-rw-r--r--UPDATING5
-rw-r--r--sbin/ipfw/ipfw.88
-rw-r--r--sys/net/pfil.c6
-rw-r--r--sys/net/pfil.h3
-rw-r--r--sys/netinet/ip_fastfwd.c3
-rw-r--r--sys/netinet/ip_input.c23
-rw-r--r--sys/netinet/ip_output.c8
-rw-r--r--sys/netinet/ip_var.h1
-rw-r--r--sys/netinet/tcp_input.c5
-rw-r--r--sys/netinet/udp_usrreq.c4
-rw-r--r--sys/netinet6/ip6_forward.c7
-rw-r--r--sys/netinet6/ip6_input.c5
-rw-r--r--sys/netinet6/ip6_output.c7
-rw-r--r--sys/netinet6/ip6_var.h2
-rw-r--r--sys/netinet6/udp6_usrreq.c4
-rw-r--r--sys/netpfil/ipfw/ip_fw2.c2
-rw-r--r--sys/netpfil/ipfw/ip_fw_pfil.c4
17 files changed, 38 insertions, 59 deletions
diff --git a/UPDATING b/UPDATING
index 4960ef8..0db0c5c 100644
--- a/UPDATING
+++ b/UPDATING
@@ -24,10 +24,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10.x IS SLOW:
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
-20121025:
+20121102:
The IPFIREWALL_FORWARD kernel option has been removed. Its
- functionality now can be turned on using the net.pfil.forward
- sysctl variable.
+ functionality now turned on by default.
20121023:
The ZERO_COPY_SOCKET kernel option has been removed and
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 5542ddc..db0dfc0 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -774,14 +774,6 @@ This makes the
.Xr netstat 1
entry look rather weird but is intended for
use with transparent proxy servers.
-.Pp
-To enable
-.Cm fwd
-the
-.Xr sysctl 8
-variable
-.Va net.pfil.forward
-should be set to 1.
.It Cm nat Ar nat_nr | tablearg
Pass packet to a
nat instance
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index 8d36999..06da0be 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -37,7 +37,6 @@
#include <sys/rmlock.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
-#include <sys/sysctl.h>
#include <sys/systm.h>
#include <sys/condvar.h>
#include <sys/lock.h>
@@ -65,11 +64,6 @@ VNET_DEFINE(struct pfilheadhead, pfil_head_list);
VNET_DEFINE(struct rmlock, pfil_lock);
#define V_pfil_lock VNET(pfil_lock)
-VNET_DEFINE(int, pfilforward) = 0;
-SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface");
-SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW,
- &VNET_NAME(pfilforward), 0,
- "Enable forwarding performed by packet filters");
/*
* pfil_run_hooks() runs the specified packet filter hooks.
*/
diff --git a/sys/net/pfil.h b/sys/net/pfil.h
index 9c45f10..fabfe9a 100644
--- a/sys/net/pfil.h
+++ b/sys/net/pfil.h
@@ -38,14 +38,11 @@
#include <sys/_mutex.h>
#include <sys/lock.h>
#include <sys/rmlock.h>
-#include <net/vnet.h>
struct mbuf;
struct ifnet;
struct inpcb;
-VNET_DECLARE(int, pfilforward);
-#define V_pfilforward VNET(pfilforward)
/*
* The packet filter hooks are designed for anything to call them to
* possibly intercept the packet.
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 2ef163b..3a228ca 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -446,7 +446,7 @@ passin:
/*
* Destination address changed?
*/
- if (V_pfilforward != 0)
+ if (m->m_flags & M_IP_NEXTHOP)
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
/*
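Review bot: The lookup on L107-L108 is now skipped whenever M_IP_NEXTHOP is clear, yet `fwd_tag` is still dereferenced via the `fwd_tag != NULL` test on L109, so this hunk is only sound if `fwd_tag` is initialised to NULL before the hunk begins (the declaration is outside the hunk; the same dependency existed under the old `V_pfilforward` test, so this is inherited rather than introduced). Worth stating next to the check, since a stale M_PROTO2 bit set by another consumer would otherwise make this read look load-bearing: `/* fwd_tag must be NULL here; M_IP_NEXTHOP only says a PACKET_TAG_IPFORWARD tag may be attached. */`. Note also that if the flag is set but `m_tag_find` returns NULL the flag is left set on the mbuf; clearing it there, as the second hunk does after `m_tag_delete`, would keep flag and tag in step.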
@@ -469,6 +469,7 @@ forwardlocal:
dest.s_addr = ((struct sockaddr_in *)
(fwd_tag + 1))->sin_addr.s_addr;
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
}
RTFREE(ro.ro_rt);
if ((dst = ip_findroute(&ro, dest, m)) == NULL)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e0e98a2..033c03d 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -509,23 +509,22 @@ tooshort:
dchg = (odst.s_addr != ip->ip_dst.s_addr);
ifp = m->m_pkthdr.rcvif;
- if (V_pfilforward == 0)
- goto passin;
-
if (m->m_flags & M_FASTFWD_OURS) {
m->m_flags &= ~M_FASTFWD_OURS;
goto ours;
}
- if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
- /*
- * Directly ship the packet on. This allows forwarding
- * packets originally destined to us to some other directly
- * connected host.
- */
- ip_forward(m, dchg);
- return;
+ if (m->m_flags & M_IP_NEXTHOP) {
+ dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+ if (dchg != 0) {
+ /*
+ * Directly ship the packet on. This allows
+ * forwarding packets originally destined to us
+ * to some other directly connected host.
+ */
+ ip_forward(m, 1);
+ return;
+ }
}
-
passin:
/*
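Review bot: The assignment on L142 overwrites `dchg`, which was computed on L124 from the firewall-changed destination, with the result of the tag lookup; when M_IP_NEXTHOP is set but no PACKET_TAG_IPFORWARD tag is present, the destination-changed information is replaced by 0 before the code falls through to `passin`, and the flag itself is left set. Since the only consumer of the lookup result inside the hunk is the `if` on L143, the temporary is unnecessary: `if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {` followed by the unchanged `ip_forward(m, 1); return;`, and `m->m_flags &= ~M_IP_NEXTHOP;` after the inner block for the stale-flag case. Whether `dchg` is read again after `passin:` cannot be seen from this hunk, so treat the clobber as inferred; the enclosing function continues outside the hunk on both sides.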
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 96faf47..40785bb 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -537,9 +537,6 @@ sendit:
}
}
- if (V_pfilforward == 0)
- goto passout;
-
/* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
if (m->m_flags & M_FASTFWD_OURS) {
if (m->m_pkthdr.rcvif == NULL)
@@ -560,11 +557,12 @@ sendit:
goto done;
}
/* Or forward to some other address? */
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag) {
+ if ((m->m_flags & M_IP_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
dst = (struct sockaddr_in *)&ro->ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags &= ~M_IP_NEXTHOP;
m_tag_delete(m, fwd_tag);
if (ia != NULL)
ifa_free(&ia->ia_ifa);
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index 6b2f86e..cc3eff8 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -163,6 +163,7 @@ void kmod_ipstat_dec(int statnum);
* mbuf flag used by ip_fastfwd
*/
#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
+#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
#ifdef __NO_STRICT_ALIGNMENT
#define IP_HDR_ALIGNED_P(ip) 1
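Review bot: The new flag on L192 (and M_IP6_NEXTHOP on L337 of ip6_var.h) is documented only as "explicit ip nexthop", but every consumer in this commit relies on an invariant that is nowhere written down: the bit is set exactly when a PACKET_TAG_IPFORWARD tag is attached, must be cleared by whoever deletes the tag, and is only a hint, so readers still call m_tag_find and check for NULL. Suggest replacing the trailing comment with a short block, e.g. `/* M_IP_NEXTHOP: a PACKET_TAG_IPFORWARD tag is (probably) attached; set together with the tag, clear whenever the tag is deleted, and never trust it without m_tag_find(). */`. It would also help to note that both M_IP_NEXTHOP and M_IP6_NEXTHOP alias M_PROTO2, presumably on purpose because the tag type is shared between the two families, so that nobody later "fixes" one of them to a different bit.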
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index ba642a6..a89257e 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -75,7 +75,6 @@ __FBSDID("$FreeBSD$");
#include <vm/uma.h>
#include <net/if.h>
-#include <net/pfil.h>
#include <net/route.h>
#include <net/vnet.h>
@@ -781,7 +780,7 @@ findpcb:
/*
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
*/
- if (V_pfilforward != 0)
+ if (m->m_flags & M_IP_NEXTHOP)
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
#ifdef INET6
@@ -810,6 +809,7 @@ findpcb:
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
} else if (isipv6) {
inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
th->th_sport, &ip6->ip6_dst, th->th_dport,
@@ -846,6 +846,7 @@ findpcb:
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
} else
inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
th->th_sport, ip->ip_dst, th->th_dport,
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index cd08468..45e2693 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$");
#include <vm/uma.h>
#include <net/if.h>
-#include <net/pfil.h>
#include <net/route.h>
#include <netinet/in.h>
@@ -549,7 +548,7 @@ udp_input(struct mbuf *m, int off)
/*
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
*/
- if (V_pfilforward != 0 &&
+ if ((m->m_flags & M_IP_NEXTHOP) &&
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
struct sockaddr_in *next_hop;
@@ -575,6 +574,7 @@ udp_input(struct mbuf *m, int off)
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP_NEXTHOP;
} else
inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport,
ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD |
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index c1ea400..6bdf55a 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -592,8 +592,6 @@ skip_routing:
goto again; /* Redo the routing table lookup. */
}
- if (V_pfilforward == 0)
- goto pass;
/* See if local, if yes, send it to netisr. */
if (m->m_flags & M_FASTFWD_OURS) {
if (m->m_pkthdr.rcvif == NULL)
@@ -611,11 +609,12 @@ skip_routing:
goto out;
}
/* Or forward to some other address? */
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
dst = (struct sockaddr_in6 *)&rin6.ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags &= ~M_IP6_NEXTHOP;
m_tag_delete(m, fwd_tag);
goto again2;
}
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index bbb6fdd..3b50143 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -628,15 +628,14 @@ ip6_input(struct mbuf *m)
ip6 = mtod(m, struct ip6_hdr *);
srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
- if (V_pfilforward == 0)
- goto passin;
if (m->m_flags & M_FASTFWD_OURS) {
m->m_flags &= ~M_FASTFWD_OURS;
ours = 1;
deliverifp = m->m_pkthdr.rcvif;
goto hbhcheck;
}
- if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
/*
* Directly ship the packet on. This allows forwarding
* packets originally destined to us to some other directly
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index e7254a6..0d762e9 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -913,8 +913,6 @@ again:
goto again; /* Redo the routing table lookup. */
}
- if (V_pfilforward == 0)
- goto passout;
/* See if local, if yes, send it to netisr. */
if (m->m_flags & M_FASTFWD_OURS) {
if (m->m_pkthdr.rcvif == NULL)
@@ -932,11 +930,12 @@ again:
goto done;
}
/* Or forward to some other address? */
- fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
- if (fwd_tag) {
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
+ (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
dst = (struct sockaddr_in6 *)&ro->ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags &= ~M_IP6_NEXTHOP;
m_tag_delete(m, fwd_tag);
goto again;
}
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index a725188..e4afc6f 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -285,6 +285,8 @@ struct ip6aux {
#define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
#define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
+#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
+
#ifdef __NO_STRICT_ALIGNMENT
#define IP6_HDR_ALIGNED_P(ip) 1
#else
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index d7040c4..952905a 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -92,7 +92,6 @@ __FBSDID("$FreeBSD$");
#include <net/if.h>
#include <net/if_types.h>
-#include <net/pfil.h>
#include <net/route.h>
#include <netinet/in.h>
@@ -396,7 +395,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
/*
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
*/
- if (V_pfilforward != 0 &&
+ if ((m->m_flags & M_IP6_NEXTHOP) &&
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
struct sockaddr_in6 *next_hop6;
@@ -423,6 +422,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
}
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
+ m->m_flags &= ~M_IP6_NEXTHOP;
} else
inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src,
uh->uh_sport, &ip6->ip6_dst, uh->uh_dport,
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index 69d975b..01ef4e1 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -2535,7 +2535,6 @@ ipfw_init(void)
"(+ipv6) "
#endif
"initialized, divert %s, nat %s, "
- "rule-based forwarding turned %s, "
"default to %s, logging ",
#ifdef IPDIVERT
"enabled",
@@ -2547,7 +2546,6 @@ ipfw_init(void)
#else
"loadable",
#endif
- V_pfilforward ? "on": "off",
default_to_accept ? "accept" : "deny");
/*
diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c
index c34650d..5d6c1bd 100644
--- a/sys/netpfil/ipfw/ip_fw_pfil.c
+++ b/sys/netpfil/ipfw/ip_fw_pfil.c
@@ -159,8 +159,6 @@ again:
/* next_hop may be set by ipfw_chk */
if (args.next_hop == NULL && args.next_hop6 == NULL)
break; /* pass */
- if (V_pfilforward == 0)
- break;
#if (!defined(INET6) && !defined(INET))
ret = EACCES;
#else
@@ -201,6 +199,7 @@ again:
bcopy(args.next_hop6, (fwd_tag+1), len);
if (in6_localip(&args.next_hop6->sin6_addr))
(*m0)->m_flags |= M_FASTFWD_OURS;
+ (*m0)->m_flags |= M_IP6_NEXTHOP;
}
#endif
#ifdef INET
@@ -208,6 +207,7 @@ again:
bcopy(args.next_hop, (fwd_tag+1), len);
if (in_localip(args.next_hop->sin_addr))
(*m0)->m_flags |= M_FASTFWD_OURS;
+ (*m0)->m_flags |= M_IP_NEXTHOP;
}
#endif
m_tag_prepend(*m0, fwd_tag);
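Review bot: The flag is set in two places, L404 inside the INET6 branch and L412 inside the INET branch, while the tag that gives it meaning is attached once at L415; because M_IP_NEXTHOP and M_IP6_NEXTHOP are both M_PROTO2 (ip_var.h L192, ip6_var.h L337), a single `(*m0)->m_flags |= M_IP_NEXTHOP;` placed immediately before `m_tag_prepend(*m0, fwd_tag);` would keep flag and tag attached at one site and remove the chance of one branch being edited without the other. Any path between the `m_tag_alloc` and the prepend that bails out (not visible in this hunk) would need to avoid leaving the flag set without the tag; consumers do re-check with m_tag_find, so a stale flag costs a lookup rather than correctness, but the invariant is easier to audit with one assignment.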