2 files changed, 12 insertions, 7 deletions

diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 19799bc..a532a6d 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -82,12 +82,16 @@
 #include <machine/in_cksum.h>	/* XXX for in_cksum */
 
 /*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
+ * This is used to avoid that a firewall-generated packet
+ * loops forever through the firewall.  Note that it must
+ * be a flag that is unused by other protocols that might
+ * be called from ip_output (e.g. IPsec) and it must be
+ * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
+ * is altered on the way through ip_output it is not lost.
+ * It might be better to add an m_tag since the this happens
+ * infrequently.
  */
-#ifndef	M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL         0x4000
-#endif
+#define M_SKIP_FIREWALL         M_PROTO6
 
 /*
  * set_disable contains one bit per set value (0..31).
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 2d7b1f9..0b84e1f 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -153,6 +153,7 @@ struct mbuf {
 #define	M_PROTO3	0x0040	/* protocol-specific */
 #define	M_PROTO4	0x0080	/* protocol-specific */
 #define	M_PROTO5	0x0100	/* protocol-specific */
+#define M_PROTO6	0x4000	/* protocol-specific (avoid M_BCAST conflict) */
 #define	M_FREELIST	0x8000	/* mbuf is on the free list */
 
 /*
@@ -178,8 +179,8 @@ struct mbuf {
  * Flags copied when copying m_pkthdr.
  */
 #define	M_COPYFLAGS	(M_PKTHDR|M_EOR|M_RDONLY|M_PROTO1|M_PROTO1|M_PROTO2|\
-			    M_PROTO3|M_PROTO4|M_PROTO5|M_BCAST|M_MCAST|\
-			    M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
+			    M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|\
+			    M_BCAST|M_MCAST|M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
 
 /*
  * Flags indicating hw checksum support and sw checksum requirements.