This diff makes the ingress filter of pipex and npppd configurable and
disables it by default.  After this change, anyone who needs the filter
must add

  ppp.ingress_filter: true

to npppd.conf.  I promise to document this setting in the man page
once the man page becomes available.

ok? comment?

Index: sys/net/pipex.c
===================================================================
RCS file: /cvs/src/sys/net/pipex.c,v
retrieving revision 1.24
diff -u -p -r1.24 pipex.c
--- sys/net/pipex.c     18 Jan 2012 02:02:53 -0000      1.24
+++ sys/net/pipex.c     20 Jan 2012 00:58:18 -0000
@@ -1124,15 +1124,16 @@ pipex_ip_input(struct mbuf *m0, struct p
                        goto drop;
        }
 #endif
-
-       /* ingress filter */
-       ip = mtod(m0, struct ip *);
-       if ((ip->ip_src.s_addr & session->ip_netmask.sin_addr.s_addr) !=
-           session->ip_address.sin_addr.s_addr) {
-               pipex_session_log(session, LOG_DEBUG,
-                   "ip packet discarded by ingress filter (src %s)",
-                   inet_ntoa(ip->ip_src));
-               goto drop;
+       if (ISSET(session->ppp_flags, PIPEX_PPP_INGRESS_FILTER)) {
+               /* ingress filter */
+               ip = mtod(m0, struct ip *);
+               if ((ip->ip_src.s_addr & session->ip_netmask.sin_addr.s_addr) !=
+                   session->ip_address.sin_addr.s_addr) {
+                       pipex_session_log(session, LOG_DEBUG,
+                           "ip packet discarded by ingress filter (src %s)",
+                           inet_ntoa(ip->ip_src));
+                       goto drop;
+               }
        }
 
        /* idle timer */
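Review bot: A session whose request does not carry PIPEX_PPP_INGRESS_FILTER now skips the source-address check in pipex_ip_input entirely, so every existing caller and configuration loses this anti-spoofing control without opting out. The same off-by-default behaviour applies to the `ppp->ingress_filter != 0` test in npppd_network_output and to the `ingress_filter` lookup in ppp_init. If that default is intended, I would state it at the check, e.g. `/* ingress filter: drop packets whose source is outside the session's address/netmask; off unless userland sets PIPEX_PPP_INGRESS_FILTER */`, and consider logging once at session setup when the filter is disabled. Note also that `ip = mtod(m0, struct ip *);` is now assigned only inside the conditional; pipex_ip_input continues outside this hunk, so if `ip` is read later the assignment should stay unconditional.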
Index: sys/net/pipex.h
===================================================================
RCS file: /cvs/src/sys/net/pipex.h,v
retrieving revision 1.10
diff -u -p -r1.10 pipex.h
--- sys/net/pipex.h     15 Oct 2011 03:24:11 -0000      1.10
+++ sys/net/pipex.h     20 Jan 2012 00:58:18 -0000
@@ -89,6 +89,7 @@ struct pipex_session_req {
 #define        PIPEX_PPP_MPPE_REQUIRED         0x00000040
 #define        PIPEX_PPP_HAS_ACF               0x00000080
 #define        PIPEX_PPP_ADJUST_TCPMSS         0x00000100
+#define        PIPEX_PPP_INGRESS_FILTER        0x00000200
        int8_t          pr_ccp_id;              /* CCP current packet id */
        int             pr_ppp_id;              /* PPP Id. */
        uint16_t        pr_peer_mru;            /* Peer's MRU */
Index: usr.sbin/npppd/npppd/npppd.c
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/npppd.c,v
retrieving revision 1.14
diff -u -p -r1.14 npppd.c
--- usr.sbin/npppd/npppd/npppd.c        18 Jan 2012 03:13:04 -0000      1.14
+++ usr.sbin/npppd/npppd/npppd.c        20 Jan 2012 00:58:19 -0000
@@ -887,10 +887,10 @@ npppd_network_output(npppd *_this, npppd
                pip = (struct ip *)pktp;
        }
 
-#ifndef        NO_INGRES_FILTER
-       if ((pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr) !=
-           (ppp->ppp_framed_ip_address.s_addr &
-                   ppp->ppp_framed_ip_netmask.s_addr)) {
+       if (ppp->ingress_filter != 0 &&
+           (pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr)
+                   != (ppp->ppp_framed_ip_address.s_addr &
+                       ppp->ppp_framed_ip_netmask.s_addr)) {
                char logbuf[80];
                strlcpy(logbuf, inet_ntoa(pip->ip_dst), sizeof(logbuf));
                ppp_log(ppp, LOG_INFO,
@@ -899,7 +899,6 @@ npppd_network_output(npppd *_this, npppd
 
                return;
        }
-#endif
        if (ppp->timeout_sec > 0 && !ip_is_idle_packet(pip, lbuf))
                ppp_reset_idle_timeout(ppp);
 
@@ -942,6 +941,8 @@ pipex_setup_common(npppd_ppp *ppp, struc
 
        if (ppp->adjust_mss != 0)
                req->pr_ppp_flags |= PIPEX_PPP_ADJUST_TCPMSS;
+       if (ppp->ingress_filter != 0)
+               req->pr_ppp_flags |= PIPEX_PPP_INGRESS_FILTER;
 
        req->pr_ip_srcaddr = ppp->pppd->iface[0].ip4addr;
        req->pr_ip_address = ppp->ppp_framed_ip_address;
Index: usr.sbin/npppd/npppd/ppp.c
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/ppp.c,v
retrieving revision 1.11
diff -u -p -r1.11 ppp.c
--- usr.sbin/npppd/npppd/ppp.c  18 Jan 2012 03:13:04 -0000      1.11
+++ usr.sbin/npppd/npppd/ppp.c  20 Jan 2012 00:58:19 -0000
@@ -162,7 +162,8 @@ ppp_init(npppd *pppd, npppd_ppp *_this)
            ppp_config_str_equal(_this, "log.in.pktdump",  "true", 0);
        _this->log_dump_out =
            ppp_config_str_equal(_this, "log.out.pktdump",  "true", 0);
-
+       _this->ingress_filter = ppp_config_str_equal(_this, "ingress_filter",
+           "true", 0);
 
 #ifdef USE_NPPPD_MPPE
        mppe_init(&_this->mppe, _this);
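Review bot: The new assignment in ppp_init enables the filter only when the configured value compares equal to `"true"`, so a typo or a value such as `yes` or `1` leaves source-address checking off with no diagnostic. For a security control, I would make the effective setting visible by logging it once when the session is initialised. I would also document the fallback next to the lookup, e.g. `/* source-address filtering is off unless ingress_filter is set to "true" */`. The description names the key `ppp.ingress_filter` while the lookup uses `ingress_filter`; presumably ppp_config_str_equal adds the prefix, but that is worth confirming since its definition is outside this hunk, as is the rest of ppp_init.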
Index: usr.sbin/npppd/npppd/ppp.h
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/ppp.h,v
retrieving revision 1.8
diff -u -p -r1.8 ppp.h
--- usr.sbin/npppd/npppd/ppp.h  18 Jan 2012 03:13:04 -0000      1.8
+++ usr.sbin/npppd/npppd/ppp.h  20 Jan 2012 00:58:19 -0000
@@ -545,7 +545,9 @@ struct _npppd_ppp {
                        pipex_started:1,
                        /** pipex is enabled? */
                        pipex_enabled:1,
-                       reserved:3;
+                       /** ingress filter */
+                       ingress_filter:1,
+                       reserved:2;
        uint8_t         /** IP address is assigned from dynamic address pool */
                        assign_dynapool:1,
                        /** assigned IP address is enabled? */
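Review bot: The doc comment `/** ingress filter */` on the new bit-field names the feature but does not say what a set bit means, unlike the neighbouring `/** pipex is enabled? */`. Something like `/** drop packets from the peer whose source address is outside the framed address/netmask? */` would tell the reader that a clear bit means no source validation. The struct continues outside this hunk.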
