IPFW2 layer2 filtering broken - PATCH

Jeffrey Hsu hsu at freebsd.org
Mon Jan 24 11:12:11 PST 2005


Joerg Sonnenberger wrote:
On Mon, Jan 24, 2005 at 09:50:05AM -0800, Matthew Dillon wrote:

   From my read of the code, the 'eh = mtod(...)' is necessary, but 
   most of the time the returned 'm' will be the same as the passed 'm'
   so I am not surprised that you did not see any difference.


The eh = mtod() is necessary, because the ether header might not actually be
part of the passed in header. Because ether_ipfw_chk changes that by
prepending the header, it is necessary to update the pointer in the caller.
This is an interface problem.  When ether_ipfw_chk() does not modify the
mbuf, the recomputed eh pointer is incorrect because the mbuf has already
been adjusted.  An ugly workaround is something like
       if (IPFW_LOADED && ether_ipfw != 0) {
+               struct mbuf *n = m;
+
               if (!ether_ipfw_chk(&m, NULL, &rule, eh, FALSE)) {
                       m_freem(m);
                       return;
               }
-               eh = mtod(m, struct ether_header *);
+               if (m != n)
+                       eh = mtod(m, struct ether_header *);
       }
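Review bot: the new test `if (m != n)` only detects that ether_ipfw_chk() handed back a different mbuf pointer, so it silently assumes the function never changes the original mbuf in place when it prepends the header. If the same mbuf can come back with its data pointer moved, eh is left stale and nothing in these lines catches that. Please add a comment at the declaration of n stating that assumption, and note there that n is kept only for the pointer comparison and must not be dereferenced after the call, since the original mbuf may no longer be valid. Passing &eh as the 4th parameter, as proposed right after the patch, would remove the need for the caller to guess.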
Alternatively, we could change the 4th parameter to ether_ipfw_chk()
to &eh and update it inside ether_ipfw_chk().



