NPF: finish up the rework of npfctl_save() mechanism.

sys/net/npf/npf_conf.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_conf.c,v 1.7 2014/07/23 01:25:34 rmind Exp $	*/
+/*	$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.7 2014/07/23 01:25:34 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_conf.c,v 1.8 2014/08/11 01:54:12 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -66,7 +66,6 @@ typedef struct {
 	npf_tableset_t *	n_tables;
 	npf_ruleset_t *		n_nat_rules;
 	npf_rprocset_t *	n_rprocs;
-	prop_dictionary_t	n_dict;
 	bool			n_default_pass;
 } npf_config_t;
 
@@ -77,7 +76,6 @@ static pserialize_t		npf_config_psz		__cacheline_aligned;
 void
 npf_config_init(void)
 {
-	prop_dictionary_t dict;
 	npf_ruleset_t *rlset, *nset;
 	npf_rprocset_t *rpset;
 	npf_tableset_t *tset;
@@ -86,19 +84,17 @@ npf_config_init(void)
 	npf_config_psz = pserialize_create();
 
 	/* Load the empty configuration. */
-	dict = prop_dictionary_create();
 	tset = npf_tableset_create(0);
 	rpset = npf_rprocset_create();
 	rlset = npf_ruleset_create(0);
 	nset = npf_ruleset_create(0);
-	npf_config_load(dict, rlset, tset, nset, rpset, NULL, true);
+	npf_config_load(rlset, tset, nset, rpset, NULL, true);
 	KASSERT(npf_config != NULL);
 }
 
 static void
 npf_config_destroy(npf_config_t *nc)
 {
-	prop_object_release(nc->n_dict);
 	npf_ruleset_destroy(nc->n_rules);
 	npf_ruleset_destroy(nc->n_nat_rules);
 	npf_rprocset_destroy(nc->n_rprocs);
@@ -127,8 +123,8 @@ npf_config_fini(void)
  * Performs the necessary synchronisation and destroys the old config.
  */
 void
-npf_config_load(prop_dictionary_t dict, npf_ruleset_t *rset,
-    npf_tableset_t *tset, npf_ruleset_t *nset, npf_rprocset_t *rpset,
+npf_config_load(npf_ruleset_t *rset, npf_tableset_t *tset,
+    npf_ruleset_t *nset, npf_rprocset_t *rpset,
     npf_conndb_t *conns, bool flush)
 {
 	npf_config_t *nc, *onc;
@@ -138,7 +134,6 @@ npf_config_load(prop_dictionary_t dict, npf_ruleset_t *rset,
 	nc->n_tables = tset;
 	nc->n_nat_rules = nset;
 	nc->n_rprocs = rpset;
-	nc->n_dict = dict;
 	nc->n_default_pass = flush;
 
 	/*
@@ -185,9 +180,6 @@ npf_config_load(prop_dictionary_t dict, npf_ruleset_t *rset,
 	 * If not flushing - enable the connection tracking.
 	 */
 	npf_conn_load(conns, !flush);
-
-	/* Sync the config proplib data. */
-	npf_tableset_syncdict(tset, dict);
 	mutex_exit(&npf_config_lock);
 
 	/* Finally, it is safe to destroy the old config. */
@@ -261,10 +253,10 @@ npf_config_tableset(void)
 	return npf_config->n_tables;
 }
 
-prop_dictionary_t
-npf_config_dict(void)
+npf_rprocset_t *
+npf_config_rprocs(void)
 {
-	return npf_config->n_dict;
+	return npf_config->n_rprocs;
 }
 
 bool

sys/net/npf/npf_ctl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.37 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.37 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -181,7 +181,6 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables,
 			NPF_ERR_DEBUG(errdict);
 			break;
 		}
-		prop_dictionary_remove(tbldict, "entries");
 	}
 	prop_object_iterator_release(it);
 	/*
@@ -555,7 +554,6 @@ npfctl_load(u_long cmd, void *data)
 	if (error) {
 		goto fail;
 	}
-	prop_dictionary_remove(npf_dict, "nat");
 
 	/* Tables. */
 	tables = prop_dictionary_get(npf_dict, "tables");
@@ -597,7 +595,6 @@ npfctl_load(u_long cmd, void *data)
 		if (error) {
 			goto fail;
 		}
-		prop_dictionary_remove(npf_dict, "conn-list");
 	}
 
 	flush = false;
@@ -606,7 +603,7 @@ npfctl_load(u_long cmd, void *data)
 	/*
 	 * Finally - perform the load.
 	 */
-	npf_config_load(npf_dict, rlset, tblset, nset, rpset, conndb, flush);
+	npf_config_load(rlset, tblset, nset, rpset, conndb, flush);
 
 	/* Done.  Since data is consumed now, we shall not destroy it. */
 	tblset = NULL;
@@ -630,9 +627,7 @@ fail:
 	if (tblset) {
 		npf_tableset_destroy(tblset);
 	}
-	if (error) {
-		prop_object_release(npf_dict);
-	}
+	prop_object_release(npf_dict);
 
 	/* Error report. */
 #ifndef _NPF_TESTING
@@ -653,12 +648,15 @@ int
 npfctl_save(u_long cmd, void *data)
 {
 	struct plistref *pref = data;
-	prop_array_t conlist, natlist;
-	prop_dictionary_t npf_dict;
+	prop_array_t rulelist, natlist, tables, rprocs, conlist;
+	prop_dictionary_t npf_dict = NULL;
 	int error;
 
-	conlist = prop_array_create();
+	rulelist = prop_array_create();
 	natlist = prop_array_create();
+	tables = prop_array_create();
+	rprocs = prop_array_create();
+	conlist = prop_array_create();
 
 	/*
 	 * Serialise the connections and NAT policies.
@@ -668,21 +666,42 @@ npfctl_save(u_long cmd, void *data)
 	if (error) {
 		goto out;
 	}
+	error = npf_ruleset_export(npf_config_ruleset(), rulelist);
+	if (error) {
+		goto out;
+	}
 	error = npf_ruleset_export(npf_config_natset(), natlist);
 	if (error) {
 		goto out;
 	}
-	npf_dict = npf_config_dict();
+	error = npf_tableset_export(npf_config_tableset(), tables);
+	if (error) {
+		goto out;
+	}
+	error = npf_rprocset_export(npf_config_rprocs(), rprocs);
+	if (error) {
+		goto out;
+	}
+	npf_dict = prop_dictionary_create();
+	prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
+	prop_dictionary_set_and_rel(npf_dict, "rules", rulelist);
 	prop_dictionary_set_and_rel(npf_dict, "nat", natlist);
+	prop_dictionary_set_and_rel(npf_dict, "tables", tables);
+	prop_dictionary_set_and_rel(npf_dict, "rprocs", rprocs);
 	prop_dictionary_set_and_rel(npf_dict, "conn-list", conlist);
 	prop_dictionary_set_bool(npf_dict, "active", npf_pfil_registered_p());
 	error = prop_dictionary_copyout_ioctl(pref, cmd, npf_dict);
 out:
 	npf_config_exit();
 
-	if (error) {
-		prop_object_release(conlist);
+	if (!npf_dict) {
+		prop_object_release(rulelist);
 		prop_object_release(natlist);
+		prop_object_release(tables);
+		prop_object_release(rprocs);
+		prop_object_release(conlist);
+	} else {
+		prop_object_release(npf_dict);
 	}
 	return error;
 }

sys/net/npf/npf_impl.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.57 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.58 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -149,13 +149,12 @@ bool		npf_config_locked_p(void);
 int		npf_config_read_enter(void);
 void		npf_config_read_exit(int);
 
-void		npf_config_load(prop_dictionary_t, npf_ruleset_t *,
-		    npf_tableset_t *, npf_ruleset_t *, npf_rprocset_t *,
-		    npf_conndb_t *, bool);
+void		npf_config_load(npf_ruleset_t *, npf_tableset_t *,
+		    npf_ruleset_t *, npf_rprocset_t *, npf_conndb_t *, bool);
 npf_ruleset_t *	npf_config_ruleset(void);
 npf_ruleset_t *	npf_config_natset(void);
 npf_tableset_t *npf_config_tableset(void);
-prop_dictionary_t npf_config_dict(void);
+npf_rprocset_t *npf_config_rprocs(void);
 bool		npf_default_pass(void);
 
 int		npf_worker_sysinit(void);
@@ -237,7 +236,7 @@ int		npf_tableset_insert(npf_tableset_t *, npf_table_t *);
 npf_table_t *	npf_tableset_getbyname(npf_tableset_t *, const char *);
 npf_table_t *	npf_tableset_getbyid(npf_tableset_t *, u_int);
 void		npf_tableset_reload(npf_tableset_t *, npf_tableset_t *);
-void		npf_tableset_syncdict(const npf_tableset_t *, prop_dictionary_t);
+int		npf_tableset_export(const npf_tableset_t *, prop_array_t);
 
 npf_table_t *	npf_table_create(const char *, u_int, int, void *, size_t);
 void		npf_table_destroy(npf_table_t *);
@@ -292,6 +291,7 @@ npf_rprocset_t *npf_rprocset_create(void);
 void		npf_rprocset_destroy(npf_rprocset_t *);
 npf_rproc_t *	npf_rprocset_lookup(npf_rprocset_t *, const char *);
 void		npf_rprocset_insert(npf_rprocset_t *, npf_rproc_t *);
+int		npf_rprocset_export(const npf_rprocset_t *, prop_array_t);
 
 npf_rproc_t *	npf_rproc_create(prop_dictionary_t);
 void		npf_rproc_acquire(npf_rproc_t *);

sys/net/npf/npf_rproc.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_rproc.c,v 1.11 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_rproc.c,v 1.12 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -261,6 +261,22 @@ npf_rprocset_insert(npf_rprocset_t *rpset, npf_rproc_t *rp)
 	LIST_INSERT_HEAD(&rpset->rps_list, rp, rp_entry);
 }
 
+int
+npf_rprocset_export(const npf_rprocset_t *rpset, prop_array_t rprocs)
+{
+	prop_dictionary_t rpdict;
+	const npf_rproc_t *rp;
+
+	LIST_FOREACH(rp, &rpset->rps_list, rp_entry) {
+		rpdict = prop_dictionary_create();
+		prop_dictionary_set_cstring(rpdict, "name", rp->rp_name);
+		prop_dictionary_set_uint32(rpdict, "flags", rp->rp_flags);
+		prop_array_add(rprocs, rpdict);
+		prop_object_release(rpdict);
+	}
+	return 0;
+}
+
 /*
  * npf_rproc_create: construct a new rule procedure, lookup and associate
  * the extension calls with it.

sys/net/npf/npf_ruleset.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.36 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.36 2014/08/10 19:09:43 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.37 2014/08/11 01:54:12 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -115,7 +115,11 @@ struct npf_rule {
 	prop_data_t		r_info;
 };
 
-static int	npf_rule_export(const npf_rule_t *, prop_dictionary_t);
+#define	SKIPTO_ADJ_FLAG		(1U << 31)
+#define	SKIPTO_MASK		(SKIPTO_ADJ_FLAG - 1)
+
+static int	npf_rule_export(const npf_ruleset_t *,
+    const npf_rule_t *, prop_dictionary_t);
 
 /*
  * Private attributes - must be in the NPF_RULE_PRIVMASK range.
@@ -193,7 +197,7 @@ npf_ruleset_insert(npf_ruleset_t *rlset, npf_rule_t *rl)
 	rlset->rs_nitems++;
 
 	if (rl->r_skip_to < ++n) {
-		rl->r_skip_to = n;
+		rl->r_skip_to = SKIPTO_ADJ_FLAG | n;
 	}
 }
 
@@ -342,12 +346,13 @@ npf_ruleset_list(npf_ruleset_t *rlset, const char *rname)
 		rldict = prop_dictionary_create();
 		KASSERT(rl->r_parent == rg);
 
-		if (npf_rule_export(rl, rldict) ||
-		    !prop_array_add(rules, rldict)) {
+		if (npf_rule_export(rlset, rl, rldict)) {
 			prop_object_release(rldict);
 			prop_object_release(rules);
 			return NULL;
 		}
+		prop_array_add(rules, rldict);
+		prop_object_release(rldict);
 	}
 
 	if (!prop_dictionary_set(rgdict, "rules", rules)) {
@@ -377,17 +382,19 @@ npf_ruleset_flush(npf_ruleset_t *rlset, const char *rname)
 int
 npf_ruleset_export(const npf_ruleset_t *rlset, prop_array_t rules)
 {
-	const npf_rule_t *rl;
+	const u_int nitems = rlset->rs_nitems;
 	int error = 0;
+	u_int n = 0;
 
 	KASSERT(npf_config_locked_p());
 
-	LIST_FOREACH(rl, &rlset->rs_all, r_aentry) {
+	while (n < nitems) {
+		const npf_rule_t *rl = rlset->rs_rules[n];
 		const npf_natpolicy_t *natp = rl->r_natp;
 		prop_dictionary_t rldict;
 
 		rldict = prop_dictionary_create();
-		if ((error = npf_rule_export(rl, rldict)) != 0) {
+		if ((error = npf_rule_export(rlset, rl, rldict)) != 0) {
 			prop_object_release(rldict);
 			break;
 		}
@@ -395,10 +402,9 @@ npf_ruleset_export(const npf_ruleset_t *rlset, prop_array_t rules)
 			prop_object_release(rldict);
 			break;
 		}
-		if (!prop_array_add(rules, rldict)) {
-			prop_object_release(rldict);
-			return ENOMEM;
-		}
+		prop_array_add(rules, rldict);
+		prop_object_release(rldict);
+		n++;
 	}
 	return error;
 }
@@ -625,14 +631,18 @@ npf_rule_alloc(prop_dictionary_t rldict)
 }
 
 static int
-npf_rule_export(const npf_rule_t *rl, prop_dictionary_t rldict)
+npf_rule_export(const npf_ruleset_t *rlset, const npf_rule_t *rl,
+    prop_dictionary_t rldict)
 {
+	u_int skip_to = 0;
 	prop_data_t d;
 
 	prop_dictionary_set_uint32(rldict, "attr", rl->r_attr);
 	prop_dictionary_set_int32(rldict, "prio", rl->r_priority);
-	prop_dictionary_set_uint32(rldict, "skip-to", rl->r_skip_to);
-
+	if ((rl->r_skip_to & SKIPTO_ADJ_FLAG) == 0) {
+		skip_to = rl->r_skip_to & SKIPTO_MASK;
+	}
+	prop_dictionary_set_uint32(rldict, "skip-to", skip_to);
 	prop_dictionary_set_int32(rldict, "code-type", rl->r_type);
 	if (rl->r_code) {
 		d = prop_data_create_data(rl->r_code, rl->r_clen);
@@ -652,7 +662,9 @@ npf_rule_export(const npf_rule_t *rl, prop_dictionary_t rldict)
 		d = prop_data_create_data(rl->r_key, NPF_RULE_MAXKEYLEN);
 		prop_dictionary_set_and_rel(rldict, "key", d);
 	}
-	prop_dictionary_set(rldict, "info", rl->r_info);
+	if (rl->r_info) {
+		prop_dictionary_set(rldict, "info", rl->r_info);
+	}
 	return 0;
 }
 
@@ -836,7 +848,7 @@ npf_ruleset_inspect(npf_cache_t *npc, const npf_ruleset_t *rlset,
 
 	while (n < nitems) {
 		npf_rule_t *rl = rlset->rs_rules[n];
-		const u_int skip_to = rl->r_skip_to;
+		const u_int skip_to = rl->r_skip_to & SKIPTO_MASK;
 		const uint32_t attr = rl->r_attr;
 
 		KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));

sys/net/npf/npf_tableset.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_tableset.c,v 1.21 2014/02/06 02:51:28 rmind Exp $	*/
+/*	$NetBSD: npf_tableset.c,v 1.22 2014/08/11 01:54:12 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.21 2014/02/06 02:51:28 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.22 2014/08/11 01:54:12 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -256,10 +256,9 @@ npf_tableset_reload(npf_tableset_t *nts, npf_tableset_t *ots)
 	}
 }
 
-void
-npf_tableset_syncdict(const npf_tableset_t *ts, prop_dictionary_t ndict)
+int
+npf_tableset_export(const npf_tableset_t *ts, prop_array_t tables)
 {
-	prop_array_t tables = prop_array_create();
 	const npf_table_t *t;
 
 	KASSERT(npf_config_locked_p());
@@ -276,9 +275,7 @@ npf_tableset_syncdict(const npf_tableset_t *ts, prop_dictionary_t ndict)
 		prop_array_add(tables, tdict);
 		prop_object_release(tdict);
 	}
-	prop_dictionary_remove(ndict, "tables");
-	prop_dictionary_set(ndict, "tables", tables);
-	prop_object_release(tables);
+	return 0;
 }
 
 /*