Change the pfil hook order for ipfw, just like m0n0wall did. When ipfw forwards traffic, ignore route-to and rdr
fixes for https://github.com/opnsense/core/issues/1189 and https://github.com/opnsense/core/issues/1166
This commit is contained in:
parent
7226352c36
commit
83fd8a61b9
|
@ -199,7 +199,7 @@ int
|
|||
pfil_head_unregister(struct pfil_head *ph)
|
||||
{
|
||||
struct packet_filter_hook *pfh, *pfnext;
|
||||
|
||||
|
||||
PFIL_HEADLIST_LOCK();
|
||||
LIST_REMOVE(ph, ph_list);
|
||||
PFIL_HEADLIST_UNLOCK();
|
||||
|
@ -243,7 +243,7 @@ pfil_add_hook(pfil_func_t func, void *arg, int flags, struct pfil_head *ph)
|
|||
int err;
|
||||
|
||||
if (flags & PFIL_IN) {
|
||||
pfh1 = (struct packet_filter_hook *)malloc(sizeof(*pfh1),
|
||||
pfh1 = (struct packet_filter_hook *)malloc(sizeof(*pfh1),
|
||||
M_IFADDR, (flags & PFIL_WAITOK) ? M_WAITOK : M_NOWAIT);
|
||||
if (pfh1 == NULL) {
|
||||
err = ENOMEM;
|
||||
|
@ -333,11 +333,15 @@ pfil_chain_add(pfil_chain_t *chain, struct packet_filter_hook *pfh1, int flags)
|
|||
/*
|
||||
* Insert the input list in reverse order of the output list so that
|
||||
* the same path is followed in or out of the kernel.
|
||||
* original from m0n0wall: insert hooks in reverse order (with respect to default
|
||||
* FreeBSD behavior) to ensure that the dynamically loaded ipfw
|
||||
* is called before ipfilter for outbound and after ipfilter for
|
||||
* inbound packets (due to NAT).
|
||||
*/
|
||||
if (flags & PFIL_IN)
|
||||
TAILQ_INSERT_HEAD(chain, pfh1, pfil_chain);
|
||||
else
|
||||
TAILQ_INSERT_TAIL(chain, pfh1, pfil_chain);
|
||||
else
|
||||
TAILQ_INSERT_HEAD(chain, pfh1, pfil_chain);
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
@ -396,7 +400,7 @@ vnet_pfil_uninit(const void *unused)
|
|||
*/
|
||||
VNET_SYSINIT(vnet_pfil_init, PFIL_SYSINIT_ORDER, PFIL_VNET_ORDER,
|
||||
vnet_pfil_init, NULL);
|
||||
|
||||
|
||||
/*
|
||||
* Closing up shop. These are done in REVERSE ORDER. Not called on reboot.
|
||||
*
|
||||
|
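Review bot: The new comment in pfil_chain_add describes the reversed insertion order as an ipfw-versus-ipfilter arrangement, but the order is a property of every hook registered on the head, and the filter this tree runs next to ipfw is pf rather than ipfilter, so the comment documents a different system than the one being patched. State the invariant the code actually establishes, for example `* Inbound hooks are appended and outbound hooks are prepended, so the hook registered last runs last on input and first on output; OPNsense relies on this so that ipfw sees outbound packets before pf and inbound packets after it.`, adjusting the direction once the old/new sides are confirmed, since the rendering does not show which TAILQ_INSERT_* line is the new one. The remaining hunks in this file show no visible code change and look like whitespace-only edits. pfil_chain_add's signature is outside the hunk.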
|
|
@ -2080,7 +2080,7 @@ pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic,
|
|||
#endif /* INET6 */
|
||||
}
|
||||
|
||||
if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
|
||||
if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
|
||||
CSUM_DELAY_DATA_IPV6)) {
|
||||
*pc = ~*pc;
|
||||
if (! *pc)
|
||||
|
@ -5322,6 +5322,16 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
|
|||
goto bad_locked;
|
||||
}
|
||||
|
||||
/**
|
||||
* OPNsense, when ipfw tries to forward our package, ignore route-to (captive portal)
|
||||
*/
|
||||
if ((*m)->m_flags & M_IP_NEXTHOP) {
|
||||
if (s) {
|
||||
PF_STATE_UNLOCK(s);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
if (r->rt == PF_DUPTO) {
|
||||
if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
|
||||
if (s)
|
||||
|
@ -5411,6 +5421,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
|
|||
in_delayed_cksum(m0);
|
||||
m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
|
||||
}
|
||||
|
||||
#ifdef SCTP
|
||||
if (m0->m_pkthdr.csum_flags & CSUM_SCTP & ~ifp->if_hwassist) {
|
||||
sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2));
|
||||
|
@ -5502,6 +5513,17 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
|
|||
goto bad_locked;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* OPNsense, when ipfw tries to forward our package, ignore route-to (captive portal)
|
||||
*/
|
||||
if ((*m)->m_flags & M_IP6_NEXTHOP) {
|
||||
if (s) {
|
||||
PF_STATE_UNLOCK(s);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
if (r->rt == PF_DUPTO) {
|
||||
if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
|
||||
if (s)
|
||||
|
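Review bot: The new M_IP_NEXTHOP early return in pf_route is placed before the `if (r->rt == PF_DUPTO)` branch, so it also suppresses dup-to and reply-to handling for ipfw-forwarded packets even though the comment and commit message only mention route-to; if that is not intended, narrow it to `if (((*m)->m_flags & M_IP_NEXTHOP) && r->rt == PF_ROUTETO) {`. The same applies to the M_IP6_NEXTHOP check in pf_route6. The comment should also say what happens to the packet on this path: *m is left untouched, so the caller presumably continues with normal output as it does for the existing early returns in this function, and `package` should read `packet`. The neighbouring code writes `if (s) PF_STATE_UNLOCK(s);` without braces, so the braced form in the new block is a style inconsistency. Both functions begin and end outside the hunks.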
|
|
@ -637,6 +637,11 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
|
|||
}
|
||||
break;
|
||||
case PF_RDR: {
|
||||
/**
|
||||
* OPNsense, when ipfw tries to forward our package, ignore pf redirect (captive portal)
|
||||
*/
|
||||
if (m->m_flags & (M_IP_NEXTHOP | M_IP6_NEXTHOP))
|
||||
goto notrans;
|
||||
if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
|
||||
goto notrans;
|
||||
if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
|
||||
|
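Review bot: The new `goto notrans` in the PF_RDR case makes a matching rdr rule behave as if no translation applied for any mbuf carrying M_IP_NEXTHOP or M_IP6_NEXTHOP, so the comment should record the assumption this bypass rests on, e.g. `* M_IP_NEXTHOP/M_IP6_NEXTHOP are set only in-kernel by ipfw fwd; a packet ipfw has already chosen a next hop for skips pf rdr (captive portal).` — it also relies on notrans tolerating a NULL *sn, which holds here because the jump happens before pf_map_addr. `package` should read `packet`, and `/**` is not the `/*` block-comment style used by the other comments in this commit. The same predicate appears in pf_route and pf_route6 with the per-family flag; a single helper such as `#define PF_MBUF_IPFW_FWD(m) ((m)->m_flags & (M_IP_NEXTHOP | M_IP6_NEXTHOP))` in pfvar.h would keep the three sites consistent. pf_get_translation begins and ends outside this hunk.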
|