From owner-svn-src-head@FreeBSD.ORG Thu Oct 25 09:39:15 2012
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BB41CE26; Thu, 25 Oct 2012 09:39:15 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A135E8FC0C; Thu, 25 Oct 2012 09:39:15 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q9P9dFde022989; Thu, 25 Oct 2012 09:39:15 GMT (envelope-from ae@svn.freebsd.org)
Received: (from ae@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q9P9dF0q022970; Thu, 25 Oct 2012 09:39:15 GMT (envelope-from ae@svn.freebsd.org)
Message-Id: <201210250939.q9P9dF0q022970@svn.freebsd.org>
From: "Andrey V. Elsukov"
Date: Thu, 25 Oct 2012 09:39:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r242079 - in head: sbin/ipfw share/man/man4 sys/conf sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
X-List-Received-Date: Thu, 25 Oct 2012 09:39:15 -0000

Author: ae
Date: Thu Oct 25 09:39:14 2012
New Revision: 242079

URL: http://svn.freebsd.org/changeset/base/242079

Log:
  Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on
  the related functionality at runtime via the sysctl variable
  net.pfil.forward. It is turned off by default.

  Sponsored by:	Yandex LLC
  Discussed with:	net@
  MFC after:	2 weeks

Modified:
  head/sbin/ipfw/ipfw.8
  head/share/man/man4/ipfirewall.4
  head/sys/conf/NOTES
  head/sys/conf/options
  head/sys/net/pfil.c
  head/sys/net/pfil.h
  head/sys/netinet/ip_fastfwd.c
  head/sys/netinet/ip_input.c
  head/sys/netinet/ip_output.c
  head/sys/netinet/tcp_input.c
  head/sys/netinet/udp_usrreq.c
  head/sys/netinet6/ip6_forward.c
  head/sys/netinet6/ip6_input.c
  head/sys/netinet6/ip6_output.c
  head/sys/netinet6/udp6_usrreq.c
  head/sys/netpfil/ipfw/ip_fw2.c
  head/sys/netpfil/ipfw/ip_fw_pfil.c
  head/sys/netpfil/ipfw/ip_fw_sockopt.c

Modified: head/sbin/ipfw/ipfw.8 ============================================================================== --- head/sbin/ipfw/ipfw.8 Thu Oct 25 09:05:21 2012 (r242078) +++ head/sbin/ipfw/ipfw.8 Thu Oct 25 09:39:14 2012 (r242079) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 16, 2012 +.Dd October 25, 2012 .Dt IPFW 8 .Os .Sh NAME
@@ -777,8 +777,11 @@ use with transparent proxy servers. .Pp To enable .Cm fwd -a custom kernel needs to be compiled with the option -.Cd "options IPFIREWALL_FORWARD" . +the +.Xr sysctl 8 +variable +.Va net.pfil.forward +should be set to 1. .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance Modified: head/share/man/man4/ipfirewall.4 ============================================================================== --- head/share/man/man4/ipfirewall.4 Thu Oct 25 09:05:21 2012 (r242078) +++ head/share/man/man4/ipfirewall.4 Thu Oct 25 09:39:14 2012 (r242079) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 1, 2006 +.Dd October 25, 2012 .Dt IPFW 4 .Os .Sh NAME @@ -20,7 +20,6 @@ Other related kernel options which may also be useful are: .Bd -ragged -offset indent .Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT" -.Cd "options IPFIREWALL_FORWARD" .Cd "options IPFIREWALL_VERBOSE" .Cd "options IPFIREWALL_VERBOSE_LIMIT=100" .Ed @@ -71,12 +70,6 @@ from flooding system logs or causing loc This option may be set to the number of packets which will be logged on a per-entry basis before the entry is rate-limited. .Pp -Policy routing and transparent forwarding features of -.Nm -can be enabled by -.Dv IPFIREWALL_FORWARD -kernel option. -.Pp The user interface for .Nm is implemented by the Modified: head/sys/conf/NOTES ============================================================================== --- head/sys/conf/NOTES Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/conf/NOTES Thu Oct 25 09:39:14 2012 (r242079) 
@@ -897,12 +897,6 @@ device lagg # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''. It # depends on IPFIREWALL if compiled into the kernel. # -# IPFIREWALL_FORWARD enables changing of the packet destination either -# to do some sort of policy routing or transparent proxying. Used by -# ``ipfw forward''. All redirections apply to locally generated -# packets too. Because of this great care is required when -# crafting the ruleset. -# # IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires # LIBALIAS. # @@ -923,7 +917,6 @@ options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default -options IPFIREWALL_FORWARD #packet destination changes options IPFIREWALL_NAT #ipfw kernel nat support options IPDIVERT #divert sockets options IPFILTER #ipfilter support Modified: head/sys/conf/options ============================================================================== --- head/sys/conf/options Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/conf/options Thu Oct 25 09:39:14 2012 (r242079) @@ -398,7 +398,6 @@ IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h -IPFIREWALL_FORWARD opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h Modified: head/sys/net/pfil.c ============================================================================== --- head/sys/net/pfil.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/net/pfil.c Thu Oct 25 09:39:14 2012 (r242079) @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include 
@@ -64,6 +65,11 @@ VNET_DEFINE(struct pfilheadhead, pfil_he VNET_DEFINE(struct rmlock, pfil_lock); #define V_pfil_lock VNET(pfil_lock) +VNET_DEFINE(int, pfilforward) = 0; +SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface"); +SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW, + &VNET_NAME(pfilforward), 0, + "Enable forwarding performed by packet filters"); /* * pfil_run_hooks() runs the specified packet filter hooks. */ Modified: head/sys/net/pfil.h ============================================================================== --- head/sys/net/pfil.h Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/net/pfil.h Thu Oct 25 09:39:14 2012 (r242079) @@ -38,11 +38,14 @@ #include #include #include +#include struct mbuf; struct ifnet; struct inpcb; +VNET_DECLARE(int, pfilforward); +#define V_pfilforward VNET(pfilforward) /* * The packet filter hooks are designed for anything to call them to * possibly intercept the packet. Modified: head/sys/netinet/ip_fastfwd.c ============================================================================== --- head/sys/netinet/ip_fastfwd.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet/ip_fastfwd.c Thu Oct 25 09:39:14 2012 (r242079) @@ -167,9 +167,7 @@ ip_fastforward(struct mbuf *m) uint16_t sum, ip_len, ip_off; int error = 0; int hlen, mtu; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; /* * Are we active and forwarding packets? @@ -372,14 +370,13 @@ ip_fastforward(struct mbuf *m) * Go on with new destination address */ } -#ifdef IPFIREWALL_FORWARD + if (m->m_flags & M_FASTFWD_OURS) { /* * ipfw changed it for a local address on this host. */ goto forwardlocal; } -#endif /* IPFIREWALL_FORWARD */ passin: /* 
@@ -449,20 +446,13 @@ passin: /* * Destination address changed? */ -#ifndef IPFIREWALL_FORWARD - if (odest.s_addr != dest.s_addr) { -#else - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); + if (V_pfilforward != 0) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (odest.s_addr != dest.s_addr || fwd_tag != NULL) { -#endif /* IPFIREWALL_FORWARD */ /* * Is it now for a local address on this host? */ -#ifndef IPFIREWALL_FORWARD - if (in_localip(dest)) { -#else if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) { -#endif /* IPFIREWALL_FORWARD */ forwardlocal: /* * Return packet for processing by ip_input(). @@ -475,13 +465,11 @@ forwardlocal: /* * Redo route lookup with new destination address */ -#ifdef IPFIREWALL_FORWARD if (fwd_tag) { dest.s_addr = ((struct sockaddr_in *) (fwd_tag + 1))->sin_addr.s_addr; m_tag_delete(m, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ RTFREE(ro.ro_rt); if ((dst = ip_findroute(&ro, dest, m)) == NULL) return NULL; /* icmp unreach already sent */ Modified: head/sys/netinet/ip_input.c ============================================================================== --- head/sys/netinet/ip_input.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet/ip_input.c Thu Oct 25 09:39:14 2012 (r242079) @@ -509,7 +509,9 @@ tooshort: dchg = (odst.s_addr != ip->ip_dst.s_addr); ifp = m->m_pkthdr.rcvif; -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passin; + if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; goto ours; @@ -523,7 +525,6 @@ tooshort: ip_forward(m, dchg); return; } -#endif /* IPFIREWALL_FORWARD */ passin: Modified: head/sys/netinet/ip_output.c ============================================================================== --- head/sys/netinet/ip_output.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet/ip_output.c Thu Oct 25 09:39:14 2012 (r242079) 
@@ -129,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *o struct route iproute; struct rtentry *rte; /* cache for ro->ro_rt */ struct in_addr odst; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; -#endif #ifdef IPSEC int no_route_but_check_spd = 0; #endif @@ -218,11 +216,7 @@ again: ro->ro_lle = NULL; rte = NULL; } -#ifdef IPFIREWALL_FORWARD if (rte == NULL && fwd_tag == NULL) { -#else - if (rte == NULL) { -#endif bzero(dst, sizeof(*dst)); dst->sin_family = AF_INET; dst->sin_len = sizeof(*dst); @@ -543,7 +537,9 @@ sendit: } } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passout; + /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -574,7 +570,6 @@ sendit: ifa_free(&ia->ia_ifa); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* 127/8 must not appear on wire - RFC1122. */ Modified: head/sys/netinet/tcp_input.c ============================================================================== --- head/sys/netinet/tcp_input.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet/tcp_input.c Thu Oct 25 09:39:14 2012 (r242079) @@ -75,6 +75,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -544,9 +545,7 @@ tcp_input(struct mbuf *m, int off0) uint8_t sig_checked = 0; #endif uint8_t iptos = 0; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; #ifdef INET6 struct ip6_hdr *ip6 = NULL; int isipv6; @@ -754,15 +753,13 @@ findpcb: } #endif -#ifdef IPFIREWALL_FORWARD /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); -#endif /* IPFIREWALL_FORWARD */ + if (V_pfilforward != 0) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); #ifdef INET6 -#ifdef IPFIREWALL_FORWARD if (isipv6 && fwd_tag != NULL) { struct sockaddr_in6 *next_hop6; 
@@ -788,9 +785,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); - } else -#endif /* IPFIREWALL_FORWARD */ - if (isipv6) { + } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, @@ -801,7 +796,6 @@ findpcb: else #endif #ifdef INET -#ifdef IPFIREWALL_FORWARD if (fwd_tag != NULL) { struct sockaddr_in *next_hop; @@ -828,7 +822,6 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, Modified: head/sys/netinet/udp_usrreq.c ============================================================================== --- head/sys/netinet/udp_usrreq.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet/udp_usrreq.c Thu Oct 25 09:39:14 2012 (r242079) @@ -65,6 +65,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -341,9 +342,7 @@ udp_input(struct mbuf *m, int off) uint16_t len, ip_len; struct ip save_ip; struct sockaddr_in udp_in; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ifp = m->m_pkthdr.rcvif; UDPSTAT_INC(udps_ipackets); @@ -546,12 +545,12 @@ udp_input(struct mbuf *m, int off) /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if (V_pfilforward != 0 && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in *next_hop; next_hop = (struct sockaddr_in *)(fwd_tag + 1); 
@@ -577,7 +576,6 @@ udp_input(struct mbuf *m, int off) /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport, ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, ifp, m); Modified: head/sys/netinet6/ip6_forward.c ============================================================================== --- head/sys/netinet6/ip6_forward.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet6/ip6_forward.c Thu Oct 25 09:39:14 2012 (r242079) @@ -108,9 +108,7 @@ ip6_forward(struct mbuf *m, int srcrt) #ifdef SCTP int sw_csum; #endif -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; #ifdef IPSEC @@ -359,9 +357,7 @@ again: dst->sin6_len = sizeof(struct sockaddr_in6); dst->sin6_family = AF_INET6; dst->sin6_addr = ip6->ip6_dst; -#ifdef IPFIREWALL_FORWARD again2: -#endif rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m)); if (rin6.ro_rt != NULL) RT_UNLOCK(rin6.ro_rt); @@ -596,7 +592,8 @@ skip_routing: goto again; /* Redo the routing table lookup. */ } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto pass; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -622,7 +619,6 @@ skip_routing: m_tag_delete(m, fwd_tag); goto again2; } -#endif /* IPFIREWALL_FORWARD */ pass: error = nd6_output(rt->rt_ifp, origifp, m, dst, rt); Modified: head/sys/netinet6/ip6_input.c ============================================================================== --- head/sys/netinet6/ip6_input.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet6/ip6_input.c Thu Oct 25 09:39:14 2012 (r242079) 
@@ -628,7 +628,8 @@ ip6_input(struct mbuf *m) ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passin; if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; ours = 1; @@ -644,7 +645,6 @@ ip6_input(struct mbuf *m) ip6_forward(m, 1); goto out; } -#endif /* IPFIREWALL_FORWARD */ passin: /* Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet6/ip6_output.c Thu Oct 25 09:39:14 2012 (r242079) @@ -257,9 +257,7 @@ ip6_output(struct mbuf *m0, struct ip6_p int segleft_org = 0; struct secpolicy *sp = NULL; #endif /* IPSEC */ -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ip6 = mtod(m, struct ip6_hdr *); if (ip6 == NULL) { @@ -915,7 +913,8 @@ again: goto again; /* Redo the routing table lookup. */ } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passout; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -941,7 +940,6 @@ again: m_tag_delete(m, fwd_tag); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* Modified: head/sys/netinet6/udp6_usrreq.c ============================================================================== --- head/sys/netinet6/udp6_usrreq.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netinet6/udp6_usrreq.c Thu Oct 25 09:39:14 2012 (r242079) @@ -92,6 +92,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -182,9 +183,7 @@ udp6_input(struct mbuf **mp, int *offp, int off = *offp; int plen, ulen; struct sockaddr_in6 fromsa; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif uint16_t uh_sum; ifp = m->m_pkthdr.rcvif; 
@@ -393,12 +392,12 @@ udp6_input(struct mbuf **mp, int *offp, /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if (V_pfilforward != 0 && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in6 *next_hop6; next_hop6 = (struct sockaddr_in6 *)(fwd_tag + 1); @@ -425,7 +424,6 @@ udp6_input(struct mbuf **mp, int *offp, /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src, uh->uh_sport, &ip6->ip6_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, Modified: head/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw2.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netpfil/ipfw/ip_fw2.c Thu Oct 25 09:39:14 2012 (r242079) @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include @@ -2534,12 +2535,7 @@ ipfw_init(void) "(+ipv6) " #endif "initialized, divert %s, nat %s, " - "rule-based forwarding " -#ifdef IPFIREWALL_FORWARD - "enabled, " -#else - "disabled, " -#endif + "rule-based forwarding turned %s, " "default to %s, logging ", #ifdef IPDIVERT "enabled", @@ -2551,6 +2547,7 @@ ipfw_init(void) #else "loadable", #endif + V_pfilforward ? "on": "off", default_to_accept ? "accept" : "deny"); /* Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_pfil.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netpfil/ipfw/ip_fw_pfil.c Thu Oct 25 09:39:14 2012 (r242079) 
@@ -159,7 +159,9 @@ again: /* next_hop may be set by ipfw_chk */ if (args.next_hop == NULL && args.next_hop6 == NULL) break; /* pass */ -#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET)) + if (V_pfilforward == 0) + break; +#if (!defined(INET6) && !defined(INET)) ret = EACCES; #else { @@ -210,7 +212,7 @@ again: #endif m_tag_prepend(*m0, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ +#endif /* INET || INET6 */ break; case IP_FW_DENY: Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Thu Oct 25 09:05:21 2012 (r242078) +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Thu Oct 25 09:39:14 2012 (r242079) @@ -708,23 +708,14 @@ check_ipfw_struct(struct ip_fw *rule, in goto check_action; case O_FORWARD_IP: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa)) goto bad_size; goto check_action; -#else - return EINVAL; -#endif - #ifdef INET6 case O_FORWARD_IP6: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6)) goto bad_size; goto check_action; -#else - return (EINVAL); -#endif #endif /* INET6 */ case O_DIVERT:
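Review bot: the caveat deleted from sys/conf/NOTES ("All redirections apply to locally generated packets too. Because of this great care is required when crafting the ruleset.") is not carried anywhere else in the change; the ipfw.8 hunk for `fwd` now only says the sysctl(8) variable `net.pfil.forward` "should be set to 1", and the ipfirewall.4 paragraph on policy routing is removed outright. Suggest moving that sentence into the ipfw.8 `fwd` description (or into the sysctl description string in pfil.c) so that an administrator flipping the knob still sees that locally generated traffic is subject to the redirection.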
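Review bot: typo in the pfil.c SYSCTL_NODE description, "Packer filter interface" should read "Packet filter interface". In the same hunk, `pfilforward` is registered only as a SYSCTL_VNET_INT and not as a loader tunable (TUNABLE_INT), so it cannot be enabled from loader.conf before ipfw initializes; if that is intended, a short comment saying the knob is runtime-only would help, otherwise consider adding the tunable.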
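Review bot: in ip_fastfwd.c only the `m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)` lookup is gated by `V_pfilforward != 0`; the two M_FASTFWD_OURS tests (`if (m->m_flags & M_FASTFWD_OURS) goto forwardlocal;` and `if (m->m_flags & M_FASTFWD_OURS || in_localip(dest))`) now run unconditionally. That is correct as written, since the flag is only set by ipfw and only when the sysctl is on, but it differs from ip_input.c and ip6_input.c where the same flag test sits behind the `if (V_pfilforward == 0) goto passin;` gate; a one-line comment stating that the flag checks are intentionally unconditional would save the next reader the same analysis.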
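Review bot: `V_pfilforward` is read twice on the packet path, once in the ip_fw_pfil.c hook when the PACKET_TAG_IPFORWARD tag (and M_FASTFWD_OURS flag) is attached and again at the new `if (V_pfilforward == 0) goto passin;` / `goto passout;` / `goto pass;` gates in ip_input.c, ip_output.c, ip6_input.c, ip6_output.c and ip6_forward.c. A sysctl write landing between the two reads leaves a tagged packet taking the untagged path, with the tag reclaimed only when the mbuf is freed; the outcome is benign (the packet is handled as if no fwd rule matched) but the race is not obvious from the code, so a comment at the sysctl definition noting that toggling the value mid-flight is tolerated would be worthwhile.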
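Review bot: in tcp_input.c `fwd_tag` is initialized to NULL while the udp_usrreq.c and udp6_usrreq.c hunks leave `struct m_tag *fwd_tag;` uninitialized; the UDP paths only read it inside the branch that assigns it, so there is no bug today, but initializing it to NULL in all four files keeps the pattern uniform and protects later edits that test `fwd_tag` outside that branch.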
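Review bot: the ipfw_init() banner in ip_fw2.c prints `V_pfilforward ? "on": "off"` at initialization time, and since the variable is not a tunable it will read "off" on every boot of a kernel with IPFIREWALL compiled in and then go stale once the administrator sets net.pfil.forward=1; either make the variable a tunable so the banner can be accurate, or print something like "runtime (net.pfil.forward)" instead of a value. Minor style point in the same line: `"on": "off"` lacks the space before the colon used in the adjacent `? "accept" : "deny"`.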
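Review bot: the new `if (V_pfilforward == 0) break;` in ip_fw_pfil.c passes a packet that matched a `fwd` rule unmodified when forwarding is disabled, whereas the `#if (!defined(INET6) && !defined(INET))` branch immediately below sets `ret = EACCES` for the same situation, and ip_fw_sockopt.c now accepts O_FORWARD_IP and O_FORWARD_IP6 rules unconditionally instead of returning EINVAL. Taken together, a ruleset written for transparent proxying loads without error on a host where the sysctl is still 0 and silently lets the traffic through. Suggest failing closed with `ret = EACCES` (consistent with the no-INET branch), or rejecting fwd rules at install time while `V_pfilforward` is 0, and stating in ipfw.8 which of the two behaviours applies.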