From bda337d05e62fa4d849011086cf7a637b5e96b68 Mon Sep 17 00:00:00 2001
From: Andre Oppermann
Date: Mon, 13 Sep 2004 19:27:23 +0000
Subject: [PATCH] Do not allow 'ipfw fwd' command when IPFIREWALL_FORWARD is not compiled into the kernel. Return EINVAL instead.
---
 sys/netinet/ip_fw2.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 9a46ce752659..a33b361649bb 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -2955,9 +2955,13 @@ check_ipfw_struct(struct ip_fw *rule, int size)
 goto check_action;
 case O_FORWARD_IP:
+#ifdef IPFIREWALL_FORWARD
 if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
 goto bad_size;
 goto check_action;
+#else
+ return EINVAL;
+#endif
 case O_DIVERT:
 case O_TEE:
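Review bot: The `#else` branch under `case O_FORWARD_IP:` returns EINVAL with no diagnostic, so the caller gets only a generic invalid-argument error and nothing records that the rule was refused because IPFIREWALL_FORWARD is not compiled in. The size check in the same case jumps to `bad_size`, which presumably reports before failing (the label is outside the hunk), so a one-line message before `return EINVAL;` would keep rejections consistent, e.g. `printf("ipfw: fwd rejected, kernel built without IPFIREWALL_FORWARD\n");`. This matters operationally: a ruleset script that carries on after the failed add leaves the firewall running without that rule, and the operator has no hint why. check_ipfw_struct starts and ends outside the hunk.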