socsvn commit: r269402 - soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw

dpl at FreeBSD.org dpl at FreeBSD.org
Wed Jun 11 15:01:11 UTC 2014 

Author: dpl
Date: Wed Jun 11 15:01:09 2014
New Revision: 269402
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269402

Log:
  Added antispoof, and ipsec.
  

Modified:
  soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
  soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h

Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c	Wed Jun 11 14:53:58 2014	(r269401)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_fw2.c	Wed Jun 11 15:01:09 2014	(r269402)
@@ -1591,26 +1591,7 @@
 				break;
 
 			case O_ANTISPOOF:
-				/* Outgoing packets automatically pass/match */
-				if (oif == NULL && hlen > 0 &&
-				    (  (is_ipv4 && in_localaddr(src_ip))
-#ifdef INET6
-				    || (is_ipv6 &&
-				        in6_localaddr(&(args->f_id.src_ip6)))
-#endif
-				    ))
-					match =
-#ifdef INET6
-					    is_ipv6 ? verify_path6(
-					        &(args->f_id.src_ip6),
-					        m->m_pkthdr.rcvif,
-						args->f_id.fib) :
-#endif
-					    verify_path(src_ip,
-					    	m->m_pkthdr.rcvif,
-					        args->f_id.fib);
-				else
-					match = 1;
+				rule_antispoof(&match, oif, hlen, is_ipv4, is_ipv6, src_ip, args, m);
 				break;
 
 			case O_IPSEC:

Modified: soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h
==============================================================================
--- soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h	Wed Jun 11 14:53:58 2014	(r269401)
+++ soc2014/dpl/netmap-ipfw/sys/netpfil/ipfw/ip_rules.h	Wed Jun 11 15:01:09 2014	(r269402)
@@ -574,9 +574,30 @@
 	    verify_path(src_ip, NULL, args->f_id.fib)));
 }
 
+// XXX typeof(m)?
 inline void
-rule_antispoof(int *match, struct ifnet *oif, u_int hlen, int is_ipv4 struct in_addr *src_ip, int is_ipv6 struct ip_fw_args *args, m)
+rule_antispoof(int *match, struct ifnet *oif, u_int hlen, int is_ipv4, int is_ipv6, struct in_addr *src_ip, struct ip_fw_args *args, m)
 {
+	/* Outgoing packets automatically pass/match */
+	if (oif == NULL && hlen > 0 &&
+	    (  (is_ipv4 && in_localaddr(src_ip))
+#ifdef INET6
+	    || (is_ipv6 &&
+	        in6_localaddr(&(args->f_id.src_ip6)))
+#endif
+	    ))
+		*match =
+#ifdef INET6
+		    is_ipv6 ? verify_path6(
+		        &(args->f_id.src_ip6),
+		        m->m_pkthdr.rcvif,
+			args->f_id.fib) :
+#endif
+		    verify_path(src_ip,
+		    	m->m_pkthdr.rcvif,
+		        args->f_id.fib);
+	else
+		*match = 1;
 }
 
 inline void
@@ -647,9 +668,10 @@
 inline void
 rule_ipsec(int *match, m)
 {
+	match = (m_tag_find(m,
+	    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
 }
-
-endif
+#endif
 
 #ifndef USERSPACE
 inline void

More information about the svn-soc-all mailing list