patch-pre2.0.7 linux/net/ipv4/ip_forward.c

• Lines: 85
• Date: Sun May 19 23:40:50 1996
• Orig file: pre2.0.6/linux/net/ipv4/ip_forward.c
• Orig date: Fri May 17 15:32:20 1996

diff -u --recursive --new-file pre2.0.6/linux/net/ipv4/ip_forward.c linux/net/ipv4/ip_forward.c
@@ -12,6 +12,8 @@
  *		Dave Gregorich	:	NULL ip_rt_put fix for multicast routing.
  *		Jos Vos		:	Add call_out_firewall before sending,
  *					use output device for accounting.
+ *		Jos Vos		:	Call forward firewall after routing
+ *					(always use output device).
  */
 
 #include <linux/config.h>
@@ -105,28 +107,6 @@
 #endif /* CONFIG_IP_MASQUERADE */
 #endif /* CONFIG_FIREWALL */
 	
-	/* 
-	 *	See if we are allowed to forward this.
- 	 *	Note: demasqueraded fragments are always 'back'warded.
-	 */
-	
-#ifdef CONFIG_FIREWALL
-	if(!(is_frag&IPFWD_MASQUERADED))
-	{
-		fw_res=call_fw_firewall(PF_INET, dev, skb->h.iph);
-		switch (fw_res) {
-		case FW_ACCEPT:
-		case FW_MASQUERADE:
-			break;
-		case FW_REJECT:
-			icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, dev);
-			/* fall thru */
-		default:
-			return -1;
-		}
-	}
-#endif
-
 	/*
 	 *	According to the RFC, we must first decrease the TTL field. If
 	 *	that reaches zero, we must reply an ICMP control message telling
@@ -237,6 +217,28 @@
 	}
 #endif	
 	
+	/* 
+	 *	See if we are allowed to forward this.
+ 	 *	Note: demasqueraded fragments are always 'back'warded.
+	 */
+	
+#ifdef CONFIG_FIREWALL
+	if(!(is_frag&IPFWD_MASQUERADED))
+	{
+		fw_res=call_fw_firewall(PF_INET, dev2, iph, NULL);
+		switch (fw_res) {
+		case FW_ACCEPT:
+		case FW_MASQUERADE:
+			break;
+		case FW_REJECT:
+			icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, dev);
+			/* fall thru */
+		default:
+			return -1;
+		}
+	}
+#endif
+
 	/*
 	 * We now may allocate a new buffer, and copy the datagram into it.
 	 * If the indicated interface is up and running, kick it.
@@ -361,7 +363,7 @@
 #endif			
 		}
 #ifdef CONFIG_FIREWALL
-		if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph)) < FW_ACCEPT)
+		if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph, NULL)) < FW_ACCEPT)
 		{
 			/* FW_ACCEPT and FW_MASQUERADE are treated equal:
 			   masquerading is only supported via forward rules */
@@ -444,7 +446,7 @@
 			 *	Count mapping we shortcut
 			 */
 			 
-			ip_fw_chk(iph,dev2,ip_acct_chain,IP_FW_F_ACCEPT,1);
+			ip_fw_chk(iph,dev2,NULL,ip_acct_chain,IP_FW_F_ACCEPT,IP_FW_MODE_ACCT_OUT);
 #endif			
 			
 			/*