From owner-svn-src-all@freebsd.org Fri Dec 20 22:14:26 2019
From: Gleb Smirnoff <glebius@freebsd.org>
To: "Andrey V. Elsukov"
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
Date: Fri, 20 Dec 2019 14:14:15 -0800
Message-ID: <20191220221415.GU2706@FreeBSD.org>
References: <201901312301.x0VN13lM097213@repo.freebsd.org>
User-Agent: Mutt/1.12.2 (2019-09-21)

On Wed, Dec 18, 2019 at 03:27:58PM +0300, Andrey V. Elsukov wrote:
A> > Log:
A> > New pfil(9) KPI together with newborn pfil API and control utility.
A> >
A> > The KPI has been reviewed and cleansed of features that were planned
A> > back 20 years ago and never implemented. The pfil(9) internals have
A> > been made opaque to protocols, with only returned types and function
A> > declarations exposed. The KPI is made more strict, but at the same time
A> > more extensible, as the kernel uses the same command structures that the
A> > userland ioctl uses.
A> >
A> > In a nutshell, the [KA]PI is about declaring filtering points, declaring
A> > filters, and linking and unlinking them together.
A> >
A> > The new [KA]PI makes it possible to reconfigure the pfil(9) configuration:
A> > change the order of hooks, rehook a filter from one filtering point to a
A> > different one, disconnect a hook on output leaving it on input only,
A> > prepend/append a filter to the existing list of filters.
A> >
A> > Now it is possible for a single packet filter to provide multiple rulesets
A> > that may be linked to different points. Think of per-interface ACLs in
A> > Cisco or Juniper. None of the existing packet filters support that yet;
A> > however, limited usage is already possible, e.g. the default ruleset can
A> > be moved to a single interface as soon as interfaces provide their own
A> > filtering points.
A> >
A> > Another future feature is the possibility to create pfil heads that provide
A> > not an mbuf pointer but just a memory pointer with a length. That would
A> > allow filtering at very early stages of a packet's lifecycle, e.g. when a
A> > packet has just been received by a NIC and no mbuf has yet been allocated.
A>
A> It seems that this commit has changed the error code returned from
A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
A> now it became EPERM. Was it intentional?

I don't think that was intentional. Can you please review this patch?

-- 
Gleb Smirnoff

Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="EACCES.diff"

Index: sys/net/if_bridge.c =================================================================== --- sys/net/if_bridge.c (revision 355964) +++ sys/net/if_bridge.c (working copy) @@ -3191,7 +3191,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, dir == PFIL_OUT && ifp != NULL) { switch (pfil_run_hooks(V_link_pfil_head, mp, ifp, dir, NULL)) { case PFIL_DROPPED: - return (EPERM); + return (EACCES); case PFIL_CONSUMED: return (0); }
@@ -3312,7 +3312,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, case PFIL_CONSUMED: return (0); case PFIL_DROPPED: - return (EPERM); + return (EACCES); default: break; } Index: sys/netinet/ip_output.c =================================================================== --- sys/netinet/ip_output.c (revision 355964) +++ sys/netinet/ip_output.c (working copy) @@ -130,7 +130,7 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp odst.s_addr = ip->ip_dst.s_addr; switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) { case PFIL_DROPPED: - *error = EPERM; + *error = EACCES; /* FALLTHROUGH */ case PFIL_CONSUMED: return 1; /* Finished */ Index: sys/netinet6/ip6_output.c =================================================================== --- sys/netinet6/ip6_output.c (revision 355964) +++ sys/netinet6/ip6_output.c (working copy) @@ -898,7 +898,7 @@ again: ip6 = mtod(m, struct ip6_hdr *); break; case PFIL_DROPPED: - error = EPERM; + error = EACCES; /* FALLTHROUGH */ case PFIL_CONSUMED: goto done; --w2JjAQZceEVGylhD--
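Review bot: the first if_bridge.c hunk (`- return (EPERM);` / `+ return (EACCES);` in the PFIL_OUT arm of bridge_pfil) is not self-explanatory once the patch lands; the commit message should state that EACCES is the value ip[6]_output() returned for a filtered packet before r343631, so the choice of EACCES over EPERM is recorded for the next person who touches this switch. A short comment at the return (for example `/* blocked by a pfil hook; keep the pre-r343631 errno */`) would also help.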
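Review bot: the second if_bridge.c hunk (@@ -3312) changes the other PFIL_DROPPED arm in bridge_pfil the same way, so both bridge paths now agree on EACCES; since the two arms are identical, it is worth a regression check that exercises a blocked packet through a bridge and asserts on the errno, otherwise the two sites can drift apart again without anyone noticing.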
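Review bot: in the ip_output.c hunk, `*error = EACCES;` is followed by `/* FALLTHROUGH */` into `case PFIL_CONSUMED: return 1;`, so ip_output_pfil returns 1 for both a drop and a consume and only the drop assigns *error; the caller must therefore have initialised *error (to 0) before the call, or a consumed packet is reported with whatever was in *error beforehand. That is unchanged by this patch, but it is worth confirming while the line is being edited.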
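Review bot: the ip6_output.c hunk mirrors the IPv4 change (`error = EACCES;` then `/* FALLTHROUGH */` to `goto done`), which keeps v4 and v6 consistent; the diff covers only the two output paths and the bridge, so before committing it is worth a quick check of the other pfil_run_hooks() callers touched by r343631 (the subject line lists sys/netpfil/ipfw, sys/netpfil/pf and sys/contrib/ipfilter) for any remaining PFIL_DROPPED to EPERM mapping, so that the errno a blocked packet produces is the same on every path.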