From fe1a128aa72f12a56dbdc77cb919d718687025ad Mon Sep 17 00:00:00 2001
From: jasoni
Date: Sat, 29 Sep 2001 08:02:08 +0000
Subject: filter forwarded ipv6 packets; checked by itojun, tested by mcbride@countersiege.com
---
 sys/netinet6/ip6_forward.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
(limited to 'sys/netinet6/ip6_forward.c')
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 4cae2928d24..dab86d9c8ae 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.16 2001/07/18 09:56:49 itojun Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.17 2001/09/29 08:02:07 jasoni Exp $ */
 /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
 /*
@@ -30,6 +30,8 @@
 * SUCH DAMAGE.
 */
+#include "pf.h"
+
 #include
 #include
 #include
@@ -53,6 +55,10 @@
 #include
 #include
+#if NPF > 0
+#include
+#endif
+
 #ifdef IPSEC_IPV6FWD
 #include
 #include
@@ -480,6 +486,14 @@ ip6_forward(m, srcrt)
 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
 ip6->ip6_dst.s6_addr16[1] = 0;
+#if NPF > 0
+ if (pf_test6(PF_OUT, rt->rt_ifp, &m) != PF_PASS) {
+ m_freem(m);
+ goto senderr;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+#endif
+
 #ifdef OLDIP6OUTPUT
 error = (*rt->rt_ifp->if_output)(rt->rt_ifp, m,
 (struct sockaddr *)dst,
@@ -500,6 +514,10 @@ ip6_forward(m, srcrt)
 goto freecopy;
 }
 }
+
+#if NPF > 0
+senderr:
+#endif
 if (mcopy == NULL)
 return;
-- 
cgit v1.2.3
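Review bot: In the `#if NPF > 0` block of the `@@ -480` hunk, `ip6 = mtod(m, struct ip6_hdr *);` dereferences `m` right after `pf_test6(PF_OUT, rt->rt_ifp, &m)` returns `PF_PASS`, with no check that the mbuf pointer is still valid. The mbuf is passed by address and `ip6` is reloaded afterwards, so the filter can presumably replace it; if it can also leave `m` as `NULL` while returning `PF_PASS`, this is a NULL dereference in the forwarding path, which handles packets from the network. Adding `if (m == NULL) goto senderr;` before the `mtod()` line would make the contract explicit. The drop branch also never sets `error`, so what the code after the `senderr:` label (added in the `@@ -500` hunk) does with a filtered packet depends on lines outside both hunks. A comment at the `goto` such as `/* rejected by pf: error is left unchanged on purpose */`, if that is the intent, would settle it for the next reader.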