authorJulian Elischer <julian@FreeBSD.org>1996-07-10 19:44:30 +0000
committerJulian Elischer <julian@FreeBSD.org>1996-07-10 19:44:30 +0000
commit93e0e11657c61975fdd909f535d89bc6f0eaeceb (patch)
tree5affe14a214c46b4bd58b410a49350e34137ed18 /sys/netinet/ip_output.c
parent265c33c02735b31902caed1f0bc5fe3bdfc644d3 (diff)
Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
Notes
Notes: svn path=/head/; revision=17072
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r--sys/netinet/ip_output.c33
1 files changed, 27 insertions, 6 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 7777114bbbf7..bb30a9fc8589 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.39 1996/05/22 17:23:08 wollman Exp $
+ * $Id: ip_output.c,v 1.40 1996/06/08 08:18:59 bde Exp $
*/
#define _IP_VHL
@@ -80,6 +80,8 @@ static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
+extern struct protosw inetsw[];
+
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
* header (with len, off, ttl, proto, tos, src, dst).
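Review bot: The `extern struct protosw inetsw[];` declaration is written directly in this .c file, so the compiler cannot check it against the real definition of inetsw if that definition's type ever changes. Taking the declaration from a shared header that the defining file also includes would let the compiler catch a mismatch. If it has to stay local for now, a comment such as `/* XXX should come from a header; needed for the divert pr_input call in ip_output() */` would record why it is here.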
@@ -329,15 +331,34 @@ ip_output(m0, opt, ro, flags, imo)
}
sendit:
+#ifdef COMPAT_IPFW
/*
* Check with the firewall...
*/
-#ifdef COMPAT_IPFW
- if (ip_fw_chk_ptr && !(*ip_fw_chk_ptr)(&ip, hlen, ifp, 1, &m)) {
- error = EACCES;
- goto done;
- }
+ if (ip_fw_chk_ptr) {
+ int action;
+
+#ifdef IPDIVERT
+ action = (*ip_fw_chk_ptr)(&ip,
+ hlen, ifp, (~0 << 16) | ip_divert_ignore, &m);
+#else
+ action = (*ip_fw_chk_ptr)(&ip, hlen, ifp, (~0 << 16), &m);
#endif
+ if (action == -1) {
+ error = EACCES; /* XXX is this appropriate? */
+ goto done;
+ } else if (action != 0) {
+#ifdef IPDIVERT
+ ip_divert_port = action; /* divert to port */
+ (*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, 0);
+ goto done;
+#else
+ m_freem(m); /* ipfw says divert, but we can't */
+ goto done;
+#endif
+ }
+ }
+#endif /* COMPAT_IPFW */
/*
* If small enough for interface, can just send directly.
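Review bot: In the `#else` branch under `action != 0`, the packet is freed and control jumps to `done` without `error` being set, so as far as this hunk shows ip_output() reports success for a packet that the firewall verdict caused to be dropped; assigning a value first, e.g. `error = EACCES;` before that `goto done;`, would keep the drop visible to the caller. The `else if (action != 0)` test also treats every non-zero result other than -1 as a divert port, including other negative values, so `else if (action > 0)` followed by an explicit drop-with-error for anything else would fail closed if the checker ever returns an unexpected value. `(~0 << 16)` left-shifts a negative signed int and its meaning as the fourth argument (previously `1`) is not explained; `(~0U << 16)` or a named constant with a one-line comment on the encoding would be clearer. ip_output() begins and ends outside this hunk, so what `done` does with `m` after the divert `pr_input` call is not visible here.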