-rw-r--r--sys/conf/NOTES10
-rw-r--r--sys/conf/options1
-rw-r--r--sys/netinet/ip_fastfwd.c6
-rw-r--r--sys/netinet/ip_input.c4
-rw-r--r--sys/netinet/ip_output.c19
5 files changed, 9 insertions, 31 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 203eeb9..5cab4b0 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -720,12 +720,9 @@ device stf #6to4 IPv6 over IPv4 encapsulation
#
# IPFIREWALL_FORWARD enables changing of the packet destination either
# to do some sort of policy routing or transparent proxying. Used by
-# ``ipfw forward''.
-#
-# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing
-# including redirecting packets to local IP addresses and ports. All
-# redirections apply to locally generated packets too. Because of this
-# great care is required when crafting the ruleset.
+# ``ipfw forward''. All redirections apply to locally generated
+# packets too. Because of this great care is required when
+# crafting the ruleset.
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
@@ -742,7 +739,6 @@ options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
-options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes
options IPDIVERT #divert sockets
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
diff --git a/sys/conf/options b/sys/conf/options
index 50d7f45..ff7f233 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -369,7 +369,6 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_FORWARD opt_ipfw.h
-IPFIREWALL_FORWARD_EXTENDED opt_ipfw.h
IPSTEALTH
IPX
IPXIP opt_ipx.h
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 3b0496b..ce017d9 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -476,11 +476,7 @@ forwardlocal:
*/
#ifdef IPFIREWALL_FORWARD
if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- if (!in_localip(ip->ip_src) &&
- !in_localaddr(ip->ip_dst))
-#endif
- dest.s_addr = ((struct sockaddr_in *)
+ dest.s_addr = ((struct sockaddr_in *)
(fwd_tag + 1))->sin_addr.s_addr;
m_tag_delete(m, fwd_tag);
}
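Review bot: The now-unconditional `dest.s_addr = ((struct sockaddr_in *)(fwd_tag + 1))->sin_addr.s_addr;` reads the tag payload as a full `sockaddr_in`, and nothing in the hunk checks that the payload is that large. The tag is presumably attached by ipfw with the right size, but that code is outside this diff, so I would pin the assumption with `KASSERT(fwd_tag->m_tag_len >= sizeof(struct sockaddr_in), ("forward tag too short"));` before the read. The same applies to `bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));` in the ip_output.c hunk. The enclosing function begins and ends outside the hunk.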
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index a860074..84768a7 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -423,9 +423,6 @@ tooshort:
m->m_flags &= ~M_FASTFWD_OURS;
goto ours;
}
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
-#else
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
/*
* Directly ship on the packet. This allows to forward packets
@@ -435,7 +432,6 @@ tooshort:
ip_forward(m, dchg);
return;
}
-#endif /* IPFIREWALL_FORWARD_EXTENDED */
#endif /* IPFIREWALL_FORWARD */
passin:
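Review bot: Every inbound packet carrying the forward tag now returns through `ip_forward(m, dchg); return;` before reaching `passin:`, on any kernel built with IPFIREWALL_FORWARD, and the surviving comment does not say so. Whatever checks follow that label are outside the hunk, so I would state the bypass in the comment, for example `* Tagged packets never reach the checks below passin:.`. With the `#ifndef` branch gone, `dchg` is always non-zero inside the block, so the call can read `ip_forward(m, 1);`. The assignment inside the condition in the preceding hunk could then become a plain test, provided no later code outside the hunk depends on the value of `dchg`.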
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index dcdc635..8efc288 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -457,20 +457,11 @@ sendit:
/* Or forward to some other address? */
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
-#endif
- dst = (struct sockaddr_in *)&ro->ro_dst;
- bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
- m->m_flags |= M_SKIP_FIREWALL;
- m_tag_delete(m, fwd_tag);
- goto again;
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- } else {
- m_tag_delete(m, fwd_tag);
- /* Continue. */
- }
-#endif
+ dst = (struct sockaddr_in *)&ro->ro_dst;
+ bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
+ m->m_flags |= M_SKIP_FIREWALL;
+ m_tag_delete(m, fwd_tag);
+ goto again;
}
#endif /* IPFIREWALL_FORWARD */
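Review bot: `m->m_flags |= M_SKIP_FIREWALL;` followed by `goto again;` now runs for every tagged packet, including locally generated ones and ones redirected to a local address, and the block has no comment explaining the consequence. Judging by the flag name, the pass after `again:` presumably does not run the rewritten packet through the filter again, but that code is outside the hunk. If so, the forward rule alone decides where such traffic goes, which is the risk the NOTES text warns about. I would add above the assignment: `/* The redirected packet is not re-filtered; the ipfw forward rule is the only policy applied to the new destination. */`.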