From b7522c27d2b359e295a45f34bb176b59491768c7 Mon Sep 17 00:00:00 2001
From: Julian Elischer
Date: Thu, 17 Aug 2006 00:37:03 +0000
Subject: [PATCH] Remove the IPFIREWALL_FORWARD_EXTENDED option and make it on by default as it always was in older versions of FreeBSD.

This option is pointless as it is needed in just about every interesting usage of forward that I have ever seen.

It doesn't make the system any safer and just wastes huge amounts of develper time when the system doesn't behave as expected when code is moved from 4.x to 6.x

It doesn't make the system any safer and just wastes huge amounts of develper time when the system doesn't behave as expected when code is moved from 4.x to 6.x or 7.x

Reviewed by: glebius
MFC after: 1 week
---
 sys/conf/NOTES | 10 +++-------
 sys/conf/options | 1 -
 sys/netinet/ip_fastfwd.c | 6 +-----
 sys/netinet/ip_input.c | 4 ----
 sys/netinet/ip_output.c | 19 +++++-------------
 5 files changed, 9 insertions(+), 31 deletions(-)

diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 203eeb92abc0..5cab4b0009e2 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -720,12 +720,9 @@ device stf #6to4 IPv6 over IPv4 encapsulation
 #
 # IPFIREWALL_FORWARD enables changing of the packet destination either
 # to do some sort of policy routing or transparent proxying. Used by
-# ``ipfw forward''.
-#
-# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing
-# including redirecting packets to local IP addresses and ports. All
-# redirections apply to locally generated packets too. Because of this
-# great care is required when crafting the ruleset.
+# ``ipfw forward''. All redirections apply to locally generated
+# packets too. Because of this great care is required when
+# crafting the ruleset.
 #
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl). This can be useful to hide firewalls
@@ -742,7 +739,6 @@ options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
 options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
 options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
 options IPFIREWALL_FORWARD #packet destination changes
-options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes
 options IPDIVERT #divert sockets
 options IPFILTER #ipfilter support
 options IPFILTER_LOG #ipfilter logging
diff --git a/sys/conf/options b/sys/conf/options
index 50d7f45d4ff1..ff7f23327354 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -369,7 +369,6 @@ IPFIREWALL_VERBOSE opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
 IPFIREWALL_FORWARD opt_ipfw.h
-IPFIREWALL_FORWARD_EXTENDED opt_ipfw.h
 IPSTEALTH
 IPX
 IPXIP opt_ipx.h
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 3b0496bd909a..ce017d92f384 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -476,11 +476,7 @@ ip_fastforward(struct mbuf *m)
 */
 #ifdef IPFIREWALL_FORWARD
 if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- if (!in_localip(ip->ip_src) &&
- !in_localaddr(ip->ip_dst))
-#endif
- dest.s_addr = ((struct sockaddr_in *)
+ dest.s_addr = ((struct sockaddr_in *)
 (fwd_tag + 1))->sin_addr.s_addr;
 m_tag_delete(m, fwd_tag);
 }
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index a8600745d366..84768a7f2d58 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -423,9 +423,6 @@ ip_input(struct mbuf *m)
 m->m_flags &= ~M_FASTFWD_OURS;
 goto ours;
 }
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
-#else
 if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
 /*
 * Directly ship on the packet. This allows to forward packets
@@ -435,7 +432,6 @@ ip_input(struct mbuf *m)
 ip_forward(m, dchg);
 return;
 }
-#endif /* IPFIREWALL_FORWARD_EXTENDED */
 #endif /* IPFIREWALL_FORWARD */
 
 passin:
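Review bot: In the ip_fastfwd.c hunk, the new `dest.s_addr = ((struct sockaddr_in *)(fwd_tag + 1))->sin_addr.s_addr;` line now honours the forward target unconditionally, and the removed `in_localip(ip->ip_src)` / `in_localaddr(ip->ip_dst)` test was the only in-kernel guard that kept locally sourced or locally destined traffic from being redirected; nothing in the new code documents that this responsibility has moved entirely to the ruleset. A short comment on that line would save the next reader from looking for a guard that no longer exists: `/* No locality check on src/dst here: the ipfw ruleset alone decides what gets redirected. */`. What ip_fastforward() does afterwards when `dest` names a local address is outside this hunk, so I cannot tell from here whether the tagged packet is handed back for local delivery; the body of ip_fastforward() starts and ends outside the hunk.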
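Review bot: In the first ip_input.c hunk, the line `if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {` survives from the former `#else` arm and, now that it is the only arm, the assignment-inside-condition with a redundant `!= 0` reads as leftover structure; `dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);` followed by `if (dchg) {` says the same thing plainly. The comment block that opens with "Directly ship on the packet" should also state that, with the locality guard gone, a tagged packet is passed to ip_forward() and ip_input() returns without the source/destination check the non-EXTENDED build used to apply, so the ruleset is what prevents unintended redirection of local traffic (the NOTES text in this commit says as much, the code does not). `dchg` is also reused as ip_forward()'s second argument on the `ip_forward(m, dchg);` line in the second hunk; if that parameter means something other than "destination changed" a one-line comment there would help. The enclosing ip_input() body continues outside both hunks, and the comment block is cut at the hunk boundary.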
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index dcdc6350dac4..8efc28863858 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -457,20 +457,11 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 /* Or forward to some other address? */
 fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 if (fwd_tag) {
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
-#endif
- dst = (struct sockaddr_in *)&ro->ro_dst;
- bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
- m->m_flags |= M_SKIP_FIREWALL;
- m_tag_delete(m, fwd_tag);
- goto again;
-#ifndef IPFIREWALL_FORWARD_EXTENDED
- } else {
- m_tag_delete(m, fwd_tag);
- /* Continue. */
- }
-#endif
+ dst = (struct sockaddr_in *)&ro->ro_dst;
+ bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
+ m->m_flags |= M_SKIP_FIREWALL;
+ m_tag_delete(m, fwd_tag);
+ goto again;
 }
 #endif /* IPFIREWALL_FORWARD */