IPPPD_FILTER option to filter packets for the HUPTIMEOUT; need kernel patch
parent
7c386abdc8
commit
52f3800c53
|
@ -1,6 +1,7 @@
|
|||
mainmenu_option next_comment
|
||||
comment 'Options for ipppd'
|
||||
bool 'Support for MS chap secrets' CONFIG_IPPPD_MSCHAP
|
||||
bool 'Support for PPP filtering (need kernel patch)' CONFIG_IPPP_FILTER
|
||||
bool 'Support for RADIUS protocol' CONFIG_IPPPD_RADIUS
|
||||
bool 'Support for RADIUS wtmp logging' CONFIG_RADIUS_WTMP_LOGGING
|
||||
string 'radiusclient config file path' RADIUS_CLIENT_CONFIG_FILE
|
||||
|
|
|
@ -7,6 +7,7 @@ HAVE_LIBDES := @HAVE_LIBDES@
|
|||
HAVE_LIBCRYPT := @HAVE_LIBCRYPT@
|
||||
HAVE_SHADOW_H := @HAVE_SHADOW_H@
|
||||
HAVE_LZSCOMP_H:= @HAVE_LZSCOMP_H@
|
||||
IPPP_FILTER := @CONFIG_IPPP_FILTER@
|
||||
SBINDIR := @CONFIG_SBINDIR@
|
||||
MANDIR := @CONFIG_MANDIR@
|
||||
CC := @CC@
|
||||
|
@ -77,6 +78,10 @@ ifeq ($(HAVE_LIBCRYPT),1)
|
|||
LIBS = -lcrypt -lutil
|
||||
endif
|
||||
|
||||
ifeq ($(IPPP_FILTER),y)
|
||||
CFLAGS += -DIPPP_FILTER
|
||||
LIBS += -lpcap
|
||||
endif
|
||||
|
||||
SOURCE = RELNOTES configure *.in $(PPPDSRCS) $(HEADERS) $(MANPAGES)
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ CONFIG_SBINDIR=`eval echo ${CONFIG_SBINDIR:-"/sbin"}`
|
|||
CONFIG_RUNDIR=`eval echo ${CONFIG_RUNDIR:-"/var/run"}`
|
||||
CONFIG_IPPPD_MSCHAP=${CONFIG_IPPPD_MSCHAP:-"n"}
|
||||
CONFIG_IPPPD_RADIUS=${CONFIG_IPPPD_RADIUS:-"n"}
|
||||
CONFIG_IPPP_FILTER=${CONFIG_IPPP_FILTER:-"n"}
|
||||
CONFIG_RADIUS_WTMP_LOGGING=${CONFIG_RADIUS_WTMP_LOGGING:-"n"}
|
||||
RADIUS_CLIENT_CONFIG_FILE=`eval echo ${RADIUS_CLIENT_CONFIG_FILE:-"/usr/local/lib/radiusclient/radiusclient.conf"}`
|
||||
dnl Checks for programs.
|
||||
|
@ -98,6 +99,12 @@ AC_ARG_ENABLE(debug,
|
|||
AC_DEFINE(CONFIG_IPPPD_DEBUGFLAGS,"-DDEBUGALL"),
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(ippp-filter,
|
||||
[ --enable-ippp-filter Enable IPPP Filters (needs kernel supports) [no]],
|
||||
CONFIG_IPPP_FILTER="y"
|
||||
AC_DEFINE(CONFIG_IPPP_FILTER,"y"),
|
||||
)
|
||||
|
||||
AC_SUBST(I4LVERSION)
|
||||
AC_SUBST(MANDATE)
|
||||
AC_SUBST(HAVE_LIBDES)
|
||||
|
@ -113,4 +120,5 @@ AC_SUBST(CONFIG_IPPPD_RADIUS)
|
|||
AC_SUBST(RADIUS_CLIENT_CONFIG_FILE)
|
||||
AC_SUBST(CONFIG_RADIUS_WTMP_LOGGING)
|
||||
AC_SUBST(CONFIG_IPPPD_DEBUGFLAGS)
|
||||
AC_SUBST(CONFIG_IPPP_FILTER)
|
||||
AC_OUTPUT(Makefile ipppd.man pathnames.h)
|
||||
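Review bot: The action-if-given branch of `AC_ARG_ENABLE(ippp-filter, ...)` sets `CONFIG_IPPP_FILTER="y"` whenever the switch appears in any form, so `--disable-ippp-filter` or `--enable-ippp-filter=no` would also enable the feature and link `-lpcap`. Test the value instead, e.g. `if test "$enableval" != "no"; then CONFIG_IPPP_FILTER="y"; fi`. The `AC_DEFINE(CONFIG_IPPP_FILTER,"y")` also looks unused by the C code shown on this page, which tests `IPPP_FILTER` passed through CFLAGS by the Makefile, so it could probably be dropped.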
|
|
|
@ -215,6 +215,11 @@ extern int cryptpap; /* Others' PAP passwords are encrypted */
|
|||
#ifdef __linux__
|
||||
extern int hostroute; /* Add a route to the host at the other end? */
|
||||
#endif
|
||||
#ifdef IPPP_FILTER
|
||||
#include <net/bpf.h>
|
||||
extern struct bpf_program pass_filter; /* Filter for pkts to pass */
|
||||
extern struct bpf_program active_filter; /* Filter for link-active pkts */
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
/*
|
||||
* Values for phase.
|
||||
|
@ -288,6 +293,9 @@ void link_required(int);
|
|||
void link_terminated(int);
|
||||
void link_down(int);
|
||||
void link_established(int unit);
|
||||
#ifdef IPPP_FILTER
|
||||
int set_filters(int, struct bpf_program *, struct bpf_program *);
|
||||
#endif /* IPPP_FILTER */
|
||||
int device_script(char *program,int in,int out);
|
||||
void check_auth_options(void);
|
||||
void setipdefault(void);
|
||||
|
|
|
@ -564,6 +564,9 @@ static int init_unit(int linkunit)
|
|||
lns[linkunit].upap_unit = lns[linkunit].chap_unit = lns[linkunit].lcp_unit;
|
||||
upap[lns[linkunit].upap_unit].us_unit = chap[lns[linkunit].chap_unit].unit = linkunit;
|
||||
lcp_lowerup(lns[linkunit].lcp_unit);
|
||||
#ifdef IPPP_FILTER
|
||||
set_filters(linkunit, &pass_filter, &active_filter);
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
return 0;
|
||||
}
|
||||
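Review bot: The return value of `set_filters()` is discarded in `init_unit`, so when the ioctl fails the link still comes up with only a syslog line and no pass-filter installed, which fails open for anyone relying on the filter to drop traffic. Check it, e.g. `if (!set_filters(linkunit, &pass_filter, &active_filter)) return -1;`, using whatever failure value `init_unit` returns elsewhere; its body starts outside this hunk, so that convention is not visible here. The call is also made when neither option was given, which hands the kernel two zero-length programs; skipping it in that case would avoid depending on how the driver treats an empty filter.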
|
|
|
@ -39,6 +39,10 @@ char options_rcsid[] = "$Id$";
|
|||
#include <radiusclient.h>
|
||||
#endif
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
#include <pcap.h>
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
#include "fsm.h"
|
||||
#include "ipppd.h"
|
||||
#include "pathnames.h"
|
||||
|
@ -140,6 +144,10 @@ int force_driver = 0;
|
|||
struct option_info auth_req_info;
|
||||
struct option_info devnam_info;
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
struct bpf_program pass_filter;/* Filter program for packets to pass */
|
||||
struct bpf_program active_filter; /* Filter program for link-active pkts */
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
/*
|
||||
* Prototypes
|
||||
|
@ -292,6 +300,11 @@ char *make_username_realm ( char * );
|
|||
int __P (radius_init ( void ));
|
||||
#endif
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
static int setpassfilter __P((int,char **));
|
||||
static int setactivefilter __P((int,char **));
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
/*
|
||||
* Valid arguments.
|
||||
*/
|
||||
|
@ -470,7 +483,10 @@ static struct cmd {
|
|||
{"nohostroute", 0, setnohostroute}, /* Don't add host route */
|
||||
#endif
|
||||
{"+force-driver",0,setforcedriver},
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
{ "pass-filter", 1, setpassfilter}, /* pass filter */
|
||||
{ "active-filter", 1, setactivefilter}, /* link-active filter */
|
||||
#endif /* IPPP_FILTER */
|
||||
{NULL, 0, NULL}
|
||||
};
|
||||
|
||||
|
@ -2614,3 +2630,33 @@ static int setforcedriver(int dummy)
|
|||
force_driver = 1;
|
||||
return 1;
|
||||
}
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
/*
|
||||
* setpassfilter - Set the pass filter for packets
|
||||
*/
|
||||
static int
|
||||
setpassfilter(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
if (pcap_compile_nopcap(PPP_HDRLEN, DLT_PPP, &pass_filter, *argv, 1, netmask) == 0)
|
||||
return 1;
|
||||
option_error("error in pass-filter expression.\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* setactivefilter - Set the active filter for packets
|
||||
*/
|
||||
static int
|
||||
setactivefilter(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
if (pcap_compile_nopcap(PPP_HDRLEN, DLT_PPP, &active_filter, *argv, 1, netmask) == 0)
|
||||
return 1;
|
||||
option_error("error in active-filter expression.\n");
|
||||
return 0;
|
||||
}
|
||||
#endif /* IPPP_FILTER */
|
||||
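Review bot: Both `setpassfilter` and `setactivefilter` compile straight into the global program, so giving the option a second time (for example in an options file and again on the command line) overwrites `bf_insns` without releasing the earlier allocation. If the libpcap in use provides it, call `pcap_freecode(&pass_filter);` (and the `active_filter` equivalent) before `pcap_compile_nopcap(...)`. `netmask` is not declared in this hunk and is presumably a global defined elsewhere in the file; a comment saying which address it describes would help, since the compiled filter depends on it. The header comments should also state the return convention, 1 on success and 0 after `option_error`.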
|
|
|
@ -57,6 +57,7 @@ char sys_rcsid[] = "$Id$";
|
|||
#if defined __GLIBC__ && __GLIBC__ >= 2
|
||||
# include </usr/include/net/ppp_defs.h>
|
||||
# include </usr/include/net/if_ppp.h>
|
||||
# include "ippp-filter-compat.h"
|
||||
# include </usr/include/net/ethernet.h>
|
||||
# include "route.h"
|
||||
#else
|
||||
|
@ -70,6 +71,11 @@ char sys_rcsid[] = "$Id$";
|
|||
# include <netipx/ipx.h>
|
||||
#endif
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
#include <net/bpf.h>
|
||||
#include <linux/filter.h>
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
#include "fsm.h"
|
||||
#include "ipppd.h"
|
||||
#include "ipcp.h"
|
||||
|
@ -515,6 +521,40 @@ int sifvjcomp (int unit, int vjcomp, int cidcomp, int maxcid)
|
|||
return 1;
|
||||
}
|
||||
|
||||
#ifdef IPPP_FILTER
|
||||
/*
|
||||
* set_filters - set the active and pass filters in the kernel driver.
|
||||
*/
|
||||
int set_filters(int u, struct bpf_program *pass, struct bpf_program *active)
|
||||
{
|
||||
struct sock_fprog fp;
|
||||
|
||||
/*
|
||||
* unfortunately there is no way of checking for kernel support. the
|
||||
* driver just returns 0 for unsupported ioctls, which means without
|
||||
* kernel support we won't even notice the error.
|
||||
*/
|
||||
|
||||
if (pass) {
|
||||
fp.len = pass->bf_len;
|
||||
fp.filter = (struct sock_filter *) pass->bf_insns;
|
||||
if (ioctl(lns[u].fd, PPPIOCSPASS, &fp) < 0) {
|
||||
syslog(LOG_ERR, "Couldn't set pass-filter in kernel.");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (active) {
|
||||
fp.len = active->bf_len;
|
||||
fp.filter = (struct sock_filter *) active->bf_insns;
|
||||
if (ioctl(lns[u].fd, PPPIOCSACTIVE, &fp) < 0) {
|
||||
syslog(LOG_ERR, "Couldn't set active-filter in kernel.");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
#endif /* IPPP_FILTER */
|
||||
|
||||
/*
|
||||
* sifup - Config the interface up and enable IP packets to pass.
|
||||
*/
|
||||
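Review bot: In `set_filters` the assignment `fp.len = pass->bf_len;` narrows an unsigned int to the `unsigned short` length field of `struct sock_fprog`, and the cast of `bf_insns` to `struct sock_filter *` assumes the two instruction structs have identical layout. Reject over-long programs before the ioctl, e.g. `if (pass->bf_len > 0xffff) return 0;` (same for `active`), and add a compile-time size check of `struct bpf_insn` against `struct sock_filter`. As the in-code comment says, an unpatched kernel returns 0 for these ioctls, so a configured pass-filter is silently not enforced; logging at startup that kernel support cannot be verified would at least make that visible to the administrator. `u` indexes `lns[]` unchecked, which is fine only if every caller passes a valid unit.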
|
|