diff options
author | luigi <luigi@FreeBSD.org> | 2002-05-09 10:34:57 +0000 |
---|---|---|
committer | luigi <luigi@FreeBSD.org> | 2002-05-09 10:34:57 +0000 |
commit | 23cf222c8133558823b20c5e939ce537d5099c9e (patch) | |
tree | 290f0a0b2936ec4f8d0958565aefddebe98c19a9 /sys/net | |
parent | b6d1cd6b33e9d941abd387b6b03841797624e220 (diff) | |
download | FreeBSD-src-23cf222c8133558823b20c5e939ce537d5099c9e.zip FreeBSD-src-23cf222c8133558823b20c5e939ce537d5099c9e.tar.gz |
Cleanup the interface to ip_fw_chk, two of the input arguments
were totally useless and have been removed.
ip_input.c, ip_output.c:
Properly initialize the "ip" pointer in case the firewall does an
m_pullup() on the packet.
Remove some debugging code forgotten long ago.
ip_fw.[ch], bridge.c:
Prepare the grounds for matching MAC header fields in bridged packets,
so we can have 'etherfw' functionality without a lot of kernel and
userland bloat.
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/bridge.c | 70 |
1 files changed, 34 insertions, 36 deletions
diff --git a/sys/net/bridge.c b/sys/net/bridge.c index 9b029b2..48a31cc 100644 --- a/sys/net/bridge.c +++ b/sys/net/bridge.c @@ -859,15 +859,10 @@ bdg_forward(struct mbuf *m0, struct ether_header *const eh, struct ifnet *dst) #endif (IPFW_LOADED && bdg_ipfw != 0))) { - struct ip *ip ; int i; if (rule != NULL) /* dummynet packet, already partially processed */ goto forward; /* HACK! I should obey the fw_one_pass */ - if (ntohs(save_eh.ether_type) != ETHERTYPE_IP) - goto forward ; /* not an IP packet, ipfw is not appropriate */ - if (m0->m_pkthdr.len < sizeof(struct ip) ) - goto forward ; /* header too short for an IP pkt, cannot filter */ /* * i need some amt of data to be contiguous, and in case others need * the packet (shared==1) also better be in the first mbuf. @@ -881,48 +876,51 @@ bdg_forward(struct mbuf *m0, struct ether_header *const eh, struct ifnet *dst) } } - /* - * before calling the firewall, swap fields the same as IP does. - * here we assume the pkt is an IP one and the header is contiguous - */ - ip = mtod(m0, struct ip *); - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); - +#ifdef PFIL_HOOKS /* * NetBSD-style generic packet filter, pfil(9), hooks. * Enables ipf(8) in bridging. */ -#ifdef PFIL_HOOKS - for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link)) - if (pfh->pfil_func) { - rv = pfh->pfil_func(ip, ip->ip_hl << 2, src, 0, &m0); - if (rv != 0 || m0 == NULL) - return m0; - ip = mtod(m0, struct ip *); - } + if (m0->m_pkthdr.len >= sizeof(struct ip) && + ntohs(save_eh.ether_type) == ETHERTYPE_IP) { + /* + * before calling the firewall, swap fields the same as IP does. + * here we assume the pkt is an IP one and the header is contiguous + */ + struct ip *ip = mtod(m0, struct ip *); + + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); + + for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link)) + if (pfh->pfil_func) { + rv = pfh->pfil_func(ip, ip->ip_hl << 2, src, 0, &m0); + if (rv != 0 || m0 == NULL) + return m0; + ip = mtod(m0, struct ip *); + } + /* + * If we get here, the firewall has passed the pkt, but the mbuf + * pointer might have changed. Restore ip and the fields ntohs()'d. + */ + ip = mtod(m0, struct ip *); + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); + } #endif /* PFIL_HOOKS */ /* - * The third parameter to the firewall code is the dst. interface. + * The second parameter to the firewall code is the dst. interface. * Since we apply checks only on input pkts we use NULL. * The firewall knows this is a bridged packet as the cookie ptr * is NULL. */ - if (IPFW_LOADED && bdg_ipfw != 0) { - i = ip_fw_chk_ptr(&ip, 0, NULL, NULL /* cookie */, &m0, &rule, NULL); - if ( (i & IP_FW_PORT_DENY_FLAG) || m0 == NULL) /* drop */ - return m0 ; - } else - i = 0; /* Treat it as a "pass" when not using ipfw. */ - - /* - * If we get here, the firewall has passed the pkt, but the mbuf - * pointer might have changed. Restore ip and the fields ntohs()'d. - */ - ip = mtod(m0, struct ip *); - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); + if (!IPFW_LOADED || bdg_ipfw == 0) + goto forward; /* not using ipfw, accept the packet */ + i = ip_fw_chk_ptr(&m0, NULL, NULL /* cookie */, &rule, + (struct sockaddr_in **)&save_eh); + if ( (i & IP_FW_PORT_DENY_FLAG) || m0 == NULL) /* drop */ + return m0 ; if (i == 0) /* a PASS rule. */ goto forward ; |