Re: mask support for ethernet bridge filtering

2012-07-13 Thread Henning Brauer
* sven falempin sven.falem...@gmail.com [2012-07-12 17:37]:
 Inline diff

even without judging on whether we'll want that at all (I'm still
sceptical):

 +//inline
 +int
 +bridge_test_ea(struct ether_addr *ea_packet, struct ether_addr *ea_rules,
 +struct ether_addr *ea_mask) {
 + int i;
 + struct ether_addr ea_cmp;
 + for (i = 0; i  ETHER_ADDR_LEN; ++i) {
 + ea_cmp.ether_addr_octet[i] = ea_mask-ether_addr_octet[i]
 +  ea_packet-ether_addr_octet[i];
 + }
 + return (bcmp(ea_cmp, ea_rules, ETHER_ADDR_LEN));
 +}
 +

that is horribly ugly. spend some time with style(9).

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: mask support for ethernet bridge filtering

2012-07-12 Thread sven falempin
Inline diff

2012/7/3 sven falempin sven.falem...@gmail.com

 This diff enables the possibility of using a mask on bridge rules.

 I have tested it like this:

 $ cat /etc/hostname.bridge0


 up
 add re0
 add vether0
 rule pass out on vether0 src 78:2b:4f:00:00:00 mask ff:ff:ff:00:00:00 tag
 booz
 rule block out on vether0 src 78:2b:00:00:00:00 mask ff:ff:00:00:00:00
 $ cat /etc/hostname.vether0
 inet 172.16.0.2 255.255.0.0
 $ cat /etc/hostname.re0
 inet 10.15.0.3 255.255.0.0

 then from a machine on the 10.15/24 network i add an alias to access
 172.16/24  through bridge0

 blocking and tagging are ok.

 Unexpected result:
  - block on re0 just block everything, not just the bridging (forwarding
 to vether
  - this is not dynamic (after a flushrule i cannot block - this is not
 related to the patch)

 --

 -
 () ascii ribbon campaign - against html e-mail
 /\


Index: ./sys/net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.193
diff -u -r1.193 if_bridge.c
--- ./sys/net/if_bridge.c 4 Jul 2011 06:54:49 - 1.193
+++ ./sys/net/if_bridge.c 3 Jul 2012 22:52:25 -
@@ -76,6 +76,8 @@
 #include netinet6/ip6_var.h
 #endif

+#include sys/syslog.h
+
 #if NPF  0
 #include net/pfvar.h
 #define BRIDGE_IN PF_IN
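Review bot: The new `#include <sys/syslog.h>` has no matching use anywhere in the visible hunks of this diff — no log() or addlog() call is added to if_bridge.c. If it is a leftover from debugging the filter path, drop it; it is the only new header this change pulls into the file and it widens the include set for nothing.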
@@ -145,6 +147,8 @@
 struct ifbrlreq *, int out);
 int bridge_flushrule(struct bridge_iflist *);
 int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *);
+int bridge_test_ea(struct ether_addr *, struct ether_addr *,
+struct ether_addr *);
 u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *,
 struct mbuf *);
 struct mbuf *bridge_ip(struct bridge_softc *, int, struct ifnet *,
@@ -910,6 +914,8 @@
  req.ifbr_flags = n-brl_flags;
  req.ifbr_src = n-brl_src;
  req.ifbr_dst = n-brl_dst;
+ req.ifbr_src_mask = n-brl_src_mask;
+ req.ifbr_dst_mask = n-brl_dst_mask;
 #if NPF  0
  req.ifbr_tagname[0] = '\0';
  if (n-brl_tag)
@@ -933,6 +939,8 @@
  req.ifbr_flags = n-brl_flags;
  req.ifbr_src = n-brl_src;
  req.ifbr_dst = n-brl_dst;
+ req.ifbr_src_mask = n-brl_src_mask;
+ req.ifbr_dst_mask = n-brl_dst_mask;
 #if NPF  0
  req.ifbr_tagname[0] = '\0';
  if (n-brl_tag)
@@ -2204,33 +2212,36 @@
  return (1);
 }

+//inline
+int
+bridge_test_ea(struct ether_addr *ea_packet, struct ether_addr *ea_rules,
+struct ether_addr *ea_mask) {
+ int i;
+ struct ether_addr ea_cmp;
+ for (i = 0; i  ETHER_ADDR_LEN; ++i) {
+ ea_cmp.ether_addr_octet[i] = ea_mask-ether_addr_octet[i]
+  ea_packet-ether_addr_octet[i];
+ }
+ return (bcmp(ea_cmp, ea_rules, ETHER_ADDR_LEN));
+}
+
 u_int8_t
 bridge_filterrule(struct brl_head *h, struct ether_header *eh, struct mbuf
*m)
 {
  struct brl_node *n;
- u_int8_t flags;

  SIMPLEQ_FOREACH(n, h, brl_next) {
- flags = n-brl_flags  (BRL_FLAG_SRCVALID|BRL_FLAG_DSTVALID);
- if (flags == 0)
- goto return_action;
- if (flags == (BRL_FLAG_SRCVALID|BRL_FLAG_DSTVALID)) {
- if (bcmp(eh-ether_shost, n-brl_src, ETHER_ADDR_LEN))
- continue;
- if (bcmp(eh-ether_dhost, n-brl_dst, ETHER_ADDR_LEN))
- continue;
- goto return_action;
- }
- if (flags == BRL_FLAG_SRCVALID) {
- if (bcmp(eh-ether_shost, n-brl_src, ETHER_ADDR_LEN))
+ if ( n-brl_flags  BRL_FLAG_SRCVALID ) {
+ if (bridge_test_ea( (struct ether_addr *)eh-ether_shost,
+n-brl_src, n-brl_src_mask))
  continue;
- goto return_action;
  }
- if (flags == BRL_FLAG_DSTVALID) {
- if (bcmp(eh-ether_dhost, n-brl_dst, ETHER_ADDR_LEN))
+ if (n-brl_flags   BRL_FLAG_DSTVALID) {
+ if (bridge_test_ea( (struct ether_addr *)eh-ether_dhost,
+n-brl_dst, n-brl_dst_mask))
  continue;
- goto return_action;
  }
+ goto return_action;
  }
  return (BRL_ACTION_PASS);

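Review bot: `bcmp(ea_cmp, ea_rules, ETHER_ADDR_LEN)` in bridge_test_ea passes the struct `ea_cmp` by value where bcmp expects a pointer; it needs `&ea_cmp` to compile. A second, quieter problem is that the packet address is masked but the rule address is not, so a rule whose address has bits set outside its own mask can never match and the rule silently becomes dead; comparing the masked XOR of the two addresses byte by byte fixes that, removes the temporary and the bcmp call, and keeps the existing `if (bridge_test_ea(...)) continue;` callers unchanged since non-zero still means "differs". The rewrite below does exactly that; the `//inline` marker should go with it. bridge_filterrule continues past the end of this hunk.
```c
int
bridge_test_ea(struct ether_addr *ea_packet, struct ether_addr *ea_rules,
    struct ether_addr *ea_mask)
{
	int i;

	/*
	 * Compare only the bits selected by the mask, on both the packet
	 * and the rule address, so rule bits outside the mask cannot make
	 * the rule unmatchable. Returns non-zero on the first difference.
	 */
	for (i = 0; i < ETHER_ADDR_LEN; i++) {
		if ((ea_packet->ether_addr_octet[i] ^
		    ea_rules->ether_addr_octet[i]) &
		    ea_mask->ether_addr_octet[i])
			return (1);
	}
	return (0);
}
```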
@@ -2249,8 +2260,10 @@
  n = malloc(sizeof(*n), M_DEVBUF, M_NOWAIT);
  if (n == NULL)
  return (ENOMEM);
- bcopy(req-ifbr_src, n-brl_src, sizeof(struct ether_addr));
- bcopy(req-ifbr_dst, n-brl_dst, sizeof(struct ether_addr));
+ n-brl_src = req-ifbr_src;
+ n-brl_dst = req-ifbr_dst;
+ n-brl_src_mask = req-ifbr_src_mask;
+ n-brl_dst_mask = req-ifbr_dst_mask;
  n-brl_action = req-ifbr_action;
  n-brl_flags = req-ifbr_flags;
 #if NPF  0
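Review bot: `n->brl_src_mask = req->ifbr_src_mask;` and the destination line below it copy the mask from the request without any check, so a caller that leaves the new fields zeroed (anything not rebuilt for the grown struct) installs a rule that matches nothing, because `packet & 0` only ever equals an all-zero rule address. If exact matching is meant to remain the default, an all-zero mask should be promoted to all-ones here, e.g. `if (!bcmp(&n->brl_src_mask, &zero_mask, ETHER_ADDR_LEN)) memset(&n->brl_src_mask, 0xff, ETHER_ADDR_LEN);` (with a local `zero_mask` cleared beforehand) and the same for `brl_dst_mask`; alternatively reject such a request with EINVAL so the mistake is visible instead of silently dead. Replacing the two bcopy calls with struct assignment is fine. bridge_addrule starts before this hunk.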
Index: ./sys/net/if_bridge.h
===
RCS file: /cvs/src/sys/net/if_bridge.h,v
retrieving revision 1.34
diff -u -r1.34 if_bridge.h
--- ./sys/net/if_bridge.h 20 Nov 2010 14:23:09 - 1.34
+++ ./sys/net/if_bridge.h 3 Jul 2012 22:52:25 -
@@ -194,7 +194,9 @@
  u_int8_t ifbr_action; /* disposition */
  u_int8_t ifbr_flags; /* flags */
  struct ether_addr ifbr_src; /* source mac */
+ struct ether_addr ifbr_src_mask; /* source mac mask */
  struct ether_addr ifbr_dst; /* destination mac */
+ struct ether_addr ifbr_dst_mask; /* destination mac mask */
  char ifbr_tagname[PF_TAG_NAME_SIZE]; /* pf tagname */
 };
 #define BRL_ACTION_BLOCK 0x01 /* block frame */
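Review bot: Inserting `ifbr_src_mask` and `ifbr_dst_mask` between the existing members changes the layout and size of `struct ifbrlreq`, which is the argument of a bridge ioctl, so brconfig and anything else compiled against the old header must be rebuilt together with the kernel; appending the two fields after `ifbr_tagname` would at least keep the offsets of the existing members stable. The comments should also say what the mask means and what value gives the old exact-match behaviour, e.g. `/* source mac mask; all-ones for an exact match */`, since with the comparison in bridge_filterrule a zero mask matches only an all-zero rule address.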
@@ -257,7 +259,9 @@
 struct brl_node {
  

mask support for ethernet bridge filtering

2012-07-03 Thread sven falempin
This diff enables the possibility of using a mask on bridge rules.

I have tested it like this:

$ cat /etc/hostname.bridge0


up
add re0
add vether0
rule pass out on vether0 src 78:2b:4f:00:00:00 mask ff:ff:ff:00:00:00 tag
booz
rule block out on vether0 src 78:2b:00:00:00:00 mask ff:ff:00:00:00:00
$ cat /etc/hostname.vether0
inet 172.16.0.2 255.255.0.0
$ cat /etc/hostname.re0
inet 10.15.0.3 255.255.0.0

then from a machine on the 10.15/24 network i add an alias to access
172.16/24  through bridge0

blocking and tagging are ok.

Unexpected result:
 - block on re0 just block everything, not just the bridging (forwarding to
vether
 - this is not dynamic (after a flushrule i cannot block - this is not
related to the patch)

-- 
-
() ascii ribbon campaign - against html e-mail
/\

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of mac-filter.diff]