PERFORCE change 143921 for review
Gleb Kurtsou
gk at FreeBSD.org
Sun Jun 22 17:13:26 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=143921
Change 143921 by gk at gk_h1 on 2008/06/22 17:12:47
When performing filtering on the bridge interface, mark packets as received from the bridge
interface. Without this hack ipfw can't distinguish filtering on the bridge from
filtering on a member interface.
Note. Possibly there are similar bugs in the tree. The generic fix is to change
ipfw's handling of interfaces the way other firewalls do, but this will make
rules like this meaningless:
allow from any to any out recv if1 xmit if2
Affected files ...
.. //depot/projects/soc2008/gk_l2filter/sys-net/if_bridge.c#6 edit
Differences ...
==== //depot/projects/soc2008/gk_l2filter/sys-net/if_bridge.c#6 (text+ko) ====
@@ -2998,8 +2998,25 @@
break;
if (pfil_bridge && dir == PFIL_IN && bifp != NULL)
+#ifdef IPFIREWALL
+ {
+ /*
+ * Mark packets as received from bridge interface.
+ * Without this hack ipfw can't distinguish filtering
+ * on bridge from filtering on member interface.
+ */
+ struct ifnet *orig_rcvif;
+
+ orig_rcvif = (*mp)->m_pkthdr.rcvif;
+ (*mp)->m_pkthdr.rcvif = bifp;
+#endif
error = pfil_run_hooks(&inet_pfil_hook, mp, bifp,
dir, NULL);
+#ifdef IPFIREWALL
+ if (*mp)
+ (*mp)->m_pkthdr.rcvif = orig_rcvif;
+ }
+#endif
if (*mp == NULL || error != 0) /* filter may consume */
break;
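Review bot: The restore at `if (*mp) (*mp)->m_pkthdr.rcvif = orig_rcvif;` only runs while the mbuf is still owned by this function, so a packet that a hook consumes (queued, diverted, or otherwise taken out of `*mp`) leaves with `rcvif` permanently pointing at the bridge instead of the member interface it arrived on; what the reinjection path later does with that field is outside this hunk, but the comment should at least say the original rcvif is not recoverable in that case. The override is also visible to every consumer of `inet_pfil_hook`, not only ipfw, while the `#ifdef IPFIREWALL` guard presumably compiles it out when ipfw is loaded as a module rather than built in, so the fix depends on kernel configuration rather than on whether ipfw is present; a runtime condition would be more predictable. The same 17-line block is duplicated in the hunk at `@@ -3052,8 +3069,25 @@` with `{` and `}` in separate `#ifdef` regions, which is fragile to edit; factoring the save/override and restore into a small static helper pair would keep the two paths in step. The enclosing function starts and ends outside the hunk.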
@@ -3052,8 +3069,25 @@
break;
if (pfil_bridge && dir == PFIL_IN && bifp != NULL)
+#ifdef IPFIREWALL
+ {
+ /*
+ * Mark packets as received from bridge interface.
+ * Without this hack ipfw can't distinguish filtering
+ * on bridge from filtering on member interface.
+ */
+ struct ifnet *orig_rcvif;
+
+ orig_rcvif = (*mp)->m_pkthdr.rcvif;
+ (*mp)->m_pkthdr.rcvif = bifp;
+#endif
error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp,
dir, NULL);
+#ifdef IPFIREWALL
+ if (*mp)
+ (*mp)->m_pkthdr.rcvif = orig_rcvif;
+ }
+#endif
break;
#endif
default: