authorJulian Elischer <julian@FreeBSD.org>1997-06-02 05:02:37 +0000
committerJulian Elischer <julian@FreeBSD.org>1997-06-02 05:02:37 +0000
commite4676ba603826ca933e03f6d4154cf8e1ea88c3c (patch)
tree1eb10ea545a2bd29353a635a423791c43b3ca089 /sys/netinet/ip_output.c
parent939c19614c3c5c2a7c657c0b6f010153258babcd (diff)
Submitted by: Whistle Communications (archie Cobbs)
These are quite extensive additions to the ipfw code. They include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections, especially TCP-related ones, and many many more ... see the man page for a complete description.
Notes
Notes: svn path=/head/; revision=26359
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r--sys/netinet/ip_output.c29
1 files changed, 13 insertions, 16 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index defc06a4d430..4401f6bf8a94 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.55 1997/04/27 20:01:07 wollman Exp $
+ * $Id: ip_output.c,v 1.56 1997/05/06 21:22:04 fenner Exp $
*/
#define _IP_VHL
@@ -357,7 +357,7 @@ sendit:
/*
* IpHack's section.
* - Xlate: translate packet's addr/port (NAT).
- * - Firewall: deny/allow
+ * - Firewall: deny/allow/etc.
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
@@ -372,27 +372,24 @@ sendit:
* Check with the firewall...
*/
if (ip_fw_chk_ptr) {
- int action;
-
#ifdef IPDIVERT
- action = (*ip_fw_chk_ptr)(&ip,
- hlen, ifp, (~0 << 16) | ip_divert_ignore, &m);
+ ip_divert_port = (*ip_fw_chk_ptr)(&ip,
+ hlen, ifp, ip_divert_ignore, &m);
ip_divert_ignore = 0;
-#else
- action = (*ip_fw_chk_ptr)(&ip, hlen, ifp, (~0 << 16), &m);
-#endif
- if (action == -1) {
- error = EACCES; /* XXX is this appropriate? */
- goto done;
- } else if (action != 0) {
-#ifdef IPDIVERT
- ip_divert_port = action; /* divert to port */
+ if (ip_divert_port) { /* Divert packet */
(*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, 0);
goto done;
+ }
#else
- m_freem(m); /* ipfw says divert, but we can't */
+ /* If ipfw says divert, we have to just drop packet */
+ if ((*ip_fw_chk_ptr)(&ip, hlen, ifp, 0, &m)) {
+ m_freem(m);
goto done;
+ }
#endif
+ if (!m) {
+ error = EACCES;
+ goto done;
}
}
#endif /* COMPAT_IPFW */
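Review bot: The divert dispatch on the `if (ip_divert_port)` line hands `m` to `pr_input` without the NULL test that the deny path relies on a few lines later — the `if (!m)` check is only reached when no divert was requested. As far as the hunk shows, the new contract is that the checker frees the mbuf and clears `*m` to signal a deny; if it can ever do that while also returning a non-zero port, or if that invariant is not stated at the callee, the divert input is entered with a NULL mbuf. Guarding the dispatch with `if (ip_divert_port && m) { /* Divert packet */` lets a cleared `m` fall through to the EACCES path instead, and a comment on the `ip_divert_port` assignment saying that a NULL `m` on return means the packet was already dropped would make the contract explicit for the next reader. The enclosing function and the `done:` label lie outside the hunk, so whether `done:` tolerates `m == NULL` cannot be confirmed here.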