Remove the IPFIREWALL_FORWARD kernel option and make possible to turn

on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default. Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
author: ae <ae@FreeBSD.org> 2012-10-25 09:39:14 +0000
committer: ae <ae@FreeBSD.org> 2012-10-25 09:39:14 +0000
commit: 71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch)
tree: 74b574e44bf5e980b33dbec1477301fa3513db78 /sys/netpfil/ipfw/ip_fw_pfil.c
parent: ae88b227912c0ec48a0dde46fe47f423ca864059 (diff)
download: FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.zip
FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c
index a2d29da..c34650d 100644
--- a/sys/netpfil/ipfw/ip_fw_pfil.c
+++ b/sys/netpfil/ipfw/ip_fw_pfil.c
@@ -159,7 +159,9 @@ again:
 		/* next_hop may be set by ipfw_chk */
 		if (args.next_hop == NULL && args.next_hop6 == NULL)
 			break; /* pass */
-#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET))
+		if (V_pfilforward == 0)
+			break;
+#if (!defined(INET6) && !defined(INET))
 		ret = EACCES;
 #else
 	    {
@@ -210,7 +212,7 @@ again:
 #endif
 		m_tag_prepend(*m0, fwd_tag);
 	    }
-#endif /* IPFIREWALL_FORWARD */
+#endif /* INET || INET6 */
 		break;
 
 	case IP_FW_DENY:
author	ae <ae@FreeBSD.org>	2012-10-25 09:39:14 +0000
committer	ae <ae@FreeBSD.org>	2012-10-25 09:39:14 +0000
commit	71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch)
tree	74b574e44bf5e980b33dbec1477301fa3513db78 /sys/netpfil/ipfw/ip_fw_pfil.c
parent	ae88b227912c0ec48a0dde46fe47f423ca864059 (diff)
download	FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.zip FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.tar.gz