7): add more bpf.jit details.
From David H. Gutteridge.
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
|
| 1.19.10.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.19.8.1 | 17-Nov-2024 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1002):
usr.sbin/npf/npftest/npftest.conf: revision 1.10
usr.sbin/npf/npftest/npftest.conf: revision 1.11
usr.sbin/npf/npftest/npftest.conf: revision 1.12
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.23
tests/net/npf/t_npf.sh: revision 1.5
tests/net/npf/t_npf.sh: revision 1.6
tests/net/npf/t_npf.sh: revision 1.7
npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules
npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules
npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.
PR bin/55403: npfctl miscompiles IPv6 rules
|
| 1.11 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.10 | 30-May-2020 |
rmind | branches: 1.10.8;
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.9 | 23-Jul-2019 |
rmind | branches: 1.9.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.8 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.7 | 26-Dec-2016 |
christos | branches: 1.7.12; 1.7.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.6 | 20-Jul-2014 |
rmind | branches: 1.6.6;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
|
| 1.5 | 08-Nov-2013 |
rmind | branches: 1.5.2;
NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.
Bump NPF_VERSION.
|
| 1.4 | 24-Dec-2012 |
rmind | - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
|
| 1.3 | 21-Aug-2012 |
rmind | branches: 1.3.2; 1.3.4;
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
|
| 1.2 | 01-Jul-2012 |
rmind | NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
|
| 1.1 | 04-Jun-2012 |
rmind | branches: 1.1.2;
npftest: add a module for TCP state tracking and add few test cases.
|
| 1.1.2.5 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
|
| 1.1.2.4 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
|
| 1.1.2.3 | 05-Jul-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
|
| 1.1.2.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.1.2.1 | 04-Jun-2012 |
riz | file npf_state_test.c was added on branch netbsd-6 on 2012-06-26 00:07:18 +0000
|
| 1.3.4.4 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.3.4.3 | 23-Jan-2013 |
yamt | sync with head
|
| 1.3.4.2 | 30-Oct-2012 |
yamt | sync with head
|
| 1.3.4.1 | 21-Aug-2012 |
yamt | file npf_state_test.c was added on branch yamt-pagecache on 2012-10-30 19:00:48 +0000
|
| 1.3.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.3.2.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.5.2.1 | 10-Aug-2014 |
tls | Rebase.
|
| 1.6.6.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.7.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.7.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.7.12.1 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.9.2.1 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.10.8.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.12 | 23-Jul-2019 |
rmind | NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.11 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.10 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.9 | 26-Dec-2016 |
christos | branches: 1.9.12; 1.9.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.8 | 06-Feb-2014 |
rmind | branches: 1.8.8;
Add support for CDB based NPF tables.
|
| 1.7 | 12-Nov-2013 |
rmind | NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).
Few misc fixes. Bump NPF_VERSION.
|
| 1.6 | 29-Oct-2012 |
rmind | Implement NPF table listing and preservation of entries on reload.
Bump the version.
|
| 1.5 | 21-Aug-2012 |
rmind | branches: 1.5.2;
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
|
| 1.4 | 15-Jul-2012 |
rmind | - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
|
| 1.3 | 01-Jul-2012 |
rmind | NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
|
| 1.2 | 22-Jun-2012 |
rmind | branches: 1.2.2;
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
|
| 1.1 | 14-Apr-2012 |
rmind | branches: 1.1.2;
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
|
| 1.1.2.4 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.2.3 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.2.1 | 14-Apr-2012 |
yamt | file npf_table_test.c was added on branch yamt-pagecache on 2012-04-17 00:09:51 +0000
|
| 1.2.2.7 | 24-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see "Reflection Scan: an Off-Path Attack
on TCP" by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
|
| 1.2.2.6 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
|
| 1.2.2.5 | 16-Jul-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
|
| 1.2.2.4 | 05-Jul-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
|
| 1.2.2.3 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
|
| 1.2.2.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.2.2.1 | 22-Jun-2012 |
riz | file npf_table_test.c was added on branch netbsd-6 on 2012-06-26 00:07:18 +0000
|
| 1.5.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.5.2.1 | 20-Nov-2012 |
tls | Resync to 2012-11-19 00:00:00 UTC
|
| 1.8.8.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.9.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.9.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.9.12.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.9.12.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.24 | 20-Jul-2025 |
joe | l2 only tests
for this test suite, we test to ensure that all frames
are passed by default when no layer 2 rules are set in the config
reviewed by christos@
|
| 1.23 | 01-Jul-2025 |
joe | Rump testing for layer 2 filtering in NPF
reviewed by christos@
|
| 1.22 | 01-Jun-2025 |
joe | testing for NPF user/group filtering: reviewed by christos@
|
| 1.21 | 30-May-2020 |
rmind | branches: 1.21.8;
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.20 | 23-Apr-2020 |
joerg | npftest_mbufops and npftest_ifops are owned by npf_mbuf_subr.c
|
| 1.19 | 23-Jul-2019 |
rmind | branches: 1.19.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.18 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.17 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.16 | 26-Dec-2016 |
christos | branches: 1.16.12; 1.16.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.15 | 13-Feb-2014 |
rmind | branches: 1.15.8;
NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.
Thanks to S.P.Zeidler for the help with NPTv6 work!
|
| 1.14 | 07-Feb-2014 |
rmind | NPF: add support for static (stateless) NAT.
|
| 1.13 | 06-Feb-2014 |
rmind | Add support for CDB based NPF tables.
|
| 1.12 | 05-Feb-2014 |
rmind | npftest: fix previous harder - pass and use libc's random(3).
|
| 1.11 | 08-Nov-2013 |
rmind | NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.
Bump NPF_VERSION.
|
| 1.10 | 24-Sep-2013 |
rmind | npftest: add a choice of "rule" or "state" for -b option.
|
| 1.9 | 24-Sep-2013 |
rmind | npftest: add some concurrency testing code.
|
| 1.8 | 19-Sep-2013 |
rmind | NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
|
| 1.7 | 19-Sep-2013 |
rmind | - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
|
| 1.6 | 15-Aug-2012 |
rmind | branches: 1.6.2;
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
|
| 1.5 | 12-Aug-2012 |
rmind | - Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.4 | 01-Jul-2012 |
rmind | NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
|
| 1.3 | 04-Jun-2012 |
rmind | branches: 1.3.2;
npftest: add a module for TCP state tracking and add few test cases.
|
| 1.2 | 30-May-2012 |
rmind | npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
|
| 1.1 | 14-Apr-2012 |
rmind | branches: 1.1.2;
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
|
| 1.1.2.4 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.1.2.3 | 30-Oct-2012 |
yamt | sync with head
|
| 1.1.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.2.1 | 14-Apr-2012 |
yamt | file npf_test.h was added on branch yamt-pagecache on 2012-04-17 00:09:51 +0000
|
| 1.3.2.5 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #678):
sys/rump/librump/rumpkern/rump.c: revision 1.243
sys/rump/librump/rumpkern/rump.c: revision 1.244
sys/rump/librump/rumpkern/rump.c: revision 1.245
sys/rump/librump/rumpkern/rump.c: revision 1.246
usr.sbin/npf/npftest/npftest.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.2
usr.sbin/npf/npftest/npftest.h: revision 1.5
sys/rump/net/Makefile.rumpnetcomp: revision 1.5
sys/rump/net/lib/libnpf/shlib_version: revision 1.1
sys/net/npf/npf_impl.h: revision 1.22
sys/rump/dev/lib/libnpf/Makefile: file removal
usr.sbin/npf/npftest/Makefile: revision 1.3
sys/rump/dev/lib/libnpf/component.c: file removal
sys/rump/dev/lib/libnpf/shlib_version: file removal
sys/net/npf/npf_state.c: revision 1.12
sys/rump/net/lib/libnpf/component.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.6
sys/rump/net/lib/libnpf/Makefile: revision 1.1
Move and rename librumpdev_npf to librumpnet_npf.
Enable the build of librumpnet_npf.
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
Call pserialize_init() during rump start-up, since librump/net/npf
uses it.
It helps to include the declaration of the routine being called.
We also need kcpuset_init() now.
Use correct routine name - kcpuset_sysinit() vs kcpuset_init()
|
| 1.3.2.4 | 13-Aug-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.3.2.3 | 05-Jul-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
|
| 1.3.2.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.3.2.1 | 04-Jun-2012 |
riz | file npf_test.h was added on branch netbsd-6 on 2012-06-26 00:07:18 +0000
|
| 1.6.2.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.15.8.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.16.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.16.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.16.12.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.16.12.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.19.2.1 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.21.8.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.19 | 27-Aug-2020 |
riastradh | npf: Make sure to initialize portmap_lock only once.
PR kern/55586
|
| 1.18 | 30-May-2020 |
rmind | npftest -- npf_test_init(): add a workaround for NetBSD.
|
| 1.17 | 30-May-2020 |
rmind | Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
|
| 1.16 | 11-Aug-2019 |
rmind | Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
|
| 1.15 | 23-Jul-2019 |
rmind | branches: 1.15.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
| 1.14 | 19-Jan-2019 |
rmind | Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
| 1.13 | 29-Sep-2018 |
rmind | NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
|
| 1.12 | 26-Dec-2016 |
christos | branches: 1.12.12; 1.12.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
|
| 1.11 | 10-Aug-2014 |
tls | branches: 1.11.6;
Merge tls-earlyentropy branch into HEAD.
|
| 1.10 | 23-Jul-2014 |
rmind | NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
|
| 1.9 | 13-Feb-2014 |
rmind | branches: 1.9.2;
NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.
Thanks to S.P.Zeidler for the help with NPTv6 work!
|
| 1.8 | 05-Feb-2014 |
rmind | npftest: fix previous harder - pass and use libc's random(3).
|
| 1.7 | 05-Feb-2014 |
rmind | npftest: fix the failure of NAT test -- adjust for RUMP's conversion to
the in-kernel CPRNG (hi pooka!).
|
| 1.6 | 08-Nov-2013 |
rmind | NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.
Bump NPF_VERSION.
|
| 1.5 | 24-Sep-2013 |
rmind | npftest: add some concurrency testing code.
|
| 1.4 | 15-Aug-2012 |
rmind | branches: 1.4.2; 1.4.4;
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
|
| 1.3 | 12-Aug-2012 |
rmind | - Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.2 | 21-Jul-2012 |
rmind | - npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
|
| 1.1 | 30-May-2012 |
rmind | branches: 1.1.2;
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
|
| 1.1.2.5 | 18-Nov-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #678):
sys/rump/librump/rumpkern/rump.c: revision 1.243
sys/rump/librump/rumpkern/rump.c: revision 1.244
sys/rump/librump/rumpkern/rump.c: revision 1.245
sys/rump/librump/rumpkern/rump.c: revision 1.246
usr.sbin/npf/npftest/npftest.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.2
usr.sbin/npf/npftest/npftest.h: revision 1.5
sys/rump/net/Makefile.rumpnetcomp: revision 1.5
sys/rump/net/lib/libnpf/shlib_version: revision 1.1
sys/net/npf/npf_impl.h: revision 1.22
sys/rump/dev/lib/libnpf/Makefile: file removal
usr.sbin/npf/npftest/Makefile: revision 1.3
sys/rump/dev/lib/libnpf/component.c: file removal
sys/rump/dev/lib/libnpf/shlib_version: file removal
sys/net/npf/npf_state.c: revision 1.12
sys/rump/net/lib/libnpf/component.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.6
sys/rump/net/lib/libnpf/Makefile: revision 1.1
Move and rename librumpdev_npf to librumpnet_npf.
Enable the build of librumpnet_npf.
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
Call pserialize_init() during rump start-up, since librump/net/npf
uses it.
It helps to include the declaration of the routine being called.
We also need kcpuset_init() now.
Use correct routine name - kcpuset_sysinit() vs kcpuset_init()
|
| 1.1.2.4 | 13-Aug-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
|
| 1.1.2.3 | 25-Jul-2012 |
jdc | Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).
Add missing __dead.
teach npf ipv6-icmp
reviewed by rmind@
- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.
- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
|
| 1.1.2.2 | 26-Jun-2012 |
riz | Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
|
| 1.1.2.1 | 30-May-2012 |
riz | file npf_test_subr.c was added on branch netbsd-6 on 2012-06-26 00:07:19 +0000
|
| 1.4.4.3 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.4.4.2 | 30-Oct-2012 |
yamt | sync with head
|
| 1.4.4.1 | 15-Aug-2012 |
yamt | file npf_test_subr.c was added on branch yamt-pagecache on 2012-10-30 19:00:49 +0000
|
| 1.4.2.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.9.2.2 | 10-Aug-2014 |
tls | Rebase.
|
| 1.9.2.1 | 09-Aug-2014 |
tls | Replace "ccrand" ChaCha implementation of cprng_fast with Taylor's smaller
and somewhat simpler one. Fix rump builds so we can build a distribution.
|
| 1.11.6.1 | 07-Jan-2017 |
pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
|
| 1.12.14.2 | 13-Apr-2020 |
martin | Mostly merge changes from HEAD upto 20200411
|
| 1.12.14.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.12.12.2 | 26-Jan-2019 |
pgoyette | Sync with HEAD
|
| 1.12.12.1 | 30-Sep-2018 |
pgoyette | Ssync with HEAD
|
| 1.15.2.2 | 20-Jun-2020 |
martin | Pull up following revision(s) (requested by rmind in ticket #956):
usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
npftest -- npf_test_init(): add a workaround for NetBSD.
npf-params(7): fix the state.key defaults.
npf-params.7: s/filer/filter/
Adjust to "npfctl debug" command line changes, from rmind@.
Use more markup.
|
| 1.15.2.1 | 13-Aug-2019 |
martin | Pull up following revision(s) (requested by rmind in ticket #49):
usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3
npf-params(7): add more bpf.jit details.
From David H. Gutteridge.
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
|
| 1.1 | 20-Jul-2025 |
joe | branches: 1.1.4;
l2 only tests
for this test suite, we test to ensure that all frames
are passed by default when no layer 2 rules are set in the config
reviewed by christos@
|
| 1.1.4.2 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.1.4.1 | 20-Jul-2025 |
perseant | file npfl2onlytest.c was added on branch perseant-exfatfs on 2025-08-02 05:58:53 +0000
|
