author | Claudio Jeker <claudio@cvs.openbsd.org> | 2011-04-06 13:18:40 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2011-04-06 13:18:40 +0000 |
commit | 91627ea8959bf9fbfc90c2468768eecbaff96ded (patch) | |
tree | 030209d11f8bef9db2eed94c5b26fc157b21c783 /sys/net/pf_ioctl.c | |
parent | 130e0762f2855e10c5c3953aa723d8fbd4c657d9 (diff) |
Allow PF to filter on the rdomain a packet belongs to. This makes it possible to
write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
Diffstat (limited to 'sys/net/pf_ioctl.c')
-rw-r--r-- | sys/net/pf_ioctl.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 43062c18989..5d2f1ae51e2 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.237 2011/03/25 10:54:22 claudio Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.238 2011/04/06 13:18:39 claudio Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2517,8 +2517,13 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 to->os_fingerprint = from->os_fingerprint;
 to->rtableid = from->rtableid;
-if (to->rtableid > 0 && !rtable_exists(to->rtableid))
+if (to->rtableid >= 0 && !rtable_exists(to->rtableid))
 return (EBUSY);
+to->onrdomain = from->onrdomain;
+if (to->onrdomain >= 0 && !rtable_exists(to->onrdomain))
+return (EBUSY);
+if (to->onrdomain >= 0) /* make sure it is a real rdomain */
+to->onrdomain = rtable_l2(to->onrdomain);
 for (i = 0; i < PFTM_MAX; i++)
 to->timeout[i] = from->timeout[i];
|
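Review bot: The added `rtable_l2()` call silently rewrites a user-supplied `onrdomain` that names a routing table rather than a routing domain, so a rule loaded with one id is stored with a different one, whereas the `rtableid` check two lines above rejects unusable input instead of adjusting it; if only domain ids are meant to be accepted, the normalization could become a rejection in the same style as the existing check, `if (to->onrdomain >= 0 && rtable_l2(to->onrdomain) != to->onrdomain) return (EBUSY);`. Either way the two `to->onrdomain >= 0` tests can be folded into one guarded block holding both the `rtable_exists()` call and the mapping, so the comment applies to the whole step rather than to a single line. The `rtableid` test also widened from `> 0` to `>= 0`, which now consults `rtable_exists()` for table 0 as well; this looks harmless but is not covered by the commit message and deserves a word there. Whether `onrdomain` is a signed field, which the `>= 0` comparisons assume, is not visible in the hunk. `pf_rule_copyin()` begins and ends outside the hunk.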