authorjulian <julian@FreeBSD.org>2006-08-17 00:37:03 +0000
committerjulian <julian@FreeBSD.org>2006-08-17 00:37:03 +0000
commit4fb1f1e2022c76cd6d80c4c885312f56e2d0a596 (patch)
tree226aa6adc40051f20816908fd88ce4cd31043f82
parentb3160d204fc81f13c71edebc9d67009715c26bac (diff)
Remove the IPFIREWALL_FORWARD_EXTENDED option and make it on by default as it always was
in older versions of FreeBSD. This option is pointless as it is needed in just about every interesting usage of forward that I have ever seen. It doesn't make the system any safer and just wastes huge amounts of developer time when the system doesn't behave as expected when code is moved from 4.x to 6.x or 7.x Reviewed by: glebius MFC after: 1 week
-rw-r--r--sys/conf/NOTES10
-rw-r--r--sys/conf/options1
-rw-r--r--sys/netinet/ip_fastfwd.c6
-rw-r--r--sys/netinet/ip_input.c4
-rw-r--r--sys/netinet/ip_output.c19
5 files changed, 9 insertions, 31 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 203eeb9..5cab4b0 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -720,12 +720,9 @@ device stf #6to4 IPv6 over IPv4 encapsulation
#
# IPFIREWALL_FORWARD enables changing of the packet destination either
# to do some sort of policy routing or transparent proxying. Used by
-# ``ipfw forward''.
-#
-# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing
-# including redirecting packets to local IP addresses and ports. All
-# redirections apply to locally generated packets too. Because of this
-# great care is required when crafting the ruleset.
+# ``ipfw forward''. All redirections apply to locally generated
+# packets too. Because of this great care is required when
+# crafting the ruleset.
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
@@ -742,7 +739,6 @@ options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
-options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes
options IPDIVERT #divert sockets
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
diff --git a/sys/conf/options b/sys/conf/options
index 50d7f45..ff7f233 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -369,7 +369,6 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_FORWARD opt_ipfw.h
-IPFIREWALL_FORWARD_EXTENDED opt_ipfw.h
IPSTEALTH
IPX
IPXIP opt_ipx.h
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 3b0496b..ce017d9 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -476,11 +476,7 @@ forwardlocal:
*/
#ifdef IPFIREWALL_FORWARD
if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- if (!in_localip(ip->ip_src) &&
- !in_localaddr(ip->ip_dst))
-#endif
- dest.s_addr = ((struct sockaddr_in *)
+ dest.s_addr = ((struct sockaddr_in *)
(fwd_tag + 1))->sin_addr.s_addr;
m_tag_delete(m, fwd_tag);
}
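Review bot: The new `dest.s_addr = ...` assignment inside the `if (fwd_tag)` block now honours the tag's address unconditionally, but nothing in the code records that the former in_localip()/in_localaddr() restriction was dropped deliberately; that rationale now lives only in the NOTES text. Suggest a comment above `if (fwd_tag) {` such as `/* ipfw fwd: the tagged destination is applied unconditionally, local addresses included; the ruleset must scope fwd rules itself. */`. The same documentation gap exists in the ip_output.c hunk of this commit. What happens to a local fwd target after this point depends on the routing/forwardlocal code below the hunk, which is not visible here, so that path is worth confirming. The enclosing function starts and ends outside the hunk.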
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index a860074..84768a7 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -423,9 +423,6 @@ tooshort:
m->m_flags &= ~M_FASTFWD_OURS;
goto ours;
}
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
-#else
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
/*
* Directly ship on the packet. This allows to forward packets
@@ -435,7 +432,6 @@ tooshort:
ip_forward(m, dchg);
return;
}
-#endif /* IPFIREWALL_FORWARD_EXTENDED */
#endif /* IPFIREWALL_FORWARD */
passin:
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index dcdc635..8efc288 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -457,20 +457,11 @@ sendit:
/* Or forward to some other address? */
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
-#endif
- dst = (struct sockaddr_in *)&ro->ro_dst;
- bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
- m->m_flags |= M_SKIP_FIREWALL;
- m_tag_delete(m, fwd_tag);
- goto again;
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- } else {
- m_tag_delete(m, fwd_tag);
- /* Continue. */
- }
-#endif
+ dst = (struct sockaddr_in *)&ro->ro_dst;
+ bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
+ m->m_flags |= M_SKIP_FIREWALL;
+ m_tag_delete(m, fwd_tag);
+ goto again;
}
#endif /* IPFIREWALL_FORWARD */
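Review bot: With the guard gone, a PACKET_TAG_IPFORWARD tag on a locally generated packet is now always applied by the `dst = ...` / `bcopy(...)` / `goto again` sequence, and the code itself gives no hint of that; only NOTES does. Suggest a comment above the `dst =` line: `/* Apply the ipfw fwd target to every tagged packet, locally generated ones included; M_SKIP_FIREWALL keeps the re-entry at 'again' from being filtered (and re-tagged) a second time. */`. Since `ro->ro_dst` is overwritten in place, whether a cached `ro->ro_rt` for the old destination is released on the second pass through `again` depends on code above the hunk that is not visible and is worth confirming. The enclosing function (ip_output) starts and ends outside the hunk.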