On Fri, Jan 15, 2021 at 02:07:56PM +0100, Alexander Bluhm wrote:
> Hi,
>
> As documented in sysctl(2) net.inet.ip.forwarding can be 2.
>
> netinet/ip_output.c:448
>     if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
>
> Current input validation prevents this.
> # sysctl net.inet.ip.forwarding=2
> sysctl: net.inet.ip.forwarding: Invalid argument
>
> Also change bool check to integer comparison consistently.
> ip6_forwarding misses the feature, but that is a different story.
>
> ok?
>
> bluhm
>
ok mvs@ > Index: netinet/ip_input.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v > retrieving revision 1.353 > diff -u -p -r1.353 ip_input.c > --- netinet/ip_input.c 11 Jan 2021 13:28:53 -0000 1.353 > +++ netinet/ip_input.c 15 Jan 2021 12:45:41 -0000 > @@ -115,7 +115,7 @@ const struct sysctl_bounded_args ipctl_v > #ifdef MROUTING > { IPCTL_MRTPROTO, &ip_mrtproto, 1, 0 }, > #endif > - { IPCTL_FORWARDING, &ipforwarding, 0, 1 }, > + { IPCTL_FORWARDING, &ipforwarding, 0, 2 }, > { IPCTL_SENDREDIRECTS, &ipsendredirects, 0, 1 }, > { IPCTL_DEFTTL, &ip_defttl, 0, 255 }, > { IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 }, > @@ -1251,7 +1251,7 @@ ip_dooptions(struct mbuf *m, struct ifne > } > } > KERNEL_UNLOCK(); > - if (forward && ipforwarding) { > + if (forward && ipforwarding > 0) { > ip_forward(m, ifp, NULL, 1); > return (1); > } >
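Review bot: In the ipctl_vars hunk, the IPCTL_FORWARDING upper bound becomes a bare 2, and nothing at the table entry says what the third state means. The only visible hint is the quoted ip_output.c:448 test, which pairs ipforwarding == 2 with ipsec_in_use and IP_FORWARDING. A one-line comment at the entry, or a named constant shared with that test, would keep the accepted range and its consumer in sync. As the message itself notes, ip6_forwarding does not get this mode, so the IPv4 and IPv6 knobs stay asymmetric until that is addressed.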
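Review bot: In the ip_dooptions hunk, ipforwarding > 0 makes the source-route forwarding path treat 1 and 2 identically, so once 2 is settable ip_forward() is also reached here in the mode that ip_output.c:448 special-cases. If the handling for mode 2 is meant to happen only in that later ip_output.c check, a short comment at this condition saying so would help; otherwise the condition needs to distinguish the two values. The message says the bool checks are changed consistently, but this is the only conversion visible in the diff, so any remaining boolean tests of ipforwarding elsewhere should be converted in the same commit or listed as intentionally left alone.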