Date: Fri, 20 Dec 2019 14:14:15 -0800 From: Gleb Smirnoff <glebius@freebsd.org> To: "Andrey V. Elsukov" <bu7cher@yandex.ru> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf Message-ID: <20191220221415.GU2706@FreeBSD.org> In-Reply-To: <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru> References: <201901312301.x0VN13lM097213@repo.freebsd.org> <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Wed, Dec 18, 2019 at 03:27:58PM +0300, Andrey V. Elsukov wrote:
A> > Log:
A> > New pfil(9) KPI together with newborn pfil API and control utility.
A> >
A> > The KPI have been reviewed and cleansed of features that were planned
A> > back 20 years ago and never implemented. The pfil(9) internals have
A> > been made opaque to protocols with only returned types and function
A> > declarations exposed. The KPI is made more strict, but at the same time
A> > more extensible, as kernel uses same command structures that userland
A> > ioctl uses.
A> >
A> > In nutshell [KA]PI is about declaring filtering points, declaring
A> > filters and linking and unlinking them together.
A> >
A> > New [KA]PI makes it possible to reconfigure pfil(9) configuration:
A> > change order of hooks, rehook filter from one filtering point to a
A> > different one, disconnect a hook on output leaving it on input only,
A> > prepend/append a filter to existing list of filters.
A> >
A> > Now it possible for a single packet filter to provide multiple rulesets
A> > that may be linked to different points. Think of per-interface ACLs in
A> > Cisco or Juniper. None of existing packet filters yet support that,
A> > however limited usage is already possible, e.g. default ruleset can
A> > be moved to single interface, as soon as interface would pride their
A> > filtering points.
A> >
A> > Another future feature is possiblity to create pfil heads, that provide
A> > not an mbuf pointer but just a memory pointer with length. That would
A> > allow filtering at very early stages of a packet lifecycle, e.g. when
A> > packet has just been received by a NIC and no mbuf was yet allocated.
A> It seems that this commit has changed the error code returned from
A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
A> now it became EPERM. Was it intentional?
I don't think that was intentional. Can you please review this patch?
--
Gleb Smirnoff
[-- Attachment #2 --]
Index: sys/net/if_bridge.c
===================================================================
--- sys/net/if_bridge.c (revision 355964)
+++ sys/net/if_bridge.c (working copy)
@@ -3191,7 +3191,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
dir == PFIL_OUT && ifp != NULL) {
switch (pfil_run_hooks(V_link_pfil_head, mp, ifp, dir, NULL)) {
case PFIL_DROPPED:
- return (EPERM);
+ return (EACCES);
case PFIL_CONSUMED:
return (0);
}
@@ -3312,7 +3312,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
case PFIL_CONSUMED:
return (0);
case PFIL_DROPPED:
- return (EPERM);
+ return (EACCES);
default:
break;
}
Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c (revision 355964)
+++ sys/netinet/ip_output.c (working copy)
@@ -130,7 +130,7 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp
odst.s_addr = ip->ip_dst.s_addr;
switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) {
case PFIL_DROPPED:
- *error = EPERM;
+ *error = EACCES;
/* FALLTHROUGH */
case PFIL_CONSUMED:
return 1; /* Finished */
Index: sys/netinet6/ip6_output.c
===================================================================
--- sys/netinet6/ip6_output.c (revision 355964)
+++ sys/netinet6/ip6_output.c (working copy)
@@ -898,7 +898,7 @@ again:
ip6 = mtod(m, struct ip6_hdr *);
break;
case PFIL_DROPPED:
- error = EPERM;
+ error = EACCES;
/* FALLTHROUGH */
case PFIL_CONSUMED:
goto done;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191220221415.GU2706>