1 files changed, 25 insertions, 8 deletions

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 450b0d6..a5dd111 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -41,6 +41,7 @@
 #include "opt_ipdivert.h"
 #include "opt_ipfilter.h"
 #include "opt_ipsec.h"
+#include "opt_pfil_hooks.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -106,7 +107,6 @@ static int	ip_setmoptions
 	__P((struct sockopt *, struct ip_moptions **));
 
 int	ip_optcopy __P((struct ip *, struct ip *));
-extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
 
 
 extern	struct protosw inetsw[];
@@ -139,6 +139,11 @@ ip_output(m0, opt, ro, flags, imo)
 	struct secpolicy *sp = NULL;
 #endif
 	u_int16_t divert_cookie;		/* firewall cookie */
+#ifdef PFIL_HOOKS
+	struct packet_filter_hook *pfh;
+	struct mbuf *m1;
+	int rv;
+#endif /* PFIL_HOOKS */
 #ifdef IPFIREWALL_FORWARD
 	int fwd_rewrite_src = 0;
 #endif
@@ -431,13 +436,25 @@ sendit:
 	 * - Wrap: fake packet's addr/port <unimpl.>
 	 * - Encapsulate: put it in another IP and send out. <unimp.>
 	 */ 
-	if (fr_checkp) {
-		struct  mbuf    *m1 = m;
-
-		if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
-			goto done;
-		ip = mtod(m = m1, struct ip *);
-	}
+#ifdef PFIL_HOOKS
+	/*
+	 * Run through list of hooks for output packets.
+	 */
+	m1 = m;
+	pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+	for (; pfh; pfh = pfh->pfil_link.tqe_next)
+		if (pfh->pfil_func) {
+			rv = pfh->pfil_func(ip, hlen, ifp, 1, &m1);
+			if (rv) {
+				error = EHOSTUNREACH;
+				goto done;
+			}
+			m = m1;
+			if (m == NULL)
+				goto done;
+			ip = mtod(m, struct ip *);
+		}
+#endif /* PFIL_HOOKS */
 
 	/*
 	 * Check with the firewall...