authorReyk Floeter <reyk@cvs.openbsd.org>2005-11-03 20:00:19 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2005-11-03 20:00:19 +0000
commitd800cbd157ae776892caa95f34727945ca3d1aaf (patch)
tree0e310e22b7bb1217fb33464d1829221ee48ff2c0 /sys
parentafb982b6101e1d87540dc498a098618c34d30b0e (diff)
re-implement the bpf "filter drop" option so that it actually works. the
bpf FILDROP interface exists for about one year but the required interface to the drivers was missing - so it was useless. this new approach based on a design by henning@ uses a new mbuf flag to mark filtered packets and to drop them in the generic network stack input routines (like ether_input). for example; after some additional testing, this could be used by dhclient to filter everything except DHCP packets (track tech@ for a corresponding dhclient diff). the "filter dropped" packets won't reach the network stack. so it's probably some kind of a very basic application layer packet filter ;). ok canacar@, discussed with henning@ and others
Diffstat (limited to 'sys')
-rw-r--r--sys/net/bpf.c21
-rw-r--r--sys/net/bpf.h8
-rw-r--r--sys/net/if_ethersubr.c10
-rw-r--r--sys/net80211/ieee80211_input.c11
-rw-r--r--sys/sys/mbuf.h5
5 files changed, 36 insertions, 19 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index f329bde00b6..c7ff40f28f6 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.c,v 1.59 2005/07/31 03:52:18 pascoe Exp $ */
+/* $OpenBSD: bpf.c,v 1.60 2005/11/03 20:00:18 reyk Exp $ */
/* $NetBSD: bpf.c,v 1.33 1997/02/21 23:59:35 thorpej Exp $ */
/*
@@ -1157,17 +1157,16 @@ bpf_mcopy(const void *src_arg, void *dst_arg, size_t len)
/*
* Incoming linkage from device drivers, when packet is in an mbuf chain.
*/
-int
+void
bpf_mtap(caddr_t arg, struct mbuf *m)
{
struct bpf_if *bp = (struct bpf_if *)arg;
struct bpf_d *d;
size_t pktlen, slen;
struct mbuf *m0;
- int drop = 0;
if (m == NULL)
- return (0);
+ return;
pktlen = 0;
for (m0 = m; m0 != 0; m0 = m0->m_next)
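Review bot: The header comment at the top of the hunk (`Incoming linkage from device drivers, when packet is in an mbuf chain.`) no longer states the function's contract now that the drop decision travels through the mbuf instead of the return value a driver could inspect. Suggested addition to that comment: `If a matching listener has BIOCSFILDROP set, the head mbuf is marked M_FILDROP; input routines must test the flag and free the packet. The flag is only set here, never cleared.` Without that, a reader of the new void prototype has no hint that the tap can veto delivery of the frame. The remainder of bpf_mtap's body lies in the following hunk.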
@@ -1182,10 +1181,8 @@ bpf_mtap(caddr_t arg, struct mbuf *m)
bpf_catchpacket(d, (u_char *)m, pktlen, slen, bpf_mcopy);
if (d->bd_fildrop)
- drop++;
+ m->m_flags |= M_FILDROP;
}
-
- return (drop);
}
/*
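Review bot: The mark at `m->m_flags |= M_FILDROP;` is applied whenever a listener with bd_fildrop matches, with no notion of packet direction; if bpf_mtap is also the tap used on the transmit path (not visible in this diff), outbound frames matched by such a listener are marked as well. Nothing in this commit tests the flag on output, so that is harmless until a marked mbuf is copied or looped back into an input routine, where M_COPYFLAGS (see the mbuf.h hunk) lets the mark survive and the copy is dropped without any listener having asked for it. If fildrop is meant for received packets only, the mark should be limited to the input direction or cleared by the output path before the frame is queued. bpf_mtap begins in the previous hunk.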
@@ -1197,7 +1194,7 @@ bpf_mtap(caddr_t arg, struct mbuf *m)
* fields in this header that we initialize, and will not try to free
* it or keep a pointer to it.
*/
-int
+void
bpf_mtap_hdr(caddr_t arg, caddr_t data, u_int dlen, struct mbuf *m)
{
struct m_hdr mh;
@@ -1207,7 +1204,8 @@ bpf_mtap_hdr(caddr_t arg, caddr_t data, u_int dlen, struct mbuf *m)
mh.mh_len = dlen;
mh.mh_data = data;
- return bpf_mtap(arg, (struct mbuf *) &mh);
+ bpf_mtap(arg, (struct mbuf *) &mh);
+ m->m_flags |= mh.mh_flags & M_FILDROP;
}
/*
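Review bot: `m->m_flags |= mh.mh_flags & M_FILDROP;` trusts that mh.mh_flags held no stale bit before bpf_mtap ran, but the fake header's initialisation is outside this hunk (only `mh.mh_len` and `mh.mh_data` are visible being set). If mh_flags is not explicitly zeroed, bpf_mtap OR's into whatever the stack happened to contain, and a leftover 0x0080 bit would cause the caller's real packet to be dropped at ether_input with no listener requesting it. Please confirm `mh.mh_flags = 0;` is among the initialisers above, or add it next to `mh.mh_len = dlen;`. The opening lines of bpf_mtap_hdr are outside the hunk.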
@@ -1219,7 +1217,7 @@ bpf_mtap_hdr(caddr_t arg, caddr_t data, u_int dlen, struct mbuf *m)
* fields in this header that we initialize, and will not try to free
* it or keep a pointer to it.
*/
-int
+void
bpf_mtap_af(caddr_t arg, u_int32_t af, struct mbuf *m)
{
struct m_hdr mh;
@@ -1229,7 +1227,8 @@ bpf_mtap_af(caddr_t arg, u_int32_t af, struct mbuf *m)
mh.mh_len = 4;
mh.mh_data = (caddr_t)&af;
- return bpf_mtap(arg, (struct mbuf *) &mh);
+ bpf_mtap(arg, (struct mbuf *) &mh);
+ m->m_flags |= mh.mh_flags & M_FILDROP;
}
/*
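Review bot: The new line `m->m_flags |= mh.mh_flags & M_FILDROP;` dereferences the caller's mbuf unconditionally, while the `m == NULL` check inside bpf_mtap only ever sees the stack-allocated fake header and so cannot protect `m`. The previous version appears to have tolerated a NULL `m` here because it merely chained it behind the wrapper; if any bpf_mtap_af caller can pass NULL (not determinable from this hunk), this becomes a new kernel NULL dereference. A guard such as `if (m != NULL) m->m_flags |= mh.mh_flags & M_FILDROP;` costs nothing, and the same applies to bpf_mtap_hdr. The start of bpf_mtap_af is outside the hunk.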
diff --git a/sys/net/bpf.h b/sys/net/bpf.h
index b6e8c0e1610..3a435af6ed4 100644
--- a/sys/net/bpf.h
+++ b/sys/net/bpf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.h,v 1.31 2005/07/31 03:52:18 pascoe Exp $ */
+/* $OpenBSD: bpf.h,v 1.32 2005/11/03 20:00:18 reyk Exp $ */
/* $NetBSD: bpf.h,v 1.15 1996/12/13 07:57:33 mikel Exp $ */
/*
@@ -261,9 +261,9 @@ struct bpf_dltlist {
#ifdef _KERNEL
int bpf_validate(struct bpf_insn *, int);
int bpf_tap(caddr_t, u_char *, u_int);
-int bpf_mtap(caddr_t, struct mbuf *);
-int bpf_mtap_hdr(caddr_t, caddr_t, u_int, struct mbuf *);
-int bpf_mtap_af(caddr_t, u_int32_t, struct mbuf *);
+void bpf_mtap(caddr_t, struct mbuf *);
+void bpf_mtap_hdr(caddr_t, caddr_t, u_int, struct mbuf *);
+void bpf_mtap_af(caddr_t, u_int32_t, struct mbuf *);
void bpfattach(caddr_t *, struct ifnet *, u_int, u_int);
void bpfdetach(struct ifnet *);
void bpfilterattach(int);
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 6a7eeed9407..ee4bbf4c1d2 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_ethersubr.c,v 1.98 2005/10/17 08:43:35 henning Exp $ */
+/* $OpenBSD: if_ethersubr.c,v 1.99 2005/11/03 20:00:18 reyk Exp $ */
/* $NetBSD: if_ethersubr.c,v 1.19 1996/05/07 02:40:30 thorpej Exp $ */
/*
@@ -615,6 +615,14 @@ ether_input(ifp, eh, m)
ac = (struct arpcom *)ifp;
/*
+ * If packet has been filtered by the bpf listener, drop it now
+ */
+ if (m->m_flags & M_FILDROP) {
+ m_free(m);
+ return;
+ }
+
+ /*
* If packet is unicast and we're in promiscuous mode, make sure it
* is for us. Drop otherwise.
*/
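Review bot: The drop path added to ether_input frees the packet with `m_free(m)`, which releases only the first mbuf of the chain and hands back the next one (discarded here), whereas the parallel check added in ieee80211_input.c uses `m_freem(m)`. A received frame spanning several mbufs would leak its tail on every filtered packet, a slow mbuf-pool exhaustion that a fildrop listener on a busy interface would drive at line rate. Change it to `m_freem(m);`. ether_input's body begins and ends outside the hunk.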
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index eaa2559a2ec..709255a3cb9 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,5 +1,5 @@
/* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */
-/* $OpenBSD: ieee80211_input.c,v 1.11 2005/09/13 12:11:03 reyk Exp $ */
+/* $OpenBSD: ieee80211_input.c,v 1.12 2005/11/03 20:00:18 reyk Exp $ */
/*-
* Copyright (c) 2001 Atsushi Onoe
@@ -408,6 +408,15 @@ ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
#if NBPFILTER > 0
if (ic->ic_rawbpf)
bpf_mtap(ic->ic_rawbpf, m);
+ /*
+ * Drop mbuf if it was filtered by bpf. Normally, this is
+ * done in ether_input() but IEEE 802.11 management frames
+ * are a special case.
+ */
+ if (m->m_flags & M_FILDROP) {
+ m_freem(m);
+ return;
+ }
#endif
(*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
m_freem(m);
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 1d5b2f13a81..63ab629aeea 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.83 2005/10/17 08:43:34 henning Exp $ */
+/* $OpenBSD: mbuf.h,v 1.84 2005/11/03 20:00:18 reyk Exp $ */
/* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
/*
@@ -143,10 +143,11 @@ struct mbuf {
#define M_ANYCAST6 0x4000 /* received as IPv6 anycast */
#define M_LINK0 0x8000 /* link layer specific flag */
#define M_LOOP 0x0040 /* for Mbuf statistics */
+#define M_FILDROP 0x0080 /* dropped by bpf filter */
/* flags copied when copying m_pkthdr */
#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|\
- M_AUTH|M_ANYCAST6|M_LOOP|M_TUNNEL|M_LINK0)
+ M_AUTH|M_ANYCAST6|M_LOOP|M_TUNNEL|M_LINK0|M_FILDROP)
/* Checksumming flags */
#define M_IPV4_CSUM_OUT 0x0001 /* IPv4 checksum needed */
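Review bot: `#define M_FILDROP 0x0080` sits between M_LOOP (0x0040) and M_LINK0 (0x8000), but the rest of the m_flags list is outside this hunk, so the value's uniqueness cannot be confirmed here; please check that 0x0080 is not already assigned elsewhere in that list, since a collision would make unrelated packets vanish in ether_input. Adding the flag to M_COPYFLAGS presumably means every packet-header copy (M_DUP_PKTHDR and friends) inherits the drop mark, which the stack input check needs but also keeps a packet marked across bridging or loopback copies. If that is intended, the comment should say so, e.g. `/* to be dropped by bpf listener (BIOCSFILDROP); copied with pkthdr */`.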