
Allow the user to arbitrarily change the packet

Rename the filter function record members and allow the functions to
return a new IPv6 packet.
1 parent 6920bd2 commit 166604400fd062d626501bcc80ebb688162128e1 @msantos committed Apr 6, 2012
Showing with 31 additions and 22 deletions.
  1. +13 −12 README.md
  2. +2 −2 examples/basic_firewall.erl
  3. +2 −2 include/sut.hrl
  4. +14 −6 src/sut_fw.erl
@@ -46,8 +46,8 @@ sut, an IPv6 in IPv4 Userlspace Tunnel (RFC 4213)
| {serverv4, IPv4Address}
| {clientv4, IPv4Address}
| {clientv6, IPv6Address}
- | {out, Fun}
- | {in, Fun}
+ | {filter_out, Fun}
+ | {filter_in, Fun}
Ifname = string() | binary()
IPv4Address = string() | tuple()
IPv6Address = string() | tuple()
@@ -69,12 +69,13 @@ sut, an IPv6 in IPv4 Userlspace Tunnel (RFC 4213)
{clientv6, Client6} is the IPv6 address of the local end. This
address will usually be assigned by the tunnel broker.
- {in, Fun} allows filtering of IPv6 packets received from the
- network. All packets undergo the mandatory checks specified by
- RFC 4213 before being passed to user checks.
+ {filter_in, Fun} allows filtering and arbititrary transformation
+ of IPv6 packets received from the network. All packets undergo
+ the mandatory checks specified by RFC 4213 before being passed
+ to user checks.
- {out, Fun} allows filtering of IPv6 packets received from the
- tun device.
+ {filter_out, Fun} allows filtering and manipulation of IPv6
+ packets received from the tun device.
Filtering functions take 2 argments: the packet payload (a binary)
and the tunnel state:
@@ -87,9 +88,11 @@ sut, an IPv6 in IPv4 Userlspace Tunnel (RFC 4213)
clientv6
}.
- Filtering functions return ok to allow the packet. Any other
- return value causes the packet to be dropped. The default filter
- for both incoming and outgoing packets is a noop:
+ Filtering functions should return ok to allow the packet or {ok,
+ binary()} if the packet has been altered by the function.
+
+ Any other return value causes the packet to be dropped. The
+ default filter for both incoming and outgoing packets is a noop:
fun(_Packet, _State) -> ok end.
@@ -105,8 +108,6 @@ sut, an IPv6 in IPv4 Userlspace Tunnel (RFC 4213)
* Support other checks required by RFC
-* Support inbound/outbound IPv6 firewalling
-
* Decide how to handle write failures to the network and tun device
* possible packets may fail before interface is fully configured
@@ -42,8 +42,8 @@
%%% Then start using:
%%%
%%% sut:start([
-%%% {out, fun(Packet, State) -> basic_firewall:out(Packet, State) end},
-%%% {in, fun(Packet, State) -> basic_firewall:in(Packet, State) end},
+%%% {filter_out, fun(Packet, State) -> basic_firewall:out(Packet, State) end},
+%%% {filter_in, fun(Packet, State) -> basic_firewall:in(Packet, State) end},
%%%
%%% {serverv4, Server4},
%%% {clientv4, Client4},
@@ -44,8 +44,8 @@
serverv4,
clientv4,
clientv6,
- out = fun(_Packet, _State) -> ok end,
- in = fun(_Packet, _State) -> ok end,
+ filter_out = fun(_Packet, _State) -> ok end,
+ filter_in = fun(_Packet, _State) -> ok end,
s,
fd,
@@ -41,21 +41,29 @@
%% tun device -> socket
out(Packet, #sut_state{
- out = Fun,
+ filter_out = Fun,
s = Socket,
serverv4 = Server
} = State) ->
- ok = Fun(Packet, State),
- ok = gen_udp:send(Socket, Server, 0, Packet).
+ {ok, Packet1} = case Fun(Packet, State) of
+ ok -> {ok, Packet};
+ {ok, N} -> {ok, N};
+ Err -> Err
+ end,
+ ok = gen_udp:send(Socket, Server, 0, Packet1).
%% socket -> tun device
in(Packet, #sut_state{
- in = Fun,
+ filter_in = Fun,
dev = Dev
} = State) ->
ok = valid(Packet),
- ok = Fun(Packet, State),
- ok = tuncer:send(Dev, Packet).
+ {ok, Packet1} = case Fun(Packet, State) of
+ ok -> {ok, Packet};
+ {ok, N} -> {ok, N};
+ Err -> Err
+ end,
+ ok = tuncer:send(Dev, Packet1).
%%
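Review bot: In `in/2`, `ok = valid(Packet)` runs only on the packet as received, so a packet the filter returns as `{ok, N}` is written to the tun device through `tuncer:send/2` without passing the RFC 4213 checks. If rewritten inbound packets are expected to satisfy the same checks (valid/1 is defined outside this hunk, so that is an assumption), add `ok = valid(Packet1),` before the send. Neither `out/2` nor `in/2` checks that `N` is a binary; a `true = is_binary(Packet1),` after the `case` would make a malformed filter result drop the packet at that match instead of failing inside the send call. The same `case` appears in both functions and could be one private helper.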
