change pfil order for ipfw, just like m0n0wall did. When ipfw forwards traffic, ignore route-to and rdr

fixes for https://github.com/opnsense/core/issues/1189 and https://github.com/opnsense/core/issues/1166
Ad Schellevis 2016-09-21 04:15:28 +02:00
parent 7226352c36
commit 83fd8a61b9
3 changed files with 37 additions and 6 deletions


@ -199,7 +199,7 @@ int
pfil_head_unregister(struct pfil_head *ph)
{
struct packet_filter_hook *pfh, *pfnext;
PFIL_HEADLIST_LOCK();
LIST_REMOVE(ph, ph_list);
PFIL_HEADLIST_UNLOCK();
@ -243,7 +243,7 @@ pfil_add_hook(pfil_func_t func, void *arg, int flags, struct pfil_head *ph)
int err;
if (flags & PFIL_IN) {
pfh1 = (struct packet_filter_hook *)malloc(sizeof(*pfh1),
pfh1 = (struct packet_filter_hook *)malloc(sizeof(*pfh1),
M_IFADDR, (flags & PFIL_WAITOK) ? M_WAITOK : M_NOWAIT);
if (pfh1 == NULL) {
err = ENOMEM;
@ -333,11 +333,15 @@ pfil_chain_add(pfil_chain_t *chain, struct packet_filter_hook *pfh1, int flags)
/*
* Insert the input list in reverse order of the output list so that
* the same path is followed in or out of the kernel.
* original from m0n0wall: insert hooks in reverse order (with respect to default
* FreeBSD behavior) to ensure that the dynamically loaded ipfw
* is called before ipfilter for outbound and after ipfilter for
* inbound packets (due to NAT).
*/
if (flags & PFIL_IN)
TAILQ_INSERT_HEAD(chain, pfh1, pfil_chain);
else
TAILQ_INSERT_TAIL(chain, pfh1, pfil_chain);
else
TAILQ_INSERT_HEAD(chain, pfh1, pfil_chain);
return (0);
}
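Review bot: The new comment in pfil_chain_add describes the intended ipfw/pf ordering but not the condition it rests on: with PFIL_IN hooks now appended at the tail and PFIL_OUT hooks at the head, the "ipfw after the packet filter on input, before it on output" property holds only if ipfw registers its hooks after pf does, and the same reordering applies to every other consumer registering on the same pfil head, not just those two. The comment also still says "ipfilter", while the other two files in this commit are pf.c and pf_lb.c, so in this tree it presumably should read "pf"; and if the original two sentences ("Insert the input list in reverse order ...") were kept above the m0n0wall text, the block now reads as two disconnected explanations and should be merged into one. I would replace the whole block with a single comment stating that hooks are chained in reverse of stock FreeBSD (PFIL_IN at the tail, PFIL_OUT at the head), that this makes a later-registered filter run after the earlier one on input and before it on output, that it therefore depends on module registration order, and that it affects all hooks on the head. The body of pfil_chain_add starts before this hunk.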
@ -396,7 +400,7 @@ vnet_pfil_uninit(const void *unused)
*/
VNET_SYSINIT(vnet_pfil_init, PFIL_SYSINIT_ORDER, PFIL_VNET_ORDER,
vnet_pfil_init, NULL);
/*
* Closing up shop. These are done in REVERSE ORDER. Not called on reboot.
*


@ -2080,7 +2080,7 @@ pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic,
#endif /* INET6 */
}
if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
CSUM_DELAY_DATA_IPV6)) {
*pc = ~*pc;
if (! *pc)
@ -5322,6 +5322,16 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
goto bad_locked;
}
/**
* OPNsense, when ipfw tries to forward our package, ignore route-to (captive portal)
*/
if ((*m)->m_flags & M_IP_NEXTHOP) {
if (s) {
PF_STATE_UNLOCK(s);
}
return;
}
if (r->rt == PF_DUPTO) {
if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
if (s)
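Review bot: The new M_IP_NEXTHOP early return in pf_route unlocks the state and leaves *m untouched, which matches the existing early returns in this function (the `if (s)` / PF_STATE_UNLOCK pattern visible just below on m_dup failure), but the comment does not say that this is the contract or why the caller then continues on the normal output path; the same applies to the M_IP6_NEXTHOP block in pf_route6 in the next hunk. The comment should use the file's `/* ... */` style rather than `/** ... */`, say "packet" rather than "package", and state the effect, e.g. `/* OPNsense: the packet carries an ipfw fwd next hop (M_IP_NEXTHOP); skip route-to so the captive-portal redirect wins. Returns with s unlocked and *m untouched so the caller sends it on the normal path. */`. Because this silently overrides a configured route-to rule whenever the flag is set, whatever path sets it, a `DPFPRINTF(PF_DEBUG_MISC, ...)` in the skipped branch would make the bypass observable while debugging. pf_route begins and ends outside this hunk.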
@ -5411,6 +5421,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
in_delayed_cksum(m0);
m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
}
#ifdef SCTP
if (m0->m_pkthdr.csum_flags & CSUM_SCTP & ~ifp->if_hwassist) {
sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2));
@ -5502,6 +5513,17 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
goto bad_locked;
}
/**
* OPNsense, when ipfw tries to forward our package, ignore route-to (captive portal)
*/
if ((*m)->m_flags & M_IP6_NEXTHOP) {
if (s) {
PF_STATE_UNLOCK(s);
}
return;
}
if (r->rt == PF_DUPTO) {
if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
if (s)


@ -637,6 +637,11 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
}
break;
case PF_RDR: {
/**
* OPNsense, when ipfw tries to forward our package, ignore pf redirect (captive portal)
*/
if (m->m_flags & (M_IP_NEXTHOP | M_IP6_NEXTHOP))
goto notrans;
if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
goto notrans;
if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
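Review bot: The PF_RDR bypass in pf_get_translation jumps to notrans before pf_map_addr, so a matched rdr rule yields "no translation" for packets flagged M_IP_NEXTHOP or M_IP6_NEXTHOP, but the comment does not say that only rdr is skipped (the nat and binat cases above the hunk are unaffected, as far as the visible code shows) nor that any later filter rule written against the rdr target will then see the untranslated destination. I would reword it in the file's style as `/* OPNsense: ipfw fwd already attached a next hop (M_IP_NEXTHOP/M_IP6_NEXTHOP); skip rdr only, nat/binat still apply. */` and fix "package" to "packet". If the two flag macros alias the same M_PROTO bit in this kernel, the OR is redundant but harmless; a short remark that the check is deliberately address-family-agnostic would prevent someone "simplifying" it later. pf_get_translation begins and ends outside this hunk.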