
Major rework: migrate NPF to the libnv (nvlist library).

- libnv is FreeBSD's name/value pairs library; it replaces proplib.
  See: https://github.com/wheelsystems/nvlist/
- This conversion significantly simplifies the code and moves NPF to a
  binary serialisation format (replacing the XML-like format).
- Fix multiple memory/reference leaks and potential use-after-free bugs.
- WARNING: This change makes libnpf incompatible with the previous versions.
  Different serialisation format also means NPF connection/config saving and
  loading is not compatible with the previous versions either.
rmind committed Jun 10, 2018
1 parent e3a8e34 commit f92d171096cf9dc5e80879c833b1ebf2f8ef6a52
Showing with 1,418 additions and 1,773 deletions.
  1. +1 −1 LICENSE
  2. +4 −14 README.md
  3. +8 −2 dpdk/README.md
  4. +3 −3 dpdk/npf_dpdk_demo.c
  5. +12 −12 pkg/SPECS/npf.spec
  6. +7 −9 pkg/SPECS/npfctl.spec
  7. +25 −21 src/kern/Makefile
  8. +0 −2 src/kern/if_npflog.c
  9. +0 −2 src/kern/if_npflog.h
  10. +3 −5 src/kern/npf.c
  11. +10 −12 src/kern/npf.h
  12. +9 −10 src/kern/npf_alg.c
  13. +0 −2 src/kern/npf_alg_icmp.c
  14. +0 −2 src/kern/npf_bpf.c
  15. +0 −2 src/kern/npf_conf.c
  16. +59 −97 src/kern/npf_conn.c
  17. +3 −6 src/kern/npf_conn.h
  18. +280 −365 src/kern/npf_ctl.c
  19. +2 −4 src/kern/npf_ext_log.c
  20. +5 −7 src/kern/npf_ext_normalize.c
  21. +3 −5 src/kern/npf_ext_rndblock.c
  22. +0 −2 src/kern/npf_handler.c
  23. +0 −2 src/kern/npf_if.c
  24. +0 −2 src/kern/npf_ifaddr.c
  25. +15 −16 src/kern/npf_impl.h
  26. +0 −2 src/kern/npf_inet.c
  27. +0 −2 src/kern/npf_mbuf.c
  28. +42 −49 src/kern/npf_nat.c
  29. +0 −2 src/kern/npf_os.c
  30. +17 −15 src/kern/npf_rproc.c
  31. +60 −82 src/kern/npf_ruleset.c
  32. +0 −2 src/kern/npf_sendpkt.c
  33. +0 −2 src/kern/npf_state.c
  34. +0 −2 src/kern/npf_state_tcp.c
  35. +23 −17 src/kern/npf_tableset.c
  36. +0 −2 src/kern/npf_worker.c
  37. +1 −1 src/kern/stand/cext.h
  38. +34 −5 src/kern/stand/npf_stand.h
  39. +25 −18 src/libnpf/Makefile
  40. +8 −7 src/libnpf/libnpf.3
  41. +565 −756 src/libnpf/npf.c
  42. +5 −7 src/libnpf/npf.h
  43. +20 −10 src/npfctl/Makefile
  44. +0 −2 src/npfctl/npf_bpf_comp.c
  45. +39 −76 src/npfctl/npf_build.c
  46. +5 −3 src/npfctl/npf_data.c
  47. +0 −2 src/npfctl/npf_extmod.c
  48. +0 −2 src/npfctl/npf_parse.y
  49. +1 −2 src/npfctl/npf_rule.c
  50. +0 −2 src/npfctl/npf_scan.l
  51. +4 −6 src/npfctl/npf_show.c
  52. +0 −2 src/npfctl/npf_var.c
  53. +0 −2 src/npfctl/npf_var.h
  54. +2 −4 src/npfctl/npfctl.c
  55. +2 −3 src/npfctl/npfctl.h
  56. +1 −1 src/npfctl/util.h
  57. +25 −14 src/npftest/Makefile
  58. +5 −5 src/npftest/README
  59. +2 −2 src/npftest/libnpftest/npf_bpf_test.c
  60. +2 −1 src/npftest/libnpftest/npf_mbuf_subr.c
  61. +2 −2 src/npftest/libnpftest/npf_perf_test.c
  62. +10 −11 src/npftest/libnpftest/npf_rule_test.c
  63. +14 −16 src/npftest/libnpftest/npf_table_test.c
  64. +1 −1 src/npftest/libnpftest/npf_test.h
  65. +3 −3 src/npftest/libnpftest/npf_test_subr.c
  66. +51 −25 src/npftest/npftest.c
@@ -1,5 +1,5 @@
/*-
* Copyright (c) 2014-2015 Mindaugas Rasiukevicius <rmind at netbsd org>
* Copyright (c) 2014-2018 Mindaugas Rasiukevicius <rmind at netbsd org>
* Copyright (c) 2010-2015 The NetBSD Foundation, Inc.
* All rights reserved.
*
@@ -2,10 +2,9 @@

NPF is a layer 3 packet filter, supporting IPv4 and IPv6 as well as layer
4 protocols such as TCP, UDP, and ICMP. It was designed with a focus on
high performance, scalability, and modularity.

NPF was started from scratch in 2009. It is written in C99 and is
distributed under the 2-clause BSD license.
high performance, scalability and modularity. NPF was written from
scratch in 2009. It is written in C99 and distributed under the 2-clause
BSD license.

This repository contains a **standalone** version of NPF.

@@ -36,17 +35,8 @@ http://www.netbsd.org/~rmind/npf/
## Source code structure

src/ - root directory of the standalone NPF

kern/ - the kernel component
http://nxr.netbsd.org/xref/src/sys/net/npf/

kern/ - the kernel component (as a library)
libnpf/ - library to manage the kernel component
http://nxr.netbsd.org/xref/src/lib/libnpf/

npfctl/ - command line user interface to control NPF
http://nxr.netbsd.org/xref/src/usr.sbin/npf/npfctl/

npftest/ - unit tests and utility to debug NPF
http://nxr.netbsd.org/xref/src/usr.sbin/npf/npftest/

pkg/ - packaging files (e.g. RPM specs)
@@ -5,9 +5,15 @@ describe how to build and run a quick NPF + DPDK demo.

## Install dependencies

- Install proplib RPM package.
- Install libnv RPM package.

TBD
git clone https://github.com/rmind/nvlist
cd nvlist/pkg && make rpm && rpm -ihv RPMS/x86_64/liblpm-*

- Install libqsbr RPM package:

git clone https://github.com/rmind/libqsbr
cd libqsbr/pkg && make rpm && rpm -ihv RPMS/x86_64/liblpm-*

- Install liblpm RPM package:

@@ -133,15 +133,15 @@ static void
load_npf_config(npf_t *npf, nl_config_t *ncf)
{
npf_error_t errinfo;
void *ref;
void *config_ref;

/*
* - Build the config: we get a reference for loading.
* - Load the config to the NPF instance.
* - Destroy the config (reference becomes invalid).
*/
ref = npf_config_build(ncf);
if (npf_load(npf, ref, &errinfo) != 0) {
config_ref = npf_config_build(ncf);
if (npf_load(npf, config_ref, &errinfo) != 0) {
errx(EXIT_FAILURE, "npf_load() failed");
}
npf_config_destroy(ncf);
@@ -1,35 +1,35 @@
Name: npf
Version: 0.2.1
Version: 1.0.0
Release: 1%{?dist}
Summary: Standalone NPF package
License: BSD
URL: http://www.netbsd.org/~rmind/npf/
URL: https://github.com/rmind/npf
Source0: npf.tar.gz

BuildRequires: make
BuildRequires: libtool
BuildRequires: liblpm >= 0.2.0
BuildRequires: libqsbr
#BuildRequires: libnv-devel
Requires: libbpfjit
BuildRequires: libqsbr
BuildRequires: liblpm >= 0.2.0
#BuildRequires: libcdb-devel
#BuildRequires: libprop-devel

Requires: libnv
Requires: libbpfjit
Requires: libqsbr
Requires: liblpm
Requires: libcdb
Requires: libprop
Requires: libbpfjit
Requires: jemalloc

%description

NPF is a layer 3 packet filter, supporting IPv4 and IPv6 as well as layer
4 protocols such as TCP, UDP, and ICMP. It was designed with a focus on
high performance, scalability, and modularity. NPF was written from scratch
in 2009 and is distributed under the 2-clause BSD license.
high performance, scalability and modularity. NPF was written from
scratch in 2009. It is written in C99 and distributed under the 2-clause
BSD license.

This RPM package is a standalone version of NPF. It contains libnpfkern
and libnpf libraries.
This RPM package is a standalone version of NPF. It contains the
libnpfkern and libnpf libraries.


%prep
@@ -1,29 +1,27 @@
Name: npfctl
Version: 0.1
Version: 1.0
Release: 1%{?dist}
Summary: Standalone NPF package: npfctl utility
License: BSD
URL: http://www.netbsd.org/~rmind/npf/
URL: https://github.com/rmind/npf
Source0: npf.tar.gz

BuildRequires: make
BuildRequires: libtool
BuildRequires: openssl-devel
#BuildRequires: libcdb-devel
#BuildRequires: libprop-devel
#BuildRequires: libnv-devel
BuildRequires: flex
BuildRequires: byacc

Requires: libcdb
Requires: libprop
Requires: libnv
Requires: npf

%description

NPF is a layer 3 packet filter, supporting IPv4 and IPv6 as well as layer
4 protocols such as TCP, UDP, and ICMP. It was designed with a focus on
high performance, scalability, and modularity. NPF was written from scratch
in 2009 and is distributed under the 2-clause BSD license.
high performance, scalability and modularity. NPF was written from
scratch in 2009. It is written in C99 and distributed under the 2-clause
BSD license.

This RPM package contains npfctl(8) utility.

@@ -3,40 +3,44 @@
# This file is in the Public Domain.
#

CFLAGS= -std=gnu99 -O2 -flto -g -Wall -Wextra -Werror
CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith
CFLAGS+= -I stand -D_NPF_STANDALONE #-DUSE_JUDY
CFLAGS+= -D__RCSID\(x\)=

CFLAGS+= -Wno-unused-parameter -Wno-unused-variable -Wno-unused-function
CFLAGS+= -Wno-unused
CFLAGS+= -std=c99 -O2 -g -Wall -Wextra -Werror
CFLAGS+= -D_POSIX_C_SOURCE=200809L
CFLAGS+= -D_GNU_SOURCE -D_DEFAULT_SOURCE
CFLAGS+= -I stand -D_NPF_STANDALONE -D__RCSID\(x\)=
CFLAGS+= -Wno-unused-local-typedefs -Wno-unused-parameter

SYSNAME:= $(shell uname -s)

#
# Extended warning flags.
#
CFLAGS+= -Wno-unknown-warning-option # gcc vs clang

CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith
CFLAGS+= -Wmissing-declarations -Wredundant-decls -Wnested-externs
CFLAGS+= -Wshadow -Wcast-qual -Wcast-align -Wwrite-strings
CFLAGS+= -Wold-style-definition
CFLAGS+= -Wsuggest-attribute=noreturn #-Wjump-misses-init

# New GCC 6/7 flags:
#CFLAGS+= -Wduplicated-cond -Wmisleading-indentation -Wnull-dereference
#CFLAGS+= -Wduplicated-branches -Wrestrict

#
# WARNING: All symbols must be hidden by default to not conflict with
# the libnpf(3) library. The debug version would, however, conflict.
#
ifeq ($(DEBUG),1)
CFLAGS+= -O1 -DDEBUG -fno-omit-frame-pointer
CFLAGS+= -Og -DDEBUG -fno-omit-frame-pointer
CFLAGS+= -D_NPF_TESTING
else
CFLAGS+= -fvisibility=hidden
CFLAGS+= -DNDEBUG
LDFLAGS= -flto
endif
LDFLAGS+= -lpthread -lpcap -lqsbr -llpm -lcdb -lprop -lbpfjit
ifeq ($(SYSNAME),Linux)
LDFLAGS+= -ljemalloc #-lJudy
endif

#
# System specific flags
#

LDFLAGS+= -lpthread -lnv -lpcap -lqsbr -llpm -lcdb -lbpfjit
ifeq ($(SYSNAME),Linux)
CFLAGS+= -D_POSIX_C_SOURCE=200809L
CFLAGS+= -D_BSD_SOURCE -D__FAVOR_BSD=1
LDFLAGS+= -ljemalloc
endif

#
@@ -64,7 +68,7 @@ endif
INCS= npf.h npfkern.h
MANS= npfkern.3

$(LIB).la: LDFLAGS+= -rpath $(LIBDIR)
$(LIB).la: LDFLAGS+= -rpath $(LIBDIR) -version-info 1:0:0
install/%.la: ILIBDIR= $(DESTDIR)/$(LIBDIR)
install: IINCDIR= $(DESTDIR)/$(INCDIR)
install: IMANDIR= $(DESTDIR)/$(MANDIR)/man3/
@@ -92,6 +96,6 @@ install: $(addprefix install/,$(LIB).la)

clean:
libtool --mode=clean rm
rm -rf .libs *.o *.lo *.la stand/*.{l,}o stand/*.la
rm -rf .libs *.o *.lo *.la stand/*.o stand/*.lo stand/*.la

.PHONY: all lib install clean
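Review bot: `LDFLAGS= -flto` in the release branch of `ifeq ($(DEBUG),1)` is a plain assignment while every other linker flag in this file is appended with `+=`, so any LDFLAGS already set (for example by the RPM build in pkg/SPECS or a packager's hardening link flags) is silently discarded on release builds only, and debug builds keep them. `LDFLAGS+= -flto` preserves the intent without that asymmetry. The line is unchanged context, so the commit inherits rather than introduces it, but the surrounding CFLAGS rework is the natural place to fix it. It also looks, from the `CFLAGS+= -std=c99 -O2 -g ...` line that appears to be the new side, as if `-flto` was dropped from CFLAGS while the link-time `-flto` stays; if so, the two should be made consistent (either both or neither), though the rendering loses the old/new markers so this part is read from print order.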
@@ -1,5 +1,3 @@
/* $NetBSD: if_npflog.c,v 1.5 2017/01/29 00:15:54 christos Exp $ */

/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
* All rights reserved.
@@ -1,5 +1,3 @@
/* $NetBSD: if_npflog.h,v 1.1 2017/01/29 00:15:54 christos Exp $ */

/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -1,5 +1,3 @@
/* $NetBSD: npf.c,v 1.34 2017/06/01 02:45:14 chs Exp $ */

/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
* All rights reserved.
@@ -48,7 +46,7 @@ __KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.34 2017/06/01 02:45:14 chs Exp $");
#include "npf_impl.h"
#include "npf_conn.h"

__read_mostly static npf_t * npf_kernel_ctx = NULL;
static __read_mostly npf_t * npf_kernel_ctx = NULL;

__dso_public int
npf_sysinit(unsigned nworkers)
@@ -109,9 +107,9 @@ npf_destroy(npf_t *npf)
}

__dso_public int
npf_load(npf_t *npf, void *ref, npf_error_t *err)
npf_load(npf_t *npf, void *config_ref, npf_error_t *err)
{
return npfctl_load(npf, 0, ref);
return npfctl_load(npf, 0, config_ref);
}

__dso_public void
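Review bot: `npf_load` still ignores its `npf_error_t *err` parameter: the whole body is `return npfctl_load(npf, 0, config_ref);`, so a caller such as `load_npf_config` in dpdk/npf_dpdk_demo.c in this same commit passes `&errinfo` and gets back uninitialized memory it could then read. Either pass `err` through to whatever `npfctl_load` reports errors into, or document the gap on the definition, e.g. `/* err: currently unused; failures are reported only via the return value */`. The rename of `ref` to `config_ref` does not change this.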
@@ -1,5 +1,3 @@
/* $NetBSD: npf.h,v 1.57 2018/04/19 21:50:09 christos Exp $ */

/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
* All rights reserved.
@@ -39,15 +37,16 @@
#include <sys/param.h>
#include <sys/types.h>

#define NPF_VERSION 19
#define NPF_VERSION 20

#if defined(_NPF_STANDALONE)
#include "npf_stand.h"
#else
#include <sys/ioctl.h>
#include <prop/proplib.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <dnv.h>
#include <nv.h>
#endif

struct npf;
@@ -199,17 +198,16 @@ typedef struct npf_rproc npf_rproc_t;

typedef struct {
uint64_t mi_rid;
u_int mi_retfl;
u_int mi_di;
unsigned mi_retfl;
unsigned mi_di;
} npf_match_info_t;

typedef struct {
unsigned int version;
void * ctx;
int (*ctor)(npf_rproc_t *, prop_dictionary_t);
void (*dtor)(npf_rproc_t *, void *);
bool (*proc)(npf_cache_t *, void *, const npf_match_info_t *,
int *);
u_int version;
void * ctx;
int (*ctor)(npf_rproc_t *, const nvlist_t *);
void (*dtor)(npf_rproc_t *, void *);
bool (*proc)(npf_cache_t *, void *, const npf_match_info_t *, int *);
} npf_ext_ops_t;

void * npf_ext_register(npf_t *, const char *, const npf_ext_ops_t *);
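Review bot: The rewritten `npf_ext_ops_t` declares `u_int version;` while the `npf_match_info_t` lines just above it in the same hunk move from `u_int` to `unsigned` (`unsigned mi_retfl;`, `unsigned mi_di;`), so two public structs end up with opposite spellings of the same type; if the old-then-new print order is right, `unsigned version;` would keep the header consistent. `unsigned` also needs no header, whereas `u_int` is a BSD extension from `<sys/types.h>`, which matters for a header that this commit builds standalone with `-std=c99`. Side markers are lost in this rendering, so which spelling is the new one is inferred from print order and worth a quick check.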
@@ -1,5 +1,3 @@
/* $NetBSD: npf_alg.c,v 1.16 2016/12/26 23:05:06 christos Exp $ */

/*-
* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
* All rights reserved.
@@ -114,6 +112,7 @@ npf_alg_construct(npf_t *npf, const char *name)
npf_config_enter(npf);
if ((alg = npf_alg_lookup(npf, name)) == NULL) {
char modname[NPF_EXT_PREFLEN + 64];

snprintf(modname, sizeof(modname), "%s%s", alg_prefix, name);
npf_config_exit(npf);

@@ -261,24 +260,24 @@ npf_alg_conn(npf_cache_t *npc, int di)
return con;
}

prop_array_t
npf_alg_export(npf_t *npf)
int
npf_alg_export(npf_t *npf, nvlist_t *npf_dict)
{
prop_array_t alglist = prop_array_create();
npf_algset_t *aset = npf->algset;

KASSERT(npf_config_locked_p(npf));

for (u_int i = 0; i < aset->alg_count; i++) {
const npf_alg_t *alg = &aset->alg_list[i];
nvlist_t *algdict;

if (alg->na_name == NULL) {
continue;
}
prop_dictionary_t algdict = prop_dictionary_create();
prop_dictionary_set_cstring(algdict, "name", alg->na_name);
prop_array_add(alglist, algdict);
prop_object_release(algdict);
algdict = nvlist_create(0);
nvlist_add_string(algdict, "name", alg->na_name);
nvlist_append_nvlist_array(npf_dict, "algs", algdict);
nvlist_destroy(algdict);
}
return alglist;
return 0;
}
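Review bot: `npf_alg_export` now returns `int` but its only return is the literal `0`, so the caller gets no signal when `nvlist_create(0)` returns NULL or an `nvlist_add_string`/`nvlist_append_nvlist_array` call fails to allocate. libnv records such failures as a sticky per-list error, so `return nvlist_error(npf_dict);` in place of `return 0;` would propagate them to whoever assembles the export dictionary, which is presumably where the new `int` return was meant to be consumed. A short comment on the loop would also help a reader, e.g. `/* "algs": array of { name } dictionaries appended to the caller's npf_dict */`.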
@@ -1,5 +1,3 @@
/* $NetBSD: npf_alg_icmp.c,v 1.30 2018/03/23 08:34:57 maxv Exp $ */

/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
* All rights reserved.
@@ -1,5 +1,3 @@
/* $NetBSD: npf_bpf.c,v 1.13 2017/12/10 00:07:36 rmind Exp $ */

/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
* All rights reserved.
@@ -1,5 +1,3 @@
/* $NetBSD: npf_conf.c,v 1.11 2017/01/03 00:58:05 rmind Exp $ */

/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
* All rights reserved.