diff options
author | ae <ae@FreeBSD.org> | 2012-10-25 09:39:14 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2012-10-25 09:39:14 +0000 |
commit | 71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch) | |
tree | 74b574e44bf5e980b33dbec1477301fa3513db78 /sys/netpfil | |
parent | ae88b227912c0ec48a0dde46fe47f423ca864059 (diff) | |
download | FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.zip FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.tar.gz |
Remove the IPFIREWALL_FORWARD kernel option and make possible to turn
on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
Diffstat (limited to 'sys/netpfil')
-rw-r--r-- | sys/netpfil/ipfw/ip_fw2.c | 9 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_pfil.c | 6 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_sockopt.c | 9 |
3 files changed, 7 insertions, 17 deletions
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index f452222..69d975b 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/route.h> #include <net/pf_mtag.h> +#include <net/pfil.h> #include <net/vnet.h> #include <netinet/in.h> @@ -2534,12 +2535,7 @@ ipfw_init(void) "(+ipv6) " #endif "initialized, divert %s, nat %s, " - "rule-based forwarding " -#ifdef IPFIREWALL_FORWARD - "enabled, " -#else - "disabled, " -#endif + "rule-based forwarding turned %s, " "default to %s, logging ", #ifdef IPDIVERT "enabled", @@ -2551,6 +2547,7 @@ ipfw_init(void) #else "loadable", #endif + V_pfilforward ? "on": "off", default_to_accept ? "accept" : "deny"); /* diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c index a2d29da..c34650d 100644 --- a/sys/netpfil/ipfw/ip_fw_pfil.c +++ b/sys/netpfil/ipfw/ip_fw_pfil.c @@ -159,7 +159,9 @@ again: /* next_hop may be set by ipfw_chk */ if (args.next_hop == NULL && args.next_hop6 == NULL) break; /* pass */ -#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET)) + if (V_pfilforward == 0) + break; +#if (!defined(INET6) && !defined(INET)) ret = EACCES; #else { @@ -210,7 +212,7 @@ again: #endif m_tag_prepend(*m0, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ +#endif /* INET || INET6 */ break; case IP_FW_DENY: diff --git a/sys/netpfil/ipfw/ip_fw_sockopt.c b/sys/netpfil/ipfw/ip_fw_sockopt.c index a412eb0..e71019a 100644 --- a/sys/netpfil/ipfw/ip_fw_sockopt.c +++ b/sys/netpfil/ipfw/ip_fw_sockopt.c @@ -708,23 +708,14 @@ check_ipfw_struct(struct ip_fw *rule, int size) goto check_action; case O_FORWARD_IP: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa)) goto bad_size; goto check_action; -#else - return EINVAL; -#endif - #ifdef INET6 case O_FORWARD_IP6: -#ifdef IPFIREWALL_FORWARD if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6)) goto bad_size; goto check_action; -#else - return (EINVAL); -#endif #endif /* INET6 */ case O_DIVERT: |