diff options
| author | Jason Wright <jason@cvs.openbsd.org> | 2001-07-25 03:43:42 +0000 |
|---|---|---|
| committer | Jason Wright <jason@cvs.openbsd.org> | 2001-07-25 03:43:42 +0000 |
| commit | a461320a28ef587a3e11b253153e0e71519bef40 (patch) | |
| tree | aac92470538bb0f052ad14a55b9be0c18fbc4d15 /sys | |
| parent | d67bd8974e4ca41f19e547c704834dcc0f2be6d5 (diff) | |
- unconditionalize call to bridge_input() (fewer #ifdef's and NPF>0 is default case anyway).
- add support for filtering on interface output (and call pf_test() appropriately)
What all this means: nonstateful and stateful PF filtering now works with the bridge.
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/net/if_bridge.c | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index e3b09ba0bf9..328cac741c6 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bridge.c,v 1.71 2001/07/17 20:34:51 provos Exp $ */ +/* $OpenBSD: if_bridge.c,v 1.72 2001/07/25 03:43:41 jason Exp $ */ /* * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) @@ -134,6 +134,9 @@ int bridge_addrule __P((struct bridge_iflist *, int bridge_flushrule __P((struct bridge_iflist *)); int bridge_brlconf __P((struct bridge_softc *, struct ifbrlconf *)); u_int8_t bridge_filterrule __P((struct brl_head *, struct ether_header *)); +struct mbuf *bridge_filter __P((struct bridge_softc *, int, struct ifnet *, + struct ether_header *, struct mbuf *m)); + #define ETHERADDR_IS_IP_MCAST(a) \ /* struct etheraddr *a; */ \ @@ -142,14 +145,6 @@ u_int8_t bridge_filterrule __P((struct brl_head *, struct ether_header *)); (a)->ether_addr_octet[2] == 0x5e) -#if NPF > 0 -/* - * Filter hooks - */ -struct mbuf *bridge_filter __P((struct bridge_softc *, struct ifnet *, - struct ether_header *, struct mbuf *m)); -#endif - void bridgeattach(n) int n; @@ -1043,11 +1038,9 @@ bridgeintr_frame(sc, m) return; } -#if NPF > 0 - m = bridge_filter(sc, src_if, &eh, m); + m = bridge_filter(sc, PF_IN, src_if, &eh, m); if (m == NULL) return; -#endif /* * If the packet is a multicast or broadcast OR if we don't @@ -1087,6 +1080,10 @@ bridgeintr_frame(sc, m) m_freem(m); return; } + m = bridge_filter(sc, PF_OUT, dst_if, &eh, m); + if (m == NULL) + return; + #ifdef ALTQ if (ALTQ_IS_ENABLED(&dst_if->if_snd)) altq_etherclassify(&dst_if->if_snd, m, &pktattr); @@ -1323,6 +1320,10 @@ bridge_broadcast(sc, ifp, eh, m) } } + mc = bridge_filter(sc, PF_OUT, dst_if, eh, mc); + if (mc == NULL) + continue; + #ifdef ALTQ if (ALTQ_IS_ENABLED(&dst_if->if_snd)) altq_etherclassify(&dst_if->if_snd, mc, &pktattr); @@ -1908,12 +1909,16 @@ bridge_flushrule(bif) * who've read net/if_ethersubr.c and netinet/ip_input.c */ struct mbuf * -bridge_filter(sc, ifp, eh, m) +bridge_filter(sc, dir, ifp, eh, m) struct bridge_softc *sc; + int dir; struct ifnet *ifp; struct ether_header *eh; struct mbuf *m; { +#if NPF == 0 + return (m); +#else struct llc llc; int hassnap = 0; struct ip *ip; @@ -1984,7 +1989,7 @@ bridge_filter(sc, ifp, eh, m) } /* Finally, we get to filter the packet! */ - if (pf_test(PF_IN, m->m_pkthdr.rcvif, &m) != PF_PASS) + if (pf_test(dir, m->m_pkthdr.rcvif, &m) != PF_PASS) goto dropit; /* Rebuild the IP header */ @@ -2019,5 +2024,6 @@ dropit: if (m != NULL) m_freem(m); return (NULL); +#endif /* NPF == 0 */ } #endif |