Date: Wed, 04 Dec 2002 13:11:24 -0500 From: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org> To: Eric Masson <e-masson@kisoft-services.com>, stable@freebsd.org Subject: Re: Cjc's Ipfilter/Bridge patch Message-ID: <3DEE454C.5080308@georgiacenter.org> References: <86y975znsw.fsf@notbsdems.nantes.kisoft-services.com>
This is a multi-part message in MIME format. --------------080304090807020500070001 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit last time i checked that patch was obsolete and will not patch against -STABLE. I cannot remember where I found this updated patch, but it works...Hope this helps. Eric Masson wrote: > Hello, > > I'd like to know whether the ipf/bridge patch located at : > http://people.freebsd.org/~cjc/ > > could be merged in the tree (-current then MFC) ? > > Is there any showstopper ? > > TIA > > Eric Masson > -- ---------------------------------------- Robin P. Blanchard Systems Integration Specialist Georgia Center for Continuing Education fon: 706.542.2404 <|> fax: 706.542.6546 ---------------------------------------- --------------080304090807020500070001 Content-Type: text/plain; name="ipf_bridge_c_diff.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ipf_bridge_c_diff.txt"
Index: sys/net/bridge.c
===================================================================
RCS file: /export/freebsd/ncvs/src/sys/net/bridge.c,v
retrieving revision 1.16.2.20
diff -u -r1.16.2.20 bridge.c
--- sys/net/bridge.c 9 Jul 2002 09:11:41 -0000 1.16.2.20
+++ sys/net/bridge.c 3 Oct 2002 20:16:03 -0000
@@ -91,16 +91,12 @@
 #include <sys/param.h>
 #include <sys/mbuf.h>
 #include <sys/malloc.h>
-#include <sys/protosw.h>
 #include <sys/systm.h>
 #include <sys/socket.h> /* for net/if.h */
 #include <sys/ctype.h> /* string functions */
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
-#if 0 /* XXX does not work yet */
-#include <net/pfil.h> /* for ipfilter */
-#endif
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
@@ -206,6 +202,11 @@
 static int bdg_ipf; /* IPFilter enabled in bridge */
 static int bdg_ipfw;
+/*
+ * For IPFilter, declared in ip_input.c
+ */
+extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);
+
 #if 0 /* debugging only */
 static char *bdg_dst_names[] = {
 "BDG_NULL ",
@@ -801,10 +802,6 @@
 int once = 0; /* loop only once */
 struct ifnet *real_dst = dst ; /* real dst from ether_output */
 struct ip_fw_args args;
-#ifdef PFIL_HOOKS
- struct packet_filter_hook *pfh;
- int rv;
-#endif /* PFIL_HOOKS */
 /*
 * XXX eh is usually a pointer within the mbuf (some ethernet drivers
@@ -857,10 +854,8 @@
 * Additional restrictions may apply e.g. non-IP, short packets,
 * and pkts already gone through a pipe.
 */
- if (src != NULL && (
-#ifdef PFIL_HOOKS
- ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) ||
-#endif
+ if (src != NULL &&
+ ((fr_checkp != NULL && bdg_ipf != 0) ||
 (IPFW_LOADED && bdg_ipfw != 0))) {
 int i;
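Review bot: The hand-written `extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);` in the @@ -206 hunk restates the definition's signature inside bridge.c, so a later change to the pointer's type in ip_input.c would not be caught by the compiler, since the two translation units never see each other's declaration. If a kernel header already declares fr_checkp, include that header in place of the local extern; otherwise extend the comment to say that the two must be kept in sync by hand. A smaller style point: the @@ -857 hunk tests `bdg_ipf != 0` while the @@ -880 hunk tests bare `bdg_ipf`; one form should be used in both places. The @@ -857 hunk also makes the reference to fr_checkp unconditional (it was under PFIL_HOOKS before), so bridge.c now only links against a kernel that defines the pointer, which is presumably true for INET builds but is worth stating in the commit message.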
@@ -880,38 +875,35 @@
 }
 }
-#ifdef PFIL_HOOKS
 /*
- * NetBSD-style generic packet filter, pfil(9), hooks.
- * Enables ipf(8) in bridging.
+ * IP Filter hook.
 */
- if (m0->m_pkthdr.len >= sizeof(struct ip) &&
- ntohs(save_eh.ether_type) == ETHERTYPE_IP) {
- /*
- * before calling the firewall, swap fields the same as IP does.
- * here we assume the pkt is an IP one and the header is contiguous
- */
- struct ip *ip = mtod(m0, struct ip *);
+ if (fr_checkp != NULL && bdg_ipf &&
+ m0->m_pkthdr.len >= sizeof(struct ip) &&
+ ntohs(save_eh.ether_type) == ETHERTYPE_IP) {
+ /*
+ * Before calling the firewall, swap fields the same
+ * as IP does. here we assume the pkt is an IP one and
+ * the header is contiguous
+ */
+ struct ip *ip = mtod(m0, struct ip *);
- ip->ip_len = ntohs(ip->ip_len);
- ip->ip_off = ntohs(ip->ip_off);
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
- for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link))
- if (pfh->pfil_func) {
- rv = pfh->pfil_func(ip, ip->ip_hl << 2, src, 0, &m0);
- if (rv != 0 || m0 == NULL)
+ if ((*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0)
+ || m0 == NULL)
 return m0;
- ip = mtod(m0, struct ip *);
- }
- /*
- * If we get here, the firewall has passed the pkt, but the mbuf
- * pointer might have changed. Restore ip and the fields ntohs()'d.
- */
- ip = mtod(m0, struct ip *);
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
+
+ /*
+ * If we get here, the firewall has passed the pkt,
+ * but the mbuf pointer might have changed. Restore
+ * ip and the fields ntohs()'d.
+ */
+ ip = mtod(m0, struct ip *);
+ ip->ip_len = htons(ip->ip_len);
+ ip->ip_off = htons(ip->ip_off);
 }
-#endif /* PFIL_HOOKS */
 /*
 * Prepare arguments and call the firewall.
--------------080304090807020500070001-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
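Review bot: `ip->ip_hl << 2` is handed to the filter in the @@ -880 hunk without any check that the header length is at least sizeof(struct ip) or that it lies within the first mbuf; the only length guard on this path is `m0->m_pkthdr.len >= sizeof(struct ip)`, and the new comment itself says the header is merely assumed contiguous. ip_input() validates hlen against both bounds before it calls fr_checkp, so here a malformed bridged frame reaches the filter, and the ntohs()/htons() writes, with a header length nothing has checked. The rewrite below adds that validation and drops the frame the way the existing `m0 == NULL` deny path does; if split headers are expected on this path, an m_pullup() would be the alternative to dropping. A second, pre-existing point: when fr_checkp returns non-zero but leaves m0 non-NULL, the mbuf is returned to the caller with ip_len/ip_off still in host order, so the caller's treatment of a non-NULL return after a block should be confirmed. The enclosing function starts and ends outside the hunk.
```c
		struct ip *ip;
		int hlen;

		/*
		 * The header is assumed contiguous and is trusted below;
		 * as ip_input() does, reject one that is shorter than the
		 * fixed header or longer than the first mbuf.
		 */
		if (m0->m_len < (int)sizeof(struct ip)) {
			m_freem(m0);
			return NULL;
		}
		ip = mtod(m0, struct ip *);
		hlen = ip->ip_hl << 2;
		if (hlen < (int)sizeof(struct ip) || hlen > m0->m_len) {
			m_freem(m0);
			return NULL;
		}

		ip->ip_len = ntohs(ip->ip_len);
		ip->ip_off = ntohs(ip->ip_off);

		if ((*fr_checkp)(ip, hlen, src, 0, &m0) || m0 == NULL)
			return m0;
		/* … unchanged: restore ip and re-htons() ip_len/ip_off … */
```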