Date: Tue, 13 Oct 2009 20:01:37 +0000 (UTC)
From: Ermal Luçi <eri@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: svn commit: r198047 - user/eri/pf45/head/sys/contrib/pf/net
Message-ID: <200910132001.n9DK1buS015049@svn.freebsd.org>
Author: eri Date: Tue Oct 13 20:01:37 2009 New Revision: 198047 URL: http://svn.freebsd.org/changeset/base/198047 Log: Prevent pf(4) from handling ipfw(4) tagged packets. This is based on the following assumption that ipfw puts the rule number in the divert cookie while pf itself just puts zero. Should the same check be done in ipfw(4) divert!? Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c ============================================================================== --- user/eri/pf45/head/sys/contrib/pf/net/pf.c Tue Oct 13 19:51:31 2009 (r198046) +++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Tue Oct 13 20:01:37 2009 (r198047) @@ -6487,8 +6487,16 @@ pf_test(int dir, struct ifnet *ifp, stru #ifdef __FreeBSD__ if (ip_divert_ptr != NULL && ((dvtag = m_tag_find(m, PACKET_TAG_DIVERT, NULL)) != NULL)) { - pd.pf_mtag->flags |= PF_TAG_DIVERTED; - m_tag_delete(m, dvtag); + /* + * Ipfw puts the rule number in the divert cookie + * while pf itself just puts zero. + * Use this fact to detect if this is pf created divert tag + * or ipfw one. + */ + if (!divert_cookie(dvtag)) { + pd.pf_mtag->flags |= PF_TAG_DIVERTED; + m_tag_delete(m, dvtag); + } } else #endif /* We do IP header normalization and packet reassembly here */
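Review bot: In the pf_test() hunk the new `if (!divert_cookie(dvtag))` test sits inside the outer `if (ip_divert_ptr != NULL && ((dvtag = m_tag_find(...)) != NULL))`, so a packet carrying a divert tag with a non-zero cookie still takes the outer branch and skips the statement under the trailing `} else`, which the comment there describes as IP header normalization and packet reassembly. Such a packet is then neither marked PF_TAG_DIVERTED nor normalized, and nothing in the visible lines stops pf from handling it, which is what the log message says the change is meant to prevent. Consider folding the cookie test into the outer condition so that tags with a non-zero cookie fall through to the `else` path, or handle that case explicitly. The zero-versus-rule-number distinction is also only an assumption, as the log itself notes, and nothing in these lines enforces it, so a dedicated marker for pf-created tags would be more robust than reading meaning into the cookie value. As a style point, `divert_cookie(dvtag) == 0` reads more clearly than `!divert_cookie(dvtag)` for a value that is a rule number rather than a boolean.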