Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r-- | sys/netinet/ip_output.c | 29 |
1 files changed, 13 insertions, 16 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index defc06a..4401f6b 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.55 1997/04/27 20:01:07 wollman Exp $
+ * $Id: ip_output.c,v 1.56 1997/05/06 21:22:04 fenner Exp $
 */
 #define _IP_VHL
@@ -357,7 +357,7 @@ sendit:
 /*
 * IpHack's section.
 * - Xlate: translate packet's addr/port (NAT).
- * - Firewall: deny/allow
+ * - Firewall: deny/allow/etc.
 * - Wrap: fake packet's addr/port <unimpl.>
 * - Encapsulate: put it in another IP and send out. <unimp.>
 */
@@ -372,27 +372,24 @@ sendit:
 * Check with the firewall...
 */
 if (ip_fw_chk_ptr) {
- int action;
-
 #ifdef IPDIVERT
- action = (*ip_fw_chk_ptr)(&ip,
- hlen, ifp, (~0 << 16) | ip_divert_ignore, &m);
+ ip_divert_port = (*ip_fw_chk_ptr)(&ip,
+ hlen, ifp, ip_divert_ignore, &m);
 ip_divert_ignore = 0;
-#else
- action = (*ip_fw_chk_ptr)(&ip, hlen, ifp, (~0 << 16), &m);
-#endif
- if (action == -1) {
- error = EACCES; /* XXX is this appropriate? */
- goto done;
- } else if (action != 0) {
-#ifdef IPDIVERT
- ip_divert_port = action; /* divert to port */
+ if (ip_divert_port) { /* Divert packet */
 (*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, 0);
 goto done;
+ }
 #else
- m_freem(m); /* ipfw says divert, but we can't */
+ /* If ipfw says divert, we have to just drop packet */
+ if ((*ip_fw_chk_ptr)(&ip, hlen, ifp, 0, &m)) {
+ m_freem(m);
 goto done;
+ }
 #endif
+ if (!m) {
+ error = EACCES;
+ goto done;
 }
 }
 #endif /* COMPAT_IPFW */ |
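Review bot: The deny path in the third hunk (`if (!m) { error = EACCES; goto done; }`) now relies on the firewall hook clearing `m` rather than returning -1, yet nothing in the hunk documents that contract, and the hook's return value is tested before `m` is. If a hook ever returned non-zero after consuming the mbuf, the IPDIVERT branch would pass a NULL `m` to `pr_input` and the other branch would call `m_freem(m)` on it; whether that can happen depends on the hook, which is outside this hunk. If the contract is what the code implies, I would state it above the call, e.g. `/* hook returns a divert port (0 = none); on deny it frees the packet and sets m to NULL */`, and make the divert test `if (ip_divert_port && m)`, or move the `!m` check ahead of it. The non-divert drop also reaches `done` without setting `error`, so as far as the hunk shows the caller is not told the packet was discarded. The enclosing function starts and ends outside the hunk.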