Hi, As documented in sysctl(2) net.inet.ip.forwarding can be 2.
netinet/ip_output.c:448 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) && Current input validation prevents this. # sysctl net.inet.ip.forwarding=2 sysctl: net.inet.ip.forwarding: Invalid argument Also change bool check to integer comparison consistently. ip6_forwarding misses the feature, but that is a different story. ok? bluhm
Index: netinet/ip_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.353
diff -u -p -r1.353 ip_input.c
--- netinet/ip_input.c 11 Jan 2021 13:28:53 -0000 1.353
+++ netinet/ip_input.c 15 Jan 2021 12:45:41 -0000
@@ -115,7 +115,7 @@ const struct sysctl_bounded_args ipctl_v
 #ifdef MROUTING
 { IPCTL_MRTPROTO, &ip_mrtproto, 1, 0 },
 #endif
- { IPCTL_FORWARDING, &ipforwarding, 0, 1 },
+ { IPCTL_FORWARDING, &ipforwarding, 0, 2 },
 { IPCTL_SENDREDIRECTS, &ipsendredirects, 0, 1 },
 { IPCTL_DEFTTL, &ip_defttl, 0, 255 },
 { IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 },
@@ -1251,7 +1251,7 @@ ip_dooptions(struct mbuf *m, struct ifne
 }
 }
 KERNEL_UNLOCK();
- if (forward && ipforwarding) {
+ if (forward && ipforwarding > 0) {
 ip_forward(m, ifp, NULL, 1);
 return (1);
 }
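Review bot: The new upper bound `2` in the `IPCTL_FORWARDING` entry of `ipctl_vars` is an unexplained magic number next to a column of 0/1 toggles. A comment on that line, for example `/* 0 = off, 1 = forward, 2 = forward only IPsec-processed packets, see sysctl(2) */`, would record why this range differs. Going by the ip_output.c condition quoted in the description, the mode-2 restriction is also gated on `ipsec_in_use`. It therefore looks as if a host set to 2 with no IPsec state would forward everything as in mode 1. That is worth confirming and documenting now that the bounds change makes the setting reachable.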
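Review bot: `ipforwarding > 0` in ip_dooptions() hands source-routed packets to ip_forward() in mode 2 exactly as in mode 1. The IPsec-only policy for these packets therefore appears to depend on the later check in ip_output(). A short comment above the test, e.g. `/* modes 1 and 2 both forward; the IPsec-only filter for mode 2 is applied in ip_output() */`, would make that dependency explicit. The description says the boolean tests are converted consistently, but this is the only site visible in the patch. Any remaining `if (ipforwarding)` tests elsewhere would be worth listing. ip_dooptions() starts and ends outside the hunk.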