Re: Adding packet filtering to tun interfaces

To: Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost>
Subject: Re: Adding packet filtering to tun interfaces
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Mon, 12 Mar 2018 09:21:06 +0100

Le 12/03/2018 à 08:45, Tom Ivar Helbekkmo a écrit :

Maxime Villard <max%M00nBSD.net@localhost> writes:

Doesn't seem correct to me, pfil_run_hooks can return zero but still
free the mbuf.


When can it do that?


It can do that in L4 when handling fragments. When a fragment is received
NPF registers the packet in a list, and returns error=0 *mp=NULL. Later, when
the last fragment is received, the chain is complete; the packets in the list
are concatenated, and this time NPF returns error=0 *mp=reassembled_packet,
giving the "illusion" that the last received fragment was actually the
complete packet.

[...]

I think it should rather be:

+	if ((error = pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT)) != 0)
+		goto out;
+	if (m0 == NULL)
+		goto out;


I adapted the pfil_run_hooks() calls from those in if_vlan.c, so they'll
need fixing, too.


Mmh yes, they will need fixing, I missed that.

But now that I'm thinking about it... Are you sure that your change indeed
enforces NPF policies? If you pass ifp->if_pfil normally it doesn't do IP
filtering, unless I missed something else.

Maxime

Follow-Ups:
- Re: Adding packet filtering to tun interfaces
  - From: Tom Ivar Helbekkmo

References:
- Adding packet filtering to tun interfaces
  - From: Tom Ivar Helbekkmo
- Re: Adding packet filtering to tun interfaces
  - From: Maxime Villard
- Re: Adding packet filtering to tun interfaces
  - From: Tom Ivar Helbekkmo

Prev by Date: Re: Adding packet filtering to tun interfaces
Next by Date: Re: NPF: fast kick
Previous by Thread: Re: Adding packet filtering to tun interfaces
Next by Thread: Re: Adding packet filtering to tun interfaces
Indexes:

Home | Main Index | Thread Index | Old Index