From: Saulius Menkevicius
Date: Wed, 16 Mar 2005 16:33:28 +0200
To: freebsd-stable@freebsd.org
Subject: kern/71910 and IPFIREWALL_FORWARD_EXTENDED
Message-ID: <423843B8.6000601@nulis.lt>

Hello,

I wonder if the config setting IPFIREWALL_FORWARD_EXTENDED was meant to fix kern/71910?

It adds #ifdef's around the following code in ip_output.c:

-----------------8<-----------------
    /* Or forward to some other address? */
    fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
    if (fwd_tag) {
#ifndef IPFIREWALL_FORWARD_EXTENDED
        if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
#endif
            dst = (struct sockaddr_in *)&ro->ro_dst;
            bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
            m->m_flags |= M_SKIP_FIREWALL;
            m_tag_delete(m, fwd_tag);
            goto again;
#ifndef IPFIREWALL_FORWARD_EXTENDED
        } else {
            m_tag_delete(m, fwd_tag);
            /* Continue. */
        }
#endif
    }
-----------------8<-----------------

Where the workaround for kern/71910 (at least it works for me) was:

-----------------8<-----------------
Index: ip_output.c =================================================================== RCS file: /FreeBSD-CVS/src/sys/netinet/ip_output.c,v retrieving revision 1.225.2.3 diff -u -b -r1.225.2.3 ip_output.c --- ip_output.c 15 Sep 2004 15:07:09 -0000 1.225.2.3 +++ ip_output.c 19 Sep 2004 15:51:42 -0000 
@@ -713,7 +713,7 @@ /* Or forward to some other address? */ fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (fwd_tag) { - if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) { + if (!in_localaddr(ip->ip_dst)) { dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; -----------------8<----------------- Thanks, Respectfully, Saulius Menkevicius
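
Review bot: the changed condition at the top of the fwd_tag block drops the !in_localip(ip->ip_src) test without a comment explaining why it is safe, so packets with a local source address now take the forward branch, have their destination overwritten from the tag and are marked M_SKIP_FIREWALL. Add a comment that references kern/71910 and states why the source check is not needed, and consider making the relaxed check conditional on a kernel option instead of changing the default path, in the way the IPFIREWALL_FORWARD_EXTENDED block quoted above does for both tests.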