authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2004-12-22 17:17:57 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2004-12-22 17:17:57 +0000
commit918b923f5bb7286ed02d9c5697215bdaab798030 (patch)
tree4f1ec81115f88bfb563ac6e9a8c5293d235e3336 /sys/net
parent876705771ce25a4fde66ddfeeaed78e36c2522fa (diff)
Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c6
-rw-r--r--sys/net/pf_if.c40
-rw-r--r--sys/net/pf_ioctl.c18
-rw-r--r--sys/net/pfvar.h8
4 files changed, 68 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 28bb0a313ef..1a775158169 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.475 2004/12/17 17:32:28 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.476 2004/12/22 17:17:55 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5627,6 +5627,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
kif = pfi_index2kif[ifp->if_index];
if (kif == NULL)
return (PF_DROP);
+ if (kif->pfik_flags & PFI_IFLAG_SKIP)
+ return (PF_PASS);
#ifdef DIAGNOSTIC
if ((m->m_flags & M_PKTHDR) == 0)
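Review bot: The new early return at `if (kif->pfik_flags & PFI_IFLAG_SKIP)` carries no comment saying what is being bypassed, and it deserves one because PF_PASS is returned here ahead of the DIAGNOSTIC check and, presumably, ahead of the normalization, state lookup and rule evaluation that follow later in pf_test, so a packet on a skipped interface is never scrubbed, tracked or accounted. I would add `/* 'set skip on' interface: bypass filtering, scrub and state tracking entirely */` above the check. The identical insertion in pf_test6 below needs the same comment. pf_test continues outside the hunk.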
@@ -5934,6 +5936,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
kif = pfi_index2kif[ifp->if_index];
if (kif == NULL)
return (PF_DROP);
+ if (kif->pfik_flags & PFI_IFLAG_SKIP)
+ return (PF_PASS);
#ifdef DIAGNOSTIC
if ((m->m_flags & M_PKTHDR) == 0)
diff --git a/sys/net/pf_if.c b/sys/net/pf_if.c
index ad652919090..26ce0ee731e 100644
--- a/sys/net/pf_if.c
+++ b/sys/net/pf_if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_if.c,v 1.22 2004/12/13 23:51:22 dhartmei Exp $ */
+/* $OpenBSD: pf_if.c,v 1.23 2004/12/22 17:17:55 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -689,6 +689,44 @@ pfi_clr_istats(const char *name, int *nzero, int flags)
}
int
+pfi_set_flags(const char *name, int flags)
+{
+ struct pfi_kif *p;
+ int s;
+
+ if (flags & ~PFI_IFLAG_SETABLE_MASK)
+ return (EINVAL);
+
+ s = splsoftnet();
+ RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
+ if (pfi_skip_if(name, p, PFI_FLAG_GROUP|PFI_FLAG_INSTANCE))
+ continue;
+ p->pfik_flags |= flags;
+ }
+ splx(s);
+ return (0);
+}
+
+int
+pfi_clear_flags(const char *name, int flags)
+{
+ struct pfi_kif *p;
+ int s;
+
+ if (flags & ~PFI_IFLAG_SETABLE_MASK)
+ return (EINVAL);
+
+ s = splsoftnet();
+ RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
+ if (pfi_skip_if(name, p, PFI_FLAG_GROUP|PFI_FLAG_INSTANCE))
+ continue;
+ p->pfik_flags &= ~flags;
+ }
+ splx(s);
+ return (0);
+}
+
+int
pfi_get_ifaces(const char *name, struct pfi_if *buf, int *size, int flags)
{
struct pfi_kif *p;
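Review bot: pfi_set_flags and pfi_clear_flags have no comment describing their contract even though `flags` arrives from the DIOCSETIFFLAG/DIOCCLRIFFLAG ioctls and the check against PFI_IFLAG_SETABLE_MASK is the only validation between userland and pfik_flags. I would put above pfi_set_flags `/* OR 'flags' into every kif matching 'name' (group or instance). 'flags' comes from userland; only PFI_IFLAG_SETABLE_MASK bits are accepted, anything else is EINVAL. */` and the mirror text on pfi_clear_flags. The RB_FOREACH only touches kifs present at call time, so whether an interface attached later under a matching name inherits the flag depends on code outside this hunk; that is worth stating in the comment once confirmed. The two functions differ only in `|=` versus `&= ~`, so a single static helper taking a set/clear argument would keep them from drifting apart. pfi_get_ifaces at the end of the hunk continues outside it.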
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 3003f0482b6..6cd20ed4297 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.136 2004/12/10 22:13:26 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.137 2004/12/22 17:17:55 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1028,6 +1028,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
case DIOCCLRSRCNODES:
case DIOCIGETIFACES:
case DIOCICLRISTATS:
+ case DIOCSETIFFLAG:
+ case DIOCCLRIFFLAG:
break;
case DIOCRCLRTABLES:
case DIOCRADDTABLES:
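Review bot: Adding `case DIOCSETIFFLAG:` to this `break` list lets the ioctl through whichever restriction this switch enforces, and the neighbouring cases (DIOCCLRSRCNODES, DIOCICLRISTATS, then the DIOCR*TABLES cases) suggest it is the securelevel > 1 switch in pfioctl. If so, setting PFI_IFLAG_SKIP at raised securelevel removes all filtering from an interface, an effect comparable to the rule-changing ioctls this switch refuses, so the hunk weakens that boundary. I would either drop DIOCSETIFFLAG from the list so it falls through to the refusing default, or keep it and add a comment on that case line stating why it is acceptable at this securelevel. pfioctl continues outside the hunk.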
@@ -2767,6 +2769,20 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
+ case DIOCSETIFFLAG: {
+ struct pfioc_iface *io = (struct pfioc_iface *)addr;
+
+ error = pfi_set_flags(io->pfiio_name, io->pfiio_flags);
+ break;
+ }
+
+ case DIOCCLRIFFLAG: {
+ struct pfioc_iface *io = (struct pfioc_iface *)addr;
+
+ error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags);
+ break;
+ }
+
default:
error = ENODEV;
break;
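Review bot: `io->pfiio_name` in the DIOCSETIFFLAG handler is passed straight from the userland-supplied struct to pfi_set_flags and from there to pfi_skip_if, and nothing in the hunk guarantees the array is NUL-terminated; unless pfi_skip_if bounds its comparison to the array size, a name that fills the array lets string functions read past it. I would add `io->pfiio_name[sizeof(io->pfiio_name) - 1] = '\0';` before the call in both the DIOCSETIFFLAG and the DIOCCLRIFFLAG cases. pfioctl continues outside the hunk.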
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 60cc689ebc1..136903a3d83 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.209 2004/12/10 22:13:26 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.210 2004/12/22 17:17:55 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -869,6 +869,8 @@ struct pfi_kif {
#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
+#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
+#define PFI_IFLAG_SETABLE_MASK 0x0100 /* setable via DIOC{SET,CLR}IFFLAG */
struct pf_pdesc {
u_int64_t tot_len; /* Make Mickey money */
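Review bot: `PFI_IFLAG_SETABLE_MASK` is defined as a second literal 0x0100 instead of in terms of the flag it allows, so the next user-settable flag has to be added in two places and the mask silently falls out of step if one is missed. Because this mask is the whitelist that pfi_set_flags and pfi_clear_flags apply to userland-supplied bits, I would write `#define PFI_IFLAG_SETABLE_MASK (PFI_IFLAG_SKIP) /* setable via DIOC{SET,CLR}IFFLAG */` so the allowed set is spelled out by name. struct pf_pdesc at the end of the hunk continues outside it.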
@@ -1326,6 +1328,8 @@ struct pfioc_iface {
#define DIOCSETHOSTID _IOWR('D', 86, u_int32_t)
#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
#define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface)
+#define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
+#define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
#ifdef _KERNEL
RB_HEAD(pf_src_tree, pf_src_node);
@@ -1488,6 +1492,8 @@ void pfi_dynaddr_remove(struct pf_addr_wrap *);
void pfi_fill_oldstatus(struct pf_status *);
int pfi_clr_istats(const char *, int *, int);
int pfi_get_ifaces(const char *, struct pfi_if *, int *, int);
+int pfi_set_flags(const char *, int);
+int pfi_clear_flags(const char *, int);
int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
sa_family_t);