On Wed, Dec 18, 2019 at 03:27:58PM +0300, Andrey V. Elsukov wrote:
A> > Log:
A> > New pfil(9) KPI together with newborn pfil API and control utility.
A> >
A> > The KPI has been reviewed and cleansed of features that were planned
A> > back 20 years ago and never implemented. The pfil(9) internals have
A> > been made opaque to protocols with only returned types and function
A> > declarations exposed. The KPI is made more strict, but at the same time
A> > more extensible, as kernel uses same command structures that userland
A> > ioctl uses.
A> >
A> > In a nutshell, the [KA]PI is about declaring filtering points, declaring
A> > filters and linking and unlinking them together.
A> >
A> > The new [KA]PI makes it possible to reconfigure the pfil(9) configuration:
A> > change order of hooks, rehook filter from one filtering point to a
A> > different one, disconnect a hook on output leaving it on input only,
A> > prepend/append a filter to existing list of filters.
A> >
A> > Now it is possible for a single packet filter to provide multiple rulesets
A> > that may be linked to different points. Think of per-interface ACLs in
A> > Cisco or Juniper. None of existing packet filters yet support that,
A> > however limited usage is already possible, e.g. default ruleset can
A> > be moved to a single interface, as soon as interfaces provide their
A> > filtering points.
A> >
A> > Another future feature is the possibility to create pfil heads that provide
A> > not an mbuf pointer but just a memory pointer with length. That would
A> > allow filtering at very early stages of a packet lifecycle, e.g. when
A> > packet has just been received by a NIC and no mbuf was yet allocated.
A> It seems that this commit has changed the error code returned from
A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
A> now it became EPERM. Was it intentional?
I don't think that was intentional. Can you please review this patch?
--
Gleb Smirnoff
Index: sys/net/if_bridge.c
===================================================================
--- sys/net/if_bridge.c (revision 355964)
+++ sys/net/if_bridge.c (working copy)
@@ -3191,7 +3191,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
dir == PFIL_OUT && ifp != NULL) {
switch (pfil_run_hooks(V_link_pfil_head, mp, ifp, dir, NULL)) {
case PFIL_DROPPED:
- return (EPERM);
+ return (EACCES);
case PFIL_CONSUMED:
return (0);
}
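Review bot: the PFIL_DROPPED arm of this switch now returns EACCES instead of EPERM, which matches the pre-commit behaviour Andrey describes for a blocked packet; since the same PFIL_DROPPED-to-errno mapping is repeated in every pfil_run_hooks() caller in this patch, consider also grepping the tree for any remaining caller that still maps PFIL_DROPPED to EPERM so the error code stays consistent across input, output and bridge paths.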
@@ -3312,7 +3312,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
case PFIL_CONSUMED:
return (0);
case PFIL_DROPPED:
- return (EPERM);
+ return (EACCES);
default:
break;
}
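Review bot: this second bridge_pfil() hunk mirrors the first (EPERM becomes EACCES on PFIL_DROPPED), so the two hooks in the bridge path agree with each other again; a one-line note in the commit message saying that this restores the errno callers of ip[6]_output() and the bridge observed before the pfil(9) rework would make the intent of the change clear to anyone bisecting later.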
Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c (revision 355964)
+++ sys/netinet/ip_output.c (working copy)
@@ -130,7 +130,7 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp
odst.s_addr = ip->ip_dst.s_addr;
switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) {
case PFIL_DROPPED:
- *error = EPERM;
+ *error = EACCES;
/* FALLTHROUGH */
case PFIL_CONSUMED:
return 1; /* Finished */
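Review bot: in ip_output_pfil() the PFIL_DROPPED case sets `*error = EACCES;` and then falls through to `case PFIL_CONSUMED:` which does `return 1; /* Finished */`, so the caller sees the error only through the out-parameter while the return value signals "stop processing" for both dropped and consumed packets; that is consistent with the existing structure, but it is worth double-checking that every caller of ip_output_pfil() actually propagates `*error` rather than treating the return of 1 as success.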
Index: sys/netinet6/ip6_output.c
===================================================================
--- sys/netinet6/ip6_output.c (revision 355964)
+++ sys/netinet6/ip6_output.c (working copy)
@@ -898,7 +898,7 @@ again:
ip6 = mtod(m, struct ip6_hdr *);
break;
case PFIL_DROPPED:
- error = EPERM;
+ error = EACCES;
/* FALLTHROUGH */
case PFIL_CONSUMED:
goto done;
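Review bot: the ip6_output() hunk assigns `error = EACCES;` directly (no out-parameter) and falls through to `goto done;`, so the IPv6 path reports the blocked packet with the same errno as the IPv4 and bridge paths after this patch; if any documentation or tests assert on the error returned when a filter drops a packet, they should be updated alongside this change so the EACCES contract is recorded somewhere other than the code.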