ipfw2 (was Re: Hard-coded M_* flags)
YONETANI Tomokazu
qhwt+dfly at les.ath.cx
Sun Jun 11 08:13:55 PDT 2006
On Sun, Jun 11, 2006 at 02:32:11PM +0200, joerg at xxxxxxxxxxxxxxxxx wrote:
> Can you work on a patch to put it into fw_flags instead? That would
> resolve the problem in a better way IMO.
Sure. I've replaced the kernel on my router with the patched one.
Index: sys/sys/mbuf.h
===================================================================
RCS file: /home/source/dragonfly/cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.35
diff -u -p -r1.35 mbuf.h
--- sys/sys/mbuf.h 21 May 2006 03:43:47 -0000 1.35
+++ sys/sys/mbuf.h 11 Jun 2006 12:48:27 -0000
@@ -234,6 +234,7 @@ struct mbuf {
0x00000008
#define PF_MBUF_FRAGCACHE 0x00000010
#define ALTQ_MBUF_TAGGED 0x00000020 /* altq_qid is valid */
+#define IPFW_MBUF_SKIP_FIREWALL 0x00000040
/*
* mbuf types.
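Review bot: The new IPFW_MBUF_SKIP_FIREWALL bit is the only entry in this fw_flags group without an explanatory comment, and its meaning matters: an mbuf carrying it is accepted by ipfw_chk before any rule is consulted. Document it in the style of the neighbouring ALTQ_MBUF_TAGGED line, e.g. `#define IPFW_MBUF_SKIP_FIREWALL 0x00000040 /* ipfw-generated packet; do not re-filter */`. Since fw_flags is shared between the pf, altq and ipfw bits shown here, a one-line comment in this block saying that new bits must not overlap existing allocations would help the next person adding one. The struct mbuf definition this hunk belongs to starts outside the hunk.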
Index: sys/net/ipfw/ip_fw2.c
===================================================================
RCS file: /home/source/dragonfly/cvs/src/sys/net/ipfw/ip_fw2.c,v
retrieving revision 1.17
diff -u -p -r1.17 ip_fw2.c
--- sys/net/ipfw/ip_fw2.c 17 Jun 2005 19:12:19 -0000 1.17
+++ sys/net/ipfw/ip_fw2.c 11 Jun 2006 13:01:38 -0000
@@ -78,14 +78,6 @@
#include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
/*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
- */
-#ifndef M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL 0x4000
-#endif
-
-/*
* set_disable contains one bit per set value (0..31).
* If the bit is set, all rules with the corresponding set
* are disabled. Set 31 is reserved for the default rule
@@ -1120,7 +1112,7 @@ send_pkt(struct ipfw_flow_id *id, u_int3
ip->ip_len = m->m_pkthdr.len;
bzero (&sro, sizeof (sro));
ip_rtaddr(ip->ip_dst, &sro);
- m->m_flags |= M_SKIP_FIREWALL;
+ m->m_pkthdr.fw_flags |= IPFW_MBUF_SKIP_FIREWALL;
ip_output(m, NULL, &sro, 0, NULL, NULL);
if (sro.ro_rt)
RTFREE(sro.ro_rt);
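Review bot: fw_flags lives in m_pkthdr, so `m->m_pkthdr.fw_flags |= IPFW_MBUF_SKIP_FIREWALL;` is only valid when m has M_PKTHDR set, whereas the replaced m_flags write was valid for any mbuf; the same assumption is made by the test in the ipfw_chk hunk below. From the visible lines m is already treated as a packet-header mbuf here (`m->m_pkthdr.len` is read two lines above), so a short comment stating the assumption would suffice: `/* m is a pkthdr mbuf; mark it ipfw-generated so ipfw_chk() does not filter it again */`. It is also worth confirming that no other file still tests m_flags against its own M_SKIP_FIREWALL definition now that the local one is removed, since such a check would compile but never match. send_pkt starts and ends outside the hunk.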
@@ -1296,7 +1288,7 @@ ipfw_chk(struct ip_fw_args *args)
int dyn_dir = MATCH_UNKNOWN;
ipfw_dyn_rule *q = NULL;
- if (m->m_flags & M_SKIP_FIREWALL)
+ if (m->m_pkthdr.fw_flags & IPFW_MBUF_SKIP_FIREWALL)
return 0; /* accept */
/*
* dyn_dir = MATCH_UNKNOWN when rules unchecked,
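Review bot: The early return accepts any mbuf whose fw_flags carries IPFW_MBUF_SKIP_FIREWALL without consulting a single rule, but the `/* accept */` comment does not say where the bit comes from or why bypassing is safe, and the explanatory comment that used to sit next to the old M_SKIP_FIREWALL definition is removed by this patch. Keep that rationale at the point of use: `return 0; /* accept: ipfw-generated packet (see send_pkt), must not loop back through the firewall */`. ipfw_chk starts and ends outside the hunk.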