Index: sys/net/bridge.c =================================================================== RCS file: /export/freebsd/ncvs/src/sys/net/bridge.c,v retrieving revision 1.16.2.19 diff -u -r1.16.2.19 bridge.c --- sys/net/bridge.c 7 Mar 2002 09:05:47 -0000 1.16.2.19 +++ sys/net/bridge.c 17 Mar 2002 10:44:43 -0000 @@ -193,8 +193,14 @@ static int bdginit(void); static void parse_bdg_cfg(void); +static int bdg_ipf = 0; /* IPFilter enabled in bridge */ static int bdg_ipfw = 0 ; +/* + * For IPFilter, declared in ip_input.c + */ +extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **); + #if 0 /* debugging only */ static char *bdg_dst_names[] = { "BDG_NULL ", @@ -522,6 +528,9 @@ SYSCTL_INT(_net_link_ether, OID_AUTO, bridge_ipfw, CTLFLAG_RW, &bdg_ipfw,0,"Pass bridged pkts through firewall"); +SYSCTL_INT(_net_link_ether, OID_AUTO, bridge_ipf, CTLFLAG_RW, + &bdg_ipf, 0, "Pass bridged pkts through IPFilter"); + /* * The follow macro declares a variable, and maps it to * a SYSCTL_INT entry with the same name. @@ -838,7 +847,9 @@ * Additional restrictions may apply e.g. non-IP, short packets, * and pkts already gone through a pipe. */ - if (IPFW_LOADED && bdg_ipfw != 0 && src != NULL) { + if (src != NULL && + ((fr_checkp != NULL && bdg_ipf != 0) || + (IPFW_LOADED && bdg_ipfw != 0))) { struct ip *ip ; int i; 
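Review bot: The `extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);` prototype is copied into bridge.c by hand instead of coming from a header shared with ip_input.c, so the compiler can never check that this declaration, the definition in ip_input.c and the function IPFilter stores in the pointer still agree. Silent signature drift on an indirect call into the packet filter is a memory-safety problem, not a warning, and the comment "declared in ip_input.c" will go stale the first time that file moves the definition. Declare it once in the netinet header where the ipfw `ip_fw_chk_ptr` hook already lives (or the header ip_input.c uses for it), include that here, and reduce the comment to `/* IPFilter input hook, shared with ip_input.c via the header above. */`.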
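Review bot: The new `bridge_ipf` sysctl does not tell the administrator which rule set a bridged packet is matched against: the hook added later in this diff calls `fr_checkp` with the receiving interface `src` and a zero in the `out` position, so, as far as the call shows, only IPFilter "in" rules on the source interface apply and "out" rules on the destination interface never see bridged traffic, which is the same restriction the existing comment states for the ipfw hook. Since both knobs can be on at once, the order (IPFilter first, then ipfw, per the hook placement) is also worth a line. I would add above the SYSCTL_INT: `/* Applies only IPFilter "in" rules on the receiving interface; when both sysctls are set, IPFilter runs before ipfw. See bdg_forward(). */`.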
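Review bot: The combined guard `src != NULL && ((fr_checkp != NULL && bdg_ipf != 0) || (IPFW_LOADED && bdg_ipfw != 0))` fails open: with `bdg_ipf` set but `fr_checkp == NULL` (IPFilter not yet loaded, or unloaded after the sysctl was turned on) and ipfw absent, the whole filter block is skipped and the packet is bridged unfiltered, with nothing logged and the sysctl still reading 1. An operator who sets `net.link.ether.bridge_ipf=1` before the filter module is present therefore gets no indication that the bridge is wide open. The lightest fix is to make the knob honest: replace the SYSCTL_INT with a SYSCTL_PROC handler that refuses to set `bdg_ipf` while `fr_checkp` is NULL, or at minimum count the `bdg_ipf != 0 && fr_checkp == NULL` case in a statistic so it can be alarmed on. The enclosing bdg_forward() body starts before and continues after this hunk.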
@@ -870,14 +881,27 @@ NTOHS(ip->ip_off); /* + * IPFilter hook. + */ + if (fr_checkp != NULL && bdg_ipf) { + if ((*fr_checkp)(ip, ip->ip_hl << 2, src, 0, &m0) || m0 == NULL) + return m0; + ip = mtod(m0, struct ip *); + } + + /* * The third parameter to the firewall code is the dst. interface. * Since we apply checks only on input pkts we use NULL. * The firewall knows this is a bridged packet as the cookie ptr * is NULL. */ - i = ip_fw_chk_ptr(&ip, 0, NULL, NULL /* cookie */, &m0, &rule, NULL); - if ( (i & IP_FW_PORT_DENY_FLAG) || m0 == NULL) /* drop */ - return m0 ; + if (IPFW_LOADED && bdg_ipfw != 0) { + i = ip_fw_chk_ptr(&ip, 0, NULL, NULL /* cookie */, &m0, &rule, NULL); + if ( (i & IP_FW_PORT_DENY_FLAG) || m0 == NULL) /* drop */ + return m0 ; + } else + i = 0; /* Treat it as a "pass" when not using ipfw. */ + /* * If we get here, the firewall has passed the pkt, but the mbuf * pointer might have changed. Restore ip and the fields NTOHS()'d.
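Review bot: The hook hands IPFilter `ip->ip_hl << 2` straight from the wire, and nothing in this hunk checks that the header length is at least `sizeof(struct ip)` or that `ip->ip_v` is 4; ip_input.c performs both checks (and pulls the full header up to hlen) before it reaches `fr_checkp`, so the filter may reasonably assume they were done. Unless the pullup earlier in bdg_forward (outside this hunk) already bounds ip_hl, or fr_check is known to reject a bad hlen itself, add before the call `if (ip->ip_v != IPVERSION || (ip->ip_hl << 2) < sizeof(struct ip)) { m_freem(m0); return NULL; }`, returning NULL the same way the hook already does once the filter has consumed the packet. A smaller point: `fr_checkp` is dereferenced here on a second read after the guard that opened the block, so an IPFilter unload between the two reads would call through NULL; that is harmless under Giant in this tree, but a local copy of the pointer taken once at the guard would make the hook robust if the bridge is ever run without it. The enclosing bdg_forward() body starts before and continues after this hunk.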