From owner-freebsd-stable Wed Dec 4 10:11:41 2002
Date: Wed, 04 Dec 2002 13:11:24 -0500
From: "Robin P. Blanchard"
Organization: Georgia Center for Continuing Education
To: Eric Masson, stable@freebsd.org
Subject: Re: Cjc's Ipfilter/Bridge patch
Message-ID: <3DEE454C.5080308@georgiacenter.org>
References: <86y975znsw.fsf@notbsdems.nantes.kisoft-services.com>

Last time I checked that patch was obsolete and will not patch against -STABLE. I cannot remember where I found this updated patch, but it works... Hope this helps.

Eric Masson wrote:
> Hello,
>
> I'd like to know whether the ipf/bridge patch located at :
> http://people.freebsd.org/~cjc/
>
> could be merged in the tree (-current then MFC) ?
>
> Is there any showstopper ?
>
> TIA
>
> Eric Masson
> --

----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------

Content-Disposition: inline; filename="ipf_bridge_c_diff.txt"

Index: sys/net/bridge.c
===================================================================
RCS file: /export/freebsd/ncvs/src/sys/net/bridge.c,v
retrieving revision 1.16.2.20
diff -u -r1.16.2.20 bridge.c
--- sys/net/bridge.c 9 Jul 2002 09:11:41 -0000 1.16.2.20
+++ sys/net/bridge.c 3 Oct 2002 20:16:03 -0000
@@ -91,16 +91,12 @@ #include #include #include -#include #include #include /* for net/if.h */ #include /* string functions */ #include #include -#if 0 /* XXX does not work yet */ -#include /* for ipfilter */ -#endif #include #include #include @@ -206,6 +202,11 @@ static int bdg_ipf; /* IPFilter enabled in bridge */ static int bdg_ipfw; +/* + * For IPFilter, declared in ip_input.c + */ +extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **); + #if 0 /* debugging only */ static char *bdg_dst_names[] = { "BDG_NULL ", @@ -801,10 +802,6 @@ int once = 0; /* loop only once */ struct ifnet *real_dst = dst ; /* real dst from ether_output */ struct ip_fw_args args; -#ifdef PFIL_HOOKS - struct packet_filter_hook *pfh; - int rv; -#endif /* PFIL_HOOKS */ /* * XXX eh is usually a pointer within the mbuf (some ethernet drivers @@ -857,10 +854,8 @@ * Additional restrictions may apply e.g. non-IP, short packets, * and pkts already gone through a pipe. */ - if (src != NULL && ( -#ifdef PFIL_HOOKS - ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) || -#endif + if (src != NULL && + ((fr_checkp != NULL && bdg_ipf != 0) || (IPFW_LOADED && bdg_ipfw != 0))) { int i; 
@@ -880,38 +875,35 @@ } } -#ifdef PFIL_HOOKS /* - * NetBSD-style generic packet filter, pfil(9), hooks. - * Enables ipf(8) in bridging. + * IP Filter hook. */ - if (m0->m_pkthdr.len >= sizeof(struct ip) && - ntohs(save_eh.ether_type) == ETHERTYPE_IP) { - /* - * before calling the firewall, swap fields the same as IP does. - * here we assume the pkt is an IP one and the header is contiguous - */ - struct ip *ip = mtod(m0, struct ip *); + if (fr_checkp != NULL && bdg_ipf && + m0->m_pkthdr.len >= sizeof(struct ip) && + ntohs(save_eh.ether_type) == ETHERTYPE_IP) { + /* + * Before calling the firewall, swap fields the same + * as IP does. here we assume the pkt is an IP one and + * the header is contiguous + */ + struct ip *ip = mtod(m0, struct ip *); - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); - for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link)) - if (pfh->pfil_func) { - rv = pfh->pfil_func(ip, ip->ip_hl << 2, src, 0, &m0); - if (rv != 0 || m0 == NULL) + if ((*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0) + || m0 == NULL) return m0; - ip = mtod(m0, struct ip *); - } - /* - * If we get here, the firewall has passed the pkt, but the mbuf - * pointer might have changed. Restore ip and the fields ntohs()'d. - */ - ip = mtod(m0, struct ip *); - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); + + /* + * If we get here, the firewall has passed the pkt, + * but the mbuf pointer might have changed. Restore + * ip and the fields ntohs()'d. + */ + ip = mtod(m0, struct ip *); + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); } -#endif /* PFIL_HOOKS */ /* * Prepare arguments and call the firewall.
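Review bot: the hunk at @@ -91 removes one unconditional include together with the `#if 0` ipfilter include, but the header names did not survive extraction, so the removal cannot be checked from the patch alone; the `extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **)` added at @@ -206 needs `struct ip`, `struct ifnet` and `struct mbuf` in scope, so confirm that netinet/ip.h, net/if.h and sys/mbuf.h are still included in bridge.c after this hunk.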
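Review bot: at @@ -206 the function-pointer prototype is re-declared locally as `extern int (*fr_checkp)(...)` with the comment "declared in ip_input.c"; the definition lives in ip_input.c, and a private extern in another translation unit is never checked against it, so a later signature change there would leave bridge.c calling through a mismatched pointer type with no compiler warning. Suggest declaring it once in a header both files include, and wording the comment "defined in ip_input.c".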
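Review bot: at @@ -857 the new condition reads the global `fr_checkp` (`fr_checkp != NULL && bdg_ipf != 0`), and the hook at @@ -880 reads it a second time before calling through it; if the pointer is cleared between the two reads (ipfilter being unloaded) the call goes through a NULL pointer. Snapshot it once into a local at the top of the forwarding path and use that local for both the test and the `(*fr_checkp)(...)` call.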
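Review bot: at @@ -880 the hook casts with `mtod(m0, struct ip *)` and passes `ip->ip_hl << 2` as the header length after checking only `m0->m_pkthdr.len >= sizeof(struct ip)`; `m_pkthdr.len` is the length of the whole chain, not of the first mbuf, and the comment itself says the header is merely assumed contiguous, so a short leading mbuf would read the IP header past its data. Unless an earlier pull-up in bdg_forward guarantees it, guard with `m0->m_len >= sizeof(struct ip)` or `m_pullup(m0, sizeof(struct ip))` before the cast. Also, when `(*fr_checkp)` returns non-zero with `m0` still non-NULL the packet is handed back to the caller with `ip_len`/`ip_off` left in host order; confirm that an mbuf returned on that path is only freed, never forwarded.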