authordarrenr <darrenr@FreeBSD.org>2000-07-31 13:11:42 +0000
committerdarrenr <darrenr@FreeBSD.org>2000-07-31 13:11:42 +0000
commitd18ce92d580ccae82a3d998f6127986ad1690a09 (patch)
tree16f6dbf24b21c74396eb07b8e0a16ea1e30c777a /sys/netinet/ip_input.c
parentcc221d575afd5334c5ac8e02eeaaa48fec13df38 (diff)
activate pfil_hooks and convert ipfilter to use it
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c38
1 files changed, 28 insertions, 10 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 6647622..387abd1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -43,12 +43,14 @@
#include "opt_ipfilter.h"
#include "opt_ipstealth.h"
#include "opt_ipsec.h"
+#include "opt_pfil_hooks.h"
#include <stddef.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
+#include <sys/pfil.h>
#include <sys/malloc.h>
#include <sys/domain.h>
#include <sys/protosw.h>
@@ -175,8 +177,6 @@ int fw_enable = 1 ;
ip_dn_ctl_t *ip_dn_ctl_ptr;
#endif
-int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
-
/*
* We need to save the IP options in case a protocol wants to respond
@@ -261,6 +261,11 @@ ip_input(struct mbuf *m)
u_int32_t divert_info = 0; /* packet divert/tee info */
#endif
struct ip_fw_chain *rule = NULL;
+#ifdef PFIL_HOOKS
+ struct packet_filter_hook *pfh;
+ struct mbuf *m0;
+ int rv;
+#endif /* PFIL_HOOKS */
#ifdef IPDIVERT
/* Get and reset firewall cookie */
@@ -377,17 +382,30 @@ tooshort:
#if defined(IPFIREWALL) && defined(DUMMYNET)
iphack:
#endif
+
+#ifdef PFIL_HOOKS
/*
- * Check if we want to allow this packet to be processed.
- * Consider it to be bad if not.
+ * Run through list of hooks for input packets. If there are any
+ * filters which require that additional packets in the flow are
+ * not fast-forwarded, they must clear the M_CANFASTFWD flag.
+ * Note that filters must _never_ set this flag, as another filter
+ * in the list may have previously cleared it.
*/
- if (fr_checkp) {
- struct mbuf *m1 = m;
+ m0 = m;
+ pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+ for (; pfh; pfh = pfh->pfil_link.tqe_next)
+ if (pfh->pfil_func) {
+ rv = pfh->pfil_func(ip, hlen,
+ m->m_pkthdr.rcvif, 0, &m0);
+ if (rv)
+ return;
+ m = m0;
+ if (m == NULL)
+ return;
+ ip = mtod(m, struct ip *);
+ }
+#endif /* PFIL_HOOKS */
- if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
- return;
- ip = mtod(m = m1, struct ip *);
- }
if (fw_enable && ip_fw_chk_ptr) {
#ifdef IPFIREWALL_FORWARD
/*
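Review bot: In the hook loop, `hlen` is passed to every `pfil_func` but is never refreshed after a hook hands back a different mbuf through `m0`; only `ip` is re-derived with `mtod()`, so a later hook and the rest of ip_input may work from a header length that no longer matches the packet if an earlier hook rewrote or replaced the header. Recomputing `hlen` from the new `ip` right after `ip = mtod(m, struct ip *);`, the same way it was derived earlier in the function, would close that, and it would be worth confirming that the replacement mbuf still holds a full IP header in its first segment before the `mtod()`. The bare `return` on `if (rv)` relies on the hook having already freed the mbuf (presumably the pfil contract), which the block comment does not say; I would add `/* A non-zero return means the hook has consumed and freed the packet. */` above it so a hook author does not leak mbufs on the drop path. ip_input starts and ends outside this hunk, so the earlier `hlen` computation and length checks are assumed rather than visible here.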