Bring back the full packet destination manipulation for 'ipfw fwd'

with the kernel compile time option:

 options IPFIREWALL_FORWARD_EXTENDED

This option has to be specified in addition to IPFIRWALL_FORWARD.

With this option even packets targeted for an IP address local
to the host can be redirected.  All restrictions to ensure proper
behaviour for locally generated packets are turned off.  Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.

Document the two kernel options.

PR:		kern/71910
PR:		kern/73129
MFC after:	1 week

sbin/ipfw/ipfw.8

@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 22, 2004
+.Dd February 22, 2005
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -672,6 +672,19 @@ This makes the
 .Xr netstat 1
 entry look rather weird but is intended for
 use with transparent proxy servers.
+.Pp
+To enable
+.Cm fwd
+a custom kernel needs to be compiled with the option
+.Cd "options IPFIREWALL_FORWARD" .
+With the additional option
+.Cd "options IPFIREWALL_FORWARD_EXTENDED"
+all safeguards are removed and it also makes it possible to redirect
+packets destined to locally configured IP addresses.
+Please note that such rules apply to locally generated packets as
+well and great care is required to ensure proper behaviour for
+automatically generated packets like ICMP message size exceeded
+and others.
 .It Cm pipe Ar pipe_nr
 Pass packet to a
 .Xr dummynet 4

sys/conf/NOTES

@@ -661,6 +661,11 @@ device		stf			#6to4 IPv6 over IPv4 encapsulation
 # to do some sort of policy routing or transparent proxying.  Used by
 # ``ipfw forward''.
 #
+# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing
+# including redirecting packets to local IP addresses and ports.  All
+# redirections apply to locally generated packets too.  Because of this
+# great care is required when crafting the ruleset.
+#
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl).  This can be useful to hide firewalls
 # from traceroute and similar tools.
@@ -676,6 +681,7 @@ options 	IPFIREWALL_VERBOSE	#enable logging to syslogd(8)
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
 options 	IPFIREWALL_FORWARD	#packet destination changes
+options		IPFIREWALL_FORWARD_EXTENDED	#all packet dest changes
 options 	IPV6FIREWALL		#firewall for IPv6
 options 	IPV6FIREWALL_VERBOSE
 options 	IPV6FIREWALL_VERBOSE_LIMIT=100

sys/conf/options

@@ -351,6 +351,7 @@ IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_FORWARD	opt_ipfw.h
+IPFIREWALL_FORWARD_EXTENDED	opt_ifpw.h
 IPV6FIREWALL		opt_ip6fw.h
 IPV6FIREWALL_VERBOSE	opt_ip6fw.h
 IPV6FIREWALL_VERBOSE_LIMIT	opt_ip6fw.h

sys/netinet/ip_input.c

@@ -468,7 +468,19 @@ ip_input(struct mbuf *m)
 		m->m_flags &= ~M_FASTFWD_OURS;
 		goto ours;
 	}
+#ifndef IPFIREWALL_FORWARD_EXTENDED
 	dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+#else
+	if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
+		/*
+		 * Directly ship on the packet.  This allows to forward packets
+		 * that were destined for us to some other directly connected
+		 * host.
+		 */
+		ip_forward(m, dchg);
+		return;
+	}
+#endif /* IPFIREWALL_FORWARD_EXTENDED */
 #endif /* IPFIREWALL_FORWARD */
 
 passin:

sys/netinet/ip_output.c

@@ -706,18 +706,22 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	/* Or forward to some other address? */
 	fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 	if (fwd_tag) {
+#ifndef IPFIREWALL_FORWARD_EXTENDED
 		if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
+#endif
 			dst = (struct sockaddr_in *)&ro->ro_dst;
 			bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
 			m->m_flags |= M_SKIP_FIREWALL;
 			m_tag_delete(m, fwd_tag);
 			goto again;
+#ifndef IPFIREWALL_FORWARD_EXTENDED
 		} else {
 			m_tag_delete(m, fwd_tag);
 			/* Continue. */
 		}
-	}
 #endif
+	}
+#endif /* IPFIREWALL_FORWARD */
 
 passout:
 	/* 127/8 must not appear on wire - RFC1122. */