Subject: make bridge interfaces filter IPv4 packets depend on "option INET"?
To: None <tech-net@netbsd.org>
From: Christoph Badura <bad@bsd.de>
List: tech-net
Date: 10/14/2004 22:42:24
When compiling a kernel with bridge devices and option BRIDGE_IPF, the
current behaviour is that ARP packets are passed unconditionally over the
bridge; IPv4 packets are run through the inet_pfil_hooks; if the kernel was
configured with "option INET6", IPv6 packets are run through the
inet6_pfil_hooks; and all other packets are blocked.

It seems inconsistent to me that ARP and IPv4 packets are not blocked when
the kernel isn't configured with "option INET".  Does anyone mind if I
commit the following diffs?  As a side effect, they'd avoid calling
pfil_run_hooks on an uninitialised inet_pfil_hook if the kernel isn't
configured with "option INET".

And shouldn't the code use pfil_head_get to get the pfil hook lists for
the AF_INET and AF_INET6 protocols instead of using COMMON variables?

--chris

Index: if_bridge.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_bridge.c,v
retrieving revision 1.26
diff -u -r1.26 if_bridge.c
--- if_bridge.c	6 Oct 2004 10:01:00 -0000	1.26
+++ if_bridge.c	14 Oct 2004 20:03:28 -0000
@@ -231,7 +231,9 @@
 int	bridge_ioctl_gfilt(struct bridge_softc *, void *);
 int	bridge_ioctl_sfilt(struct bridge_softc *, void *);
 static int bridge_ipf(void *, struct mbuf **, struct ifnet *, int);
+# ifdef INET
 static int bridge_ip_checkbasic(struct mbuf **mp);
+# endif /* INET */
 # ifdef INET6
 static int bridge_ip6_checkbasic(struct mbuf **mp);
 # endif /* INET6 */
@@ -1922,8 +1924,12 @@
 }
 
 #if defined(BRIDGE_IPF) && defined(PFIL_HOOKS)
+#ifdef INET
 extern struct pfil_head inet_pfil_hook;                 /* XXX */
+#endif
+#ifdef INET6
 extern struct pfil_head inet6_pfil_hook;                /* XXX */
+#endif
 
 /*
  * Send bridge packets through IPF if they are one of the types IPF can deal
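Review bot: The guards added around the two `extern` declarations are written `#ifdef INET` / `#endif` with no trailing label, while the other nested guards in this patch use the indented, labelled form (`# ifdef INET` … `# endif /* INET */`). These lines sit inside the `#if defined(BRIDGE_IPF) && defined(PFIL_HOOKS)` region, so I would write them as `# ifdef INET` / `# endif /* INET */` and `# ifdef INET6` / `# endif /* INET6 */`. The bare `# endif` that closes the `ETHERTYPE_IP` case in the later hunk at -1994 should get the same `/* INET */` label.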
@@ -1967,10 +1973,12 @@
 	 * ARP traffic.)
 	 */
 	switch (ether_type) {
+# ifdef INET
 		case ETHERTYPE_ARP:
 		case ETHERTYPE_REVARP:
 			return 0; /* Automatically pass */
 		case ETHERTYPE_IP:
+# endif /* INET */
 # ifdef INET6
 		case ETHERTYPE_IPV6:
 # endif /* INET6 */
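Review bot: The comment ending in "ARP traffic.)" above this switch still reads as if ARP is always passed, but with the new guard ARP, RARP and IPv4 frames have no case label on a kernel built without INET. The switch's default label is outside the hunk; going by the description it blocks, so a bridge with filtering enabled on such a kernel would stop forwarding IPv4 and the ARP traffic for hosts behind it. That fail-closed result looks intended, but it should be stated where it happens, e.g. `/* Without INET there is no IPv4 hook to run, so ARP/RARP/IPv4 fall to the default case. */` just before `# ifdef INET`. The function body starts and ends outside the hunk.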
@@ -1994,11 +2002,13 @@
 	 */
 	switch (ether_type)
 	{
+# ifdef INET
 	case ETHERTYPE_IP :
 		error = (dir == PFIL_IN) ? bridge_ip_checkbasic(mp) : 0;
 		if (error == 0)
 			error = pfil_run_hooks(&inet_pfil_hook, mp, ifp, dir);
 		break;
+# endif
 # ifdef INET6
 	case ETHERTYPE_IPV6 :
 		error = (dir == PFIL_IN) ? bridge_ip6_checkbasic(mp) : 0;
@@ -2041,6 +2051,7 @@
 	return error;
 }
 
+# ifdef INET
 /*
  * Perform basic checks on header size since
  * IPF assumes ip_input has already processed
@@ -2146,6 +2157,7 @@
 	*mp = m;
 	return -1;
 }
+# endif /* INET */
 
 # ifdef INET6
 /*