tech-net archive


Re: Adding packet filtering to tun interfaces



On 11/03/2018 at 19:51, Tom Ivar Helbekkmo wrote:
I use a few VPN tunnels, mostly between my own systems, but also a
couple where the other end is not under my control.  For this reason,
I've had NPF configured to block incoming traffic from the other end of
those.  Recently, I discovered that this made no difference, as the tun
device doesn't submit its packets to the packet filtering mechanism.

I've been running with the below modification for a couple of weeks, on
amd64 and evbarm, and it works as expected.  If anyone knows of a good
reason why tun shouldn't enable packet filtering, please speak up.
Otherwise, I'll be committing this in a couple of days.

Index: sys/net/if_tun.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_tun.c,v
retrieving revision 1.142
diff -u -r1.142 if_tun.c
--- sys/net/if_tun.c	6 Dec 2017 07:40:16 -0000	1.142
+++ sys/net/if_tun.c	11 Mar 2018 16:25:43 -0000
@@ -555,6 +555,13 @@
bpf_mtap_af(ifp, dst->sa_family, m0); + if (pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT) != 0) {
+		if (m0 != NULL)
+			m_freem(m0);
+		error = 0;
+		goto out;
+	}
+
  	switch(dst->sa_family) {
  #ifdef INET6
  	case AF_INET6:
@@ -941,6 +948,12 @@
bpf_mtap_af(ifp, dst.sa_family, top); + if (pfil_run_hooks(ifp->if_pfil, &top, ifp, PFIL_IN) != 0) {
+		if (top != NULL)
+			m_freem(top);
+		goto out0;
+	}
+
  	mutex_enter(&tp->tun_lock);
  	if ((tp->tun_flags & TUN_INITED) == 0) {
  		/* Interface was destroyed */
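Review bot: same gap as in the output path: when a hook returns 0 but sets top to NULL, control continues past mutex_enter(&tp->tun_lock) with a NULL mbuf. Add `if (top == NULL) goto out0;` after the return-value check. Unlike the first hunk, this one does not assign error before jumping to out0, so the value returned to the writer depends on whatever error held earlier; setting it explicitly would keep the filtered and successful paths distinguishable.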

Doesn't seem correct to me: pfil_run_hooks can return zero but still free
the mbuf. I think it should rather be:

+	if ((error = pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT)) != 0)
+		goto out;
+	if (m0 == NULL)
+		goto out;

Maxime
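The contract Maxime describes, a hook that returns zero but hands back a NULL mbuf, is easy to model outside the kernel. The following is an added example, not code from this thread or from NetBSD: `struct mbuf`, `run_hooks`, the three hook functions and the two caller variants are simplified stand-ins for the real pfil API, written only to show the difference between checking the return value alone and checking both the return value and the pointer.

```c
/* Added example (not from the thread, not NetBSD code): a userland model of
 * the pfil_run_hooks() contract. Everything here is a simplified stand-in
 * for the kernel API, not the real mbuf or pfil implementation. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct mbuf { size_t len; unsigned char data[64]; };

/* A hook may pass (return 0, mbuf untouched), reject (nonzero return; the
 * hook may or may not free the mbuf), or consume (return 0 and set *mp to
 * NULL, e.g. after queueing the packet elsewhere). */
typedef int (*hook_fn)(struct mbuf **mp);

static int hook_pass(struct mbuf **mp) { (void)mp; return 0; }
static int hook_drop(struct mbuf **mp) { free(*mp); *mp = NULL; return 1; }
static int hook_consume(struct mbuf **mp) { free(*mp); *mp = NULL; return 0; }

/* Modelled on the kernel loop: stop at the first nonzero return or NULL mbuf,
 * and report the last hook's return value. */
static int run_hooks(hook_fn *hooks, size_t n, struct mbuf **mp)
{
    int ret = 0;
    for (size_t i = 0; i < n; i++) {
        ret = hooks[i](mp);
        if (*mp == NULL || ret != 0)
            break;
    }
    return ret;
}

enum outcome { OUT_SENT, OUT_FILTERED, OUT_NULL_DEREF };

/* Caller shaped like the original patch: only the return value is checked. */
static enum outcome send_patch_style(hook_fn *hooks, size_t n, struct mbuf *m)
{
    if (run_hooks(hooks, n, &m) != 0) {
        if (m != NULL)
            free(m);
        return OUT_FILTERED;
    }
    /* The patch goes on to use m here; after a consuming hook it is NULL. */
    if (m == NULL)
        return OUT_NULL_DEREF;  /* the kernel would dereference NULL here */
    free(m);
    return OUT_SENT;
}

/* Caller shaped like Maxime's suggestion: return value, then pointer. */
static enum outcome send_fixed(hook_fn *hooks, size_t n, struct mbuf *m)
{
    int error = run_hooks(hooks, n, &m);
    if (error != 0) {
        if (m != NULL)
            free(m);
        return OUT_FILTERED;
    }
    if (m == NULL)
        return OUT_FILTERED;    /* consumed by a hook: nothing left to send */
    free(m);
    return OUT_SENT;
}

/* Constructed sample packet: four payload bytes, content irrelevant. */
static struct mbuf *make_mbuf(void)
{
    struct mbuf *m = calloc(1, sizeof *m);
    if (m == NULL)
        abort();
    m->len = 4;
    memcpy(m->data, "ping", 4);
    return m;
}

/* Run one hook behaviour (0 = pass, 1 = drop, 2 = consume) through either
 * caller (fixed = 0 for the patch-style caller, 1 for the corrected one). */
static enum outcome case_result(int fixed, int which)
{
    hook_fn hooks[3] = { hook_pass, hook_drop, hook_consume };
    hook_fn chain[1] = { hooks[which] };
    return fixed ? send_fixed(chain, 1, make_mbuf())
                 : send_patch_style(chain, 1, make_mbuf());
}
```

The pass and drop cases behave identically in both callers; only the consume case separates them, which is exactly the path a test of the patch would need to exercise.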

