Author: ae
Date: Tue Nov 27 01:59:51 2012
New Revision: 243586
URL: http://svnweb.freebsd.org/changeset/base/243586

Log:
  MFC r242079:
    Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn
    on the related functionality at runtime via the sysctl variable
    net.pfil.forward. It is turned off by default.
  
  MFC r242082:
    Note the removal of the IPFIREWALL_FORWARD kernel option.
  
  MFC r242463:
    Remove the recently added sysctl variable net.pfil.forward.
    Instead, add protocol specific mbuf flags M_IP_NEXTHOP and
    M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain
    contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup
    only when this flag is set.

Modified:
  stable/9/UPDATING   (contents, props changed)
  stable/9/sbin/ipfw/ipfw.8
  stable/9/share/man/man4/ipfirewall.4
  stable/9/sys/conf/NOTES
  stable/9/sys/conf/options
  stable/9/sys/netinet/ip_fastfwd.c
  stable/9/sys/netinet/ip_input.c
  stable/9/sys/netinet/ip_output.c
  stable/9/sys/netinet/ip_var.h
  stable/9/sys/netinet/tcp_input.c
  stable/9/sys/netinet/udp_usrreq.c
  stable/9/sys/netinet6/ip6_forward.c
  stable/9/sys/netinet6/ip6_input.c
  stable/9/sys/netinet6/ip6_output.c
  stable/9/sys/netinet6/ip6_var.h
  stable/9/sys/netinet6/udp6_usrreq.c
  stable/9/sys/netpfil/ipfw/ip_fw2.c
  stable/9/sys/netpfil/ipfw/ip_fw_pfil.c
  stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c
Directory Properties:
  stable/9/sbin/ipfw/   (props changed)
  stable/9/share/man/man4/   (props changed)
  stable/9/sys/   (props changed)
  stable/9/sys/conf/   (props changed)

Modified: stable/9/UPDATING
==============================================================================
--- stable/9/UPDATING   Tue Nov 27 01:35:29 2012        (r243585)
+++ stable/9/UPDATING   Tue Nov 27 01:59:51 2012        (r243586)
@@ -10,6 +10,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
 
+20121102:
+       The IPFIREWALL_FORWARD kernel option has been removed. Its
+       functionality now turned on by default.
+
 20120913:
        The random(4) support for the VIA hardware random number
        generator (`PADLOCK') is no longer enabled unconditionally.

Modified: stable/9/sbin/ipfw/ipfw.8
==============================================================================
--- stable/9/sbin/ipfw/ipfw.8   Tue Nov 27 01:35:29 2012        (r243585)
+++ stable/9/sbin/ipfw/ipfw.8   Tue Nov 27 01:59:51 2012        (r243586)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 3, 2012
+.Dd October 25, 2012
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -764,11 +764,6 @@ This makes the
 .Xr netstat 1
 entry look rather weird but is intended for
 use with transparent proxy servers.
-.Pp
-To enable
-.Cm fwd
-a custom kernel needs to be compiled with the option
-.Cd "options IPFIREWALL_FORWARD" .
 .It Cm nat Ar nat_nr | tablearg
 Pass packet to a
 nat instance

Modified: stable/9/share/man/man4/ipfirewall.4
==============================================================================
--- stable/9/share/man/man4/ipfirewall.4        Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/share/man/man4/ipfirewall.4        Tue Nov 27 01:59:51 2012        
(r243586)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 1, 2006
+.Dd October 25, 2012
 .Dt IPFW 4
 .Os
 .Sh NAME
@@ -21,7 +21,6 @@ Other kernel options related to
 which may also be useful are:
 .Bd -ragged -offset indent
 .Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
-.Cd "options IPFIREWALL_FORWARD"
 .Cd "options IPFIREWALL_VERBOSE"
 .Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
 .Ed
@@ -72,12 +71,6 @@ from flooding system logs or causing loc
 This option may be set to the number of packets which will be logged on
 a per-entry basis before the entry is rate-limited.
 .Pp
-Policy routing and transparent forwarding features of
-.Nm
-can be enabled by
-.Dv IPFIREWALL_FORWARD
-kernel option.
-.Pp
 The user interface for
 .Nm
 is implemented by the

Modified: stable/9/sys/conf/NOTES
==============================================================================
--- stable/9/sys/conf/NOTES     Tue Nov 27 01:35:29 2012        (r243585)
+++ stable/9/sys/conf/NOTES     Tue Nov 27 01:59:51 2012        (r243586)
@@ -903,12 +903,6 @@ device             lagg
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''.  It
 # depends on IPFIREWALL if compiled into the kernel.
 #
-# IPFIREWALL_FORWARD enables changing of the packet destination either
-# to do some sort of policy routing or transparent proxying.  Used by
-# ``ipfw forward''. All  redirections apply to locally generated
-# packets too.  Because of this great care is required when
-# crafting the ruleset.
-#
 # IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
 # LIBALIAS.
 #
@@ -925,7 +919,6 @@ options     IPFIREWALL              #firewall
 options        IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
 options        IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
 options        IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
-options        IPFIREWALL_FORWARD      #packet destination changes
 options        IPFIREWALL_NAT          #ipfw kernel nat support
 options        IPDIVERT                #divert sockets
 options        IPFILTER                #ipfilter support

Modified: stable/9/sys/conf/options
==============================================================================
--- stable/9/sys/conf/options   Tue Nov 27 01:35:29 2012        (r243585)
+++ stable/9/sys/conf/options   Tue Nov 27 01:59:51 2012        (r243586)
@@ -405,7 +405,7 @@ IPFILTER_LOG                opt_ipfilter.h
 IPFILTER_LOOKUP                opt_ipfilter.h
 IPFIREWALL             opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT   opt_ipfw.h
-IPFIREWALL_FORWARD     opt_ipfw.h
+IPFIREWALL_FORWARD
 IPFIREWALL_NAT         opt_ipfw.h
 IPFIREWALL_VERBOSE     opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT       opt_ipfw.h

Modified: stable/9/sys/netinet/ip_fastfwd.c
==============================================================================
--- stable/9/sys/netinet/ip_fastfwd.c   Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet/ip_fastfwd.c   Tue Nov 27 01:59:51 2012        
(r243586)
@@ -167,9 +167,7 @@ ip_fastforward(struct mbuf *m)
        u_short sum, ip_len;
        int error = 0;
        int hlen, mtu;
-#ifdef IPFIREWALL_FORWARD
-       struct m_tag *fwd_tag;
-#endif
+       struct m_tag *fwd_tag = NULL;
 
        /*
         * Are we active and forwarding packets?
@@ -378,14 +376,13 @@ ip_fastforward(struct mbuf *m)
                 * Go on with new destination address
                 */
        }
-#ifdef IPFIREWALL_FORWARD
+
        if (m->m_flags & M_FASTFWD_OURS) {
                /*
                 * ipfw changed it for a local address on this host.
                 */
                goto forwardlocal;
        }
-#endif /* IPFIREWALL_FORWARD */
 
 passin:
        /*
@@ -455,20 +452,13 @@ passin:
        /*
         * Destination address changed?
         */
-#ifndef IPFIREWALL_FORWARD
-       if (odest.s_addr != dest.s_addr) {
-#else
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
+       if (m->m_flags & M_IP_NEXTHOP)
+               fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
        if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
-#endif /* IPFIREWALL_FORWARD */
                /*
                 * Is it now for a local address on this host?
                 */
-#ifndef IPFIREWALL_FORWARD
-               if (in_localip(dest)) {
-#else
                if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) {
-#endif /* IPFIREWALL_FORWARD */
 forwardlocal:
                        /*
                         * Return packet for processing by ip_input().
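Review bot: When M_IP_NEXTHOP is set but m_tag_find() returns NULL, fwd_tag stays NULL and the flag is left on the mbuf, because the `m->m_flags &= ~M_IP_NEXTHOP` in the following hunk runs only after a tag was actually found and deleted. The commit log defines the flag as "the chain contains the PACKET_TAG_IPFORWARD tag", so a miss should reset it rather than leave every later consumer (ip_input, tcp_input, udp_input) repeating a lookup the flag no longer justifies: `if ((m->m_flags & M_IP_NEXTHOP) && (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) == NULL)` followed by `m->m_flags &= ~M_IP_NEXTHOP;` in place of the bare assignment. The same shape appears in tcp_input.c's findpcb hunk and, through the `&&` form, in ip_output.c, udp_usrreq.c and the netinet6 counterparts. ip_fastforward's body continues outside the hunk.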
@@ -483,13 +473,12 @@ forwardlocal:
                /*
                 * Redo route lookup with new destination address
                 */
-#ifdef IPFIREWALL_FORWARD
                if (fwd_tag) {
                        dest.s_addr = ((struct sockaddr_in *)
                                    (fwd_tag + 1))->sin_addr.s_addr;
                        m_tag_delete(m, fwd_tag);
+                       m->m_flags &= ~M_IP_NEXTHOP;
                }
-#endif /* IPFIREWALL_FORWARD */
                RTFREE(ro.ro_rt);
                if ((dst = ip_findroute(&ro, dest, m)) == NULL)
                        return NULL;    /* icmp unreach already sent */

Modified: stable/9/sys/netinet/ip_input.c
==============================================================================
--- stable/9/sys/netinet/ip_input.c     Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet/ip_input.c     Tue Nov 27 01:59:51 2012        
(r243586)
@@ -516,22 +516,22 @@ tooshort:
        dchg = (odst.s_addr != ip->ip_dst.s_addr);
        ifp = m->m_pkthdr.rcvif;
 
-#ifdef IPFIREWALL_FORWARD
        if (m->m_flags & M_FASTFWD_OURS) {
                m->m_flags &= ~M_FASTFWD_OURS;
                goto ours;
        }
-       if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
-               /*
-                * Directly ship the packet on.  This allows forwarding
-                * packets originally destined to us to some other directly
-                * connected host.
-                */
-               ip_forward(m, dchg);
-               return;
+       if (m->m_flags & M_IP_NEXTHOP) {
+               dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+               if (dchg != 0) {
+                       /*
+                        * Directly ship the packet on.  This allows
+                        * forwarding packets originally destined to us
+                        * to some other directly connected host.
+                        */
+                       ip_forward(m, 1);
+                       return;
+               }
        }
-#endif /* IPFIREWALL_FORWARD */
-
 passin:
        /*
         * Process options and, if not destined for us,
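Review bot: The assignment `dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);` inside the new M_IP_NEXTHOP block overwrites the value computed from odst just above the block whenever the flag is set but no tag is found, and dchg appears to still be used for the later ip_forward() call in the not-ours path (outside this hunk). Since the branch already calls `ip_forward(m, 1)`, dchg does not need to be touched at all: `if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {` in place of the two lines `dchg = (...);` and `if (dchg != 0) {`. That keeps the earlier dchg intact when the flag is stale. ip_input's body continues outside the hunk.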

Modified: stable/9/sys/netinet/ip_output.c
==============================================================================
--- stable/9/sys/netinet/ip_output.c    Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet/ip_output.c    Tue Nov 27 01:59:51 2012        
(r243586)
@@ -129,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *o
        struct route iproute;
        struct rtentry *rte;    /* cache for ro->ro_rt */
        struct in_addr odst;
-#ifdef IPFIREWALL_FORWARD
        struct m_tag *fwd_tag = NULL;
-#endif
 #ifdef IPSEC
        int no_route_but_check_spd = 0;
 #endif
@@ -216,11 +214,7 @@ again:
                ro->ro_lle = NULL;
                rte = NULL;
        }
-#ifdef IPFIREWALL_FORWARD
        if (rte == NULL && fwd_tag == NULL) {
-#else
-       if (rte == NULL) {
-#endif
                bzero(dst, sizeof(*dst));
                dst->sin_family = AF_INET;
                dst->sin_len = sizeof(*dst);
@@ -541,7 +535,6 @@ sendit:
                }
        }
 
-#ifdef IPFIREWALL_FORWARD
        /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
        if (m->m_flags & M_FASTFWD_OURS) {
                if (m->m_pkthdr.rcvif == NULL)
@@ -562,17 +555,17 @@ sendit:
                goto done;
        }
        /* Or forward to some other address? */
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-       if (fwd_tag) {
+       if ((m->m_flags & M_IP_NEXTHOP) &&
+           (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
                dst = (struct sockaddr_in *)&ro->ro_dst;
                bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
                m->m_flags |= M_SKIP_FIREWALL;
+               m->m_flags &= ~M_IP_NEXTHOP;
                m_tag_delete(m, fwd_tag);
                if (ia != NULL)
                        ifa_free(&ia->ia_ifa);
                goto again;
        }
-#endif /* IPFIREWALL_FORWARD */
 
 passout:
        /* 127/8 must not appear on wire - RFC1122. */
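Review bot: After `m_tag_delete(m, fwd_tag)` the local fwd_tag still holds the freed tag's address and the code jumps to `again`, where the earlier hunk tests `rte == NULL && fwd_tag == NULL` to decide whether to refill dst from ip_dst; the second pass therefore seems to rely on fwd_tag being a non-NULL dangling pointer, which neither the old nor the new code says. A comment at the `goto again`, such as `/* fwd_tag now dangles; at 'again' it is only compared with NULL so the dst copied from the tag is kept */`, would make that contract explicit, or the pointer could be replaced by a separate flag variable for the second pass. ip6_forward.c and ip6_output.c jump back to `again2`/`again` the same way and may depend on the same thing, but those labels' surroundings are outside the hunks. ip_output's body continues outside the hunk.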

Modified: stable/9/sys/netinet/ip_var.h
==============================================================================
--- stable/9/sys/netinet/ip_var.h       Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet/ip_var.h       Tue Nov 27 01:59:51 2012        
(r243586)
@@ -162,6 +162,7 @@ void        kmod_ipstat_dec(int statnum);
  * mbuf flag used by ip_fastfwd
  */
 #define        M_FASTFWD_OURS          M_PROTO1        /* changed dst to local 
*/
+#define        M_IP_NEXTHOP            M_PROTO2        /* explicit ip nexthop 
*/
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP_HDR_ALIGNED_P(ip)   1
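Review bot: M_IP_NEXTHOP is defined as M_PROTO2 here and M_IP6_NEXTHOP is defined as the same M_PROTO2 in the ip6_var.h hunk, so the two names are one bit; tcp_input.c's findpcb hunk relies on that by testing only M_IP_NEXTHOP for the `isipv6` case although ip_fw_pfil.c sets M_IP6_NEXTHOP for IPv6 next hops. The equivalence is relied on but stated nowhere; the comment should say so, e.g. `/* explicit ip nexthop (same bit as M_IP6_NEXTHOP) */` here and the mirror text in ip6_var.h, plus a one-line comment at the tcp_input.c test. It also documents that the bit must not be given another M_PROTO2 meaning on an mbuf while the forward tag is attached.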

Modified: stable/9/sys/netinet/tcp_input.c
==============================================================================
--- stable/9/sys/netinet/tcp_input.c    Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet/tcp_input.c    Tue Nov 27 01:59:51 2012        
(r243586)
@@ -575,9 +575,7 @@ tcp_input(struct mbuf *m, int off0)
        uint8_t sig_checked = 0;
 #endif
        uint8_t iptos = 0;
-#ifdef IPFIREWALL_FORWARD
-       struct m_tag *fwd_tag;
-#endif
+       struct m_tag *fwd_tag = NULL;
 #ifdef INET6
        struct ip6_hdr *ip6 = NULL;
        int isipv6;
@@ -791,15 +789,13 @@ findpcb:
        }
 #endif
 
-#ifdef IPFIREWALL_FORWARD
        /*
         * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
         */
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-#endif /* IPFIREWALL_FORWARD */
+       if (m->m_flags & M_IP_NEXTHOP)
+               fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 
 #ifdef INET6
-#ifdef IPFIREWALL_FORWARD
        if (isipv6 && fwd_tag != NULL) {
                struct sockaddr_in6 *next_hop6;
 
@@ -825,9 +821,8 @@ findpcb:
                }
                /* Remove the tag from the packet.  We don't need it anymore. */
                m_tag_delete(m, fwd_tag);
-       } else
-#endif /* IPFIREWALL_FORWARD */
-       if (isipv6) {
+               m->m_flags &= ~M_IP_NEXTHOP;
+       } else if (isipv6) {
                inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
                    th->th_sport, &ip6->ip6_dst, th->th_dport,
                    INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB,
@@ -838,7 +833,6 @@ findpcb:
        else
 #endif
 #ifdef INET
-#ifdef IPFIREWALL_FORWARD
        if (fwd_tag != NULL) {
                struct sockaddr_in *next_hop;
 
@@ -864,8 +858,8 @@ findpcb:
                }
                /* Remove the tag from the packet.  We don't need it anymore. */
                m_tag_delete(m, fwd_tag);
+               m->m_flags &= ~M_IP_NEXTHOP;
        } else
-#endif /* IPFIREWALL_FORWARD */
                inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
                    th->th_sport, ip->ip_dst, th->th_dport,
                    INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB,

Modified: stable/9/sys/netinet/udp_usrreq.c
==============================================================================
--- stable/9/sys/netinet/udp_usrreq.c   Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet/udp_usrreq.c   Tue Nov 27 01:59:51 2012        
(r243586)
@@ -341,9 +341,7 @@ udp_input(struct mbuf *m, int off)
        int len;
        struct ip save_ip;
        struct sockaddr_in udp_in;
-#ifdef IPFIREWALL_FORWARD
        struct m_tag *fwd_tag;
-#endif
 
        ifp = m->m_pkthdr.rcvif;
        UDPSTAT_INC(udps_ipackets);
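Review bot: `struct m_tag *fwd_tag;` is left uninitialized here, while the corresponding declarations in ip_fastfwd.c and tcp_input.c are changed to `= NULL` in this same commit. With the new `(m->m_flags & M_IP_NEXTHOP) && (fwd_tag = ...)` form the assignment is skipped whenever the flag is clear, so any read of fwd_tag outside that branch would see an indeterminate value; whether such a read exists is not visible in the hunk. Initializing it as `struct m_tag *fwd_tag = NULL;` costs nothing and matches the other files; the same applies to ip6_forward.c, ip6_output.c and udp6_usrreq.c. udp_input's body continues outside the hunk.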
@@ -546,12 +544,12 @@ udp_input(struct mbuf *m, int off)
        /*
         * Locate pcb for datagram.
         */
-#ifdef IPFIREWALL_FORWARD
+
        /*
         * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
         */
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-       if (fwd_tag != NULL) {
+       if ((m->m_flags & M_IP_NEXTHOP) &&
+           (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
                struct sockaddr_in *next_hop;
 
                next_hop = (struct sockaddr_in *)(fwd_tag + 1);
@@ -576,8 +574,8 @@ udp_input(struct mbuf *m, int off)
                }
                /* Remove the tag from the packet. We don't need it anymore. */
                m_tag_delete(m, fwd_tag);
+               m->m_flags &= ~M_IP_NEXTHOP;
        } else
-#endif /* IPFIREWALL_FORWARD */
                inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport,
                    ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD |
                    INPLOOKUP_RLOCKPCB, ifp, m);

Modified: stable/9/sys/netinet6/ip6_forward.c
==============================================================================
--- stable/9/sys/netinet6/ip6_forward.c Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet6/ip6_forward.c Tue Nov 27 01:59:51 2012        
(r243586)
@@ -108,9 +108,7 @@ ip6_forward(struct mbuf *m, int srcrt)
 #ifdef SCTP
        int sw_csum;
 #endif
-#ifdef IPFIREWALL_FORWARD
        struct m_tag *fwd_tag;
-#endif
        char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
 
 #ifdef IPSEC
@@ -359,9 +357,7 @@ again:
        dst->sin6_len = sizeof(struct sockaddr_in6);
        dst->sin6_family = AF_INET6;
        dst->sin6_addr = ip6->ip6_dst;
-#ifdef IPFIREWALL_FORWARD
 again2:
-#endif
        rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
        if (rin6.ro_rt != NULL)
                RT_UNLOCK(rin6.ro_rt);
@@ -596,7 +592,6 @@ skip_routing:
                        goto again;     /* Redo the routing table lookup. */
        }
 
-#ifdef IPFIREWALL_FORWARD
        /* See if local, if yes, send it to netisr. */
        if (m->m_flags & M_FASTFWD_OURS) {
                if (m->m_pkthdr.rcvif == NULL)
@@ -614,15 +609,15 @@ skip_routing:
                goto out;
        }
        /* Or forward to some other address? */
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-       if (fwd_tag) {
+       if ((m->m_flags & M_IP6_NEXTHOP) &&
+           (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
                dst = (struct sockaddr_in6 *)&rin6.ro_dst;
                bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
                m->m_flags |= M_SKIP_FIREWALL;
+               m->m_flags &= ~M_IP6_NEXTHOP;
                m_tag_delete(m, fwd_tag);
                goto again2;
        }
-#endif /* IPFIREWALL_FORWARD */
 
 pass:
        error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);

Modified: stable/9/sys/netinet6/ip6_input.c
==============================================================================
--- stable/9/sys/netinet6/ip6_input.c   Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet6/ip6_input.c   Tue Nov 27 01:59:51 2012        
(r243586)
@@ -626,14 +626,14 @@ ip6_input(struct mbuf *m)
        ip6 = mtod(m, struct ip6_hdr *);
        srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
 
-#ifdef IPFIREWALL_FORWARD
        if (m->m_flags & M_FASTFWD_OURS) {
                m->m_flags &= ~M_FASTFWD_OURS;
                ours = 1;
                deliverifp = m->m_pkthdr.rcvif;
                goto hbhcheck;
        }
-       if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
+       if ((m->m_flags & M_IP6_NEXTHOP) &&
+           m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
                /*
                 * Directly ship the packet on.  This allows forwarding
                 * packets originally destined to us to some other directly
@@ -642,7 +642,6 @@ ip6_input(struct mbuf *m)
                ip6_forward(m, 1);
                goto out;
        }
-#endif /* IPFIREWALL_FORWARD */
 
 passin:
        /*

Modified: stable/9/sys/netinet6/ip6_output.c
==============================================================================
--- stable/9/sys/netinet6/ip6_output.c  Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet6/ip6_output.c  Tue Nov 27 01:59:51 2012        
(r243586)
@@ -257,9 +257,7 @@ ip6_output(struct mbuf *m0, struct ip6_p
        int segleft_org = 0;
        struct secpolicy *sp = NULL;
 #endif /* IPSEC */
-#ifdef IPFIREWALL_FORWARD
        struct m_tag *fwd_tag;
-#endif
 
        ip6 = mtod(m, struct ip6_hdr *);
        if (ip6 == NULL) {
@@ -915,7 +913,6 @@ again:
                        goto again;     /* Redo the routing table lookup. */
        }
 
-#ifdef IPFIREWALL_FORWARD
        /* See if local, if yes, send it to netisr. */
        if (m->m_flags & M_FASTFWD_OURS) {
                if (m->m_pkthdr.rcvif == NULL)
@@ -933,15 +930,15 @@ again:
                goto done;
        }
        /* Or forward to some other address? */
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-       if (fwd_tag) {
+       if ((m->m_flags & M_IP6_NEXTHOP) &&
+           (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
                dst = (struct sockaddr_in6 *)&ro->ro_dst;
                bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
                m->m_flags |= M_SKIP_FIREWALL;
+               m->m_flags &= ~M_IP6_NEXTHOP;
                m_tag_delete(m, fwd_tag);
                goto again;
        }
-#endif /* IPFIREWALL_FORWARD */
 
 passout:
        /*

Modified: stable/9/sys/netinet6/ip6_var.h
==============================================================================
--- stable/9/sys/netinet6/ip6_var.h     Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet6/ip6_var.h     Tue Nov 27 01:59:51 2012        
(r243586)
@@ -285,6 +285,8 @@ struct ip6aux {
 #define        IPV6_FORWARDING         0x02    /* most of IPv6 header exists */
 #define        IPV6_MINMTU             0x04    /* use minimum MTU 
(IPV6_USE_MIN_MTU) */
 
+#define        M_IP6_NEXTHOP           M_PROTO2        /* explicit ip nexthop 
*/
+
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip)  1
 #else

Modified: stable/9/sys/netinet6/udp6_usrreq.c
==============================================================================
--- stable/9/sys/netinet6/udp6_usrreq.c Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netinet6/udp6_usrreq.c Tue Nov 27 01:59:51 2012        
(r243586)
@@ -182,9 +182,7 @@ udp6_input(struct mbuf **mp, int *offp, 
        int off = *offp;
        int plen, ulen;
        struct sockaddr_in6 fromsa;
-#ifdef IPFIREWALL_FORWARD
        struct m_tag *fwd_tag;
-#endif
        uint16_t uh_sum;
 
        ifp = m->m_pkthdr.rcvif;
@@ -393,12 +391,12 @@ udp6_input(struct mbuf **mp, int *offp, 
        /*
         * Locate pcb for datagram.
         */
-#ifdef IPFIREWALL_FORWARD
+
        /*
         * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
         */
-       fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-       if (fwd_tag != NULL) {
+       if ((m->m_flags & M_IP6_NEXTHOP) &&
+           (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
                struct sockaddr_in6 *next_hop6;
 
                next_hop6 = (struct sockaddr_in6 *)(fwd_tag + 1);
@@ -424,8 +422,8 @@ udp6_input(struct mbuf **mp, int *offp, 
                }
                /* Remove the tag from the packet. We don't need it anymore. */
                m_tag_delete(m, fwd_tag);
+               m->m_flags &= ~M_IP6_NEXTHOP;
        } else
-#endif /* IPFIREWALL_FORWARD */
                inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src,
                    uh->uh_sport, &ip6->ip6_dst, uh->uh_dport,
                    INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB,

Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- stable/9/sys/netpfil/ipfw/ip_fw2.c  Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netpfil/ipfw/ip_fw2.c  Tue Nov 27 01:59:51 2012        
(r243586)
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
 #include <net/if.h>
 #include <net/route.h>
 #include <net/pf_mtag.h>
+#include <net/pfil.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
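Review bot: `#include <net/pfil.h>` is added, but nothing in the visible hunks of ip_fw2.c uses a pfil symbol; it reads like a leftover of r242079's net.pfil.forward sysctl, which r242463 (also merged here) removed again. If ip_fw2.c does not reference pfil outside these hunks the include should be dropped, otherwise a short comment naming what it is needed for would keep the next reader from asking the same question.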
@@ -2532,12 +2533,6 @@ ipfw_init(void)
                "(+ipv6) "
 #endif
                "initialized, divert %s, nat %s, "
-               "rule-based forwarding "
-#ifdef IPFIREWALL_FORWARD
-               "enabled, "
-#else
-               "disabled, "
-#endif
                "default to %s, logging ",
 #ifdef IPDIVERT
                "enabled",

Modified: stable/9/sys/netpfil/ipfw/ip_fw_pfil.c
==============================================================================
--- stable/9/sys/netpfil/ipfw/ip_fw_pfil.c      Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netpfil/ipfw/ip_fw_pfil.c      Tue Nov 27 01:59:51 2012        
(r243586)
@@ -153,7 +153,7 @@ again:
                /* next_hop may be set by ipfw_chk */
                if (args.next_hop == NULL && args.next_hop6 == NULL)
                        break; /* pass */
-#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET))
+#if (!defined(INET6) && !defined(INET))
                ret = EACCES;
 #else
            {
@@ -193,6 +193,7 @@ again:
                        bcopy(args.next_hop6, (fwd_tag+1), len);
                        if (in6_localip(&args.next_hop6->sin6_addr))
                                (*m0)->m_flags |= M_FASTFWD_OURS;
+                       (*m0)->m_flags |= M_IP6_NEXTHOP;
                }
 #endif
 #ifdef INET
@@ -200,11 +201,12 @@ again:
                        bcopy(args.next_hop, (fwd_tag+1), len);
                        if (in_localip(args.next_hop->sin_addr))
                                (*m0)->m_flags |= M_FASTFWD_OURS;
+                       (*m0)->m_flags |= M_IP_NEXTHOP;
                }
 #endif
                m_tag_prepend(*m0, fwd_tag);
            }
-#endif /* IPFIREWALL_FORWARD */
+#endif /* INET || INET6 */
                break;
 
        case IP_FW_DENY:

Modified: stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c
==============================================================================
--- stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c   Tue Nov 27 01:35:29 2012        
(r243585)
+++ stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c   Tue Nov 27 01:59:51 2012        
(r243586)
@@ -710,23 +710,14 @@ check_ipfw_struct(struct ip_fw *rule, in
                        goto check_action;
 
                case O_FORWARD_IP:
-#ifdef IPFIREWALL_FORWARD
                        if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
                                goto bad_size;
                        goto check_action;
-#else
-                       return EINVAL;
-#endif
-
 #ifdef INET6
                case O_FORWARD_IP6:
-#ifdef IPFIREWALL_FORWARD
                        if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6))
                                goto bad_size;
                        goto check_action;
-#else
-                       return (EINVAL);
-#endif
 #endif /* INET6 */
 
                case O_DIVERT: