Remove the IPFIREWALL_FORWARD kernel option and make possible to turn

on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default. Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
author: ae <ae@FreeBSD.org> 2012-10-25 09:39:14 +0000
committer: ae <ae@FreeBSD.org> 2012-10-25 09:39:14 +0000
commit: 71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch)
tree: 74b574e44bf5e980b33dbec1477301fa3513db78 /sys/net/pfil.c
parent: ae88b227912c0ec48a0dde46fe47f423ca864059 (diff)
download: FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.zip
FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index 06da0be..8d36999 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -37,6 +37,7 @@
 #include <sys/rmlock.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
+#include <sys/sysctl.h>
 #include <sys/systm.h>
 #include <sys/condvar.h>
 #include <sys/lock.h>
@@ -64,6 +65,11 @@ VNET_DEFINE(struct pfilheadhead, pfil_head_list);
 VNET_DEFINE(struct rmlock, pfil_lock);
 #define	V_pfil_lock	VNET(pfil_lock)
 
+VNET_DEFINE(int, pfilforward) = 0;
+SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface");
+SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW,
+    &VNET_NAME(pfilforward), 0,
+    "Enable forwarding performed by packet filters");
 /*
  * pfil_run_hooks() runs the specified packet filter hooks.
  */
author	ae <ae@FreeBSD.org>	2012-10-25 09:39:14 +0000
committer	ae <ae@FreeBSD.org>	2012-10-25 09:39:14 +0000
commit	71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch)
tree	74b574e44bf5e980b33dbec1477301fa3513db78 /sys/net/pfil.c
parent	ae88b227912c0ec48a0dde46fe47f423ca864059 (diff)
download	FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.zip FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.tar.gz