summaryrefslogtreecommitdiff
path: root/sys/netinet6
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ip6_input.c16
-rw-r--r--sys/netinet6/ip6_output.c15
2 files changed, 29 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 1ae9ff7183d..d2dd44d14f8 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.32 2001/06/27 05:50:07 kjc Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.33 2001/09/15 03:54:40 frantzen Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -65,6 +65,8 @@
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
@@ -108,6 +110,10 @@
#include "gif.h"
#include "bpfilter.h"
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
@@ -255,6 +261,14 @@ ip6_input(m)
IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /*nothing*/);
#endif
+#if NPF > 0
+ /*
+ * Packet filter
+ */
+ if (pf_test6(PF_IN, m->m_pkthdr.rcvif, &m) != PF_PASS)
+ goto bad;
+#endif
+
if (m->m_len < sizeof(struct ip6_hdr)) {
struct ifnet *inifp;
inifp = m->m_pkthdr.rcvif;
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 939533952b5..c195c1fc38a 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.49 2001/08/22 14:18:36 niklas Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.50 2001/09/15 03:54:40 frantzen Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -65,6 +65,8 @@
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
@@ -89,6 +91,10 @@
#include <netinet6/ip6_var.h>
#include <netinet6/nd6.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#ifdef IPSEC
#include <netinet/ip_ah.h>
#include <netinet/ip_esp.h>
@@ -874,6 +880,13 @@ skip_ipsec2:;
m->m_pkthdr.rcvif = NULL;
}
+#if NPF > 0
+ if (pf_test6(PF_OUT, ifp, &m) != PF_PASS) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+#endif
+
/*
* Send the packet to the outgoing interface.
* If necessary, do IPv6 fragmentation before sending.