summaryrefslogtreecommitdiffstats
path: root/sys/netinet/ip_output.c
diff options
context:
space:
mode:
authorandre <andre@FreeBSD.org>2005-02-22 17:40:40 +0000
committerandre <andre@FreeBSD.org>2005-02-22 17:40:40 +0000
commit9094f4f16b2edec6f6ff3cad13b2e466bc92e104 (patch)
tree27e1404f31af0c65be78d4fe952e2b86a85ad18d /sys/netinet/ip_output.c
parent67b4f62450af59f85c9b21ddd07ab0a5011d36a4 (diff)
downloadFreeBSD-src-9094f4f16b2edec6f6ff3cad13b2e466bc92e104.zip
FreeBSD-src-9094f4f16b2edec6f6ff3cad13b2e466bc92e104.tar.gz
Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option: options IPFIREWALL_FORWARD_EXTENDED This option has to be specified in addition to IPFIRWALL_FORWARD. With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break. Document the two kernel options. PR: kern/71910 PR: kern/73129 MFC after: 1 week
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r--sys/netinet/ip_output.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 59b8aef..056ffb6 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -706,18 +706,22 @@ spd_done:
/* Or forward to some other address? */
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (fwd_tag) {
+#ifndef IPFIREWALL_FORWARD_EXTENDED
if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
+#endif
dst = (struct sockaddr_in *)&ro->ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
m->m_flags |= M_SKIP_FIREWALL;
m_tag_delete(m, fwd_tag);
goto again;
+#ifndef IPFIREWALL_FORWARD_EXTENDED
} else {
m_tag_delete(m, fwd_tag);
/* Continue. */
}
- }
#endif
+ }
+#endif /* IPFIREWALL_FORWARD */
passout:
/* 127/8 must not appear on wire - RFC1122. */
OpenPOWER on IntegriCloud