diff options
| author | julian <julian@FreeBSD.org> | 1998-05-25 10:37:48 +0000 |
|---|---|---|
| committer | julian <julian@FreeBSD.org> | 1998-05-25 10:37:48 +0000 |
| commit | 8c304384d07abcd64cb1542078a26c103aca8a0c (patch) | |
| tree | 86945df8f3fb0f7337ec7ff3582e6b50d430cb7c /sys/netinet/ip_var.h | |
| parent | bf79f2c5a4a882aa62556198a11b4823281da1f7 (diff) | |
| download | FreeBSD-src-8c304384d07abcd64cb1542078a26c103aca8a0c.zip FreeBSD-src-8c304384d07abcd64cb1542078a26c103aca8a0c.tar.gz | |
Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.
The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)
To enable the new code use
option IPFW_DIVERT_RESTART
This should become the default as soon as people have looked at it a bit
Diffstat (limited to 'sys/netinet/ip_var.h')
| -rw-r--r-- | sys/netinet/ip_var.h | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index 985e17e..a0aaeef 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_var.h 8.2 (Berkeley) 1/9/95 - * $Id: ip_var.h,v 1.36 1998/05/19 14:19:03 dg Exp $ + * $Id: ip_var.h,v 1.37 1998/05/19 15:53:50 pb Exp $ */ #ifndef _NETINET_IP_VAR_H_ @@ -65,6 +65,9 @@ struct ipq { struct in_addr ipq_src,ipq_dst; #ifdef IPDIVERT u_short ipq_divert; /* divert protocol port */ +#ifdef IPFW_DIVERT_RESTART + u_short ipq_div_cookie; /* divert protocol cookie */ +#endif /* IPFW_DIVERT_RESTART */ #endif }; @@ -207,7 +210,13 @@ void div_init __P((void)); void div_input __P((struct mbuf *, int)); extern struct pr_usrreqs div_usrreqs; extern u_short ip_divert_port; +#ifndef IPFW_DIVERT_RESTART extern u_short ip_divert_ignore; +#else +extern u_short ip_divert_in_cookie; +extern u_short ip_divert_out_cookie; + +#endif /* IPFW_DIVERT_RESTART */ #endif /* IPDIVERT */ #endif /* KERNEL */ |
