From patchwork Sat Nov 11 05:18:34 2017
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 66
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 12 Nov 2017 00:18:34 +0800
Message-Id: <20171111161836.23356-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v5 1/3] pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic
Cc: Antonio Quartulli

In an attempt to get rid of any pf-inline.h file, we need to make sure
that inline functions do not trigger any circular include dependency.

For this reason, avoid making pf_c2c/addr_test() 'struct context' aware,
so that pf-inline.h does not need to rely on the content of openvpn.h.

Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
Reviewed-by: Steffan Karger
Acked-by: Steffan Karger
---
v1-v3: skipped
v4: this is the first version of this patch, but named v4 for convenience
v5: follow Steffan's suggestion and make pf_c2c_test() take tls_multi as argument

 src/openvpn/multi.c     | 28 +++++++++++++++++++++-------
 src/openvpn/pf-inline.h | 14 +++++++++-----
 2 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 82a0b9d9..5c2c8e69 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2230,7 +2230,11 @@ multi_bcast(struct multi_context *m, #ifdef ENABLE_PF if (sender_instance) { - if (!pf_c2c_test(&sender_instance->context, &mi->context, "bcast_c2c")) + if (!pf_c2c_test(&sender_instance->context.c2.pf, + sender_instance->context.c2.tls_multi, + &mi->context.c2.pf, + mi->context.c2.tls_multi, + "bcast_c2c")) { msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter", mi_prefix(sender_instance), @@ -2240,7 +2244,8 @@ multi_bcast(struct multi_context *m, } if (sender_addr) { - if (!pf_addr_test(&mi->context, sender_addr, "bcast_src_addr")) + if (!pf_addr_test(&mi->context.c2.pf, &mi->context, + sender_addr, "bcast_src_addr")) { struct gc_arena gc = gc_new(); msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter", @@ -2599,7 +2604,10 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst if (mi) { #ifdef ENABLE_PF - if (!pf_c2c_test(c, &mi->context, "tun_c2c")) + if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi, + &mi->context.c2.pf, + mi->context.c2.tls_multi, + "tun_c2c")) { msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter", mi_prefix(mi)); @@ -2615,7 +2623,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst } } #ifdef ENABLE_PF - if (c->c2.to_tun.len && !pf_addr_test(c, &dest, "tun_dest_addr")) + if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest, + "tun_dest_addr")) { msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter", mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc)); 
@@ -2660,7 +2669,10 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst if (mi) { #ifdef ENABLE_PF - if (!pf_c2c_test(c, &mi->context, "tap_c2c")) + if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi, + &mi->context.c2.pf, + mi->context.c2.tls_multi, + "tap_c2c")) { msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter", mi_prefix(mi)); @@ -2676,7 +2688,9 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst } } #ifdef ENABLE_PF - if (c->c2.to_tun.len && !pf_addr_test(c, &edest, "tap_dest_addr")) + if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, + &edest, + "tap_dest_addr")) { msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter", mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc)); @@ -2789,7 +2803,7 @@ multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags set_prefix(m->pending); #ifdef ENABLE_PF - if (!pf_addr_test(c, e2, "tun_tap_src_addr")) + if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr")) { msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter", mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc)); diff --git a/src/openvpn/pf-inline.h b/src/openvpn/pf-inline.h index ac19ac4c..3ba90ccf 100644 --- a/src/openvpn/pf-inline.h +++ b/src/openvpn/pf-inline.h 
@@ -31,20 +31,24 @@ #define PCT_SRC 1 #define PCT_DEST 2 static inline bool -pf_c2c_test(const struct context *src, const struct context *dest, const char *prefix) +pf_c2c_test(const struct pf_context *src_pf, const struct tls_multi *src, + const struct pf_context *dest_pf, const struct tls_multi *dest, + const char *prefix) { bool pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix); - return (!src->c2.pf.enabled || pf_cn_test(src->c2.pf.pfs, dest->c2.tls_multi, PCT_DEST, prefix)) - && (!dest->c2.pf.enabled || pf_cn_test(dest->c2.pf.pfs, src->c2.tls_multi, PCT_SRC, prefix)); + return (!src_pf->enabled || pf_cn_test(src_pf->pfs, dest, PCT_DEST, prefix)) + && (!dest_pf->enabled || pf_cn_test(dest_pf->pfs, src, PCT_SRC, + prefix)); } static inline bool -pf_addr_test(const struct context *src, const struct mroute_addr *dest, const char *prefix) +pf_addr_test(const struct pf_context *src_pf, const struct context *src, + const struct mroute_addr *dest, const char *prefix) { bool pf_addr_test_dowork(const struct context *src, const struct mroute_addr *dest, const char *prefix); - if (src->c2.pf.enabled) + if (src_pf->enabled) { return pf_addr_test_dowork(src, dest, prefix); }
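Review bot: in the `bcast_c2c` hunk at line 2230 of multi.c, the call now takes four pointers of two alternating types, all derived from `sender_instance` and `mi`; `&sender_instance->context.c2.pf` and `&mi->context.c2.pf` have the same type, as do the two `tls_multi` arguments, so swapping one of the four lines between the two instances compiles cleanly and silently reverses which side's filter is consulted as SRC and which as DEST. Since multi.c already includes openvpn.h, a small static wrapper there taking the two `struct context` pointers (keeping the old three-argument shape at the four `*_c2c` sites) would confine the destructuring to one place; failing that, keep each `(pf, tls_multi)` pair on a single line so the pairing is visible at the call site.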
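Review bot: in the `bcast_src_addr` hunk at line 2244, `pf_addr_test(&mi->context.c2.pf, &mi->context, ...)` passes the same instance twice, once as its filter and once as its context, and every other `pf_addr_test()` site in this patch (`tun_dest_addr`, `tap_dest_addr`, `tun_tap_src_addr`) follows the same `&X->c2.pf, X` pattern; nothing stops a later caller from passing a `pf_context` that does not belong to the `struct context` beside it. At minimum, document on `pf_addr_test()` that `src_pf` must be `&src->c2.pf`; if `pf_addr_test_dowork()` can be given the same narrow arguments, the redundant parameter could go away entirely.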
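Review bot: in the `tap_dest_addr` hunk at line 2688, `&edest,` is wrapped onto its own line, while the otherwise identical `tun_dest_addr` call at line 2623 keeps `&dest,` on the first line; the two calls should be wrapped the same way, e.g. `if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &edest,` followed by `"tap_dest_addr"))`.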
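Review bot: in the pf-inline.h hunk, `pf_addr_test()` still takes `const struct context *src` because it forwards it to `pf_addr_test_dowork()`; this is consistent with the subject line only because the header no longer dereferences `src`, so an incomplete type (`struct context;` forward declaration) is enough to compile it. The commit message should state that explicitly, since a reader who sees `struct context` in the new signature will otherwise doubt that the function is 'struct context' agnostic. The `pf_c2c_test()` rewrite itself preserves the old behaviour line for line (`src_pf->enabled` gates `src_pf->pfs` exactly as `src->c2.pf.enabled` gated `src->c2.pf.pfs`); a one-line comment saying that `src`/`dest` must be the `tls_multi` of the same peers whose `pf_context` is passed would help callers keep the four arguments paired.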
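The refactored pf_c2c_test() consults both peers' filters: the sender's filter must accept the receiver as DEST and the receiver's filter must accept the sender as SRC, and a disabled filter on one side never bypasses the other side's. The following C program is an added example, not OpenVPN code and not part of this patch: it reproduces that two-sided check with the patch's signature, keeps `struct tls_multi` as a forward declaration at the point where the inline function is defined (the decoupling the commit message is after), and supplies a constructed pf_cn_test() so the logic can actually run. `struct pf_set` (a default policy plus a common-name exception list), the client fixtures alice/bob/carol/dave, and `c2c_allowed()` are all constructed stand-ins, not OpenVPN's real rule sets or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Forward declaration only: the inline check below passes this pointer
 * through without dereferencing it, which is what lets a header avoid
 * including the file that defines the full type. Constructed stand-in
 * for OpenVPN's struct tls_multi. */
struct tls_multi;

#define PCT_SRC  1
#define PCT_DEST 2

/* Constructed stand-in for struct pf_set: a default policy plus a short
 * common-name exception list (OpenVPN's real rule sets are richer). */
#define MAX_EXCEPTIONS 4
struct pf_set {
    bool kill;                    /* rule set unusable: drop everything */
    bool default_accept;          /* policy for names not in the list */
    const char *exceptions[MAX_EXCEPTIONS];
    int n_exceptions;
};

struct pf_context {
    bool enabled;                 /* false: this peer filters nothing */
    struct pf_set *pfs;
};

/* Out-of-line, as on the page: the header only needs its prototype. */
bool pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, int type,
                const char *prefix);

/* Same logic as the patched pf_c2c_test(): both filters must agree. */
static inline bool
pf_c2c_test(const struct pf_context *src_pf, const struct tls_multi *src,
            const struct pf_context *dest_pf, const struct tls_multi *dest,
            const char *prefix)
{
    return (!src_pf->enabled || pf_cn_test(src_pf->pfs, dest, PCT_DEST, prefix))
           && (!dest_pf->enabled || pf_cn_test(dest_pf->pfs, src, PCT_SRC, prefix));
}

/* Implementation side: only here is the full type needed. */
struct tls_multi {
    const char *common_name;
};

bool
pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, int type,
           const char *prefix)
{
    if (!pfs || pfs->kill || !tm) {
        return false;             /* fail closed on missing or broken rules */
    }
    bool listed = false;
    for (int i = 0; i < pfs->n_exceptions; i++) {
        if (strcmp(pfs->exceptions[i], tm->common_name) == 0) {
            listed = true;
            break;
        }
    }
    /* A listed name gets the opposite of the default policy. */
    bool accept = listed ? !pfs->default_accept : pfs->default_accept;
    if (!accept) {
        printf("%s: %s %s dropped by packet filter\n", prefix,
               type == PCT_SRC ? "src" : "dest", tm->common_name);
    }
    return accept;
}

/* Constructed fixtures: alice accepts only bob, bob accepts everyone but
 * carol, carol runs no filter at all, dave's rule set failed to load. */
struct client {
    struct tls_multi tm;
    struct pf_context pf;
};

static struct pf_set alice_rules = { .default_accept = false, .exceptions = { "bob" }, .n_exceptions = 1 };
static struct pf_set bob_rules   = { .default_accept = true,  .exceptions = { "carol" }, .n_exceptions = 1 };
static struct pf_set dave_rules  = { .kill = true };

static struct client clients[] = {
    { .tm = { "alice" }, .pf = { true,  &alice_rules } },
    { .tm = { "bob" },   .pf = { true,  &bob_rules } },
    { .tm = { "carol" }, .pf = { false, NULL } },
    { .tm = { "dave" },  .pf = { true,  &dave_rules } },
};

static const struct client *
find_client(const char *name)
{
    for (size_t i = 0; i < sizeof(clients) / sizeof(clients[0]); i++) {
        if (strcmp(clients[i].tm.common_name, name) == 0) {
            return &clients[i];
        }
    }
    return NULL;
}

/* Would a client-to-client packet from `from` to `to` pass the filter? */
bool
c2c_allowed(const char *from, const char *to)
{
    const struct client *src = find_client(from);
    const struct client *dest = find_client(to);
    if (!src || !dest) {
        return false;             /* unknown peer: fail closed */
    }
    return pf_c2c_test(&src->pf, &src->tm, &dest->pf, &dest->tm, "bcast_c2c");
}

int
main(void)
{
    const char *pairs[][2] = { { "alice", "bob" }, { "alice", "carol" },
                               { "carol", "bob" }, { "carol", "dave" } };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
        printf("%s -> %s: %s\n", pairs[i][0], pairs[i][1],
               c2c_allowed(pairs[i][0], pairs[i][1]) ? "allowed" : "dropped");
    }
    return 0;
}
```

The point worth noticing when running it is the asymmetry: carol has no filter, yet carol cannot reach alice (alice's filter rejects her as SRC) and cannot reach dave (dave's broken rule set drops everything), because the `&&` in pf_c2c_test() lets either side veto the packet; only a pair of peers with both filters disabled passes unconditionally.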