From 765d141c78dfb9ae7d5033ef58edbbc5cd4f9981 Mon Sep 17 00:00:00 2001
From: Juli Mallett
Date: Sat, 17 Jul 2004 02:40:13 +0000
Subject: [PATCH] Make M_SKIP_FIREWALL a global (and semantic) flag, preventing anything from using M_PROTO6 and possibly shooting someone's foot, as well as allowing the firewall to be used in multiple passes, or with a packet classifier frontend, that may need to explicitly allow a certain packet.
Presently this is handled in the ipfw_chk code as before, though I have run with it moved to upper layers, and possibly it should apply to ipfilter and pf as well, though this has not been investigated.
Discussed with: luigi, rwatson
---
 sys/netinet/ip_fw2.c | 12 ------------
 sys/sys/mbuf.h | 4 ++--
 2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 19f54caf547..0b6f754a6e4 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -85,18 +85,6 @@
 #include /* XXX for in_cksum */
-/*
- * This is used to avoid that a firewall-generated packet
- * loops forever through the firewall. Note that it must
- * be a flag that is unused by other protocols that might
- * be called from ip_output (e.g. IPsec) and it must be
- * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
- * is altered on the way through ip_output it is not lost.
- * It might be better to add an m_tag since the this happens
- * infrequently.
- */
-#define M_SKIP_FIREWALL M_PROTO6
-
 /*
  * set_disable contains one bit per set value (0..31).
  * If the bit is set, all rules with the corresponding set
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index e8b668208d7..ad443fe05a2 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -165,7 +165,7 @@ struct mbuf {
 #define M_PROTO3 0x0040 /* protocol-specific */
 #define M_PROTO4 0x0080 /* protocol-specific */
 #define M_PROTO5 0x0100 /* protocol-specific */
-#define M_PROTO6 0x4000 /* protocol-specific (avoid M_BCAST conflict) */
+#define M_SKIP_FIREWALL 0x4000 /* skip firewall processing */
 #define M_FREELIST 0x8000 /* mbuf is on the free list */
 /*
@@ -192,7 +192,7 @@ struct mbuf {
  * Flags copied when copying m_pkthdr.
  */
 #define M_COPYFLAGS (M_PKTHDR|M_EOR|M_RDONLY|M_PROTO1|M_PROTO1|M_PROTO2|\
- M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|\
+ M_PROTO3|M_PROTO4|M_PROTO5|M_SKIP_FIREWALL|\
 M_BCAST|M_MCAST|M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
 /*
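Review bot: The new `M_SKIP_FIREWALL` definition in the first hunk is documented only as `/* skip firewall processing */`, while the comment this commit deletes from ip_fw2.c was the only statement of the flag's contract: it is set on firewall-generated packets so they do not loop through the firewall, it must not share a bit with other ip_output consumers (IPsec is named there), and it must stay in M_COPYFLAGS so the bit survives m_pkthdr copies on the way through ip_output. Now that the bit means "this packet bypasses the packet filter" for every subsystem that handles an mbuf, that rationale and the ownership rule (which code is allowed to set it) belong at the definition rather than being lost with the deletion, so I would replace the one-liner with a short block comment carrying those three points. In the second hunk a comment such as `/* M_SKIP_FIREWALL must stay here: losing it on copy re-runs the firewall on firewall-generated packets */` would pin the M_COPYFLAGS dependency that the deleted comment used to state. Unrelated to this change, the context line lists `M_PROTO1` twice in M_COPYFLAGS; harmless, but worth a follow-up. The code that sets and tests the flag (ipfw_chk, per the description) is outside this diff, so its use has not been checked here.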