-rw-r--r--sbin/ipfw/ipfw.815
-rw-r--r--sys/conf/NOTES6
-rw-r--r--sys/conf/options1
-rw-r--r--sys/netinet/ip_input.c12
-rw-r--r--sys/netinet/ip_output.c6
5 files changed, 38 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 6c053da..3f4bc9a 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 22, 2004
+.Dd February 22, 2005
.Dt IPFW 8
.Os
.Sh NAME
@@ -672,6 +672,19 @@ This makes the
.Xr netstat 1
entry look rather weird but is intended for
use with transparent proxy servers.
+.Pp
+To enable
+.Cm fwd
+a custom kernel needs to be compiled with the option
+.Cd "options IPFIREWALL_FORWARD" .
+With the additional option
+.Cd "options IPFIREWALL_FORWARD_EXTENDED"
+all safeguards are removed and it also makes it possible to redirect
+packets destined to locally configured IP addresses.
+Please note that such rules apply to locally generated packets as
+well and great care is required to ensure proper behaviour for
+automatically generated packets like ICMP message size exceeded
+and others.
.It Cm pipe Ar pipe_nr
Pass packet to a
.Xr dummynet 4
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index edf03b9..12f0c02 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -661,6 +661,11 @@ device stf #6to4 IPv6 over IPv4 encapsulation
# to do some sort of policy routing or transparent proxying. Used by
# ``ipfw forward''.
#
+# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing
+# including redirecting packets to local IP addresses and ports. All
+# redirections apply to locally generated packets too. Because of this
+# great care is required when crafting the ruleset.
+#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
# from traceroute and similar tools.
@@ -676,6 +681,7 @@ options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
+options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes
options IPV6FIREWALL #firewall for IPv6
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
diff --git a/sys/conf/options b/sys/conf/options
index 008c932..347362d 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -351,6 +351,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_FORWARD opt_ipfw.h
+IPFIREWALL_FORWARD_EXTENDED opt_ifpw.h
IPV6FIREWALL opt_ip6fw.h
IPV6FIREWALL_VERBOSE opt_ip6fw.h
IPV6FIREWALL_VERBOSE_LIMIT opt_ip6fw.h
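Review bot: The added line `IPFIREWALL_FORWARD_EXTENDED opt_ifpw.h` routes the option to a header named `opt_ifpw.h`, while every neighbouring IPFIREWALL_* entry above it emits to `opt_ipfw.h`; this reads as a transposition. Unless ip_input.c and ip_output.c include opt_ifpw.h (not visible here), the `#ifndef IPFIREWALL_FORWARD_EXTENDED` tests added in the ip_input.c and ip_output.c hunks of this commit would never see the option defined, so the extended path compiles out silently even when a kernel config enables it. The line should read `IPFIREWALL_FORWARD_EXTENDED opt_ipfw.h`. A silent no-op is the safer failure mode for an option whose purpose is to drop a safeguard, but as committed the feature cannot actually be exercised.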
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ecf79ae..6eaf3eb 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -468,7 +468,19 @@ tooshort:
m->m_flags &= ~M_FASTFWD_OURS;
goto ours;
}
+#ifndef IPFIREWALL_FORWARD_EXTENDED
dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+#else
+ if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
+ /*
+ * Directly ship on the packet. This allows to forward packets
+ * that were destined for us to some other directly connected
+ * host.
+ */
+ ip_forward(m, dchg);
+ return;
+ }
+#endif /* IPFIREWALL_FORWARD_EXTENDED */
#endif /* IPFIREWALL_FORWARD */
passin:
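Review bot: The new extended branch hands any tagged packet to `ip_forward(m, dchg)` and returns before `passin:`, so everything ip_input does after that label — IP option handling and, presumably, the ipforwarding sysctl gate that guards the ordinary ip_forward() call further down — is skipped for these packets; the rest of ip_input is outside the hunk, so confirm exactly which checks are lost. If forwarding regardless of net.inet.ip.forwarding is intended, the comment should state it, e.g. `/* Forwarded regardless of ipforwarding: the fwd rule is the operator's explicit decision. */`; otherwise the early call should be conditioned on it. The comment could also note that the PACKET_TAG_IPFORWARD tag is deliberately left on the mbuf here for ip_output to consume, since the non-extended branch leaves tag handling to the code below.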
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 59b8aef..056ffb6 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -706,18 +706,22 @@ spd_done:
/* Or forward to some other address? */
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (fwd_tag) {
+#ifndef IPFIREWALL_FORWARD_EXTENDED
if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
+#endif
dst = (struct sockaddr_in *)&ro->ro_dst;
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
m->m_flags |= M_SKIP_FIREWALL;
m_tag_delete(m, fwd_tag);
goto again;
+#ifndef IPFIREWALL_FORWARD_EXTENDED
} else {
m_tag_delete(m, fwd_tag);
/* Continue. */
}
- }
#endif
+ }
+#endif /* IPFIREWALL_FORWARD */
passout:
/* 127/8 must not appear on wire - RFC1122. */
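Review bot: The two `#ifndef IPFIREWALL_FORWARD_EXTENDED` regions split one `if (...) { ... } else { ... }` statement across preprocessor boundaries, so the brace pairing of `if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {` and `} else {` can only be checked by expanding the conditionals mentally, and both inner `#endif`s are unlabelled while the outer one gained `/* IPFIREWALL_FORWARD */`. At minimum label them `#endif /* !IPFIREWALL_FORWARD_EXTENDED */`; a cleaner shape is a single `#ifdef IPFIREWALL_FORWARD_EXTENDED` block containing the unconditional copy-and-`goto again`, with the original guarded form kept unchanged under `#else`. The extended branch should also carry a comment saying it intentionally drops the `in_localip(ip->ip_src)` check, so that redirecting locally generated traffic, including kernel-generated ICMP, is recorded as the expected consequence rather than read later as an oversight.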