author | Jason Wright <jason@cvs.openbsd.org> | 2001-06-24 20:12:51 +0000 |
---|---|---|
committer | Jason Wright <jason@cvs.openbsd.org> | 2001-06-24 20:12:51 +0000 |
commit | cce28f3f21812d1d97559f73acdbd81f05f4e8d2 (patch) | |
tree | 751be61523e92a2222f0a358abb56894d7583674 /sys | |
parent | fb68fc9bebb3607b38b531eeca6c2789f7fdad13 (diff) |
pf mods for bridge; not yet tested
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/if_bridge.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 655fde475ee..502ddfd49cf 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.63 2001/06/23 07:08:51 angelos Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.64 2001/06/24 20:12:50 jason Exp $ */
 
 /*
 * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -50,6 +50,9 @@
 #include <net/if_llc.h>
 #include <net/route.h>
 #include <net/netisr.h>
+#ifdef PACKETFILTER
+#include <net/pfvar.h>
+#endif
 
 #ifdef INET
 #include <netinet/in.h>
@@ -141,7 +144,7 @@ u_int8_t bridge_filterrule __P((struct brl_head *, struct ether_header *));
 (a)->ether_addr_octet[2] == 0x5e)
 
 
-#if defined(INET) && defined(IPFILTER)
+#ifdef PACKETFILTER
 /*
 * Filter hooks
 */
@@ -1862,8 +1865,7 @@ bridge_flushrule(bif)
 return (0);
 }
 
-#if defined(INET) && defined(IPFILTER)
-
+#ifdef PACKETFILTER
 /*
 * Filter IP packets by peeking into the ethernet frame. This violates
 * the ISO model, but allows us to act as a IP filter at the data link
@@ -1880,11 +1882,9 @@ bridge_filter(sc, ifp, eh, m)
 struct llc llc;
 int hassnap = 0;
 struct ip *ip;
+ struct mbuf *m1;
 int hlen;
 
- if (fr_checkp == NULL)
- return (m);
-
 if (eh->ether_type != htons(ETHERTYPE_IP)) {
 if (eh->ether_type > ETHERMTU ||
 m->m_pkthdr.len < (LLC_SNAPFRAMELEN +
@@ -1950,10 +1950,10 @@ bridge_filter(sc, ifp, eh, m)
 }
 
 /* Finally, we get to filter the packet! */
- if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m))
- return (NULL);
- if (m == NULL) /* in case of 'fastroute' */
- return (NULL);
+ m1 = m;
+ if (pf_test(PF_IN, m->m_pkthdr.rcvif, &m1) != PF_PASS)
+ goto dropit;
+ m = m1;
 
 /* Rebuild the IP header */
 if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) |
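Review bot: The new guard `#ifdef PACKETFILTER` on the filter-hook declarations drops the INET condition that the old `#if defined(INET) && defined(IPFILTER)` carried, and the same substitution is made at the guard above bridge_filter() in the -1862 hunk. bridge_filter() declares `struct ip *ip`, and the include hunk shows the netinet headers are only pulled in under `#ifdef INET`, so a kernel configured with PACKETFILTER but without INET would presumably fail to compile here. Writing `#if defined(INET) && defined(PACKETFILTER)` at both sites keeps the old contract. The matching `#endif` lines are outside both hunks.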
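Review bot: The NULL check that followed the old filter call is gone, so if pf_test() can return PF_PASS while leaving `m1` NULL (as the old hook could in the 'fastroute' case), `m = m1;` is followed directly by the `m->m_len` test in the rebuild step and dereferences a null mbuf. On the non-pass path, `goto dropit` runs with `m` still holding the pre-filter pointer; if pf_test() has already freed or replaced the chain through `&m1`, whatever dropit does with `m` (the label is outside the hunk, presumably an m_freem) would act on a stale pointer. Moving `m = m1;` ahead of the branch and adding `if (m == NULL) return (NULL);` after it covers both cases. The call also passes `m->m_pkthdr.rcvif` where the old hook was given `ifp`; it is worth confirming that this is the interface the rules should be evaluated against. The body of bridge_filter() starts and ends outside the hunk.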