diff --git a/lib/libnpf/npf.c b/lib/libnpf/npf.c index 97e731f78e08..e438dc8c7d7e 100644 --- a/lib/libnpf/npf.c +++ b/lib/libnpf/npf.c @@ -1,4 +1,4 @@ -/* $NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $ */ +/* $NetBSD: npf.c,v 1.7 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2010-2012 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/02/05 00:37:13 rmind Exp $"); #include #include @@ -39,6 +39,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $"); #include #include +#include #include #include @@ -54,6 +55,8 @@ struct nl_config { /* Priority counters. */ pri_t ncf_rule_pri; pri_t ncf_nat_pri; + /* Error report. */ + prop_dictionary_t ncf_err; /* Custom file to externalise property-list. */ const char * ncf_plist; bool ncf_flush; @@ -80,7 +83,7 @@ npf_config_create(void) { nl_config_t *ncf; - ncf = malloc(sizeof(*ncf)); + ncf = calloc(1, sizeof(*ncf)); if (ncf == NULL) { return NULL; } @@ -101,8 +104,8 @@ npf_config_create(void) int npf_config_submit(nl_config_t *ncf, int fd) { - prop_dictionary_t npf_dict; const char *plist = ncf->ncf_plist; + prop_dictionary_t npf_dict; int error = 0; npf_dict = prop_dictionary_create(); @@ -119,9 +122,19 @@ npf_config_submit(nl_config_t *ncf, int fd) if (!prop_dictionary_externalize_to_file(npf_dict, plist)) { error = errno; } - } else { - error = prop_dictionary_send_ioctl(npf_dict, fd, IOC_NPF_RELOAD); + prop_object_release(npf_dict); + return error; } + + error = prop_dictionary_sendrecv_ioctl(npf_dict, fd, + IOC_NPF_RELOAD, &ncf->ncf_err); + if (error) { + prop_object_release(npf_dict); + assert(ncf->ncf_err == NULL); + return error; + } + + prop_dictionary_get_int32(ncf->ncf_err, "errno", &error); prop_object_release(npf_dict); return error; } @@ -142,6 +155,21 @@ npf_config_flush(int fd) return error; } +void +_npf_config_error(nl_config_t *ncf, nl_error_t *ne) +{ + memset(ne, 0, sizeof(*ne)); + prop_dictionary_get_int32(ncf->ncf_err, "id", &ne->ne_id); + prop_dictionary_get_cstring(ncf->ncf_err, + "source-file", &ne->ne_source_file); + prop_dictionary_get_uint32(ncf->ncf_err, + "source-line", &ne->ne_source_line); + prop_dictionary_get_int32(ncf->ncf_err, + "ncode-error", &ne->ne_ncode_error); + prop_dictionary_get_int32(ncf->ncf_err, + "ncode-errat", &ne->ne_ncode_errat); +} + void npf_config_destroy(nl_config_t *ncf) { @@ -150,6 +178,9 @@ npf_config_destroy(nl_config_t *ncf) prop_object_release(ncf->ncf_rproc_list); prop_object_release(ncf->ncf_table_list); prop_object_release(ncf->ncf_nat_list); + if (ncf->ncf_err) { + prop_object_release(ncf->ncf_err); + } free(ncf); } @@ -531,10 +562,14 @@ npf_table_destroy(nl_table_t *tl) int npf_update_rule(int fd, const char *rname __unused, nl_rule_t *rl) { - prop_dictionary_t rldict = rl->nrl_dict; + prop_dictionary_t rldict = rl->nrl_dict, errdict = NULL; int error; - error = prop_dictionary_send_ioctl(rldict, fd, IOC_NPF_UPDATE_RULE); + error = prop_dictionary_sendrecv_ioctl(rldict, fd, + IOC_NPF_UPDATE_RULE, &errdict); + if (errdict) { + prop_object_release(errdict); + } return error; } diff --git a/lib/libnpf/npf.h b/lib/libnpf/npf.h index f587486640b5..28bd19c414d1 100644 --- a/lib/libnpf/npf.h +++ b/lib/libnpf/npf.h @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.5 2012/01/15 00:49:47 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.6 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -53,6 +53,18 @@ typedef struct nl_table nl_table_t; typedef struct nl_rule nl_nat_t; +#ifdef _NPF_PRIVATE + +typedef struct { + int ne_id; + char * ne_source_file; + u_int ne_source_line; + int ne_ncode_error; + int ne_ncode_errat; +} nl_error_t; + +#endif + #define NPF_CODE_NCODE 1 #define NPF_CODE_BPF 2 @@ -65,6 +77,7 @@ int npf_config_submit(nl_config_t *, int); void npf_config_destroy(nl_config_t *); int npf_config_flush(int); #ifdef _NPF_PRIVATE +void _npf_config_error(nl_config_t *, nl_error_t *); void _npf_config_setsubmit(nl_config_t *, const char *); #endif diff --git a/sys/net/npf/npf.h b/sys/net/npf/npf.h index cd7a12ad3eb1..8e06431893da 100644 --- a/sys/net/npf/npf.h +++ b/sys/net/npf/npf.h @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.12 2012/01/15 00:49:48 rmind Exp $ */ +/* $NetBSD: npf.h,v 1.13 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc. @@ -49,7 +49,7 @@ #include "testing.h" #endif -#define NPF_VERSION 3 +#define NPF_VERSION 4 /* * Public declarations and definitions. @@ -309,11 +309,11 @@ typedef enum { #define IOC_NPF_VERSION _IOR('N', 100, int) #define IOC_NPF_SWITCH _IOW('N', 101, int) -#define IOC_NPF_RELOAD _IOW('N', 102, struct plistref) +#define IOC_NPF_RELOAD _IOWR('N', 102, struct plistref) #define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table) #define IOC_NPF_STATS _IOW('N', 104, void *) #define IOC_NPF_SESSIONS_SAVE _IOR('N', 105, struct plistref) #define IOC_NPF_SESSIONS_LOAD _IOW('N', 106, struct plistref) -#define IOC_NPF_UPDATE_RULE _IOW('N', 107, struct plistref) +#define IOC_NPF_UPDATE_RULE _IOWR('N', 107, struct plistref) #endif /* _NPF_NET_H_ */ diff --git a/sys/net/npf/npf_ctl.c b/sys/net/npf/npf_ctl.c index 59f90901ab71..cd1e8a2770e6 100644 --- a/sys/net/npf/npf_ctl.c +++ b/sys/net/npf/npf_ctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.12 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12 2012/02/05 00:37:13 rmind Exp $"); #include #include @@ -48,6 +48,14 @@ __KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $"); #include "npf_ncode.h" #include "npf_impl.h" +#if defined(DEBUG) || defined(DIAGNOSTIC) +#define NPF_ERR_DEBUG(e) \ + prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \ + prop_dictionary_set_uint32((e), "source-line", __LINE__); +#else +#define NPF_ERR_DEBUG(e) +#endif + /* * npfctl_switch: enable or disable packet inspection. */ @@ -69,15 +77,18 @@ npfctl_switch(void *data) } static int __noinline -npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables) +npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables, + prop_dictionary_t errdict) { prop_object_iterator_t it; prop_dictionary_t tbldict; int error = 0; /* Tables - array. */ - if (prop_object_type(tables) != PROP_TYPE_ARRAY) + if (prop_object_type(tables) != PROP_TYPE_ARRAY) { + NPF_ERR_DEBUG(errdict); return EINVAL; + } it = prop_array_iterator(tables); while ((tbldict = prop_object_iterator_next(it)) != NULL) { @@ -90,6 +101,7 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables) /* Table - dictionary. */ if (prop_object_type(tbldict) != PROP_TYPE_DICTIONARY) { + NPF_ERR_DEBUG(errdict); error = EINVAL; break; } @@ -98,7 +110,7 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables) prop_dictionary_get_uint32(tbldict, "id", &tid); prop_dictionary_get_int32(tbldict, "type", &type); - /* Validate them. */ + /* Validate them, check for duplicate IDs. */ error = npf_table_check(tblset, tid, type); if (error) break; @@ -106,6 +118,7 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables) /* Create and insert the table. */ t = npf_table_create(tid, type, 1024); /* XXX */ if (t == NULL) { + NPF_ERR_DEBUG(errdict); error = ENOMEM; break; } @@ -115,6 +128,7 @@ npf_mk_tables(npf_tableset_t *tblset, prop_array_t tables) /* Entries. */ entries = prop_dictionary_get(tbldict, "entries"); if (prop_object_type(entries) != PROP_TYPE_ARRAY) { + NPF_ERR_DEBUG(errdict); error = EINVAL; break; } @@ -153,6 +167,7 @@ npf_mk_rproc(prop_array_t rprocs, const char *rpname) while ((rpdict = prop_object_iterator_next(it)) != NULL) { const char *iname; prop_dictionary_get_cstring_nocopy(rpdict, "name", &iname); + KASSERT(iname != NULL); if (strcmp(rpname, iname) == 0) break; } @@ -170,42 +185,65 @@ npf_mk_rproc(prop_array_t rprocs, const char *rpname) } static int __noinline -npf_mk_singlerule(prop_dictionary_t rldict, prop_array_t rps, npf_rule_t **rl) +npf_mk_ncode(prop_object_t obj, void **code, size_t *csize, + prop_dictionary_t errdict) +{ + const void *ncptr; + int nc_err, errat; + size_t nc_size; + void *nc; + + /* + * Allocate, copy and validate n-code. XXX: Inefficient. + */ + ncptr = prop_data_data_nocopy(obj); + nc_size = prop_data_size(obj); + if (ncptr == NULL || nc_size > NPF_NCODE_LIMIT) { + NPF_ERR_DEBUG(errdict); + return ERANGE; + } + nc = npf_ncode_alloc(nc_size); + if (nc == NULL) { + NPF_ERR_DEBUG(errdict); + return ENOMEM; + } + memcpy(nc, ncptr, nc_size); + nc_err = npf_ncode_validate(nc, nc_size, &errat); + if (nc_err) { + npf_ncode_free(nc, nc_size); + prop_dictionary_set_int32(errdict, "ncode-error", nc_err); + prop_dictionary_set_int32(errdict, "ncode-errat", errat); + return EINVAL; + } + *code = nc; + *csize = nc_size; + return 0; +} + +static int __noinline +npf_mk_singlerule(prop_dictionary_t rldict, prop_array_t rps, npf_rule_t **rl, + prop_dictionary_t errdict) { const char *rnm; npf_rproc_t *rp; prop_object_t obj; size_t nc_size; void *nc; + int p, error; /* Rule - dictionary. */ - if (prop_object_type(rldict) != PROP_TYPE_DICTIONARY) + if (prop_object_type(rldict) != PROP_TYPE_DICTIONARY) { + NPF_ERR_DEBUG(errdict); return EINVAL; + } - /* N-code (binary data). */ + error = 0; obj = prop_dictionary_get(rldict, "ncode"); if (obj) { - const void *ncptr; - int npf_err, errat; - - /* - * Allocate, copy and validate n-code. XXX: Inefficient. - */ - ncptr = prop_data_data_nocopy(obj); - nc_size = prop_data_size(obj); - if (ncptr == NULL || nc_size > NPF_NCODE_LIMIT) { - return EINVAL; - } - nc = npf_ncode_alloc(nc_size); - if (nc == NULL) { - return EINVAL; - } - memcpy(nc, ncptr, nc_size); - npf_err = npf_ncode_validate(nc, nc_size, &errat); - if (npf_err) { - npf_ncode_free(nc, nc_size); - /* TODO: return error details via proplib */ - return EINVAL; + /* N-code (binary data). */ + error = npf_mk_ncode(obj, &nc, &nc_size, errdict); + if (error) { + goto err; } } else { /* No n-code. */ @@ -220,7 +258,9 @@ npf_mk_singlerule(prop_dictionary_t rldict, prop_array_t rps, npf_rule_t **rl) if (nc) { npf_ncode_free(nc, nc_size); /* XXX */ } - return EINVAL; + NPF_ERR_DEBUG(errdict); + error = EINVAL; + goto err; } } else { rp = NULL; @@ -228,23 +268,30 @@ npf_mk_singlerule(prop_dictionary_t rldict, prop_array_t rps, npf_rule_t **rl) /* Finally, allocate and return the rule. */ *rl = npf_rule_alloc(rldict, rp, nc, nc_size); + KASSERT(*rl != NULL); return 0; +err: + prop_dictionary_get_int32(rldict, "priority", &p); /* XXX */ + prop_dictionary_set_int32(errdict, "id", p); + return error; } static int __noinline -npf_mk_subrules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) +npf_mk_subrules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs, + prop_dictionary_t errdict) { prop_object_iterator_t it; prop_dictionary_t rldict; int error = 0; if (prop_object_type(rules) != PROP_TYPE_ARRAY) { + NPF_ERR_DEBUG(errdict); return EINVAL; } it = prop_array_iterator(rules); while ((rldict = prop_object_iterator_next(it)) != NULL) { npf_rule_t *rl; - error = npf_mk_singlerule(rldict, rprocs, &rl); + error = npf_mk_singlerule(rldict, rprocs, &rl, errdict); if (error) { break; } @@ -255,7 +302,8 @@ npf_mk_subrules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) } static int __noinline -npf_mk_rules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) +npf_mk_rules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs, + prop_dictionary_t errdict) { prop_object_iterator_t it; prop_dictionary_t rldict, rpdict; @@ -263,13 +311,16 @@ npf_mk_rules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) /* Rule procedures and the ruleset - arrays. */ if (prop_object_type(rprocs) != PROP_TYPE_ARRAY || - prop_object_type(rules) != PROP_TYPE_ARRAY) + prop_object_type(rules) != PROP_TYPE_ARRAY) { + NPF_ERR_DEBUG(errdict); return EINVAL; + } it = prop_array_iterator(rprocs); while ((rpdict = prop_object_iterator_next(it)) != NULL) { if (prop_dictionary_get(rpdict, "rproc-ptr")) { prop_object_iterator_release(it); + NPF_ERR_DEBUG(errdict); return EINVAL; } } @@ -283,7 +334,7 @@ npf_mk_rules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) npf_rule_t *rl; /* Generate a single rule. */ - error = npf_mk_singlerule(rldict, rprocs, &rl); + error = npf_mk_singlerule(rldict, rprocs, &rl, errdict); if (error) { break; } @@ -296,7 +347,7 @@ npf_mk_rules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) continue; } rlsetsub = npf_rule_subset(rl); - error = npf_mk_subrules(rlsetsub, subrules, rprocs); + error = npf_mk_subrules(rlsetsub, subrules, rprocs, errdict); if (error) break; } @@ -308,15 +359,18 @@ npf_mk_rules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs) } static int __noinline -npf_mk_natlist(npf_ruleset_t *nset, prop_array_t natlist) +npf_mk_natlist(npf_ruleset_t *nset, prop_array_t natlist, + prop_dictionary_t errdict) { prop_object_iterator_t it; prop_dictionary_t natdict; int error; /* NAT policies - array. */ - if (prop_object_type(natlist) != PROP_TYPE_ARRAY) + if (prop_object_type(natlist) != PROP_TYPE_ARRAY) { + NPF_ERR_DEBUG(errdict); return EINVAL; + } error = 0; it = prop_array_iterator(natlist); @@ -326,6 +380,7 @@ npf_mk_natlist(npf_ruleset_t *nset, prop_array_t natlist) /* NAT policy - dictionary. */ if (prop_object_type(natdict) != PROP_TYPE_DICTIONARY) { + NPF_ERR_DEBUG(errdict); error = EINVAL; break; } @@ -334,7 +389,7 @@ npf_mk_natlist(npf_ruleset_t *nset, prop_array_t natlist) * NAT policies are standard rules, plus additional * information for translation. Make a rule. */ - error = npf_mk_singlerule(natdict, NULL, &rl); + error = npf_mk_singlerule(natdict, NULL, &rl, errdict); if (error) { break; } @@ -349,7 +404,7 @@ npf_mk_natlist(npf_ruleset_t *nset, prop_array_t natlist) /* Allocate a new NAT policy and assign to the rule. */ np = npf_nat_newpolicy(natdict, nset); if (np == NULL) { - npf_rule_free(rl); + NPF_ERR_DEBUG(errdict); error = ENOMEM; break; } @@ -370,12 +425,12 @@ npf_mk_natlist(npf_ruleset_t *nset, prop_array_t natlist) int npfctl_reload(u_long cmd, void *data) { - const struct plistref *pref = data; + struct plistref *pref = data; + prop_dictionary_t dict, errdict; prop_array_t natlist, tables, rprocs, rules; npf_tableset_t *tblset = NULL; npf_ruleset_t *rlset = NULL; npf_ruleset_t *nset = NULL; - prop_dictionary_t dict; bool flush; int error; @@ -389,10 +444,13 @@ npfctl_reload(u_long cmd, void *data) if (dict == NULL) return EINVAL; #endif + /* Dictionary for error reporting. */ + errdict = prop_dictionary_create(); + /* NAT policies. */ nset = npf_ruleset_create(); natlist = prop_dictionary_get(dict, "translation"); - error = npf_mk_natlist(nset, natlist); + error = npf_mk_natlist(nset, natlist, errdict); if (error) { goto fail; } @@ -400,7 +458,7 @@ npfctl_reload(u_long cmd, void *data) /* Tables. */ tblset = npf_tableset_create(); tables = prop_dictionary_get(dict, "tables"); - error = npf_mk_tables(tblset, tables); + error = npf_mk_tables(tblset, tables, errdict); if (error) { goto fail; } @@ -409,7 +467,7 @@ npfctl_reload(u_long cmd, void *data) rlset = npf_ruleset_create(); rprocs = prop_dictionary_get(dict, "rprocs"); rules = prop_dictionary_get(dict, "rules"); - error = npf_mk_rules(rlset, rules, rprocs); + error = npf_mk_rules(rlset, rules, rprocs, errdict); if (error) { goto fail; } @@ -445,7 +503,12 @@ fail: npf_tableset_destroy(tblset); } prop_object_release(dict); - return error; + + /* Error report. */ + prop_dictionary_set_int32(errdict, "errno", error); + prop_dictionary_copyout_ioctl(pref, cmd, errdict); + prop_object_release(errdict); + return 0; } /* @@ -454,8 +517,8 @@ fail: int npfctl_update_rule(u_long cmd, void *data) { - const struct plistref *pref = data; - prop_dictionary_t dict; + struct plistref *pref = data; + prop_dictionary_t dict, errdict; prop_array_t subrules; prop_object_t obj; npf_ruleset_t *rlset; @@ -473,10 +536,14 @@ npfctl_update_rule(u_long cmd, void *data) if (dict == NULL) return EINVAL; #endif + + /* Dictionary for error reporting. */ + errdict = prop_dictionary_create(); + /* Create the ruleset and construct sub-rules. */ rlset = npf_ruleset_create(); subrules = prop_dictionary_get(dict, "subrules"); - error = npf_mk_subrules(rlset, subrules, NULL); + error = npf_mk_subrules(rlset, subrules, NULL, errdict); if (error) { goto out; } @@ -491,6 +558,11 @@ out: /* Error path. */ npf_ruleset_destroy(rlset); } prop_object_release(dict); + + /* Error report. */ + prop_dictionary_set_int32(errdict, "errno", error); + prop_dictionary_copyout_ioctl(pref, cmd, errdict); + prop_object_release(errdict); return error; } diff --git a/sys/net/npf/npf_nat.c b/sys/net/npf/npf_nat.c index 48ea68a27c6f..e6c8e9665ac1 100644 --- a/sys/net/npf/npf_nat.c +++ b/sys/net/npf/npf_nat.c @@ -1,4 +1,4 @@ -/* $NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */ +/* $NetBSD: npf_nat.c,v 1.10 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc. @@ -76,7 +76,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.10 2012/02/05 00:37:13 rmind Exp $"); #include #include @@ -181,14 +181,19 @@ npf_nat_newpolicy(prop_dictionary_t natdict, npf_ruleset_t *nrlset) npf_portmap_t *pm; np = kmem_zalloc(sizeof(npf_natpolicy_t), KM_SLEEP); - mutex_init(&np->n_lock, MUTEX_DEFAULT, IPL_SOFTNET); - cv_init(&np->n_cv, "npfnatcv"); - LIST_INIT(&np->n_nat_list); /* Translation type and flags. */ prop_dictionary_get_int32(natdict, "type", &np->n_type); prop_dictionary_get_uint32(natdict, "flags", &np->n_flags); - KASSERT(np->n_type == NPF_NATIN || np->n_type == NPF_NATOUT); + + /* Should be exclusively either inbound or outbound NAT. */ + if (((np->n_type == NPF_NATIN) ^ (np->n_type == NPF_NATOUT)) == 0) { + kmem_free(np, sizeof(npf_natpolicy_t)); + return NULL; + } + mutex_init(&np->n_lock, MUTEX_DEFAULT, IPL_SOFTNET); + cv_init(&np->n_cv, "npfnatcv"); + LIST_INIT(&np->n_nat_list); /* Translation IP. */ obj = prop_dictionary_get(natdict, "translation-ip"); diff --git a/sys/net/npf/npf_processor.c b/sys/net/npf/npf_processor.c index fb669a4421f8..b5da32e2329d 100644 --- a/sys/net/npf/npf_processor.c +++ b/sys/net/npf/npf_processor.c @@ -1,4 +1,4 @@ -/* $NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $ */ +/* $NetBSD: npf_processor.c,v 1.9 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc. @@ -54,7 +54,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.9 2012/02/05 00:37:13 rmind Exp $"); #include #include @@ -452,7 +452,7 @@ jmp_check: error = nc_ptr_check(&iptr, nc, sz, 3, NULL, 0); break; case NPF_OPCODE_IP4MASK: - error = nc_ptr_check(&iptr, nc, sz, 3, &val, 1); + error = nc_ptr_check(&iptr, nc, sz, 3, &val, 3); if (error) { return error; } @@ -461,7 +461,7 @@ jmp_check: } break; case NPF_OPCODE_IP6MASK: - error = nc_ptr_check(&iptr, nc, sz, 6, &val, 1); + error = nc_ptr_check(&iptr, nc, sz, 6, &val, 6); if (error) { return error; } @@ -507,12 +507,13 @@ static inline int nc_jmp_check(const void *nc, size_t sz, const uintptr_t jaddr) { uintptr_t iaddr = (uintptr_t)nc; - size_t _jmp, adv; - bool _ret; int error; KASSERT(iaddr != jaddr); do { + size_t _jmp, adv; + bool _ret; + error = nc_insn_check(iaddr, nc, sz, &adv, &_jmp, &_ret); if (error) { break; diff --git a/usr.sbin/npf/npfctl/npf_build.c b/usr.sbin/npf/npfctl/npf_build.c index bd0adede8c50..976e7bad6f10 100644 --- a/usr.sbin/npf/npfctl/npf_build.c +++ b/usr.sbin/npf/npfctl/npf_build.c @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.3 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.3 2012/02/05 00:37:13 rmind Exp $"); #include #include @@ -75,6 +75,11 @@ npfctl_config_send(int fd) errx(EXIT_FAILURE, "default group was not defined"); } error = npf_config_submit(npf_conf, fd); + if (error) { + nl_error_t ne; + _npf_config_error(npf_conf, &ne); + npfctl_print_error(&ne); + } npf_config_destroy(npf_conf); return error; } diff --git a/usr.sbin/npf/npfctl/npfctl.c b/usr.sbin/npf/npfctl/npfctl.c index 084684ff6bd7..3c914129b105 100644 --- a/usr.sbin/npf/npfctl/npfctl.c +++ b/usr.sbin/npf/npfctl/npfctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $ */ +/* $NetBSD: npfctl.c,v 1.10 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.10 2012/02/05 00:37:13 rmind Exp $"); #include #include @@ -207,6 +207,31 @@ npfctl_print_stats(int fd) return 0; } +void +npfctl_print_error(const nl_error_t *ne) +{ + static const char *ncode_errors[] = { + [-NPF_ERR_OPCODE] = "invalid instruction", + [-NPF_ERR_JUMP] = "invalid jump", + [-NPF_ERR_REG] = "invalid register", + [-NPF_ERR_INVAL] = "invalid argument value", + [-NPF_ERR_RANGE] = "processing out of range" + }; + const int nc_err = ne->ne_ncode_error; + const char *srcfile = ne->ne_source_file; + + if (srcfile) { + warnx("source %s line %d", srcfile, ne->ne_source_line); + } + if (nc_err) { + warnx("n-code error (%d): %s at offset 0x%x", + nc_err, ncode_errors[-nc_err], ne->ne_ncode_errat); + } + if (ne->ne_id) { + warnx("object: %d", ne->ne_id); + } +} + static void npfctl(int action, int argc, char **argv) { diff --git a/usr.sbin/npf/npfctl/npfctl.h b/usr.sbin/npf/npfctl/npfctl.h index db7e4cf571e8..2a33c829c3fa 100644 --- a/usr.sbin/npf/npfctl/npfctl.h +++ b/usr.sbin/npf/npfctl/npfctl.h @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.h,v 1.10 2012/01/15 00:49:48 rmind Exp $ */ +/* $NetBSD: npfctl.h,v 1.11 2012/02/05 00:37:13 rmind Exp $ */ /*- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc. @@ -91,6 +91,7 @@ void * xrealloc(void *, size_t); char * xstrdup(const char *); char * xstrndup(const char *, size_t); +void npfctl_print_error(const nl_error_t *); bool npfctl_table_exists_p(const char *); in_port_t npfctl_portno(const char *); uint8_t npfctl_icmpcode(uint8_t, const char *);