Changeset 57904 in vbox for trunk/src/VBox/HostDrivers/VBoxNetFlt

Timestamp:

Sep 25, 2015 7:57:12 PM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

102876

Message:

VBoxNetFlt/darwin, VBoxNetAdp/darwin: Don't leak host-guest traffic to
the wire when the interface is in promiscuous mode. Call bpf_tap_in
and bpf_tap_out in the filter. Adjust VBoxNetAdp accordingly.

File:

• trunk/src/VBox/HostDrivers/VBoxNetFlt/darwin/VBoxNetFlt-darwin.cpp (modified) (5 diffs)

trunk/src/VBox/HostDrivers/VBoxNetFlt/darwin/VBoxNetFlt-darwin.cpp

@@ -59 +59 @@
 #include <net/if.h>
 #include <net/if_var.h>
+RT_C_DECLS_BEGIN
+#include <net/bpf.h>
+RT_C_DECLS_END
 #include <netinet/in.h>
 #include <netinet/in_var.h>
@@ -924 +927 @@
         {
             /*
-             * Check if this interface is in promiscuous mode. We should not drop
-             * any packets before they get to the driver as it passes them to tap
-             * callbacks in order for BPF to work properly.
+             * If the interface is in promiscuous mode we should let
+             * all inbound packets (this one was for a bridged guest)
+             * reach the driver as it passes them to tap callbacks in
+             * order for BPF to work properly.
              */
-            if (vboxNetFltDarwinIsPromiscuous(pThis))
+            if (   fSrc == INTNETTRUNKDIR_WIRE
+                && vboxNetFltDarwinIsPromiscuous(pThis))
+            {
                 fDropIt = false;
+            }
+
+            /*
+             * A packet from the host to a guest.  As we won't pass it
+             * to the drvier/wire we need to feed it to bpf ourselves.
+             */
+            if (fSrc == INTNETTRUNKDIR_HOST)
+            {
+                bpf_tap_out(pThis->u.s.pIfNet, DLT_EN10MB, pMBuf, NULL, 0);
+            }
         }
     }
@@ -1088 +1104 @@
             Assert(pThis->pSwitchPort);
             pThis->pSwitchPort->pfnReportMacAddress(pThis->pSwitchPort, &pThis->u.s.MacAddr);
+#if 0
+            /* 
+             * XXX: Don't tell SrvIntNetR0 if the interface is
+             * promiscuous, because there's no code yet to update that
+             * information and we don't want it stuck, spamming all
+             * traffic to the host.
+             */
             pThis->pSwitchPort->pfnReportPromiscuousMode(pThis->pSwitchPort, vboxNetFltDarwinIsPromiscuous(pThis));
+#endif
             pThis->pSwitchPort->pfnReportGsoCapabilities(pThis->pSwitchPort, 0,  INTNETTRUNKDIR_WIRE | INTNETTRUNKDIR_HOST);
             pThis->pSwitchPort->pfnReportNoPreemptDsts(pThis->pSwitchPort, 0 /* none */);
@@ -1127 +1151 @@
         /*
          * Create a mbuf for the gather list and push it onto the wire.
-         *
-         * Note! If the interface is in the promiscuous mode we need to send the
-         *       packet down the stack so it reaches the driver and Berkeley
-         *       Packet Filter (see @bugref{5817}).
          */
-        if ((fDst & INTNETTRUNKDIR_WIRE) || vboxNetFltDarwinIsPromiscuous(pThis))
+        if (fDst & INTNETTRUNKDIR_WIRE)
         {
             mbuf_t pMBuf = vboxNetFltDarwinMBufFromSG(pThis, pSG);
@@ -1153 +1173 @@
             if (pMBuf)
             {
-                /* This is what IONetworkInterface::inputPacket does. */
+                void *pvEthHdr = mbuf_data(pMBuf);
                 unsigned const cbEthHdr = 14;
-                mbuf_pkthdr_setheader(pMBuf, mbuf_data(pMBuf));
-                mbuf_pkthdr_setlen(pMBuf, mbuf_pkthdr_len(pMBuf) - cbEthHdr);
-                mbuf_setdata(pMBuf, (uint8_t *)mbuf_data(pMBuf) + cbEthHdr, mbuf_len(pMBuf) - cbEthHdr);
-                mbuf_pkthdr_setrcvif(pMBuf, pIfNet); /* will crash without this. */
-
+
+                mbuf_pkthdr_setrcvif(pMBuf, pIfNet);
+                mbuf_pkthdr_setheader(pMBuf, pvEthHdr); /* link-layer header */
+                mbuf_adj(pMBuf, cbEthHdr);              /* move to payload */
+
+                bpf_tap_in(pIfNet, DLT_EN10MB, pMBuf, pvEthHdr, cbEthHdr);
                 errno_t err = ifnet_input(pIfNet, pMBuf, NULL);
                 if (err)