From 6714d7c75165129bf673d8329524afdb0c53c8fb Mon Sep 17 00:00:00 2001
From: Sam Leffler
Date: Mon, 24 Nov 2003 03:57:03 +0000
Subject: [PATCH] Correct a problem where ipfw-generated packets were being returned for ipfw processing w/o an indication the packets were generated by ipfw--and so should not be processed (this manifested itself as a LOR.) The flag bit in the mbuf that was used to mark the packets was not listed in M_COPYFLAGS so if a packet had a header prepended (as done by IPsec) the flag was lost. Correct this by defining a new M_PROTO6 flag and use it to mark packets that need this processing.
Reviewed by: bms
Approved by: re (rwatson)
MFC after: 2 weeks
---
 sys/netinet/ip_fw2.c | 14 +++++++++-----
 sys/sys/mbuf.h | 5 +++--
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 19799bc8ecd..a532a6d8e18 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -82,12 +82,16 @@
 #include /* XXX for in_cksum */
 /*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
+ * This is used to avoid that a firewall-generated packet
+ * loops forever through the firewall. Note that it must
+ * be a flag that is unused by other protocols that might
+ * be called from ip_output (e.g. IPsec) and it must be
+ * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
+ * is altered on the way through ip_output it is not lost.
+ * It might be better to add an m_tag since the this happens
+ * infrequently.
  */
-#ifndef M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL 0x4000
-#endif
+#define M_SKIP_FIREWALL M_PROTO6
 /*
  * set_disable contains one bit per set value (0..31).
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 2d7b1f97f3a..0b84e1f804e 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
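Review bot: In the sys/netinet/ip_fw2.c hunk, the requirement that M_SKIP_FIREWALL be one of the M_COPYFLAGS bits is recorded only in the new comment, so the mismatch this commit repairs could return unnoticed if either definition in mbuf.h is edited later. A build-time check beside the define would pin it, for example `CTASSERT((M_COPYFLAGS & M_SKIP_FIREWALL) != 0);`, assuming sys/systm.h is already in scope in this file (the include list lies outside the hunk). The comment also has a doubled word: `since the this happens` should read `since this happens`.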
@@ -153,6 +153,7 @@ struct mbuf {
 #define M_PROTO3 0x0040 /* protocol-specific */
 #define M_PROTO4 0x0080 /* protocol-specific */
 #define M_PROTO5 0x0100 /* protocol-specific */
+#define M_PROTO6 0x4000 /* protocol-specific (avoid M_BCAST conflict) */
 #define M_FREELIST 0x8000 /* mbuf is on the free list */
 /*
@@ -178,8 +179,8 @@ struct mbuf {
  * Flags copied when copying m_pkthdr.
  */
 #define M_COPYFLAGS (M_PKTHDR|M_EOR|M_RDONLY|M_PROTO1|M_PROTO1|M_PROTO2|\
- M_PROTO3|M_PROTO4|M_PROTO5|M_BCAST|M_MCAST|\
- M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
+ M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|\
+ M_BCAST|M_MCAST|M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
 /*
  * Flags indicating hw checksum support and sw checksum requirements.
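Review bot: The comment on the new `M_PROTO6` define in sys/sys/mbuf.h does not say that ipfw now depends on this bit. ip_fw2.c aliases it as M_SKIP_FIREWALL and, per the commit message, packets carrying it are not to be processed by ipfw, so a second protocol that claimed M_PROTO6 on a path into ip_output would presumably exempt its packets from the firewall rules. Recording the reservation where other authors pick a free flag would guard against that: `/* protocol-specific; ipfw M_SKIP_FIREWALL (avoid M_BCAST conflict) */`.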
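Review bot: With `M_PROTO6` added to `M_COPYFLAGS` in the second mbuf.h hunk, the skip-firewall mark now follows every packet-header copy, not only the IPsec header-prepend case the commit message describes. Nothing in this diff shows where the bit is cleared, so it is worth confirming that the flag is dropped once ipfw has honoured it; if no such step exists, something like `m->m_flags &= ~M_SKIP_FIREWALL;` at that point would keep a later copy or reuse of the mbuf from inheriting the exemption. The unchanged first line of the macro also lists `M_PROTO1` twice, which is harmless but could be tidied while this definition is being touched.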