tech-net archive


Adding packet filtering to tun interfaces



I use a few VPN tunnels, mostly between my own systems, but also a
couple where the other end is not under my control.  For this reason,
I've had NPF configured to block incoming traffic from the other end of
those.  Recently, I discovered that this made no difference, as the tun
device doesn't submit its packets to the packet filtering mechanism.

I've been running with the below modification for a couple of weeks, on
amd64 and evbarm, and it works as expected.  If anyone knows of a good
reason why tun shouldn't enable packet filtering, please speak up.
Otherwise, I'll be committing this in a couple of days.

Index: sys/net/if_tun.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_tun.c,v
retrieving revision 1.142
diff -u -r1.142 if_tun.c
--- sys/net/if_tun.c	6 Dec 2017 07:40:16 -0000	1.142
+++ sys/net/if_tun.c	11 Mar 2018 16:25:43 -0000
@@ -555,6 +555,13 @@
 
 	bpf_mtap_af(ifp, dst->sa_family, m0);
 
+	if (pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT) != 0) {
+		if (m0 != NULL)
+			m_freem(m0);
+		error = 0;
+		goto out;
+	}
+
 	switch(dst->sa_family) {
 #ifdef INET6
 	case AF_INET6:
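Review bot: the drop path only covers a non-zero return from pfil_run_hooks; a hook that consumes the packet and returns 0 with m0 set to NULL falls through into the `switch(dst->sa_family)` below with a NULL mbuf. Add a check such as `if (m0 == NULL) { error = 0; goto out; }` directly after the hook call, as the other pfil call sites in the stack do. Two further points worth a comment in the code: bpf_mtap_af runs before the filter, so a BPF listener on the tun interface sees packets the filter then discards, and a filtered packet is reported to the caller as success (`error = 0`) without any interface counter being touched.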
@@ -941,6 +948,12 @@
 
 	bpf_mtap_af(ifp, dst.sa_family, top);
 
+	if (pfil_run_hooks(ifp->if_pfil, &top, ifp, PFIL_IN) != 0) {
+		if (top != NULL)
+			m_freem(top);
+		goto out0;
+	}
+
 	mutex_enter(&tp->tun_lock);
 	if ((tp->tun_flags & TUN_INITED) == 0) {
 		/* Interface was destroyed */
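Review bot: `top` is freed but not cleared before `goto out0`, so if the out0 path releases `top` on its way out this becomes a double free; set `top = NULL` after the m_freem (or jump to a label past any free) and confirm that out0 does not free it. The same consumed-packet case as in the output hunk applies here: a hook that returns 0 with `top == NULL` continues into mutex_enter(&tp->tun_lock) and the code below with a NULL mbuf, so an `if (top == NULL) goto out0;` check is needed. The write(2) that carried the blocked packet still returns success, which is reasonable for a filtered packet but deserves a comment.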

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
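As an added illustration, not part of the original post or of the NetBSD sources, here is the kind of npf.conf rule set the message refers to: a block rule on the tunnel interface that only has any effect once the tun driver actually hands its packets to the pfil hooks. The interface name tun0 and the group name are assumptions.

```conf
# Added example (not from the original post): an npf.conf fragment for a
# tunnel whose far end is not trusted.  tun0 and the group name are assumed.
group "vpn-peer" on tun0 {
	# Drop everything the remote end injects into the tunnel.
	block in final all
	# Our own traffic may leave through the tunnel; keep state for replies
	# that the remote end is expected to send back.
	pass stateful out final all
}

group default {
	pass final all
}
```

Load it with `npfctl reload` (and `npfctl start` if NPF is not yet running), then generate traffic from the far end of the tunnel and compare the counters from `npfctl stats` before and after: on a kernel without the patch the block rule never matches because the tun driver bypasses pfil, with the patch the blocked count rises.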

