svn commit: r198047 - user/eri/pf45/head/sys/contrib/pf/net
Ermal Luçi
eri at FreeBSD.org
Tue Oct 13 20:01:37 UTC 2009
Author: eri
Date: Tue Oct 13 20:01:37 2009
New Revision: 198047
URL: http://svn.freebsd.org/changeset/base/198047
Log:
Prevent pf(4) from handling ipfw(4) tagged packets.
This is based on the following assumption that
ipfw puts the rule number in the divert cookie
while pf itself just puts zero.
Should the same check be done in ipfw(4) divert!?
Modified:
user/eri/pf45/head/sys/contrib/pf/net/pf.c
Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c
==============================================================================
--- user/eri/pf45/head/sys/contrib/pf/net/pf.c Tue Oct 13 19:51:31 2009 (r198046)
+++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Tue Oct 13 20:01:37 2009 (r198047)
@@ -6487,8 +6487,16 @@ pf_test(int dir, struct ifnet *ifp, stru
#ifdef __FreeBSD__
if (ip_divert_ptr != NULL &&
((dvtag = m_tag_find(m, PACKET_TAG_DIVERT, NULL)) != NULL)) {
- pd.pf_mtag->flags |= PF_TAG_DIVERTED;
- m_tag_delete(m, dvtag);
+ /*
+ * Ipfw puts the rule number in the divert cookie
+ * while pf itself just puts zero.
+ * Use this fact to detect if this is pf created divert tag
+ * or ipfw one.
+ */
+ if (!divert_cookie(dvtag)) {
+ pd.pf_mtag->flags |= PF_TAG_DIVERTED;
+ m_tag_delete(m, dvtag);
+ }
} else
#endif
/* We do IP header normalization and packet reassembly here */
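Review bot: the `} else` after the new inner `if` still binds to the outer `m_tag_find()` condition, so a packet carrying a divert tag with a nonzero cookie now skips the branch introduced by the "IP header normalization and packet reassembly" comment while also not being marked `PF_TAG_DIVERTED`. If ipfw-tagged packets are meant to be processed by pf like any untagged packet, fold the cookie test into the outer condition (for example `... != NULL && !divert_cookie(dvtag)`) so they reach the else path; if skipping normalization for them is intended, say so in the comment. The comment should also state that the check depends on ipfw never storing a zero cookie, since the log message itself calls this an assumption and a zero-cookie tag from any other source would be consumed as pf's own and deleted.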