Date: Tue, 7 Apr 2009 01:00:30 +0300
From: Maxim Ignatenko
To: freebsd-current@freebsd.org
Subject: Re: [patch] matching IPv4 broadcast packets in ipfw

Sorry, I'm feeling really stupid... I've used | instead of & when verifying the IFF_BROADCAST bit... Here is the corrected patch:

--- sys/netinet/ip_fw2.c.orig 2009-04-05 20:43:08.000000000 +0300 +++ sys/netinet/ip_fw2.c 2009-04-06 09:55:04.000000000 +0300 @@ -3131,6 +3131,27 @@ mtag->m_tag_id <= p[1]; } break; + case O_BROADCAST: + if (is_ipv4) + { + struct ifnet *ifp; + ifp=(oif ? oif : m->m_pkthdr.rcvif); + if (ifp == NULL || + (ifp->if_flags & IFF_BROADCAST) == 0) + break; + struct ifaddr *ia; + TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { + if (ia->ifa_broadaddr == NULL || + ia->ifa_broadaddr->sa_family != AF_INET) + continue; + if (((struct sockaddr_in *)(ia->ifa_broadaddr))-> + sin_addr.s_addr == dst_ip.s_addr) { + match=1; + break; + } + } + } + break; } /* @@ -3897,6 +3918,7 @@ case O_IN: case O_FRAG: case O_DIVERTED: + case O_BROADCAST: case O_IPOPT: case O_IPTOS: case O_IPPRECEDENCE: --- sys/netinet/ip_fw.h.orig 2009-04-05 21:41:08.000000000 +0300 +++ sys/netinet/ip_fw.h 2009-04-05 21:46:23.000000000 +0300 @@ -179,6 +179,8 @@ O_SETFIB, /* arg1=FIB number */ O_FIB, /* arg1=FIB desired fib number */ + O_BROADCAST, /* matches IP packets sent on broadcast address */ + O_LAST_OPCODE /* not an opcode! */ }; --- sbin/ipfw/ipfw2.c.orig 2009-04-05 21:23:38.000000000 +0300 +++ sbin/ipfw/ipfw2.c 2009-04-06 09:25:39.000000000 +0300 
@@ -291,6 +291,7 @@ { "src-ipv6", TOK_SRCIP6}, { "src-ip6", TOK_SRCIP6}, { "//", TOK_COMMENT }, + { "broadcast", TOK_BROADCAST}, { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ @@ -1506,6 +1507,10 @@ print_newports((ipfw_insn_u16 *)cmd, 0, O_TAGGED); break; + + case O_BROADCAST: + printf(" broadcast"); + break; default: printf(" [opcode %d len %d]", @@ -3455,6 +3460,10 @@ ac = 0; break; + case TOK_BROADCAST: + fill_cmd(cmd, O_BROADCAST, 0, 0); + break; + case TOK_TAGGED: if (ac > 0 && strpbrk(*av, "-,")) { if (!add_ports(cmd, *av, 0, O_TAGGED)) --- sbin/ipfw/ipfw2.h.orig 2009-04-05 21:23:47.000000000 +0300 +++ sbin/ipfw/ipfw2.h 2009-04-05 21:27:22.000000000 +0300 @@ -141,6 +141,7 @@ TOK_ANTISPOOF, TOK_IPSEC, TOK_COMMENT, + TOK_BROADCAST, TOK_PLR, TOK_NOERROR, --- sbin/ipfw/ipfw.8.orig 2009-04-06 02:10:47.000000000 +0300 +++ sbin/ipfw/ipfw.8 2009-04-06 02:13:54.000000000 +0300 @@ -1135,6 +1135,8 @@ .It Cm bridged Alias for .Cm layer2 . +.It Cm broadcast +Matches broadcast packets on non-point-to-point interfaces. .It Cm diverted Matches only packets generated by a divert socket. .It Cm diverted-loopback
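Review bot: In the sys/netinet/ip_fw2.c hunk at @@ -3131, the TAILQ_FOREACH over ifp->if_addrhead in the new O_BROADCAST case runs with no lock taken in the visible lines, so an address being added or removed on that interface while a packet is being matched can leave the walk on a stale ifaddr. Unless the caller already holds the interface address lock, bracket the loop with IF_ADDR_LOCK(ifp) and IF_ADDR_UNLOCK(ifp). Separately, the comparison is only against each ifa_broadaddr, so a destination of 255.255.255.255 never matches; if the limited broadcast address is meant to count, compare dst_ip.s_addr with INADDR_BROADCAST before the loop. style(9) nits in the same case: move "struct ifaddr *ia;" up beside "struct ifnet *ifp;" rather than declaring it after statements, put the brace on the "if (is_ipv4)" line, and add spaces around "=" in "ifp=(oif ..." and "match=1".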
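Review bot: In the sys/netinet/ip_fw.h hunk at @@ -179, the comment on O_BROADCAST says "matches IP packets sent on broadcast address", but the kernel case only does anything under is_ipv4 and only compares against the broadcast addresses configured on one interface. Suggest wording the comment to say so, for example "matches IPv4 packets whose destination is a broadcast address of the interface", so that nobody reading the enum assumes IPv6 or arbitrary broadcast destinations are covered.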
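Review bot: In the sbin/ipfw/ipfw.8 hunk at @@ -1135, the new "broadcast" entry does not tell a rule writer which interface decides the match. From the kernel hunk it is the outgoing interface when there is one and the receiving interface otherwise, and the option never matches on an interface without IFF_BROADCAST or for non-IPv4 packets. One or two more sentences in the man page covering those points would prevent rules that silently fail to match, since a firewall option that quietly matches less than its name suggests tends to produce rule sets with gaps.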