summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
Diffstat (limited to 'sys')
-rw-r--r--sys/net/if_bridge.c568
-rw-r--r--sys/net/if_bridge.h35
-rw-r--r--sys/sys/sockio.h6
3 files changed, 466 insertions, 143 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 961f7c2f448..51b76ba0ddc 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: if_bridge.c,v 1.24 2000/01/15 20:02:36 angelos Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.25 2000/01/25 22:06:27 jason Exp $ */
/*
- * Copyright (c) 1999 Jason L. Wright (jason@thought.net)
+ * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -104,10 +104,23 @@
extern int ifqmaxlen;
/*
+ * Bridge filtering rules
+ */
+struct brl_node {
+ SIMPLEQ_ENTRY(brl_node) brl_next; /* next rule */
+ struct ether_addr brl_src; /* source mac address */
+ struct ether_addr brl_dst; /* destination mac address */
+ u_int8_t brl_action; /* what to do with match */
+ u_int8_t brl_flags; /* comparision flags */
+};
+
+/*
* Bridge interface list
*/
struct bridge_iflist {
LIST_ENTRY(bridge_iflist) next; /* next in list */
+ SIMPLEQ_HEAD(, brl_node) bif_brlin; /* input rules */
+ SIMPLEQ_HEAD(, brl_node) bif_brlout; /* output rules */
struct ifnet *ifp; /* member interface */
u_int32_t bif_flags; /* member flags */
};
@@ -148,6 +161,7 @@ struct bridge_softc bridgectl[NBRIDGE];
void bridgeattach __P((int));
int bridge_ioctl __P((struct ifnet *, u_long, caddr_t));
void bridge_start __P((struct ifnet *));
+void bridgeintr_frame __P((struct bridge_softc *, struct mbuf *));
void bridge_broadcast __P((struct bridge_softc *, struct ifnet *,
struct ether_header *, struct mbuf *));
void bridge_stop __P((struct bridge_softc *));
@@ -166,6 +180,11 @@ struct ifnet * bridge_rtlookup __P((struct bridge_softc *,
struct ether_addr *));
u_int32_t bridge_hash __P((struct ether_addr *));
struct mbuf *bridge_blocknonip __P((struct mbuf *));
+int bridge_addrule __P((struct bridge_iflist *,
+ struct ifbrlreq *, int out));
+int bridge_flushrule __P((struct bridge_iflist *));
+int bridge_brlconf __P((struct bridge_softc *, struct ifbrlconf *));
+u_int8_t bridge_filterrule __P((struct brl_node *, struct ether_header *));
#define ETHERADDR_IS_IP_MCAST(a) \
/* struct etheraddr *a; */ \
@@ -173,6 +192,7 @@ struct mbuf *bridge_blocknonip __P((struct mbuf *));
(a)->ether_addr_octet[1] == 0x00 && \
(a)->ether_addr_octet[2] == 0x5e)
+
#if defined(INET) && (defined(IPFILTER) || defined(IPFILTER_LKM))
/*
* Filter hooks
@@ -227,6 +247,8 @@ bridge_ioctl(ifp, cmd, data)
struct ifbcachereq *bcachereq = (struct ifbcachereq *)data;
struct ifbifconf *bifconf = (struct ifbifconf *)data;
struct ifbcachetoreq *bcacheto = (struct ifbcachetoreq *)data;
+ struct ifbrlreq *brlreq = (struct ifbrlreq *)data;
+ struct ifbrlconf *brlconf = (struct ifbrlconf *)data;
struct ifreq ifreq;
int error = 0, s;
struct bridge_iflist *p;
@@ -310,6 +332,8 @@ bridge_ioctl(ifp, cmd, data)
p->ifp = ifs;
p->bif_flags = IFBIF_LEARNING | IFBIF_DISCOVER;
+ SIMPLEQ_INIT(&p->bif_brlin);
+ SIMPLEQ_INIT(&p->bif_brlout);
LIST_INSERT_HEAD(&sc->sc_iflist, p, next);
ifs->if_bridge = (caddr_t)sc;
break;
@@ -327,6 +351,7 @@ bridge_ioctl(ifp, cmd, data)
LIST_REMOVE(p, next);
bridge_rtdelete(sc, p->ifp);
+ bridge_flushrule(p);
free(p, M_DEVBUF);
break;
}
@@ -445,6 +470,70 @@ bridge_ioctl(ifp, cmd, data)
bridge_stop(sc);
break;
+ case SIOCBRDGARL:
+ if ((error = suser(prc->p_ucred, &prc->p_acflag)) != 0)
+ break;
+ ifs = ifunit(brlreq->ifbr_ifsname);
+ if (ifs == NULL) {
+ error = ENOENT;
+ break;
+ }
+ if (ifs->if_bridge == NULL ||
+ ifs->if_bridge != (caddr_t)sc) {
+ error = ESRCH;
+ break;
+ }
+ p = LIST_FIRST(&sc->sc_iflist);
+ while (p != NULL && p->ifp != ifs) {
+ p = LIST_NEXT(p, next);
+ }
+ if (p == NULL) {
+ error = ESRCH;
+ break;
+ }
+ if ((brlreq->ifbr_action != BRL_ACTION_BLOCK &&
+ brlreq->ifbr_action != BRL_ACTION_PASS) ||
+ (brlreq->ifbr_flags & (BRL_FLAG_IN|BRL_FLAG_OUT)) == 0) {
+ error = EINVAL;
+ break;
+ }
+ if (brlreq->ifbr_flags & BRL_FLAG_IN) {
+ error = bridge_addrule(p, brlreq, 0);
+ if (error)
+ break;
+ }
+ if (brlreq->ifbr_flags & BRL_FLAG_OUT) {
+ error = bridge_addrule(p, brlreq, 1);
+ if (error)
+ break;
+ }
+ break;
+ case SIOCBRDGFRL:
+ if ((error = suser(prc->p_ucred, &prc->p_acflag)) != 0)
+ break;
+ ifs = ifunit(brlreq->ifbr_ifsname);
+ if (ifs == NULL) {
+ error = ENOENT;
+ break;
+ }
+ if (ifs->if_bridge == NULL ||
+ ifs->if_bridge != (caddr_t)sc) {
+ error = ESRCH;
+ break;
+ }
+ p = LIST_FIRST(&sc->sc_iflist);
+ while (p != NULL && p->ifp != ifs) {
+ p = LIST_NEXT(p, next);
+ }
+ if (p == NULL) {
+ error = ESRCH;
+ break;
+ }
+ error = bridge_flushrule(p);
+ break;
+ case SIOCBRDGGRL:
+ error = bridge_brlconf(sc, brlconf);
+ break;
default:
error = EINVAL;
}
@@ -465,6 +554,7 @@ bridge_ifdetach(ifp)
if (bif->ifp == ifp) {
LIST_REMOVE(bif, next);
bridge_rtdelete(bsc, ifp);
+ bridge_flushrule(bif);
free(bif, M_DEVBUF);
break;
}
@@ -514,6 +604,93 @@ done:
return (error);
}
+int
+bridge_brlconf(sc, bc)
+ struct bridge_softc *sc;
+ struct ifbrlconf *bc;
+{
+ struct ifnet *ifp;
+ struct bridge_iflist *ifl;
+ struct brl_node *n;
+ struct ifbrlreq req;
+ int error = 0;
+ u_int32_t i, total;
+
+ ifp = ifunit(bc->ifbrl_ifsname);
+ if (ifp == NULL)
+ return (ENOENT);
+ if (ifp->if_bridge == NULL || ifp->if_bridge != (caddr_t)sc)
+ return (ESRCH);
+ ifl = LIST_FIRST(&sc->sc_iflist);
+ while (ifl != NULL && ifl->ifp != ifp)
+ ifl = LIST_NEXT(ifl, next);
+ if (ifl == NULL)
+ return (ESRCH);
+
+ n = SIMPLEQ_FIRST(&ifl->bif_brlin);
+ while (n != NULL) {
+ total++;
+ n = SIMPLEQ_NEXT(n, brl_next);
+ }
+ n = SIMPLEQ_FIRST(&ifl->bif_brlout);
+ while (n != NULL) {
+ total++;
+ n = SIMPLEQ_NEXT(n, brl_next);
+ }
+
+ if (bc->ifbrl_len == 0) {
+ i = total;
+ goto done;
+ }
+
+ i = 0;
+ n = SIMPLEQ_FIRST(&ifl->bif_brlin);
+ while (n != NULL && bc->ifbrl_len > i * sizeof(req)) {
+ strncpy(req.ifbr_name, sc->sc_if.if_xname,
+ sizeof(req.ifbr_name) - 1);
+ req.ifbr_name[sizeof(req.ifbr_name) - 1] = '\0';
+ strncpy(req.ifbr_ifsname, ifl->ifp->if_xname,
+ sizeof(req.ifbr_ifsname) - 1);
+ req.ifbr_ifsname[sizeof(req.ifbr_ifsname) - 1] = '\0';
+ req.ifbr_action = n->brl_action;
+ req.ifbr_flags = n->brl_flags;
+ req.ifbr_src = n->brl_src;
+ req.ifbr_dst = n->brl_dst;
+ error = copyout((caddr_t)&req,
+ (caddr_t)(bc->ifbrl_buf + (i * sizeof(req))), sizeof(req));
+ if (error)
+ goto done;
+ n = SIMPLEQ_NEXT(n, brl_next);
+ i++;
+ bc->ifbrl_len -= sizeof(req);
+ }
+
+ n = SIMPLEQ_FIRST(&ifl->bif_brlout);
+ while (n != NULL && bc->ifbrl_len > i * sizeof(req)) {
+ strncpy(req.ifbr_name, sc->sc_if.if_xname,
+ sizeof(req.ifbr_name) - 1);
+ req.ifbr_name[sizeof(req.ifbr_name) - 1] = '\0';
+ strncpy(req.ifbr_ifsname, ifl->ifp->if_xname,
+ sizeof(req.ifbr_ifsname) - 1);
+ req.ifbr_ifsname[sizeof(req.ifbr_ifsname) - 1] = '\0';
+ req.ifbr_action = n->brl_action;
+ req.ifbr_flags = n->brl_flags;
+ req.ifbr_src = n->brl_src;
+ req.ifbr_dst = n->brl_dst;
+ error = copyout((caddr_t)&req,
+ (caddr_t)(bc->ifbrl_buf + (i * sizeof(req))), sizeof(req));
+ if (error)
+ goto done;
+ n = SIMPLEQ_NEXT(n, brl_next);
+ i++;
+ bc->ifbrl_len -= sizeof(req);
+ }
+
+done:
+ bc->ifbrl_len = i * sizeof(req);
+ return (error);
+}
+
void
bridge_init(sc)
struct bridge_softc *sc;
@@ -670,171 +847,195 @@ bridge_start(ifp)
{
}
-/*
- * Loop through each bridge interface and process their input queues.
- */
void
bridgeintr(void)
{
- int i, s;
struct bridge_softc *sc;
- struct ifnet *bifp, *src_if, *dst_if;
- struct bridge_iflist *ifl;
- struct ether_addr *dst, *src;
- struct ether_header *eh;
struct mbuf *m;
+ int i, s;
for (i = 0; i < NBRIDGE; i++) {
sc = &bridgectl[i];
- bifp = &sc->sc_if;
for (;;) {
s = splimp();
- IF_DEQUEUE(&bifp->if_snd, m);
+ IF_DEQUEUE(&sc->sc_if.if_snd, m);
splx(s);
if (m == NULL)
break;
+ bridgeintr_frame(sc, m);
+ }
+ }
+}
- src_if = m->m_pkthdr.rcvif;
- if ((sc->sc_if.if_flags & IFF_RUNNING) == 0) {
- m_freem(m);
- continue;
- }
+/*
+ * Loop through each bridge interface and process their input queues.
+ */
+void
+bridgeintr_frame(sc, m)
+ struct bridge_softc *sc;
+ struct mbuf *m;
+{
+ int s;
+ struct ifnet *src_if, *dst_if;
+ struct bridge_iflist *ifl;
+ struct ether_addr *dst, *src;
+ struct ether_header *eh;
+
+ if ((sc->sc_if.if_flags & IFF_RUNNING) == 0) {
+ m_freem(m);
+ return;
+ }
+
+ src_if = m->m_pkthdr.rcvif;
#if NBPFILTER > 0
- if (sc->sc_if.if_bpf)
- bpf_mtap(sc->sc_if.if_bpf, m);
+ if (sc->sc_if.if_bpf)
+ bpf_mtap(sc->sc_if.if_bpf, m);
#endif
- sc->sc_if.if_lastchange = time;
- sc->sc_if.if_ipackets++;
- sc->sc_if.if_ibytes += m->m_pkthdr.len;
+ sc->sc_if.if_lastchange = time;
+ sc->sc_if.if_ipackets++;
+ sc->sc_if.if_ibytes += m->m_pkthdr.len;
- ifl = LIST_FIRST(&sc->sc_iflist);
- while (ifl != NULL && ifl->ifp != src_if) {
- ifl = LIST_NEXT(ifl, next);
- }
- if (ifl == NULL) {
- m_freem(m);
- continue;
- }
+ ifl = LIST_FIRST(&sc->sc_iflist);
+ while (ifl != NULL && ifl->ifp != src_if) {
+ ifl = LIST_NEXT(ifl, next);
+ }
+ if (ifl == NULL) {
+ m_freem(m);
+ return;
+ }
- if (m->m_len < sizeof(*eh)) {
- m = m_pullup(m, sizeof(*eh));
- if (m == NULL)
- continue;
- }
- eh = mtod(m, struct ether_header *);
- dst = (struct ether_addr *)&eh->ether_dhost[0];
- src = (struct ether_addr *)&eh->ether_shost[0];
-
- /*
- * If interface is learning, and if source address
- * is not broadcast or multicast, record it's address.
- */
- if ((ifl->bif_flags & IFBIF_LEARNING) &&
- (eh->ether_shost[0] & 1) == 0 &&
- !(eh->ether_shost[0] == 0 &&
- eh->ether_shost[1] == 0 &&
- eh->ether_shost[2] == 0 &&
- eh->ether_shost[3] == 0 &&
- eh->ether_shost[4] == 0 &&
- eh->ether_shost[5] == 0))
- bridge_rtupdate(sc, src, src_if, 0, IFBAF_DYNAMIC);
-
- /*
- * If packet is unicast, destined for someone on "this"
- * side of the bridge, drop it.
- */
- dst_if = bridge_rtlookup(sc, dst);
- if ((m->m_flags & (M_BCAST | M_MCAST)) == 0 &&
- dst_if == src_if) {
- m_freem(m);
- continue;
- }
+ if (m->m_len < sizeof(*eh)) {
+ m = m_pullup(m, sizeof(*eh));
+ if (m == NULL)
+ return;
+ }
+ eh = mtod(m, struct ether_header *);
+ dst = (struct ether_addr *)&eh->ether_dhost[0];
+ src = (struct ether_addr *)&eh->ether_shost[0];
- /*
- * Multicast packets get handled a little differently:
- * If interface is:
- * -link0,-link1 (default) Forward all multicast
- * as broadcast.
- * -link0,link1 Drop non-IP multicast, forward
- * as broadcast IP multicast.
- * link0,-link1 Drop IP multicast, forward as
- * broadcast non-IP multicast.
- * link0,link1 Drop all multicast.
- */
- if (m->m_flags & M_MCAST) {
- if ((sc->sc_if.if_flags &
- (IFF_LINK0 | IFF_LINK1)) ==
- (IFF_LINK0 | IFF_LINK1)) {
- m_freem(m);
- continue;
- }
- if (sc->sc_if.if_flags & IFF_LINK0 &&
- ETHERADDR_IS_IP_MCAST(dst)) {
- m_freem(m);
- continue;
- }
- if (sc->sc_if.if_flags & IFF_LINK1 &&
- !ETHERADDR_IS_IP_MCAST(dst)) {
- m_freem(m);
- continue;
- }
- }
+ /*
+ * If interface is learning, and if source address
+ * is not broadcast or multicast, record it's address.
+ */
+ if ((ifl->bif_flags & IFBIF_LEARNING) &&
+ (eh->ether_shost[0] & 1) == 0 &&
+ !(eh->ether_shost[0] == 0 &&
+ eh->ether_shost[1] == 0 &&
+ eh->ether_shost[2] == 0 &&
+ eh->ether_shost[3] == 0 &&
+ eh->ether_shost[4] == 0 &&
+ eh->ether_shost[5] == 0))
+ bridge_rtupdate(sc, src, src_if, 0, IFBAF_DYNAMIC);
- if (ifl->bif_flags & IFBIF_BLOCKNONIP) {
- m = bridge_blocknonip(m);
- if (m == NULL)
- continue;
- eh = mtod(m, struct ether_header *);
- dst = (struct ether_addr *)&eh->ether_dhost[0];
- src = (struct ether_addr *)&eh->ether_shost[0];
- }
+ /*
+ * If packet is unicast, destined for someone on "this"
+ * side of the bridge, drop it.
+ */
+ if (m->m_flags & (M_BCAST | M_MCAST)) {
+ dst_if = bridge_rtlookup(sc, dst);
+ if (dst_if == src_if) {
+ m_freem(m);
+ return;
+ }
+ } else
+ dst_if = NULL;
+
+ /*
+ * Multicast packets get handled a little differently:
+ * If interface is:
+ * -link0,-link1 (default) Forward all multicast
+ * as broadcast.
+ * -link0,link1 Drop non-IP multicast, forward
+ * as broadcast IP multicast.
+ * link0,-link1 Drop IP multicast, forward as
+ * broadcast non-IP multicast.
+ * link0,link1 Drop all multicast.
+ */
+ if (m->m_flags & M_MCAST) {
+ if ((sc->sc_if.if_flags &
+ (IFF_LINK0 | IFF_LINK1)) ==
+ (IFF_LINK0 | IFF_LINK1)) {
+ m_freem(m);
+ return;
+ }
+ if (sc->sc_if.if_flags & IFF_LINK0 &&
+ ETHERADDR_IS_IP_MCAST(dst)) {
+ m_freem(m);
+ return;
+ }
+ if (sc->sc_if.if_flags & IFF_LINK1 &&
+ !ETHERADDR_IS_IP_MCAST(dst)) {
+ m_freem(m);
+ return;
+ }
+ }
+
+ if (ifl->bif_flags & IFBIF_BLOCKNONIP) {
+ m = bridge_blocknonip(m);
+ if (m == NULL)
+ return;
+ eh = mtod(m, struct ether_header *);
+ dst = (struct ether_addr *)&eh->ether_dhost[0];
+ src = (struct ether_addr *)&eh->ether_shost[0];
+ }
+
+ if (SIMPLEQ_FIRST(&ifl->bif_brlin) &&
+ bridge_filterrule(SIMPLEQ_FIRST(&ifl->bif_brlin), eh) ==
+ BRL_ACTION_BLOCK) {
+ m_freem(m);
+ return;
+ }
#if defined(INET) && (defined(IPFILTER) || defined(IPFILTER_LKM))
- if (bridge_filter(sc, src_if, eh, &m) ==
- BRIDGE_FILTER_DROP) {
- if (m != NULL)
- m_freem(m);
- continue;
- }
+ if (bridge_filter(sc, src_if, eh, &m) == BRIDGE_FILTER_DROP) {
+ if (m != NULL)
+ m_freem(m);
+ return;
+ }
#endif
- /*
- * If the packet is a multicast or broadcast, then
- * forward it to all interfaces.
- */
- if (m->m_flags & (M_BCAST | M_MCAST)) {
- bifp->if_imcasts++;
- bridge_broadcast(sc, src_if, eh, m);
- continue;
- }
-
- if (dst_if != NULL) {
- if ((dst_if->if_flags & IFF_RUNNING) == 0) {
- m_freem(m);
- continue;
- }
- s = splimp();
- if (IF_QFULL(&dst_if->if_snd)) {
- sc->sc_if.if_oerrors++;
- m_freem(m);
- splx(s);
- continue;
- }
- sc->sc_if.if_opackets++;
- sc->sc_if.if_obytes += m->m_pkthdr.len;
- IF_ENQUEUE(&dst_if->if_snd, m);
- if ((dst_if->if_flags & IFF_OACTIVE) == 0)
- (*dst_if->if_start)(dst_if);
- splx(s);
- continue;
- }
+ /*
+ * If the packet is a multicast or broadcast OR if we don't
+ * know any better, forward it to all interfaces.
+ */
+ if ((m->m_flags & (M_BCAST | M_MCAST)) || dst_if == NULL) {
+ sc->sc_if.if_imcasts++;
+ bridge_broadcast(sc, src_if, eh, m);
+ return;
+ }
- bridge_broadcast(sc, src_if, eh, m);
- dst_if = NULL;
- }
+ /*
+ * At this point, we're dealing with a unicast frame going to a
+ * different interface
+ */
+ if ((dst_if->if_flags & IFF_RUNNING) == 0) {
+ m_freem(m);
+ return;
+ }
+ ifl = LIST_FIRST(&sc->sc_iflist);
+ while (ifl != NULL && ifl->ifp != dst_if)
+ ifl = LIST_NEXT(ifl, next);
+ if (SIMPLEQ_FIRST(&ifl->bif_brlout) &&
+ bridge_filterrule(SIMPLEQ_FIRST(&ifl->bif_brlout), eh) ==
+ BRL_ACTION_BLOCK) {
+ m_freem(m);
+ return;
}
+ s = splimp();
+ if (IF_QFULL(&dst_if->if_snd)) {
+ sc->sc_if.if_oerrors++;
+ m_freem(m);
+ splx(s);
+ return;
+ }
+ sc->sc_if.if_opackets++;
+ sc->sc_if.if_obytes += m->m_pkthdr.len;
+ IF_ENQUEUE(&dst_if->if_snd, m);
+ if ((dst_if->if_flags & IFF_OACTIVE) == 0)
+ (*dst_if->if_start)(dst_if);
+ splx(s);
}
/*
@@ -965,6 +1166,12 @@ bridge_broadcast(sc, ifp, eh, m)
continue;
}
+ if (SIMPLEQ_FIRST(&p->bif_brlout) &&
+ bridge_filterrule(SIMPLEQ_FIRST(&p->bif_brlout), eh) ==
+ BRL_ACTION_BLOCK) {
+ continue;
+ }
+
/* If last one, reuse the passed-in mbuf */
if (LIST_NEXT(p, next) == NULL) {
mc = m;
@@ -1491,6 +1698,89 @@ notip:
return (NULL);
}
+u_int8_t
+bridge_filterrule(n, eh)
+ struct brl_node *n;
+ struct ether_header *eh;
+{
+ u_int8_t flags;
+
+ for (; n != NULL; n = SIMPLEQ_NEXT(n, brl_next)) {
+ flags = n->brl_flags & (BRL_FLAG_SRCVALID|BRL_FLAG_DSTVALID);
+ if (flags == 0)
+ return (n->brl_action);
+ if (flags == (BRL_FLAG_SRCVALID|BRL_FLAG_DSTVALID)) {
+ if (bcmp(eh->ether_shost, &n->brl_src, ETHER_ADDR_LEN))
+ continue;
+ if (bcmp(eh->ether_dhost, &n->brl_src, ETHER_ADDR_LEN))
+ continue;
+ return (n->brl_action);
+ }
+ if (flags == BRL_FLAG_SRCVALID) {
+ if (bcmp(eh->ether_shost, &n->brl_src, ETHER_ADDR_LEN))
+ continue;
+ return (n->brl_action);
+ }
+ if (flags == BRL_FLAG_DSTVALID) {
+ if (bcmp(eh->ether_dhost, &n->brl_dst, ETHER_ADDR_LEN))
+ continue;
+ return (n->brl_action);
+ }
+ }
+ return (BRL_ACTION_PASS);
+}
+
+int
+bridge_addrule(bif, req, out)
+ struct bridge_iflist *bif;
+ struct ifbrlreq *req;
+ int out;
+{
+ struct brl_node *n;
+
+ n = (struct brl_node *)malloc(sizeof(struct brl_node), M_DEVBUF, M_NOWAIT);
+ if (n == NULL)
+ return (ENOMEM);
+ bcopy(&req->ifbr_src, &n->brl_src, sizeof(struct ether_addr));
+ bcopy(&req->ifbr_dst, &n->brl_dst, sizeof(struct ether_addr));
+ n->brl_action = req->ifbr_action;
+ n->brl_flags = req->ifbr_flags;
+ if (out) {
+ n->brl_flags &= ~BRL_FLAG_IN;
+ n->brl_flags |= BRL_FLAG_OUT;
+ SIMPLEQ_INSERT_TAIL(&bif->bif_brlout, n, brl_next);
+ }
+ else {
+ n->brl_flags &= ~BRL_FLAG_OUT;
+ n->brl_flags |= BRL_FLAG_IN;
+ SIMPLEQ_INSERT_TAIL(&bif->bif_brlin, n, brl_next);
+ }
+ return (0);
+}
+
+int
+bridge_flushrule(bif)
+ struct bridge_iflist *bif;
+{
+ struct brl_node *p, *q;
+
+ p = SIMPLEQ_FIRST(&bif->bif_brlin);
+ while (p != NULL) {
+ q = SIMPLEQ_NEXT(p, brl_next);
+ SIMPLEQ_REMOVE_HEAD(&bif->bif_brlin, p, brl_next);
+ free(p, M_DEVBUF);
+ p = q;
+ }
+ p = SIMPLEQ_FIRST(&bif->bif_brlout);
+ while (p != NULL) {
+ q = SIMPLEQ_NEXT(p, brl_next);
+ SIMPLEQ_REMOVE_HEAD(&bif->bif_brlout, p, brl_next);
+ free(p, M_DEVBUF);
+ p = q;
+ }
+ return (0);
+}
+
#if defined(INET) && (defined(IPFILTER) || defined(IPFILTER_LKM))
/*
diff --git a/sys/net/if_bridge.h b/sys/net/if_bridge.h
index fe6aa8e8fa1..209c6113752 100644
--- a/sys/net/if_bridge.h
+++ b/sys/net/if_bridge.h
@@ -1,7 +1,7 @@
-/* $OpenBSD: if_bridge.h,v 1.11 2000/01/10 22:18:29 angelos Exp $ */
+/* $OpenBSD: if_bridge.h,v 1.12 2000/01/25 22:06:27 jason Exp $ */
/*
- * Copyright (c) 1999 Jason L. Wright (jason@thought.net)
+ * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -42,7 +42,7 @@ struct ifbreq {
/* SIOCBRDGIFFLGS, SIOCBRDGIFFLGS */
#define IFBIF_LEARNING 0x1 /* ifs can learn */
#define IFBIF_DISCOVER 0x2 /* ifs sends packets w/unknown dest */
-#define IFBIF_BLOCKNONIP 0x04 /* ifs does not allow non-IP/ARP traffic in/out */
+#define IFBIF_BLOCKNONIP 0x04 /* ifs blocks non-IP/ARP traffic in/out */
/* SIOCBRDGFLUSH */
#define IFBF_FLUSHDYN 0x0 /* flush dynamic addresses only */
#define IFBF_FLUSHALL 0x1 /* flush all addresses from cache */
@@ -103,6 +103,35 @@ struct ifbcachetoreq {
u_int32_t ifbct_time; /* cache time (sec) */
};
+/*
+ * Bridge mac rules
+ */
+struct ifbrlreq {
+ char ifbr_name[IFNAMSIZ]; /* bridge ifs name */
+ char ifbr_ifsname[IFNAMSIZ]; /* member ifs name */
+ u_int8_t ifbr_action; /* disposition */
+ u_int8_t ifbr_flags; /* flags */
+ struct ether_addr ifbr_src; /* source mac */
+ struct ether_addr ifbr_dst; /* destination mac */
+};
+#define BRL_ACTION_BLOCK 0x01 /* block frame */
+#define BRL_ACTION_PASS 0x02 /* pass frame */
+#define BRL_FLAG_IN 0x08 /* input rule */
+#define BRL_FLAG_OUT 0x04 /* output rule */
+#define BRL_FLAG_SRCVALID 0x02 /* src valid */
+#define BRL_FLAG_DSTVALID 0x01 /* dst valid */
+
+struct ifbrlconf {
+ char ifbrl_name[IFNAMSIZ]; /* bridge ifs name */
+ char ifbrl_ifsname[IFNAMSIZ];/* member ifs name */
+ u_int32_t ifbrl_len; /* buffer size */
+ union {
+ caddr_t ifbrlu_buf;
+ struct ifbrlreq *ifbrlu_req;
+ } ifbrl_ifbrlu;
+#define ifbrl_buf ifbrl_ifbrlu.ifbrlu_buf
+#define ifbrl_req ifbrl_ifbrlu.ifbrlu_req
+};
#ifdef _KERNEL
void bridge_ifdetach __P((struct ifnet *));
diff --git a/sys/sys/sockio.h b/sys/sys/sockio.h
index 420d88fac9d..d4a3721aa76 100644
--- a/sys/sys/sockio.h
+++ b/sys/sys/sockio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sockio.h,v 1.14 2000/01/08 05:40:39 angelos Exp $ */
+/* $OpenBSD: sockio.h,v 1.15 2000/01/25 22:06:28 jason Exp $ */
/* $NetBSD: sockio.h,v 1.5 1995/08/23 00:40:47 thorpej Exp $ */
/*-
@@ -112,6 +112,10 @@
#define SIOCSENCSRCSA _IOW('i', 75, struct ifsa) /* set enc sa */
#define SIOCSENCCLEARSA _IOW('i', 76, struct ifsa) /* set enc sa */
+#define SIOCBRDGARL _IOWR('i', 77, struct ifbrlreq) /* add bridge rule */
+#define SIOCBRDGFRL _IOWR('i', 78, struct ifbrlreq) /* flush brdg rules */
+#define SIOCBRDGGRL _IOWR('i', 79, struct ifbrlconf)/* get bridge rules */
+
#define GRESADDRS _IOW('i', 101, struct ifreq)
#define GRESADDRD _IOW('i', 102, struct ifreq)
#define GREGADDRS _IOWR('i', 103, struct ifreq)