Submitted by: Whistle Communications (archie Cobbs)

these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.

1 files changed, 18 insertions, 5 deletions

diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index dab1864..0c941a3 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id: ip_divert.c,v 1.10 1997/05/26 03:33:48 peter Exp $
+ *	$Id: ip_divert.c,v 1.11 1997/06/01 15:58:44 peter Exp $
  */
 
 #include <sys/param.h>
@@ -124,13 +124,20 @@ div_init(void)
 void
 div_input(struct mbuf *m, int hlen)
 {
-	register struct ip *ip = mtod(m, struct ip *);
-	register struct inpcb *inp;
-	register struct socket *sa;
+	struct ip *ip;
+	struct inpcb *inp;
+	struct socket *sa;
 
 	/* Sanity check */
 	if (ip_divert_port == 0)
-		panic("div_input");
+		panic("div_input: port is 0");
+
+	/* Assure header */
+	if (m->m_len < sizeof(struct ip) &&
+	    (m = m_pullup(m, sizeof(struct ip))) == 0) {
+		return;
+	}
+	ip = mtod(m, struct ip *);
 
 	/* Record divert port */
 	divsrc.sin_port = htons(ip_divert_port);
@@ -145,6 +152,12 @@ div_input(struct mbuf *m, int hlen)
 	if (hlen) {
 		struct ifaddr *ifa;
 
+#ifdef DIAGNOSTIC
+		/* Sanity check */
+		if (!(m->m_flags & M_PKTHDR))
+			panic("div_input: no pkt hdr");
+#endif
+
 		/* More fields affected by ip_input() */
 		HTONS(ip->ip_id);