Attachment #239803 for bug #268717

Lines 135-140 SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation, Link Here

(-)b/sys/netinet/ip_input.c (+20 lines)
135	CTLFLAG_VNET \| CTLFLAG_RW, &VNET_NAME(ip_sav), true,	135	CTLFLAG_VNET \| CTLFLAG_RW, &VNET_NAME(ip_sav), true,
136	"Drop incoming packets with source address that is a local address");	136	"Drop incoming packets with source address that is a local address");
137		137
		138	VNET_DEFINE_STATIC(bool, ip_filter_local_output) = false;
		139	#define V_ip_filter_local_output VNET(ip_filter_local_output)
		140	SYSCTL_BOOL(_net_inet_ip, OID_AUTO, filter_local_output,
		141	CTLFLAG_VNET \| CTLFLAG_RW, &VNET_NAME(ip_filter_local_output), false,
		142	"Generate filter output events for packets delivered for local processing");
		143
138	VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */	144	VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */
139		145
140	static struct netisr_handler ip_nh = {	146	static struct netisr_handler ip_nh = {
Lines 810-815 ip_input(struct mbuf *m) Link Here
810	return;	816	return;
811	#endif /* IPSTEALTH */	817	#endif /* IPSTEALTH */
812		818
		819	/*
		820	* We are going to ship the packet to the local protocol stack. Call the
		821	* filter again for this 'output' action, allowing redirect-like rules
		822	* to adjust the source address.
		823	*/
		824	if (PFIL_HOOKED_OUT(V_inet_pfil_head) && V_ip_filter_local_output) {
		825	if (pfil_mbuf_out(V_inet_pfil_head, &m, V_loif, NULL) !=
		826	PFIL_PASS)
		827	return;
		828	if (m == NULL) /* consumed by filter */
		829	return;
		830	ip = mtod(m, struct ip *);
		831	}
		832
813	/*	833	/*
814	* Attempt reassembly; if it succeeds, proceed.	834	* Attempt reassembly; if it succeeds, proceed.
815	* ip_reass() will return a different mbuf.	835	* ip_reass() will return a different mbuf.

Lines 176-181 SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO, source_address_validation, Link Here

(-)b/sys/netinet6/ip6_input.c (+20 lines)
176	CTLFLAG_VNET \| CTLFLAG_RW, &VNET_NAME(ip6_sav), true,	176	CTLFLAG_VNET \| CTLFLAG_RW, &VNET_NAME(ip6_sav), true,
177	"Drop incoming packets with source address that is a local address");	177	"Drop incoming packets with source address that is a local address");
178		178
		179	VNET_DEFINE_STATIC(bool, ip6_filter_local_output) = false;
		180	#define V_ip6_filter_local_output VNET(ip6_filter_local_output)
		181	SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO, filter_local_output,
		182	CTLFLAG_VNET \| CTLFLAG_RW, &VNET_NAME(ip6_filter_local_output), false,
		183	"Generate filter output events for packets delivered for local processing");
		184
179	#ifdef RSS	185	#ifdef RSS
180	static struct netisr_handler ip6_direct_nh = {	186	static struct netisr_handler ip6_direct_nh = {
181	.nh_name = "ip6_direct",	187	.nh_name = "ip6_direct",
Lines 883-888 ip6_input(struct mbuf *m) Link Here
883	return;	889	return;
884	}	890	}
885		891
		892	/*
		893	* We are going to ship the packet to the local protocol stack. Call the
		894	* filter again for this 'output' action, allowing redirect-like rules
		895	* to adjust the source address.
		896	*/
		897	if (PFIL_HOOKED_OUT(V_inet_pfil_head) && V_ip6_filter_local_output) {
		898	if (pfil_mbuf_out(V_inet6_pfil_head, &m, V_loif, NULL) !=
		899	PFIL_PASS)
		900	return;
		901	if (m == NULL) /* consumed by filter */
		902	return;
		903	ip6 = mtod(m, struct ip6_hdr *);
		904	}
		905
886	/*	906	/*
887	* Tell launch routine the next header	907	* Tell launch routine the next header
888	*/	908	*/

Return to bug 268717