Index: 3.2-sys-diffs =================================================================== RCS file: /devel/CVS/IP-Filter/OpenBSD-3/Attic/3.2-sys-diffs,v retrieving revision 1.1.2.3 retrieving revision 1.1.2.4 diff -c -r1.1.2.3 -r1.1.2.4 *** 3.2-sys-diffs 2002/12/02 13:58:51 1.1.2.3 --- 3.2-sys-diffs 2002/12/10 22:45:43 1.1.2.4 *************** *** 628,633 **** --- 628,671 ---- if (mc == NULL) continue; *************** + *** 2220,2226 **** + * We don't need to do loop detection, the + * bridge will do that for us. + */ + ! #if NFP > 0 + switch (af) { + #ifdef INET + case AF_INET: + --- 2224,2236 ---- + * We don't need to do loop detection, the + * bridge will do that for us. + */ + ! #if defined(IPFILTER) || defined(IPFILTER_LKM) + ! if (dir == BRIDGE_OUT && fr_checkp && + ! ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + ! dir, &m) || !m)) + ! return 1; + ! #endif + ! #if NPF > 0 + switch (af) { + #ifdef INET + case AF_INET: + *************** + *** 2244,2249 **** + --- 2254,2265 ---- + if (m == NULL) + return (1); + #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN && fr_checkp && + + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + + dir, &m) || !m)) + + return 1; + + #endif + #ifdef INET + if (af == AF_INET) { + ip = mtod(m, struct ip *); + *************** *** 2262,2268 **** } #endif /* IPSEC */ *************** *** 636,642 **** /* * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link ! --- 2266,2272 ---- } #endif /* IPSEC */ --- 674,680 ---- /* * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link ! --- 2278,2284 ---- } #endif /* IPSEC */ *************** *** 645,662 **** * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link *************** ! *** 2377,2382 **** ! 
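Review bot: The added `BRIDGE_IN` call `(*fr_checkp)(ip, hlen, &encif[0].sc_if, dir, &m)` in the inner hunk at 2254,2265 passes an `ip` pointer that was derived before the packet filter ran. It sits after the `#endif /* NPF */` block, which already has to handle `m == NULL`, and before the existing `ip = mtod(m, struct ip *);`. If the pf path can replace or reallocate the mbuf (not shown here, but the re-derivation that follows suggests it), `ip` may no longer point into `m` when IPFilter reads it. I would refresh the pointer first, for example `ip = mtod(m, struct ip *);` inside the `AF_INET` case immediately before the call, or move the call below the existing re-derivation. The same ordering appears in the later inner hunk at 2404,2417, where the `BRIDGE_IN` check runs between the pf block and the `/* Rebuild the IP header */` pullup. The enclosing function starts and ends outside this hunk.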
--- 2381,2390 ---- m->m_pkthdr.rcvif = ifp; ! if (pf_test(dir, ifp, &m) != PF_PASS) goto dropit; + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; + #endif ! if (m == NULL) goto dropit; #endif /* NPF */ *************** *** 2460,2466 **** m_freem(m); --- 683,752 ---- * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link *************** ! *** 2372,2377 **** ! --- 2388,2401 ---- ! return (NULL); ! #endif /* IPSEC */ ! ! + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (dir == BRIDGE_OUT) { ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; ! + if (m == NULL) ! + goto dropit; ! + } ! + #endif ! #if NPF > 0 ! /* Finally, we get to filter the packet! */ m->m_pkthdr.rcvif = ifp; ! *************** ! *** 2380,2385 **** ! --- 2404,2417 ---- ! if (m == NULL) goto dropit; + #endif /* NPF */ + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (dir == BRIDGE_IN) { ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; ! + if (m == NULL) ! + goto dropit; ! + } + #endif ! ! /* Rebuild the IP header */ ! if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) ! *************** ! *** 2423,2434 **** ! --- 2455,2482 ---- ! return (NULL); ! #endif /* IPSEC */ ! ! + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (dir == BRIDGE_OUT) { ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; ! + if (m == NULL) ! + return (NULL); ! + } ! + #endif ! #if NPF > 0 ! 
if (pf_test6(dir, ifp, &m) != PF_PASS) goto dropit; + if (m == NULL) + return (NULL); #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN) { + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) + + goto dropit; + + if (m == NULL) + + return (NULL); + + } + + #endif + + break; + } *************** *** 2460,2466 **** m_freem(m); *************** *** 666,672 **** void bridge_fragment(sc, ifp, eh, m) ! --- 2468,2474 ---- m_freem(m); return (NULL); } --- 756,762 ---- void bridge_fragment(sc, ifp, eh, m) ! --- 2508,2514 ---- m_freem(m); return (NULL); }
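Review bot: Every added call passes `dir` straight through as the hook's direction argument, as in `(*fr_checkp)(ip, hlen, ifp, dir, &m)`, while the surrounding code compares `dir` against `BRIDGE_IN` and `BRIDGE_OUT`. Those constants' values are not visible in this patch; if the hook treats the argument as a zero/non-zero "outbound" flag and `BRIDGE_IN` is non-zero, inbound frames would be matched against outbound rules. Passing an explicit flag removes the dependency, e.g. `(*fr_checkp)(ip, hlen, ifp, dir == BRIDGE_OUT, &m)`, and the calls using `&encif[0].sc_if` in the earlier hunk would need the same change. Separately, the IPv6 branch around `pf_test6` (inner hunk 2455,2482) hands the hook the same `ip` and `hlen`. It is worth confirming they are set for that case, or adding a comment such as `/* ip/hlen describe the IPv6 header here */`. The enclosing function is only partly visible in these hunks.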