Date: Sun, 22 Jun 2008 17:13:25 GMT From: Gleb Kurtsou <gk@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 143921 for review Message-ID: <200806221713.m5MHDPK9079118@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=143921

Change 143921 by gk@gk_h1 on 2008/06/22 17:12:47

When performing filtering on a bridge interface, mark packets as received from the bridge interface. Without this hack ipfw can't distinguish filtering on the bridge from filtering on a member interface.

Note: possibly there are similar bugs in the tree. A generic fix is to change ipfw's handling of interfaces the way other firewalls do, but this will make rules like this meaningless:

allow from any to any out recv if1 xmit if2

Affected files ...

.. //depot/projects/soc2008/gk_l2filter/sys-net/if_bridge.c#6 edit

Differences ...

==== //depot/projects/soc2008/gk_l2filter/sys-net/if_bridge.c#6 (text+ko) ==== @@ -2998,8 +2998,25 @@ break; if (pfil_bridge && dir == PFIL_IN && bifp != NULL) +#ifdef IPFIREWALL + { + /* + * Mark packets as received from bridge interface. + * Without this hack ipfw can't distinguish filtering + * on bridge from filtering on member interface. + */ + struct ifnet *orig_rcvif; + + orig_rcvif = (*mp)->m_pkthdr.rcvif; + (*mp)->m_pkthdr.rcvif = bifp; +#endif error = pfil_run_hooks(&inet_pfil_hook, mp, bifp, dir, NULL); +#ifdef IPFIREWALL + if (*mp) + (*mp)->m_pkthdr.rcvif = orig_rcvif; + } +#endif if (*mp == NULL || error != 0) /* filter may consume */ break; @@ -3052,8 +3069,25 @@ break; if (pfil_bridge && dir == PFIL_IN && bifp != NULL) +#ifdef IPFIREWALL + { + /* + * Mark packets as received from bridge interface. + * Without this hack ipfw can't distinguish filtering + * on bridge from filtering on member interface. + */ + struct ifnet *orig_rcvif; + + orig_rcvif = (*mp)->m_pkthdr.rcvif; + (*mp)->m_pkthdr.rcvif = bifp; +#endif error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp, dir, NULL); +#ifdef IPFIREWALL + if (*mp) + (*mp)->m_pkthdr.rcvif = orig_rcvif; + } +#endif break; #endif default:
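Review bot: In the inet hunk (@@ -2998) the original rcvif is restored only when the hook hands an mbuf back in *mp, so a hook that takes ownership of the packet and clears *mp (queueing it for later reinjection rather than dropping it) leaves m_pkthdr.rcvif pointing at bifp instead of the member interface the frame actually arrived on; if that is intended, the comment should say so, otherwise the restore needs to happen wherever the mbuf is released. The opening brace and the declaration of orig_rcvif sit inside "#ifdef IPFIREWALL" while the "error = pfil_run_hooks(...)" line sits outside it, so the braces of the if body only pair up across two preprocessor blocks; declaring orig_rcvif unconditionally, or moving the save/restore into a small static helper, would keep the body readable in both configurations. Gating on the IPFIREWALL kernel option also does not cover ipfw loaded as a module, while the rewrite is applied to every consumer of inet_pfil_hook and not only to ipfw, so the condition looks both too narrow and too broad.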
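Review bot: The inet6 hunk (@@ -3052) repeats the save/restore block and its comment from the inet hunk verbatim; since the two copies must be kept in sync, factor them into a static helper in if_bridge.c (for instance one function that records the old rcvif and sets bifp, and one that restores it when *mp is non-NULL; names are only a suggestion) and call it around both pfil_run_hooks() invocations, which also removes the split-brace "#ifdef IPFIREWALL" pattern here.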