- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly. - npf_nat_newpolicy: restore the policy ID. - npfctl_load: fix error code handling for the limit cases. - npf_config_import: fix the inverted logic. - npfctl_load: improve error handling.
parent
1624076525
commit
670c10ba87
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */
|
||||
/* $NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
|
||||
@ -30,7 +30,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.33 2014/08/11 23:48:01 rmind Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <netinet/in_systm.h>
|
||||
@ -237,11 +237,11 @@ npf_config_import(const char *path)
|
||||
nl_config_t *ncf;
|
||||
|
||||
npf_dict = prop_dictionary_internalize_from_file(path);
|
||||
if (npf_dict) {
|
||||
if (!npf_dict) {
|
||||
return NULL;
|
||||
}
|
||||
ncf = _npf_config_consdict(npf_dict);
|
||||
if (ncf == NULL) {
|
||||
if (!ncf) {
|
||||
prop_object_release(npf_dict);
|
||||
return NULL;
|
||||
}
|
||||
|
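Review bot: npf_config_import now has two NULL-returning failure paths that callers cannot distinguish, and only the first (the internalize_from_file failure, which presumably leaves a file-related errno) carries a usable errno; the `_npf_config_consdict` path at `if (!ncf) {` returns NULL with whatever errno happened to be set before. The user-space caller touched in this same commit, npfctl_load in npfctl.c, does `return errno;` on a NULL result, so a malformed dictionary would be reported as an unrelated, possibly zero, error. Setting `errno = EINVAL;` ahead of `prop_object_release(npf_dict);` on that path, or stating on the function that callers must not rely on errno after a NULL return, would close the gap. The function continues past the hunk.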
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $ */
|
||||
/* $NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
|
||||
@ -34,7 +34,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.14 2014/07/20 00:37:41 rmind Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.15 2014/08/11 23:48:01 rmind Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
@ -244,3 +244,24 @@ npf_alg_conn(npf_cache_t *npc, int di)
|
||||
pserialize_read_exit(s);
|
||||
return con;
|
||||
}
|
||||
|
||||
prop_array_t
|
||||
npf_alg_export(void)
|
||||
{
|
||||
prop_array_t alglist = prop_array_create();
|
||||
|
||||
KASSERT(npf_config_locked_p());
|
||||
|
||||
for (u_int i = 0; i < alg_count; i++) {
|
||||
const npf_alg_t *alg = &alg_list[i];
|
||||
|
||||
if (alg->na_name == NULL) {
|
||||
continue;
|
||||
}
|
||||
prop_dictionary_t algdict = prop_dictionary_create();
|
||||
prop_dictionary_set_cstring(algdict, "name", alg->na_name);
|
||||
prop_array_add(alglist, algdict);
|
||||
prop_object_release(algdict);
|
||||
}
|
||||
return alglist;
|
||||
}
|
||||
|
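Review bot: npf_alg_export discards every proplib result: `prop_dictionary_set_cstring(algdict, "name", alg->na_name)` returns a bool that is ignored, and the array/dictionary creations are not checked, so if the kernel proplib build can fail an allocation (I cannot confirm from here) an entry without a "name" key would be added silently to the exported list. Checking the set_cstring result and skipping the entry on false keeps the saved configuration well-formed. The function also lacks a header comment; `/* npf_alg_export: export the registered ALGs as an array of {"name"} dictionaries; the caller holds the config lock and owns the returned array. */` would record the contract that `KASSERT(npf_config_locked_p());` enforces and the ownership the return implies.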
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $ */
|
||||
/* $NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
|
||||
@ -99,7 +99,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.10 2014/08/10 19:09:43 rmind Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_conn.c,v 1.11 2014/08/11 23:48:01 rmind Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
@ -917,8 +917,11 @@ npf_conn_import(npf_conndb_t *cd, prop_dictionary_t cdict,
|
||||
}
|
||||
memcpy(&con->c_state, d, sizeof(npf_state_t));
|
||||
|
||||
/* Reconstruct NAT association, if any, or return NULL. */
|
||||
con->c_nat = npf_nat_import(cdict, natlist, con);
|
||||
/* Reconstruct NAT association, if any. */
|
||||
if ((obj = prop_dictionary_get(cdict, "nat")) != NULL &&
|
||||
(con->c_nat = npf_nat_import(obj, natlist, con)) == NULL) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* Fetch and copy the keys for each direction.
|
||||
|
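Review bot: The object fetched at `if ((obj = prop_dictionary_get(cdict, "nat")) != NULL &&` is handed to npf_nat_import without a type check, even though cdict arrives through the connection-import path and this same commit adds `prop_object_type(...) != PROP_TYPE_ARRAY` guards in npf_ctl.c. If npf_nat_import expects a dictionary, an object of another type under that key reaches it unchecked; `if (obj != NULL && prop_object_type(obj) != PROP_TYPE_DICTIONARY) { goto err; }` placed before the import call keeps the validation at the trust boundary, unless npf_nat_import already performs it. The declaration of obj and the rest of npf_conn_import lie outside the hunk.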
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $ */
|
||||
/* $NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
||||
@ -37,7 +37,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.38 2014/08/11 01:54:12 rmind Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.39 2014/08/11 23:48:01 rmind Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/conf.h>
|
||||
@ -84,7 +84,9 @@ npf_mk_table_entries(npf_table_t *t, prop_array_t entries)
|
||||
prop_dictionary_t ent;
|
||||
int error = 0;
|
||||
|
||||
/* Fill all the entries. */
|
||||
if (prop_object_type(entries) != PROP_TYPE_ARRAY) {
|
||||
return EINVAL;
|
||||
}
|
||||
eit = prop_array_iterator(entries);
|
||||
while ((ent = prop_object_iterator_next(eit)) != NULL) {
|
||||
const npf_addr_t *addr;
|
||||
@ -148,12 +150,7 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables,
|
||||
}
|
||||
|
||||
/* Get the entries or binary data. */
|
||||
prop_array_t entries = prop_dictionary_get(tbldict, "entries");
|
||||
if (prop_object_type(entries) != PROP_TYPE_ARRAY) {
|
||||
NPF_ERR_DEBUG(errdict);
|
||||
error = EINVAL;
|
||||
break;
|
||||
}
|
||||
prop_array_t ents = prop_dictionary_get(tbldict, "entries");
|
||||
prop_object_t obj = prop_dictionary_get(tbldict, "data");
|
||||
void *blob = prop_data_data(obj);
|
||||
size_t size = prop_data_size(obj);
|
||||
@ -177,7 +174,7 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables,
|
||||
error = npf_tableset_insert(tblset, t);
|
||||
KASSERT(error == 0);
|
||||
|
||||
if ((error = npf_mk_table_entries(t, entries)) != 0) {
|
||||
if (ents && (error = npf_mk_table_entries(t, ents)) != 0) {
|
||||
NPF_ERR_DEBUG(errdict);
|
||||
break;
|
||||
}
|
||||
@ -546,6 +543,7 @@ npfctl_load(u_long cmd, void *data)
|
||||
/* NAT policies. */
|
||||
natlist = prop_dictionary_get(npf_dict, "nat");
|
||||
if ((nitems = prop_array_count(natlist)) > NPF_MAX_RULES) {
|
||||
error = E2BIG;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
@ -558,6 +556,7 @@ npfctl_load(u_long cmd, void *data)
|
||||
/* Tables. */
|
||||
tables = prop_dictionary_get(npf_dict, "tables");
|
||||
if ((nitems = prop_array_count(tables)) > NPF_MAX_TABLES) {
|
||||
error = E2BIG;
|
||||
goto fail;
|
||||
}
|
||||
tblset = npf_tableset_create(nitems);
|
||||
@ -569,6 +568,7 @@ npfctl_load(u_long cmd, void *data)
|
||||
/* Rule procedures. */
|
||||
rprocs = prop_dictionary_get(npf_dict, "rprocs");
|
||||
if ((nitems = prop_array_count(rprocs)) > NPF_MAX_RPROCS) {
|
||||
error = E2BIG;
|
||||
goto fail;
|
||||
}
|
||||
rpset = npf_rprocset_create();
|
||||
@ -580,6 +580,7 @@ npfctl_load(u_long cmd, void *data)
|
||||
/* Rules. */
|
||||
rules = prop_dictionary_get(npf_dict, "rules");
|
||||
if ((nitems = prop_array_count(rules)) > NPF_MAX_RULES) {
|
||||
error = E2BIG;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
@ -682,8 +683,11 @@ npfctl_save(u_long cmd, void *data)
|
||||
if (error) {
|
||||
goto out;
|
||||
}
|
||||
prop_array_t alglist = npf_alg_export();
|
||||
|
||||
npf_dict = prop_dictionary_create();
|
||||
prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
|
||||
prop_dictionary_set_and_rel(npf_dict, "algs", alglist);
|
||||
prop_dictionary_set_and_rel(npf_dict, "rules", rulelist);
|
||||
prop_dictionary_set_and_rel(npf_dict, "nat", natlist);
|
||||
prop_dictionary_set_and_rel(npf_dict, "tables", tables);
|
||||
|
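Review bot: In the npf_mk_tables hunk the "entries" type check is moved into npf_mk_table_entries, but the neighbouring `prop_object_t obj = prop_dictionary_get(tbldict, "data");` still feeds `prop_data_data(obj)` and `prop_data_size(obj)` without confirming the key exists and is of type PROP_TYPE_DATA, while ents is at least guarded by `if (ents && ...)`. Whether proplib tolerates a NULL or non-data object there I cannot tell from this page, so a guard such as `if (obj != NULL && prop_object_type(obj) != PROP_TYPE_DATA) { NPF_ERR_DEBUG(errdict); error = EINVAL; break; }` before the blob/size reads would make the table loader as strict for "data" as it now is for "entries". How blob and size are consumed continues outside the hunk.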
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_impl.h,v 1.58 2014/08/11 01:54:12 rmind Exp $ */
|
||||
/* $NetBSD: npf_impl.h,v 1.59 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
||||
@ -338,6 +338,7 @@ npf_alg_t * npf_alg_construct(const char *);
|
||||
bool npf_alg_match(npf_cache_t *, npf_nat_t *, int);
|
||||
void npf_alg_exec(npf_cache_t *, npf_nat_t *, bool);
|
||||
npf_conn_t * npf_alg_conn(npf_cache_t *, int);
|
||||
prop_array_t npf_alg_export(void);
|
||||
|
||||
/* Debugging routines. */
|
||||
const char * npf_addr_dump(const npf_addr_t *, int);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $ */
|
||||
/* $NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
|
||||
@ -71,7 +71,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.32 2014/08/10 19:09:43 rmind Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.33 2014/08/11 23:48:01 rmind Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
@ -199,9 +199,10 @@ npf_nat_newpolicy(prop_dictionary_t natdict, npf_ruleset_t *rset)
|
||||
|
||||
np = kmem_zalloc(sizeof(npf_natpolicy_t), KM_SLEEP);
|
||||
|
||||
/* Translation type and flags. */
|
||||
/* The translation type, flags and policy ID. */
|
||||
prop_dictionary_get_int32(natdict, "type", &np->n_type);
|
||||
prop_dictionary_get_uint32(natdict, "flags", &np->n_flags);
|
||||
prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id);
|
||||
|
||||
/* Should be exclusively either inbound or outbound NAT. */
|
||||
if (((np->n_type == NPF_NATIN) ^ (np->n_type == NPF_NATOUT)) == 0) {
|
||||
|
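Review bot: The policy ID restored at `prop_dictionary_get_uint64(natdict, "nat-policy", &np->n_id);` is taken from the configuration dictionary with neither the return value nor uniqueness checked, so a missing key leaves n_id at the zero from kmem_zalloc and two policies may carry the same ID. If n_id is the key used to re-associate imported connections with their policy (inferred from the commit message), a duplicate or zero ID makes that lookup ambiguous; either the ruleset insertion path should reject duplicates, or a comment here should state that the ID is trusted to be unique, e.g. `/* The ID is supplied by npfctl and assumed unique across the ruleset. */`. The rest of npf_nat_newpolicy is outside the hunk.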
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $ */
|
||||
/* $NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
||||
@ -30,7 +30,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: npfctl.c,v 1.42 2014/07/23 05:00:38 htodd Exp $");
|
||||
__RCSID("$NetBSD: npfctl.c,v 1.43 2014/08/11 23:48:01 rmind Exp $");
|
||||
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/stat.h>
|
||||
@ -506,7 +506,12 @@ npfctl_load(int fd)
|
||||
if (ncf == NULL) {
|
||||
return errno;
|
||||
}
|
||||
error = npf_config_submit(ncf, fd);
|
||||
errno = error = npf_config_submit(ncf, fd);
|
||||
if (error) {
|
||||
nl_error_t ne;
|
||||
_npf_config_error(ncf, &ne);
|
||||
npfctl_print_error(&ne);
|
||||
}
|
||||
npf_config_destroy(ncf);
|
||||
return error;
|
||||
}
|
||||
|