diff options
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/ip6_input.c | 16 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 15 |
2 files changed, 29 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 1ae9ff7183d..d2dd44d14f8 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.32 2001/06/27 05:50:07 kjc Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.33 2001/09/15 03:54:40 frantzen Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -65,6 +65,8 @@ * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 */ +#include "pf.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/malloc.h> @@ -108,6 +110,10 @@ #include "gif.h" #include "bpfilter.h" +#if NPF > 0 +#include <net/pfvar.h> +#endif + extern struct domain inet6domain; extern struct ip6protosw inet6sw[]; @@ -255,6 +261,14 @@ ip6_input(m) IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /*nothing*/); #endif +#if NPF > 0 + /* + * Packet filter + */ + if (pf_test6(PF_IN, m->m_pkthdr.rcvif, &m) != PF_PASS) + goto bad; +#endif + if (m->m_len < sizeof(struct ip6_hdr)) { struct ifnet *inifp; inifp = m->m_pkthdr.rcvif; diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 939533952b5..c195c1fc38a 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.49 2001/08/22 14:18:36 niklas Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.50 2001/09/15 03:54:40 frantzen Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -65,6 +65,8 @@ * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 */ +#include "pf.h" + #include <sys/param.h> #include <sys/malloc.h> #include <sys/mbuf.h> @@ -89,6 +91,10 @@ #include <netinet6/ip6_var.h> #include <netinet6/nd6.h> +#if NPF > 0 +#include <net/pfvar.h> +#endif + #ifdef IPSEC #include <netinet/ip_ah.h> #include <netinet/ip_esp.h> @@ -874,6 +880,13 @@ skip_ipsec2:; m->m_pkthdr.rcvif = NULL; } +#if NPF > 0 + if (pf_test6(PF_OUT, ifp, &m) != PF_PASS) { + error = EHOSTUNREACH; + goto done; + } +#endif + /* * Send the packet to the outgoing interface. * If necessary, do IPv6 fragmentation before sending. |