Date:      Wed, 04 Dec 2002 13:13:25 -0500
From:      "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
To:        "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
Cc:        Eric Masson <e-masson@kisoft-services.com>, stable@freebsd.org
Subject:   Re: Cjc's Ipfilter/Bridge patch
Message-ID:  <3DEE45C5.9020302@georgiacenter.org>
References:  <86y975znsw.fsf@notbsdems.nantes.kisoft-services.com> <3DEE454C.5080308@georgiacenter.org>

found it after all...

http://raisdorf.net/?page=publications&sub=bridge

Robin P. Blanchard wrote:
> last time I checked that patch was obsolete and will not patch against 
> -STABLE. I cannot remember where I found this updated patch, but it 
> works... Hope this helps.
> 
> 
> Eric Masson wrote:
> 
>> Hello,
>>
>> I'd like to know whether the ipf/bridge patch located at :
>> http://people.freebsd.org/~cjc/
>>
>> could be merged in the tree (-current then MFC) ?
>>
>> Is there any showstopper ?
>>
>> TIA
>>
>> Eric Masson
>>
> 
> 
> ------------------------------------------------------------------------
> 
> Index: sys/net/bridge.c
> ===================================================================
> RCS file: /export/freebsd/ncvs/src/sys/net/bridge.c,v
> retrieving revision 1.16.2.20
> diff -u -r1.16.2.20 bridge.c
> --- sys/net/bridge.c	9 Jul 2002 09:11:41 -0000	1.16.2.20
> +++ sys/net/bridge.c	3 Oct 2002 20:16:03 -0000
> @@ -91,16 +91,12 @@
>  #include <sys/param.h>
>  #include <sys/mbuf.h>
>  #include <sys/malloc.h>
> -#include <sys/protosw.h>
>  #include <sys/systm.h>
>  #include <sys/socket.h> /* for net/if.h */
>  #include <sys/ctype.h>	/* string functions */
>  #include <sys/kernel.h>
>  #include <sys/sysctl.h>
>  
> -#if 0	/* XXX does not work yet */
> -#include <net/pfil.h>	/* for ipfilter */
> -#endif
>  #include <net/if.h>
>  #include <net/if_types.h>
>  #include <net/if_var.h>
> @@ -206,6 +202,11 @@
>  static int bdg_ipf;		/* IPFilter enabled in bridge */
>  static int bdg_ipfw;
>  
> +/*
> + * For IPFilter, declared in ip_input.c
> + */
> +extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);
> +
>  #if 0 /* debugging only */
>  static char *bdg_dst_names[] = {
>  	"BDG_NULL    ",
> @@ -801,10 +802,6 @@
>      int once = 0;      /* loop only once */
>      struct ifnet *real_dst = dst ; /* real dst from ether_output */
>      struct ip_fw_args args;
> -#ifdef PFIL_HOOKS
> -    struct packet_filter_hook *pfh;
> -    int rv;
> -#endif /* PFIL_HOOKS */
>  
>      /*
>       * XXX eh is usually a pointer within the mbuf (some ethernet drivers
> @@ -857,10 +854,8 @@
>       * Additional restrictions may apply e.g. non-IP, short packets,
>       * and pkts already gone through a pipe.
>       */
> -    if (src != NULL && (
> -#ifdef PFIL_HOOKS
> -	((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) ||
> -#endif
> +    if (src != NULL &&
> +	((fr_checkp != NULL && bdg_ipf != 0) ||
>  	(IPFW_LOADED && bdg_ipfw != 0))) {
>  
>  	int i;
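Review bot: `fr_checkp` is a module-settable global that is tested here (`fr_checkp != NULL && bdg_ipf != 0`), tested again in the next hunk (`if (fr_checkp != NULL && bdg_ipf && ...`) and finally called through as `(*fr_checkp)(ip, ...)`; if ipfilter can be detached while a bridged packet is being filtered, the pointer can change between those reads. Reading it once into a local at the top of this block, e.g. `int (*ipf_hook)(struct ip *, int, struct ifnet *, int, struct mbuf **) = fr_checkp;`, and using that local in all three places at least makes the checks and the call consistent; whether the bridge already runs at a priority level that excludes unload I cannot tell from here. As a point of style, this hunk tests `bdg_ipf != 0` while the next tests the bare `bdg_ipf`; one form would be clearer. The enclosing function begins and ends outside this hunk.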
> @@ -880,38 +875,35 @@
>  	    }
>  	}
>  
> -#ifdef PFIL_HOOKS
>  	/*
> -	 * NetBSD-style generic packet filter, pfil(9), hooks.
> -	 * Enables ipf(8) in bridging.
> +	 * IP Filter hook.
>  	 */
> -	if (m0->m_pkthdr.len >= sizeof(struct ip) &&
> -		ntohs(save_eh.ether_type) == ETHERTYPE_IP) {
> -	    /*
> -	     * before calling the firewall, swap fields the same as IP does.
> -	     * here we assume the pkt is an IP one and the header is contiguous
> -	     */
> -	    struct ip *ip = mtod(m0, struct ip *);
> +	if (fr_checkp != NULL && bdg_ipf &&
> +	    m0->m_pkthdr.len >= sizeof(struct ip) &&
> +	    ntohs(save_eh.ether_type) == ETHERTYPE_IP) {
> +		/*
> +		 * Before calling the firewall, swap fields the same
> +		 * as IP does. here we assume the pkt is an IP one and
> +		 * the header is contiguous
> +		 */
> +		struct ip *ip = mtod(m0, struct ip *);
>  
> -	    ip->ip_len = ntohs(ip->ip_len);
> -	    ip->ip_off = ntohs(ip->ip_off);
> +		ip->ip_len = ntohs(ip->ip_len);
> +		ip->ip_off = ntohs(ip->ip_off);
>  
> -	    for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link))
> -		if (pfh->pfil_func) {
> -		    rv = pfh->pfil_func(ip, ip->ip_hl << 2, src, 0, &m0);
> -		    if (rv != 0 || m0 == NULL)
> +		if ((*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0)
> +		    || m0 == NULL)
>  			return m0;
> -		    ip = mtod(m0, struct ip *);
> -		}
> -	    /*
> -	     * If we get here, the firewall has passed the pkt, but the mbuf
> -	     * pointer might have changed. Restore ip and the fields ntohs()'d.
> -	     */
> -	    ip = mtod(m0, struct ip *);
> -	    ip->ip_len = htons(ip->ip_len);
> -	    ip->ip_off = htons(ip->ip_off);
> +
> +		/*
> +		 * If we get here, the firewall has passed the pkt,
> +		 * but the mbuf pointer might have changed. Restore
> +		 * ip and the fields ntohs()'d.
> +		 */
> +		ip = mtod(m0, struct ip *);
> +		ip->ip_len = htons(ip->ip_len);
> +		ip->ip_off = htons(ip->ip_off);
>  	}
> -#endif /* PFIL_HOOKS */
>  
>  	/*
>  	 * Prepare arguments and call the firewall.
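Review bot: The new `if` guards only `m0->m_pkthdr.len >= sizeof(struct ip)` before `mtod(m0, struct ip *)` and `ip->ip_hl << 2`, so the contiguous-header assumption the comment states is never enforced for the first mbuf, and the header length handed to the hook is taken from the packet unchecked; unless the enclosing function (which begins and ends outside this hunk) already pulls the header up, adding `m0->m_len >= sizeof(struct ip)` to the condition, or an `m_pullup` before the `mtod`, would turn the assumption into a check. On the early `return m0` path a nonzero hook result with a non-NULL mbuf hands the packet back with `ip_len`/`ip_off` still in host order, because the swap-back below runs only on the pass path; if the caller can still forward or inspect that mbuf, the restore should run there too, otherwise a comment such as `/* nonzero result: the hook has dropped or taken the packet, m0 is not ours to fix up */` would record why it is skipped. The `ntohs`/`htons` round trip is the same as the old pfil code, so this is pre-existing rather than introduced here.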
> 

-- 
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------





