The diff will make the ingress filter of pipex and npppd configurable and disable it by default. After this change we need to add
ppp.ingress_filter: true to npppd.conf if it is needed. I promise to write about this configuration in the man page when the man page becomes available. ok? comment?
Index: sys/net/pipex.c
===================================================================
RCS file: /cvs/src/sys/net/pipex.c,v
retrieving revision 1.24
diff -u -p -r1.24 pipex.c
--- sys/net/pipex.c 18 Jan 2012 02:02:53 -0000 1.24
+++ sys/net/pipex.c 20 Jan 2012 00:58:18 -0000
@@ -1124,15 +1124,16 @@ pipex_ip_input(struct mbuf *m0, struct p
 goto drop;
 }
 #endif
-
- /* ingress filter */
- ip = mtod(m0, struct ip *);
- if ((ip->ip_src.s_addr & session->ip_netmask.sin_addr.s_addr) !=
- session->ip_address.sin_addr.s_addr) {
- pipex_session_log(session, LOG_DEBUG,
- "ip packet discarded by ingress filter (src %s)",
- inet_ntoa(ip->ip_src));
- goto drop;
+ if (ISSET(session->ppp_flags, PIPEX_PPP_INGRESS_FILTER)) {
+ /* ingress filter */
+ ip = mtod(m0, struct ip *);
+ if ((ip->ip_src.s_addr & session->ip_netmask.sin_addr.s_addr) !=
+ session->ip_address.sin_addr.s_addr) {
+ pipex_session_log(session, LOG_DEBUG,
+ "ip packet discarded by ingress filter (src %s)",
+ inet_ntoa(ip->ip_src));
+ goto drop;
+ }
 }
 /* idle timer */
Index: sys/net/pipex.h
===================================================================
RCS file: /cvs/src/sys/net/pipex.h,v
retrieving revision 1.10
diff -u -p -r1.10 pipex.h
--- sys/net/pipex.h 15 Oct 2011 03:24:11 -0000 1.10
+++ sys/net/pipex.h 20 Jan 2012 00:58:18 -0000
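Review bot: With the source check in pipex_ip_input (sys/net/pipex.c) now gated on `PIPEX_PPP_INGRESS_FILTER`, a session whose creator never sets that bit gets no source-address validation at all, so the anti-spoofing control becomes opt-in; the ppp.c hunk has the same polarity, reading `ingress_filter` with a default of 0. As far as these hunks show, a kernel updated ahead of npppd would stop filtering for every session the older daemon sets up. If opt-in is intended, a comment above the new `if`, such as `/* anti-spoofing source check: off unless userland sets PIPEX_PPP_INGRESS_FILTER */`, would make that explicit. `ip = mtod(m0, struct ip *)` also moves inside the branch, so confirm that nothing later in the function, which continues past the hunk, reads `ip` when the flag is clear.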
@@ -89,6 +89,7 @@ struct pipex_session_req {
 #define PIPEX_PPP_MPPE_REQUIRED 0x00000040
 #define PIPEX_PPP_HAS_ACF 0x00000080
 #define PIPEX_PPP_ADJUST_TCPMSS 0x00000100
+#define PIPEX_PPP_INGRESS_FILTER 0x00000200
 int8_t pr_ccp_id; /* CCP current packet id */
 int pr_ppp_id; /* PPP Id. */
 uint16_t pr_peer_mru; /* Peer's MRU */
Index: usr.sbin/npppd/npppd/npppd.c
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/npppd.c,v
retrieving revision 1.14
diff -u -p -r1.14 npppd.c
--- usr.sbin/npppd/npppd/npppd.c 18 Jan 2012 03:13:04 -0000 1.14
+++ usr.sbin/npppd/npppd/npppd.c 20 Jan 2012 00:58:19 -0000
@@ -887,10 +887,10 @@ npppd_network_output(npppd *_this, npppd
 pip = (struct ip *)pktp;
 }
-#ifndef NO_INGRES_FILTER
- if ((pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr) !=
- (ppp->ppp_framed_ip_address.s_addr &
- ppp->ppp_framed_ip_netmask.s_addr)) {
+ if (ppp->ingress_filter != 0 &&
+ (pip->ip_src.s_addr & ppp->ppp_framed_ip_netmask.s_addr)
+ != (ppp->ppp_framed_ip_address.s_addr &
+ ppp->ppp_framed_ip_netmask.s_addr)) {
 char logbuf[80];
 strlcpy(logbuf, inet_ntoa(pip->ip_dst), sizeof(logbuf));
 ppp_log(ppp, LOG_INFO,
@@ -899,7 +899,6 @@ npppd_network_output(npppd *_this, npppd
 return;
 }
-#endif
 if (ppp->timeout_sec > 0 && !ip_is_idle_packet(pip, lbuf))
 ppp_reset_idle_timeout(ppp);
@@ -942,6 +941,8 @@ pipex_setup_common(npppd_ppp *ppp, struc
 if (ppp->adjust_mss != 0)
 req->pr_ppp_flags |= PIPEX_PPP_ADJUST_TCPMSS;
+ if (ppp->ingress_filter != 0)
+ req->pr_ppp_flags |= PIPEX_PPP_INGRESS_FILTER;
 req->pr_ip_srcaddr = ppp->pppd->iface[0].ip4addr;
 req->pr_ip_address = ppp->ppp_framed_ip_address;
Index: usr.sbin/npppd/npppd/ppp.c
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/ppp.c,v
retrieving revision 1.11
diff -u -p -r1.11 ppp.c
--- usr.sbin/npppd/npppd/ppp.c 18 Jan 2012 03:13:04 -0000 1.11
+++ usr.sbin/npppd/npppd/ppp.c 20 Jan 2012 00:58:19 -0000
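Review bot: In npppd_network_output (npppd.c, first hunk) the source check masks both operands with `ppp_framed_ip_netmask`, whereas the kernel-side check in pipex_ip_input compares the masked source against `session->ip_address.sin_addr.s_addr` without masking it. The two paths filter identically only if pipex stores the session address already masked, which is not visible in this diff. If that holds, a comment at the kernel check stating it, for example `/* session->ip_address is kept pre-masked at session setup */`, would keep the userland and kernel filters from drifting apart; if it does not hold, the kernel comparison should mask the right-hand side as well. The function continues outside the hunk.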
@@ -162,7 +162,8 @@ ppp_init(npppd *pppd, npppd_ppp *_this)
 ppp_config_str_equal(_this, "log.in.pktdump", "true", 0);
 _this->log_dump_out =
 ppp_config_str_equal(_this, "log.out.pktdump", "true", 0);
-
+ _this->ingress_filter = ppp_config_str_equal(_this, "ingress_filter",
+ "true", 0);
 #ifdef USE_NPPPD_MPPE
 mppe_init(&_this->mppe, _this);
Index: usr.sbin/npppd/npppd/ppp.h
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/ppp.h,v
retrieving revision 1.8
diff -u -p -r1.8 ppp.h
--- usr.sbin/npppd/npppd/ppp.h 18 Jan 2012 03:13:04 -0000 1.8
+++ usr.sbin/npppd/npppd/ppp.h 20 Jan 2012 00:58:19 -0000
@@ -545,7 +545,9 @@ struct _npppd_ppp {
 pipex_started:1,
 /** pipex is enabled? */
 pipex_enabled:1,
- reserved:3;
+ /** ingress filter */
+ ingress_filter:1,
+ reserved:2;
 uint8_t /** IP address is assigned from dynamic address pool */
 assign_dynapool:1,
 /** assigned IP address is enabled? */
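Review bot: In ppp_init (ppp.c) the lookup `ppp_config_str_equal(_this, "ingress_filter", "true", 0)` presumably enables the filter only when the configured value matches "true" (the helper's body is not in the diff), so a misspelt key or a value such as "yes" leaves source filtering off with no indication. For a control that fails open, an operator needs a way to confirm it is active; logging the effective setting once when the session is initialised, or warning on an unrecognised value, would provide that. At minimum the assignment should carry a comment such as `/* source-address (anti-spoofing) filter; disabled unless ppp.ingress_filter is "true" */`. ppp_init continues outside the hunk.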