Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost> writes:

> I'll post a new proposal when I have all of this sorted out and tested.

I'm now running with the below patch applied, and it works as expected for vlan and tun traffic. The other uses of pfil_run_hooks() are left unchanged; they're generally OK, and the little bit of tidying up around them that I still think ought to be done (particularly the one in sys/netinet/ip_input.c) can be left for another day.

This patch fixes the errors in if_vlan.c, and adds filtering to if_tun.c. I'll run it locally for a few days, testing some more, and watching for possible mbuf related problems, and then commit the change.

Possible bonus improvement: tun_output() was always returning 0, even if errors occurred, and I fixed that. That *may* be the reason for another change I just observed: my NetBSD OpenVPN clients would be slow to connect, taking from a few seconds to a couple of minutes to get their VPNs operative, as opposed to Linux clients, which would get online immediately. Mounting NFS file systems on the NetBSD clients over the established VPN would take between two and ten seconds, typically. This morning, I restarted one of my clients, and to my surprise saw it both connect the VPN and mount the file systems with no delays. Might have been a fluke; might be real. I'll test some more.

Index: sys/net/if_tun.c =================================================================== RCS file: /cvsroot/src/sys/net/if_tun.c,v retrieving revision 1.142 diff -u -p -r1.142 if_tun.c --- sys/net/if_tun.c 6 Dec 2017 07:40:16 -0000 1.142 +++ sys/net/if_tun.c 13 Mar 2018 06:12:17 -0000 @@ -555,6 +555,11 @@ tun_output(struct ifnet *ifp, struct mbu bpf_mtap_af(ifp, dst->sa_family, m0); + if ((error = pfil_run_hooks(ifp->if_pfil, &m0, ifp, PFIL_OUT)) != 0) + goto out; + if (m0 == NULL) + goto out; + switch(dst->sa_family) { #ifdef INET6 case AF_INET6: 
@@ -624,10 +629,10 @@ tun_output(struct ifnet *ifp, struct mbu mutex_exit(&tp->tun_lock); out: - if (error && m0) { + if (error && m0) m_freem(m0); - } - return 0; + + return error; } static void @@ -941,6 +946,11 @@ tunwrite(dev_t dev, struct uio *uio, int bpf_mtap_af(ifp, dst.sa_family, top); + if ((error = pfil_run_hooks(ifp->if_pfil, &top, ifp, PFIL_IN)) != 0) + goto out0; + if (top == NULL) + goto out0; + mutex_enter(&tp->tun_lock); if ((tp->tun_flags & TUN_INITED) == 0) { /* Interface was destroyed */ Index: sys/net/if_vlan.c =================================================================== RCS file: /cvsroot/src/sys/net/if_vlan.c,v retrieving revision 1.124 diff -u -p -r1.124 if_vlan.c --- sys/net/if_vlan.c 15 Jan 2018 16:36:51 -0000 1.124 +++ sys/net/if_vlan.c 13 Mar 2018 06:12:17 -0000 @@ -1432,12 +1432,10 @@ vlan_transmit(struct ifnet *ifp, struct bpf_mtap(ifp, m); - if (pfil_run_hooks(ifp->if_pfil, &m, ifp, PFIL_OUT) != 0) { - if (m != NULL) - m_freem(m); - error = 0; + if ((error = pfil_run_hooks(ifp->if_pfil, &m, ifp, PFIL_OUT)) != 0) + goto out; + if (m == NULL) goto out; - } /* * If the parent can insert the tag itself, just mark @@ -1609,11 +1607,10 @@ vlan_input(struct ifnet *ifp, struct mbu m_set_rcvif(m, &ifv->ifv_if); ifv->ifv_if.if_ipackets++; - if (pfil_run_hooks(ifp->if_pfil, &m, ifp, PFIL_IN) != 0) { - if (m != NULL) - m_freem(m); + if (pfil_run_hooks(ifp->if_pfil, &m, ifp, PFIL_IN) != 0) + goto out; + if (m == NULL) goto out; - } m->m_flags &= ~M_PROMISC; if_input(&ifv->ifv_if, m); -tih -- Most people who graduate with CS degrees don't understand the significance of Lisp. Lisp is the most important idea in computer science. --Alan Kay
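Review bot: in the tun_output() hunk at -555, the new `if (m0 == NULL) goto out;` reaches `out:` with error still 0, so a packet consumed by a hook is reported to the caller as sent rather than dropped; that is the usual treatment of a consumed mbuf, but a one-line comment saying that a NULL m0 with error == 0 means "the filter took it" would save the next reader a trip through pfil. The hooks are also placed after bpf_mtap_af(), so bpf sees outgoing packets the firewall then rejects; if that ordering is intentional (it matches where the hunk in vlan_transmit() puts them), worth saying so in the commit message.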
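Review bot: in the tun_output() hunk at -624, `return error;` changes the function's contract for every pre-existing error path, not only the new pfil one, so callers of the interface's output routine will now see errors that were swallowed before; the commit message should state that explicitly, since the text only mentions it as a "possible bonus improvement". The unchanged `if (error && m0) m_freem(m0);` is now also the only cleanup for a hook that returns non-zero: it is correct only if such a hook either leaves m0 intact (freed here) or frees it and sets it to NULL (skipped here), never frees it and leaves the pointer, so a comment naming that contract next to the free would help. Dropping the braces around the single-statement if is fine.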
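Review bot: in the tunwrite() hunk at -941, both new `goto out0` paths jump out before mutex_enter(&tp->tun_lock), which is the right side of the lock, but the hunk does not show what out0: does with `top`: on a non-zero return with top still non-NULL it must be freed there (or here, before the goto), and on the top == NULL case out0: must tolerate a NULL mbuf. Please confirm both, and note that unlike the tun_output() hunk there is no visible `if (error && top)` cleanup here, so this relies entirely on out0:.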
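Review bot: in the vlan_transmit() hunk at -1432, the removed branch freed m itself and then forced `error = 0`, i.e. a frame rejected by the filter was dropped silently and reported as sent; the new code instead propagates the hook's error to the caller and no longer frees m before `goto out`. Both are deliberate changes but neither is named in the message, and unless out: frees m when error != 0, or the hook contract guarantees *mp is NULL whenever a non-zero value is returned, a rejected frame now leaks its mbuf. Suggest either keeping `if (m != NULL) m_freem(m);` ahead of the goto or adding a comment stating the contract relied upon.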
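Review bot: in the vlan_input() hunk at -1609, the same question applies: the explicit m_freem(m) on a non-zero return is gone, and since vlan_input() carries no error value nothing at out: can tell whether m is still owned here, so `goto out` on a non-zero return avoids a leak only if the hook freed the mbuf and NULLed m. If that is the contract, say so in a comment; otherwise free m before jumping. Separately, `ifv->ifv_if.if_ipackets++;` two lines above the hooks now counts frames the filter subsequently rejects; moving the increment below the two new checks would keep the input counter accurate.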