Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-12-23 Thread Andrey V. Elsukov
On 21.12.2019 01:14, Gleb Smirnoff wrote:
> A> >   Another future feature is possibility to create pfil heads, that provide
> A> >   not an mbuf pointer but just a memory pointer with length. That would
> A> >   allow filtering at very early stages of a packet lifecycle, e.g. when
> A> >   packet has just been received by a NIC and no mbuf was yet allocated.
> A> It seems that this commit has changed the error code returned from
> A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
> A> now it became EPERM. Was it intentional?
> 
> I don't think that was intentional. Can you please review this patch?

LGTM, thanks!

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-12-20 Thread Gleb Smirnoff
On Wed, Dec 18, 2019 at 03:27:58PM +0300, Andrey V. Elsukov wrote:
A> > Log:
A> >   New pfil(9) KPI together with newborn pfil API and control utility.
A> >   
A> >   The KPI has been reviewed and cleansed of features that were planned
A> >   back 20 years ago and never implemented.  The pfil(9) internals have
A> >   been made opaque to protocols with only returned types and function
A> >   declarations exposed. The KPI is made more strict, but at the same time
A> >   more extensible, as kernel uses same command structures that userland
A> >   ioctl uses.
A> >   
A> >   In a nutshell [KA]PI is about declaring filtering points, declaring
A> >   filters and linking and unlinking them together.
A> >   
A> >   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
A> >   change order of hooks, rehook filter from one filtering point to a
A> >   different one, disconnect a hook on output leaving it on input only,
A> >   prepend/append a filter to existing list of filters.
A> >   
A> >   Now it is possible for a single packet filter to provide multiple rulesets
A> >   that may be linked to different points. Think of per-interface ACLs in
A> >   Cisco or Juniper. None of existing packet filters yet support that,
A> >   however limited usage is already possible, e.g. default ruleset can
A> >   be moved to single interface, as soon as interface would provide their
A> >   filtering points.
A> >   
A> >   Another future feature is possibility to create pfil heads, that provide
A> >   not an mbuf pointer but just a memory pointer with length. That would
A> >   allow filtering at very early stages of a packet lifecycle, e.g. when
A> >   packet has just been received by a NIC and no mbuf was yet allocated.
A> It seems that this commit has changed the error code returned from
A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
A> now it became EPERM. Was it intentional?

I don't think that was intentional. Can you please review this patch?

-- 
Gleb Smirnoff
Index: sys/net/if_bridge.c
===
--- sys/net/if_bridge.c	(revision 355964)
+++ sys/net/if_bridge.c	(working copy)
@@ -3191,7 +3191,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
 	dir == PFIL_OUT && ifp != NULL) {
 		switch (pfil_run_hooks(V_link_pfil_head, mp, ifp, dir, NULL)) {
 		case PFIL_DROPPED:
-			return (EPERM);
+			return (EACCES);
 		case PFIL_CONSUMED:
 			return (0);
 		}
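Review bot: this hunk changes the PFIL_DROPPED errno for the bridge's link-layer pass, while the report in this thread only concerned ip[6]_output(); the patch description should state whether bridge_pfil() also returned EACCES before r343631, since otherwise this is a new behaviour rather than a restoration. Whichever value is chosen is part of the consumer-visible pfil(9) contract, so please also state it in pfil.9 (already in the commit's modified list), e.g. "when a hook drops the packet the caller fails with EACCES".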
@@ -3312,7 +3312,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
 	case PFIL_CONSUMED:
 		return (0);
 	case PFIL_DROPPED:
-		return (EPERM);
+		return (EACCES);
 	default:
 		break;
 	}
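Review bot: bridge_pfil() now carries two separate switch statements that map pfil_run_hooks() results to errno values (this hunk and the one at line 3191), each hard-coding EACCES for PFIL_DROPPED; a single small helper (hypothetical name: pfil_result_to_errno()) or a shared macro used at both sites would keep the two mappings from diverging on the next KPI change.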
Index: sys/netinet/ip_output.c
===
--- sys/netinet/ip_output.c	(revision 355964)
+++ sys/netinet/ip_output.c	(working copy)
@@ -130,7 +130,7 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp
 	odst.s_addr = ip->ip_dst.s_addr;
 	switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) {
 	case PFIL_DROPPED:
-		*error = EPERM;
+		*error = EACCES;
 		/* FALLTHROUGH */
 	case PFIL_CONSUMED:
 		return 1; /* Finished */
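Review bot: `*error = EACCES` restores the value the thread reports ip_output() returned before r343631, but the other pfil_run_hooks() callers that r343631 touched (ip_input.c, ip_fastfwd.c, ip6_forward.c, ip6_fastfwd.c, if_ethersubr.c, if_enc.c, per the commit's modified list) are not in this patch; check whether any of them was switched to EPERM for PFIL_DROPPED at the same time and, if so, fold the revert into this change so every pfil consumer reports a blocked packet the same way.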
Index: sys/netinet6/ip6_output.c
===
--- sys/netinet6/ip6_output.c	(revision 355964)
+++ sys/netinet6/ip6_output.c	(working copy)
@@ -898,7 +898,7 @@ again:
 		ip6 = mtod(m, struct ip6_hdr *);
 		break;
 	case PFIL_DROPPED:
-		error = EPERM;
+		error = EACCES;
 		/* FALLTHROUGH */
 	case PFIL_CONSUMED:
 		goto done;
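Review bot: `error = EACCES` is the IPv6 counterpart of the ip_output.c hunk and is correct as shown; the FALLTHROUGH into PFIL_CONSUMED relies on that case not touching `error` before `goto done`, which the visible lines satisfy. A one-line comment at the assignment noting that EACCES is the errno userland has historically seen for a filter-blocked packet would make the intent explicit for the next KPI refresh, e.g. `error = EACCES; /* blocked by packet filter; keep EACCES, not EPERM */`.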
___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"


Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-12-18 Thread Cy Schubert
On December 18, 2019 4:27:58 AM PST, "Andrey V. Elsukov" wrote:
>On 01.02.2019 02:01, Gleb Smirnoff wrote:
>> Author: glebius
>> Date: Thu Jan 31 23:01:03 2019
>> New Revision: 343631
>> URL: https://svnweb.freebsd.org/changeset/base/343631
>> 
>> Log:
>>   New pfil(9) KPI together with newborn pfil API and control utility.
>>   
>>   The KPI has been reviewed and cleansed of features that were planned
>>   back 20 years ago and never implemented.  The pfil(9) internals have
>>   been made opaque to protocols with only returned types and function
>>   declarations exposed. The KPI is made more strict, but at the same time
>>   more extensible, as kernel uses same command structures that userland
>>   ioctl uses.
>>   
>>   In a nutshell [KA]PI is about declaring filtering points, declaring
>>   filters and linking and unlinking them together.
>>   
>>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>>   change order of hooks, rehook filter from one filtering point to a
>>   different one, disconnect a hook on output leaving it on input only,
>>   prepend/append a filter to existing list of filters.
>>   
>>   Now it is possible for a single packet filter to provide multiple rulesets
>>   that may be linked to different points. Think of per-interface ACLs in
>>   Cisco or Juniper. None of existing packet filters yet support that,
>>   however limited usage is already possible, e.g. default ruleset can
>>   be moved to single interface, as soon as interface would provide their
>>   filtering points.
>>   
>>   Another future feature is possibility to create pfil heads, that provide
>>   not an mbuf pointer but just a memory pointer with length. That would
>>   allow filtering at very early stages of a packet lifecycle, e.g. when
>>   packet has just been received by a NIC and no mbuf was yet allocated.
>It seems that this commit has changed the error code returned from
>ip[6]_output() when a packet is blocked. Previously it was EACCES, but
>now it became EPERM. Was it intentional?

EPERM, operation not permitted regardless of privilege, is more appropriate. 


-- 
Pardon the typos and autocorrect, small keyboard in use. 
Cy Schubert 
FreeBSD UNIX:  Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-12-18 Thread Andrey V. Elsukov
On 01.02.2019 02:01, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
> 
> Log:
>   New pfil(9) KPI together with newborn pfil API and control utility.
>   
>   The KPI has been reviewed and cleansed of features that were planned
>   back 20 years ago and never implemented.  The pfil(9) internals have
>   been made opaque to protocols with only returned types and function
>   declarations exposed. The KPI is made more strict, but at the same time
>   more extensible, as kernel uses same command structures that userland
>   ioctl uses.
>   
>   In a nutshell [KA]PI is about declaring filtering points, declaring
>   filters and linking and unlinking them together.
>   
>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>   change order of hooks, rehook filter from one filtering point to a
>   different one, disconnect a hook on output leaving it on input only,
>   prepend/append a filter to existing list of filters.
>   
>   Now it is possible for a single packet filter to provide multiple rulesets
>   that may be linked to different points. Think of per-interface ACLs in
>   Cisco or Juniper. None of existing packet filters yet support that,
>   however limited usage is already possible, e.g. default ruleset can
>   be moved to single interface, as soon as interface would provide their
>   filtering points.
>   
>   Another future feature is possibility to create pfil heads, that provide
>   not an mbuf pointer but just a memory pointer with length. That would
>   allow filtering at very early stages of a packet lifecycle, e.g. when
>   packet has just been received by a NIC and no mbuf was yet allocated.
It seems that this commit has changed the error code returned from
ip[6]_output() when a packet is blocked. Previously it was EACCES, but
now it became EPERM. Was it intentional?

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-01-31 Thread Bryan Drewery
On 1/31/19 3:01 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
> 
> Log:
>   New pfil(9) KPI together with newborn pfil API and control utility.
>   
>   The KPI has been reviewed and cleansed of features that were planned
>   back 20 years ago and never implemented.  The pfil(9) internals have
>   been made opaque to protocols with only returned types and function
>   declarations exposed. The KPI is made more strict, but at the same time
>   more extensible, as kernel uses same command structures that userland
>   ioctl uses.
>   
>   In a nutshell [KA]PI is about declaring filtering points, declaring
>   filters and linking and unlinking them together.
>   
>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>   change order of hooks, rehook filter from one filtering point to a
>   different one, disconnect a hook on output leaving it on input only,
>   prepend/append a filter to existing list of filters.
>   
>   Now it is possible for a single packet filter to provide multiple rulesets
>   that may be linked to different points. Think of per-interface ACLs in
>   Cisco or Juniper. None of existing packet filters yet support that,
>   however limited usage is already possible, e.g. default ruleset can
>   be moved to single interface, as soon as interface would provide their
>   filtering points.
>   
>   Another future feature is possibility to create pfil heads, that provide
>   not an mbuf pointer but just a memory pointer with length. That would
>   allow filtering at very early stages of a packet lifecycle, e.g. when
>   packet has just been received by a NIC and no mbuf was yet allocated.
>   
>   Differential Revision:  https://reviews.freebsd.org/D18951
> 
> Added:
>   head/sbin/pfilctl/
>   head/sbin/pfilctl/Makefile   (contents, props changed)
>   head/sbin/pfilctl/pfilctl.8   (contents, props changed)
>   head/sbin/pfilctl/pfilctl.c   (contents, props changed)
> Modified:
>   head/ObsoleteFiles.inc
>   head/sbin/Makefile
>   head/share/man/man9/Makefile
>   head/share/man/man9/pfil.9
>   head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
>   head/sys/net/if_bridge.c
>   head/sys/net/if_enc.c
>   head/sys/net/if_ethersubr.c
>   head/sys/net/if_var.h
>   head/sys/net/pfil.c
>   head/sys/net/pfil.h
>   head/sys/netinet/ip_fastfwd.c
>   head/sys/netinet/ip_input.c
>   head/sys/netinet/ip_output.c
>   head/sys/netinet/ip_var.h
>   head/sys/netinet/siftr.c
>   head/sys/netinet6/ip6_fastfwd.c
>   head/sys/netinet6/ip6_forward.c
>   head/sys/netinet6/ip6_input.c
>   head/sys/netinet6/ip6_output.c
>   head/sys/netinet6/ip6_var.h
>   head/sys/netpfil/ipfw/ip_fw_eaction.c
>   head/sys/netpfil/ipfw/ip_fw_pfil.c
>   head/sys/netpfil/pf/pf_ioctl.c

This breaks the build.

https://ci.freebsd.org/job/FreeBSD-head-powerpc64-build/9220/console

> 23:28:54 cc1: warnings being treated as errors
> 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c: In function 'help':
> 23:28:54 /usr/src/sbin/pfilctl/pfilctl.c:97: warning: nested extern 
> declaration of '__progname'
> 23:28:54 --- all_subdir_lib ---
> 23:28:54 --- clog.3.gz ---
> 23:28:54 gzip -cn /usr/src/lib/msun/man/clog.3 > clog.3.gz
> 23:28:54 --- all_subdir_sbin ---
> 23:28:54 *** [pfilctl.o] Error code 1
> 23:28:54 
> 23:28:54 make[4]: stopped in /usr/src/sbin/pfilctl


-- 
Regards,
Bryan Drewery





svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-01-31 Thread Gleb Smirnoff
Author: glebius
Date: Thu Jan 31 23:01:03 2019
New Revision: 343631
URL: https://svnweb.freebsd.org/changeset/base/343631

Log:
  New pfil(9) KPI together with newborn pfil API and control utility.
  
  The KPI has been reviewed and cleansed of features that were planned
  back 20 years ago and never implemented.  The pfil(9) internals have
  been made opaque to protocols with only returned types and function
  declarations exposed. The KPI is made more strict, but at the same time
  more extensible, as kernel uses same command structures that userland
  ioctl uses.
  
  In a nutshell [KA]PI is about declaring filtering points, declaring
  filters and linking and unlinking them together.
  
  New [KA]PI makes it possible to reconfigure pfil(9) configuration:
  change order of hooks, rehook filter from one filtering point to a
  different one, disconnect a hook on output leaving it on input only,
  prepend/append a filter to existing list of filters.
  
  Now it is possible for a single packet filter to provide multiple rulesets
  that may be linked to different points. Think of per-interface ACLs in
  Cisco or Juniper. None of existing packet filters yet support that,
  however limited usage is already possible, e.g. default ruleset can
  be moved to single interface, as soon as interface would provide their
  filtering points.
  
  Another future feature is possibility to create pfil heads, that provide
  not an mbuf pointer but just a memory pointer with length. That would
  allow filtering at very early stages of a packet lifecycle, e.g. when
  packet has just been received by a NIC and no mbuf was yet allocated.
  
  Differential Revision: https://reviews.freebsd.org/D18951

Added:
  head/sbin/pfilctl/
  head/sbin/pfilctl/Makefile   (contents, props changed)
  head/sbin/pfilctl/pfilctl.8   (contents, props changed)
  head/sbin/pfilctl/pfilctl.c   (contents, props changed)
Modified:
  head/ObsoleteFiles.inc
  head/sbin/Makefile
  head/share/man/man9/Makefile
  head/share/man/man9/pfil.9
  head/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
  head/sys/net/if_bridge.c
  head/sys/net/if_enc.c
  head/sys/net/if_ethersubr.c
  head/sys/net/if_var.h
  head/sys/net/pfil.c
  head/sys/net/pfil.h
  head/sys/netinet/ip_fastfwd.c
  head/sys/netinet/ip_input.c
  head/sys/netinet/ip_output.c
  head/sys/netinet/ip_var.h
  head/sys/netinet/siftr.c
  head/sys/netinet6/ip6_fastfwd.c
  head/sys/netinet6/ip6_forward.c
  head/sys/netinet6/ip6_input.c
  head/sys/netinet6/ip6_output.c
  head/sys/netinet6/ip6_var.h
  head/sys/netpfil/ipfw/ip_fw_eaction.c
  head/sys/netpfil/ipfw/ip_fw_pfil.c
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/ObsoleteFiles.inc
==
--- head/ObsoleteFiles.inc  Thu Jan 31 22:58:17 2019(r343630)
+++ head/ObsoleteFiles.inc  Thu Jan 31 23:01:03 2019(r343631)
@@ -38,6 +38,12 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20190131: pfil(9) changed
+OLD_FILES+=usr/share/man/man9/pfil_hook_get.9
+OLD_FILES+=usr/share/man/man9/pfil_rlock.9
+OLD_FILES+=usr/share/man/man9/pfil_runlock.9
+OLD_FILES+=usr/share/man/man9/pfil_wlock.9
+OLD_FILES+=usr/share/man/man9/pfil_wunlock.9
 # 20190126: adv(4) / adw(4) removal
 OLD_FILES+=usr/share/man/man4/adv.4.gz
 OLD_FILES+=usr/share/man/man4/adw.4.gz
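Review bot: the five new OLD_FILES entries lack the `.gz` suffix that the neighbouring man page entries carry (`usr/share/man/man4/adv.4.gz`, `usr/share/man/man4/adw.4.gz`); manual pages are installed compressed by default, so these paths will not match anything on disk and the stale pfil_hook_get.9, pfil_rlock.9, pfil_runlock.9, pfil_wlock.9 and pfil_wunlock.9 pages will survive `make delete-old`. Use `OLD_FILES+=usr/share/man/man9/pfil_hook_get.9.gz` and likewise for the other four.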

Modified: head/sbin/Makefile
==
--- head/sbin/Makefile  Thu Jan 31 22:58:17 2019(r343630)
+++ head/sbin/Makefile  Thu Jan 31 23:01:03 2019(r343631)
@@ -52,6 +52,7 @@ SUBDIR=adjkerntz \
newfs_msdos \
nfsiod \
nos-tun \
+   pfilctl \
ping \
rcorder \
reboot \

Added: head/sbin/pfilctl/Makefile
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/sbin/pfilctl/Makefile  Thu Jan 31 23:01:03 2019(r343631)
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+PROG=  pfilctl
+SRCS=  pfilctl.c
+WARNS?=6
+
+MAN=   pfilctl.8
+
+.include 
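Review bot: `WARNS?=6` turns compiler warnings into errors, and the powerpc64 gcc build log quoted in Bryan Drewery's reply in this thread fails on `/usr/src/sbin/pfilctl/pfilctl.c:97: warning: nested extern declaration of '__progname'` inside help(); move that extern declaration of __progname out of the function body to file scope, or use getprogname(3), so the utility builds at WARNS=6 on every toolchain instead of lowering WARNS for this program.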

Added: head/sbin/pfilctl/pfilctl.8
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/sbin/pfilctl/pfilctl.8 Thu Jan 31 23:01:03 2019(r343631)
@@ -0,0 +1,117 @@
+.\" Copyright (c) 2019 Gleb Smirnoff 
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS