[Midnightbsd-cvs] src [8462] trunk: remove the IPFIREWALL_FOWARD kernel option and make it possible to turn on via sysctl.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sun Sep 18 18:01:30 EDT 2016
Revision: 8462
http://svnweb.midnightbsd.org/src/?rev=8462
Author: laffer1
Date: 2016-09-18 18:01:30 -0400 (Sun, 18 Sep 2016)
Log Message:
-----------
remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on via sysctl.
Modified Paths:
--------------
trunk/sbin/ipfw/ipfw.8
trunk/share/man/man4/ipfirewall.4
trunk/sys/conf/NOTES
trunk/sys/conf/options
trunk/sys/netinet/ip_fastfwd.c
trunk/sys/netinet/ip_input.c
trunk/sys/netinet/ip_output.c
trunk/sys/netinet/ip_var.h
trunk/sys/netinet/tcp_input.c
trunk/sys/netinet/udp_usrreq.c
trunk/sys/netinet6/ip6_forward.c
trunk/sys/netinet6/ip6_input.c
trunk/sys/netinet6/ip6_output.c
trunk/sys/netinet6/ip6_var.h
trunk/sys/netinet6/udp6_usrreq.c
trunk/sys/netpfil/ipfw/ip_fw2.c
trunk/sys/netpfil/ipfw/ip_fw_pfil.c
trunk/sys/netpfil/ipfw/ip_fw_sockopt.c
Modified: trunk/sbin/ipfw/ipfw.8
===================================================================
--- trunk/sbin/ipfw/ipfw.8 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sbin/ipfw/ipfw.8 2016-09-18 22:01:30 UTC (rev 8462)
@@ -1,7 +1,7 @@
.\"
.\" $MidnightBSD$
.\"
-.Dd July 3, 2012
+.Dd October 25, 2012
.Dt IPFW 8
.Os
.Sh NAME
@@ -764,11 +764,6 @@
.Xr netstat 1
entry look rather weird but is intended for
use with transparent proxy servers.
-.Pp
-To enable
-.Cm fwd
-a custom kernel needs to be compiled with the option
-.Cd "options IPFIREWALL_FORWARD" .
.It Cm nat Ar nat_nr | tablearg
Pass packet to a
nat instance
Modified: trunk/share/man/man4/ipfirewall.4
===================================================================
--- trunk/share/man/man4/ipfirewall.4 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/share/man/man4/ipfirewall.4 2016-09-18 22:01:30 UTC (rev 8462)
@@ -1,7 +1,7 @@
.\"
.\" $MidnightBSD$
.\"
-.Dd September 1, 2006
+.Dd October 25, 2012
.Dt IPFW 4
.Os
.Sh NAME
@@ -21,7 +21,6 @@
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
-.Cd "options IPFIREWALL_FORWARD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Ed
@@ -72,12 +71,6 @@
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
.Pp
-Policy routing and transparent forwarding features of
-.Nm
-can be enabled by
-.Dv IPFIREWALL_FORWARD
-kernel option.
-.Pp
The user interface for
.Nm
is implemented by the
Modified: trunk/sys/conf/NOTES
===================================================================
--- trunk/sys/conf/NOTES 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/conf/NOTES 2016-09-18 22:01:30 UTC (rev 8462)
@@ -906,12 +906,6 @@
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''. It
# depends on IPFIREWALL if compiled into the kernel.
#
-# IPFIREWALL_FORWARD enables changing of the packet destination either
-# to do some sort of policy routing or transparent proxying. Used by
-# ``ipfw forward''. All redirections apply to locally generated
-# packets too. Because of this great care is required when
-# crafting the ruleset.
-#
# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
# LIBALIAS.
#
@@ -928,7 +922,6 @@
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
-options IPFIREWALL_FORWARD #packet destination changes
options IPFIREWALL_NAT #ipfw kernel nat support
options IPDIVERT #divert sockets
options IPFILTER #ipfilter support
Modified: trunk/sys/conf/options
===================================================================
--- trunk/sys/conf/options 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/conf/options 2016-09-18 22:01:30 UTC (rev 8462)
@@ -407,7 +407,7 @@
IPFILTER_LOOKUP opt_ipfilter.h
IPFIREWALL opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
-IPFIREWALL_FORWARD opt_ipfw.h
+IPFIREWALL_FORWARD
IPFIREWALL_NAT opt_ipfw.h
IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
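Review bot: `IPFIREWALL_FORWARD` is still a recognised option after this hunk, only without its `opt_ipfw.h` target, although the log message says the option is removed and no `#ifdef IPFIREWALL_FORWARD` survives in the hunks shown. A kernel config that still carries `options IPFIREWALL_FORWARD` will presumably keep building, with the option silently doing nothing. If that is deliberate for backward compatibility, a comment above the entry such as `# IPFIREWALL_FORWARD is obsolete; ipfw fwd is always compiled in` would save the next reader from hunting for its consumers; otherwise drop the line.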
Modified: trunk/sys/netinet/ip_fastfwd.c
===================================================================
--- trunk/sys/netinet/ip_fastfwd.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet/ip_fastfwd.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -167,9 +167,7 @@
u_short sum, ip_len;
int error = 0;
int hlen, mtu;
-#ifdef IPFIREWALL_FORWARD
- struct m_tag *fwd_tag;
-#endif
+ struct m_tag *fwd_tag = NULL;
/*
* Are we active and forwarding packets?
@@ -378,7 +376,7 @@
* Go on with new destination address
*/
}
-#ifdef IPFIREWALL_FORWARD
+
if (m->m_flags & M_FASTFWD_OURS) {
/*
* ipfw changed it for a local address on this host.
@@ -385,7 +383,6 @@
*/
goto forwardlocal;
}
-#endif /* IPFIREWALL_FORWARD */
passin:
/*
@@ -455,20 +452,13 @@
/*
* Destination address changed?
*/
-#ifndef IPFIREWALL_FORWARD
- if (odest.s_addr != dest.s_addr) {
-#else
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
+ if (m->m_flags & M_IP_NEXTHOP)
+ fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
-#endif /* IPFIREWALL_FORWARD */
/*
* Is it now for a local address on this host?
*/
-#ifndef IPFIREWALL_FORWARD
- if (in_localip(dest)) {
-#else
if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) {
-#endif /* IPFIREWALL_FORWARD */
forwardlocal:
/*
* Return packet for processing by ip_input().
@@ -483,13 +473,12 @@
/*
* Redo route lookup with new destination address
*/
-#ifdef IPFIREWALL_FORWARD
if (fwd_tag) {
dest.s_addr = ((struct sockaddr_in *)
(fwd_tag + 1))->sin_addr.s_addr;
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
}
-#endif /* IPFIREWALL_FORWARD */
RTFREE(ro.ro_rt);
if ((dst = ip_findroute(&ro, dest, m)) == NULL)
return NULL; /* icmp unreach already sent */
Modified: trunk/sys/netinet/ip_input.c
===================================================================
--- trunk/sys/netinet/ip_input.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet/ip_input.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -516,22 +516,22 @@
dchg = (odst.s_addr != ip->ip_dst.s_addr);
ifp = m->m_pkthdr.rcvif;
-#ifdef IPFIREWALL_FORWARD
if (m->m_flags & M_FASTFWD_OURS) {
m->m_flags &= ~M_FASTFWD_OURS;
goto ours;
}
- if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
- /*
- * Directly ship the packet on. This allows forwarding
- * packets originally destined to us to some other directly
- * connected host.
- */
- ip_forward(m, dchg);
- return;
+ if (m->m_flags & M_IP_NEXTHOP) {
+ dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+ if (dchg != 0) {
+ /*
+ * Directly ship the packet on. This allows
+ * forwarding packets originally destined to us
+ * to some other directly connected host.
+ */
+ ip_forward(m, 1);
+ return;
+ }
}
-#endif /* IPFIREWALL_FORWARD */
-
passin:
/*
* Process options and, if not destined for us,
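Review bot: The new `dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);` overwrites the `dchg` computed from `odst` at the top of this hunk, so a packet that carries `M_IP_NEXTHOP` without a forward tag reaches `passin` with `dchg` reset to 0 even if a filter rewrote the destination. The branch already calls `ip_forward(m, 1)` with a constant, so the assignment is not needed. Testing `if ((m->m_flags & M_IP_NEXTHOP) && m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {` around the existing body would leave `dchg` untouched and match the form used in ip6_input.c. Whether a flag without a tag can occur, and how `dchg` is used later, depends on code outside the hunk; the enclosing function starts and ends outside it.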
Modified: trunk/sys/netinet/ip_output.c
===================================================================
--- trunk/sys/netinet/ip_output.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet/ip_output.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -129,9 +129,7 @@
struct route iproute;
struct rtentry *rte; /* cache for ro->ro_rt */
struct in_addr odst;
-#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag = NULL;
-#endif
#ifdef IPSEC
int no_route_but_check_spd = 0;
#endif
@@ -216,11 +214,7 @@
ro->ro_lle = NULL;
rte = NULL;
}
-#ifdef IPFIREWALL_FORWARD
if (rte == NULL && fwd_tag == NULL) {
-#else
- if (rte == NULL) {
-#endif
bzero(dst, sizeof(*dst));
dst->sin_family = AF_INET;
dst->sin_len = sizeof(*dst);
@@ -541,7 +535,6 @@
}
}
-#ifdef IPFIREWALL_FORWARD
/* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
if (m->m_flags & M_FASTFWD_OURS) {
if (m->m_pkthdr.rcvif == NULL)
@@ -562,17 +555,17 @@
goto done;
}
/* Or forward to some other address? */
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag) {
+ if ((m->m_flags & M_IP_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
dst = (struct sockaddr_in *)&ro->ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags &= ~M_IP_NEXTHOP;
m_tag_delete(m, fwd_tag);
if (ia != NULL)
ifa_free(&ia->ia_ifa);
goto again;
}
-#endif /* IPFIREWALL_FORWARD */
passout:
/* 127/8 must not appear on wire - RFC1122. */
Modified: trunk/sys/netinet/ip_var.h
===================================================================
--- trunk/sys/netinet/ip_var.h 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet/ip_var.h 2016-09-18 22:01:30 UTC (rev 8462)
@@ -162,6 +162,7 @@
* mbuf flag used by ip_fastfwd
*/
#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
+#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
#ifdef __NO_STRICT_ALIGNMENT
#define IP_HDR_ALIGNED_P(ip) 1
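Review bot: The block comment above these defines still reads `mbuf flag used by ip_fastfwd`, but `M_IP_NEXTHOP` is set in ip_fw_pfil.c and tested in ip_input.c, ip_output.c, tcp_input.c and udp_usrreq.c in this same commit. I would reword it along the lines of `/* mbuf flags private to the IPv4 stack; M_IP_NEXTHOP is set by ipfw fwd and cleared by whoever consumes the PACKET_TAG_IPFORWARD tag */`. It is also worth stating there that the flag only gates the `m_tag_find()` call and the tag remains the source of truth, since every consumer in the diff checks both.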
Modified: trunk/sys/netinet/tcp_input.c
===================================================================
--- trunk/sys/netinet/tcp_input.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet/tcp_input.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -581,9 +581,7 @@
uint8_t sig_checked = 0;
#endif
uint8_t iptos = 0;
-#ifdef IPFIREWALL_FORWARD
- struct m_tag *fwd_tag;
-#endif
+ struct m_tag *fwd_tag = NULL;
#ifdef INET6
struct ip6_hdr *ip6 = NULL;
int isipv6;
@@ -797,15 +795,13 @@
}
#endif
-#ifdef IPFIREWALL_FORWARD
/*
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
*/
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-#endif /* IPFIREWALL_FORWARD */
+ if (m->m_flags & M_IP_NEXTHOP)
+ fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
#ifdef INET6
-#ifdef IPFIREWALL_FORWARD
if (isipv6 && fwd_tag != NULL) {
struct sockaddr_in6 *next_hop6;
@@ -831,9 +827,8 @@
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
- } else
-#endif /* IPFIREWALL_FORWARD */
- if (isipv6) {
+ m->m_flags &= ~M_IP_NEXTHOP;
+ } else if (isipv6) {
inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
th->th_sport, &ip6->ip6_dst, th->th_dport,
INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB,
@@ -844,7 +839,6 @@
else
#endif
#ifdef INET
-#ifdef IPFIREWALL_FORWARD
if (fwd_tag != NULL) {
struct sockaddr_in *next_hop;
@@ -870,8 +864,8 @@
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
} else
-#endif /* IPFIREWALL_FORWARD */
inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
th->th_sport, ip->ip_dst, th->th_dport,
INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB,
Modified: trunk/sys/netinet/udp_usrreq.c
===================================================================
--- trunk/sys/netinet/udp_usrreq.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet/udp_usrreq.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -341,9 +341,7 @@
int len;
struct ip save_ip;
struct sockaddr_in udp_in;
-#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag;
-#endif
ifp = m->m_pkthdr.rcvif;
UDPSTAT_INC(udps_ipackets);
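Review bot: `fwd_tag` is left uninitialised here, while ip_fastfwd.c and tcp_input.c in this commit switch the same declaration to `struct m_tag *fwd_tag = NULL;`. The later udp_usrreq.c hunk only reads it inside the branch where the assignment in the condition has succeeded, so nothing is wrong today. The lookup is now skipped whenever `M_IP_NEXTHOP` is clear, though, so any future read outside that branch would see an indeterminate pointer. Initialising to NULL here and in the matching declarations in ip6_forward.c, ip6_output.c and udp6_usrreq.c keeps the files consistent; the function body lies outside this hunk.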
@@ -546,12 +544,12 @@
/*
* Locate pcb for datagram.
*/
-#ifdef IPFIREWALL_FORWARD
+
/*
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
*/
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag != NULL) {
+ if ((m->m_flags & M_IP_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
struct sockaddr_in *next_hop;
next_hop = (struct sockaddr_in *)(fwd_tag + 1);
@@ -576,8 +574,8 @@
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
} else
-#endif /* IPFIREWALL_FORWARD */
inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport,
ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD |
INPLOOKUP_RLOCKPCB, ifp, m);
Modified: trunk/sys/netinet6/ip6_forward.c
===================================================================
--- trunk/sys/netinet6/ip6_forward.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet6/ip6_forward.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -108,9 +108,7 @@
#ifdef SCTP
int sw_csum;
#endif
-#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag;
-#endif
char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
#ifdef IPSEC
@@ -359,9 +357,7 @@
dst->sin6_len = sizeof(struct sockaddr_in6);
dst->sin6_family = AF_INET6;
dst->sin6_addr = ip6->ip6_dst;
-#ifdef IPFIREWALL_FORWARD
again2:
-#endif
rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
if (rin6.ro_rt != NULL)
RT_UNLOCK(rin6.ro_rt);
@@ -596,7 +592,6 @@
goto again; /* Redo the routing table lookup. */
}
-#ifdef IPFIREWALL_FORWARD
/* See if local, if yes, send it to netisr. */
if (m->m_flags & M_FASTFWD_OURS) {
if (m->m_pkthdr.rcvif == NULL)
@@ -614,15 +609,15 @@
goto out;
}
/* Or forward to some other address? */
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
dst = (struct sockaddr_in6 *)&rin6.ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags &= ~M_IP6_NEXTHOP;
m_tag_delete(m, fwd_tag);
goto again2;
}
-#endif /* IPFIREWALL_FORWARD */
pass:
error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
Modified: trunk/sys/netinet6/ip6_input.c
===================================================================
--- trunk/sys/netinet6/ip6_input.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet6/ip6_input.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -626,7 +626,6 @@
ip6 = mtod(m, struct ip6_hdr *);
srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
-#ifdef IPFIREWALL_FORWARD
if (m->m_flags & M_FASTFWD_OURS) {
m->m_flags &= ~M_FASTFWD_OURS;
ours = 1;
@@ -633,7 +632,8 @@
deliverifp = m->m_pkthdr.rcvif;
goto hbhcheck;
}
- if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
/*
* Directly ship the packet on. This allows forwarding
* packets originally destined to us to some other directly
@@ -642,7 +642,6 @@
ip6_forward(m, 1);
goto out;
}
-#endif /* IPFIREWALL_FORWARD */
passin:
/*
Modified: trunk/sys/netinet6/ip6_output.c
===================================================================
--- trunk/sys/netinet6/ip6_output.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet6/ip6_output.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -257,9 +257,7 @@
int segleft_org = 0;
struct secpolicy *sp = NULL;
#endif /* IPSEC */
-#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag;
-#endif
ip6 = mtod(m, struct ip6_hdr *);
if (ip6 == NULL) {
@@ -915,7 +913,6 @@
goto again; /* Redo the routing table lookup. */
}
-#ifdef IPFIREWALL_FORWARD
/* See if local, if yes, send it to netisr. */
if (m->m_flags & M_FASTFWD_OURS) {
if (m->m_pkthdr.rcvif == NULL)
@@ -933,15 +930,15 @@
goto done;
}
/* Or forward to some other address? */
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
dst = (struct sockaddr_in6 *)&ro->ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags &= ~M_IP6_NEXTHOP;
m_tag_delete(m, fwd_tag);
goto again;
}
-#endif /* IPFIREWALL_FORWARD */
passout:
/*
Modified: trunk/sys/netinet6/ip6_var.h
===================================================================
--- trunk/sys/netinet6/ip6_var.h 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet6/ip6_var.h 2016-09-18 22:01:30 UTC (rev 8462)
@@ -285,6 +285,8 @@
#define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
#define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
+#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
+
#ifdef __NO_STRICT_ALIGNMENT
#define IP6_HDR_ALIGNED_P(ip) 1
#else
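Review bot: `M_IP6_NEXTHOP` is defined as the same bit (`M_PROTO2`) as `M_IP_NEXTHOP` in ip_var.h, and both families share the `PACKET_TAG_IPFORWARD` tag id, so neither the flag nor the tag type tells an IPv6 consumer which address family the payload holds. ip6_forward.c and ip6_output.c copy `sizeof(struct sockaddr_in6)` out of `(fwd_tag+1)` unconditionally. That is safe only if a tag carrying a `struct sockaddr_in` can never be attached to a packet on the IPv6 path, which the hunks shown do not establish. A comment here stating that invariant, or a guard in the consumers such as `fwd_tag->m_tag_len >= sizeof(struct sockaddr_in6)` before the `bcopy`, would make the assumption checkable. The copy itself predates this commit.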
Modified: trunk/sys/netinet6/udp6_usrreq.c
===================================================================
--- trunk/sys/netinet6/udp6_usrreq.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netinet6/udp6_usrreq.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -182,9 +182,7 @@
int off = *offp;
int plen, ulen;
struct sockaddr_in6 fromsa;
-#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag;
-#endif
uint16_t uh_sum;
ifp = m->m_pkthdr.rcvif;
@@ -393,12 +391,12 @@
/*
* Locate pcb for datagram.
*/
-#ifdef IPFIREWALL_FORWARD
+
/*
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
*/
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag != NULL) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
struct sockaddr_in6 *next_hop6;
next_hop6 = (struct sockaddr_in6 *)(fwd_tag + 1);
@@ -424,8 +422,8 @@
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP6_NEXTHOP;
} else
-#endif /* IPFIREWALL_FORWARD */
inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src,
uh->uh_sport, &ip6->ip6_dst, uh->uh_dport,
INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB,
Modified: trunk/sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- trunk/sys/netpfil/ipfw/ip_fw2.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netpfil/ipfw/ip_fw2.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -61,6 +61,7 @@
#include <net/if.h>
#include <net/route.h>
#include <net/pf_mtag.h>
+#include <net/pfil.h>
#include <net/vnet.h>
#include <netinet/in.h>
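Review bot: The added `#include <net/pfil.h>` has no visible user, because the only other ip_fw2.c hunk in this commit deletes text from the startup message. If nothing else in the file needs pfil declarations, the include is presumably left over from a variant that consulted a pfil sysctl and can be dropped. The rest of the file is outside the diff, so this needs confirming against the full source.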
@@ -2532,12 +2533,6 @@
"(+ipv6) "
#endif
"initialized, divert %s, nat %s, "
- "rule-based forwarding "
-#ifdef IPFIREWALL_FORWARD
- "enabled, "
-#else
- "disabled, "
-#endif
"default to %s, logging ",
#ifdef IPDIVERT
"enabled",
Modified: trunk/sys/netpfil/ipfw/ip_fw_pfil.c
===================================================================
--- trunk/sys/netpfil/ipfw/ip_fw_pfil.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netpfil/ipfw/ip_fw_pfil.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -153,7 +153,7 @@
/* next_hop may be set by ipfw_chk */
if (args.next_hop == NULL && args.next_hop6 == NULL)
break; /* pass */
-#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET))
+#if (!defined(INET6) && !defined(INET))
ret = EACCES;
#else
{
@@ -193,6 +193,7 @@
bcopy(args.next_hop6, (fwd_tag+1), len);
if (in6_localip(&args.next_hop6->sin6_addr))
(*m0)->m_flags |= M_FASTFWD_OURS;
+ (*m0)->m_flags |= M_IP6_NEXTHOP;
}
#endif
#ifdef INET
@@ -200,11 +201,12 @@
bcopy(args.next_hop, (fwd_tag+1), len);
if (in_localip(args.next_hop->sin_addr))
(*m0)->m_flags |= M_FASTFWD_OURS;
+ (*m0)->m_flags |= M_IP_NEXTHOP;
}
#endif
m_tag_prepend(*m0, fwd_tag);
}
-#endif /* IPFIREWALL_FORWARD */
+#endif /* INET || INET6 */
break;
case IP_FW_DENY:
Modified: trunk/sys/netpfil/ipfw/ip_fw_sockopt.c
===================================================================
--- trunk/sys/netpfil/ipfw/ip_fw_sockopt.c 2016-09-18 21:59:55 UTC (rev 8461)
+++ trunk/sys/netpfil/ipfw/ip_fw_sockopt.c 2016-09-18 22:01:30 UTC (rev 8462)
@@ -710,23 +710,14 @@
goto check_action;
case O_FORWARD_IP:
-#ifdef IPFIREWALL_FORWARD
if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
goto bad_size;
goto check_action;
-#else
- return EINVAL;
-#endif
-
#ifdef INET6
case O_FORWARD_IP6:
-#ifdef IPFIREWALL_FORWARD
if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6))
goto bad_size;
goto check_action;
-#else
- return (EINVAL);
-#endif
#endif /* INET6 */
case O_DIVERT:
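Review bot: With the `#else return EINVAL` arms gone, `O_FORWARD_IP` and `O_FORWARD_IP6` rules are accepted on every kernel that has ipfw, and no hunk in this commit adds the sysctl the log message mentions, so as far as the diff shows the feature is always on rather than switchable. That changes the default for existing systems: a ruleset containing `fwd` that used to be rejected at load time will now take effect. The caveat deleted from sys/conf/NOTES (redirections also apply to locally generated packets) is no longer stated anywhere in the visible changes. I would carry it into ipfw.8 where the `IPFIREWALL_FORWARD` paragraph was removed, and either correct the log message or add the runtime switch. The blank line that separated the `O_FORWARD_IP` case from `#ifdef INET6` was also dropped.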