On Sun, Jun 11, 2006 at 02:32:11PM +0200, [EMAIL PROTECTED] wrote:
> Can you work on a patch to put it into fw_flags instead? That would
> resolve the problem in a better way IMO.

Sure.  I've replaced the kernel on my router with a patched one.
Index: sys/sys/mbuf.h
===================================================================
RCS file: /home/source/dragonfly/cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.35
diff -u -p -r1.35 mbuf.h
--- sys/sys/mbuf.h      21 May 2006 03:43:47 -0000      1.35
+++ sys/sys/mbuf.h      11 Jun 2006 12:48:27 -0000
@@ -234,6 +234,7 @@ struct mbuf {
                                0x00000008
 #define        PF_MBUF_FRAGCACHE       0x00000010
 #define        ALTQ_MBUF_TAGGED        0x00000020      /* altq_qid is valid */
+#define        IPFW_MBUF_SKIP_FIREWALL 0x00000040
 
 /*
  * mbuf types.
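Review bot: The new `IPFW_MBUF_SKIP_FIREWALL` define carries no comment, although it is the fw_flags bit that makes ipfw_chk() accept a packet without evaluating any rule. The explanation that sat next to the old M_SKIP_FIREWALL in ip_fw2.c is deleted by this patch rather than moved here. I would follow the style of the ALTQ_MBUF_TAGGED line just above and append `/* ipfw-generated packet; bypasses ipfw_chk() to avoid looping */`, so that nobody sets the bit outside the firewall's own send path. The rest of the fw_flags list lies outside the hunk.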
Index: sys/net/ipfw/ip_fw2.c
===================================================================
RCS file: /home/source/dragonfly/cvs/src/sys/net/ipfw/ip_fw2.c,v
retrieving revision 1.17
diff -u -p -r1.17 ip_fw2.c
--- sys/net/ipfw/ip_fw2.c       17 Jun 2005 19:12:19 -0000      1.17
+++ sys/net/ipfw/ip_fw2.c       11 Jun 2006 13:01:38 -0000
@@ -78,14 +78,6 @@
 #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
 
 /*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
- */
-#ifndef        M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL         0x4000
-#endif
-
-/*
  * set_disable contains one bit per set value (0..31).
  * If the bit is set, all rules with the corresponding set
  * are disabled. Set 31 is reserved for the default rule
@@ -1120,7 +1112,7 @@ send_pkt(struct ipfw_flow_id *id, u_int3
        ip->ip_len = m->m_pkthdr.len;
        bzero (&sro, sizeof (sro));
        ip_rtaddr(ip->ip_dst, &sro);
-       m->m_flags |= M_SKIP_FIREWALL;
+       m->m_pkthdr.fw_flags |= IPFW_MBUF_SKIP_FIREWALL;
        ip_output(m, NULL, &sro, 0, NULL, NULL);
        if (sro.ro_rt)
                RTFREE(sro.ro_rt);
@@ -1296,7 +1288,7 @@ ipfw_chk(struct ip_fw_args *args)
        int dyn_dir = MATCH_UNKNOWN;
        ipfw_dyn_rule *q = NULL;
 
-       if (m->m_flags & M_SKIP_FIREWALL)
+       if (m->m_pkthdr.fw_flags & IPFW_MBUF_SKIP_FIREWALL)
                return 0;       /* accept */
        /*
         * dyn_dir = MATCH_UNKNOWN when rules unchecked,
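Review bot: The early `return 0` in ipfw_chk now trusts a bit in `m->m_pkthdr.fw_flags`, and nothing visible in this patch clears that bit after send_pkt() sets it and hands the mbuf to ip_output(). A packet-header field is presumably carried along when the header is copied or moved, so if that mbuf or a copy of its header is ever presented to ipfw_chk again as a different packet, it would be accepted without rule evaluation. I would confirm that fw_flags is zeroed wherever a packet header is initialised and on the receive path. I would also add a comment at the check such as `/* set only by send_pkt(); must never survive onto a received packet */`. The bodies of ipfw_chk and send_pkt continue outside their hunks.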
