From 15f18a5ce3e8c7bc5a9604d5378609441f680b10 Mon Sep 17 00:00:00 2001
From: Luiz Otavio O Souza <luiz@netgate.com>
Date: Tue, 3 May 2016 10:05:29 -0500
Subject: Revive the sysctl net.inet.ip.fastforward to control the tryforward
 use.

This is mainly provided for debug aid and should not be used in common cases.

The fastforward sysctl is enabled by default.
---
 sys/netinet/ip_input.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'sys/netinet/ip_input.c')

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 1eefadc..5adc173 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -99,6 +99,11 @@ SYSCTL_VNET_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
     &VNET_NAME(ipforwarding), 0,
     "Enable IP forwarding between interfaces");
 
+static VNET_DEFINE(int, ipfastforward) = 1;
+#define	V_ipfastforward		VNET(ipfastforward)
+SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, fastforwarding, CTLFLAG_RW,
+    &VNET_NAME(ipfastforward), 0, "Enable fast IP forwarding");
+
 static VNET_DEFINE(int, ipsendredirects) = 1;	/* XXX */
 #define	V_ipsendredirects	VNET(ipsendredirects)
 SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
@@ -473,7 +478,7 @@ tooshort:
 #ifdef IPSEC
 	/* For now we do not handle IPSEC in tryforward. */
 	if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) &&
-	    (V_ipforwarding == 1))
+	    (V_ipforwarding == 1 && V_ipfastforward == 1))
 		if (ip_tryforward(m) == NULL)
 			return;
 	/*
@@ -482,7 +487,7 @@ tooshort:
 	if (ip_ipsec_filtertunnel(m))
 		goto passin;
 #else
-	if (V_ipforwarding == 1)
+	if (V_ipforwarding == 1 && V_ipfastforward == 1)
 		if (ip_tryforward(m) == NULL)
 			return;
 #endif /* IPSEC */
-- 
cgit v1.1