authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2012-01-23 03:36:23 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2012-01-23 03:36:23 +0000
commit3e553057324c1547600182b3f732cfacb168ce1f (patch)
tree41b30767c1d217baa255dbe651be29571d9db915
parent1b171c80d9ba175afc77f33ddc36e4b390a3c5a5 (diff)
The ingress filter of pipex and npppd becomes configurable and is disabled
by default. After this change, ppp.ingress_filter: true must be added to npppd.conf if it is needed. ok sthen
-rw-r--r--sys/net/pipex.c21
-rw-r--r--sys/net/pipex.h3
-rw-r--r--usr.sbin/npppd/npppd/npppd.c15
-rw-r--r--usr.sbin/npppd/npppd/ppp.c7
-rw-r--r--usr.sbin/npppd/npppd/ppp.h6
5 files changed, 29 insertions, 23 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index 2210bb8a995..c83aaa350f6 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.24 2012/01/18 02:02:53 yasuoka Exp $ */
+/* $OpenBSD: pipex.c,v 1.25 2012/01/23 03:36:21 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -1124,15 +1124,16 @@ pipex_ip_input(struct mbuf *m0, struct pipex_session *session)
goto drop;
}
#endif
-
- /* ingress filter */
- ip = mtod(m0, struct ip *);
- if ((ip->ip_src.s_addr & session->ip_netmask.sin_addr.s_addr) !=
- session->ip_address.sin_addr.s_addr) {
- pipex_session_log(session, LOG_DEBUG,
- "ip packet discarded by ingress filter (src %s)",
- inet_ntoa(ip->ip_src));
- goto drop;
+ if (ISSET(session->ppp_flags, PIPEX_PPP_INGRESS_FILTER)) {
+ /* ingress filter */
+ ip = mtod(m0, struct ip *);
+ if ((ip->ip_src.s_addr & session->ip_netmask.sin_addr.s_addr) !=
+ session->ip_address.sin_addr.s_addr) {
+ pipex_session_log(session, LOG_DEBUG,
+ "ip packet discarded by ingress filter (src %s)",
+ inet_ntoa(ip->ip_src));
+ goto drop;
+ }
}
/* idle timer */
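Review bot: With PIPEX_PPP_INGRESS_FILTER clear, which this commit makes the default, pipex_ip_input no longer rejects input whose source address is not the session's assigned address, and nothing in the block says that the peer's source addresses are then accepted as-is; replace `/* ingress filter */` with `/* anti-spoofing check: only when ppp.ingress_filter is set, otherwise the peer's source address is trusted */`. The retained comparison also masks only ip_src and tests it against the unmasked session address, whereas the npppd.c hunk in this same commit masks both sides; if ip_address can carry host bits the kernel and userland paths disagree on the same packet, so either mask both sides here as well or note why the session address is already network-aligned. pipex_ip_input continues outside the hunk.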
diff --git a/sys/net/pipex.h b/sys/net/pipex.h
index cddbbefc893..8b9a69f0abd 100644
--- a/sys/net/pipex.h
+++ b/sys/net/pipex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.h,v 1.10 2011/10/15 03:24:11 yasuoka Exp $ */
+/* $OpenBSD: pipex.h,v 1.11 2012/01/23 03:36:21 yasuoka Exp $ */
/*
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -89,6 +89,7 @@ struct pipex_session_req {
#define PIPEX_PPP_MPPE_REQUIRED 0x00000040
#define PIPEX_PPP_HAS_ACF 0x00000080
#define PIPEX_PPP_ADJUST_TCPMSS 0x00000100
+#define PIPEX_PPP_INGRESS_FILTER 0x00000200
int8_t pr_ccp_id; /* CCP current packet id */
int pr_ppp_id; /* PPP Id. */
uint16_t pr_peer_mru; /* Peer's MRU */
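Review bot: The new PIPEX_PPP_INGRESS_FILTER bit is the one flag in this set that gates a security check, yet it carries no comment on what it controls; suggest `#define PIPEX_PPP_INGRESS_FILTER 0x00000200 /* drop input whose src is not the session address */` so a reader of the header sees that leaving it clear disables source-address validation. The neighbouring flags are uncommented too, but this one deserves the exception because its default is now off.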
diff --git a/usr.sbin/npppd/npppd/npppd.c b/usr.sbin/npppd/npppd/npppd.c
index 78feb59e469..3516179bca1 100644
--- a/usr.sbin/npppd/npppd/npppd.c
+++ b/usr.sbin/npppd/npppd/npppd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd.c,v 1.14 2012/01/18 03:13:04 yasuoka Exp $ */
+/* $OpenBSD: npppd.c,v 1.15 2012/01/23 03:36:22 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -29,7 +29,7 @@
* Next pppd(nppd). This file provides a npppd daemon process and operations
* for npppd instance.
* @author Yasuoka Masahiko
- * $Id: npppd.c,v 1.14 2012/01/18 03:13:04 yasuoka Exp $
+ * $Id: npppd.c,v 1.15 2012/01/23 03:36:22 yasuoka Exp $
*/
#include <sys/cdefs.h>
#include "version.h"
@@ -887,10 +887,10 @@ npppd_network_output(npppd *_this, npppd_ppp *ppp, int proto, u_char *pktp,
pip = (struct ip *)pktp;
}
-#ifndef NO_INGRES_FILTER
- if ((pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr) !=
- (ppp->ppp_framed_ip_address.s_addr &
- ppp->ppp_framed_ip_netmask.s_addr)) {
+ if (ppp->ingress_filter != 0 &&
+ (pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr)
+ != (ppp->ppp_framed_ip_address.s_addr &
+ ppp->ppp_framed_ip_netmask.s_addr)) {
char logbuf[80];
strlcpy(logbuf, inet_ntoa(pip->ip_dst), sizeof(logbuf));
ppp_log(ppp, LOG_INFO,
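Review bot: The rewritten condition places `!=` at the start of its continuation line, while the removed lines, the rest of this function and the equivalent test in the pipex.c hunk keep binary operators at the end of the line; for consistency write `(pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr) !=` and continue with `(ppp->ppp_framed_ip_address.s_addr &` on the next line. The `ppp->ingress_filter != 0 &&` prefix is fine as the first operand since it short-circuits before touching pip. npppd_network_output starts and ends outside the hunk.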
@@ -899,7 +899,6 @@ npppd_network_output(npppd *_this, npppd_ppp *ppp, int proto, u_char *pktp,
return;
}
-#endif
if (ppp->timeout_sec > 0 && !ip_is_idle_packet(pip, lbuf))
ppp_reset_idle_timeout(ppp);
@@ -942,6 +941,8 @@ pipex_setup_common(npppd_ppp *ppp, struct pipex_session_req *req)
if (ppp->adjust_mss != 0)
req->pr_ppp_flags |= PIPEX_PPP_ADJUST_TCPMSS;
+ if (ppp->ingress_filter != 0)
+ req->pr_ppp_flags |= PIPEX_PPP_INGRESS_FILTER;
req->pr_ip_srcaddr = ppp->pppd->iface[0].ip4addr;
req->pr_ip_address = ppp->ppp_framed_ip_address;
diff --git a/usr.sbin/npppd/npppd/ppp.c b/usr.sbin/npppd/npppd/ppp.c
index 789d7f38650..e8a35197cbf 100644
--- a/usr.sbin/npppd/npppd/ppp.c
+++ b/usr.sbin/npppd/npppd/ppp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ppp.c,v 1.11 2012/01/18 03:13:04 yasuoka Exp $ */
+/* $OpenBSD: ppp.c,v 1.12 2012/01/23 03:36:22 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-/* $Id: ppp.c,v 1.11 2012/01/18 03:13:04 yasuoka Exp $ */
+/* $Id: ppp.c,v 1.12 2012/01/23 03:36:22 yasuoka Exp $ */
/**@file
* This file provides PPP(Point-to-Point Protocol, RFC 1661) and
* {@link :: _npppd_ppp PPP instance} related functions.
@@ -162,7 +162,8 @@ ppp_init(npppd *pppd, npppd_ppp *_this)
ppp_config_str_equal(_this, "log.in.pktdump", "true", 0);
_this->log_dump_out =
ppp_config_str_equal(_this, "log.out.pktdump", "true", 0);
-
+ _this->ingress_filter = ppp_config_str_equal(_this, "ingress_filter",
+ "true", 0);
#ifdef USE_NPPPD_MPPE
mppe_init(&_this->mppe, _this);
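Review bot: The new assignment reads the option the commit message calls ppp.ingress_filter and leaves it off unless configured, but nothing beside the code records that the default now leaves peer source addresses unvalidated; add `/* off by default: peer source addresses are then not checked (ppp.ingress_filter) */` above the assignment. The diffstat lists no manual page or sample configuration, so unless it is documented elsewhere the option is described only in this commit message. The key is looked up as "ingress_filter"; presumably ppp_config_str_equal adds the `ppp.` prefix, as the neighbouring `log.in.pktdump` lookup suggests, but that is inferred. ppp_init continues outside the hunk.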
diff --git a/usr.sbin/npppd/npppd/ppp.h b/usr.sbin/npppd/npppd/ppp.h
index a3b9e40856b..55ea451233b 100644
--- a/usr.sbin/npppd/npppd/ppp.h
+++ b/usr.sbin/npppd/npppd/ppp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ppp.h,v 1.8 2012/01/18 03:13:04 yasuoka Exp $ */
+/* $OpenBSD: ppp.h,v 1.9 2012/01/23 03:36:22 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -545,7 +545,9 @@ struct _npppd_ppp {
pipex_started:1,
/** pipex is enabled? */
pipex_enabled:1,
- reserved:3;
+ /** ingress filter */
+ ingress_filter:1,
+ reserved:2;
uint8_t /** IP address is assigned from dynamic address pool */
assign_dynapool:1,
/** assigned IP address is enabled? */
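Review bot: The doc comment `/** ingress filter */` on the new bit-field names the feature but not what it controls or its default, unlike the neighbouring `/** pipex is enabled? */`; suggest `/** drop packets whose source is not the assigned address (ppp.ingress_filter, off by default) */`. The field is a single bit, so storing the int result of ppp_config_str_equal in it (ppp.c hunk) relies on that function returning 0 or 1, which matches how the adjacent log_dump_in/log_dump_out fields are already filled. struct _npppd_ppp starts and ends outside the hunk.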