author | phk <phk@FreeBSD.org> | 1996-02-23 15:47:58 +0000 |
committer | phk <phk@FreeBSD.org> | 1996-02-23 15:47:58 +0000 |
commit | 37d6472c4f2c7b8e39635fc5494ab71a47e41caa (patch) | |
tree | 97c7360219d204b89bc15ace01e53279c1509f40 /sys/netinet/ip_output.c | |
parent | 8b3d623d7962824ee462d964e5374d96532e5807 (diff) | |
Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "reorder" code entirely.
Count packet & bytecount matches for rules.
Code in -current & -stable is now the same.
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r-- | sys/netinet/ip_output.c | 20 |
1 files changed, 9 insertions, 11 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 58220b8..614ffc5 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.27 1995/12/19 21:24:19 wollman Exp $
+ * $Id: ip_output.c,v 1.28 1996/02/22 21:32:23 peter Exp $
  */
 
 #include <sys/param.h>
@@ -337,6 +337,14 @@ ip_output(m0, opt, ro, flags, imo)
 
 sendit:
 	/*
+	 * Check with the firewall...
+	 */
+	if (!(*ip_fw_chk_ptr)(m,ip,ifp,1)) {
+		error = 0;
+		goto done;
+	}
+
+	/*
 	 * If small enough for interface, can just send directly.
 	 */
 	if ((u_short)ip->ip_len <= ifp->if_mtu) {
@@ -454,16 +462,6 @@ sendorfree:
 done:
 	if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
 		RTFREE(ro->ro_rt);
-	/*
-	 * Count outgoing packet,here we count both our packets and
-	 * those we forward.
-	 * Here we want to convert ip_len to host byte order when counting
-	 * so we set 3rd arg to 1.
-	 * This is locally generated packet so it has not
-	 * incoming interface.
-	 */
-	if (ip_acct_cnt_ptr!=NULL)
-		(*ip_acct_cnt_ptr)(ip,NULL,ip_acct_chain,1);
 	return (error);
 
 bad:
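Review bot: The new check after `sendit:` calls through `ip_fw_chk_ptr` unconditionally, whereas the accounting hook this commit removes at `done:` was guarded with `ip_acct_cnt_ptr!=NULL`; unless the pointer is always initialized outside this hunk (for example to a default accept routine), a kernel with no firewall attached dereferences a null function pointer on every outgoing packet. A guard in the same shape as the removed one, `if (ip_fw_chk_ptr != NULL && !(*ip_fw_chk_ptr)(m,ip,ifp,1)) {`, keeps the rest of the hunk as is. The deny path also jumps to `done:` with `error = 0`, which bypasses whatever mbuf cleanup follows the `bad:` label outside the hunk, so `m` is released only if the hook consumes it when it returns 0; that ownership should be stated in the comment, e.g. `/* Check with the firewall; on deny the hook owns and frees m. */`, or confirmed against the hook's implementation. ip_output's body continues outside the hunk on both sides.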