I use a few VPN tunnels, mostly between my own systems, but also a
couple where the other end is not under my control. For this reason,
I've had NPF configured to block incoming traffic from the other end of
those. Recently, I discovered that this made no difference, as the tun
device doesn't submit its packets to the packet filtering mechanism.
I've been running with the below modification for a couple of weeks, on
amd64 and evbarm, and it works as expected. If anyone knows of a good
reason why tun shouldn't enable packet filtering, please speak up.
Otherwise, I'll be committing this in a couple of days.
Index: sys/net/if_tun.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_tun.c,v
retrieving revision 1.142
diff -u -r1.142 if_tun.c
--- sys/net/if_tun.c 6 Dec 2017 07:40:16 -0000 1.142
+++ sys/net/if_tun.c 11 Mar 2018 16:25:43 -0000
@@ -555,6 +555,13 @@
bpf_mtap_af(ifp, dst->sa_family, m0);
+ if (pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT) != 0) {
+ if (m0 != NULL)
+ m_freem(m0);
+ error = 0;
+ goto out;
+ }
+
switch(dst->sa_family) {
#ifdef INET6
case AF_INET6:
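Review bot: the drop check on the `pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT)` call only tests the return value; a hook can return 0 and still consume the packet by setting `m0` to NULL, in which case the `switch(dst->sa_family)` that follows goes on to use a NULL mbuf. The usual NetBSD idiom is `if (error != 0 || m0 == NULL)` (as in ip_output), so consider testing both. Also, the drop path sets `error = 0` so the caller sees the packet as sent; that is reasonable for a filter drop, but nothing is counted, so an `ifp->if_oerrors` (or similar) increment would make filtered packets visible in `netstat -i` rather than silently vanishing.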
@@ -941,6 +948,12 @@
bpf_mtap_af(ifp, dst.sa_family, top);
+ if (pfil_run_hooks(ifp->if_pfil, &top, ifp, PFIL_IN) != 0) {
+ if (top != NULL)
+ m_freem(top);
+ goto out0;
+ }
+
mutex_enter(&tp->tun_lock);
if ((tp->tun_flags & TUN_INITED) == 0) {
/* Interface was destroyed */
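Review bot: same NULL-mbuf issue as the output hunk: after `pfil_run_hooks(ifp->if_pfil, &top, ifp, PFIL_IN)` returns 0 with `top` set to NULL (packet consumed by a hook), execution continues into the `mutex_enter(&tp->tun_lock)` path with no mbuf, so test `top == NULL` as well as the return value before proceeding. The `goto out0` on drop also returns whatever `error` currently holds; since the hunk does not set it, check that the value reaching the writer is the intended one (presumably 0, matching the `error = 0` used on the output side, so a filtered write does not look like an I/O failure). Finally, the filter runs before the `TUN_INITED` check, so packets for an interface that is being destroyed still go through the hooks; that is probably harmless, but worth a comment since the ordering is deliberate.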