authorjasoni <jasoni@cvs.openbsd.org>2001-09-29 08:02:08 +0000
committerjasoni <jasoni@cvs.openbsd.org>2001-09-29 08:02:08 +0000
commitfe1a128aa72f12a56dbdc77cb919d718687025ad (patch)
tree78ce6c519aa5d371ac36f5576fcb8cfe89c64f10 /sys/netinet6/ip6_forward.c
parentb01187e07110ae50a8269f764dd32fc0cde5c653 (diff)
filter forwarded ipv6 packets; checked by itojun, tested by
mcbride@countersiege.com
Diffstat (limited to 'sys/netinet6/ip6_forward.c')
-rw-r--r--sys/netinet6/ip6_forward.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 4cae2928d24..dab86d9c8ae 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.16 2001/07/18 09:56:49 itojun Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.17 2001/09/29 08:02:07 jasoni Exp $ */
/* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
/*
@@ -30,6 +30,8 @@
* SUCH DAMAGE.
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
@@ -53,6 +55,10 @@
#include <netinet/icmp6.h>
#include <netinet6/nd6.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#ifdef IPSEC_IPV6FWD
#include <netinet6/ipsec.h>
#include <netkey/key.h>
@@ -480,6 +486,14 @@ ip6_forward(m, srcrt)
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+#if NPF > 0
+ if (pf_test6(PF_OUT, rt->rt_ifp, &m) != PF_PASS) {
+ m_freem(m);
+ goto senderr;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+#endif
+
#ifdef OLDIP6OUTPUT
error = (*rt->rt_ifp->if_output)(rt->rt_ifp, m,
(struct sockaddr *)dst,
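Review bot: The filter-drop branch jumps to `senderr` without setting `error`, and `error` is only assigned by the `if_output` call further down, so the code after the label runs with whatever value `error` held earlier. That label is placed in front of `if (mcopy == NULL) return;` in the last hunk and the rest of that path is not shown; it is worth confirming it cannot emit an ICMPv6 error or redirect for a packet pf has just dropped, and recording the intent with a comment such as `/* dropped by pf: must not generate an ICMPv6 reply */`. Separately, `pf_test6()` is handed `&m` and `ip6` is re-derived afterwards, so the mbuf can evidently be replaced; if it can also be consumed while `PF_PASS` is returned (not visible here), add `if (m == NULL) goto senderr;` before the `mtod()`. Nothing in this branch counts the drop, which would make filtered forwards hard to tell apart from other losses when reading interface or protocol statistics. ip6_forward() begins and ends outside the hunk.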
@@ -500,6 +514,10 @@ ip6_forward(m, srcrt)
goto freecopy;
}
}
+
+#if NPF > 0
+senderr:
+#endif
if (mcopy == NULL)
return;