
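--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -298,6 +298,17 @@
 		return (NULL);	/* icmp unreach already sent */
 
 	/*
+	 * If route points to source network interface let ip_input() handle packet
+	 */
+	if (nh.nh_ifp->if_index == m->m_pkthdr.rcvif->if_index) {
+#ifdef DEBUG_XXX
+		printf("ip_tryforward: received packet on (%d) same interface (%d) as route. dstaddr = %04X srcaddr = %04X\n", m->m_pkthdr.rcvif->if_index, nh.nh_ifp->if_index, dest.s_addr, ip->ip_src.s_addr);
+#endif
+		m->m_flags |= M_SKIP_FIREWALL; /* skip input firewall in ip_input() */
+		return m;
+	}
+
+	/*
 	 * Step 5: outgoing firewall packet processing
 	 */
 	if (!PFIL_HOOKED(&V_inet_pfil_hook))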
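Review bot: The new early return sets `M_SKIP_FIREWALL` on the mbuf and hands it back before Step 5, so from here on the packet is filtered only if ip_input() clears the flag on every path it can take; nothing in this hunk shows that the inbound pfil hooks already ran for this packet, which is what the skip assumes. If that holds (the earlier steps of ip_tryforward() are outside the hunk), state it at the assignment, e.g. `/* inbound pfil hooks already ran above; ip_input() must clear this flag before the packet goes any further */`. Two smaller points: comparing the pointers, `if (nh.nh_ifp == m->m_pkthdr.rcvif)`, avoids dereferencing both interfaces just to compare indexes, and the neighbouring code writes `return (NULL);`, so `return (m);` would match it.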
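--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -571,6 +571,7 @@
 			return;
 		if (m->m_flags & M_FASTFWD_OURS) {
 			m->m_flags &= ~M_FASTFWD_OURS;
+			m->m_flags &= ~M_SKIP_FIREWALL; /* because ip_tryforward() can set this flag */
 			ip = mtod(m, struct ip *);
 			goto ours;
 		}
@@ -581,9 +582,18 @@
 	 * Bypass packet filtering for packets previously handled by IPsec.
 	 */
 	if (IPSEC_ENABLED(ipv4) &&
-	    IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0)
+	    IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0) {
+			m->m_flags &= ~M_SKIP_FIREWALL; /* because ip_tryforward() can set this flag */
 			goto passin;
+	}
 #endif
+	/*
+	 * Bypass input packet filtering, because it was handled in ip_tryforward()
+	 */
+	if (m->m_flags & M_SKIP_FIREWALL) { 
+		m->m_flags &= ~M_SKIP_FIREWALL;
+		goto passin;
+	}
 
 	/*
 	 * Run through list of hooks for input packets.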
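Review bot: `M_SKIP_FIREWALL` is now cleared in three separate places (the `M_FASTFWD_OURS` branch in the first hunk, the IPsec bypass branch, and the new check after `#endif`), so any path through ip_input() that reaches `ours` or `passin` without passing one of them would leave a firewall-bypass flag set on the mbuf. Latching it once is harder to get wrong: `skipfw = (m->m_flags & M_SKIP_FIREWALL) != 0;` followed by `m->m_flags &= ~M_SKIP_FIREWALL;` ahead of the first of these branches, then test `skipfw` at the new check. That check also trusts the flag whoever set it, so its comment should state that ip_tryforward() is the only expected producer on this path; ip_input() starts and ends outside these hunks, so both points need confirming against the full function. The body of the IPsec branch is indented three tabs while its closing brace sits at one.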
