- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is loaded and set it to pass when a flush operation is performed. - Use kmem_zalloc(9) instead of kmem_alloc(9) in a few places. - npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction of a rule procedure might happen in the interrupt handler (under a very rare condition, if a config reload races with the handler). - npf_session_establish: check whether layers 3 and 4 are cached. - npfctl_build_group: do not make groups passing rules. - Remove some unnecessary header inclusions.
This commit is contained in:
parent
47c982a38d
commit
15d58f91b8
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $ */
|
/* $NetBSD: npf.c,v 1.8 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
||||||
@ -34,7 +34,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.8 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -70,6 +70,7 @@ typedef struct {
|
|||||||
npf_ruleset_t * n_rules;
|
npf_ruleset_t * n_rules;
|
||||||
npf_tableset_t * n_tables;
|
npf_tableset_t * n_tables;
|
||||||
npf_ruleset_t * n_nat_rules;
|
npf_ruleset_t * n_nat_rules;
|
||||||
|
bool n_default_pass;
|
||||||
} npf_core_t;
|
} npf_core_t;
|
||||||
|
|
||||||
static void npf_core_destroy(npf_core_t *);
|
static void npf_core_destroy(npf_core_t *);
|
||||||
@ -106,7 +107,7 @@ npf_init(void)
|
|||||||
rset = npf_ruleset_create();
|
rset = npf_ruleset_create();
|
||||||
tset = npf_tableset_create();
|
tset = npf_tableset_create();
|
||||||
nset = npf_ruleset_create();
|
nset = npf_ruleset_create();
|
||||||
npf_reload(rset, tset, nset);
|
npf_reload(rset, tset, nset, true);
|
||||||
KASSERT(npf_core != NULL);
|
KASSERT(npf_core != NULL);
|
||||||
|
|
||||||
#ifdef _MODULE
|
#ifdef _MODULE
|
||||||
@ -265,12 +266,14 @@ npf_core_destroy(npf_core_t *nc)
|
|||||||
* Then destroy old (unloaded) structures.
|
* Then destroy old (unloaded) structures.
|
||||||
*/
|
*/
|
||||||
void
|
void
|
||||||
npf_reload(npf_ruleset_t *rset, npf_tableset_t *tset, npf_ruleset_t *nset)
|
npf_reload(npf_ruleset_t *rset, npf_tableset_t *tset, npf_ruleset_t *nset,
|
||||||
|
bool flush)
|
||||||
{
|
{
|
||||||
npf_core_t *nc, *onc;
|
npf_core_t *nc, *onc;
|
||||||
|
|
||||||
/* Setup a new core structure. */
|
/* Setup a new core structure. */
|
||||||
nc = kmem_alloc(sizeof(npf_core_t), KM_SLEEP);
|
nc = kmem_zalloc(sizeof(npf_core_t), KM_SLEEP);
|
||||||
|
nc->n_default_pass = flush;
|
||||||
nc->n_rules = rset;
|
nc->n_rules = rset;
|
||||||
nc->n_tables = tset;
|
nc->n_tables = tset;
|
||||||
nc->n_nat_rules = nset;
|
nc->n_nat_rules = nset;
|
||||||
@ -330,6 +333,13 @@ npf_core_locked(void)
|
|||||||
return rw_lock_held(&npf_lock);
|
return rw_lock_held(&npf_lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool
|
||||||
|
npf_default_pass(void)
|
||||||
|
{
|
||||||
|
KASSERT(rw_lock_held(&npf_lock));
|
||||||
|
return npf_core->n_default_pass;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* NPF statistics interface.
|
* NPF statistics interface.
|
||||||
*/
|
*/
|
||||||
|
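Review bot: `nc->n_default_pass = flush;` in npf_reload ties the default policy to a parameter whose name says nothing about policy, and the function's header comment (above the hunk) does not describe the new argument. A comment on that line would make the intent visible, `/* A flushed (empty) configuration passes everything by default; a loaded one blocks. */`, and the header comment should state that `flush` is true only when the configuration is being unloaded. npf_default_pass() reads `npf_core` on the assumption that the caller holds npf_lock; the KASSERT checks that only in DIAGNOSTIC kernels, which matches npf_core_locked() just above, so no code change is needed, but the locking contract belongs on the prototype's comment as well. npf_reload continues past the hunk.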
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_alg.c,v 1.2 2010/11/11 06:30:39 rmind Exp $ */
|
/* $NetBSD: npf_alg.c,v 1.3 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2010 The NetBSD Foundation, Inc.
|
* Copyright (c) 2010 The NetBSD Foundation, Inc.
|
||||||
@ -36,10 +36,9 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.2 2010/11/11 06:30:39 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.3 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
|
||||||
#include <sys/kmem.h>
|
#include <sys/kmem.h>
|
||||||
#include <sys/pool.h>
|
#include <sys/pool.h>
|
||||||
#include <net/pfil.h>
|
#include <net/pfil.h>
|
||||||
@ -83,7 +82,7 @@ npf_alg_register(npf_algfunc_t match, npf_algfunc_t out, npf_algfunc_t in,
|
|||||||
{
|
{
|
||||||
npf_alg_t *alg;
|
npf_alg_t *alg;
|
||||||
|
|
||||||
alg = kmem_alloc(sizeof(npf_alg_t), KM_SLEEP);
|
alg = kmem_zalloc(sizeof(npf_alg_t), KM_SLEEP);
|
||||||
alg->na_bptr = alg;
|
alg->na_bptr = alg;
|
||||||
alg->na_match_func = match;
|
alg->na_match_func = match;
|
||||||
alg->na_out_func = out;
|
alg->na_out_func = out;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_alg_icmp.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
|
/* $NetBSD: npf_alg_icmp.c,v 1.9 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2010 The NetBSD Foundation, Inc.
|
* Copyright (c) 2010 The NetBSD Foundation, Inc.
|
||||||
@ -34,10 +34,9 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.9 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
|
||||||
#include <sys/module.h>
|
#include <sys/module.h>
|
||||||
#include <sys/pool.h>
|
#include <sys/pool.h>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: npf_ctl.c,v 1.12 2012/02/05 00:37:13 rmind Exp $ */
|
/* $NetBSD: npf_ctl.c,v 1.13 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This material is based upon work partially supported by The
|
* This material is based upon work partially supported by The
|
||||||
@ -37,11 +37,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12 2012/02/05 00:37:13 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.13 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/conf.h>
|
#include <sys/conf.h>
|
||||||
#include <sys/kernel.h>
|
|
||||||
|
|
||||||
#include <prop/proplib.h>
|
#include <prop/proplib.h>
|
||||||
|
|
||||||
@ -479,7 +478,7 @@ npfctl_reload(u_long cmd, void *data)
|
|||||||
* Finally - reload ruleset, tableset and NAT policies.
|
* Finally - reload ruleset, tableset and NAT policies.
|
||||||
* Operation will be performed as a single transaction.
|
* Operation will be performed as a single transaction.
|
||||||
*/
|
*/
|
||||||
npf_reload(rlset, tblset, nset);
|
npf_reload(rlset, tblset, nset, flush);
|
||||||
|
|
||||||
/* Turn on/off session tracking accordingly. */
|
/* Turn on/off session tracking accordingly. */
|
||||||
npf_session_tracking(!flush);
|
npf_session_tracking(!flush);
|
||||||
@ -506,7 +505,9 @@ fail:
|
|||||||
|
|
||||||
/* Error report. */
|
/* Error report. */
|
||||||
prop_dictionary_set_int32(errdict, "errno", error);
|
prop_dictionary_set_int32(errdict, "errno", error);
|
||||||
|
#ifdef _KERNEL
|
||||||
prop_dictionary_copyout_ioctl(pref, cmd, errdict);
|
prop_dictionary_copyout_ioctl(pref, cmd, errdict);
|
||||||
|
#endif
|
||||||
prop_object_release(errdict);
|
prop_object_release(errdict);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -561,7 +562,9 @@ out: /* Error path. */
|
|||||||
|
|
||||||
/* Error report. */
|
/* Error report. */
|
||||||
prop_dictionary_set_int32(errdict, "errno", error);
|
prop_dictionary_set_int32(errdict, "errno", error);
|
||||||
|
#ifdef _KERNEL
|
||||||
prop_dictionary_copyout_ioctl(pref, cmd, errdict);
|
prop_dictionary_copyout_ioctl(pref, cmd, errdict);
|
||||||
|
#endif
|
||||||
prop_object_release(errdict);
|
prop_object_release(errdict);
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
|
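Review bot: The comment above `npf_reload(rlset, tblset, nset, flush);` still says only that ruleset, tableset and NAT policies are reloaded, but with `flush` passed through a flush now also switches the default policy to pass and, on the next line, turns session tracking off, so an unloaded firewall is open rather than closed. That is presumably the intended semantics of flush, but it is a policy decision and should be stated where it happens, e.g. `* A flush installs an empty configuration that passes by default and stops session tracking.` The `#ifdef _KERNEL` around `prop_dictionary_copyout_ioctl` in both error paths means a non-kernel build releases `errdict` without reporting `error` anywhere; if that build is a test harness, a one-line comment saying so would stop the next reader from treating it as a dropped error. npfctl_reload and the function holding the second error path extend beyond the hunks.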
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $ */
|
/* $NetBSD: npf_handler.c,v 1.14 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This material is based upon work partially supported by The
|
* This material is based upon work partially supported by The
|
||||||
@ -34,10 +34,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.13 2012/02/06 23:30:14 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.14 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/systm.h>
|
|
||||||
|
|
||||||
#include <sys/mbuf.h>
|
#include <sys/mbuf.h>
|
||||||
#include <sys/mutex.h>
|
#include <sys/mutex.h>
|
||||||
@ -61,8 +61,6 @@ static struct pfil_head * npf_ph_if = NULL;
|
|||||||
static struct pfil_head * npf_ph_inet = NULL;
|
static struct pfil_head * npf_ph_inet = NULL;
|
||||||
static struct pfil_head * npf_ph_inet6 = NULL;
|
static struct pfil_head * npf_ph_inet6 = NULL;
|
||||||
|
|
||||||
static bool default_pass = true;
|
|
||||||
|
|
||||||
int npf_packet_handler(void *, struct mbuf **, ifnet_t *, int);
|
int npf_packet_handler(void *, struct mbuf **, ifnet_t *, int);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -89,26 +87,28 @@ npf_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
|
|||||||
npf_ruleset_t *rlset;
|
npf_ruleset_t *rlset;
|
||||||
npf_rule_t *rl;
|
npf_rule_t *rl;
|
||||||
npf_rproc_t *rp;
|
npf_rproc_t *rp;
|
||||||
int retfl, error, ret;
|
int error, retfl;
|
||||||
|
int decision;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initialise packet information cache.
|
* Initialise packet information cache.
|
||||||
* Note: it is enough to clear the info bits.
|
* Note: it is enough to clear the info bits.
|
||||||
*/
|
*/
|
||||||
npc.npc_info = 0;
|
npc.npc_info = 0;
|
||||||
|
decision = NPF_DECISION_BLOCK;
|
||||||
error = 0;
|
error = 0;
|
||||||
retfl = 0;
|
retfl = 0;
|
||||||
rp = NULL;
|
rp = NULL;
|
||||||
ret = 0;
|
|
||||||
|
|
||||||
/* Cache everything. Determine whether it is an IP fragment. */
|
/* Cache everything. Determine whether it is an IP fragment. */
|
||||||
if (npf_cache_all(&npc, nbuf) & NPC_IPFRAG) {
|
if (npf_cache_all(&npc, nbuf) & NPC_IPFRAG) {
|
||||||
|
int ret = -1;
|
||||||
|
|
||||||
/* Pass to IPv4 or IPv6 reassembly mechanism. */
|
/* Pass to IPv4 or IPv6 reassembly mechanism. */
|
||||||
if (npf_iscached(&npc, NPC_IP4)) {
|
if (npf_iscached(&npc, NPC_IP4)) {
|
||||||
struct ip *ip = nbuf_dataptr(*mp);
|
struct ip *ip = nbuf_dataptr(*mp);
|
||||||
ret = ip_reass_packet(mp, ip);
|
ret = ip_reass_packet(mp, ip);
|
||||||
} else {
|
} else if (npf_iscached(&npc, NPC_IP6)) {
|
||||||
KASSERT(npf_iscached(&npc, NPC_IP6));
|
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
/*
|
/*
|
||||||
* Note: frag6_input() offset is the start of the
|
* Note: frag6_input() offset is the start of the
|
||||||
@ -116,11 +116,8 @@ npf_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
|
|||||||
*/
|
*/
|
||||||
const u_int hlen = npf_cache_hlen(&npc);
|
const u_int hlen = npf_cache_hlen(&npc);
|
||||||
ret = ip6_reass_packet(mp, hlen);
|
ret = ip6_reass_packet(mp, hlen);
|
||||||
#else
|
|
||||||
ret = -1;
|
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret) {
|
if (ret) {
|
||||||
error = EINVAL;
|
error = EINVAL;
|
||||||
se = NULL;
|
se = NULL;
|
||||||
@ -137,7 +134,9 @@ npf_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
|
|||||||
*/
|
*/
|
||||||
nbuf = (nbuf_t *)*mp;
|
nbuf = (nbuf_t *)*mp;
|
||||||
npc.npc_info = 0;
|
npc.npc_info = 0;
|
||||||
(void)npf_cache_all(&npc, nbuf);
|
|
||||||
|
ret = npf_cache_all(&npc, nbuf);
|
||||||
|
KASSERT((ret & NPC_IPFRAG) == 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Inspect the list of sessions. */
|
/* Inspect the list of sessions. */
|
||||||
@ -146,8 +145,10 @@ npf_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
|
|||||||
/* If "passing" session found - skip the ruleset inspection. */
|
/* If "passing" session found - skip the ruleset inspection. */
|
||||||
if (se && npf_session_pass(se, &rp)) {
|
if (se && npf_session_pass(se, &rp)) {
|
||||||
npf_stats_inc(NPF_STAT_PASS_SESSION);
|
npf_stats_inc(NPF_STAT_PASS_SESSION);
|
||||||
|
KASSERT(error == 0);
|
||||||
goto pass;
|
goto pass;
|
||||||
} else if (error) {
|
}
|
||||||
|
if (error) {
|
||||||
goto block;
|
goto block;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -156,13 +157,14 @@ npf_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
|
|||||||
rlset = npf_core_ruleset();
|
rlset = npf_core_ruleset();
|
||||||
rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
|
rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
|
||||||
if (rl == NULL) {
|
if (rl == NULL) {
|
||||||
|
bool default_pass = npf_default_pass();
|
||||||
npf_core_exit();
|
npf_core_exit();
|
||||||
|
|
||||||
if (default_pass) {
|
if (default_pass) {
|
||||||
npf_stats_inc(NPF_STAT_PASS_DEFAULT);
|
npf_stats_inc(NPF_STAT_PASS_DEFAULT);
|
||||||
goto pass;
|
goto pass;
|
||||||
}
|
}
|
||||||
npf_stats_inc(NPF_STAT_BLOCK_DEFAULT);
|
npf_stats_inc(NPF_STAT_BLOCK_DEFAULT);
|
||||||
error = ENETUNREACH;
|
|
||||||
goto block;
|
goto block;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -181,20 +183,21 @@ npf_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
|
|||||||
}
|
}
|
||||||
npf_stats_inc(NPF_STAT_PASS_RULESET);
|
npf_stats_inc(NPF_STAT_PASS_RULESET);
|
||||||
|
|
||||||
/* Establish a "pass" session, if required. */
|
/*
|
||||||
|
* Establish a "pass" session, if required. Just proceed, if session
|
||||||
|
* creation fails (e.g. due to unsupported protocol).
|
||||||
|
*
|
||||||
|
* Note: the reference on the rule procedure is transfered to the
|
||||||
|
* session. It will be released on session destruction.
|
||||||
|
*/
|
||||||
if ((retfl & NPF_RULE_KEEPSTATE) != 0 && !se) {
|
if ((retfl & NPF_RULE_KEEPSTATE) != 0 && !se) {
|
||||||
se = npf_session_establish(&npc, nbuf, di);
|
se = npf_session_establish(&npc, nbuf, di);
|
||||||
if (se == NULL) {
|
if (se) {
|
||||||
error = ENOMEM;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* Note: the reference to the rule procedure is transfered to
|
|
||||||
* the session. It will be released on session destruction.
|
|
||||||
*/
|
|
||||||
npf_session_setpass(se, rp);
|
npf_session_setpass(se, rp);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
pass:
|
pass:
|
||||||
|
decision = NPF_DECISION_PASS;
|
||||||
KASSERT(error == 0);
|
KASSERT(error == 0);
|
||||||
/*
|
/*
|
||||||
* Perform NAT.
|
* Perform NAT.
|
||||||
@ -218,8 +221,8 @@ out:
|
|||||||
npf_rproc_release(rp);
|
npf_rproc_release(rp);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Pass the packet, if no error. */
|
/* Pass the packet if decided and there is no error. */
|
||||||
if (!error) {
|
if (decision == NPF_DECISION_PASS && !error) {
|
||||||
/*
|
/*
|
||||||
* XXX: Disable for now, it will be set accordingly later,
|
* XXX: Disable for now, it will be set accordingly later,
|
||||||
* for optimisations (to reduce inspection).
|
* for optimisations (to reduce inspection).
|
||||||
@ -236,9 +239,10 @@ out:
|
|||||||
if (retfl) {
|
if (retfl) {
|
||||||
npf_return_block(&npc, nbuf, retfl);
|
npf_return_block(&npc, nbuf, retfl);
|
||||||
}
|
}
|
||||||
if (error != ENETUNREACH) {
|
if (error) {
|
||||||
NPF_PRINTF(("NPF: error in handler '%d'\n", error));
|
|
||||||
npf_stats_inc(NPF_STAT_ERROR);
|
npf_stats_inc(NPF_STAT_ERROR);
|
||||||
|
} else {
|
||||||
|
error = ENETUNREACH;
|
||||||
}
|
}
|
||||||
m_freem(*mp);
|
m_freem(*mp);
|
||||||
*mp = NULL;
|
*mp = NULL;
|
||||||
@ -267,7 +271,7 @@ npf_register_pfil(void)
|
|||||||
npf_ph_if = pfil_head_get(PFIL_TYPE_IFNET, 0);
|
npf_ph_if = pfil_head_get(PFIL_TYPE_IFNET, 0);
|
||||||
npf_ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
|
npf_ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
|
||||||
npf_ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
|
npf_ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
|
||||||
if (npf_ph_if == NULL || npf_ph_inet == NULL) {
|
if (npf_ph_if == NULL || npf_ph_inet == NULL || npf_ph_inet6 == NULL) {
|
||||||
npf_ph_if = NULL;
|
npf_ph_if = NULL;
|
||||||
error = ENOENT;
|
error = ENOENT;
|
||||||
goto fail;
|
goto fail;
|
||||||
|
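Review bot: The block-path accounting `if (error)` in the `@ -236` hunk now counts every non-zero error as NPF_STAT_ERROR, whereas the removed `error != ENETUNREACH` test excluded the rule-block case; the ruleset-block path between the `@ -156` and `@ -181` hunks is not shown, so if the npf_rule_apply failure still arrives at `block:` as `error = ENETUNREACH` it will be reported as an error rather than a block. The default-block path now reaches `block:` with `error == 0` and picks up ENETUNREACH in the new `else` branch, so any remaining explicit ENETUNREACH assignment in the rule path should be dropped the same way for consistency. Separately, `KASSERT((ret & NPC_IPFRAG) == 0)` after reassembly is compiled out in non-DIAGNOSTIC kernels; given the commit's fail-closed intent (`decision = NPF_DECISION_BLOCK` up front), a runtime `if (ret & NPC_IPFRAG) { error = EINVAL; se = NULL; }` following the same exit as the `if (ret)` failure above would keep that guarantee in production builds. npf_packet_handler starts and ends outside these hunks.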
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: npf_impl.h,v 1.10 2012/02/06 23:30:14 rmind Exp $ */
|
/* $NetBSD: npf_impl.h,v 1.11 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This material is based upon work partially supported by The
|
* This material is based upon work partially supported by The
|
||||||
@ -91,6 +91,9 @@ typedef npf_table_t * npf_tableset_t;
|
|||||||
* DEFINITIONS.
|
* DEFINITIONS.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#define NPF_DECISION_BLOCK 0
|
||||||
|
#define NPF_DECISION_PASS 1
|
||||||
|
|
||||||
typedef bool (*npf_algfunc_t)(npf_cache_t *, nbuf_t *, void *);
|
typedef bool (*npf_algfunc_t)(npf_cache_t *, nbuf_t *, void *);
|
||||||
|
|
||||||
#define NPF_NCODE_LIMIT 1024
|
#define NPF_NCODE_LIMIT 1024
|
||||||
@ -127,7 +130,9 @@ npf_ruleset_t * npf_core_natset(void);
|
|||||||
npf_tableset_t *npf_core_tableset(void);
|
npf_tableset_t *npf_core_tableset(void);
|
||||||
void npf_core_exit(void);
|
void npf_core_exit(void);
|
||||||
bool npf_core_locked(void);
|
bool npf_core_locked(void);
|
||||||
void npf_reload(npf_ruleset_t *, npf_tableset_t *, npf_ruleset_t *);
|
bool npf_default_pass(void);
|
||||||
|
void npf_reload(npf_ruleset_t *, npf_tableset_t *,
|
||||||
|
npf_ruleset_t *, bool);
|
||||||
|
|
||||||
void npflogattach(int);
|
void npflogattach(int);
|
||||||
void npflogdetach(void);
|
void npflogdetach(void);
|
||||||
|
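Review bot: `NPF_DECISION_BLOCK` and `NPF_DECISION_PASS` are added without a comment, and the new `npf_default_pass()` / `npf_reload(..., bool)` prototypes say nothing about locking or what the bool means. Suggested: `/* Packet handler decision; BLOCK is the initial (fail-closed) value. */` above the defines, `/* Caller must hold npf_lock. */` on npf_default_pass, and `/* flush == true installs a pass-by-default (empty) core. */` on npf_reload. As far as this page shows the two values are only assigned and compared in npf_handler.c, so an enum would also work, but the surrounding constants are defines and consistency wins.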
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_inet.c,v 1.10 2011/11/29 20:05:30 rmind Exp $ */
|
/* $NetBSD: npf_inet.c,v 1.11 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
|
||||||
@ -34,10 +34,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.10 2011/11/29 20:05:30 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.11 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <net/pfil.h>
|
#include <net/pfil.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */
|
/* $NetBSD: npf_instr.c,v 1.10 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
||||||
@ -34,10 +34,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.10 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <net/ethertypes.h>
|
#include <net/ethertypes.h>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_log.c,v 1.2 2011/01/18 20:33:46 rmind Exp $ */
|
/* $NetBSD: npf_log.c,v 1.3 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
||||||
@ -34,10 +34,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_log.c,v 1.2 2011/01/18 20:33:46 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_log.c,v 1.3 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <sys/conf.h>
|
#include <sys/conf.h>
|
||||||
#include <sys/kmem.h>
|
#include <sys/kmem.h>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_nat.c,v 1.10 2012/02/05 00:37:13 rmind Exp $ */
|
/* $NetBSD: npf_nat.c,v 1.11 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
||||||
@ -76,10 +76,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.10 2012/02/05 00:37:13 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.11 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <sys/atomic.h>
|
#include <sys/atomic.h>
|
||||||
#include <sys/bitops.h>
|
#include <sys/bitops.h>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_processor.c,v 1.9 2012/02/05 00:37:13 rmind Exp $ */
|
/* $NetBSD: npf_processor.c,v 1.10 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
|
||||||
@ -47,17 +47,12 @@
|
|||||||
* N-code memory address and thus instructions should be word aligned.
|
* N-code memory address and thus instructions should be word aligned.
|
||||||
* All processing is done in 32 bit words, since both instructions (their
|
* All processing is done in 32 bit words, since both instructions (their
|
||||||
* codes) and arguments use 32 bits words.
|
* codes) and arguments use 32 bits words.
|
||||||
*
|
|
||||||
* TODO:
|
|
||||||
* - There is some space for better a abstraction. Duplicated opcode
|
|
||||||
* maintenance in npf_ncode_process() and nc_insn_check() might be avoided.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.9 2012/02/05 00:37:13 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.10 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/kmem.h>
|
#include <sys/kmem.h>
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_rproc.c,v 1.1 2012/02/06 23:30:14 rmind Exp $ */
|
/* $NetBSD: npf_rproc.c,v 1.2 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
||||||
@ -37,11 +37,10 @@
|
|||||||
__KERNEL_RCSID(0, "$NetBSD");
|
__KERNEL_RCSID(0, "$NetBSD");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <sys/atomic.h>
|
#include <sys/atomic.h>
|
||||||
#include <sys/kmem.h>
|
#include <sys/kmem.h>
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
#include "npf_impl.h"
|
#include "npf_impl.h"
|
||||||
|
|
||||||
@ -69,7 +68,7 @@ npf_rproc_create(prop_dictionary_t rpdict)
|
|||||||
npf_rproc_t *rp;
|
npf_rproc_t *rp;
|
||||||
const char *rname;
|
const char *rname;
|
||||||
|
|
||||||
rp = kmem_zalloc(sizeof(npf_rproc_t), KM_SLEEP);
|
rp = kmem_intr_zalloc(sizeof(npf_rproc_t), KM_SLEEP);
|
||||||
rp->rp_refcnt = 1;
|
rp->rp_refcnt = 1;
|
||||||
|
|
||||||
/* Name and flags. */
|
/* Name and flags. */
|
||||||
@ -107,7 +106,7 @@ npf_rproc_release(npf_rproc_t *rp)
|
|||||||
if (atomic_dec_uint_nv(&rp->rp_refcnt) != 0) {
|
if (atomic_dec_uint_nv(&rp->rp_refcnt) != 0) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
kmem_free(rp, sizeof(npf_rproc_t));
|
kmem_intr_free(rp, sizeof(npf_rproc_t));
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
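Review bot: The switch to `kmem_intr_zalloc` / `kmem_intr_free` is not explained in the code; the reason (the last reference can be dropped from the packet handler, i.e. interrupt context, when a config reload races with it) lives only in the commit message. Suggest above the allocation in npf_rproc_create: `/* kmem_intr_*: the final release may run from the packet handler (interrupt context). */`. `KM_SLEEP` is still passed to `kmem_intr_zalloc`, which is fine for the process context npf_rproc_create presumably runs in, but that flag must not be copied to any allocation that can itself run under interrupt. Both functions start outside their hunks.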
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_ruleset.c,v 1.10 2012/02/06 23:30:14 rmind Exp $ */
|
/* $NetBSD: npf_ruleset.c,v 1.11 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
||||||
@ -34,10 +34,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.10 2012/02/06 23:30:14 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.11 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <sys/kmem.h>
|
#include <sys/kmem.h>
|
||||||
#include <sys/queue.h>
|
#include <sys/queue.h>
|
||||||
@ -208,7 +208,7 @@ npf_rule_alloc(prop_dictionary_t rldict, npf_rproc_t *rp,
|
|||||||
int errat __unused;
|
int errat __unused;
|
||||||
|
|
||||||
/* Allocate a rule structure. */
|
/* Allocate a rule structure. */
|
||||||
rl = kmem_alloc(sizeof(npf_rule_t), KM_SLEEP);
|
rl = kmem_zalloc(sizeof(npf_rule_t), KM_SLEEP);
|
||||||
TAILQ_INIT(&rl->r_subset.rs_queue);
|
TAILQ_INIT(&rl->r_subset.rs_queue);
|
||||||
rl->r_natp = NULL;
|
rl->r_natp = NULL;
|
||||||
|
|
||||||
@ -217,14 +217,14 @@ npf_rule_alloc(prop_dictionary_t rldict, npf_rproc_t *rp,
|
|||||||
rl->r_ncode = nc;
|
rl->r_ncode = nc;
|
||||||
rl->r_nc_size = nc_size;
|
rl->r_nc_size = nc_size;
|
||||||
|
|
||||||
/* Name (string, optional) */
|
/* Name (optional) */
|
||||||
if (prop_dictionary_get_cstring_nocopy(rldict, "name", &rname)) {
|
if (prop_dictionary_get_cstring_nocopy(rldict, "name", &rname)) {
|
||||||
strlcpy(rl->r_name, rname, NPF_RNAME_LEN);
|
strlcpy(rl->r_name, rname, NPF_RNAME_LEN);
|
||||||
} else {
|
} else {
|
||||||
rl->r_name[0] = '\0';
|
rl->r_name[0] = '\0';
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Attributes, priority and interface ID. */
|
/* Attributes, priority and interface ID (optional). */
|
||||||
prop_dictionary_get_uint32(rldict, "attributes", &rl->r_attr);
|
prop_dictionary_get_uint32(rldict, "attributes", &rl->r_attr);
|
||||||
prop_dictionary_get_int32(rldict, "priority", &rl->r_priority);
|
prop_dictionary_get_int32(rldict, "priority", &rl->r_priority);
|
||||||
prop_dictionary_get_uint32(rldict, "interface", &rl->r_ifid);
|
prop_dictionary_get_uint32(rldict, "interface", &rl->r_ifid);
|
||||||
|
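Review bot: After the switch to `kmem_zalloc` in npf_rule_alloc, `rl->r_natp = NULL;` and `rl->r_name[0] = '\0';` are redundant, and the new "(optional)" comments rely on that zeroing without saying so; the unchecked `prop_dictionary_get_*` calls leave a field untouched when the key is absent, so a missing "attributes" yields a rule with `r_attr == 0`. Suggest making the dependency explicit, `/* Attributes, priority and interface ID (optional: zero from kmem_zalloc when absent). */`, and dropping the two explicit resets. npf_rule_alloc continues past the hunks.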
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_sendpkt.c,v 1.8 2011/11/29 20:05:30 rmind Exp $ */
|
/* $NetBSD: npf_sendpkt.c,v 1.9 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
||||||
@ -34,10 +34,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.9 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <netinet/in_systm.h>
|
#include <netinet/in_systm.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: npf_session.c,v 1.10 2011/11/29 20:05:30 rmind Exp $ */
|
/* $NetBSD: npf_session.c,v 1.11 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
|
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This material is based upon work partially supported by The
|
* This material is based upon work partially supported by The
|
||||||
@ -74,10 +74,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.10 2011/11/29 20:05:30 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.11 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
@ -93,7 +93,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.10 2011/11/29 20:05:30 rmind Exp $
|
|||||||
#include <sys/rwlock.h>
|
#include <sys/rwlock.h>
|
||||||
#include <sys/queue.h>
|
#include <sys/queue.h>
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
#include "npf_impl.h"
|
#include "npf_impl.h"
|
||||||
|
|
||||||
@ -277,7 +276,7 @@ sess_htable_create(void)
|
|||||||
npf_sehash_t *stbl, *sh;
|
npf_sehash_t *stbl, *sh;
|
||||||
u_int i;
|
u_int i;
|
||||||
|
|
||||||
stbl = kmem_alloc(SESS_HASH_BUCKETS * sizeof(*sh), KM_SLEEP);
|
stbl = kmem_zalloc(SESS_HASH_BUCKETS * sizeof(*sh), KM_SLEEP);
|
||||||
if (stbl == NULL) {
|
if (stbl == NULL) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -406,7 +405,10 @@ npf_session_inspect(npf_cache_t *npc, nbuf_t *nbuf, const int di, int *error)
|
|||||||
npf_sentry_t *sen;
|
npf_sentry_t *sen;
|
||||||
npf_session_t *se;
|
npf_session_t *se;
|
||||||
|
|
||||||
/* Layer 3 and 4 should be already cached for session tracking. */
|
/*
|
||||||
|
* If layer 3 and 4 are not cached - protocol is not supported
|
||||||
|
* or packet is invalid.
|
||||||
|
*/
|
||||||
if (!sess_tracking || !npf_iscached(npc, NPC_IP46) ||
|
if (!sess_tracking || !npf_iscached(npc, NPC_IP46) ||
|
||||||
!npf_iscached(npc, NPC_LAYER4)) {
|
!npf_iscached(npc, NPC_LAYER4)) {
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -491,7 +493,7 @@ npf_session_inspect(npf_cache_t *npc, nbuf_t *nbuf, const int di, int *error)
|
|||||||
/*
|
/*
|
||||||
* npf_establish_session: create a new session, insert into the global list.
|
* npf_establish_session: create a new session, insert into the global list.
|
||||||
*
|
*
|
||||||
* => Sessions is created with the held reference (for caller).
|
* => Session is created with the reference held for the caller.
|
||||||
*/
|
*/
|
||||||
npf_session_t *
|
npf_session_t *
|
||||||
npf_session_establish(const npf_cache_t *npc, nbuf_t *nbuf, const int di)
|
npf_session_establish(const npf_cache_t *npc, nbuf_t *nbuf, const int di)
|
||||||
@ -504,11 +506,14 @@ npf_session_establish(const npf_cache_t *npc, nbuf_t *nbuf, const int di)
|
|||||||
int proto, sz;
|
int proto, sz;
|
||||||
bool ok;
|
bool ok;
|
||||||
|
|
||||||
if (!sess_tracking) {
|
/*
|
||||||
|
* If layer 3 and 4 are not cached - protocol is not supported
|
||||||
|
* or packet is invalid.
|
||||||
|
*/
|
||||||
|
if (!sess_tracking || !npf_iscached(npc, NPC_IP46) ||
|
||||||
|
!npf_iscached(npc, NPC_LAYER4)) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
KASSERT(npf_iscached(npc, NPC_IP46));
|
|
||||||
KASSERT(npf_iscached(npc, NPC_LAYER4));
|
|
||||||
|
|
||||||
/* Allocate and initialise new state. */
|
/* Allocate and initialise new state. */
|
||||||
se = pool_cache_get(sess_cache, PR_NOWAIT);
|
se = pool_cache_get(sess_cache, PR_NOWAIT);
|
||||||
|
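Review bot: The layer-3/4 guard and its three-line comment are now duplicated verbatim in npf_session_inspect and npf_session_establish (the `@ -406` and `@ -504` hunks); replacing the two KASSERTs with a runtime check is the right defensive move, but a single static helper keeps the two callers from drifting, with each guard becoming `if (!sess_trackable(npc)) { return NULL; }`. Both functions start and end outside the hunks, and `sess_tracking` is referenced but declared elsewhere in the file.
```c
/* Session tracking applies only when layers 3 and 4 are cached. */
static inline bool
sess_trackable(const npf_cache_t *npc)
{
	return sess_tracking && npf_iscached(npc, NPC_IP46) &&
	    npf_iscached(npc, NPC_LAYER4);
}

/* … unchanged: npf_session_inspect and npf_session_establish,
 * each guard replaced by `if (!sess_trackable(npc)) { return NULL; }` … */
```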
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $ */
|
/* $NetBSD: npf_tableset.c,v 1.10 2012/02/20 00:18:20 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
|
||||||
@ -39,10 +39,10 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.10 2012/02/20 00:18:20 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <sys/atomic.h>
|
#include <sys/atomic.h>
|
||||||
#include <sys/hash.h>
|
#include <sys/hash.h>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_build.c,v 1.4 2012/02/06 00:37:52 rmind Exp $ */
|
/* $NetBSD: npf_build.c,v 1.5 2012/02/20 00:18:19 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
|
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
|
||||||
@ -34,7 +34,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: npf_build.c,v 1.4 2012/02/06 00:37:52 rmind Exp $");
|
__RCSID("$NetBSD: npf_build.c,v 1.5 2012/02/20 00:18:19 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
@ -400,9 +400,8 @@ npfctl_build_group(const char *name, int attr, u_int if_idx)
|
|||||||
} else if ((attr & attr_di) == 0) {
|
} else if ((attr & attr_di) == 0) {
|
||||||
attr |= attr_di;
|
attr |= attr_di;
|
||||||
}
|
}
|
||||||
attr |= (NPF_RULE_PASS | NPF_RULE_FINAL);
|
|
||||||
|
|
||||||
rl = npf_rule_create(name, attr, if_idx);
|
rl = npf_rule_create(name, attr | NPF_RULE_FINAL, if_idx);
|
||||||
npf_rule_insert(npf_conf, NULL, rl, NPF_PRI_NEXT);
|
npf_rule_insert(npf_conf, NULL, rl, NPF_PRI_NEXT);
|
||||||
current_group = rl;
|
current_group = rl;
|
||||||
}
|
}
|
||||||
|
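Review bot: Dropping NPF_RULE_PASS from the group rule changes what a packet that matches the group but none of its sub-rules gets, and nothing in npfctl_build_group says why; the reader only has the commit message. Suggest above `rl = npf_rule_create(name, attr | NPF_RULE_FINAL, if_idx);`: `/* Groups are final but carry no pass/block verdict of their own; the sub-rules decide. */`. The sub-rules presumably decide, but the kernel-side handling of a matched group with no matching sub-rule is not on this page, so confirm that before settling the wording. npfctl_build_group begins outside the hunk.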