Add ability to have mbufs disappear (to another interface) during

npf_rproc_run(). For upcoming npf_ext_route extension. Guidance and ok by rmind@.
2014-05-19 18:45:51 +00:00 · 2014-05-19 18:45:51 +00:00 · 2f89c03432
commit 2f89c03432
parent ed36ef9858
7 changed files with 41 additions and 26 deletions
--- a/sys/net/npf/npf.h
+++ b/sys/net/npf/npf.h
@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.38 2014/03/14 11:29:44 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.39 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@ -188,7 +188,7 @@ typedef struct {
 	void *		ctx;
 	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
 	void		(*dtor)(npf_rproc_t *, void *);
-	void		(*proc)(npf_cache_t *, nbuf_t *, void *, int *);
+	bool		(*proc)(npf_cache_t *, nbuf_t *, void *, int *);
 } npf_ext_ops_t;

 void *		npf_ext_register(const char *, const npf_ext_ops_t *);
--- a/sys/net/npf/npf_ext_log.c
+++ b/sys/net/npf/npf_ext_log.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_log.c,v 1.6 2013/03/11 17:03:55 christos Exp $	*/
+/*	$NetBSD: npf_ext_log.c,v 1.7 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@ -34,7 +34,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.6 2013/03/11 17:03:55 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.7 2014/05/19 18:45:51 jakllsch Exp $");

 #include <sys/types.h>
 #include <sys/module.h>
@ -78,7 +78,7 @@ npf_log_dtor(npf_rproc_t *rp, void *meta)
 	kmem_free(meta, sizeof(npf_ext_log_t));
 }

-static void
+static bool
 npf_log(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
 {
 	struct mbuf *m = nbuf_head_mbuf(nbuf);
@ -102,7 +102,7 @@ npf_log(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
 	if (ifp == NULL) {
 		/* No interface. */
 		KERNEL_UNLOCK_ONE(NULL);
-		return;
+		return true;
 	}

 	/* Pass through BPF. */
@ -110,6 +110,8 @@ npf_log(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
 	ifp->if_obytes += m->m_pkthdr.len;
 	bpf_mtap_af(ifp, family, m);
 	KERNEL_UNLOCK_ONE(NULL);
+
+	return true;
 }

 /*
--- a/sys/net/npf/npf_ext_normalize.c
+++ b/sys/net/npf/npf_ext_normalize.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_normalize.c,v 1.1 2013/03/12 20:47:48 christos Exp $	*/
+/*	$NetBSD: npf_ext_normalize.c,v 1.2 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@ -27,7 +27,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.1 2013/03/12 20:47:48 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalize.c,v 1.2 2014/05/19 18:45:51 jakllsch Exp $");

 #include <sys/types.h>
 #include <sys/module.h>
@ -140,7 +140,7 @@ npf_normalize_ip4(npf_cache_t *npc, npf_normalize_t *np)
 /*
 * npf_normalize: the main routine to normalize IPv4 and/or TCP headers.
 */
-static void
+static bool
 npf_normalize(npf_cache_t *npc, nbuf_t *nbuf, void *params, int *decision)
 {
 	npf_normalize_t *np = params;
@ -150,7 +150,7 @@ npf_normalize(npf_cache_t *npc, nbuf_t *nbuf, void *params, int *decision)

 	/* Skip, if already blocking. */
 	if (*decision == NPF_DECISION_BLOCK) {
-		return;
+		return true;
 	}

 	/* Normalise IPv4.  Nothing to do for IPv6. */
@ -165,15 +165,15 @@ npf_normalize(npf_cache_t *npc, nbuf_t *nbuf, void *params, int *decision)
 	if (maxmss == 0 || !npf_iscached(npc, NPC_TCP) ||
 	    (th->th_flags & TH_SYN) == 0) {
 		/* Not required; done. */
-		return;
+		return true;
 	}
 	mss = 0;
 	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
-		return;
+		return true;
 	}
 	if (ntohs(mss) <= maxmss) {
 		/* Nothing else to do. */
-		return;
+		return true;
 	}
 	maxmss = htons(maxmss);

@ -182,6 +182,8 @@ npf_normalize(npf_cache_t *npc, nbuf_t *nbuf, void *params, int *decision)
 		cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
 		th->th_sum = cksum;
 	}
+
+	return true;
 }

 static int
--- a/sys/net/npf/npf_ext_rndblock.c
+++ b/sys/net/npf/npf_ext_rndblock.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ext_rndblock.c,v 1.3 2013/03/11 17:03:55 christos Exp $	*/
+/*	$NetBSD: npf_ext_rndblock.c,v 1.4 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2012 The NetBSD Foundation, Inc.
@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.3 2013/03/11 17:03:55 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ext_rndblock.c,v 1.4 2014/05/19 18:45:51 jakllsch Exp $");

 #include <sys/types.h>
 #include <sys/cprng.h>
@ -96,7 +96,7 @@ npf_ext_rndblock_dtor(npf_rproc_t *rp, void *meta)
 /*
 * npf_ext_rndblock: main routine implementing the extension functionality.
 */
-static void
+static bool
 npf_ext_rndblock(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
 {
 	npf_ext_rndblock_t *rndblock = meta;
@ -104,7 +104,7 @@ npf_ext_rndblock(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)

 	/* Skip, if already blocking. */
 	if (*decision == NPF_DECISION_BLOCK) {
-		return;
+		return true;
 	}

 	/*
@ -129,6 +129,8 @@ npf_ext_rndblock(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
 			*decision = NPF_DECISION_BLOCK;
 		}
 	}
+
+	return true;
 }

 /*
--- a/sys/net/npf/npf_handler.c
+++ b/sys/net/npf/npf_handler.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_handler.c,v 1.29 2014/03/14 11:29:44 rmind Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.30 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@ -36,7 +36,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.29 2014/03/14 11:29:44 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.30 2014/05/19 18:45:51 jakllsch Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -252,8 +252,13 @@ block:
 	 * Execute the rule procedure, if any is associated.
 	 * It may reverse the decision from pass to block.
 	 */
-	if (rp) {
-		npf_rproc_run(&npc, &nbuf, rp, &decision);
+	if (rp && !npf_rproc_run(&npc, &nbuf, rp, &decision)) {
+		if (se) {
+			npf_session_release(se);
+		}
+		npf_rproc_release(rp);
+		*mp = NULL;
+		return 0;
 	}
 out:
 	/*
--- a/sys/net/npf/npf_impl.h
+++ b/sys/net/npf/npf_impl.h
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.50 2014/03/14 11:29:44 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.51 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@ -298,7 +298,7 @@ void		npf_rprocset_insert(npf_rprocset_t *, npf_rproc_t *);
 npf_rproc_t *	npf_rproc_create(prop_dictionary_t);
 void		npf_rproc_acquire(npf_rproc_t *);
 void		npf_rproc_release(npf_rproc_t *);
-void		npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int *);
+bool		npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int *);

 /* Session handling interface. */
 void		npf_session_sysinit(void);
--- a/sys/net/npf/npf_rproc.c
+++ b/sys/net/npf/npf_rproc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_rproc.c,v 1.9 2013/03/11 01:56:37 christos Exp $	*/
+/*	$NetBSD: npf_rproc.c,v 1.10 2014/05/19 18:45:51 jakllsch Exp $	*/

 /*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@ -330,7 +330,7 @@ npf_rproc_assign(npf_rproc_t *rp, void *params)
 *
 * => Reference on the rule procedure must be held.
 */
-void
+bool
 npf_rproc_run(npf_cache_t *npc, nbuf_t *nbuf, npf_rproc_t *rp, int *decision)
 {
 	const unsigned extcount = rp->rp_ext_count;
@ -343,10 +343,14 @@ npf_rproc_run(npf_cache_t *npc, nbuf_t *nbuf, npf_rproc_t *rp, int *decision)
 		const npf_ext_ops_t *extops = ext->ext_ops;

 		KASSERT(ext->ext_refcnt > 0);
-		extops->proc(npc, nbuf, rp->rp_ext_meta[i], decision);
+		if (!extops->proc(npc, nbuf, rp->rp_ext_meta[i], decision)) {
+			return false;
+		}

 		if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) {
 			npf_recache(npc, nbuf);
 		}
 	}
+
+	return true;
 }