From owner-svn-soc-all@FreeBSD.ORG Wed Jun 11 15:01:11 2014 Return-Path: Delivered-To: svn-soc-all@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0B8969F3 for ; Wed, 11 Jun 2014 15:01:11 +0000 (UTC) Received: from socsvn.freebsd.org (socsvn.freebsd.org [IPv6:2001:1900:2254:206a::50:2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D288B21AE for ; Wed, 11 Jun 2014 15:01:10 +0000 (UTC) Received: from socsvn.freebsd.org ([127.0.1.124]) by socsvn.freebsd.org (8.14.8/8.14.8) with ESMTP id s5BF1Atk068503 for ; Wed, 11 Jun 2014 15:01:10 GMT (envelope-from dpl@FreeBSD.org) Received: (from www@localhost) by socsvn.freebsd.org (8.14.8/8.14.8/Submit) id s5BF19ki068144 for svn-soc-all@FreeBSD.org; Wed, 11 Jun 2014 15:01:09 GMT (envelope-from dpl@FreeBSD.org) Date: Wed, 11 Jun 2014 15:01:09 GMT Message-Id: <201406111501.s5BF19ki068144@socsvn.freebsd.org> X-Authentication-Warning: socsvn.freebsd.org: www set sender to dpl@FreeBSD.org using -f 
From: dpl@FreeBSD.org To: svn-soc-all@FreeBSD.org Subject: socsvn commit: r269402 - soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-soc-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: SVN commit messages for the entire Summer of Code repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2014 15:01:11 -0000 Author: dpl Date: Wed Jun 11 15:01:09 2014 New Revision: 269402 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269402 Log: Added antispoof, and ipsec. Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Wed Jun 11 14:53:58 2014 (r269401) +++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c Wed Jun 11 15:01:09 2014 (r269402) @@ -1591,26 +1591,7 @@ break; case O_ANTISPOOF: - /* Outgoing packets automatically pass/match */ - if (oif == NULL && hlen > 0 && - ( (is_ipv4 && in_localaddr(src_ip)) -#ifdef INET6 - || (is_ipv6 && - in6_localaddr(&(args->f_id.src_ip6))) -#endif - )) - match = -#ifdef INET6 - is_ipv6 ? verify_path6( - &(args->f_id.src_ip6), - m->m_pkthdr.rcvif, - args->f_id.fib) : -#endif - verify_path(src_ip, - m->m_pkthdr.rcvif, - args->f_id.fib); - else - match = 1; + rule_antispoof(&match, oif, hlen, is_ipv4, is_ipv6, src_ip, args, m); break; case O_IPSEC: Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h ============================================================================== --- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Wed Jun 11 14:53:58 2014 (r269401) +++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h Wed Jun 11 15:01:09 2014 (r269402) 
@@ -574,9 +574,30 @@ verify_path(src_ip, NULL, args->f_id.fib))); } +// XXX typeof(m)? inline void -rule_antispoof(int *match, struct ifnet *oif, u_int hlen, int is_ipv4 struct in_addr *src_ip, int is_ipv6 struct ip_fw_args *args, m) +rule_antispoof(int *match, struct ifnet *oif, u_int hlen, int is_ipv4, int is_ipv6, struct in_addr *src_ip, struct ip_fw_args *args, m) { + /* Outgoing packets automatically pass/match */ + if (oif == NULL && hlen > 0 && + ( (is_ipv4 && in_localaddr(src_ip)) +#ifdef INET6 + || (is_ipv6 && + in6_localaddr(&(args->f_id.src_ip6))) +#endif + )) + *match = +#ifdef INET6 + is_ipv6 ? verify_path6( + &(args->f_id.src_ip6), + m->m_pkthdr.rcvif, + args->f_id.fib) : +#endif + verify_path(src_ip, + m->m_pkthdr.rcvif, + args->f_id.fib); + else + *match = 1; } inline void @@ -647,9 +668,10 @@ inline void rule_ipsec(int *match, m) { + match = (m_tag_find(m, + PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); } - -endif +#endif #ifndef USERSPACE inline void
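Review bot: in the ip_fw2.c hunk the call site passes `src_ip` exactly as the removed inline code used it in `in_localaddr(src_ip)` and `verify_path(src_ip, ...)`, but the new `rule_antispoof` prototype declares that parameter as `struct in_addr *src_ip` while its body keeps those same two calls unchanged, so either the argument or the parameter type is wrong. Since the body was moved verbatim, the simplest consistent fix is to declare the parameter with the type the original code had (`struct in_addr src_ip`) rather than a pointer; otherwise both calls in the helper would need `*src_ip`.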
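Review bot: in the ip_rules.h `rule_antispoof` hunk the last parameter `m` still has no type (the `// XXX typeof(m)?` comment flags it), yet the body dereferences it as `m->m_pkthdr.rcvif`, which cannot compile without `struct mbuf *m`; declare it as `struct mbuf *m` (with `<sys/mbuf.h>` included in the header) and drop the XXX comment. The comma fix in the prototype (`int is_ipv4, int is_ipv6, struct in_addr *src_ip, struct ip_fw_args *args`) is correct; the type of `src_ip` is discussed separately for the call site.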
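Review bot: in the `rule_ipsec` hunk the result is assigned to the parameter itself, `match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);`, but `match` is an `int *`, so this stores a boolean into the local pointer and the caller's `match` is never written; it must be `*match = ...`, matching how `rule_antispoof` writes `*match`. Left as is, an `ipsec` rule would silently evaluate to whatever the caller initialised `match` to instead of the presence of the IPsec tag. The `m` parameter here is untyped as well and needs `struct mbuf *m`. The `-endif` / `+#endif` correction is right.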