authorae <ae@FreeBSD.org>2012-10-25 09:39:14 +0000
committerae <ae@FreeBSD.org>2012-10-25 09:39:14 +0000
commit71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch)
tree74b574e44bf5e980b33dbec1477301fa3513db78 /sys/net
parentae88b227912c0ec48a0dde46fe47f423ca864059 (diff)
Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn
on the related functionality at runtime via the sysctl variable net.pfil.forward. It is turned off by default. Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pfil.c6
-rw-r--r--sys/net/pfil.h3
2 files changed, 9 insertions, 0 deletions
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index 06da0be..8d36999 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -37,6 +37,7 @@
#include <sys/rmlock.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
+#include <sys/sysctl.h>
#include <sys/systm.h>
#include <sys/condvar.h>
#include <sys/lock.h>
@@ -64,6 +65,11 @@ VNET_DEFINE(struct pfilheadhead, pfil_head_list);
VNET_DEFINE(struct rmlock, pfil_lock);
#define V_pfil_lock VNET(pfil_lock)
+VNET_DEFINE(int, pfilforward) = 0;
+SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface");
+SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW,
+ &VNET_NAME(pfilforward), 0,
+ "Enable forwarding performed by packet filters");
/*
* pfil_run_hooks() runs the specified packet filter hooks.
*/
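Review bot: The description string of the new `net.pfil` node is misspelled as `"Packer filter interface"`; this is the text `sysctl -d` prints, and the line should read `SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packet filter interface");`. Separately, `net.pfil.forward` is registered as a plain `CTLFLAG_RW` int with no handler, so any non-zero value (including negative ones) enables it and nothing records a change. Because the variable is per-vnet, whoever may write sysctls inside a given vnet can presumably switch filter-driven forwarding on or off for that network stack, so changes to this knob are worth including in configuration auditing. If only 0 and 1 are intended, a handler that rejects other values would make the contract explicit.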
diff --git a/sys/net/pfil.h b/sys/net/pfil.h
index fabfe9a..9c45f10 100644
--- a/sys/net/pfil.h
+++ b/sys/net/pfil.h
@@ -38,11 +38,14 @@
#include <sys/_mutex.h>
#include <sys/lock.h>
#include <sys/rmlock.h>
+#include <net/vnet.h>
struct mbuf;
struct ifnet;
struct inpcb;
+VNET_DECLARE(int, pfilforward);
+#define V_pfilforward VNET(pfilforward)
/*
* The packet filter hooks are designed for anything to call them to
* possibly intercept the packet.
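Review bot: The new `VNET_DECLARE(int, pfilforward);` and `V_pfilforward` are exported to every includer of pfil.h without a comment, and this header is where consumers will look for the contract. I would add `/* Per-vnet switch for forwarding requested by packet filters; 0 (the default) disables it. Set via net.pfil.forward. */` above the declaration. Since the commit message says the feature is now off by default, rulesets that relied on the removed compile-time option presumably stop forwarding until the sysctl is set, and the comment (or the option's documentation) should say so. The comment block that follows the declaration continues outside the hunk.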