Date: Sun, 22 Jun 2008 17:13:25 GMT
Message-Id: <200806221713.m5MHDPK9079118@repoman.freebsd.org>
From: Gleb Kurtsou
To: Perforce Change Reviews
Subject: PERFORCE change 143921 for review

http://perforce.freebsd.org/chv.cgi?CH=143921

Change 143921 by gk@gk_h1 on 2008/06/22 17:12:47

When performing filtering on the bridge interface, mark packets as received from the bridge interface. Without this hack ipfw can't distinguish filtering on the bridge from filtering on a member interface.

Note: possibly there are similar bugs in the tree. A generic fix is to change ipfw's handling of interfaces the way other firewalls do, but this will make rules like this meaningless:

allow from any to any out recv if1 xmit if2

Affected files ...

.. //depot/projects/soc2008/gk_l2filter/sys-net/if_bridge.c#6 edit

Differences ...

==== //depot/projects/soc2008/gk_l2filter/sys-net/if_bridge.c#6 (text+ko) ==== @@ -2998,8 +2998,25 @@ break; if (pfil_bridge && dir == PFIL_IN && bifp != NULL) +#ifdef IPFIREWALL + { + /* + * Mark packets as received from bridge interface. + * Without this hack ipfw can't distinguish filtering + * on bridge from filtering on member interface. + */ + struct ifnet *orig_rcvif; + + orig_rcvif = (*mp)->m_pkthdr.rcvif; + (*mp)->m_pkthdr.rcvif = bifp; +#endif error = pfil_run_hooks(&inet_pfil_hook, mp, bifp, dir, NULL); +#ifdef IPFIREWALL + if (*mp) + (*mp)->m_pkthdr.rcvif = orig_rcvif; + } +#endif if (*mp == NULL || error != 0) /* filter may consume */ break;
@@ -3052,8 +3069,25 @@ break; if (pfil_bridge && dir == PFIL_IN && bifp != NULL) +#ifdef IPFIREWALL + { + /* + * Mark packets as received from bridge interface. + * Without this hack ipfw can't distinguish filtering + * on bridge from filtering on member interface. + */ + struct ifnet *orig_rcvif; + + orig_rcvif = (*mp)->m_pkthdr.rcvif; + (*mp)->m_pkthdr.rcvif = bifp; +#endif error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp, dir, NULL); +#ifdef IPFIREWALL + if (*mp) + (*mp)->m_pkthdr.rcvif = orig_rcvif; + } +#endif break; #endif default:
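Review bot: In both hunks (the inet_pfil_hook block at -2998 and the inet6_pfil_hook block at -3052) the rcvif rewrite is gated only at compile time on `#ifdef IPFIREWALL`, yet it is applied to the mbuf before `pfil_run_hooks()` runs every hook on the chain, so a kernel that has IPFIREWALL compiled in alongside pf or ipfilter will present `rcvif == bifp` to those filters as well, changing how their interface-based rules match on bridged traffic; either make the swap conditional on ipfw actually being the consumer, or state this side effect in the commit message and the in-line comment rather than describing it as ipfw-only. The save/restore pair is also correct only because the restore `if (*mp) (*mp)->m_pkthdr.rcvif = orig_rcvif;` sits before the `if (*mp == NULL || error != 0)` break, so a hook that returns an error but leaves the mbuf in place still gets its header put back; a one-line comment there would make that ordering requirement explicit. Finally, the two 17-line insertions are byte-for-byte identical and the `{` / `}` pair is opened and closed under separate `#ifdef` blocks, which makes the `if` body differ by configuration and is easy to break on a later edit; factoring the swap into a small static helper (e.g. one that takes `mp`, `bifp` and the hook pointer) called unconditionally from both the IPv4 and IPv6 paths would remove the duplication and the split-brace structure at once.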