diff options
| author | andre <andre@FreeBSD.org> | 2005-02-22 17:40:40 +0000 |
|---|---|---|
| committer | andre <andre@FreeBSD.org> | 2005-02-22 17:40:40 +0000 |
| commit | 9094f4f16b2edec6f6ff3cad13b2e466bc92e104 (patch) | |
| tree | 27e1404f31af0c65be78d4fe952e2b86a85ad18d /sys/netinet | |
| parent | 67b4f62450af59f85c9b21ddd07ab0a5011d36a4 (diff) | |
| download | FreeBSD-src-9094f4f16b2edec6f6ff3cad13b2e466bc92e104.zip FreeBSD-src-9094f4f16b2edec6f6ff3cad13b2e466bc92e104.tar.gz | |
Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:
options IPFIREWALL_FORWARD_EXTENDED
This option has to be specified in addition to IPFIRWALL_FORWARD.
With this option even packets targeted for an IP address local
to the host can be redirected. All restrictions to ensure proper
behaviour for locally generated packets are turned off. Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.
Document the two kernel options.
PR: kern/71910
PR: kern/73129
MFC after: 1 week
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_input.c | 12 | ||||
| -rw-r--r-- | sys/netinet/ip_output.c | 6 |
2 files changed, 17 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index ecf79ae..6eaf3eb 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -468,7 +468,19 @@ tooshort: m->m_flags &= ~M_FASTFWD_OURS; goto ours; } +#ifndef IPFIREWALL_FORWARD_EXTENDED dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); +#else + if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { + /* + * Directly ship on the packet. This allows to forward packets + * that were destined for us to some other directly connected + * host. + */ + ip_forward(m, dchg); + return; + } +#endif /* IPFIREWALL_FORWARD_EXTENDED */ #endif /* IPFIREWALL_FORWARD */ passin: diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 59b8aef..056ffb6 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -706,18 +706,22 @@ spd_done: /* Or forward to some other address? */ fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (fwd_tag) { +#ifndef IPFIREWALL_FORWARD_EXTENDED if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) { +#endif dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; m_tag_delete(m, fwd_tag); goto again; +#ifndef IPFIREWALL_FORWARD_EXTENDED } else { m_tag_delete(m, fwd_tag); /* Continue. */ } - } #endif + } +#endif /* IPFIREWALL_FORWARD */ passout: /* 127/8 must not appear on wire - RFC1122. */ |
