diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@@ -853,6 +853,24 @@
 if (ip->ip_p != IPPROTO_TCP)
 goto ret;
+ /*
+ * Create a tcphdr struct starting at the correct offset
+ * in the IP packet. ip->ip_hl gives the ip header length
+ * in 4-byte words, so multiply it to get the size in bytes.
+ */
+ ip_hl = (ip->ip_hl << 2);
+ th = (struct tcphdr *)((caddr_t)ip + ip_hl);
+
+ /*
+ * Only pkts selected by the tcp port filter
+ * can be inserted into the pkt_queue
+ */
+ if ((siftr_port_filter != 0) &&
+ (siftr_port_filter != ntohs(th->th_sport)) &&
+ (siftr_port_filter != ntohs(th->th_dport))) {
+ goto ret;
+ }
+
 /*
 * If a kernel subsystem reinjects packets into the stack, our pfil
 * hook will be called multiple times for the same packet.
@@ -866,14 +884,6 @@
 else
 ss->n_out++;
- /*
- * Create a tcphdr struct starting at the correct offset
- * in the IP packet. ip->ip_hl gives the ip header length
- * in 4-byte words, so multiply it to get the size in bytes.
- */
- ip_hl = (ip->ip_hl << 2);
- th = (struct tcphdr *)((caddr_t)ip + ip_hl);
-
 /*
 * If the pfil hooks don't provide a pointer to the
 * inpcb, we need to find it ourselves and lock it.
@@ -908,15 +918,6 @@
 goto inp_unlock;
 }
- /*
- * Only pkts selected by the tcp port filter
- * can be inserted into the pkt_queue
- */
- if ((siftr_port_filter != 0) &&
- (siftr_port_filter != ntohs(inp->inp_lport)) &&
- (siftr_port_filter != ntohs(inp->inp_fport))) {
- goto inp_unlock;
- }
 pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);
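Review bot: The moved port filter reads `th->th_sport` and `th->th_dport` from the packet immediately after the `ip_p` check, and nothing in this hunk confirms that the first mbuf holds `ip_hl` bytes of IP header plus a full `struct tcphdr`. The removed filter compared `inp->inp_lport`/`inp->inp_fport`, which are kernel PCB fields rather than sender-supplied bytes, so the filter result now depends directly on that unchecked read. Unless a pullup or length check already exists earlier in the function (outside the hunk), add one before the cast, e.g. `if (FIRST_MBUF_LEN < ip_hl + sizeof(struct tcphdr)) goto ret;`, where `FIRST_MBUF_LEN` is a placeholder for the mbuf data length, which the hunk does not show. The IPv6 hunk at `@@ -1039,6 +1040,23 @@` has the same gap with `sizeof(struct ip6_hdr)` as the offset and `ret6` as the exit. The enclosing function starts and ends outside the hunk.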
@@ -1039,6 +1040,23 @@
 if (ip6->ip6_nxt != IPPROTO_TCP)
 goto ret6;
+ /*
+ * Create a tcphdr struct starting at the correct offset
+ * in the ipv6 packet.
+ */
+ ip6_hl = sizeof(struct ip6_hdr);
+ th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
+
+ /*
+ * Only pkts selected by the tcp port filter
+ * can be inserted into the pkt_queue
+ */
+ if ((siftr_port_filter != 0) &&
+ (siftr_port_filter != ntohs(th->th_sport)) &&
+ (siftr_port_filter != ntohs(th->th_dport))) {
+ goto ret6;
+ }
+
 /*
 * If a kernel subsystem reinjects packets into the stack, our pfil
 * hook will be called multiple times for the same packet.
@@ -1052,15 +1070,6 @@
 else
 ss->n_out++;
- ip6_hl = sizeof(struct ip6_hdr);
-
- /*
- * Create a tcphdr struct starting at the correct offset
- * in the ipv6 packet. ip->ip_hl gives the ip header length
- * in 4-byte words, so multiply it to get the size in bytes.
- */
- th = (struct tcphdr *)((caddr_t)ip6 + ip6_hl);
-
 /*
 * For inbound packets, the pfil hooks don't provide a pointer to the
 * inpcb, so we need to find it ourselves and lock it.
@@ -1093,15 +1102,6 @@
 goto inp_unlock6;
 }
- /*
- * Only pkts selected by the tcp port filter
- * can be inserted into the pkt_queue
- */
- if ((siftr_port_filter != 0) &&
- (siftr_port_filter != ntohs(inp->inp_lport)) &&
- (siftr_port_filter != ntohs(inp->inp_fport))) {
- goto inp_unlock6;
- }
 pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO);
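Review bot: The rewritten comment in the `@@ -1039,6 +1040,23 @@` hunk drops the stale `ip->ip_hl` sentence but does not say why `sizeof(struct ip6_hdr)` is the right offset for the TCP header. That offset is only valid because the `ip6_nxt != IPPROTO_TCP` check just above sends every packet whose first next-header is not TCP to `ret6`, which also means TCP carried behind extension headers is skipped by this hook. I would record that in the comment, e.g. `* ip6_nxt == IPPROTO_TCP here, so no extension headers precede the TCP header.` The enclosing function starts and ends outside the hunk.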