Date: Tue, 7 Apr 2009 01:00:30 +0300
From: Maxim Ignatenko <gelraen.ua@gmail.com>
To: freebsd-current@freebsd.org
Subject: Re: [patch] matching IPv4 broadcast packets in ipfw
Message-ID: <ac42db050904061500w351a217bwf9d33021b1ce06c8@mail.gmail.com>
In-Reply-To: <ac42db050904061054x265d0289xb3d5eb15bc4c86ea@mail.gmail.com>
References: <ac42db050904060448v5aa7e4b0q9ee9e85b3c26f129@mail.gmail.com> <ac42db050904061054x265d0289xb3d5eb15bc4c86ea@mail.gmail.com>
Sorry, I'm feeling really stupid... I've used | instead of & when verifying IFF_BROADCAST bit... Here is corrected patch: --- sys/netinet/ip_fw2.c.orig 2009-04-05 20:43:08.000000000 +0300 +++ sys/netinet/ip_fw2.c 2009-04-06 09:55:04.000000000 +0300 @@ -3131,6 +3131,27 @@ mtag->m_tag_id <= p[1]; } break; + case O_BROADCAST: + if (is_ipv4) + { + struct ifnet *ifp; + ifp=(oif ? oif : m->m_pkthdr.rcvif); + if (ifp == NULL || + (ifp->if_flags & IFF_BROADCAST) == 0) + break; + struct ifaddr *ia; + TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { + if (ia->ifa_broadaddr == NULL || + ia->ifa_broadaddr->sa_family != AF_INET) + continue; + if (((struct sockaddr_in *)(ia->ifa_broadaddr))-> + sin_addr.s_addr == dst_ip.s_addr) { + match=1; + break; + } + } + } + break; } /* @@ -3897,6 +3918,7 @@ case O_IN: case O_FRAG: case O_DIVERTED: + case O_BROADCAST: case O_IPOPT: case O_IPTOS: case O_IPPRECEDENCE: --- sys/netinet/ip_fw.h.orig 2009-04-05 21:41:08.000000000 +0300 +++ sys/netinet/ip_fw.h 2009-04-05 21:46:23.000000000 +0300 @@ -179,6 +179,8 @@ O_SETFIB, /* arg1=FIB number */ O_FIB, /* arg1=FIB desired fib number */ + O_BROADCAST, /* matches IP packets sent on broadcast address */ + O_LAST_OPCODE /* not an opcode! */ }; --- sbin/ipfw/ipfw2.c.orig 2009-04-05 21:23:38.000000000 +0300 +++ sbin/ipfw/ipfw2.c 2009-04-06 09:25:39.000000000 +0300 @@ -291,6 +291,7 @@ { "src-ipv6", TOK_SRCIP6}, { "src-ip6", TOK_SRCIP6}, { "//", TOK_COMMENT }, + { "broadcast", TOK_BROADCAST}, { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ @@ -1506,6 +1507,10 @@ print_newports((ipfw_insn_u16 *)cmd, 0, O_TAGGED); break; + + case O_BROADCAST: + printf(" broadcast"); + break; default: printf(" [opcode %d len %d]", 
@@ -3455,6 +3460,10 @@ ac = 0; break; + case TOK_BROADCAST: + fill_cmd(cmd, O_BROADCAST, 0, 0); + break; + case TOK_TAGGED: if (ac > 0 && strpbrk(*av, "-,")) { if (!add_ports(cmd, *av, 0, O_TAGGED)) --- sbin/ipfw/ipfw2.h.orig 2009-04-05 21:23:47.000000000 +0300 +++ sbin/ipfw/ipfw2.h 2009-04-05 21:27:22.000000000 +0300 @@ -141,6 +141,7 @@ TOK_ANTISPOOF, TOK_IPSEC, TOK_COMMENT, + TOK_BROADCAST, TOK_PLR, TOK_NOERROR, --- sbin/ipfw/ipfw.8.orig 2009-04-06 02:10:47.000000000 +0300 +++ sbin/ipfw/ipfw.8 2009-04-06 02:13:54.000000000 +0300 @@ -1135,6 +1135,8 @@ .It Cm bridged Alias for .Cm layer2 . +.It Cm broadcast +Matches broadcast packets on non-point-to-point interfaces. .It Cm diverted Matches only packets generated by a divert socket. .It Cm diverted-loopback
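Review bot: In the O_BROADCAST case added to sys/netinet/ip_fw2.c, dst_ip is compared only against the ifa_broadaddr entries of the interface, so a packet addressed to the limited broadcast 255.255.255.255 never sets match; if the keyword is meant to cover every IPv4 broadcast, compare dst_ip.s_addr with htonl(INADDR_BROADCAST) before walking the list. The TAILQ_FOREACH over ifp->if_addrhead also runs with no lock taken anywhere in the hunk, so please confirm the address list cannot change under it on this path, or hold the interface address lock around the loop. Style: "struct ifaddr *ia;" is declared after statements, the opening brace after "if (is_ipv4)" sits on its own line, and "ifp=(oif ..." and "match=1;" lack spaces around "="; move the declaration to the top of the block and follow style(9).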
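Review bot: The ipfw.8 entry for "broadcast" does not say that the match is IPv4-only, nor which address is consulted, although the kernel case is guarded by is_ipv4 and compares the destination with the ifa_broadaddr entries of oif or, failing that, m->m_pkthdr.rcvif. Suggest wording such as "Matches IPv4 packets whose destination is a broadcast address configured on the outgoing or receiving interface", so rule authors know the match depends on the interface the packet is seen on.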