Make M_SKIP_FIREWALL a global (and semantic) mbuf flag rather than a private alias of
M_PROTO6, so that no other subsystem can reuse that bit and unknowingly set or clear the
firewall bypass, and so that the firewall can be used in multiple passes, or with a packet
classifier frontend,
that may need to explicitly allow a certain packet.  Presently this is handled
in the ipfw_chk code as before, though I have run with it moved to upper
layers, and possibly it should apply to ipfilter and pf as well, though this
has not been investigated.

Discussed with:	luigi, rwatson
jmallett 2004-07-17 02:40:13 +00:00
parent e2c3152e77
commit 111d2dd115
2 changed files with 2 additions and 14 deletions


@ -85,18 +85,6 @@
#include <machine/in_cksum.h> /* XXX for in_cksum */
/*
* This is used to avoid that a firewall-generated packet
* loops forever through the firewall. Note that it must
* be a flag that is unused by other protocols that might
* be called from ip_output (e.g. IPsec) and it must be
* listed in M_COPYFLAGS in mbuf.h so that if the mbuf chain
* is altered on the way through ip_output it is not lost.
* It might be better to add an m_tag since the this happens
* infrequently.
*/
#define M_SKIP_FIREWALL M_PROTO6
/*
* set_disable contains one bit per set value (0..31).
* If the bit is set, all rules with the corresponding set


@ -165,7 +165,7 @@ struct mbuf {
#define M_PROTO3 0x0040 /* protocol-specific */
#define M_PROTO4 0x0080 /* protocol-specific */
#define M_PROTO5 0x0100 /* protocol-specific */
#define M_PROTO6 0x4000 /* protocol-specific (avoid M_BCAST conflict) */
#define M_SKIP_FIREWALL 0x4000 /* skip firewall processing */
#define M_FREELIST 0x8000 /* mbuf is on the free list */
/*
@ -192,7 +192,7 @@ struct mbuf {
* Flags copied when copying m_pkthdr.
*/
#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_RDONLY|M_PROTO1|M_PROTO1|M_PROTO2|\
M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|\
M_PROTO3|M_PROTO4|M_PROTO5|M_SKIP_FIREWALL|\
M_BCAST|M_MCAST|M_FRAG|M_FIRSTFRAG|M_LASTFRAG)
/*
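Review bot: The new definition on the `M_SKIP_FIREWALL 0x4000` line drops the rationale that the removed ip_fw2.c comment carried — that the bit marks firewall-generated packets so they are not filtered again, that it must not collide with flags used by other ip_output consumers such as IPsec, and that it must stay in M_COPYFLAGS so the mark survives mbuf chain rewrites in ip_output — and once the flag is global that context belongs next to the definition, because it is the only thing telling a future reader that setting this bit on an mbuf bypasses ipfw entirely. I would replace the one-word comment with `/* firewall-generated packet: ipfw must not re-filter it; keep in M_COPYFLAGS so it survives m_copy in ip_output */` and, since the description says ipfilter and pf were not investigated, note that only ipfw honours it. Because M_COPYFLAGS now propagates the bypass (second hunk), any path that copies a packet header and re-injects the mbuf into the input path presumably inherits it, so a sentence warning that code receiving mbufs from a less-trusted source should clear the bit would help; whether such paths exist is not visible here. As a minor aside, the unchanged M_COPYFLAGS line lists `M_PROTO1` twice.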