author | phk <phk@FreeBSD.org> | 1996-02-23 15:47:58 +0000 |
---|---|---|
committer | phk <phk@FreeBSD.org> | 1996-02-23 15:47:58 +0000 |
commit | 37d6472c4f2c7b8e39635fc5494ab71a47e41caa (patch) | |
tree | 97c7360219d204b89bc15ace01e53279c1509f40 /sys/netinet/ip_input.c | |
parent | 8b3d623d7962824ee462d964e5374d96532e5807 (diff) | |
Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "reorder" code entirely.
Count packet & bytecount matches for rules.
Code in -current & -stable is now the same.
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 3ce8640..6d6b464 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.34 1996/01/05 20:46:53 wollman Exp $
+ * $Id: ip_input.c,v 1.35 1996/02/05 20:36:02 wollman Exp $
 */
 #include <sys/param.h>
@@ -106,6 +106,24 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 #endif
 /*
+ * The dummy IP-firewall function, and the pointer we access it through
+ */
+static int
+dummy_ip_fw_chk(m, ip, rif, dir)
+ struct mbuf *m;
+ struct ip *ip;
+ struct ifnet *rif;
+ int dir;
+{
+ return 1;
+}
+
+int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *, struct ifnet *, int dir) =
+ dummy_ip_fw_chk;
+
+int (*ip_fw_ctl_ptr)(int, struct mbuf *);
+
+/*
 * We need to save the IP options in case a protocol wants to respond
 * to an incoming packet over the same route if the packet got here
 * using IP source routing. This allows connection establishment and
@@ -248,10 +266,8 @@ ip_input(struct mbuf *m)
 * - Encapsulate: put it in another IP and send out. <unimp.>
 */
- if (ip_fw_chk_ptr!=NULL)
- if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,ip_fw_chain) ) {
- return;
- }
+ if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,0))
+ return;
 /*
 * Process options and, if not destined for us,
@@ -364,16 +380,6 @@ ip_input(struct mbuf *m)
 ours:
- /*
- * If packet came to us we count it...
- * This way we count all incoming packets which has
- * not been forwarded...
- * Do not convert ip_len to host byte order when
- * counting,ppl already made it for us before..
- */
- if (ip_acct_cnt_ptr!=NULL)
- (*ip_acct_cnt_ptr)(ip,m->m_pkthdr.rcvif,ip_acct_chain,0);
-
 /*
 * If offset or IP_MF are set, must reassemble.
 * Otherwise, nothing need be done. |
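Review bot: `ip_fw_ctl_ptr` is declared without an initialiser, so it starts out NULL, while `ip_fw_chk_ptr` just above it is made non-NULL by pointing at `dummy_ip_fw_chk`; every caller of the control pointer therefore still needs its own NULL test, and the hunk says nothing about that asymmetry. The block comment should also state what the dummy's return value means: judging by the caller in ip_input(), a non-zero result lets the packet continue, so a kernel with no firewall code registered passes all traffic. I would extend the comment to something like `/* Returns non-zero to accept; the dummy accepts everything. ip_fw_ctl_ptr stays NULL until a firewall registers, so callers must check it. */`.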
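Review bot: The call through `ip_fw_chk_ptr` is now unconditional, so ip_input() would jump through a NULL pointer if anything ever stores NULL there, and `dummy_ip_fw_chk` is `static`, which means code outside this file cannot restore the default by name. The code that installs and removes the real checker is not in this diff, so whether it saves and restores the previous value needs confirming; a comment at the call such as `/* ip_fw_chk_ptr is never NULL; unregistering must restore the previous handler */` would record the invariant. The bare `0` passed as `dir` would also read better as a named constant, since its meaning (presumably the inbound direction) is not visible here. ip_input()'s body starts and ends outside the hunk.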