IPPPD_FILTER option to filter packets for the HUPTIMEOUT; need kernel patch

2003-06-30 22:30:57 +00:00 · 2003-06-30 22:30:57 +00:00 · ef1228bd93
parent 884dab4f1e
commit ef1228bd93
7 changed files with 117 additions and 6 deletions
--- a/ipppd/.Config.in
+++ b/ipppd/.Config.in
@ -1,6 +1,7 @@
 mainmenu_option next_comment
 comment 'Options for ipppd'
 bool 'Support for MS chap secrets' CONFIG_IPPPD_MSCHAP
+bool 'Support for PPP filtering (need kernel patch)' CONFIG_IPPP_FILTER
 bool 'Support for RADIUS protocol' CONFIG_IPPPD_RADIUS
 bool 'Support for RADIUS wtmp logging' CONFIG_RADIUS_WTMP_LOGGING
 string 'radiusclient config file path' RADIUS_CLIENT_CONFIG_FILE
--- a/ipppd/Makefile.in
+++ b/ipppd/Makefile.in
@ -1,12 +1,13 @@
 #
 # ipppd makefile for Linux
-# $Id: Makefile.in,v 1.16 2002/07/19 19:03:53 keil Exp $
+# $Id: Makefile.in,v 1.17 2003/06/30 22:30:57 keil Exp $
 #

 HAVE_LIBDES   := @HAVE_LIBDES@
 HAVE_LIBCRYPT := @HAVE_LIBCRYPT@
 HAVE_SHADOW_H := @HAVE_SHADOW_H@
 HAVE_LZSCOMP_H:= @HAVE_LZSCOMP_H@
+IPPP_FILTER   := @CONFIG_IPPP_FILTER@
 SBINDIR       := @CONFIG_SBINDIR@
 MANDIR        := @CONFIG_MANDIR@
 CC            := @CC@
@ -77,6 +78,10 @@ ifeq ($(HAVE_LIBCRYPT),1)
 LIBS        = -lcrypt -lutil
 endif

+ifeq ($(IPPP_FILTER),y)
+CFLAGS     += -DIPPP_FILTER
+LIBS       += -lpcap
+endif

 SOURCE = RELNOTES configure *.in $(PPPDSRCS) $(HEADERS) $(MANPAGES)

--- a/ipppd/configure.in
+++ b/ipppd/configure.in
@ -9,6 +9,7 @@ CONFIG_SBINDIR=`eval echo ${CONFIG_SBINDIR:-"/sbin"}`
 CONFIG_RUNDIR=`eval echo ${CONFIG_RUNDIR:-"/var/run"}`
 CONFIG_IPPPD_MSCHAP=${CONFIG_IPPPD_MSCHAP:-"n"}
 CONFIG_IPPPD_RADIUS=${CONFIG_IPPPD_RADIUS:-"n"}
+CONFIG_IPPP_FILTER=${CONFIG_IPPP_FILTER:-"n"}
 CONFIG_RADIUS_WTMP_LOGGING=${CONFIG_RADIUS_WTMP_LOGGING:-"n"}
 RADIUS_CLIENT_CONFIG_FILE=`eval echo ${RADIUS_CLIENT_CONFIG_FILE:-"/usr/local/lib/radiusclient/radiusclient.conf"}`
 dnl Checks for programs.
@ -98,6 +99,12 @@ AC_ARG_ENABLE(debug,
 	AC_DEFINE(CONFIG_IPPPD_DEBUGFLAGS,"-DDEBUGALL"),
 )

+AC_ARG_ENABLE(ippp-filter,
+	[  --enable-ippp-filter    Enable IPPP Filters (needs kernel supports) [no]],
+	CONFIG_IPPP_FILTER="y"
+	AC_DEFINE(CONFIG_IPPP_FILTER,"y"),
+)
+
 AC_SUBST(I4LVERSION)
 AC_SUBST(MANDATE)
 AC_SUBST(HAVE_LIBDES)
@ -113,4 +120,5 @@ AC_SUBST(CONFIG_IPPPD_RADIUS)
 AC_SUBST(RADIUS_CLIENT_CONFIG_FILE)
 AC_SUBST(CONFIG_RADIUS_WTMP_LOGGING)
 AC_SUBST(CONFIG_IPPPD_DEBUGFLAGS)
+AC_SUBST(CONFIG_IPPP_FILTER)
 AC_OUTPUT(Makefile ipppd.man pathnames.h)
--- a/ipppd/ipppd.h
+++ b/ipppd/ipppd.h
@ -18,7 +18,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: ipppd.h,v 1.22 2002/07/06 00:34:08 keil Exp $
+ * $Id: ipppd.h,v 1.23 2003/06/30 22:30:57 keil Exp $
 */

 /*
@ -215,6 +215,11 @@ extern int	cryptpap;	/* Others' PAP passwords are encrypted */
 #ifdef __linux__
 extern int      hostroute;      /* Add a route to the host at the other end? */
 #endif
+#ifdef IPPP_FILTER
+#include <net/bpf.h>
+extern struct   bpf_program pass_filter;   /* Filter for pkts to pass */
+extern struct   bpf_program active_filter; /* Filter for link-active pkts */
+#endif /* IPPP_FILTER */

 /*
 * Values for phase.
@ -288,6 +293,9 @@ void link_required(int);
 void link_terminated(int);
 void link_down(int);
 void link_established(int unit);
+#ifdef IPPP_FILTER
+int set_filters(int, struct bpf_program *, struct bpf_program *);
+#endif /* IPPP_FILTER */
 int device_script(char *program,int in,int out);
 void check_auth_options(void);
 void setipdefault(void);
--- a/ipppd/main.c
+++ b/ipppd/main.c
@ -25,7 +25,7 @@
 * PATCHLEVEL 9
 */

-char main_rcsid[] = "$Id: main.c,v 1.24 2002/07/18 00:06:21 keil Exp $";
+char main_rcsid[] = "$Id: main.c,v 1.25 2003/06/30 22:30:57 keil Exp $";

 #include <stdio.h>
 #include <stdarg.h>
@ -564,6 +564,9 @@ static int init_unit(int linkunit)
 	lns[linkunit].upap_unit = lns[linkunit].chap_unit = lns[linkunit].lcp_unit;
 	upap[lns[linkunit].upap_unit].us_unit = chap[lns[linkunit].chap_unit].unit = linkunit;
 	lcp_lowerup(lns[linkunit].lcp_unit);
+#ifdef IPPP_FILTER
+	set_filters(linkunit, &pass_filter, &active_filter);
+#endif /* IPPP_FILTER */

 	return 0;
 }
--- a/ipppd/options.c
+++ b/ipppd/options.c
@ -17,7 +17,7 @@
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

-char options_rcsid[] = "$Id: options.c,v 1.23 2003/01/20 02:23:28 keil Exp $";
+char options_rcsid[] = "$Id: options.c,v 1.24 2003/06/30 22:30:57 keil Exp $";

 #include <stdio.h>
 #include <errno.h>
@ -39,6 +39,10 @@ char options_rcsid[] = "$Id: options.c,v 1.23 2003/01/20 02:23:28 keil Exp $";
 #include <radiusclient.h>
 #endif

+#ifdef IPPP_FILTER
+#include <pcap.h>
+#endif /* IPPP_FILTER */
+
 #include "fsm.h"
 #include "ipppd.h"
 #include "pathnames.h"
@ -140,6 +144,10 @@ int force_driver = 0;
 struct option_info auth_req_info;
 struct option_info devnam_info;

+#ifdef IPPP_FILTER
+struct  bpf_program pass_filter;/* Filter program for packets to pass */
+struct  bpf_program active_filter; /* Filter program for link-active pkts */
+#endif /* IPPP_FILTER */

 /*
 * Prototypes
@ -292,6 +300,11 @@ char *make_username_realm ( char * );
 int __P (radius_init ( void ));
 #endif

+#ifdef IPPP_FILTER
+static int setpassfilter __P((int,char **));
+static int setactivefilter __P((int,char **));
+#endif /* IPPP_FILTER */
+
 /*
 * Valid arguments.
 */
@ -470,7 +483,10 @@ static struct cmd {
    {"nohostroute", 0, setnohostroute}, /* Don't add host route */
 #endif
    {"+force-driver",0,setforcedriver},
-
+#ifdef IPPP_FILTER
+    { "pass-filter", 1, setpassfilter},		/* pass filter */
+    { "active-filter", 1, setactivefilter},	/* link-active filter */
+#endif /* IPPP_FILTER */
    {NULL, 0, NULL}
 };

@ -2614,3 +2630,33 @@ static int setforcedriver(int dummy)
    force_driver = 1;
    return 1;
 }
+
+#ifdef IPPP_FILTER
+/*
+ * setpassfilter - Set the pass filter for packets
+ */
+static int
+setpassfilter(argc, argv)
+    int argc;
+    char **argv;
+{
+    if (pcap_compile_nopcap(PPP_HDRLEN, DLT_PPP, &pass_filter, *argv, 1, netmask) == 0)
+        return 1;
+    option_error("error in pass-filter expression.\n");
+    return 0;
+}
+
+/*
+ * setactivefilter - Set the active filter for packets
+ */
+static int
+setactivefilter(argc, argv)
+    int argc;
+    char **argv;
+{
+    if (pcap_compile_nopcap(PPP_HDRLEN, DLT_PPP, &active_filter, *argv, 1, netmask) == 0)
+        return 1;
+    option_error("error in active-filter expression.\n");
+    return 0;
+}
+#endif /* IPPP_FILTER */
--- a/ipppd/sys-linux.c
+++ b/ipppd/sys-linux.c
@ -22,7 +22,7 @@
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

-char sys_rcsid[] = "$Id: sys-linux.c,v 1.25 2000/07/25 20:23:51 kai Exp $";
+char sys_rcsid[] = "$Id: sys-linux.c,v 1.26 2003/06/30 22:30:57 keil Exp $";

 #define _LINUX_STRING_H_

@ -57,6 +57,7 @@ char sys_rcsid[] = "$Id: sys-linux.c,v 1.25 2000/07/25 20:23:51 kai Exp $";
 #if defined __GLIBC__ && __GLIBC__ >= 2
 # include </usr/include/net/ppp_defs.h>
 # include </usr/include/net/if_ppp.h>
+# include "ippp-filter-compat.h"
 # include </usr/include/net/ethernet.h>
 # include "route.h"
 #else
@ -70,6 +71,11 @@ char sys_rcsid[] = "$Id: sys-linux.c,v 1.25 2000/07/25 20:23:51 kai Exp $";
 # include <netipx/ipx.h>
 #endif

+#ifdef IPPP_FILTER
+#include <net/bpf.h>
+#include <linux/filter.h>
+#endif /* IPPP_FILTER */
+
 #include "fsm.h"
 #include "ipppd.h"
 #include "ipcp.h"
@ -515,6 +521,40 @@ int sifvjcomp (int unit, int vjcomp, int cidcomp, int maxcid)
 	return 1;
 }

+#ifdef IPPP_FILTER
+/*
+ * set_filters - set the active and pass filters in the kernel driver.
+ */
+int set_filters(int u, struct bpf_program *pass, struct bpf_program *active)
+{       
+        struct sock_fprog fp;
+
+	/*
+	 *  unfortunately there is no way of checking for kernel support. the
+	 *  driver just returns 0 for unsupported ioctls, which means without
+	 *  kernel support we won't even notice the error.
+	 */
+
+	if (pass) {
+		fp.len = pass->bf_len;
+		fp.filter = (struct sock_filter *) pass->bf_insns;
+		if (ioctl(lns[u].fd, PPPIOCSPASS, &fp) < 0) {
+			syslog(LOG_ERR, "Couldn't set pass-filter in kernel.");
+			return 0;
+		}
+	}
+	if (active) {
+		fp.len = active->bf_len;
+		fp.filter = (struct sock_filter *) active->bf_insns;
+		if (ioctl(lns[u].fd, PPPIOCSACTIVE, &fp) < 0) {
+			syslog(LOG_ERR, "Couldn't set active-filter in kernel.");
+	        	return 0;
+		}
+	}
+	return 1;
+}
+#endif /* IPPP_FILTER */
+
 /*
 * sifup - Config the interface up and enable IP packets to pass.
 */