>From my point of view it can be useful only on laptops, where you don't know exact broadcast addresses for all situations, but still want to deny/allow broadcast packets. Maybe I've missed something, then, please, correct me :)
P.S.: another idea - maybe would be better to add it as possible value for dst-ip instead of rule option
P.P.S.: before adding two "== NULL" in ip_fw2.c I had often kernel panics, even without broadcast option in ruleset. I would be very glad if someone can explain these to me.
Patch itself:
--- sys/netinet/ip_fw2.c.orig 2009-04-05 20:43:08.000000000 +0300
+++ sys/netinet/ip_fw2.c 2009-04-06 09:55:04.000000000 +0300
_at__at_ -3131,6 +3131,27 _at__at_
 mtag->m_tag_id <= p[1];
 }
 break;
+ case O_BROADCAST:
+ if (is_ipv4)
+ {
+ struct ifnet *ifp;
+ ifp=(oif ? oif : m->m_pkthdr.rcvif);
+ if (ifp == NULL ||
+ (ifp->if_flags | IFF_BROADCAST) == 0)
+ break;
+ struct ifaddr *ia;
+ TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
+ if (ia->ifa_broadaddr == NULL ||
+ ia->ifa_broadaddr->sa_family != AF_INET)
+ continue;
+ if (((struct sockaddr_in *)(ia->ifa_broadaddr))->
+ sin_addr.s_addr == dst_ip.s_addr) {
+ match=1;
+ break;
+ }
+ }
+ }
+ break;
 }
 /*
_at__at_ -3897,6 +3918,7 _at__at_
 case O_IN:
 case O_FRAG:
 case O_DIVERTED:
+ case O_BROADCAST:
 case O_IPOPT:
 case O_IPTOS:
 case O_IPPRECEDENCE:
--- sys/netinet/ip_fw.h.orig 2009-04-05 21:41:08.000000000 +0300
+++ sys/netinet/ip_fw.h 2009-04-05 21:46:23.000000000 +0300
_at__at_ -179,6 +179,8 _at__at_
 O_SETFIB, /* arg1=FIB number */
 O_FIB, /* arg1=FIB desired fib number */
+ O_BROADCAST, /* matches IP packets sent on broadcast address */
+
 O_LAST_OPCODE /* not an opcode! */
 };
--- sbin/ipfw/ipfw2.c.orig 2009-04-05 21:23:38.000000000 +0300
+++ sbin/ipfw/ipfw2.c 2009-04-06 09:25:39.000000000 +0300
_at__at_ -291,6 +291,7 _at__at_
 { "src-ipv6", TOK_SRCIP6},
 { "src-ip6", TOK_SRCIP6},
 { "//", TOK_COMMENT },
+ { "broadcast", TOK_BROADCAST},
 { "not", TOK_NOT }, /* pseudo option */
 { "!", /* escape ?
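Review bot: The interface-flag test in the new O_BROADCAST case of ip_fw2.c, `(ifp->if_flags | IFF_BROADCAST) == 0`, can never be true because IFF_BROADCAST is a non-zero bit, so point-to-point and loopback interfaces are never excluded and the ipfw.8 wording "on non-point-to-point interfaces" does not hold; it should read `if (ifp == NULL || (ifp->if_flags & IFF_BROADCAST) == 0)`. The TAILQ_FOREACH over ifp->if_addrhead appears to walk the address list without the per-interface address lock (IF_ADDR_LOCK/IF_ADDR_UNLOCK in this era's if_var.h), which is worth confirming since an address can be removed while a packet is being classified and that is the kind of race that shows up as a panic rather than a wrong match. As a style(9) point, `struct ifaddr *ia;` is declared after a statement and the `{` after `if (is_ipv4)` sits on its own line; both declarations belong at the top of the block and the brace on the if line. The enclosing switch begins and ends outside the hunk.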
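Review bot: The comment on the new O_BROADCAST enumerator in ip_fw.h, `/* matches IP packets sent on broadcast address */`, overstates what the kernel side implements: the ip_fw2.c case is guarded by `is_ipv4`, so IPv6 packets never match and the opcode takes no argument. Suggest `/* no arg; matches IPv4 pkts whose dst is a broadcast addr of the if */` so the header agrees with the implementation.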
*/ TOK_NOT }, /* pseudo option */
_at__at_ -1506,6 +1507,10 _at__at_
 print_newports((ipfw_insn_u16 *)cmd, 0, O_TAGGED);
 break;
+
+ case O_BROADCAST:
+ printf(" broadcast");
+ break;
 default:
 printf(" [opcode %d len %d]",
_at__at_ -3455,6 +3460,10 _at__at_
 ac = 0;
 break;
+ case TOK_BROADCAST:
+ fill_cmd(cmd, O_BROADCAST, 0, 0);
+ break;
+
 case TOK_TAGGED:
 if (ac > 0 && strpbrk(*av, "-,")) {
 if (!add_ports(cmd, *av, 0, O_TAGGED))
--- sbin/ipfw/ipfw2.h.orig 2009-04-05 21:23:47.000000000 +0300
+++ sbin/ipfw/ipfw2.h 2009-04-05 21:27:22.000000000 +0300
_at__at_ -141,6 +141,7 _at__at_
 TOK_ANTISPOOF,
 TOK_IPSEC,
 TOK_COMMENT,
+ TOK_BROADCAST,
 TOK_PLR,
 TOK_NOERROR,
--- sbin/ipfw/ipfw.8.orig 2009-04-06 02:10:47.000000000 +0300
+++ sbin/ipfw/ipfw.8 2009-04-06 02:13:54.000000000 +0300
_at__at_ -1135,6 +1135,8 _at__at_
 .It Cm bridged
 Alias for
 .Cm layer2 .
+.It Cm broadcast
+Matches broadcast packets on non-point-to-point interfaces.
 .It Cm diverted
 Matches only packets generated by a divert socket.
 .It Cm diverted-loopback
Received on Mon Apr 06 2009 - 10:21:20 UTC