From owner-freebsd-current@FreeBSD.ORG Mon Apr 6 12:21:20 2009
Date: Mon, 6 Apr 2009 14:48:23 +0300
From: Maxim Ignatenko
To: freebsd-current@freebsd.org
Subject: [patch] matching IPv4 broadcast packets in ipfw

From my point of view it can be useful only on laptops, where you don't know the exact broadcast addresses for all situations, but still want to deny/allow broadcast packets. Maybe I've missed something; if so, please correct me :)

P.S.: another idea - maybe it would be better to add it as a possible value for dst-ip instead of a rule option.

P.P.S.: before adding the two "== NULL" checks in ip_fw2.c I often had kernel panics, even without the broadcast option in the ruleset. I would be very glad if someone could explain these to me.

Patch itself:

--- sys/netinet/ip_fw2.c.orig 2009-04-05 20:43:08.000000000 +0300 +++ sys/netinet/ip_fw2.c 2009-04-06 09:55:04.000000000 +0300 @@ -3131,6 +3131,27 @@ mtag->m_tag_id <= p[1]; } break; + case O_BROADCAST: + if (is_ipv4) + { + struct ifnet *ifp; + ifp=(oif ? oif : m->m_pkthdr.rcvif); + if (ifp == NULL || + (ifp->if_flags | IFF_BROADCAST) == 0) + break; + struct ifaddr *ia; + TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { + if (ia->ifa_broadaddr == NULL || + ia->ifa_broadaddr->sa_family != AF_INET) + continue; + if (((struct sockaddr_in *)(ia->ifa_broadaddr))-> + sin_addr.s_addr == dst_ip.s_addr) { + match=1; + break; + } + } + } + break; } /* @@ -3897,6 +3918,7 @@ case O_IN: case O_FRAG: case O_DIVERTED: + case O_BROADCAST: case O_IPOPT: case O_IPTOS: case O_IPPRECEDENCE: --- sys/netinet/ip_fw.h.orig 2009-04-05 21:41:08.000000000 +0300 +++ sys/netinet/ip_fw.h 2009-04-05 21:46:23.000000000 +0300 
@@ -179,6 +179,8 @@ O_SETFIB, /* arg1=FIB number */ O_FIB, /* arg1=FIB desired fib number */ + O_BROADCAST, /* matches IP packets sent on broadcast address */ + O_LAST_OPCODE /* not an opcode! */ }; --- sbin/ipfw/ipfw2.c.orig 2009-04-05 21:23:38.000000000 +0300 +++ sbin/ipfw/ipfw2.c 2009-04-06 09:25:39.000000000 +0300 @@ -291,6 +291,7 @@ { "src-ipv6", TOK_SRCIP6}, { "src-ip6", TOK_SRCIP6}, { "//", TOK_COMMENT }, + { "broadcast", TOK_BROADCAST}, { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ @@ -1506,6 +1507,10 @@ print_newports((ipfw_insn_u16 *)cmd, 0, O_TAGGED); break; + + case O_BROADCAST: + printf(" broadcast"); + break; default: printf(" [opcode %d len %d]", @@ -3455,6 +3460,10 @@ ac = 0; break; + case TOK_BROADCAST: + fill_cmd(cmd, O_BROADCAST, 0, 0); + break; + case TOK_TAGGED: if (ac > 0 && strpbrk(*av, "-,")) { if (!add_ports(cmd, *av, 0, O_TAGGED)) --- sbin/ipfw/ipfw2.h.orig 2009-04-05 21:23:47.000000000 +0300 +++ sbin/ipfw/ipfw2.h 2009-04-05 21:27:22.000000000 +0300 @@ -141,6 +141,7 @@ TOK_ANTISPOOF, TOK_IPSEC, TOK_COMMENT, + TOK_BROADCAST, TOK_PLR, TOK_NOERROR, --- sbin/ipfw/ipfw.8.orig 2009-04-06 02:10:47.000000000 +0300 +++ sbin/ipfw/ipfw.8 2009-04-06 02:13:54.000000000 +0300 @@ -1135,6 +1135,8 @@ .It Cm bridged Alias for .Cm layer2 . +.It Cm broadcast +Matches broadcast packets on non-point-to-point interfaces. .It Cm diverted Matches only packets generated by a divert socket. .It Cm diverted-loopback
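Review bot: in the ip_fw2.c O_BROADCAST hunk, the interface-flag test `(ifp->if_flags | IFF_BROADCAST) == 0` uses bitwise OR, so it can never be true and the early `break` is dead code; it should read `(ifp->if_flags & IFF_BROADCAST) == 0`. As submitted, point-to-point and loopback interfaces are walked as well, and because ifa_broadaddr is the same field as ifa_dstaddr on a point-to-point link, a packet addressed to the peer would pass the comparison and be treated as broadcast. Two more points on the same hunk: the comparison only covers each address's directed broadcast, so the limited broadcast 255.255.255.255 does not match (either compare dst_ip against INADDR_BROADCAST before the loop or document the limitation); and the if_addrhead walk runs without holding the interface address lock (IF_ADDR_LOCK/IF_ADDR_UNLOCK), which is worth checking against the panics described in the P.P.S. Style per style(9): declare `struct ifaddr *ia;` at the top of the block rather than after a statement, keep the opening brace of `if (is_ipv4)` on the same line, and space the assignments (`ifp = ...`, `match = 1`).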
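Review bot: the ipfw.8 hunk's description "Matches broadcast packets on non-point-to-point interfaces" does not tell the user what the code actually tests: the option is IPv4 only (the kernel case is guarded by `is_ipv4`), it compares the destination address against the directed broadcast address of the outgoing interface when one is known and otherwise the receiving interface, and it does not match the limited broadcast address 255.255.255.255 as written. Suggest wording along the lines of "Matches IPv4 packets whose destination is the broadcast address of the interface the packet is sent on or was received from", plus a sentence stating whether 255.255.255.255 is covered, so the manual page and the kernel check agree.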