-rw-r--r-- | sys/netinet/in_proto.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 19 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 20 |
3 files changed, 45 insertions, 0 deletions
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index 52c3c83..5b66e0d 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -89,6 +89,12 @@ int tp_ctloutput(), tp_usrreq();
 void eoninput(), eonctlinput(), eonprotoinit();
 #endif /* EON */
+#ifdef IPFILTER
+void iplinit();
+#define ip_init iplinit
+#endif
+
+
 extern struct domain inetdomain;
 struct protosw inetsw[] = {
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index b1c8165..1fc5299 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -134,6 +134,12 @@ ip_nat_t *ip_nat_ptr;
 ip_nat_ctl_t *ip_nat_ctl_ptr;
 #endif
+#if defined(IPFILTER_LKM) || defined(IPFILTER)
+int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
+#endif
+
+
 /*
  * We need to save the IP options in case a protocol wants to respond
  * to an incoming packet over the same route if the packet got here
@@ -341,6 +347,19 @@ tooshort:
 	return;
 #endif
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+	{
+		struct mbuf *m0 = m;
+		/*
+		 * Check if we want to allow this packet to be processed.
+		 * Consider it to be bad if not.
+		 */
+		if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0))
+			goto next;
+		ip = mtod(m = m0, struct ip *);
+	}
+#endif
+
 /*
  * Process options and, if not destined for us,
  * ship it on. ip_dooptions returns 1 when an
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 81358ba..186598b 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
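Review bot: `#define ip_init iplinit` silently renames every later use of `ip_init` in this file — presumably the `pr_init` slot of the IP entry in `inetsw[]` below — so a reader of the table still sees the stock initialiser while a different function runs. Add a comment at the define that states the contract, e.g. `/* IPFILTER: iplinit() replaces ip_init in inetsw[] and must call the real ip_init() itself */`, since nothing here says whether IP's own initialisation still happens. The guard is `#ifdef IPFILTER` only, whereas the other two files also test `IPFILTER_LKM`; if the LKM installs `fr_checkp` at load time and needs no init substitution, a one-line comment saying so would stop the asymmetry from looking like an omission. The two trailing empty `+` lines add nothing and can be dropped.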
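Review bot: The `fr_check` prototype and the `fr_checkp` hook definition are written out here and repeated by hand as `extern` declarations in the ip_output.c hunk; if the filter's signature ever changes, the two copies drift apart with no compiler diagnostic because each translation unit only sees its own. Put both declarations in one header included by both files (ip_var.h or the filter's own header) and keep only the definition here. A comment on the pointer such as `/* installed by the filter at init/load time; NULL means packets are not filtered */` would also document who owns this hook, since it is consulted on every input and output packet.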
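Review bot: Only a non-zero return from `(*fr_checkp)` is treated as a rejection; if the hook returns 0 but has consumed the packet and set `m0` to NULL (the mbuf pointer is passed by address so the hook can replace or take it), the following `ip = mtod(m = m0, struct ip *)` dereferences a null mbuf. Guard the pointer as well: `if ((fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) || m0 == NULL) goto next;`. Nothing in the hunk frees `m` before `goto next`, so unless `next:` (outside the hunk) does, the contract must be that the hook frees the mbuf whenever it returns non-zero; say so in the comment (`/* on rejection the hook has already freed the mbuf */`) so a later filter does not leak or double-free. `ip_input`'s body begins and ends outside the hunk.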
@@ -80,6 +80,12 @@ static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
 static int ip_setmoptions __P((int, struct ip_moptions **, struct mbuf *));
+#if defined(IPFILTER_LKM) || defined(IPFILTER)
+extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#endif
+
+
 extern struct protosw inetsw[];
 /*
@@ -331,6 +337,20 @@ ip_output(m0, opt, ro, flags, imo)
 		m->m_flags &= ~M_BCAST;
 	}
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+	{
+		struct mbuf *m0 = m;
+		/*
+		 * looks like most checking has been done now...do a filter check
+		 */
+		if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0))
+		{
+			error = EHOSTUNREACH;
+			goto done;
+		}
+		ip = mtod(m = m0, struct ip *);
+	}
+#endif
 sendit:
	/*
	 * IpHack's section.
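Review bot: As in the ip_input.c filter hunk, a 0 return with `m0` left NULL by the hook reaches `ip = mtod(m = m0, struct ip *)` unguarded; add `if (m0 == NULL) goto done;` after the call (with `error` set or left at 0 according to whether the filter's contract treats a consumed packet as success). On the `EHOSTUNREACH` path the code jumps to `done` without freeing `m`; `done:` is outside the hunk, so if it does not free the mbuf the hook must have, and that ownership belongs in the comment rather than "looks like most checking has been done now". The `if (...)` with the brace on its own line departs from the K&R style of the surrounding code. `ip_output`'s body begins and ends outside the hunk.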