Module Name: src Committed By: kardel Date: Sun Feb 12 13:38:37 UTC 2023
Modified Files: src/sys/net/npf: npf.h npf_mbuf.c npf_sendpkt.c Log Message: PR kern/56052: allow block-return packets passed through without rule matching. Included up-stream as https://github.com/rmind/npf/pull/115 To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/sys/net/npf/npf.h cvs rdiff -u -r1.24 -r1.25 src/sys/net/npf/npf_mbuf.c cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_sendpkt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.63 src/sys/net/npf/npf.h:1.64 --- src/sys/net/npf/npf.h:1.63 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf.h Sun Feb 12 13:38:37 2023 @@ -122,6 +122,7 @@ void * nbuf_ensure_writable(nbuf_t *, s bool nbuf_cksum_barrier(nbuf_t *, int); int nbuf_add_tag(nbuf_t *, uint32_t); +int npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t); int nbuf_find_tag(nbuf_t *, uint32_t *); /* Index: src/sys/net/npf/npf_mbuf.c diff -u src/sys/net/npf/npf_mbuf.c:1.24 src/sys/net/npf/npf_mbuf.c:1.25 --- src/sys/net/npf/npf_mbuf.c:1.24 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_mbuf.c Sun Feb 12 13:38:37 2023 @@ -36,7 +36,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.24 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.25 2023/02/12 13:38:37 kardel Exp $"); #include <sys/param.h> #include <sys/mbuf.h> @@ -297,14 +297,13 @@ nbuf_cksum_barrier(nbuf_t *nbuf, int di) } /* - * nbuf_add_tag: associate a tag with the network buffer. + * npf_mbuf_add_tag: associate a tag with the network buffer. * * => Returns 0 on success or error number on failure. */ int -nbuf_add_tag(nbuf_t *nbuf, uint32_t val) +npf_mbuf_add_tag(nbuf_t *nbuf, struct mbuf *m, uint32_t val) { - struct mbuf *m = nbuf->nb_mbuf0; #ifdef _KERNEL struct m_tag *mt; uint32_t *dat; @@ -328,6 +327,18 @@ nbuf_add_tag(nbuf_t *nbuf, uint32_t val) } /* + * nbuf_add_tag: associate a tag with the network buffer. + * + * => Returns 0 on success or error number on failure. + */ +int +nbuf_add_tag(nbuf_t *nbuf, uint32_t val) +{ + struct mbuf *m = nbuf->nb_mbuf0; + return npf_mbuf_add_tag(nbuf, m, val); +} + +/* * nbuf_find_tag: find a tag associated with a network buffer. * * => Returns 0 on success or error number on failure. Index: src/sys/net/npf/npf_sendpkt.c diff -u src/sys/net/npf/npf_sendpkt.c:1.22 src/sys/net/npf/npf_sendpkt.c:1.23 --- src/sys/net/npf/npf_sendpkt.c:1.22 Sat May 30 14:16:56 2020 +++ src/sys/net/npf/npf_sendpkt.c Sun Feb 12 13:38:37 2023 @@ -33,7 +33,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.22 2020/05/30 14:16:56 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.23 2023/02/12 13:38:37 kardel Exp $"); #include <sys/param.h> #include <sys/types.h> @@ -197,6 +197,9 @@ npf_return_tcp(npf_cache_t *npc) } } + /* don't look at our generated reject packets going out */ + (void)npf_mbuf_add_tag(npc->npc_nbuf, m, NPF_NTAG_PASS); + /* Pass to IP layer. */ if (npf_iscached(npc, NPC_IP4)) { return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); @@ -215,6 +218,9 @@ npf_return_icmp(const npf_cache_t *npc) { struct mbuf *m = nbuf_head_mbuf(npc->npc_nbuf); + /* don't look at our generated reject packets going out */ + (void)nbuf_add_tag(npc->npc_nbuf, NPF_NTAG_PASS); + if (npf_iscached(npc, NPC_IP4)) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT, 0, 0); return 0;