author | green <green@FreeBSD.org> | 2004-10-03 00:26:35 +0000 |
committer | green <green@FreeBSD.org> | 2004-10-03 00:26:35 +0000 |
commit | 4f70622005bf8214002abf3a3dcd4f7614f2dd59 (patch) | |
tree | 1f56ba6706068a376e7a3a3579fc28b31fa13cd0 /sys/netinet/ip_fw2.c | |
parent | 4454a09917934bccea925f619fa53ec38b25a5d7 (diff) | |
Add support to IPFW for classification based on "diverted" status
(that is, input via a divert socket).
Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r-- | sys/netinet/ip_fw2.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 9108d7b..854e2d9 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1718,6 +1718,14 @@ ipfw_chk(struct ip_fw_args *args)
 int ugid_lookup = 0;

 /*
+ * divinput_flags If non-zero, set to the IP_FW_DIVERT_*_FLAG
+ * associated with a packet input on a divert socket. This
+ * will allow to distinguish traffic and its direction when
+ * it originates from a divert socket.
+ */
+ u_int divinput_flags = 0;
+
+ /*
 * oif | args->oif If NULL, ipfw_chk has been called on the
 * inbound path (ether_input, bdg_forward, ip_input).
 * If non-NULL, ipfw_chk has been called on the outbound path
@@ -1893,8 +1901,11 @@ after_ip_checks:
 }
 }
 /* reset divert rule to avoid confusion later */
- if (mtag)
+ if (mtag) {
+ divinput_flags = divert_info(mtag) &
+ (IP_FW_DIVERT_OUTPUT_FLAG | IP_FW_DIVERT_LOOPBACK_FLAG);
 m_tag_delete(m, mtag);
+ }

 /*
 * Now scan the rules, and parse microinstructions for each rule.
@@ -2027,6 +2038,13 @@ check_body:
 match = (args->eh != NULL);
 break;

+ case O_DIVERTED:
+ match = (cmd->arg1 & 1 && divinput_flags &
+ IP_FW_DIVERT_LOOPBACK_FLAG) ||
+ (cmd->arg1 & 2 && divinput_flags &
+ IP_FW_DIVERT_OUTPUT_FLAG);
+ break;
+
 case O_PROTO:
 /*
 * We do not allow an arg of 0 so the
@@ -2912,6 +2930,7 @@ check_ipfw_struct(struct ip_fw *rule, int size)
 case O_LAYER2:
 case O_IN:
 case O_FRAG:
+ case O_DIVERTED:
 case O_IPOPT:
 case O_IPTOS:
 case O_IPPRECEDENCE:
|
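Review bot: The comment introducing `divinput_flags` in the first hunk does not say which values it can hold or how long they remain meaningful, and that matters because the value is taken from the divert m_tag that the same function deletes immediately afterwards (second hunk), so it describes the packet only for this one pass through ipfw_chk. I would reword it to `divinput_flags: IP_FW_DIVERT_LOOPBACK_FLAG and/or IP_FW_DIVERT_OUTPUT_FLAG taken from the divert tag consumed by this call; zero when the packet did not arrive via a divert socket`, which also replaces the ungrammatical "will allow to distinguish". The remaining declarations of ipfw_chk lie outside the hunk.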
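Review bot: The new O_DIVERTED matcher in the third hunk depends on `&` binding tighter than `&&` with no parentheses; the result is correct today, but it is exactly the form -Wparentheses warns about and the one a later edit is most likely to break. I would write it as `match = ((cmd->arg1 & 1) && (divinput_flags & IP_FW_DIVERT_LOOPBACK_FLAG)) || ((cmd->arg1 & 2) && (divinput_flags & IP_FW_DIVERT_OUTPUT_FLAG));`. The bit values 1 and 2 in arg1 are also undocumented at the point of use; a one-line comment such as `/* arg1 bit 0: match loopback divert input, bit 1: match output divert input */` would tie them to whatever encodes the rule, which is not in this hunk. The check_body switch continues beyond the hunk.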
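Review bot: Adding O_DIVERTED to this case group in check_ipfw_struct (fourth hunk) accepts the opcode without any constraint on cmd->arg1, although the matcher in ipfw_chk only consults bits 0 and 1, so an instruction with arg1 == 0 or with only higher bits set is accepted by rule validation and then silently never matches. If the shared body of this case group only checks the instruction length (it is outside the hunk, so I cannot confirm), O_DIVERTED would be better served by its own case that additionally rejects `if (cmd->arg1 == 0 || (cmd->arg1 & ~3))` through the function's usual error path, in the spirit of the "we do not allow an arg of 0" comment visible for O_PROTO in the third hunk. The body of check_ipfw_struct starts and ends outside the hunk.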