From owner-freebsd-stable Wed Dec 4 10:13:31 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7A79337B401 for ; Wed, 4 Dec 2002 10:13:27 -0800 (PST)
Received: from mail.gactr.uga.edu (mail.gactr.uga.edu [128.192.37.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id EBB5A43E9C for ; Wed, 4 Dec 2002 10:13:25 -0800 (PST) (envelope-from robin.blanchard@georgiacenter.org)
Received: (qmail 49452 invoked from network); 4 Dec 2002 18:13:25 -0000
Received: from unknown (HELO georgiacenter.org) ([10.10.25.125]) (envelope-sender ) by mail.servers.gactr.gc.nat (qmail-ldap-1.03) with SMTP for ; 4 Dec 2002 18:13:25 -0000
Message-ID: <3DEE45C5.9020302@georgiacenter.org>
Date: Wed, 04 Dec 2002 13:13:25 -0500
From: "Robin P. Blanchard"
Organization: Georgia Center for Continuing Education
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20021025
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Robin P. Blanchard"
Cc: Eric Masson , stable@freebsd.org
Subject: Re: Cjc's Ipfilter/Bridge patch
References: <86y975znsw.fsf@notbsdems.nantes.kisoft-services.com> <3DEE454C.5080308@georgiacenter.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

found it after all...
http://raisdorf.net/?page=publications&sub=bridge

Robin P. Blanchard wrote:
> last time I checked that patch was obsolete and will not patch against
> -STABLE. I cannot remember where I found this updated patch, but it
> works... Hope this helps.
>
>
> Eric Masson wrote:
>
>> Hello,
>>
>> I'd like to know whether the ipf/bridge patch located at :
>> http://people.freebsd.org/~cjc/
>>
>> could be merged in the tree (-current then MFC) ?
>>
>> Is there any showstopper ?
>>
>> TIA
>>
>> Eric Masson
>>
>
>
> ------------------------------------------------------------------------
>
> Index: sys/net/bridge.c
> ===================================================================
> RCS file: /export/freebsd/ncvs/src/sys/net/bridge.c,v
> retrieving revision 1.16.2.20
> diff -u -r1.16.2.20 bridge.c
> --- sys/net/bridge.c 9 Jul 2002 09:11:41 -0000 1.16.2.20
> +++ sys/net/bridge.c 3 Oct 2002 20:16:03 -0000
> @@ -91,16 +91,12 @@ > #include > #include > #include > -#include > #include > #include /* for net/if.h */ > #include /* string functions */ > #include > #include > > -#if 0 /* XXX does not work yet */ > -#include /* for ipfilter */ > -#endif > #include > #include > #include 
> @@ -206,6 +202,11 @@ > static int bdg_ipf; /* IPFilter enabled in bridge */ > static int bdg_ipfw; > > +/* > + * For IPFilter, declared in ip_input.c > + */ > +extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **); > + > #if 0 /* debugging only */ > static char *bdg_dst_names[] = { > "BDG_NULL ", > @@ -801,10 +802,6 @@ > int once = 0; /* loop only once */ > struct ifnet *real_dst = dst ; /* real dst from ether_output */ > struct ip_fw_args args; > -#ifdef PFIL_HOOKS > - struct packet_filter_hook *pfh; > - int rv; > -#endif /* PFIL_HOOKS */ > > /* > * XXX eh is usually a pointer within the mbuf (some ethernet drivers > @@ -857,10 +854,8 @@ > * Additional restrictions may apply e.g. non-IP, short packets, > * and pkts already gone through a pipe. > */ > - if (src != NULL && ( > -#ifdef PFIL_HOOKS > - ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) || > -#endif > + if (src != NULL && > + ((fr_checkp != NULL && bdg_ipf != 0) || > (IPFW_LOADED && bdg_ipfw != 0))) { > > int i; 
> @@ -880,38 +875,35 @@ > } > } > > -#ifdef PFIL_HOOKS > /* > - * NetBSD-style generic packet filter, pfil(9), hooks. > - * Enables ipf(8) in bridging. > + * IP Filter hook. > */ > - if (m0->m_pkthdr.len >= sizeof(struct ip) && > - ntohs(save_eh.ether_type) == ETHERTYPE_IP) { > - /* > - * before calling the firewall, swap fields the same as IP does. > - * here we assume the pkt is an IP one and the header is contiguous > - */ > - struct ip *ip = mtod(m0, struct ip *); > + if (fr_checkp != NULL && bdg_ipf && > + m0->m_pkthdr.len >= sizeof(struct ip) && > + ntohs(save_eh.ether_type) == ETHERTYPE_IP) { > + /* > + * Before calling the firewall, swap fields the same > + * as IP does. here we assume the pkt is an IP one and > + * the header is contiguous > + */ > + struct ip *ip = mtod(m0, struct ip *); > > - ip->ip_len = ntohs(ip->ip_len); > - ip->ip_off = ntohs(ip->ip_off); > + ip->ip_len = ntohs(ip->ip_len); > + ip->ip_off = ntohs(ip->ip_off); > > - for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link)) > - if (pfh->pfil_func) { > - rv = pfh->pfil_func(ip, ip->ip_hl << 2, src, 0, &m0); > - if (rv != 0 || m0 == NULL) > + if ((*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0) > + || m0 == NULL) > return m0; > - ip = mtod(m0, struct ip *); > - } > - /* > - * If we get here, the firewall has passed the pkt, but the mbuf > - * pointer might have changed. Restore ip and the fields ntohs()'d. > - */ > - ip = mtod(m0, struct ip *); > - ip->ip_len = htons(ip->ip_len); > - ip->ip_off = htons(ip->ip_off); > + > + /* > + * If we get here, the firewall has passed the pkt, > + * but the mbuf pointer might have changed. Restore > + * ip and the fields ntohs()'d. > + */ > + ip = mtod(m0, struct ip *); > + ip->ip_len = htons(ip->ip_len); > + ip->ip_off = htons(ip->ip_off); > } > -#endif /* PFIL_HOOKS */ > > /* > * Prepare arguments and call the firewall. > -- ---------------------------------------- Robin P. 
Blanchard Systems Integration Specialist Georgia Center for Continuing Education fon: 706.542.2404 <|> fax: 706.542.6546 ----------------------------------------
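Review bot: in the @@ -206,6 +202,11 @@ hunk, the hand-written `extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);` is a second copy of a declaration that the comment says lives in ip_input.c, and because the two sit in different translation units the compiler will not notice if the two prototypes ever drift apart; the call through it would then pass arguments of the wrong shape silently. Since the first hunk removes the `#if 0 /* XXX does not work yet */` ipfilter include, the cleaner fix is to include whichever header declares fr_checkp (or move the prototype into one shared header) so bridge.c and ip_input.c compile against a single declaration.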
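Review bot: across the @@ -857,10 +854,8 @@ and @@ -880,38 +875,35 @@ hunks, fr_checkp is read from the global three separate times on one packet's path: in the gate `if (src != NULL && ((fr_checkp != NULL && bdg_ipf != 0) || ...`, again in `if (fr_checkp != NULL && bdg_ipf && ...`, and finally dereferenced in `(*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0)`. It is a pointer that a loadable module installs and clears, and nothing in the diff prevents it from becoming NULL between the second test and the call. Copy it once into a local (`int (*checkp)(...) = fr_checkp;`) near the top of bdg_forward and test and call that local instead.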
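Review bot: in the @@ -880,38 +875,35 @@ hunk, the early `return m0` after `if ((*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0) || m0 == NULL)` hands the mbuf back with ip_len and ip_off still in host byte order whenever the filter returns non-zero but leaves m0 non-NULL, because the restore (`ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off);`) only runs on the pass path; either restore the two fields before that return or add a comment stating that a non-zero return means the caller may only free the mbuf, never forward it. The same hunk keeps the old `m0->m_pkthdr.len >= sizeof(struct ip)` test, which bounds the packet length but not the first mbuf, yet the code then does `mtod(m0, struct ip *)` and trusts `ip->ip_hl << 2` as the header length; the "we assume ... the header is contiguous" comment should be backed by an m_pullup() and a check that ip_hl is at least 5 and the header fits within m_pkthdr.len before the header is touched.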