
Commit 67709d2

authored
Add more comments to explain the ALG API (#35)
1 parent cd6b4f4 commit 67709d2


2 files changed

+58
-19
lines changed


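--- a/src/kern/npf_alg.c
+++ b/src/kern/npf_alg.c
@@ -1,5 +1,5 @@
 /*-
-* Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
+* Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
@@ -40,8 +40,6 @@ __KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.19 2019/01/19 21:19:31 rmind Exp $");
 
 #include <sys/kmem.h>
 #include <sys/pserialize.h>
-#include <sys/mutex.h>
-#include <net/pfil.h>
 #include <sys/module.h>
 #endif
 
@@ -55,20 +53,20 @@ __KERNEL_RCSID(0, "$NetBSD: npf_alg.c,v 1.19 2019/01/19 21:19:31 rmind Exp $");
 
 struct npf_alg {
 const char * na_name;
-u_int na_slot;
+unsigned na_slot;
 };
 
 struct npf_algset {
 /* List of ALGs and the count. */
 npf_alg_t alg_list[NPF_MAX_ALGS];
-u_int alg_count;
+unsigned alg_count;
 
 /* Matching, inspection and translation functions. */
 npfa_funcs_t alg_funcs[NPF_MAX_ALGS];
 };
 
-static const char alg_prefix[] = "npf_alg_";
-#define NPF_EXT_PREFLEN (sizeof(alg_prefix) - 1)
+#define NPF_ALG_PREF "npf_alg_"
+#define NPF_ALG_PREFLEN (sizeof(NPF_ALG_PREF) - 1)
 
 void
 npf_alg_init(npf_t *npf)
@@ -94,7 +92,7 @@ npf_alg_lookup(npf_t *npf, const char *name)
 
 KASSERT(npf_config_locked_p(npf));
 
-for (u_int i = 0; i < aset->alg_count; i++) {
+for (unsigned i = 0; i < aset->alg_count; i++) {
 npf_alg_t *alg = &aset->alg_list[i];
 const char *aname = alg->na_name;
 
@@ -111,9 +109,9 @@ npf_alg_construct(npf_t *npf, const char *name)
 
 npf_config_enter(npf);
 if ((alg = npf_alg_lookup(npf, name)) == NULL) {
-char modname[NPF_EXT_PREFLEN + 64];
+char modname[NPF_ALG_PREFLEN + 64];
 
-snprintf(modname, sizeof(modname), "%s%s", alg_prefix, name);
+snprintf(modname, sizeof(modname), "%s%s", NPF_ALG_PREF, name);
 npf_config_exit(npf);
 
 if (module_autoload(modname, MODULE_CLASS_MISC) != 0) {
@@ -135,7 +133,7 @@ npf_alg_register(npf_t *npf, const char *name, const npfa_funcs_t *funcs)
 npf_algset_t *aset = npf->algset;
 npfa_funcs_t *afuncs;
 npf_alg_t *alg;
-u_int i;
+unsigned i;
 
 npf_config_enter(npf);
 if (npf_alg_lookup(npf, name) != NULL) {
@@ -178,7 +176,7 @@ int
 npf_alg_unregister(npf_t *npf, npf_alg_t *alg)
 {
 npf_algset_t *aset = npf->algset;
-u_int i = alg->na_slot;
+unsigned i = alg->na_slot;
 npfa_funcs_t *afuncs;
 
 /* Deactivate the functions first. */
@@ -198,7 +196,16 @@ npf_alg_unregister(npf_t *npf, npf_alg_t *alg)
 }
 
 /*
-* npf_alg_match: call ALG matching inspectors, determine if any ALG matches.
+* npf_alg_match: call the ALG matching inspectors.
+*
+* The purpose of the "matching" inspector function in the ALG API
+* is to determine whether this connection matches the ALG criteria
+* i.e. is concerning the ALG. If yes, ALG can associate itself with
+* the given NAT state structure and set/save an arbitrary parameter.
+* This is done using the using the npf_nat_setalg() function.
+*
+* => This is called when the packet matches the dynamic NAT policy
+* and the NAT state entry is being created for it [NAT-ESTABLISH].
 */
 bool
 npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di)
@@ -207,8 +214,10 @@ npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di)
 bool match = false;
 int s;
 
+KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
+
 s = pserialize_read_enter();
-for (u_int i = 0; i < aset->alg_count; i++) {
+for (unsigned i = 0; i < aset->alg_count; i++) {
 const npfa_funcs_t *f = &aset->alg_funcs[i];
 
 if (f->match && f->match(npc, nt, di)) {
@@ -221,16 +230,26 @@ npf_alg_match(npf_cache_t *npc, npf_nat_t *nt, int di)
 }
 
 /*
-* npf_alg_exec: execute ALG hooks for translation.
+* npf_alg_exec: execute the ALG translation processors.
+*
+* The ALG function would perform any additional packet translation
+* or manipulation here. The translate function will be called by
+* once the ALG has been associated with the NAT state through the
+* npf_alg_match() inspector.
+*
+* => This is called when the packet is being translated according
+* to the dynamic NAT logic [NAT-TRANSLATE].
 */
 void
 npf_alg_exec(npf_cache_t *npc, npf_nat_t *nt, bool forw)
 {
 npf_algset_t *aset = npc->npc_ctx->algset;
 int s;
 
+KASSERTMSG(npf_iscached(npc, NPC_IP46), "expecting protocol number");
+
 s = pserialize_read_enter();
-for (u_int i = 0; i < aset->alg_count; i++) {
+for (unsigned i = 0; i < aset->alg_count; i++) {
 const npfa_funcs_t *f = &aset->alg_funcs[i];
 
 if (f->translate) {
@@ -240,6 +259,23 @@ npf_alg_exec(npf_cache_t *npc, npf_nat_t *nt, bool forw)
 pserialize_read_exit(s);
 }
 
+/*
+* npf_alg_conn: query ALGs giving which may perform a custom state lookup.
+*
+* The purpose of ALG connection inspection function is to provide
+* ALGs with a mechanism to override the regular connection state
+* lookup, if they need to. For example, some ALGs may want to
+* extract and use a different 5-tuple to perform a lookup.
+*
+* => This is called at the beginning of the connection state lookup
+* function [CONN-LOOKUP].
+*
+* => Must use the npf_conn_lookup() function to perform the custom
+* connection state lookup and return the result.
+*
+* => Returning NULL will result in NPF performing a regular state
+* lookup for the packet.
+*/
 npf_conn_t *
 npf_alg_conn(npf_cache_t *npc, int di)
 {
@@ -248,7 +284,7 @@ npf_alg_conn(npf_cache_t *npc, int di)
 int s;
 
 s = pserialize_read_enter();
-for (u_int i = 0; i < aset->alg_count; i++) {
+for (unsigned i = 0; i < aset->alg_count; i++) {
 const npfa_funcs_t *f = &aset->alg_funcs[i];
 
 if (!f->inspect)
@@ -260,14 +296,17 @@ npf_alg_conn(npf_cache_t *npc, int di)
 return con;
 }
 
+/*
+* npf_alg_export: serialise the configuration of ALGs.
+*/
 int
 npf_alg_export(npf_t *npf, nvlist_t *npf_dict)
 {
 npf_algset_t *aset = npf->algset;
 
 KASSERT(npf_config_locked_p(npf));
 
-for (u_int i = 0; i < aset->alg_count; i++) {
+for (unsigned i = 0; i < aset->alg_count; i++) {
 const npf_alg_t *alg = &aset->alg_list[i];
 nvlist_t *algdict;
 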
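Review bot: In npf_alg_construct the renamed snprintf into `modname[NPF_ALG_PREFLEN + 64]` still discards its return value, so an ALG name of 64 or more characters is silently truncated and module_autoload() is asked to load a module other than the one named; if `name` can originate from userland configuration, that truncation should be rejected rather than acted on. Suggested change, replacing the snprintf line: `int n = snprintf(modname, sizeof(modname), "%s%s", NPF_ALG_PREF, name);` followed by `if (n < 0 || (size_t)n >= sizeof(modname)) { npf_config_exit(npf); return NULL; }`, where NULL stands for whatever the function's existing lookup-failure path returns, since npf_alg_construct's tail lies outside the hunk. Separately, as this commit exists to document the ALG API, the new headers carry a few slips worth fixing before merge: the npf_alg_match comment has a doubled "using the using the", the npf_alg_exec comment reads "will be called by once", and the npf_alg_conn summary "query ALGs giving which may perform" is ungrammatical — "query the ALGs, any of which may perform a custom state lookup" reads more clearly.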
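--- a/src/kern/npf_connkey.c
+++ b/src/kern/npf_connkey.c
@@ -159,7 +159,7 @@ npf_conn_conkey(const npf_cache_t *npc, npf_connkey_t *key, const bool forw)
 const unsigned alen = npc->npc_alen;
 const struct tcphdr *th;
 const struct udphdr *uh;
-uint16_t id[2];
+uint16_t id[2] = { 0, 0 };
 
 switch (proto) {
 case IPPROTO_TCP: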
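Review bot: The new `uint16_t id[2] = { 0, 0 };` changes what goes into the connection key for any protocol that sets neither element in the switch below — previously an indeterminate stack value, now a fixed (0, 0) pair — but the declaration does not say this is intentional, and a reader may later take the initialiser for a mere warning silencer. Suggest a one-line comment above it: `/* Zeroed so protocols without port fields key on (0, 0) instead of indeterminate stack data. */`. Whether every non-TCP/UDP case really left id unset before cannot be confirmed here, as the remaining switch cases and the rest of npf_conn_conkey lie outside the hunk, so the comment should be checked against them.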
