author | ae <ae@FreeBSD.org> | 2012-10-25 09:39:14 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2012-10-25 09:39:14 +0000 |
commit | 71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch) | |
tree | 74b574e44bf5e980b33dbec1477301fa3513db78 | |
parent | ae88b227912c0ec48a0dde46fe47f423ca864059 (diff) | |
Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn
on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
-rw-r--r-- | sbin/ipfw/ipfw.8 | 9 | ||||
-rw-r--r-- | share/man/man4/ipfirewall.4 | 9 | ||||
-rw-r--r-- | sys/conf/NOTES | 7 | ||||
-rw-r--r-- | sys/conf/options | 1 | ||||
-rw-r--r-- | sys/net/pfil.c | 6 | ||||
-rw-r--r-- | sys/net/pfil.h | 3 | ||||
-rw-r--r-- | sys/netinet/ip_fastfwd.c | 20 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 5 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 11 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 17 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 10 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 8 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 4 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 6 | ||||
-rw-r--r-- | sys/netinet6/udp6_usrreq.c | 10 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw2.c | 9 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_pfil.c | 6 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_sockopt.c | 9 |
18 files changed, 52 insertions, 98 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index af4a2c5..5542ddc 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 16, 2012 +.Dd October 25, 2012 .Dt IPFW 8 .Os .Sh NAME @@ -777,8 +777,11 @@ use with transparent proxy servers. .Pp To enable .Cm fwd -a custom kernel needs to be compiled with the option -.Cd "options IPFIREWALL_FORWARD" . +the +.Xr sysctl 8 +variable +.Va net.pfil.forward +should be set to 1. .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance diff --git a/share/man/man4/ipfirewall.4 b/share/man/man4/ipfirewall.4 index f19d024..40c77a1 100644 --- a/share/man/man4/ipfirewall.4 +++ b/share/man/man4/ipfirewall.4 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 1, 2006 +.Dd October 25, 2012 .Dt IPFW 4 .Os .Sh NAME @@ -20,7 +20,6 @@ Other related kernel options which may also be useful are: .Bd -ragged -offset indent .Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT" -.Cd "options IPFIREWALL_FORWARD" .Cd "options IPFIREWALL_VERBOSE" .Cd "options IPFIREWALL_VERBOSE_LIMIT=100" .Ed @@ -71,12 +70,6 @@ from flooding system logs or causing local Denial of Service. This option may be set to the number of packets which will be logged on a per-entry basis before the entry is rate-limited. .Pp -Policy routing and transparent forwarding features of -.Nm -can be enabled by -.Dv IPFIREWALL_FORWARD -kernel option. -.Pp The user interface for .Nm is implemented by the diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 6d4ea53..aaf4c98 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES 
@@ -897,12 +897,6 @@ device lagg # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''. It # depends on IPFIREWALL if compiled into the kernel. # -# IPFIREWALL_FORWARD enables changing of the packet destination either -# to do some sort of policy routing or transparent proxying. Used by -# ``ipfw forward''. All redirections apply to locally generated -# packets too. Because of this great care is required when -# crafting the ruleset. -# # IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires # LIBALIAS. # @@ -923,7 +917,6 @@ options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default -options IPFIREWALL_FORWARD #packet destination changes options IPFIREWALL_NAT #ipfw kernel nat support options IPDIVERT #divert sockets options IPFILTER #ipfilter support diff --git a/sys/conf/options b/sys/conf/options index dac30e6..c0b262a 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -398,7 +398,6 @@ IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h -IPFIREWALL_FORWARD opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h diff --git a/sys/net/pfil.c b/sys/net/pfil.c index 06da0be..8d36999 100644 --- a/sys/net/pfil.c +++ b/sys/net/pfil.c @@ -37,6 +37,7 @@ #include <sys/rmlock.h> #include <sys/socket.h> #include <sys/socketvar.h> +#include <sys/sysctl.h> #include <sys/systm.h> #include <sys/condvar.h> #include <sys/lock.h> 
@@ -64,6 +65,11 @@ VNET_DEFINE(struct pfilheadhead, pfil_head_list); VNET_DEFINE(struct rmlock, pfil_lock); #define V_pfil_lock VNET(pfil_lock) +VNET_DEFINE(int, pfilforward) = 0; +SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface"); +SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW, + &VNET_NAME(pfilforward), 0, + "Enable forwarding performed by packet filters"); /* * pfil_run_hooks() runs the specified packet filter hooks. */ diff --git a/sys/net/pfil.h b/sys/net/pfil.h index fabfe9a..9c45f10 100644 --- a/sys/net/pfil.h +++ b/sys/net/pfil.h @@ -38,11 +38,14 @@ #include <sys/_mutex.h> #include <sys/lock.h> #include <sys/rmlock.h> +#include <net/vnet.h> struct mbuf; struct ifnet; struct inpcb; +VNET_DECLARE(int, pfilforward); +#define V_pfilforward VNET(pfilforward) /* * The packet filter hooks are designed for anything to call them to * possibly intercept the packet. diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c index 0eaaafe..b8d04ec 100644 --- a/sys/netinet/ip_fastfwd.c +++ b/sys/netinet/ip_fastfwd.c @@ -167,9 +167,7 @@ ip_fastforward(struct mbuf *m) uint16_t sum, ip_len, ip_off; int error = 0; int hlen, mtu; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; /* * Are we active and forwarding packets? @@ -372,14 +370,13 @@ ip_fastforward(struct mbuf *m) * Go on with new destination address */ } -#ifdef IPFIREWALL_FORWARD + if (m->m_flags & M_FASTFWD_OURS) { /* * ipfw changed it for a local address on this host. */ goto forwardlocal; } -#endif /* IPFIREWALL_FORWARD */ passin: /* 
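Review bot: The description string of the new node at `SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface");` has a typo; it should read `"Packet filter interface"`. Since the `forward` leaf is now the only place an operator meets this knob at runtime, its description could also carry the warning that this commit deletes from sys/conf/NOTES and does not move into ipfw.8, e.g. `"Enable forwarding performed by packet filters (applies to locally generated packets too)"`. Because the variable is declared through `VNET_DEFINE`/`SYSCTL_VNET_INT` it is presumably per-vnet state, so root inside a vnet jail can apparently flip it independently of the host; if that is intended it is worth a sentence in the commit message or the man page.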
@@ -449,20 +446,13 @@ passin: /* * Destination address changed? */ -#ifndef IPFIREWALL_FORWARD - if (odest.s_addr != dest.s_addr) { -#else - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); + if (V_pfilforward != 0) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (odest.s_addr != dest.s_addr || fwd_tag != NULL) { -#endif /* IPFIREWALL_FORWARD */ /* * Is it now for a local address on this host? */ -#ifndef IPFIREWALL_FORWARD - if (in_localip(dest)) { -#else if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) { -#endif /* IPFIREWALL_FORWARD */ forwardlocal: /* * Return packet for processing by ip_input(). @@ -475,13 +465,11 @@ forwardlocal: /* * Redo route lookup with new destination address */ -#ifdef IPFIREWALL_FORWARD if (fwd_tag) { dest.s_addr = ((struct sockaddr_in *) (fwd_tag + 1))->sin_addr.s_addr; m_tag_delete(m, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ RTFREE(ro.ro_rt); if ((dst = ip_findroute(&ro, dest, m)) == NULL) return NULL; /* icmp unreach already sent */ diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index baa08a4..e0e98a2 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -509,7 +509,9 @@ tooshort: dchg = (odst.s_addr != ip->ip_dst.s_addr); ifp = m->m_pkthdr.rcvif; -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passin; + if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; goto ours; @@ -523,7 +525,6 @@ tooshort: ip_forward(m, dchg); return; } -#endif /* IPFIREWALL_FORWARD */ passin: diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 51c8b0e..2df0fe8 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -129,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags, struct route iproute; struct rtentry *rte; /* cache for ro->ro_rt */ struct in_addr odst; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; -#endif #ifdef IPSEC int no_route_but_check_spd = 0; #endif 
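Review bot: The test at `if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) {` is now evaluated regardless of `net.pfil.forward`, while the `PACKET_TAG_IPFORWARD` lookup two lines above and the matching code in ip_input.c's hunk are skipped when the sysctl is 0. As far as the visible lines show the flag is only set by ipfw under the same sysctl, so this should only matter if the sysctl is toggled while a tagged packet is in flight; such a packet is then handed back to ip_input() with the flag still set, and ip_input() jumps to `passin` without clearing it. For symmetry with ip_input.c consider `if ((V_pfilforward != 0 && (m->m_flags & M_FASTFWD_OURS)) || in_localip(dest)) {`, or clear the flag on the disabled path. ip_fastforward() starts and ends outside this hunk.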
@@ -218,11 +216,7 @@ again: ro->ro_lle = NULL; rte = NULL; } -#ifdef IPFIREWALL_FORWARD if (rte == NULL && fwd_tag == NULL) { -#else - if (rte == NULL) { -#endif bzero(dst, sizeof(*dst)); dst->sin_family = AF_INET; dst->sin_len = sizeof(*dst); @@ -543,7 +537,9 @@ sendit: } } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passout; + /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -574,7 +570,6 @@ sendit: ifa_free(&ia->ia_ifa); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* 127/8 must not appear on wire - RFC1122. */ diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 0341207..1d56dfd 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -75,6 +75,7 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> +#include <net/pfil.h> #include <net/route.h> #include <net/vnet.h> @@ -544,9 +545,7 @@ tcp_input(struct mbuf *m, int off0) uint8_t sig_checked = 0; #endif uint8_t iptos = 0; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; #ifdef INET6 struct ip6_hdr *ip6 = NULL; int isipv6; @@ -754,15 +753,13 @@ findpcb: } #endif -#ifdef IPFIREWALL_FORWARD /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); -#endif /* IPFIREWALL_FORWARD */ + if (V_pfilforward != 0) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); #ifdef INET6 -#ifdef IPFIREWALL_FORWARD if (isipv6 && fwd_tag != NULL) { struct sockaddr_in6 *next_hop6; @@ -788,9 +785,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); - } else -#endif /* IPFIREWALL_FORWARD */ - if (isipv6) { + } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, 
@@ -801,7 +796,6 @@ findpcb: else #endif #ifdef INET -#ifdef IPFIREWALL_FORWARD if (fwd_tag != NULL) { struct sockaddr_in *next_hop; @@ -828,7 +822,6 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 9a4a682..cd08468 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -65,6 +65,7 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> +#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -341,9 +342,7 @@ udp_input(struct mbuf *m, int off) uint16_t len, ip_len; struct ip save_ip; struct sockaddr_in udp_in; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ifp = m->m_pkthdr.rcvif; UDPSTAT_INC(udps_ipackets); @@ -546,12 +545,12 @@ udp_input(struct mbuf *m, int off) /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if (V_pfilforward != 0 && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in *next_hop; next_hop = (struct sockaddr_in *)(fwd_tag + 1); @@ -577,7 +576,6 @@ udp_input(struct mbuf *m, int off) /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport, ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, ifp, m); diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 3321a95..c1ea400 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c 
@@ -108,9 +108,7 @@ ip6_forward(struct mbuf *m, int srcrt) #ifdef SCTP int sw_csum; #endif -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; #ifdef IPSEC @@ -359,9 +357,7 @@ again: dst->sin6_len = sizeof(struct sockaddr_in6); dst->sin6_family = AF_INET6; dst->sin6_addr = ip6->ip6_dst; -#ifdef IPFIREWALL_FORWARD again2: -#endif rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m)); if (rin6.ro_rt != NULL) RT_UNLOCK(rin6.ro_rt); @@ -596,7 +592,8 @@ skip_routing: goto again; /* Redo the routing table lookup. */ } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto pass; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -622,7 +619,6 @@ skip_routing: m_tag_delete(m, fwd_tag); goto again2; } -#endif /* IPFIREWALL_FORWARD */ pass: error = nd6_output(rt->rt_ifp, origifp, m, dst, rt); diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index f5ec27a..bbb6fdd 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -628,7 +628,8 @@ ip6_input(struct mbuf *m) ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passin; if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; ours = 1; @@ -644,7 +645,6 @@ ip6_input(struct mbuf *m) ip6_forward(m, 1); goto out; } -#endif /* IPFIREWALL_FORWARD */ passin: /* diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index bb1a673..e7254a6 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -257,9 +257,7 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, int segleft_org = 0; struct secpolicy *sp = NULL; #endif /* IPSEC */ -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ip6 = mtod(m, struct ip6_hdr *); if (ip6 == NULL) { 
@@ -915,7 +913,8 @@ again: goto again; /* Redo the routing table lookup. */ } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passout; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -941,7 +940,6 @@ again: m_tag_delete(m, fwd_tag); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 1afe67b..d7040c4 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -92,6 +92,7 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/if_types.h> +#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -182,9 +183,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto) int off = *offp; int plen, ulen; struct sockaddr_in6 fromsa; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif uint16_t uh_sum; ifp = m->m_pkthdr.rcvif; @@ -393,12 +392,12 @@ udp6_input(struct mbuf **mp, int *offp, int proto) /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if (V_pfilforward != 0 && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in6 *next_hop6; next_hop6 = (struct sockaddr_in6 *)(fwd_tag + 1); @@ -425,7 +424,6 @@ udp6_input(struct mbuf **mp, int *offp, int proto) /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src, uh->uh_sport, &ip6->ip6_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index f452222..69d975b 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c 
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/route.h> #include <net/pf_mtag.h> +#include <net/pfil.h> #include <net/vnet.h> #include <netinet/in.h> @@ -2534,12 +2535,7 @@ ipfw_init(void) "(+ipv6) " #endif "initialized, divert %s, nat %s, " - "rule-based forwarding " -#ifdef IPFIREWALL_FORWARD - "enabled, " -#else - "disabled, " -#endif + "rule-based forwarding turned %s, " "default to %s, logging ", #ifdef IPDIVERT "enabled", @@ -2551,6 +2547,7 @@ ipfw_init(void) #else "loadable", #endif + V_pfilforward ? "on": "off", default_to_accept ? "accept" : "deny"); /* diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c index a2d29da..c34650d 100644 --- a/sys/netpfil/ipfw/ip_fw_pfil.c +++ b/sys/netpfil/ipfw/ip_fw_pfil.c @@ -159,7 +159,9 @@ again: /* next_hop may be set by ipfw_chk */ if (args.next_hop == NULL && args.next_hop6 == NULL) break; /* pass */ -#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET)) + if (V_pfilforward == 0) + break; +#if (!defined(INET6) && !defined(INET)) ret = EACCES; #else { @@ -210,7 +212,7 @@ again: #endif m_tag_prepend(*m0, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ +#endif /* INET || INET6 */ break; case IP_FW_DENY: diff --git a/sys/netpfil/ipfw/ip_fw_sockopt.c b/sys/netpfil/ipfw/ip_fw_sockopt.c index a412eb0..e71019a 100644 --- a/sys/netpfil/ipfw/ip_fw_sockopt.c +++ b/sys/netpfil/ipfw/ip_fw_sockopt.c @@ -708,23 +708,14 @@ check_ipfw_struct(struct ip_fw *rule, int size) goto check_action; case O_FORWARD_IP: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa)) goto bad_size; goto check_action; -#else - return EINVAL; -#endif - #ifdef INET6 case O_FORWARD_IP6: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6)) goto bad_size; goto check_action; -#else - return (EINVAL); -#endif #endif /* INET6 */ case O_DIVERT: |
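Review bot: The new `"rule-based forwarding turned %s, "` text in ipfw_init() reports the value of `V_pfilforward` at the moment ipfw initializes, but the variable is defined as 0 in pfil.c and, as far as the visible lines show, is not a loader tunable, so this line will print `off` on practically every boot even though the feature can be switched on a moment later. Consider reporting the knob rather than a snapshot, e.g. `"rule-based forwarding via net.pfil.forward, "`, or make clear it is a snapshot with `"rule-based forwarding currently %s (net.pfil.forward), "`. ipfw_init() starts and ends outside this hunk.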
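Review bot: With `net.pfil.forward` at its default of 0, a packet that matches a `fwd` rule now reaches the added `if (V_pfilforward == 0) break;` and, as far as the visible switch shows, leaves `ret` at its pass value, so the packet continues to its original destination instead of being redirected — a fail-open for rulesets built around transparent proxying, and a new situation because `fwd` rules previously could not be installed at all without IPFIREWALL_FORWARD. The pre-existing `!INET && !INET6` branch directly below treats an unsupported forward as `ret = EACCES;`; the disabled-sysctl case would be safer handled the same way, `if (V_pfilforward == 0) { ret = EACCES; break; }`, or at the very least ipfw.8 should state that a `fwd` action with the sysctl off means pass, not drop. The enclosing switch and its function start and end outside this hunk.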
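Review bot: `O_FORWARD_IP` and `O_FORWARD_IP6` are now accepted by check_ipfw_struct() unconditionally, so a `fwd` rule installs without complaint on a system where `net.pfil.forward` is still 0 and then, judging by the ip_fw_pfil.c change in this commit, silently passes traffic instead of forwarding it. Checking the sysctl here would be racy, since it can change after the rule is loaded, but a comment at `case O_FORWARD_IP:` such as `/* Accepted regardless of net.pfil.forward; the action has no effect while the sysctl is 0. */` would make the contract explicit, and ipfw(8) could warn at install time when it loads a fwd rule with the sysctl off. check_ipfw_struct() starts and ends outside this hunk.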