From aab8c844b91a74f9b0e9ccc3b5dbc9be4007e293 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Thu, 5 Jan 2023 14:34:50 -0800
Subject: [PATCH] tcp/ipfw: fix "ipfw fwd localaddr,port"

The ipfw(4) feature of forwarding to local address without modifying
a packet was broken.  The first lookup needs always be a non-wildcard
one, cause its goal is to find an already existing socket.  Otherwise
a local wildcard listener with the same port number may match resulting
in the connection being forwared to wrong port.

Reported by:	Pavel Polyakov <bsd kobyla.org>
Fixes:		d88eb4654f372d0451139a1dbf525a8f2cad1cf8
---
 sys/netinet/tcp_input.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 5141903522bf..606f6649d73d 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -834,7 +834,7 @@ findpcb:
 		 */
 		inp = in6_pcblookup_mbuf(&V_tcbinfo,
 		    &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport,
-		    lookupflag, m->m_pkthdr.rcvif, m);
+		    lookupflag & ~INPLOOKUP_WILDCARD, m->m_pkthdr.rcvif, m);
 		if (!inp) {
 			/*
 			 * It's new.  Try to find the ambushing socket.
@@ -865,7 +865,8 @@ findpcb:
 		 * already got one like this?
 		 */
 		inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport,
-		    ip->ip_dst, th->th_dport, lookupflag, m->m_pkthdr.rcvif, m);
+		    ip->ip_dst, th->th_dport, lookupflag & ~INPLOOKUP_WILDCARD,
+		    m->m_pkthdr.rcvif, m);
 		if (!inp) {
 			/*
 			 * It's new.  Try to find the ambushing socket.