Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.93.2.3
retrieving revision 1.93.2.5
diff -u -p -r1.93.2.3 -r1.93.2.5
--- src/sys/netinet/ip_input.c 2000/12/08 09:18:42 1.93.2.3
+++ src/sys/netinet/ip_input.c 2001/02/11 19:17:14 1.93.2.5
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.93.2.3 2000/12/08 09:18:42 bouyer Exp $ */
+/* $NetBSD: ip_input.c,v 1.93.2.5 2001/02/11 19:17:14 bouyer Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -319,8 +319,8 @@ ip_init()
 #ifdef PFIL_HOOKS
 /* Register our Packet Filter hook. */
- inet_pfil_hook.ph_key = (void *)(u_long) AF_INET;
- inet_pfil_hook.ph_dlt = DLT_RAW;
+ inet_pfil_hook.ph_type = PFIL_TYPE_AF;
+ inet_pfil_hook.ph_af = AF_INET;
 i = pfil_head_register(&inet_pfil_hook);
 if (i != 0)
 printf("ip_init: WARNING: unable to register pfil hook, "
@@ -471,14 +471,33 @@ ip_input(struct mbuf *m)
 * Note that filters must _never_ set this flag, as another filter
 * in the list may have previously cleared it.
 */
- if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
- PFIL_IN) != 0)
- return;
- if (m == NULL)
+ /*
+ * let ipfilter look at packet on the wire,
+ * not the decapsulated packet.
+ */
+#ifdef IPSEC
+ if (!ipsec_gethist(m, NULL))
+#else
+ if (1)
+#endif
+ {
+ if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
+ PFIL_IN) != 0)
 return;
- ip = mtod(m, struct ip *);
+ if (m == NULL)
+ return;
+ ip = mtod(m, struct ip *);
+ }
 #endif /* PFIL_HOOKS */
+#ifdef ALTQ
+ /* XXX Temporary until ALTQ is changed to use a pfil hook */
+ if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0) {
+ /* packet dropped by traffic conditioner */
+ return;
+ }
+#endif
+
 /*
 * Convert fields to host representation.
 */
@@ -1444,7 +1463,7 @@ ip_forward(m, srcrt)
 #ifdef IPSEC
 /* Don't lookup socket in forwading case */
- ipsec_setsocket(m, NULL);
+ (void)ipsec_setsocket(m, NULL);
 #endif
 error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
 (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0);
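Review bot: The new comment above `if (!ipsec_gethist(m, NULL))` states the intent but not the security consequence: with IPSEC defined, any packet that carries IPsec history skips `pfil_run_hooks` entirely, so input filter rules are never evaluated against the decapsulated inner headers. I would extend the comment to say so, e.g. `/* Packets with IPsec history bypass the input hooks; policy for tunnelled traffic must come from the IPsec SPD, not from filter rules. */`, so operators do not assume inner addresses and ports are still filtered. The `#else` arm's `if (1)` exists only to keep the brace block well-formed and deserves a short `/* no IPsec: always run the hooks */` so it does not read as leftover debugging. ip_input's body starts and ends outside this hunk.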
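Review bot: The `(void)` cast on `ipsec_setsocket(m, NULL)` in ip_forward discards a result without saying why ignoring it is safe. The function's definition is not part of this diff, but if the call can fail, `ip_output` would presumably run with whatever socket association the mbuf still carries, and that association is what the forwarding path is trying to clear before IPsec policy lookup. Either check the result and drop the packet on failure, or add a comment stating the reason, e.g. `/* result ignored: clearing the socket reference cannot fail */`, if that is indeed the case. ip_forward's body starts and ends outside this hunk.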