authorKjell Wooding <kjell@cvs.openbsd.org>2001-06-24 19:49:00 +0000
committerKjell Wooding <kjell@cvs.openbsd.org>2001-06-24 19:49:00 +0000
commit6b7e146b5046259ba9faa9444114b5c4c18070fe (patch)
tree6769ac6a79b4a0c4a79698115a952bc6f6a41909 /sys/netinet
parent4d339188d7d3d36098d08968a138bb031f00562d (diff)
Initial import of pf, an all-new ipf-compatible packet filter.
Insane amounts of work done by dhartmei. Great work!
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_input.c13
-rw-r--r--sys/netinet/ip_output.c13
2 files changed, 24 insertions, 2 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 78a1e5d2a97..abe015b0fd7 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.83 2001/06/24 18:24:56 provos Exp $ */
+/* $OpenBSD: ip_input.c,v 1.84 2001/06/24 19:48:58 kjell Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -48,6 +48,7 @@
#include <net/if.h>
#include <net/if_dl.h>
#include <net/route.h>
+#include <net/pfvar.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -377,6 +378,16 @@ ipv4_input(m)
}
/*
+ * Packet filter
+ */
+ {
+ struct mbuf *m1 = m;
+ if (pf_test(PF_IN, m->m_pkthdr.rcvif, &m1) != PF_PASS)
+ goto bad;
+ ip = mtod(m = m1, struct ip *);
+ }
+
+ /*
* Process options and, if not destined for us,
* ship it on. ip_dooptions returns 1 when an
* error was detected (causing an icmp message
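Review bot: Both the drop path and the pass path in the added block rely on an mbuf ownership contract for pf_test() that the hunk does not state. The call is handed `&m1`, but `goto bad` runs with the original `m`, so if pf_test() frees or replaces the chain before returning something other than PF_PASS, the `bad` label (outside this hunk, presumably freeing `m`) would act on a stale pointer. On the pass path, `mtod(m = m1, struct ip *)` dereferences `m1` without checking that it is still non-NULL. I would pass `&m` directly, add a NULL check before the `mtod`, and, once the contract is confirmed, document it with a comment such as `/* pf_test() may replace *m; on != PF_PASS the caller still owns and frees the mbuf */`. The same `m1` pattern appears in the ip_output.c hunk at `sendit:`.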
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 3a5b2e85452..73a3d71295f 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.113 2001/06/24 18:24:11 provos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.114 2001/06/24 19:48:58 kjell Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -47,6 +47,7 @@
#include <net/if.h>
#include <net/route.h>
+#include <net/pfvar.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -641,6 +642,16 @@ sendit:
}
#endif /* IPSEC */
+ /*
+ * Packet filter
+ */
+ {
+ struct mbuf *m1 = m;
+ if (pf_test(PF_OUT, ifp, &m1) != PF_PASS)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+
/* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
if (m->m_pkthdr.csum & M_TCPV4_CSUM_OUT &&
!(ifp->if_capabilities & IFCAP_CSUM_TCPv4)) {
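Review bot: A packet rejected by the filter leaves through `goto done` rather than an error path, and nothing in the added block sets `error` or frees `m`. If `done` (outside this hunk) only releases the route and returns `error`, the caller is told the send succeeded, and the mbuf is leaked unless pf_test() already freed it. In that second case the `goto bad` in the ip_input.c hunk would presumably free it again. The two call sites should agree on who frees. If the caller owns the mbuf, something like `error = EHOSTUNREACH; m_freem(m); goto done;` makes the drop explicit and visible to the sender.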