From owner-svn-src-stable@FreeBSD.ORG Tue Nov 27 01:59:52 2012
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2E9943E5; Tue, 27 Nov 2012 01:59:52 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 11C9C8FC13; Tue, 27 Nov 2012 01:59:52 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id qAR1xqkl041028; Tue, 27 Nov 2012 01:59:52 GMT (envelope-from ae@svn.freebsd.org)
Received: (from ae@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id qAR1xpsX041008; Tue, 27 Nov 2012 01:59:51 GMT (envelope-from ae@svn.freebsd.org)
Message-Id: <201211270159.qAR1xpsX041008@svn.freebsd.org>
From: "Andrey V. Elsukov"
Date: Tue, 27 Nov 2012 01:59:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r243586 - in stable/9: . sbin/ipfw share/man/man4 sys/conf sys/netinet sys/netinet6 sys/netpfil/ipfw
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
X-List-Received-Date: Tue, 27 Nov 2012 01:59:52 -0000

Author: ae
Date: Tue Nov 27 01:59:51 2012
New Revision: 243586

URL: http://svnweb.freebsd.org/changeset/base/243586

Log:
  MFC r242079:
    Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on
    the related functionality at runtime via the sysctl variable
    net.pfil.forward. It is turned off by default.

  MFC r242082:
    Note the removal of the IPFIREWALL_FORWARD kernel option.

  MFC r242463:
    Remove the recently added sysctl variable net.pfil.forward. Instead, add
    protocol-specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to
    indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And
    do a tag lookup only when this flag is set.
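The mechanism the log describes, a per-packet mbuf flag announcing that a PACKET_TAG_IPFORWARD tag is on the chain so that consumers walk the tag list only for packets ipfw actually redirected, as an added userland model in C. This is example code written for this page, not FreeBSD source: the names mirror the kernel's for readability, but the structures, the flag and tag values, and the two-argument m_tag_find()/m_tag_delete() are toys, the next-hop addresses are constructed, and clearing the flag on a missed lookup is this example's choice rather than what the commit does.

```c
#include <stdint.h>
#include <stdlib.h>
/* Toy values; the real ones are in sys/mbuf.h and netinet/ip_var.h. */
#define M_PROTO2             0x0020
#define M_IP_NEXTHOP         M_PROTO2   /* "explicit ip nexthop" */
#define PACKET_TAG_IPFORWARD 1

struct m_tag {
	struct m_tag *next;
	uint16_t type;
	uint32_t nexthop;   /* stands in for the sockaddr behind a real tag */
};
struct mbuf { unsigned flags; struct m_tag *tags; };
static unsigned tag_walks;   /* list walks done; shows what the flag saves */

static struct m_tag *
m_tag_find(struct mbuf *m, uint16_t type)
{
	struct m_tag *t;
	tag_walks++;
	for (t = m->tags; t != NULL; t = t->next)
		if (t->type == type)
			return (t);
	return (NULL);
}

static void
m_tag_delete(struct mbuf *m, struct m_tag *t)
{
	struct m_tag **pp;
	for (pp = &m->tags; *pp != t; pp = &(*pp)->next)
		;   /* t is known to be on this chain */
	*pp = t->next;
	free(t);
}

/* Producer (the ip_fw_pfil.c role): prepend the tag and raise the flag. */
static void
fwd_tag_attach(struct mbuf *m, uint32_t nexthop)
{
	struct m_tag *t = calloc(1, sizeof(*t));
	if (t == NULL)
		abort();
	t->type = PACKET_TAG_IPFORWARD;
	t->nexthop = nexthop;
	t->next = m->tags;
	m->tags = t;
	m->flags |= M_IP_NEXTHOP;   /* invariant: flag set <=> tag present */
}

/* Consumer (the ip_output()/tcp_input()/udp_input() role): walk the tag list
 * only when the flag says a forward tag should be there; returns 1 and fills
 * *nexthop if one was consumed. Unlike the committed code, the flag is also
 * cleared on a miss, so a stale flag costs one walk rather than one per hop. */
static int
fwd_tag_consume(struct mbuf *m, uint32_t *nexthop)
{
	struct m_tag *t;
	if ((m->flags & M_IP_NEXTHOP) == 0)
		return (0);
	t = m_tag_find(m, PACKET_TAG_IPFORWARD);
	m->flags &= ~M_IP_NEXTHOP;
	if (t == NULL)
		return (0);
	*nexthop = t->nexthop;
	m_tag_delete(m, t);
	return (1);
}

/* Packet never redirected: returns how many list walks the consumer did. */
static unsigned
scenario_untagged(void)
{
	struct mbuf m = { 0, NULL };
	uint32_t nh = 0;
	tag_walks = 0;
	return (fwd_tag_consume(&m, &nh) == 0 ? tag_walks : 99);
}

/* Redirected packet: returns the next hop, or 0 if tag or flag linger. */
static uint32_t
scenario_forwarded(void)
{
	struct mbuf m = { 0, NULL };
	uint32_t nh = 0;
	fwd_tag_attach(&m, 0x7f000001u);   /* constructed: 127.0.0.1 */
	if (fwd_tag_consume(&m, &nh) != 1 || m.tags != NULL ||
	    (m.flags & M_IP_NEXTHOP) != 0)
		return (0);
	return (nh);
}

/* Flag raised but the chain already freed (what m_tag_delete_chain() would
 * leave behind): 1 if nothing was forwarded and the stale flag is gone. */
static int
scenario_stale_flag(void)
{
	struct mbuf m = { 0, NULL };
	uint32_t nh = 0;
	fwd_tag_attach(&m, 0x0a000001u);   /* constructed: 10.0.0.1 */
	m_tag_delete(&m, m.tags);
	return (fwd_tag_consume(&m, &nh) == 0 && (m.flags & M_IP_NEXTHOP) == 0);
}
```

The point of the flag is the first scenario: an ordinary packet never touches the tag chain at all, which is what r242463 buys over an unconditional m_tag_find() on every packet. The third scenario is the price of keeping two copies of one fact (flag and tag); whoever drops the tag chain without touching m_flags leaves a flag that every consumer would otherwise re-check.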
Modified: stable/9/UPDATING (contents, props changed) stable/9/sbin/ipfw/ipfw.8 stable/9/share/man/man4/ipfirewall.4 stable/9/sys/conf/NOTES stable/9/sys/conf/options stable/9/sys/netinet/ip_fastfwd.c stable/9/sys/netinet/ip_input.c stable/9/sys/netinet/ip_output.c stable/9/sys/netinet/ip_var.h stable/9/sys/netinet/tcp_input.c stable/9/sys/netinet/udp_usrreq.c stable/9/sys/netinet6/ip6_forward.c stable/9/sys/netinet6/ip6_input.c stable/9/sys/netinet6/ip6_output.c stable/9/sys/netinet6/ip6_var.h stable/9/sys/netinet6/udp6_usrreq.c stable/9/sys/netpfil/ipfw/ip_fw2.c stable/9/sys/netpfil/ipfw/ip_fw_pfil.c stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c Directory Properties: stable/9/sbin/ipfw/ (props changed) stable/9/share/man/man4/ (props changed) stable/9/sys/ (props changed) stable/9/sys/conf/ (props changed) Modified: stable/9/UPDATING ============================================================================== --- stable/9/UPDATING Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/UPDATING Tue Nov 27 01:59:51 2012 (r243586) @@ -10,6 +10,10 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20121102: + The IPFIREWALL_FORWARD kernel option has been removed. Its + functionality now turned on by default. + 20120913: The random(4) support for the VIA hardware random number generator (`PADLOCK') is no longer enabled unconditionally. Modified: stable/9/sbin/ipfw/ipfw.8 ============================================================================== --- stable/9/sbin/ipfw/ipfw.8 Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sbin/ipfw/ipfw.8 Tue Nov 27 01:59:51 2012 (r243586) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 3, 2012 +.Dd October 25, 2012 .Dt IPFW 8 .Os .Sh NAME 
@@ -764,11 +764,6 @@ This makes the .Xr netstat 1 entry look rather weird but is intended for use with transparent proxy servers. -.Pp -To enable -.Cm fwd -a custom kernel needs to be compiled with the option -.Cd "options IPFIREWALL_FORWARD" . .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance Modified: stable/9/share/man/man4/ipfirewall.4 ============================================================================== --- stable/9/share/man/man4/ipfirewall.4 Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/share/man/man4/ipfirewall.4 Tue Nov 27 01:59:51 2012 (r243586) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 1, 2006 +.Dd October 25, 2012 .Dt IPFW 4 .Os .Sh NAME @@ -21,7 +21,6 @@ Other kernel options related to which may also be useful are: .Bd -ragged -offset indent .Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT" -.Cd "options IPFIREWALL_FORWARD" .Cd "options IPFIREWALL_VERBOSE" .Cd "options IPFIREWALL_VERBOSE_LIMIT=100" .Ed @@ -72,12 +71,6 @@ from flooding system logs or causing loc This option may be set to the number of packets which will be logged on a per-entry basis before the entry is rate-limited. .Pp -Policy routing and transparent forwarding features of -.Nm -can be enabled by -.Dv IPFIREWALL_FORWARD -kernel option. -.Pp The user interface for .Nm is implemented by the Modified: stable/9/sys/conf/NOTES ============================================================================== --- stable/9/sys/conf/NOTES Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/conf/NOTES Tue Nov 27 01:59:51 2012 (r243586) 
@@ -903,12 +903,6 @@ device lagg # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''. It # depends on IPFIREWALL if compiled into the kernel. # -# IPFIREWALL_FORWARD enables changing of the packet destination either -# to do some sort of policy routing or transparent proxying. Used by -# ``ipfw forward''. All redirections apply to locally generated -# packets too. Because of this great care is required when -# crafting the ruleset. -# # IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires # LIBALIAS. # @@ -925,7 +919,6 @@ options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default -options IPFIREWALL_FORWARD #packet destination changes options IPFIREWALL_NAT #ipfw kernel nat support options IPDIVERT #divert sockets options IPFILTER #ipfilter support Modified: stable/9/sys/conf/options ============================================================================== --- stable/9/sys/conf/options Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/conf/options Tue Nov 27 01:59:51 2012 (r243586) @@ -405,7 +405,7 @@ IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h -IPFIREWALL_FORWARD opt_ipfw.h +IPFIREWALL_FORWARD IPFIREWALL_NAT opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h Modified: stable/9/sys/netinet/ip_fastfwd.c ============================================================================== --- stable/9/sys/netinet/ip_fastfwd.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet/ip_fastfwd.c Tue Nov 27 01:59:51 2012 (r243586) @@ -167,9 +167,7 @@ ip_fastforward(struct mbuf *m) u_short sum, ip_len; int error = 0; int hlen, mtu; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; /* * Are we active and forwarding packets? 
@@ -378,14 +376,13 @@ ip_fastforward(struct mbuf *m) * Go on with new destination address */ } -#ifdef IPFIREWALL_FORWARD + if (m->m_flags & M_FASTFWD_OURS) { /* * ipfw changed it for a local address on this host. */ goto forwardlocal; } -#endif /* IPFIREWALL_FORWARD */ passin: /* @@ -455,20 +452,13 @@ passin: /* * Destination address changed? */ -#ifndef IPFIREWALL_FORWARD - if (odest.s_addr != dest.s_addr) { -#else - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); + if (m->m_flags & M_IP_NEXTHOP) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (odest.s_addr != dest.s_addr || fwd_tag != NULL) { -#endif /* IPFIREWALL_FORWARD */ /* * Is it now for a local address on this host? */ -#ifndef IPFIREWALL_FORWARD - if (in_localip(dest)) { -#else if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) { -#endif /* IPFIREWALL_FORWARD */ forwardlocal: /* * Return packet for processing by ip_input(). @@ -483,13 +473,12 @@ forwardlocal: /* * Redo route lookup with new destination address */ -#ifdef IPFIREWALL_FORWARD if (fwd_tag) { dest.s_addr = ((struct sockaddr_in *) (fwd_tag + 1))->sin_addr.s_addr; m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } -#endif /* IPFIREWALL_FORWARD */ RTFREE(ro.ro_rt); if ((dst = ip_findroute(&ro, dest, m)) == NULL) return NULL; /* icmp unreach already sent */ Modified: stable/9/sys/netinet/ip_input.c ============================================================================== --- stable/9/sys/netinet/ip_input.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet/ip_input.c Tue Nov 27 01:59:51 2012 (r243586) 
@@ -516,22 +516,22 @@ tooshort: dchg = (odst.s_addr != ip->ip_dst.s_addr); ifp = m->m_pkthdr.rcvif; -#ifdef IPFIREWALL_FORWARD if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; goto ours; } - if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { - /* - * Directly ship the packet on. This allows forwarding - * packets originally destined to us to some other directly - * connected host. - */ - ip_forward(m, dchg); - return; + if (m->m_flags & M_IP_NEXTHOP) { + dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); + if (dchg != 0) { + /* + * Directly ship the packet on. This allows + * forwarding packets originally destined to us + * to some other directly connected host. + */ + ip_forward(m, 1); + return; + } } -#endif /* IPFIREWALL_FORWARD */ - passin: /* * Process options and, if not destined for us, Modified: stable/9/sys/netinet/ip_output.c ============================================================================== --- stable/9/sys/netinet/ip_output.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet/ip_output.c Tue Nov 27 01:59:51 2012 (r243586) @@ -129,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *o struct route iproute; struct rtentry *rte; /* cache for ro->ro_rt */ struct in_addr odst; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; -#endif #ifdef IPSEC int no_route_but_check_spd = 0; #endif @@ -216,11 +214,7 @@ again: ro->ro_lle = NULL; rte = NULL; } -#ifdef IPFIREWALL_FORWARD if (rte == NULL && fwd_tag == NULL) { -#else - if (rte == NULL) { -#endif bzero(dst, sizeof(*dst)); dst->sin_family = AF_INET; dst->sin_len = sizeof(*dst); @@ -541,7 +535,6 @@ sendit: } } -#ifdef IPFIREWALL_FORWARD /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) 
@@ -562,17 +555,17 @@ sendit: goto done; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP_NEXTHOP; m_tag_delete(m, fwd_tag); if (ia != NULL) ifa_free(&ia->ia_ifa); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* 127/8 must not appear on wire - RFC1122. */ Modified: stable/9/sys/netinet/ip_var.h ============================================================================== --- stable/9/sys/netinet/ip_var.h Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet/ip_var.h Tue Nov 27 01:59:51 2012 (r243586) @@ -162,6 +162,7 @@ void kmod_ipstat_dec(int statnum); * mbuf flag used by ip_fastfwd */ #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */ +#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */ #ifdef __NO_STRICT_ALIGNMENT #define IP_HDR_ALIGNED_P(ip) 1 Modified: stable/9/sys/netinet/tcp_input.c ============================================================================== --- stable/9/sys/netinet/tcp_input.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet/tcp_input.c Tue Nov 27 01:59:51 2012 (r243586) @@ -575,9 +575,7 @@ tcp_input(struct mbuf *m, int off0) uint8_t sig_checked = 0; #endif uint8_t iptos = 0; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; #ifdef INET6 struct ip6_hdr *ip6 = NULL; int isipv6; 
@@ -791,15 +789,13 @@ findpcb: } #endif -#ifdef IPFIREWALL_FORWARD /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); -#endif /* IPFIREWALL_FORWARD */ + if (m->m_flags & M_IP_NEXTHOP) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); #ifdef INET6 -#ifdef IPFIREWALL_FORWARD if (isipv6 && fwd_tag != NULL) { struct sockaddr_in6 *next_hop6; @@ -825,9 +821,8 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); - } else -#endif /* IPFIREWALL_FORWARD */ - if (isipv6) { + m->m_flags &= ~M_IP_NEXTHOP; + } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, @@ -838,7 +833,6 @@ findpcb: else #endif #ifdef INET -#ifdef IPFIREWALL_FORWARD if (fwd_tag != NULL) { struct sockaddr_in *next_hop; @@ -864,8 +858,8 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, Modified: stable/9/sys/netinet/udp_usrreq.c ============================================================================== --- stable/9/sys/netinet/udp_usrreq.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet/udp_usrreq.c Tue Nov 27 01:59:51 2012 (r243586) @@ -341,9 +341,7 @@ udp_input(struct mbuf *m, int off) int len; struct ip save_ip; struct sockaddr_in udp_in; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ifp = m->m_pkthdr.rcvif; UDPSTAT_INC(udps_ipackets); 
@@ -546,12 +544,12 @@ udp_input(struct mbuf *m, int off) /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if ((m->m_flags & M_IP_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in *next_hop; next_hop = (struct sockaddr_in *)(fwd_tag + 1); @@ -576,8 +574,8 @@ udp_input(struct mbuf *m, int off) } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport, ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, ifp, m); Modified: stable/9/sys/netinet6/ip6_forward.c ============================================================================== --- stable/9/sys/netinet6/ip6_forward.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet6/ip6_forward.c Tue Nov 27 01:59:51 2012 (r243586) @@ -108,9 +108,7 @@ ip6_forward(struct mbuf *m, int srcrt) #ifdef SCTP int sw_csum; #endif -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; #ifdef IPSEC @@ -359,9 +357,7 @@ again: dst->sin6_len = sizeof(struct sockaddr_in6); dst->sin6_family = AF_INET6; dst->sin6_addr = ip6->ip6_dst; -#ifdef IPFIREWALL_FORWARD again2: -#endif rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m)); if (rin6.ro_rt != NULL) RT_UNLOCK(rin6.ro_rt); @@ -596,7 +592,6 @@ skip_routing: goto again; /* Redo the routing table lookup. */ } -#ifdef IPFIREWALL_FORWARD /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) 
@@ -614,15 +609,15 @@ skip_routing: goto out; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in6 *)&rin6.ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP6_NEXTHOP; m_tag_delete(m, fwd_tag); goto again2; } -#endif /* IPFIREWALL_FORWARD */ pass: error = nd6_output(rt->rt_ifp, origifp, m, dst, rt); Modified: stable/9/sys/netinet6/ip6_input.c ============================================================================== --- stable/9/sys/netinet6/ip6_input.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet6/ip6_input.c Tue Nov 27 01:59:51 2012 (r243586) @@ -626,14 +626,14 @@ ip6_input(struct mbuf *m) ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); -#ifdef IPFIREWALL_FORWARD if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; ours = 1; deliverifp = m->m_pkthdr.rcvif; goto hbhcheck; } - if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { + if ((m->m_flags & M_IP6_NEXTHOP) && + m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly @@ -642,7 +642,6 @@ ip6_input(struct mbuf *m) ip6_forward(m, 1); goto out; } -#endif /* IPFIREWALL_FORWARD */ passin: /* Modified: stable/9/sys/netinet6/ip6_output.c ============================================================================== --- stable/9/sys/netinet6/ip6_output.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet6/ip6_output.c Tue Nov 27 01:59:51 2012 (r243586) 
@@ -257,9 +257,7 @@ ip6_output(struct mbuf *m0, struct ip6_p int segleft_org = 0; struct secpolicy *sp = NULL; #endif /* IPSEC */ -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ip6 = mtod(m, struct ip6_hdr *); if (ip6 == NULL) { @@ -915,7 +913,6 @@ again: goto again; /* Redo the routing table lookup. */ } -#ifdef IPFIREWALL_FORWARD /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -933,15 +930,15 @@ again: goto done; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in6 *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP6_NEXTHOP; m_tag_delete(m, fwd_tag); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* Modified: stable/9/sys/netinet6/ip6_var.h ============================================================================== --- stable/9/sys/netinet6/ip6_var.h Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet6/ip6_var.h Tue Nov 27 01:59:51 2012 (r243586) @@ -285,6 +285,8 @@ struct ip6aux { #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */ #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */ +#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */ + #ifdef __NO_STRICT_ALIGNMENT #define IP6_HDR_ALIGNED_P(ip) 1 #else Modified: stable/9/sys/netinet6/udp6_usrreq.c ============================================================================== --- stable/9/sys/netinet6/udp6_usrreq.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netinet6/udp6_usrreq.c Tue Nov 27 01:59:51 2012 (r243586) 
@@ -182,9 +182,7 @@ udp6_input(struct mbuf **mp, int *offp, int off = *offp; int plen, ulen; struct sockaddr_in6 fromsa; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif uint16_t uh_sum; ifp = m->m_pkthdr.rcvif; @@ -393,12 +391,12 @@ udp6_input(struct mbuf **mp, int *offp, /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in6 *next_hop6; next_hop6 = (struct sockaddr_in6 *)(fwd_tag + 1); @@ -424,8 +422,8 @@ udp6_input(struct mbuf **mp, int *offp, } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP6_NEXTHOP; } else -#endif /* IPFIREWALL_FORWARD */ inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src, uh->uh_sport, &ip6->ip6_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw2.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netpfil/ipfw/ip_fw2.c Tue Nov 27 01:59:51 2012 (r243586) @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include @@ -2532,12 +2533,6 @@ ipfw_init(void) "(+ipv6) " #endif "initialized, divert %s, nat %s, " - "rule-based forwarding " -#ifdef IPFIREWALL_FORWARD - "enabled, " -#else - "disabled, " -#endif "default to %s, logging ", #ifdef IPDIVERT "enabled", Modified: stable/9/sys/netpfil/ipfw/ip_fw_pfil.c ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw_pfil.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netpfil/ipfw/ip_fw_pfil.c Tue Nov 27 01:59:51 2012 (r243586) 
@@ -153,7 +153,7 @@ again: /* next_hop may be set by ipfw_chk */ if (args.next_hop == NULL && args.next_hop6 == NULL) break; /* pass */ -#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET)) +#if (!defined(INET6) && !defined(INET)) ret = EACCES; #else { @@ -193,6 +193,7 @@ again: bcopy(args.next_hop6, (fwd_tag+1), len); if (in6_localip(&args.next_hop6->sin6_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; + (*m0)->m_flags |= M_IP6_NEXTHOP; } #endif #ifdef INET @@ -200,11 +201,12 @@ again: bcopy(args.next_hop, (fwd_tag+1), len); if (in_localip(args.next_hop->sin_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; + (*m0)->m_flags |= M_IP_NEXTHOP; } #endif m_tag_prepend(*m0, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ +#endif /* INET || INET6 */ break; case IP_FW_DENY: Modified: stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c Tue Nov 27 01:35:29 2012 (r243585) +++ stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c Tue Nov 27 01:59:51 2012 (r243586) @@ -710,23 +710,14 @@ check_ipfw_struct(struct ip_fw *rule, in goto check_action; case O_FORWARD_IP: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa)) goto bad_size; goto check_action; -#else - return EINVAL; -#endif - #ifdef INET6 case O_FORWARD_IP6: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6)) goto bad_size; goto check_action; -#else - return (EINVAL); -#endif #endif /* INET6 */ case O_DIVERT:
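Review bot: the new 20121102 entry in stable/9/UPDATING is missing a verb ("Its functionality now turned on by default") and says nothing about kernel configs that still carry `options IPFIREWALL_FORWARD`; since sys/conf/options keeps the option name without its header, such configs still build but the line is now a silent no-op, which is exactly what an UPDATING entry should say. Suggested wording: "The IPFIREWALL_FORWARD kernel option has been removed. The ipfw(8) fwd action is now always available; the option is still accepted by config(8) but has no effect."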
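Review bot: the paragraph deleted from the fwd description in sbin/ipfw/ipfw.8 (@@ -764,11 +764,6 @@) should be replaced rather than dropped, since the manual now says nothing about fwd needing, or no longer needing, kernel support. It is also the natural home for the warning that sys/conf/NOTES loses in this same commit: redirections apply to locally generated packets too, so a transparent-proxy ruleset needs care (for instance restricting fwd rules with `in` and an interface match) to avoid looping the host's own traffic back through the proxy.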
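Review bot: share/man/man4/ipfirewall.4 (@@ -72,12 +71,6 @@) deletes the only sentence that mentioned policy routing and transparent forwarding at all; rewrite it to say these features are now always built in and point at the fwd action in ipfw(8), instead of leaving the man page silent about a feature that just became unconditional.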
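Review bot: in sys/conf/options the IPFIREWALL_FORWARD line keeps the option name but drops opt_ipfw.h, so the symbol still configures while nothing tests it any more; that is a reasonable compatibility shim for existing kernel configs, but it deserves an inline comment saying it is intentionally a no-op. Without one, the next cleanup either deletes the line and breaks those configs or restores the header and resurrects a dead ifdef.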
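Review bot: in sys/netinet/ip_fastfwd.c (@@ -455,20 +452,13 @@) M_IP_NEXTHOP is cleared only inside `if (fwd_tag)`; when the flag is set but m_tag_find() returns NULL the flag stays on the mbuf and every later consumer (ip_input(), tcp_input(), udp_input(), ip_output()) repeats the failed walk the flag exists to avoid. Clear the flag right after a missed lookup as well, so "flag set" keeps meaning "tag present". Nit: the @@ -378,14 +376,13 @@ hunk leaves an empty `+` line where `#ifdef IPFIREWALL_FORWARD` used to be.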
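Review bot: in sys/netinet/ip_input.c the new `dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);` overwrites the `dchg = (odst.s_addr != ip->ip_dst.s_addr);` computed a few lines earlier, so when M_IP_NEXTHOP is set but the tag is gone the code falls through to `passin:` with dchg forced to 0 even though ipfw may have rewritten the destination. The tag result is only needed for the `ip_forward(m, 1)` call that returns immediately, so test the lookup directly (`if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {`) and leave dchg alone.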
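Review bot: in sys/netinet/ip_output.c (@@ -562,17 +555,17 @@) fwd_tag points at freed memory after `m_tag_delete(m, fwd_tag);` and is afterwards consulted only by the `if (rte == NULL && fwd_tag == NULL)` test reached through `goto again;`; now that this test is compiled unconditionally, either add a comment that only its NULL-ness is meaningful or replace it with a small `int fwd` local set in this block. Minor: the flag is cleared before the tag is deleted here but after it in tcp_input()/udp_input(); harmless, but one order is easier to grep for.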
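Review bot: sys/netinet/tcp_input.c gates the lookup on M_IP_NEXTHOP and clears M_IP_NEXTHOP after the IPv6 pcb lookup, while the IPv6 producer in ip_fw_pfil.c sets M_IP6_NEXTHOP and udp6_usrreq.c tests M_IP6_NEXTHOP. This works only because both macros expand to M_PROTO2; either test `(M_IP_NEXTHOP | M_IP6_NEXTHOP)` here (or the per-family flag under `isipv6`), or document the aliasing where the flags are defined, so a later renumbering of one of them does not silently stop IPv6 fwd for TCP.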
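Review bot: sys/netinet6/ip6_var.h defines M_IP6_NEXTHOP as M_PROTO2 independently of the M_IP_NEXTHOP definition added to ip_var.h, with no cross-reference in either header; since tcp_input.c relies on the two being the same bit, define one in terms of the other or add a comment in both headers stating they must stay equal.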
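Review bot: in sys/netpfil/ipfw/ip_fw_sockopt.c `case O_FORWARD_IP:` is now accepted unconditionally while `case O_FORWARD_IP6:` stays under `#ifdef INET6`; for symmetry with ip_fw_pfil.c, which wraps the IPv4 next_hop copy in `#ifdef INET`, put O_FORWARD_IP under `#ifdef INET` too, otherwise an INET6-only kernel accepts a fwd rule for an address family it cannot act on.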