So now I added the ip6_output part, and I think I have a solution for the accept case, but I'm not 100% sure it is enough. I tested it and it looked fine. I couldn't test the ip6_output part because I don't have the environment for it yet :) I hope to do this tomorrow.
The '@'-thing is something completly diffrent. I wrote something and faild by testing it since the pfctl seems not happy about to find a '@' in the pf.conf... I'll take a look for it tommorw, too. Index: kern/uipc_socket.c =================================================================== RCS file: /cvs/src/sys/kern/uipc_socket.c,v retrieving revision 1.67 diff -p -r1.67 uipc_socket.c *** kern/uipc_socket.c 20 Dec 2007 17:16:50 -0000 1.67 --- kern/uipc_socket.c 7 Mar 2008 21:30:55 -0000 *************** *** 48,53 **** --- 48,55 ---- #include <sys/resourcevar.h> #include <sys/pool.h> + #include <net/pfvar.h> + void filt_sordetach(struct knote *kn); int filt_soread(struct knote *kn, long hint); void filt_sowdetach(struct knote *kn); *************** socreate(int dom, struct socket **aso, i *** 115,120 **** --- 117,123 ---- so->so_rgid = p->p_cred->p_rgid; so->so_egid = p->p_ucred->cr_gid; so->so_cpid = p->p_pid; + so->so_pftag = 0; so->so_proto = prp; error = (*prp->pr_usrreq)(so, PRU_ATTACH, NULL, (struct mbuf *)(long)proto, NULL); *************** sofree(struct socket *so) *** 188,193 **** --- 191,200 ---- if (!soqremque(so, 0)) return; } + + if(so->so_pftag != 0) + pf_tag_unref(so->so_pftag); + sbrelease(&so->so_snd); sorflush(so); pool_put(&socket_pool, so); *************** soaccept(struct socket *so, struct mbuf *** 279,284 **** --- 286,293 ---- else error = ECONNABORTED; splx(s); + if (!error && so->so_pftag) + pf_tag_ref(so->so_pftag); return (error); } *************** sosetopt(struct socket *so, int level, i *** 1085,1090 **** --- 1094,1119 ---- } break; } + + case SO_PFTAG: + { + if (m == NULL) { + error = EINVAL; + goto bad; + } + if(so->so_pftag != 0) + { + pf_tag_unref(so->so_pftag); + } + + so->so_pftag = pf_tagname2tag(mtod(m, char *)); + if(so->so_pftag == 0) + { + error = EINVAL; /*XXX*/ + goto bad; + } + break; + } default: error = ENOPROTOOPT; *************** sogetopt(struct socket *so, int level, i *** 1173,1178 **** --- 1202,1215 ---- mtod(m, struct 
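Review bot: Including <net/pfvar.h> in uipc_socket.c makes the generic socket layer call pf_tag_ref(), pf_tag_unref() and pf_tagname2tag() unconditionally, and the same applies to pf_tag_packet() in ip_output()/ip6_output(). If pf is still an optional pseudo-device in this tree (the existing pf calls in the IP output paths are presumably wrapped in `#if NPF > 0` — verify), a kernel configured without it will fail to link on these symbols, so the new calls need `#include "pf.h"` and the same `#if NPF > 0` guard, or the socket-side tag code should be kept behind one. The companion `#include <net/if.h>` added to pfvar.h suggests the header was not self-contained when pulled in from here; it is worth confirming it compiles standalone rather than relying on include order.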
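Review bot: The pf_tag_ref() added at the end of soaccept() only runs when accept succeeds, while sofree() now calls pf_tag_unref() for every socket whose so_pftag is non-zero, so a child socket that already carries a tag and is torn down after a failed accept is unreferenced without a matching reference. Nothing in this diff copies so_pftag from the listening socket into the child (sonewconn() is untouched), so either that copy happens elsewhere and the count is unbalanced on the error path, or so_pftag is always 0 here and this call never does anything; which of the two applies is not visible from the hunk. Taking the reference at the point where the tag is copied into the new socket — doing the copy and `pf_tag_ref(so->so_pftag)` together in sonewconn() — keeps ref and unref paired regardless of how accept completes. soaccept()'s body begins outside the hunk.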
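Review bot: The new SO_PFTAG case in sosetopt() passes the user-supplied option buffer straight to pf_tagname2tag() with no privilege check and no check that it is NUL-terminated, so any process can attach a pf tag of its choosing to its own traffic. If the ruleset uses `tagged` to grant access, an unprivileged process can simply name that tag, and if pf_tagname2tag() creates an entry for an unknown name (that is how ruleset tags behave — verify for this path) it can also allocate tags until the u_int16_t space is exhausted; consider requiring `suser(curproc, 0)` here, or restricting the call to names that already exist. I would also reject unterminated input before the lookup, `if (m == NULL || m->m_len == 0 || mtod(m, char *)[m->m_len - 1] != '\0') { error = EINVAL; goto bad; }`, since the lookup presumably compares the name as a C string and would otherwise read past m_len. Note too that the old tag is unreferenced before the new lookup runs, so a bad name leaves the socket untagged instead of keeping its previous tag; looking up first and unreferencing the old value only on success avoids that. sosetopt()'s body begins outside the hunk.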
timeval *)->tv_sec = val / hz; mtod(m, struct timeval *)->tv_usec = (val % hz) * tick; + break; + } + case SO_PFTAG: + { + char tagname[PF_TAG_NAME_SIZE]; + pf_tag2tagname(so->so_pftag, tagname); + m->m_len = strlen(tagname) + 1; + strlcpy(mtod(m, char *), tagname, m->m_len); break; } Index: net/pfvar.h =================================================================== RCS file: /cvs/src/sys/net/pfvar.h,v retrieving revision 1.259 diff -p -r1.259 pfvar.h *** net/pfvar.h 2 Dec 2007 12:08:04 -0000 1.259 --- net/pfvar.h 7 Mar 2008 21:30:55 -0000 *************** *** 41,46 **** --- 41,47 ---- #include <net/radix.h> #include <net/route.h> + #include <net/if.h> #include <netinet/ip_ipsp.h> #include <netinet/tcp_fsm.h> Index: netinet/ip_output.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_output.c,v retrieving revision 1.190 diff -p -r1.190 ip_output.c *** netinet/ip_output.c 29 Oct 2007 16:19:23 -0000 1.190 --- netinet/ip_output.c 7 Mar 2008 21:30:56 -0000 *************** ip_output(struct mbuf *m0, ...) *** 118,138 **** struct m_tag *mtag; struct tdb_ident *tdbi; - struct inpcb *inp; struct tdb *tdb; int s; #endif /* IPSEC */ va_start(ap, m0); opt = va_arg(ap, struct mbuf *); ro = va_arg(ap, struct route *); flags = va_arg(ap, int); imo = va_arg(ap, struct ip_moptions *); ! #ifdef IPSEC inp = va_arg(ap, struct inpcb *); ! if (inp && (inp->inp_flags & INP_IPV6) != 0) ! panic("ip_output: IPv6 pcb is passed"); #endif /* IPSEC */ va_end(ap); #ifdef DIAGNOSTIC --- 118,144 ---- struct m_tag *mtag; struct tdb_ident *tdbi; struct tdb *tdb; int s; #endif /* IPSEC */ + struct inpcb *inp; va_start(ap, m0); opt = va_arg(ap, struct mbuf *); ro = va_arg(ap, struct route *); flags = va_arg(ap, int); imo = va_arg(ap, struct ip_moptions *); ! inp = va_arg(ap, struct inpcb *); ! if(inp) ! { ! if(inp->inp_socket->so_pftag != 0) ! pf_tag_packet(m, inp->inp_socket->so_pftag, -1); ! #ifdef IPSEC ! if((inp->inp_flags & INP_IPV6) != 0) ! 
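Review bot: The SO_PFTAG case in sogetopt() calls pf_tag2tagname() into an uninitialized `tagname` and then runs strlen() on it; for a socket with no tag (so_pftag == 0, the default set in socreate()) there is no entry to copy, and if the lookup leaves the buffer untouched in that case (pf's tag2tagname() only writes when it finds a match — verify) strlen() walks stale kernel stack, possibly past the end of the PF_TAG_NAME_SIZE array, and that data is copied out to userland. Initialize the buffer and skip the lookup for the untagged case: `tagname[0] = '\0'; if (so->so_pftag != 0) pf_tag2tagname(so->so_pftag, tagname);` so an untagged socket returns an empty string. With that, strlen() is bounded by the array and m_len can never exceed it. sogetopt()'s body begins outside the hunk.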
panic("ip_output: IPv6 pcb is passed"); #endif /* IPSEC */ + } va_end(ap); #ifdef DIAGNOSTIC Index: netinet6/ip6_output.c =================================================================== RCS file: /cvs/src/sys/netinet6/ip6_output.c,v retrieving revision 1.99 diff -p -r1.99 ip6_output.c *** netinet6/ip6_output.c 1 Jun 2007 00:52:38 -0000 1.99 --- netinet6/ip6_output.c 7 Mar 2008 21:30:56 -0000 *************** ip6_output(m0, opt, ro, flags, im6o, ifp *** 183,188 **** --- 183,194 ---- if (inp && (inp->inp_flags & INP_IPV6) == 0) panic("ip6_output: IPv4 pcb is passed"); #endif /* IPSEC */ + + if (inp) + { + if (inp->inp_socket->so_pftag != 0) + pf_tag_packet(m, inp->inp_socket->so_pftag, -1); + } ip6 = mtod(m, struct ip6_hdr *); finaldst = ip6->ip6_dst; Index: sys/socket.h =================================================================== RCS file: /cvs/src/sys/sys/socket.h,v retrieving revision 1.55 diff -p -r1.55 socket.h *** sys/socket.h 27 Nov 2007 16:22:14 -0000 1.55 --- sys/socket.h 7 Mar 2008 21:30:56 -0000 *************** *** 80,85 **** --- 80,86 ---- #define SO_ERROR 0x1007 /* get error status and clear */ #define SO_TYPE 0x1008 /* get socket type */ #define SO_NETPROC 0x1020 /* multiplex; network processing */ + #define SO_PFTAG 0x1030 /* tag packets from this socket */ /* * Structure used for manipulating linger option. Index: sys/socketvar.h =================================================================== RCS file: /cvs/src/sys/sys/socketvar.h,v retrieving revision 1.40 diff -p -r1.40 socketvar.h *** sys/socketvar.h 5 Jul 2007 09:04:04 -0000 1.40 --- sys/socketvar.h 7 Mar 2008 21:30:56 -0000 *************** struct socket { *** 108,113 **** --- 108,114 ---- uid_t so_euid, so_ruid; /* who opened the socket */ gid_t so_egid, so_rgid; pid_t so_cpid; /* pid of process that opened socket */ + u_int16_t so_pftag; /* tag a packet from this socket */ }; #define SB_EMPTY_FIXUP(sb) \
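Review bot: The new `inp` handling in ip_output() discards the return value of pf_tag_packet(), so if attaching the tag fails (it can if the m_tag allocation fails — check the current return contract) the packet is sent untagged and the pf policy the application relied on is silently not applied; decide whether that should drop the packet, e.g. `if (pf_tag_packet(m, inp->inp_socket->so_pftag, -1)) { error = ENOBUFS; goto bad; }` or whatever this function's error path is, or at least count it. Reading `inp` from the va_list is now unconditional where it was previously only done under IPSEC, so every ip_output() caller compiled without IPSEC must now pass the extra argument (or NULL); a caller that does not is an uninitialized pointer dereference at `inp->inp_socket`, so this is worth grepping for before the change goes in. If pf is an optional pseudo-device in this tree, the call also needs the `#if NPF > 0` guard that the existing pf_test() call in this function presumably already has. KNF also wants `if (inp) {` with the brace on the same line. The function's body continues outside the hunk.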
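Review bot: As in ip_output(), the ip6_output() hunk ignores the result of pf_tag_packet(), so if tagging can fail the packet leaves untagged and nothing records it; handle the return value the same way in both places so IPv4 and IPv6 behave identically. The message above says this path is untested, so at minimum confirm that `inp->inp_socket` cannot be NULL for a pcb reaching this point (whether a detached pcb can get here is not visible from the hunk). The body of ip6_output() continues on both sides of the hunk.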