Hi,
As documented in sysctl(2) net.inet.ip.forwarding can be 2.
netinet/ip_output.c:448
if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
Current input validation prevents this.
# sysctl net.inet.ip.forwarding=2
sysctl: net.inet.ip.forwarding: Invalid argument
Also change the boolean checks of ipforwarding to explicit integer comparisons, for consistency.
ip6_forwarding misses the feature, but that is a different story.
ok?
bluhm
Index: netinet/ip_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.353
diff -u -p -r1.353 ip_input.c
--- netinet/ip_input.c 11 Jan 2021 13:28:53 -0000 1.353
+++ netinet/ip_input.c 15 Jan 2021 12:45:41 -0000
@@ -115,7 +115,7 @@ const struct sysctl_bounded_args ipctl_v
#ifdef MROUTING
{ IPCTL_MRTPROTO, &ip_mrtproto, 1, 0 },
#endif
- { IPCTL_FORWARDING, &ipforwarding, 0, 1 },
+ { IPCTL_FORWARDING, &ipforwarding, 0, 2 },
{ IPCTL_SENDREDIRECTS, &ipsendredirects, 0, 1 },
{ IPCTL_DEFTTL, &ip_defttl, 0, 255 },
{ IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 },
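Review bot: The `IPCTL_FORWARDING` entry now accepts 0 to 2, but nothing at the table says what the three values mean, and 2 is a restriction mode rather than a stronger form of 1. Judging by the ip_output.c line quoted in the description, mode 2 is honoured only where code compares `ipforwarding == 2` together with `ipsec_in_use`. Any remaining truthiness test on the variable treats it as plain forwarding. I would add `/* 0 = off, 1 = forward, 2 = forward only IPsec-processed packets */` above the entry so later readers do not assume a boolean. The table starts and ends outside the hunk.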
@@ -1251,7 +1251,7 @@ ip_dooptions(struct mbuf *m, struct ifne
}
}
KERNEL_UNLOCK();
- if (forward && ipforwarding) {
+ if (forward && ipforwarding > 0) {
ip_forward(m, ifp, NULL, 1);
return (1);
}
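Review bot: With 2 now settable, the `forward && ipforwarding > 0` branch hands source-routed packets to `ip_forward()` in IPsec-only mode exactly as it does in mode 1. The restriction for these packets therefore appears to rest entirely on the `ipforwarding == 2` check in ip_output.c quoted in the description, which is not visible here. If that is the intent, a comment such as `/* ipforwarding == 2 (IPsec only) is enforced later in ip_output() */` above the condition would make the dependency explicit. ip_dooptions begins before the hunk and continues after it, so any earlier handling of mode 2 cannot be confirmed from these lines.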