I'm ADSL subscriber, and using ppp(8) to PPPoE to my ISP. I'm also
want to get a IPv6 tunnel for my home network, but I find that ppp(8)
does filter-out my IPv6 tunneling packet by implicit ruleset.
This is because ppp(8) does filter out if not specified, and there is
no way to specify ipv6 tunneling packet. It's not welcomed for me, so
I write a patch attached below.
This patch does teach ppp(8) about 'ipv6' protocol (protocol number
41) to filter. This patch also fixes not-initializing 'f_dstop'
variable for other protocols.
Anybody review my patch for me ? If it works well, I'll try to send a
PR to include this patch to ppp(8) itself.
-- -
Makoto MATSUSHITA
Index: command.c
===================================================================
RCS file: /pub/cvsup/FreeBSD.cvs/src/usr.sbin/ppp/command.c,v
retrieving revision 1.259
diff -u -r1.259 command.c
--- command.c 2001/06/18 15:00:20 1.259
+++ command.c 2001/07/01 18:25:16
@@ -2120,7 +2120,7 @@
"escape characters", "set escape hex-digit ..."},
{"filter", NULL, filter_Set, LOCAL_AUTH,
"packet filters", "set filter alive|dial|in|out rule-no permit|deny "
- "[src_addr[/width]] [dst_addr[/width]] [tcp|udp|icmp|ospf|igmp "
+ "[src_addr[/width]] [dst_addr[/width]] [tcp|udp|icmp|ospf|igmp|ipv6 "
"[src [lt|eq|gt port]] [dst [lt|eq|gt port]] [estab] [syn] [finrst]]"},
{"hangup", NULL, SetVariable, LOCAL_AUTH | LOCAL_CX,
"hangup script", "set hangup chat-script", (const void *) VAR_HANGUP},
Index: filter.c
===================================================================
RCS file: /pub/cvsup/FreeBSD.cvs/src/usr.sbin/ppp/filter.c,v
retrieving revision 1.48
diff -u -r1.48 filter.c
--- filter.c 2001/06/13 21:52:16 1.48
+++ filter.c 2001/07/02 14:47:46
@@ -197,7 +197,7 @@
switch (argc) {
case 0:
/* permit/deny all ICMP types */
- tgt->f_srcop = OP_NONE;
+ tgt->f_srcop = tgt->f_dstop = OP_NONE;
break;
case 3:
@@ -209,6 +209,7 @@
}
tgt->f_srcop = OP_EQ;
tgt->f_srcport = type;
+ tgt->f_dstop = OP_NONE;
}
break;
@@ -286,11 +287,27 @@
log_Printf(LogWARN, "ParseIgmp: Too many parameters\n");
return 0;
} else
- tgt->f_srcop = OP_NONE;
+ tgt->f_srcop = tgt->f_dstop = OP_NONE;
return 1;
}
+static int
+ParseIPv6(int argc, char const * const *argv, struct filterent *tgt)
+{
+ /*
+ * Filter currently is a catch-all. Requests are either permitted or
+ * dropped.
+ */
+ if (argc != 0) {
+ log_Printf(LogWARN, "ParseIPv6: Too many parameters\n");
+ return 0;
+ } else
+ tgt->f_srcop = tgt->f_dstop = OP_NONE;
+
+ return 1;
+}
+
#ifdef P_GRE
static int
ParseGRE(int argc, char const * const *argv, struct filterent *tgt)
@@ -303,7 +320,7 @@
log_Printf(LogWARN, "ParseGRE: Too many parameters\n");
return 0;
} else
- tgt->f_srcop = OP_NONE;
+ tgt->f_srcop = tgt->f_dstop = OP_NONE;
return 1;
}
@@ -321,7 +338,7 @@
log_Printf(LogWARN, "ParseOspf: Too many parameters\n");
return 0;
} else
- tgt->f_srcop = OP_NONE;
+ tgt->f_srcop = tgt->f_dstop = OP_NONE;
return 1;
}
@@ -495,6 +512,9 @@
case P_IPIP:
val = ParseUdpOrTcp(argc, argv, P_IPIP, &filterdata);
break;
+ case P_IPV6:
+ val = ParseIPv6(argc, argv, &filterdata);
+ break;
case P_ICMP:
val = ParseIcmp(argc, argv, &filterdata);
break;
@@ -653,7 +673,8 @@
}
static const char * const protoname[] = {
- "none", "tcp", "udp", "icmp", "ospf", "igmp", "gre", "ipip"
+ "none", "tcp", "udp", "icmp", "ospf", "igmp",
+ "gre", "esp", "ah", "ipip", "ipv6"
};
const char *
Index: filter.h
===================================================================
RCS file: /pub/cvsup/FreeBSD.cvs/src/usr.sbin/ppp/filter.h,v
retrieving revision 1.27
diff -u -r1.27 filter.h
--- filter.h 2001/06/13 21:52:16 1.27
+++ filter.h 2001/07/01 18:09:41
@@ -43,6 +43,7 @@
#define P_ESP 7
#define P_AH 8
#define P_IPIP 9
+#define P_IPV6 10
/* Operations - f_srcop, f_dstop */
#define OP_NONE 0
Index: ip.c
===================================================================
RCS file: /pub/cvsup/FreeBSD.cvs/src/usr.sbin/ppp/ip.c,v
retrieving revision 1.93
diff -u -r1.93 ip.c
--- ip.c 2001/06/18 15:00:22 1.93
+++ ip.c 2001/07/02 14:43:57
@@ -289,6 +289,15 @@
sport = dport = 0;
estab = syn = finrst = -1;
break;
+ case IPPROTO_IPV6:
+ cproto = P_IPV6;
+ if (datalen < 20) { /* RFC2893 Section 3.5: 5 * 32bit words */
+ log_Printf(LogFILTER, " error: IPV6 header incorrect\n");
+ return 1;
+ }
+ sport = dport = 0;
+ estab = syn = finrst = -1;
+ break;
case IPPROTO_UDP:
cproto = P_UDP;
if (datalen < 8) { /* UDP header is 8 octets */
@@ -640,6 +649,20 @@
len = ntohs(pip->ip_len) - (pip->ip_hl << 2);
snprintf(logbuf + loglen, sizeof logbuf - loglen,
"OSPF: %s ---> ", inet_ntoa(pip->ip_src));
+ loglen += strlen(logbuf + loglen);
+ snprintf(logbuf + loglen, sizeof logbuf - loglen,
+ "%s (%d/%d)", inet_ntoa(pip->ip_dst), len, nb);
+ loglen += strlen(logbuf + loglen);
+ }
+ break;
+#endif
+
+#ifdef IPPROTO_IPV6
+ case IPPROTO_IPV6:
+ if (logit && loglen < sizeof logbuf) {
+ len = ntohs(pip->ip_len) - (pip->ip_hl << 2);
+ snprintf(logbuf + loglen, sizeof logbuf - loglen,
+ "IPv6: %s ---> ", inet_ntoa(pip->ip_src));
loglen += strlen(logbuf + loglen);
snprintf(logbuf + loglen, sizeof logbuf - loglen,
"%s (%d/%d)", inet_ntoa(pip->ip_dst), len, nb);
Index: ppp.8
===================================================================
RCS file: /pub/cvsup/FreeBSD.cvs/src/usr.sbin/ppp/ppp.8,v
retrieving revision 1.267
diff -u -r1.267 ppp.8
--- ppp.8 2001/06/20 19:55:58 1.267
+++ ppp.8 2001/07/02 03:56:11
@@ -1746,6 +1746,7 @@
.Sq icmp ,
.Sq igmp ,
.Sq ipip ,
+.Sq ipv6 ,
.Sq ospf ,
.Sq udp
or
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
