diff options
| author | jlemon <jlemon@FreeBSD.org> | 2001-02-27 19:43:14 +0000 |
|---|---|---|
| committer | jlemon <jlemon@FreeBSD.org> | 2001-02-27 19:43:14 +0000 |
| commit | dd84ad82bfc07defd02defecf83a70f54b2ec5a5 (patch) | |
| tree | b6c7e18a2e8e29ab9e33458402359787c85fe6fa /sys/netinet/ip_input.c | |
| parent | 0b306b40dfef62f6bdfc9f744bf87ee27753005d (diff) | |
| download | FreeBSD-src-dd84ad82bfc07defd02defecf83a70f54b2ec5a5.zip FreeBSD-src-dd84ad82bfc07defd02defecf83a70f54b2ec5a5.tar.gz | |
When iterating over our list of interface addresses in order to determine
if an arriving packet belongs to us, also check that the packet arrived
through the correct interface. Skip this check if the packet was locally
generated.
Diffstat (limited to 'sys/netinet/ip_input.c')
| -rw-r--r-- | sys/netinet/ip_input.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 7625a66..ae60dec 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -256,6 +256,7 @@ ip_input(struct mbuf *m) int i, hlen; u_short sum; u_int16_t divert_cookie; /* firewall cookie */ + struct in_addr pkt_dst; #ifdef IPDIVERT u_int32_t divert_info = 0; /* packet divert/tee info */ #endif @@ -494,6 +495,13 @@ pass: (m->m_flags & (M_MCAST|M_BCAST)) == 0) goto ours; + /* + * Cache the destination address of the packet; this may be + * changed by use of 'ipfw fwd'. + */ + pkt_dst = ip_fw_fwd_addr == NULL ? + ip->ip_dst : ip_fw_fwd_addr->sin_addr; + TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) { #define satosin(sa) ((struct sockaddr_in *)(sa)) @@ -501,26 +509,22 @@ pass: if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY) goto ours; #endif -#ifdef IPFIREWALL_FORWARD /* - * If the addr to forward to is one of ours, we pretend to - * be the destination for this packet. + * check that the packet is either arriving from the + * correct interface or is locally generated. */ - if (ip_fw_fwd_addr == NULL) { - if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr) - goto ours; - } else if (IA_SIN(ia)->sin_addr.s_addr == - ip_fw_fwd_addr->sin_addr.s_addr) - goto ours; -#else - if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr) + if (ia->ia_ifp != m->m_pkthdr.rcvif && + (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) + continue; + + if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr) goto ours; -#endif + if (ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) { if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr == - ip->ip_dst.s_addr) + pkt_dst.s_addr) goto ours; - if (ip->ip_dst.s_addr == ia->ia_netbroadcast.s_addr) + if (ia->ia_netbroadcast.s_addr == pkt_dst.s_addr) goto ours; } } |
