Remove the IPFIREWALL_FORWARD_EXTENDED option and make it on by default as it always was

in older versions of FreeBSD. This option is pointless as it is needed in just
about every interesting usage of forward that I have ever seen. It doesn't make
the system any safer and just wastes huge amounts of develper time
when the system doesn't behave as expected when code is moved from
4.x to 6.x It doesn't make
the system any safer and just wastes huge amounts of develper time
when the system doesn't behave as expected when code is moved from
4.x to 6.x  or 7.x
Reviewed by:	glebius
MFC after:	1 week

sys/conf/NOTES

@@ -720,12 +720,9 @@ device		stf			#6to4 IPv6 over IPv4 encapsulation
 #
 # IPFIREWALL_FORWARD enables changing of the packet destination either
 # to do some sort of policy routing or transparent proxying.  Used by
-# ``ipfw forward''.
-#
-# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing
-# including redirecting packets to local IP addresses and ports.  All
-# redirections apply to locally generated packets too.  Because of this
-# great care is required when crafting the ruleset.
+# ``ipfw forward''. All  redirections apply to locally generated
+# packets too.  Because of this great care is required when
+# crafting the ruleset.
 #
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl).  This can be useful to hide firewalls
@@ -742,7 +739,6 @@ options 	IPFIREWALL_VERBOSE	#enable logging to syslogd(8)
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
 options 	IPFIREWALL_FORWARD	#packet destination changes
-options 	IPFIREWALL_FORWARD_EXTENDED	#all packet dest changes
 options 	IPDIVERT		#divert sockets
 options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging

sys/conf/options

@@ -369,7 +369,6 @@ IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_FORWARD	opt_ipfw.h
-IPFIREWALL_FORWARD_EXTENDED	opt_ipfw.h
 IPSTEALTH
 IPX
 IPXIP			opt_ipx.h

sys/netinet/ip_fastfwd.c

@@ -476,11 +476,7 @@ ip_fastforward(struct mbuf *m)
 		 */
 #ifdef IPFIREWALL_FORWARD
 		if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
-			if (!in_localip(ip->ip_src) &&
-			    !in_localaddr(ip->ip_dst))
-#endif
-				dest.s_addr = ((struct sockaddr_in *)
+			dest.s_addr = ((struct sockaddr_in *)
 				    (fwd_tag + 1))->sin_addr.s_addr;
 			m_tag_delete(m, fwd_tag);
 		}

sys/netinet/ip_input.c

@@ -423,9 +423,6 @@ ip_input(struct mbuf *m)
 		m->m_flags &= ~M_FASTFWD_OURS;
 		goto ours;
 	}
-#ifndef IPFIREWALL_FORWARD_EXTENDED
-	dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
-#else
 	if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
 		/*
 		 * Directly ship on the packet.  This allows to forward packets
@@ -435,7 +432,6 @@ ip_input(struct mbuf *m)
 		ip_forward(m, dchg);
 		return;
 	}
-#endif /* IPFIREWALL_FORWARD_EXTENDED */
 #endif /* IPFIREWALL_FORWARD */
 
 passin:

sys/netinet/ip_output.c

@@ -457,20 +457,11 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	/* Or forward to some other address? */
 	fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 	if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
-		if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
-#endif
-			dst = (struct sockaddr_in *)&ro->ro_dst;
-			bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
-			m->m_flags |= M_SKIP_FIREWALL;
-			m_tag_delete(m, fwd_tag);
-			goto again;
-#ifndef IPFIREWALL_FORWARD_EXTENDED
-		} else {
-			m_tag_delete(m, fwd_tag);
-			/* Continue. */
-		}
-#endif
+		dst = (struct sockaddr_in *)&ro->ro_dst;
+		bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
+		m->m_flags |= M_SKIP_FIREWALL;
+		m_tag_delete(m, fwd_tag);
+		goto again;
 	}
 #endif /* IPFIREWALL_FORWARD */