author | sam <sam@FreeBSD.org> | 2003-10-16 18:57:45 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2003-10-16 18:57:45 +0000 |
commit | 104396b82e345d5a0940c3e056b20484c180e6fa (patch) | |
tree | 453095359ecced6dd614dc3b3a39ec3ec9dcd103 /sys/netinet6/ip6_input.c | |
parent | 73482347f601196c9e6981ac8547def8a1057243 (diff) | |
pfil hooks can modify packet contents so check if the destination
address has been changed when PFIL_HOOKS is enabled and, if it has,
arrange for the proper action by ip*_forward.
Submitted by: Pyun YongHyeon
Supported by: FreeBSD Foundation
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r-- | sys/netinet6/ip6_input.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index cc6f842..3f2c9cb 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -247,6 +247,10 @@ ip6_input(m)
 int nxt, ours = 0;
 struct ifnet *deliverifp = NULL;
+#ifdef PFIL_HOOKS
+ struct in6_addr odst;
+#endif
+ int srcrt = 0;
 #ifdef IPSEC
 /*
 * should the inner packet be considered authentic?
@@ -346,7 +350,12 @@ ip6_input(m)
 return;
 if (m == NULL) /* consumed by filter */
 return;
+ *
+ * NB: Beware of the destination address changing
+ * (e.g. by NAT rewriting). When this happens,
+ * tell ip6_forward to do the right thing.
 ip6 = mtod(m, struct ip6_hdr *);
+ odst = ip6->ip6_dst;
 #endif /* PFIL_HOOKS */
 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
@@ -356,6 +365,7 @@ ip6_input(m)
 */
 if (ip6_fw_enable && ip6_fw_chk_ptr) {
 u_short port = 0;
+ srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
 /* If ipfw says divert, we have to just drop packet */
 /* use port as a dummy argument */
 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
@@ -710,7 +720,7 @@ ip6_input(m)
 return;
 }
 } else if (!ours) {
- ip6_forward(m, 0);
+ ip6_forward(m, srcrt);
 return;
 } |
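Review bot: As the second hunk reads, `odst = ip6->ip6_dst;` is added after the `if (m == NULL) /* consumed by filter */ return;` check and the `ip6 = mtod(m, struct ip6_hdr *);` reload, so it appears to record the destination after the pfil hooks have already run. If that is the real order, the later `!IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst)` cannot see a rewrite made by a hook, and `ip6_forward` is still called with `srcrt` 0 for a NAT-rewritten packet, which is the case the commit message sets out to handle. The snapshot `odst = ip6->ip6_dst;` should be taken before the hook call, which is above the hunk, with `srcrt` computed right after the `mtod` reload. The four added ` * NB: ...` comment lines also follow a `return;` with no comment opener visible in the hunk, so confirm they land inside the existing block comment rather than in code.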
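Review bot: `odst` is declared and assigned only under `#ifdef PFIL_HOOKS` (first and second hunks), but the third hunk adds `srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);` inside the `ip6_fw_enable` block, which by the second hunk's context follows `#endif /* PFIL_HOOKS */`. Unless that block is guarded somewhere outside the visible lines, a kernel built without PFIL_HOOKS would not compile here. The comparison also runs before `(*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)` is called, so it cannot reflect any change that check makes to the header. Moving the line into the PFIL_HOOKS section, directly after `ip6 = mtod(m, struct ip6_hdr *);`, would address both points. The rest of ip6_input lies outside the hunk.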