ipfw2 (was Re: Hard-coded M_* flags)

YONETANI Tomokazu qhwt+dfly at les.ath.cx
Sun Jun 11 08:13:55 PDT 2006


On Sun, Jun 11, 2006 at 02:32:11PM +0200, joerg at xxxxxxxxxxxxxxxxx wrote:
> Can you work on a patch to put it into fw_flags instead? That would
> resolve the problem in a better way IMO.

Sure.  I've replaced the kernel on my router with the patched one.
Index: sys/sys/mbuf.h
===================================================================
RCS file: /home/source/dragonfly/cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.35
diff -u -p -r1.35 mbuf.h
--- sys/sys/mbuf.h	21 May 2006 03:43:47 -0000	1.35
+++ sys/sys/mbuf.h	11 Jun 2006 12:48:27 -0000
@@ -234,6 +234,7 @@ struct mbuf {
 				0x00000008
 #define	PF_MBUF_FRAGCACHE	0x00000010
 #define	ALTQ_MBUF_TAGGED	0x00000020	/* altq_qid is valid */
+#define	IPFW_MBUF_SKIP_FIREWALL	0x00000040
 
 /*
  * mbuf types.
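Review bot: The new IPFW_MBUF_SKIP_FIREWALL definition carries no comment, while the neighbouring ALTQ_MBUF_TAGGED does, and the explanatory comment this same patch deletes from ip_fw2.c ("used to avoid that a firewall-generated packet loops forever through the firewall") is not moved here with it. A reader of fw_flags therefore cannot tell that this bit makes ipfw_chk accept the packet without evaluating any rule. Suggest `#define	IPFW_MBUF_SKIP_FIREWALL	0x00000040	/* ipfw-generated pkt; bypasses ipfw_chk */` so the intent survives the move.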
Index: sys/net/ipfw/ip_fw2.c
===================================================================
RCS file: /home/source/dragonfly/cvs/src/sys/net/ipfw/ip_fw2.c,v
retrieving revision 1.17
diff -u -p -r1.17 ip_fw2.c
--- sys/net/ipfw/ip_fw2.c	17 Jun 2005 19:12:19 -0000	1.17
+++ sys/net/ipfw/ip_fw2.c	11 Jun 2006 13:01:38 -0000
@@ -78,14 +78,6 @@
 #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
 
 /*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
- */
-#ifndef	M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL         0x4000
-#endif
-
-/*
  * set_disable contains one bit per set value (0..31).
  * If the bit is set, all rules with the corresponding set
  * are disabled. Set 31 is reserved for the default rule
@@ -1120,7 +1112,7 @@ send_pkt(struct ipfw_flow_id *id, u_int3
 	ip->ip_len = m->m_pkthdr.len;
 	bzero (&sro, sizeof (sro));
 	ip_rtaddr(ip->ip_dst, &sro);
-	m->m_flags |= M_SKIP_FIREWALL;
+	m->m_pkthdr.fw_flags |= IPFW_MBUF_SKIP_FIREWALL;
 	ip_output(m, NULL, &sro, 0, NULL, NULL);
 	if (sro.ro_rt)
 		RTFREE(sro.ro_rt);
@@ -1296,7 +1288,7 @@ ipfw_chk(struct ip_fw_args *args)
 	int dyn_dir = MATCH_UNKNOWN;
 	ipfw_dyn_rule *q = NULL;
 
-	if (m->m_flags & M_SKIP_FIREWALL)
+	if (m->m_pkthdr.fw_flags & IPFW_MBUF_SKIP_FIREWALL)
 		return 0;	/* accept */
 	/*
 	 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
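Review bot: The early `return 0` on the new line accepts any packet whose m_pkthdr.fw_flags has the IPFW_MBUF_SKIP_FIREWALL bit set, so the check is only as safe as the guarantee that fw_flags is zero for every packet not produced by send_pkt. The hunk does not show where fw_flags is initialised on allocation or whether m_copy/m_dup-style duplication carries it across; it is worth confirming that header zeroing covers this field and that no other subsystem writes this bit, since a stale or inherited value would skip all filtering. A short comment at the check, `/* generated by send_pkt(); never re-filter our own packets */`, would make the trust assumption explicit. ipfw_chk begins outside the hunk.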



