authorAndre Oppermann <andre@FreeBSD.org>2005-02-22 17:40:40 +0000
committerAndre Oppermann <andre@FreeBSD.org>2005-02-22 17:40:40 +0000
commit099dd0430b6d2f75cad64e00b7283f4e7ab9602c (patch)
tree27e1404f31af0c65be78d4fe952e2b86a85ad18d /sys/netinet/ip_input.c
parent6035a641e28a78c435267c0ad64a7aa5139409cd (diff)
Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:

 options IPFIREWALL_FORWARD_EXTENDED

This option has to be specified in addition to IPFIREWALL_FORWARD.

With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break.

Document the two kernel options.

PR: kern/71910
PR: kern/73129
MFC after: 1 week
Notes
Notes: svn path=/head/; revision=142248
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ecf79aef7041..6eaf3ebf378c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -468,7 +468,19 @@ tooshort:
m->m_flags &= ~M_FASTFWD_OURS;
goto ours;
}
+#ifndef IPFIREWALL_FORWARD_EXTENDED
dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+#else
+ if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
+ /*
+ * Directly ship on the packet. This allows to forward packets
+ * that were destined for us to some other directly connected
+ * host.
+ */
+ ip_forward(m, dchg);
+ return;
+ }
+#endif /* IPFIREWALL_FORWARD_EXTENDED */
#endif /* IPFIREWALL_FORWARD */
passin:
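Review bot: The early `return;` after `ip_forward(m, dchg);` in the `#else` branch leaves the function before the `passin:` label, so whatever follows that label never runs for a tagged packet. That code is outside this hunk, but it presumably includes option processing and the forwarding-enabled test, which would make the ipfw rule the only gate on what gets forwarded. The block comment should say so, for example `/* Skips every check after passin:; the ipfw fwd rule alone decides whether this packet is forwarded. */`. The `m_tag_find()` expression is also duplicated across both preprocessor branches and assigned inside the `if` condition. Keeping the single `dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);` unconditional and guarding only `if (dchg) { ip_forward(m, dchg); return; }` with `#ifdef IPFIREWALL_FORWARD_EXTENDED` would be easier to audit. The enclosing function starts and ends outside the hunk.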