Date: Wed, 30 Oct 2002 12:37:15 -0500 (EST)
From: Andriy Gapon <avg@icyb.net.ua>
To: Luigi Rizzo <rizzo@icir.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface
Message-ID: <20021030123045.D8706-100000@edge.foundation.invalid>
In-Reply-To: <20021029095521.A12933@carp.icir.org>
Luigi,
you are right - my patch is incorrect, firewall rules are checked in the wrong place.
This one should be better:
391,406d390
< if (rule) /* packet was already bridged */
< goto no_bridge;
<
< if (BDG_ACTIVE(ifp) ) {
< struct ether_header *eh; /* a ptr suffices */
<
< m->m_pkthdr.rcvif = NULL;
< eh = mtod(m, struct ether_header *);
< m_adj(m, ETHER_HDR_LEN);
< m = bdg_forward_ptr(m, eh, ifp);
< if (m != NULL)
< m_freem(m);
< return (0);
< }
<
< no_bridge:
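Review bot: the `if (rule) /* packet was already bridged */ goto no_bridge;` guard is deleted together with the bridging block it protected, but the bridging block that replaces it further down the function carries no `rule` test at all. The comment on the removed line says `rule` is set when the frame has already been through the bridge, so unless the ipfw pass that now sits between the two locations guarantees `rule` is clear by the time `BDG_ACTIVE(ifp)` is evaluated, an already-bridged frame will be handed to `bdg_forward_ptr` a second time. Either keep the guard at the new location (`if (rule == NULL && BDG_ACTIVE(ifp))`) or add a comment stating why it is no longer needed.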
432a417,429
> }
>
> if (BDG_ACTIVE(ifp) ) {
> splx(s); /* XXX */
> struct ether_header *eh; /* a ptr suffices */
>
> m->m_pkthdr.rcvif = NULL;
> eh = mtod(m, struct ether_header *);
> m_adj(m, ETHER_HDR_LEN);
> m = bdg_forward_ptr(m, eh, ifp);
> if (m != NULL)
> m_freem(m);
> return (0);
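Review bot: `splx(s); /* XXX */` is inserted ahead of the declaration `struct ether_header *eh;`, so the block now has a statement before a declaration, which is not valid C89 and will not build with a pre-C99 compiler; move the `splx(s)` below the declaration (or right before the `return (0)`). The `XXX` should also say what it is papering over: the early `return (0)` on the bridge path skips whatever `splx()` the fall-through path performs, so the comment needs to state which spl level the code is at here and why lowering it before `bdg_forward_ptr` runs is safe, otherwise the next reader cannot tell whether this is a fix or a workaround.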
Basically it moves the check for bridging to after the ipfw stuff.
What do you think?
Thank you.
--
Andriy Gapon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021030123045.D8706-100000>
