authorjmallett <jmallett@FreeBSD.org>2004-07-17 02:40:13 +0000
committerjmallett <jmallett@FreeBSD.org>2004-07-17 02:40:13 +0000
commit111d2dd1159354d54660b7275a9d1e2fd35dd227 (patch)
tree392cef56c71ac33e390c5c4e9f00d4a2b73b6808 /sys
parente2c3152e77cba6cc168ce99880e6b6bef9921e4e (diff)
downloadFreeBSD-src-111d2dd1159354d54660b7275a9d1e2fd35dd227.zip
FreeBSD-src-111d2dd1159354d54660b7275a9d1e2fd35dd227.tar.gz
Make M_SKIP_FIREWALL a global (and semantic) flag, preventing anything from
using M_PROTO6 and possibly shooting someone's foot, as well as allowing the firewall to be used in multiple passes, or with a packet classifier frontend, that may need to explicitly allow a certain packet. Presently this is handled in the ipfw_chk code as before, though I have run with it moved to upper layers, and possibly it should apply to ipfilter and pf as well, though this has not been investigated. Discussed with: luigi, rwatson
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_fw2.c12
-rw-r--r--sys/sys/mbuf.h4
2 files changed, 2 insertions, 14 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 19f54ca..0b6f754 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -86,18 +86,6 @@
#include <machine/in_cksum.h> /* XXX for in_cksum */
/*
- * This is used to avoid that a firewall-generated packet
- * loops forever through the firewall. Note that it must
- * be a flag that is unused by other protocols that might
- * be called from ip_output (e.g. IPsec) and it must be
- * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
- * is altered on the way through ip_output it is not lost.
- * It might be better to add an m_tag since the this happens
- * infrequently.
- */
-#define M_SKIP_FIREWALL M_PROTO6
-
-/*
* set_disable contains one bit per set value (0..31).
* If the bit is set, all rules with the corresponding set
* are disabled. Set RESVD_SET(31) is reserved for the default rule
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index e8b6682..ad443fe 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -165,7 +165,7 @@ struct mbuf {
#define M_PROTO3 0x0040 /* protocol-specific */
#define M_PROTO4 0x0080 /* protocol-specific */
#define M_PROTO5 0x0100 /* protocol-specific */
-#define M_PROTO6 0x4000 /* protocol-specific (avoid M_BCAST conflict) */
+#define M_SKIP_FIREWALL 0x4000 /* skip firewall processing */
#define M_FREELIST 0x8000 /* mbuf is on the free list */
/*
@@ -192,7 +192,7 @@ struct mbuf {
* Flags copied when copying m_pkthdr.
*/
#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_RDONLY|M_PROTO1|M_PROTO1|M_PROTO2|\
- M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|\
+ M_PROTO3|M_PROTO4|M_PROTO5|M_SKIP_FIREWALL|\
M_BCAST|M_MCAST|M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
/*
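Review bot: The new `M_SKIP_FIREWALL` define in the first mbuf.h hunk keeps only `/* skip firewall processing */`, which drops the rationale the removed ip_fw2.c comment carried, and that line is now the sole documentation of a bit whose presence makes a packet bypass the firewall. Because the flag has become global, any kernel path can set it, so the header should state the contract the old comment gave: that it marks firewall-generated packets so they do not loop through the firewall, that it must survive `ip_output` and is therefore listed in `M_COPYFLAGS`, and that the bit must not be reused by other protocols; e.g. `/* skip firewall processing: marks packets already passed/generated by the firewall; kept in M_COPYFLAGS so it survives ip_output; do not reuse this bit */`. The second hunk, which swaps the bit into `M_COPYFLAGS`, is what makes that persistence hold, so a cross-reference from the define helps the next reader see why the two changes belong together. Unrelated but visible on the same `M_COPYFLAGS` line, `M_PROTO1|M_PROTO1` is a pre-existing harmless duplicate that could be cleaned up while here.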