Add IP Filter hooks (from patches).

svn path=/head/; revision=22531
1997-02-10 11:45:37 +00:00 · 1997-02-10 11:45:37 +00:00 · afed1b4988 · 2020-12-20 02:59:44 +00:00
commit afed1b4988
parent 97daf05001
3 changed files with 45 additions and 0 deletions
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@ -89,6 +89,12 @@ int	tp_ctloutput(), tp_usrreq();
 void	eoninput(), eonctlinput(), eonprotoinit();
 #endif /* EON */

+#ifdef        IPFILTER
+void	iplinit();
+#define	ip_init	iplinit
+#endif
+
+
 extern	struct domain inetdomain;

 struct protosw inetsw[] = {
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -134,6 +134,12 @@ ip_nat_t *ip_nat_ptr;
 ip_nat_ctl_t *ip_nat_ctl_ptr;
 #endif

+#if defined(IPFILTER_LKM) || defined(IPFILTER)
+int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
+#endif
+
+
 /*
 * We need to save the IP options in case a protocol wants to respond
 * to an incoming packet over the same route if the packet got here
@ -341,6 +347,19 @@ ip_input(struct mbuf *m)
 		return;
 #endif

+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+    {
+	struct	mbuf	*m0 = m;
+	/*
+	 * Check if we want to allow this packet to be processed.
+	 * Consider it to be bad if not.
+	 */
+	if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0))
+		goto next;
+	ip = mtod(m = m0, struct ip *);
+    }
+#endif
+
 	/*
 	 * Process options and, if not destined for us,
 	 * ship it on.  ip_dooptions returns 1 when an
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@ -80,6 +80,12 @@ static int	ip_pcbopts __P((struct mbuf **, struct mbuf *));
 static int	ip_setmoptions
 	__P((int, struct ip_moptions **, struct mbuf *));

+#if defined(IPFILTER_LKM) || defined(IPFILTER)
+extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#endif
+
+
 extern	struct protosw inetsw[];

 /*
@ -331,6 +337,20 @@ ip_output(m0, opt, ro, flags, imo)
 		m->m_flags &= ~M_BCAST;
 	}

+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+    {
+	struct	mbuf	*m0 = m;
+	/*
+	 * looks like most checking has been done now...do a filter check
+	 */
+	if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0))
+	{
+		error = EHOSTUNREACH;
+		goto done;
+	}
+	ip = mtod(m = m0, struct ip *);
+    }
+#endif
 sendit:
        /*
 	 * IpHack's section.