Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r-- | sys/netinet/ip_fw2.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 19799bc..a532a6d 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -82,12 +82,16 @@
 #include <machine/in_cksum.h> /* XXX for in_cksum */
 /*
- * XXX This one should go in sys/mbuf.h. It is used to avoid that
- * a firewall-generated packet loops forever through the firewall.
+ * This is used to avoid that a firewall-generated packet
+ * loops forever through the firewall. Note that it must
+ * be a flag that is unused by other protocols that might
+ * be called from ip_output (e.g. IPsec) and it must be
+ * listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
+ * is altered on the way through ip_output it is not lost.
+ * It might be better to add an m_tag since the this happens
+ * infrequently.
  */
-#ifndef M_SKIP_FIREWALL
-#define M_SKIP_FIREWALL 0x4000
-#endif
+#define M_SKIP_FIREWALL M_PROTO6
 /*
  * set_disable contains one bit per set value (0..31). |
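Review bot: The new `#define M_SKIP_FIREWALL M_PROTO6` depends on two invariants that only the comment above it states: nothing else reachable from ip_output uses M_PROTO6, and the bit is listed in M_COPYFLAGS. A collision matters in both directions: a lost flag lets a firewall-generated packet re-enter the rules, while a flag set by another layer would presumably make that packet skip the firewall checks. The M_COPYFLAGS half can be enforced at compile time with `CTASSERT((M_COPYFLAGS & M_SKIP_FIREWALL) != 0);` placed next to the define. The exclusivity half needs a reservation note beside the M_PROTO6 definition in mbuf.h, which is outside this hunk. The new comment also carries a typo, "since the this happens".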