Module Name: src Committed By: tih Date: Fri Mar 16 17:12:05 UTC 2018
Modified Files: src/sys/net: if_tun.c Log Message: Add packet filtering to tun(4) interfaces. Calls to pfil_run_hooks() were missing in if_tun.c. This meant that filtering configuration could be added to e.g. /etc/npf.conf, but would be ignored, because the filter never saw the packets. This change adds the required calls. While here, correct the return value from tun_output(): it's been returning 0 regardless of any error condition present, but will now correctly propagate such information upward. Thanks to maxv for guidance! OK: christos, martin To generate a diff of this commit: cvs rdiff -u -r1.142 -r1.143 src/sys/net/if_tun.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_tun.c
diff -u src/sys/net/if_tun.c:1.142 src/sys/net/if_tun.c:1.143
--- src/sys/net/if_tun.c:1.142 Wed Dec 6 07:40:16 2017
+++ src/sys/net/if_tun.c Fri Mar 16 17:12:04 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_tun.c,v 1.142 2017/12/06 07:40:16 ozaki-r Exp $ */
+/* $NetBSD: if_tun.c,v 1.143 2018/03/16 17:12:04 tih Exp $ */
 /*
 * Copyright (c) 1988, Julian Onions <j...@cs.nott.ac.uk>
@@ -19,7 +19,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.142 2017/12/06 07:40:16 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.143 2018/03/16 17:12:04 tih Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -555,6 +555,11 @@ tun_output(struct ifnet *ifp, struct mbu
 bpf_mtap_af(ifp, dst->sa_family, m0);
+ if ((error = pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT)) != 0)
+ goto out;
+ if (m0 == NULL)
+ goto out;
+
 switch(dst->sa_family) {
 #ifdef INET6
 case AF_INET6:
@@ -624,10 +629,10 @@ tun_output(struct ifnet *ifp, struct mbu
 mutex_exit(&tp->tun_lock);
 out:
- if (error && m0) {
+ if (error && m0)
 m_freem(m0);
- }
- return 0;
+
+ return error;
 }
 static void
@@ -941,6 +946,11 @@ tunwrite(dev_t dev, struct uio *uio, int
 bpf_mtap_af(ifp, dst.sa_family, top);
+ if ((error = pfil_run_hooks(ifp->if_pfil, &top, ifp, PFIL_IN)) != 0)
+ goto out0;
+ if (top == NULL)
+ goto out0;
+
 mutex_enter(&tp->tun_lock);
 if ((tp->tun_flags & TUN_INITED) == 0) {
 /* Interface was destroyed */
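Review bot: The two new early exits in tun_output() mean different things and the code does not say so. A nonzero return from `pfil_run_hooks()` is a rejection that the `out:` path frees and propagates, while `m0 == NULL` with a zero return is a packet the filter consumed, which is reported to the caller as success. A one-line comment above the call would record this, for example `/* A hook may reject the packet (error) or consume it (m0 == NULL). */`. The later hunk shows `out:` placed after `mutex_exit(&tp->tun_lock)`, so these jumps are only correct if tun_lock is not yet held at this point. The function body starts outside the hunk, so that should be confirmed.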
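Review bot: With `return error;`, whatever a filter hook returns from the new `pfil_run_hooks()` call now reaches the caller of tun_output(), along with every other failure that used to be reported as 0. If the hooks return an errno for an ordinary block rule (not visible here), the local sender is told its packet was filtered. That is presumably intended, but it should be stated at `out:`, for example `/* error may originate from a pfil hook; callers see it */`. Callers that relied on the old always-0 result should also be checked. The function begins outside the hunk.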
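Review bot: In tunwrite() the nonzero-return branch jumps to `out0` without freeing `top`, and `out0` is not visible in this hunk. tun_output() is protected by `if (error && m0) m_freem(m0);` at `out:`, but nothing equivalent is shown here. If `out0` only returns and a hook can fail while leaving `*mp` non-NULL, the mbuf chain built from the userland write would leak on every rejected packet. Freeing it before the jump closes that gap regardless of hook behaviour: `if (top != NULL) m_freem(top);` inside the error branch, which then needs braces. It is also worth confirming whether a filtered inbound packet should bump the interface's input error counter as the other failure paths in this function may do.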