Hello, I wonder if the config setting IPFIREWALL_FORWARD_EXTENDED was meant to fix kern/71910? It adds #ifdef's around the following code in ip_output.c:
-----------------8<-----------------
/* Or forward to some other address? */ fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (fwd_tag) { #ifndef IPFIREWALL_FORWARD_EXTENDED if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) { #endif dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; m_tag_delete(m, fwd_tag); goto again; #ifndef IPFIREWALL_FORWARD_EXTENDED } else { m_tag_delete(m, fwd_tag); /* Continue. */ } #endif }
-----------------8<-----------------
Where the workaround for kern/71910 (at least it works for me) was:
-----------------8<-----------------
Index: ip_output.c
==================================================================
RCS file: /FreeBSD-CVS/src/sys/netinet/ip_output.c,v
retrieving revision 1.225.2.3
diff -u -b -r1.225.2.3 ip_output.c
--- ip_output.c 15 Sep 2004 15:07:09 -0000 1.225.2.3
+++ ip_output.c 19 Sep 2004 15:51:42 -0000
@@ -713,7 +713,7 @@
 /* Or forward to some other address? */
 fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 if (fwd_tag) {
- if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
+ if (!in_localaddr(ip->ip_dst)) {
 dst = (struct sockaddr_in *)&ro->ro_dst;
 bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
 m->m_flags |= M_SKIP_FIREWALL;
-----------------8<-----------------
Thanks, Respectfully, Saulius Menkevicius
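Review bot: The relaxed test `if (!in_localaddr(ip->ip_dst)) {` still guards both the next-hop rewrite and `m->m_flags |= M_SKIP_FIREWALL`, so with `!in_localip(ip->ip_src)` dropped, packets sent from one of this host's own addresses that carry a PACKET_TAG_IPFORWARD tag are now redirected and re-enter the output path with the firewall skipped. If that is the intended effect of the workaround, the new line should say so, e.g. `/* Source may be a local address: host-originated packets honour the forward tag too (kern/71910). */`. Existing rule sets may contain forward rules that until now never took effect for host-originated traffic, which is worth noting wherever the change is documented. The `goto again` and the `else` branch that deletes the tag lie outside this hunk and are visible only in the excerpt quoted earlier in the message, so the rest of the block could not be checked against the patched revision.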