From 781dd9ae05790c6f7821b5b6b4f209fe64b55538 Mon Sep 17 00:00:00 2001
From: Andrew Thompson
Date: Sun, 17 Sep 2006 08:20:56 +0000
Subject: [PATCH] Rearrange things so that ARP packets can be filtered or rate limited with IPFW.

Requested by: Jon Otterholm
Tested by: Jon Otterholm
---
 sys/net/if_bridge.c | 44 ++++++++++++++------------------------------
 1 file changed, 14 insertions(+), 30 deletions(-)

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index dbb75f3b826b..ca4ddf5f9e88 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -2736,34 +2736,6 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
 		}
 	}
 
-	/*
-	 * If we're trying to filter bridge traffic, don't look at anything
-	 * other than IP and ARP traffic. If the filter doesn't understand
-	 * IPv6, don't allow IPv6 through the bridge either. This is lame
-	 * since if we really wanted, say, an AppleTalk filter, we are hosed,
-	 * but of course we don't have an AppleTalk filter to begin with.
-	 * (Note that since pfil doesn't understand ARP it will pass *ALL*
-	 * ARP traffic.)
-	 */
-	switch (ether_type) {
-	case ETHERTYPE_ARP:
-	case ETHERTYPE_REVARP:
-		return (0); /* Automatically pass */
-	case ETHERTYPE_IP:
-#ifdef INET6
-	case ETHERTYPE_IPV6:
-#endif /* INET6 */
-		break;
-	default:
-		/*
-		 * Check to see if the user wants to pass non-ip
-		 * packets, these will not be checked by pfil(9) and
-		 * passed unconditionally so the default is to drop.
-		 */
-		if (pfil_onlyip)
-			goto bad;
-	}
-
 	/* Strip off the Ethernet header and keep a copy. */
 	m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2);
 	m_adj(*mp, ETHER_HDR_LEN);
@@ -2836,9 +2808,14 @@ ipfwpass:
 	error = 0;
 
 	/*
-	 * Run the packet through pfil
+	 * Run the packet through pfil. Note that since pfil doesn't understand
+	 * ARP it will pass all ARP traffic.
 	 */
 	switch (ether_type) {
+	case ETHERTYPE_ARP:
+	case ETHERTYPE_REVARP:
+		return (0); /* Automatically pass */
+
 	case ETHERTYPE_IP:
 		/*
 		 * before calling the firewall, swap fields the same as
@@ -2930,7 +2907,14 @@ ipfwpass:
 		break;
 #endif
 	default:
-		error = 0;
+		/*
+		 * Check to see if the user wants to pass non-ip
+		 * packets.
+		 */
+		if (pfil_onlyip) {
+			error = -1;
+			goto bad;
+		}
 		break;
 	}
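Review bot: The new `return (0)` for ETHERTYPE_ARP/ETHERTYPE_REVARP at the `ipfwpass:` switch hands the mbuf back after its Ethernet header has already been stripped, whereas the early return deleted in the first hunk sat ahead of the `m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2)` / `m_adj(*mp, ETHER_HDR_LEN)` pair visible in that hunk's context. Unless something between the strip and this label restores the header (nothing in the hunk does), an ARP frame that ipfw passes leaves bridge_pfil without its Ethernet header, and a SNAP-encapsulated one presumably also without its LLC header, so the caller forwards a truncated frame; the function's epilogue, where the saved `eh2` is presumably put back, is skipped by this return. Either keep the ARP/REVARP cases ahead of the header strip and move only the ipfw check, or replace the return here with `error = 0; break;` so the case falls through to the header-restoring tail like the IP cases do. bridge_pfil begins and ends outside this hunk.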
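Review bot: The replacement comment in the `default:` case loses the reason the drop is the default: the text deleted in the first hunk explained that non-IP packets are not checked by pfil(9) and would otherwise pass unconditionally, which is exactly what a reader of `if (pfil_onlyip) { error = -1; goto bad; }` needs to know. Suggest restoring it: `/* Non-IP packets are not checked by pfil(9) and would pass unconditionally, so drop them unless pfil_onlyip has been cleared. */`. The enclosing switch and the `bad:` label this jumps to are outside the hunk.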