author | jmallett <jmallett@FreeBSD.org> | 2004-07-17 02:40:13 +0000 |
---|---|---|
committer | jmallett <jmallett@FreeBSD.org> | 2004-07-17 02:40:13 +0000 |
commit | 111d2dd1159354d54660b7275a9d1e2fd35dd227 (patch) | |
tree | 392cef56c71ac33e390c5c4e9f00d4a2b73b6808 /sys/netinet/ip_fw2.c | |
parent | e2c3152e77cba6cc168ce99880e6b6bef9921e4e (diff) | |
download | FreeBSD-src-111d2dd1159354d54660b7275a9d1e2fd35dd227.zip FreeBSD-src-111d2dd1159354d54660b7275a9d1e2fd35dd227.tar.gz |
Make M_SKIP_FIREWALL a global (and semantic) flag, preventing anything from
using M_PROTO6 and possibly shooting someone's foot, as well as allowing the
firewall to be used in multiple passes, or with a packet classifier frontend,
that may need to explicitly allow a certain packet. Presently this is handled
in the ipfw_chk code as before, though I have run with it moved to upper
layers, and possibly it should apply to ipfilter and pf as well, though this
has not been investigated.
Discussed with: luigi, rwatson
Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r-- | sys/netinet/ip_fw2.c | 12 |
1 files changed, 0 insertions, 12 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 19f54ca..0b6f754 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -86,18 +86,6 @@ #include <machine/in_cksum.h> /* XXX for in_cksum */ /* - * This is used to avoid that a firewall-generated packet - * loops forever through the firewall. Note that it must - * be a flag that is unused by other protocols that might - * be called from ip_output (e.g. IPsec) and it must be - * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain - * is altered on the way through ip_output it is not lost. - * It might be better to add an m_tag since the this happens - * infrequently. - */ -#define M_SKIP_FIREWALL M_PROTO6 - -/* * set_disable contains one bit per set value (0..31). * If the bit is set, all rules with the corresponding set * are disabled. Set RESVD_SET(31) is reserved for the default rule |
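Review bot: the hunk removes the explanatory comment together with the local `#define M_SKIP_FIREWALL M_PROTO6`, and that comment records two invariants the new global flag still depends on: it must be a flag unused by other protocols that ip_output may call (the comment names IPsec), and it must be listed in M_COPYFLAGS in mbuf.h so the mark is not lost if the mbuf chain is altered on the way through ip_output. Because this diffstat is limited to sys/netinet/ip_fw2.c, the mbuf.h side of the move is not visible here; suggest carrying the comment over to the global definition (and confirming the M_COPYFLAGS entry) rather than dropping it, and keeping the removed note that an m_tag might be the better mechanism, since with the flag now global and settable by a classifier frontend or an earlier pass, the firewall's skip decision rests entirely on those two properties holding.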