Date:      Fri, 20 Dec 2019 14:14:15 -0800
From:      Gleb Smirnoff <glebius@freebsd.org>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
Message-ID:  <20191220221415.GU2706@FreeBSD.org>
In-Reply-To: <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru>
References:  <201901312301.x0VN13lM097213@repo.freebsd.org> <f88b296e-d03a-8c43-3202-6ece60974b10@yandex.ru>



On Wed, Dec 18, 2019 at 03:27:58PM +0300, Andrey V. Elsukov wrote:
A> > Log:
A> >   New pfil(9) KPI together with newborn pfil API and control utility.
A> >   
A> >   The KPI has been reviewed and cleansed of features that were planned
A> >   back 20 years ago and never implemented.  The pfil(9) internals have
A> >   been made opaque to protocols with only returned types and function
A> >   declarations exposed. The KPI is made more strict, but at the same time
A> >   more extensible, as the kernel uses the same command structures that the
A> >   userland ioctl uses.
A> >   
A> >   In a nutshell, the [KA]PI is about declaring filtering points, declaring
A> >   filters and linking and unlinking them together.
A> >   
A> >   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
A> >   change order of hooks, rehook filter from one filtering point to a
A> >   different one, disconnect a hook on output leaving it on input only,
A> >   prepend/append a filter to existing list of filters.
A> >   
A> >   Now it is possible for a single packet filter to provide multiple rulesets
A> >   that may be linked to different points. Think of per-interface ACLs in
A> >   Cisco or Juniper. None of the existing packet filters yet support that,
A> >   however limited usage is already possible, e.g. the default ruleset can
A> >   be moved to a single interface, as soon as interfaces provide their
A> >   filtering points.
A> >   
A> >   Another future feature is the possibility to create pfil heads that provide
A> >   not an mbuf pointer but just a memory pointer with length. That would
A> >   allow filtering at very early stages of a packet lifecycle, e.g. when a
A> >   packet has just been received by a NIC and no mbuf was yet allocated.
A> It seems that this commit has changed the error code returned from
A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
A> now it became EPERM. Was it intentional?

I don't think that was intentional. Can you please review this patch?

-- 
Gleb Smirnoff

Attachment: EACCES.diff (text/x-diff)

Index: sys/net/if_bridge.c
===================================================================
--- sys/net/if_bridge.c	(revision 355964)
+++ sys/net/if_bridge.c	(working copy)
@@ -3191,7 +3191,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
 	    dir == PFIL_OUT && ifp != NULL) {
 		switch (pfil_run_hooks(V_link_pfil_head, mp, ifp, dir, NULL)) {
 		case PFIL_DROPPED:
-			return (EPERM);
+			return (EACCES);
 		case PFIL_CONSUMED:
 			return (0);
 		}
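Review bot: The return changed here is the output-direction drop (the `dir == PFIL_OUT && ifp != NULL` context), and going back to EACCES matches the pre-r343631 behaviour Andrey describes in the thread. The diff carries no commit message; since the value is visible to userland as the errno from ip[6]_output(), the log should say explicitly that this restores the error code returned before r343631 and reference the report.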
@@ -3312,7 +3312,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp,
 	case PFIL_CONSUMED:
 		return (0);
 	case PFIL_DROPPED:
-		return (EPERM);
+		return (EACCES);
 	default:
 		break;
 	}
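Review bot: This second PFIL_DROPPED site in bridge_pfil now agrees with the one at line 3191, which is the consistency a caller needs. Worth confirming with a grep that no other PFIL_DROPPED switch in sys/net, sys/netinet or sys/netinet6 still returns EPERM after this patch; otherwise the same filter decision would surface as two different errnos depending on which path the packet took.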
Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c	(revision 355964)
+++ sys/netinet/ip_output.c	(working copy)
@@ -130,7 +130,7 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp
 	odst.s_addr = ip->ip_dst.s_addr;
 	switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) {
 	case PFIL_DROPPED:
-		*error = EPERM;
+		*error = EACCES;
 		/* FALLTHROUGH */
 	case PFIL_CONSUMED:
 		return 1; /* Finished */
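Review bot: This is the site that directly answers the report, since `*error` is what ip_output() hands back to the socket layer and therefore what a caller sees as errno. The `/* FALLTHROUGH */` into PFIL_CONSUMED (return 1, "Finished") is left as is and remains correct, because in both cases the caller must not touch the mbuf again. Suggest pairing the commit with a small regression check (a send blocked by a filter rule should fail with EACCES, not EPERM) so the code does not drift a second time.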
Index: sys/netinet6/ip6_output.c
===================================================================
--- sys/netinet6/ip6_output.c	(revision 355964)
+++ sys/netinet6/ip6_output.c	(working copy)
@@ -898,7 +898,7 @@ again:
 		ip6 = mtod(m, struct ip6_hdr *);
 		break;
 	case PFIL_DROPPED:
-		error = EPERM;
+		error = EACCES;
 		/* FALLTHROUGH */
 	case PFIL_CONSUMED:
 		goto done;
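Review bot: Parity with the IPv4 hunk is kept, and because the case ends in `goto done`, the `error` set here is the value ip6_output() returns; the fix is complete for v6 provided nothing after the `done:` label overwrites `error`, which is worth a quick look in ip6_output.c before committing. The `again:` label in the hunk header shows this switch sits inside the retry loop, so the assignment is on the same path as the previous EPERM and changes nothing else.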
