authorsam <sam@FreeBSD.org>2003-11-24 03:57:03 +0000
committersam <sam@FreeBSD.org>2003-11-24 03:57:03 +0000
commitfa98e6052ae92dd7ca5a7b8e8cf46fc79623a29f (patch)
treebb218bcd0f96cc500b2f1f62c154a12f8d426f19 /sys/netinet/ip_fw2.c
parent939be2da2f8bc8c28d0f98fff3a2ba8ab4b9f46a (diff)
Correct a problem where ipfw-generated packets were being returned
for ipfw processing w/o an indication the packets were generated by ipfw--and so should not be processed (this manifested itself as a LOR.) The flag bit in the mbuf that was used to mark the packets was not listed in M_COPYFLAGS so if a packet had a header prepended (as done by IPsec) the flag was lost. Correct this by defining a new M_PROTO6 flag and use it to mark packets that need this processing. Reviewed by: bms Approved by: re (rwatson) MFC after: 2 weeks
Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r--sys/netinet/ip_fw2.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 19799bc..a532a6d 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -82,12 +82,16 @@
#include <machine/in_cksum.h> /* XXX for in_cksum */
/*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
+ * This is used to avoid that a firewall-generated packet
+ * loops forever through the firewall. Note that it must
+ * be a flag that is unused by other protocols that might
+ * be called from ip_output (e.g. IPsec) and it must be
+ * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
+ * is altered on the way through ip_output it is not lost.
+ * It might be better to add an m_tag since the this happens
+ * infrequently.
*/
-#ifndef M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL 0x4000
-#endif
+#define M_SKIP_FIREWALL M_PROTO6
/*
* set_disable contains one bit per set value (0..31).
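Review bot: The new `#define M_SKIP_FIREWALL M_PROTO6` relies on two invariants that only the comment above it states: that M_PROTO6 is listed in M_COPYFLAGS, and that no other protocol reachable from ip_output uses the bit. The first can be enforced at build time next to the define, for example `CTASSERT((M_COPYFLAGS & M_SKIP_FIREWALL) == M_SKIP_FIREWALL);` (assuming sys/systm.h is in scope in this file), so that a later edit to mbuf.h cannot silently bring back the lost-flag loop described in the commit message. The second invariant also matters in the other direction: if another layer ever sets M_PROTO6 for its own purpose, that packet would presumably be treated as firewall-generated and skip ipfw rule processing, so the reservation deserves a matching comment at the M_PROTO6 definition, which is not visible in this diff. The added comment also contains a typo, "since the this happens infrequently", and the set_disable comment that follows continues outside the hunk.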