authorDavid Gwynne <dlg@cvs.openbsd.org>2019-03-18 00:05:54 +0000
committerDavid Gwynne <dlg@cvs.openbsd.org>2019-03-18 00:05:54 +0000
commit2060f7282849d669e6031b2645625a2cd691b0f7 (patch)
tree132180b8b85bec96821a35fa76b5d07bc46b9101
parentf209c610cfed98aeebb3e84271b2fe7103bd48c7 (diff)
extend BIOCSFILDROP so it can be configured to not capture packets.
BIOCSFILDROP was already able to be used as a quick and dirty firewall, which is especially useful when you want to filter non-ip things. however, capturing the packets you're dropping is a lot of overhead when you just want to drop stuff. this extends fildrop so you can tell bpf not to capture the packets it drops. ok sthen@ mikeb@ claudio@ visa@
-rw-r--r--share/man/man4/bpf.425
-rw-r--r--sys/net/bpf.c51
2 files changed, 50 insertions, 26 deletions
diff --git a/share/man/man4/bpf.4 b/share/man/man4/bpf.4
index f12731fc302..96c2c9af851 100644
--- a/share/man/man4/bpf.4
+++ b/share/man/man4/bpf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bpf.4,v 1.38 2016/04/28 19:07:19 natano Exp $
+.\" $OpenBSD: bpf.4,v 1.39 2019/03/18 00:05:53 dlg Exp $
.\" $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $
.\"
.\" Copyright (c) 1990 The Regents of the University of California.
@@ -23,7 +23,7 @@
.\" This document is derived in part from the enet man page (enet.4)
.\" distributed with 4.3BSD Unix.
.\"
-.Dd $Mdocdate: April 28 2016 $
+.Dd $Mdocdate: March 18 2019 $
.Dt BPF 4
.Os
.Sh NAME
@@ -391,11 +391,24 @@ This flag is initialized to zero by default.
.Pp
.It Dv BIOCSFILDROP Fa "u_int *"
.It Dv BIOCGFILDROP Fa "u_int *"
-Sets or gets the status of the
+Sets or gets the
.Dq filter drop
-flag.
-If non-zero, packets matching any filters will be reported to the
-associated interface so that they can be dropped.
+action.
+The supported actions for packets matching the filter are:
+.Pp
+.Bl -tag -width "BPF_FILDROP_CAPTURE" -compact
+.It Dv BPF_FILDROP_PASS
+Accept and capture
+.It Dv BPF_FILDROP_CAPTURE
+Drop and capture
+.It Dv BPF_FILDROP_DROP
+Drop and do not capture
+.El
+.Pp
+Packets matching any filter configured to drop packets will be
+reported to the associated interface so that they can be dropped.
+The default action is
+.Dv BPF_FILDROP_PASS .
.Pp
.It Dv BIOCSDIRFILT Fa "u_int *"
.It Dv BIOCGDIRFILT Fa "u_int *"
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index d3cffa592c9..aa123b9b751 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.c,v 1.170 2018/07/13 08:51:15 bluhm Exp $ */
+/* $OpenBSD: bpf.c,v 1.171 2019/03/18 00:05:52 dlg Exp $ */
/* $NetBSD: bpf.c,v 1.33 1997/02/21 23:59:35 thorpej Exp $ */
/*
@@ -926,9 +926,20 @@ bpfioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
*(u_int *)addr = d->bd_fildrop;
break;
- case BIOCSFILDROP: /* set "filter-drop" flag */
- d->bd_fildrop = *(u_int *)addr ? 1 : 0;
+ case BIOCSFILDROP: { /* set "filter-drop" flag */
+ unsigned int fildrop = *(u_int *)addr;
+ switch (fildrop) {
+ case BPF_FILDROP_PASS:
+ case BPF_FILDROP_CAPTURE:
+ case BPF_FILDROP_DROP:
+ d->bd_fildrop = fildrop;
+ break;
+ default:
+ error = EINVAL;
+ break;
+ }
break;
+ }
case BIOCGDIRFILT: /* get direction filter */
*(u_int *)addr = d->bd_dirfilt;
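Review bot: The comment on the new `case BIOCSFILDROP: {` line still reads `set "filter-drop" flag`, but the switch under it turns bd_fildrop into a three-valued action and rejects everything else with EINVAL, so the comment now understates the contract; `/* set "filter-drop" action: PASS, CAPTURE or DROP, else EINVAL */` would match both the code and the bpf.4 text in this commit. The removed line accepted any non-zero value and coerced it to 1, whereas the new switch admits only the three BPF_FILDROP_* constants; whether a caller that passed some other non-zero value now gets EINVAL depends on the constants' values in bpf.h, which this diff does not show, so that is worth confirming and, if so, mentioning in the log. bpfioctl's body, including the declaration of error, lies outside the hunk.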
@@ -1261,23 +1272,26 @@ _bpf_mtap(caddr_t arg, const struct mbuf *m, u_int direction,
pktlen += m0->m_len;
SRPL_FOREACH(d, &sr, &bp->bif_dlist, bd_next) {
+ struct srp_ref bsr;
+ struct bpf_program *bf;
+ struct bpf_insn *fcode = NULL;
+
atomic_inc_long(&d->bd_rcount);
- if ((direction & d->bd_dirfilt) != 0)
- slen = 0;
- else {
- struct srp_ref bsr;
- struct bpf_program *bf;
- struct bpf_insn *fcode = NULL;
-
- bf = srp_enter(&bsr, &d->bd_rfilter);
- if (bf != NULL)
- fcode = bf->bf_insns;
- slen = bpf_mfilter(fcode, m, pktlen);
- srp_leave(&bsr);
- }
+ if (ISSET(d->bd_dirfilt, direction))
+ continue;
- if (slen > 0) {
+ bf = srp_enter(&bsr, &d->bd_rfilter);
+ if (bf != NULL)
+ fcode = bf->bf_insns;
+ slen = bpf_mfilter(fcode, m, pktlen);
+ srp_leave(&bsr);
+
+ if (slen == 0)
+ continue;
+ if (d->bd_fildrop != BPF_FILDROP_PASS)
+ drop = 1;
+ if (d->bd_fildrop != BPF_FILDROP_DROP) {
if (!gottime++)
microtime(&tv);
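Review bot: `d->bd_fildrop` is read twice in the new code, once to set drop and once to decide whether to capture, and both reads happen before bd_mtx is taken while BIOCSFILDROP writes the field, so a concurrent change of the action can produce an outcome that matches none of the three configured actions (for example a packet neither dropped nor captured when the action moves from PASS to DROP between the two reads). Reading it once keeps the two decisions consistent: `u_int fildrop = d->bd_fildrop;` before the checks, then `if (fildrop != BPF_FILDROP_PASS)` and `if (fildrop != BPF_FILDROP_DROP) {`. Whether the ioctl path holds a lock that already serializes this is not visible here, and the old code had the same unlocked read, only once, so this may be harmless in practice. _bpf_mtap's body starts and ends outside the hunk, and the closing brace of the capture block is in the following hunk.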
@@ -1285,9 +1299,6 @@ _bpf_mtap(caddr_t arg, const struct mbuf *m, u_int direction,
bpf_catchpacket(d, (u_char *)m, pktlen, slen, cpfn,
&tv);
mtx_leave(&d->bd_mtx);
-
- if (d->bd_fildrop)
- drop = 1;
}
}
SRPL_LEAVE(&sr);