Index: ip_input.c =================================================================== RCS file: /prod/cvsroot/usr.src/sys/netinet/ip_input.c,v retrieving revision 1.1.1.3 diff -c -b -r1.1.1.3 ip_input.c *** ip_input.c 1995/06/27 01:20:26 1.1.1.3 --- ip_input.c 1995/06/29 08:06:17 *************** *** 57,62 **** --- 57,66 ---- #include #include + #ifdef IPFIREWALL + #include "ip_firewall.h" + #endif + #ifndef IPFORWARDING #ifdef GATEWAY #define IPFORWARDING 1 /* forward IP packets not for us */ *************** *** 216,221 **** --- 220,231 ---- m_adj(m, ip->ip_len - m->m_pkthdr.len); } + #ifdef IPFIREWALL + if ( (m = ip_firewall_check_mbuf(m,ip_firewall_blocking_chain)) == 0 ) { + goto next; + } + ip = mtod(m, struct ip *); + #endif /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an *************** *** 230,237 **** * Check our list of addresses, to see if the packet is for us. */ for (ia = in_ifaddr.tqh_first; ia; ia = ia->ia_list.tqe_next) { ! if (ip->ip_dst.s_addr == ia->ia_addr.sin_addr.s_addr) goto ours; if ( #ifdef DIRECTED_BROADCAST ia->ia_ifp == m->m_pkthdr.rcvif && --- 240,262 ---- * Check our list of addresses, to see if the packet is for us. */ for (ia = in_ifaddr.tqh_first; ia; ia = ia->ia_list.tqe_next) { ! if (ip->ip_dst.s_addr == ia->ia_addr.sin_addr.s_addr) { ! /* one of our addresses */ ! #ifdef IP_IFADDR_ONLY ! /* ! * We are being paranoid, so only accept ! * packets to addresses belonging to the interface, ! * or packets that arrive on a loopback interface. ! */ ! if (ia->ia_ifp != m->m_pkthdr.rcvif && ! (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { ! /* someone playing games with us */ ! ipstat.ips_cantforward++; ! goto bad; ! } ! #endif goto ours; + } if ( #ifdef DIRECTED_BROADCAST ia->ia_ifp == m->m_pkthdr.rcvif && *************** *** 311,317 **** /* * Not for us; forward if possible and desirable. */ ! 
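Review bot: When `ip_firewall_check_mbuf()` returns 0, the new block in ip_input jumps to `next` without calling `m_freem(m)`, so the packet leaks unless the firewall routine itself frees a rejected chain. The `return` in the ip_forward hunk further down relies on the same assumption. That ownership rule is not stated anywhere in the visible change and deserves a comment at the call once confirmed against ip_firewall.h, e.g. `/* ip_firewall_check_mbuf() frees m and returns 0 on reject; it may hand back a different mbuf, so reload ip */`. Because `ip` is reloaded, any other local derived from the old header earlier in the function (outside this hunk) should be re-checked as well.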
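Review bot: The IP_IFADDR_ONLY test reads `m->m_pkthdr.rcvif->if_flags` with no null check, while the surrounding code only compares the `rcvif` pointer. If any path can queue a packet with no receive interface (not visible here) this branch would fault, and writing the second operand as `(m->m_pkthdr.rcvif == 0 || (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0)` would fail closed instead. The `goto bad` also fires on the first address that matches, so an address configured on two interfaces is rejected when the packet arrives on the one listed later. The drop is counted as `ips_cantforward` although the packet was addressed to this host. The address loop continues past the end of the hunk.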
if (ipforwarding == 0) { ipstat.ips_cantforward++; m_freem(m); } else --- 336,342 ---- /* * Not for us; forward if possible and desirable. */ ! if (ipforwarding <= 0) { ipstat.ips_cantforward++; m_freem(m); } else *************** *** 636,641 **** --- 661,668 ---- ip_dooptions(m) struct mbuf *m; { + #define INA struct in_ifaddr * + #define SA struct sockaddr * register struct ip *ip = mtod(m, struct ip *); register u_char *cp; register struct ip_timestamp *ipt; *************** *** 676,681 **** --- 703,713 ---- */ case IPOPT_LSRR: case IPOPT_SSRR: + #ifdef IP_NO_SRCROUTE + type = ICMP_UNREACH; + code = ICMP_UNREACH_SRCFAIL; + goto bad; + #else /* IP_NO_SRCROUTE */ if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; *************** *** 708,715 **** bcopy((caddr_t)(cp + off), (caddr_t)&ipaddr.sin_addr, sizeof(ipaddr.sin_addr)); if (opt == IPOPT_SSRR) { - #define INA struct in_ifaddr * - #define SA struct sockaddr * if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == 0) ia = (INA)ifa_ifwithnet((SA)&ipaddr); } else --- 740,745 ---- *************** *** 728,733 **** --- 758,764 ---- */ forward = !IN_MULTICAST(ip->ip_dst.s_addr); break; + #endif /* IP_NO_SRCROUTE */ case IPOPT_RR: if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { *************** *** 1008,1013 **** --- 1039,1052 ---- printf("forward: src %x dst %x ttl %x\n", ip->ip_src, ip->ip_dst, ip->ip_ttl); #endif + #ifdef IPFIREWALL + if ( (m = ip_firewall_check_mbuf(m,ip_firewall_forwarding_chain)) == 0 ) { + ipstat.ips_cantforward++; + return; + } + ip = mtod(m, struct ip *); + #endif + if (m->m_flags & M_BCAST || in_canforward(ip->ip_dst) == 0) { ipstat.ips_cantforward++; m_freem(m);
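Review bot: The change from `ipforwarding == 0` to `ipforwarding <= 0` gives negative values a meaning that nothing in the visible diff documents. If a negative setting is meant as a stricter "never forward" state, note that the LSRR/SSRR case in ip_dooptions still sets `forward` on its own when IP_NO_SRCROUTE is not defined, and whether that path consults `ipforwarding` is outside these hunks. A comment at the test, such as `/* ipforwarding: > 0 forward, 0 off, < 0 <meaning to be documented> */`, repeated next to the variable's definition, would make the intended states checkable.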
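Review bot: With IP_NO_SRCROUTE the LSRR/SSRR case sets `type = ICMP_UNREACH; code = ICMP_UNREACH_SRCFAIL;` and jumps to `bad`, which presumably sends an ICMP error to the packet's source address (the label is outside the hunk). That address is unauthenticated, so each rejected packet can trigger an ICMP reply toward a host that never sent it. The rejection also applies when this host is the final destination of the route. Consider dropping silently and counting the event instead, or state in a comment that the ICMP reply is intentional. The `#else` branch keeps the old handling and closes at the `#endif` added in a later hunk.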
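Review bot: A packet rejected by the forwarding chain is counted under `ipstat.ips_cantforward`, so policy drops cannot be told apart from ordinary unforwardable traffic. A packet rejected by the blocking chain in the ip_input hunk is not counted at all. A separate statistic for firewall rejects (new field, name to be chosen), incremented at both call sites, would give operators something to monitor and alert on. The check also runs before the `M_BCAST`/`in_canforward()` test, so the chain is consulted for packets that would be discarded anyway; moving it after that test avoids the extra work unless seeing those packets is intended. ip_forward starts and ends outside the hunk.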