authorphk <phk@FreeBSD.org>1996-02-23 15:47:58 +0000
committerphk <phk@FreeBSD.org>1996-02-23 15:47:58 +0000
commit37d6472c4f2c7b8e39635fc5494ab71a47e41caa (patch)
tree97c7360219d204b89bc15ace01e53279c1509f40 /sys/netinet/ip_output.c
parent8b3d623d7962824ee462d964e5374d96532e5807 (diff)
Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole. Waste less memory. Rewrite to contemporary more readable style. Kill separate IPACCT facility, use "accept" rules in IPFIREWALL. Filter incoming >and< outgoing packets. Replace "policy" by sticky "deny all" rule. Rules have numbers used for ordering and deletion. Remove "reorder" code entirely. Count packet & bytecount matches for rules. Code in -current & -stable is now the same.
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r--sys/netinet/ip_output.c20
1 files changed, 9 insertions, 11 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 58220b8..614ffc5 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.27 1995/12/19 21:24:19 wollman Exp $
+ * $Id: ip_output.c,v 1.28 1996/02/22 21:32:23 peter Exp $
*/
#include <sys/param.h>
@@ -337,6 +337,14 @@ ip_output(m0, opt, ro, flags, imo)
sendit:
/*
+ * Check with the firewall...
+ */
+ if (!(*ip_fw_chk_ptr)(m,ip,ifp,1)) {
+ error = 0;
+ goto done;
+ }
+
+ /*
* If small enough for interface, can just send directly.
*/
if ((u_short)ip->ip_len <= ifp->if_mtu) {
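Review bot: The new call at `sendit:` goes through `ip_fw_chk_ptr` with no NULL test, whereas the accounting hook this commit removes at `done:` was guarded with `ip_acct_cnt_ptr!=NULL`. Unless the pointer is always initialised to a pass-all routine (not visible in this hunk), a kernel with no firewall attached would fault on every outbound packet, so `if (ip_fw_chk_ptr != NULL && !(*ip_fw_chk_ptr)(m,ip,ifp,1)) {` is the safer form. The deny branch jumps to `done`, which in the lines shown releases only the route, so it needs a comment stating that the check routine has already freed `m` on rejection; if it has not, every denied packet leaks an mbuf. The comment should also say that the literal `1` presumably selects the outgoing direction and that `error = 0` deliberately reports a filtered packet to the caller as sent. ip_output's body starts and ends outside the hunk.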
@@ -454,16 +462,6 @@ sendorfree:
done:
if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
RTFREE(ro->ro_rt);
- /*
- * Count outgoing packet,here we count both our packets and
- * those we forward.
- * Here we want to convert ip_len to host byte order when counting
- * so we set 3rd arg to 1.
- * This is locally generated packet so it has not
- * incoming interface.
- */
- if (ip_acct_cnt_ptr!=NULL)
- (*ip_acct_cnt_ptr)(ip,NULL,ip_acct_chain,1);
return (error);
bad: