diff options
| author | andre <andre@FreeBSD.org> | 2004-09-13 16:46:05 +0000 |
|---|---|---|
| committer | andre <andre@FreeBSD.org> | 2004-09-13 16:46:05 +0000 |
| commit | eba7c4085ca0d4e9d8cb9060af0fefc31f734223 (patch) | |
| tree | 3dbfddeb0db67847ed0c24e0d57c9abc91d26ebe /sys/netinet | |
| parent | 578f126aa1a1c761479fe9af84be3fe08f4a03c1 (diff) | |
| download | FreeBSD-src-eba7c4085ca0d4e9d8cb9060af0fefc31f734223.zip FreeBSD-src-eba7c4085ca0d4e9d8cb9060af0fefc31f734223.tar.gz | |
Make 'ipfw tee' behave as inteded and designed. A tee'd packet is copied
and sent to the DIVERT socket while the original packet continues with the
next rule. Unlike a normally diverted packet no IP reassembly attemts are
made on tee'd packets and they are passed upwards totally unmodified.
Note: This will not be MFC'd to 4.x because of major infrastucture changes.
PR: kern/64240 (and many others collapsed into that one)
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_fw_pfil.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c index 77ba4b6..7a326d9 100644 --- a/sys/netinet/ip_fw_pfil.c +++ b/sys/netinet/ip_fw_pfil.c @@ -100,6 +100,7 @@ ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir) m_tag_delete(*m0, dn_tag); } +again: args.m = *m0; ipfw = ipfw_chk(&args); *m0 = args.m; @@ -127,7 +128,7 @@ ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir) *m0 = NULL; return 0; /* packet consumed */ } else - goto pass; /* continue with packet */ + goto again; /* continue with packet */ } #ifdef IPFIREWALL_FORWARD @@ -182,6 +183,7 @@ ipfw_check_out(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir) m_tag_delete(*m0, dn_tag); } +again: args.m = *m0; args.oif = ifp; ipfw = ipfw_chk(&args); @@ -209,7 +211,7 @@ ipfw_check_out(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir) *m0 = NULL; return 0; /* packet consumed */ } else - goto pass; /* continue with packet */ + goto again; /* continue with packet */ } #ifdef IPFIREWALL_FORWARD @@ -243,14 +245,12 @@ static int ipfw_divert(struct mbuf **m, int incoming, int tee) { /* - * ipfw_chk() has already tagged the packet with the divert - * tag. For tee we need to remove the tag. + * ipfw_chk() has already tagged the packet with the divert tag. * If tee is set, copy packet and return original. * If not tee, consume packet and send it to divert socket. */ #ifdef IPDIVERT struct mbuf *clone, *reass; - struct m_tag *mtag; struct ip *ip; int hlen; @@ -307,12 +307,12 @@ ipfw_divert(struct mbuf **m, int incoming, int tee) divert_packet(clone, incoming); teeout: - if (tee) { - mtag = m_tag_find(*m, PACKET_TAG_DIVERT, NULL); - if (mtag != NULL) - m_tag_delete(*m, mtag); - return 0; /* continue with original packet. */ - } + /* + * For tee we leave the divert tag attached to original packet. + * It will then continue rule evaluation after the tee rule. + */ + if (tee) + return 0; /* Packet diverted and consumed */ return 1; |
