Date: Mon, 28 Oct 2002 11:47:41 -0500 (EST)
From: Andriy Gapon
Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface
In-reply-to: <200210231810.g9NIA15C037636@freefall.freebsd.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: freebsd-ipfw@freebsd.org
Message-id: <20021028114346.T76307-100000@edge.foundation.invalid>

Here's a patch that I think fixes this problem, it works for me. If anybody else could test this that would be great.

--- if_ethersubr.c.orig Wed Oct 23 15:27:08 2002 +++ if_ethersubr.c Wed Oct 23 15:28:06 2002 
@@ -388,9 +388,6 @@ if (m->m_flags == PACKET_TAG_DUMMYNET) rule = ((struct dn_pkt *)m)->rule; - if (rule) /* packet was already bridged */ - goto no_bridge; - if (BDG_ACTIVE(ifp) ) { struct ether_header *eh; /* a ptr suffices */ --- bridge.c.orig Wed Oct 23 15:28:16 2002 +++ bridge.c Wed Oct 23 15:29:06 2002 @@ -857,11 +857,11 @@ * Additional restrictions may apply e.g. non-IP, short packets, * and pkts already gone through a pipe. */ - if (src != NULL && ( + if ( #ifdef PFIL_HOOKS ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) || #endif - (IPFW_LOADED && bdg_ipfw != 0))) { + (IPFW_LOADED && bdg_ipfw != 0)) { int i; -- Andriy Gapon * "Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
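
Review bot: In the if_ethersubr.c hunk (@@ -388), dropping the `if (rule) goto no_bridge;` early exit means a packet coming back from dummynet with `rule` set now enters the `BDG_ACTIVE(ifp)` block, although the removed comment says such a packet was already bridged. Nothing in the visible lines stops it from being forwarded or queued a second time, so please either keep a narrower guard or add a comment stating where the bridge path uses `rule` to avoid reprocessing. Also check whether the `no_bridge` label still has a user after this removal.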
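
Review bot: In the bridge.c hunk (@@ -857), removing `src != NULL &&` from the condition lets the filtering block run with `src == NULL`, so every use of `src` inside that block (its body is not visible in this hunk) needs a NULL check before this is safe. The comment above the condition still lists only non-IP packets, short packets and packets that already went through a pipe; it should be updated to say which packets arrive with no source interface and that they are now filtered too.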