From d3ede346f9d3bdcbd733922d7a0d69135096756a Mon Sep 17 00:00:00 2001 From: mlaier Date: Tue, 2 Mar 2004 20:29:55 +0000 Subject: Move PFIL_HOOKS and ipfw past the scope checks to allow easy redirection to linklocal. Obtained from: OpenBSD Reviewed by: ume Approved by: bms(mentor) --- sys/netinet6/ip6_input.c | 64 ++++++++++++++++++++++++------------------------ 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 27af922..412d6a3 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -343,41 +343,9 @@ ip6_input(m) goto bad; } -#ifdef PFIL_HOOKS - /* - * Run through list of hooks for input packets. - * - * NB: Beware of the destination address changing - * (e.g. by NAT rewriting). When this happens, - * tell ip6_forward to do the right thing. - */ - odst = ip6->ip6_dst; - if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN)) - return; - if (m == NULL) /* consumed by filter */ - return; - ip6 = mtod(m, struct ip6_hdr *); - srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); -#endif /* PFIL_HOOKS */ - ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; /* - * Check with the firewall... - */ - if (ip6_fw_enable && ip6_fw_chk_ptr) { - u_short port = 0; - /* If ipfw says divert, we have to just drop packet */ - /* use port as a dummy argument */ - if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { - m_freem(m); - m = NULL; - } - if (!m) - return; - } - - /* * Check against address spoofing/corruption. */ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || @@ -456,6 +424,38 @@ ip6_input(m) } } +#ifdef PFIL_HOOKS + /* + * Run through list of hooks for input packets. + * + * NB: Beware of the destination address changing + * (e.g. by NAT rewriting). When this happens, + * tell ip6_forward to do the right thing. + */ + odst = ip6->ip6_dst; + if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN)) + return; + if (m == NULL) /* consumed by filter */ + return; + ip6 = mtod(m, struct ip6_hdr *); + srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); +#endif /* PFIL_HOOKS */ + + /* + * Check with the firewall... + */ + if (ip6_fw_enable && ip6_fw_chk_ptr) { + u_short port = 0; + /* If ipfw says divert, we have to just drop packet */ + /* use port as a dummy argument */ + if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { + m_freem(m); + m = NULL; + } + if (!m) + return; + } + /* * construct source and destination address structures with * disambiguating their scope zones (if there is ambiguity). -- cgit v1.1