author | thompsa <thompsa@FreeBSD.org> | 2007-09-16 21:09:15 +0000 |
committer | thompsa <thompsa@FreeBSD.org> | 2007-09-16 21:09:15 +0000 |
commit | 1498d5a44d5bf57a91f76520cd6dc26d0a2dc269 (patch) | |
tree | 88fb02daca4e1b5da69c8211cb48c382b00c2bd1 /sys | |
parent | ad840660932b3ea60a4a7a995abe548ca1df57d0 (diff) | |
Allow additional packet filtering on the physical interface for locally
destined packets, disabled by default.
PR: kern/116051
Submitted by: Eygene Ryabinkin
Approved by: re (bmah)
MFC after: 2 weeks
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/if_bridge.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 6c96cbb..e464d96 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -340,6 +340,8 @@ static int pfil_bridge = 1; /* run pfil hooks on the bridge interface */
 static int pfil_member = 1; /* run pfil hooks on the member interface */
 static int pfil_ipfw = 0; /* layer2 filter with ipfw */
 static int pfil_ipfw_arp = 0; /* layer2 filter with ipfw */
+static int pfil_local_phys = 0; /* run pfil hooks on the physical interface for
+ locally destined packets */
 static int log_stp = 0; /* log STP state changes */
 SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW,
 &pfil_onlyip, 0, "Only pass IP packets when pfil is enabled");
@@ -349,6 +351,9 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RW,
 &pfil_bridge, 0, "Packet filter on the bridge interface");
 SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW,
 &pfil_member, 0, "Packet filter on the member interface");
+SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_local_phys, CTLFLAG_RW,
+ &pfil_local_phys, 0,
+ "Packet filter on the physical interface for locally destined packets");
 SYSCTL_INT(_net_link_bridge, OID_AUTO, log_stp, CTLFLAG_RW,
 &log_stp, 0, "Log STP state changes");
@@ -2070,6 +2075,21 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)
 if (memcmp(eh->ether_dhost, IF_LLADDR(bifp), ETHER_ADDR_LEN) == 0) {
 /*
+ * Filter on the physical interface.
+ */
+ if (pfil_local_phys && (PFIL_HOOKED(&inet_pfil_hook)
+#ifdef INET6
+ || PFIL_HOOKED(&inet6_pfil_hook)
+#endif
+ )) {
+ if (bridge_pfil(&m, NULL, ifp, PFIL_IN) != 0 ||
+ m == NULL) {
+ BRIDGE_UNLOCK(sc);
+ return (NULL);
+ }
+ }
+
+ /*
 * If the packet is for us, set the packets source as the
 * bridge, and return the packet back to ether_input for
 * local processing. |
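Review bot: After the new `bridge_pfil(&m, NULL, ifp, PFIL_IN)` call in the third hunk the mbuf may have been replaced (it is passed by `&m`, and the hook chain can pull up or re-chain it), so `eh`, which the enclosing memcmp() line derives from the old mbuf, is stale from that point on; the rest of the branch is outside the hunk, so confirm it only touches `m`, and add `/* m may have been replaced by bridge_pfil(); eh is no longer valid */` after the inner if. Whether this filter runs at all also appears to depend on bridge_pfil() honouring pfil_member for the ifp argument, since bifp is passed as NULL; if that is the case the sysctl description should say so, e.g. `"Packet filter on the physical interface for locally destined packets (requires pfil_member)"`. Only the branch matching the bridge's own link-layer address gets the check; if bridge_input later also hands packets addressed to a member interface's address back to ether_input, that path is not covered by pfil_local_phys and should get the same check or be called out in the description. bridge_input() starts and ends outside the hunk.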