From owner-svn-src-stable@freebsd.org  Mon Nov 26 11:32:23 2018
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 71F64115627D;
 Mon, 26 Nov 2018 11:32:23 +0000 (UTC)
 (envelope-from eugen@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id F1EAA6EA77;
 Mon, 26 Nov 2018 11:32:22 +0000 (UTC)
 (envelope-from eugen@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BA5D731A6;
 Mon, 26 Nov 2018 11:32:22 +0000 (UTC)
 (envelope-from eugen@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wAQBWM0L030036;
 Mon, 26 Nov 2018 11:32:22 GMT (envelope-from eugen@FreeBSD.org)
Received: (from eugen@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id wAQBWMYG030035;
 Mon, 26 Nov 2018 11:32:22 GMT (envelope-from eugen@FreeBSD.org)
Message-Id: <201811261132.wAQBWMYG030035@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: eugen set sender to
 eugen@FreeBSD.org using -f
From: Eugene Grosbein <eugen@FreeBSD.org>
Date: Mon, 26 Nov 2018 11:32:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r340956 - stable/11/sys/netpfil/ipfw
X-SVN-Group: stable-11
X-SVN-Commit-Author: eugen
X-SVN-Commit-Paths: stable/11/sys/netpfil/ipfw
X-SVN-Commit-Revision: 340956
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: F1EAA6EA77
X-Spamd-Result: default: False [1.19 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_HAM_SHORT(-0.05)[-0.053,0];
 NEURAL_SPAM_LONG(0.63)[0.630,0];
 NEURAL_SPAM_MEDIUM(0.61)[0.608,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 11:32:23 -0000

Author: eugen
Date: Mon Nov 26 11:32:22 2018
New Revision: 340956
URL: https://svnweb.freebsd.org/changeset/base/340956

Log:
  MFC r339810: ipfw: implement ngtee/netgraph actions for layer-2 frames.
  
    Kernel part of ipfw does not support and ignores rules other than
    "pass", "deny" and dummynet-related for layer-2 (ethernet frames).
    Others are processed as "pass".
  
    Make it support ngtee/netgraph rules just like they are supported
    for IP packets. For example, this allows us to mirror some frames
    selectively to another interface for delivery to remote network analyzer
    over RSPAN vlan. Assuming ng_ipfw(4) netgraph node has a hook named "900"
    attached to "lower" hook of vlan900's ng_ether(4) node, that would be
    as simple as:
  
    ipfw add ngtee 900 ip from any to 8.8.8.8 layer2 out xmit igb0
  
  PR:		213452
  Tested-by:	Fyodor Ustinov <ufm@ufm.su>

Modified:
  stable/11/sys/netpfil/ipfw/ip_fw_pfil.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netpfil/ipfw/ip_fw_pfil.c
==============================================================================
--- stable/11/sys/netpfil/ipfw/ip_fw_pfil.c	Mon Nov 26 11:28:34 2018	(r340955)
+++ stable/11/sys/netpfil/ipfw/ip_fw_pfil.c	Mon Nov 26 11:32:22 2018	(r340956)
@@ -315,11 +315,12 @@ ipfw_check_frame(void *arg, struct mbuf **m0, struct i
 	struct ip_fw_args args;
 	struct m_tag *mtag;
 
+	bzero(&args, sizeof(args));
+
+again:
 	/* fetch start point from rule, if any.  remove the tag if present. */
 	mtag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL);
-	if (mtag == NULL) {
-		args.rule.slot = 0;
-	} else {
+	if (mtag != NULL) {
 		args.rule = *((struct ipfw_rule_ref *)(mtag+1));
 		m_tag_delete(*m0, mtag);
 		if (args.rule.info & IPFW_ONEPASS)
@@ -376,14 +377,27 @@ ipfw_check_frame(void *arg, struct mbuf **m0, struct i
 
 	case IP_FW_DUMMYNET:
 		ret = EACCES;
+		int dir2;
 
 		if (ip_dn_io_ptr == NULL)
 			break; /* i.e. drop */
 
 		*m0 = NULL;
-		dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT;
-		ip_dn_io_ptr(&m, dir | PROTO_LAYER2, &args);
+		dir2 = (dir == PFIL_IN) ? DIR_IN : DIR_OUT;
+		ip_dn_io_ptr(&m, dir2 | PROTO_LAYER2, &args);
 		return 0;
+
+	case IP_FW_NGTEE:
+	case IP_FW_NETGRAPH:
+		if (ng_ipfw_input_p == NULL) {
+			ret = EACCES;
+			break; /* i.e. drop */
+		}
+		ret = ng_ipfw_input_p(m0, (dir == PFIL_IN) ? DIR_IN : DIR_OUT,
+			&args, (i == IP_FW_NGTEE) ? 1 : 0);
+		if (i == IP_FW_NGTEE) /* ignore errors for NGTEE */
+			goto again;	/* continue with packet */
+		break;
 
 	default:
 		KASSERT(0, ("%s: unknown retval", __func__));