Commit Graph

192 Commits

Author SHA1 Message Date
rmind 8274d601f9 NPF: add support for static (stateless) NAT. 2014-02-07 23:45:22 +00:00
christos 61a4b10e07 fix vax build. 2014-02-06 18:48:09 +00:00
wiz 83d796ca12 Update count. Add serial comma. 2014-02-06 07:36:36 +00:00
rmind ffcdc4af8d Add support for CDB based NPF tables. 2014-02-06 02:51:28 +00:00
rmind e43f79569a npftest: fix previous harder - pass and use libc's random(3). 2014-02-05 03:49:48 +00:00
rmind bb1fedd189 npftest: fix the failure of NAT test -- adjust for RUMP's conversion to
the in-kernel CPRNG (hi pooka!).
2014-02-05 03:30:13 +00:00
rmind 55b0c96054 - npfctl: fix table IDs (breakage since the table naming was added).
- libnpf: remove npf_table_exists_p() from public API.
2014-02-03 02:21:52 +00:00
rmind 1e9541dade npftest: adjust for the npf_bpf_filter() change. 2013-11-23 19:40:11 +00:00
rmind e636c1e87f npfctl: need to rewind the list after calling print_table(). XXX libnpf. 2013-11-22 18:42:02 +00:00
rmind 805a41fbfe Add npf_tableset_syncdict() to sync the table IDs in the proplib dictionary,
as they can change on reload now.  Also, fix table name checking in npfctl.
2013-11-22 00:25:51 +00:00
christos 8216c37c22 CID 1129614: dereference after null 2013-11-19 17:01:45 +00:00
rmind d116583e69 Simplify parsing of npf.conf elements, create the npfvar_t when a value is
parsed (to be used as a general structure for variables and inlined values),
few misc improvements.
2013-11-19 00:28:41 +00:00
rmind 3fb1890bf5 Rename some tokens, use more accurate names (the current ones are incorrect
or misleading) and add few comments in the parser code.
2013-11-18 21:39:03 +00:00
rmind 2566fe9fff Add bsd.own.mk for MKSLJIT, reorder some vars. 2013-11-16 17:12:35 +00:00
alnsn a36c412b37 Link to -lrumpnet_bpfjit and -lrumpkern_sljit iff MKSLJIT != "no". 2013-11-16 15:58:30 +00:00
rmind 467de1619d Enable bpfjit for npftest. 2013-11-16 01:41:43 +00:00
wiz d8099589ae Remove trailing whitespace. 2013-11-12 06:07:30 +00:00
rmind 1e7342c150 NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes.  Bump NPF_VERSION.
2013-11-12 00:46:34 +00:00
rmind a79812ea10 NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections).  Once the interface is reattached they will
become active.

Bump NPF_VERSION.
2013-11-08 00:38:26 +00:00
kefren 915c0cd28e sync an example with the latest group syntax change 2013-11-05 13:09:12 +00:00
rmind 05a7a9a52e npfctl: optimise fetch_l3() to avoid unnecessary call to NPF_COP_L3. 2013-11-05 01:50:30 +00:00
joerg d41a00c8da Add missing dead. 2013-09-24 22:52:14 +00:00
rmind a99ac6280c npftest: add a choice of "rule" or "state" for -b option. 2013-09-24 02:44:20 +00:00
rmind a484105289 npftest: add some concurrency testing code. 2013-09-24 02:04:21 +00:00
rmind 5f3b7e2652 Update npftest.conf for the recent syntax adjustments. 2013-09-23 15:30:32 +00:00
wiz 4fe1cb8b61 Remove trailing whitespace. 2013-09-20 21:30:49 +00:00
rmind f797733a7e - NPF: change the group/ruleset syntax - simplify. Update npf.conf(5) manual.
- Add support for the inline pcap-filter(7) syntax in the rule, e.g.:
	block out final pcap-filter "tcp and dst 10.1.1.252"
2013-09-20 03:03:52 +00:00
rmind f5730e945b npfctl: remove some n-code leftovers, fix the build, update the man pages. 2013-09-19 12:05:11 +00:00
rmind 7b5edfdc0d NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm! 2013-09-19 01:49:07 +00:00
rmind 4e592132ab - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
2013-09-19 01:04:45 +00:00
rmind ce38978248 - Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.
2013-05-19 20:45:34 +00:00
christos 464306f9db always allow hex where decimal is allowed. 2013-05-09 19:12:03 +00:00
christos bc0f55de88 Make ALG's autoloadable by providing in the config file:
alg "algname"
2013-03-20 00:29:46 +00:00
rmind 543d2971ab - Extend npf.conf syntax to support dynamic NAT policies.
- Imply dynamic group when using "ruleset" keyword.
2013-03-18 02:17:49 +00:00
christos 29e670c87b more explicit syntax 2013-03-13 02:44:28 +00:00
christos 5f0daf8289 more todo's 2013-03-13 02:41:23 +00:00
christos b46215b9d2 add another 2013-03-13 02:36:51 +00:00
christos 668937be38 one more fixed 2013-03-11 16:38:31 +00:00
christos 08ba3be1b4 more breakage. 2013-03-11 02:12:15 +00:00
christos fce0192186 explain further. 2013-03-11 02:02:28 +00:00
christos 8493e8dcfc separate sess commands. 2013-03-11 00:39:32 +00:00
christos feb589a817 remove dup usage. 2013-03-11 00:34:43 +00:00
christos c85651a383 fix usage 2013-03-11 00:16:59 +00:00
christos 58bc4d4e58 handle port "ftp-data" 2013-03-11 00:09:07 +00:00
christos cd72feefe1 more 2013-03-11 00:05:36 +00:00
christos b58e208695 my laundry list 2013-03-11 00:04:46 +00:00
christos 2acab3345b centralize error handling and print what went wrong instead of "ioctl" 2013-03-10 23:59:00 +00:00
christos 8c8be406dd modules moved to /lib 2013-03-10 23:57:07 +00:00
christos e0620b41b3 deal with strings as interfaces 2013-03-10 23:11:26 +00:00
christos 9f5f8a86c5 normalise -> normalize 2013-03-10 21:55:40 +00:00
rmind e1515f844d Fix the example (deja vu?). 2013-03-10 21:17:30 +00:00
rmind e9a253f3c1 npftest/npf_blockall_rule: set NPF_RULE_DYNAMIC flag for the test rule. 2013-02-18 23:09:20 +00:00
rmind 56910be779 - Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs.  Also, update the man page.
2013-02-16 21:11:12 +00:00
rmind 90957242c6 npftest: adjust for recent change. 2013-02-11 02:52:32 +00:00
rmind 82975ead3b Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
2013-02-11 00:00:20 +00:00
rmind 50c5afcad4 - Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
2013-02-10 23:47:37 +00:00
rmind 0e21825481 NPF:
- Implement dynamic NPF rules.  Controlled through npf(3) library or via
  npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
2013-02-09 03:35:31 +00:00
spz a3b287e514 IPv6 linklocal address printing cosmetics 2013-02-01 05:40:07 +00:00
rmind 3107fd1eb5 - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure.  Fixes some corner cases.  Improve regression
  test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
  The problem was found and fix provided by Anthony Mallet.
2013-01-20 18:45:56 +00:00
rmind 352f160615 - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify.  Adapt regression tests.
- Simplify ICMP ALG a little.  While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
2012-12-24 19:05:42 +00:00
rmind 57ff5416fd - Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages.  Misc.
2012-12-23 21:01:03 +00:00
rmind f960ba1c63 npfctl: add 'validate' command to check the config, but not load it. Update
the man page.  Also add a small note about 'debug' command, PR/47298.
2012-12-10 02:26:04 +00:00
rmind 7d7f70e66e - npf.conf(5): fix of the example config.
- Mention npf_ext_log in a comment.
2012-12-06 22:36:51 +00:00
rmind 5111d7eafd npfctl: extend syntax for extracting interface IP address(es) by the family. 2012-11-26 20:34:28 +00:00
rmind 4a1b0d45b2 npfctl(8): mention table listing. 2012-11-15 22:22:53 +00:00
rmind b4a9940e50 npfctl: switch to ecalloc(3). 2012-11-15 22:20:27 +00:00
rmind 7b016567c0 npfctl: switch to efun(3) routines. 2012-11-05 23:47:12 +00:00
christos 599362a983 put in /sbin 2012-11-01 03:21:49 +00:00
martin 73809d4025 gcc 4.1 is not smart enough to notice "arg" is only used when initialized
correctly and produces a "might be used uninitialized" warning.
2012-10-31 08:54:39 +00:00
rmind 64647e51e4 Implement NPF table listing and preservation of entries on reload.
Bump the version.
2012-10-29 02:27:11 +00:00
rmind 3ed953299c Fix for npfctl show case. Improve some description while here. 2012-10-28 16:27:20 +00:00
rmind e7cdd21f2e npfctl/yyerror(): print the right line number if we already parsed the line. 2012-10-02 23:38:52 +00:00
wiz df3325de63 Wording, more macros. 2012-09-30 21:15:08 +00:00
rmind 395bd44a04 Add some content to the Procedures section. 2012-09-30 21:09:30 +00:00
wiz cda4ed683f Use more markup. New sentence, new line. 2012-09-30 13:15:03 +00:00
spz 34865a25d0 Add some content to the "Rules" section. 2012-09-30 12:59:31 +00:00
wiz c92c93101c Whitespace fixes, remove unnecessary Pp
XXX: Subsections Rules and Procedures seem empty?
2012-09-30 07:43:03 +00:00
rmind 703f289235 npf.conf(5): add syntax section and a first cut describing the structural
elements.  Some improvements and fixes from spz@.
2012-09-29 19:50:03 +00:00
spz 6d80dd36ba re-work the description part of the man page, as discussed with rmind@ 2012-09-28 18:36:02 +00:00
rmind aed1e968f7 npf.conf(5): improve and explain grammar definition. 2012-09-26 21:58:27 +00:00
rmind 8c6e21bf5e Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module.  Move normalisation and logging functionality into their own
extensions.  More improvements to come.
2012-09-16 13:47:41 +00:00
joerg c4eabd7bd6 More __dead 2012-09-14 15:37:03 +00:00
martin 5a79cb1f57 Do not build npftest without shared libraries - it can't work. 2012-09-13 21:02:50 +00:00
rjs 5abdc4ce9a Allow build with MKRUMP=no. 2012-09-12 19:20:37 +00:00
martin 9cf2fc91c7 Fix printf format 2012-09-12 16:26:02 +00:00
martin 18d0240310 Install the npftest binary 2012-09-12 14:06:02 +00:00
martin a76a87c096 Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
2012-09-12 08:47:14 +00:00
rmind 8f51214c07 npfctl usage: minor formatting fix. 2012-09-01 19:08:01 +00:00
rmind b8c27e4a39 npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.

Tested on sparc64 by martin@, all tests pass.
2012-08-21 20:52:11 +00:00
rmind e0cfa502eb Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build. 2012-08-15 19:47:38 +00:00
rmind 68f7a7bc54 Move and rename librumpdev_npf to librumpnet_npf. 2012-08-14 22:31:43 +00:00
rmind f95b2549d9 - npfctl show: add most of the missing cases.
- Few minor improvements to NPF man pages.
2012-08-13 01:18:31 +00:00
rmind 63f44833ba - Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality.  Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
  share between the entries and thus fix the handling of them.  Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
2012-08-12 03:35:13 +00:00
rmind 4ad5029440 - npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
2012-07-21 17:11:01 +00:00
rmind 083c690112 - npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.
2012-07-19 22:22:53 +00:00
spz 7cf84a83d6 teach npf ipv6-icmp
reviewed by rmind@
2012-07-19 21:52:29 +00:00
joerg 7219ead3a1 Add missing __dead. 2012-07-19 06:31:26 +00:00
rmind a3b239f6f3 - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree.  Universal IPv4/IPv6 comparator for ptree(3)
  was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
2012-07-15 00:22:58 +00:00
rmind 33b678d7e0 NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theoretical races in session handling module.
- Misc fixes, simplifications and some clean up.
2012-07-01 23:21:06 +00:00
rmind 4940c18bab Fix and update npf.conf(5), npfctl(8) and its usage message. 2012-06-27 23:05:28 +00:00