author | Markus Friedl <markus@cvs.openbsd.org> | 2005-01-04 19:42:40 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2005-01-04 19:42:40 +0000 |
commit | 0a3089268bf86c6df7169d12474eff34763edbf1 (patch) | |
tree | 82b0116383944d1d9d66ea3df9782eeaeb3e1788 | |
parent | e0f9857632385849b607c258b89fbb5fa612fd8b (diff) |
restrict forwarding to IPsec-processed traffic when ip.forwarding == 2
ok deraadt, henning, fgsch, mcbride
-rw-r--r-- | lib/libc/gen/sysctl.3 | 10 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 12 |
2 files changed, 19 insertions, 3 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3
index e132cb41635..5ed975f65d0 100644
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.3,v 1.140 2004/07/28 17:15:12 tholo Exp $
+.\" $OpenBSD: sysctl.3,v 1.141 2005/01/04 19:42:39 markus Exp $
 .\"
 .\" Copyright (c) 1993
 .\" The Regents of the University of California. All rights reserved.
@@ -1184,10 +1184,16 @@ If the kernel has been compiled with the
 option, then debugging information will also be reported when this variable is set.
 .It Li ip.forwarding
-Returns 1 when
+If set to 1, then
 .Tn IP
 forwarding is enabled for the host, indicating the host is acting as a router.
+If set to 2, then
+.Tn IP
+forwarding is restricted to traffic that has
+been IPsec encapsulated or decapsulated by
+the host.
+The default value is 0.
 .It Li ip.ipsec-allocs
 The number of IPsec flows that can use a security association before it expires.
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index aeb80b98400..d81ff8af4cc 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.168 2004/11/10 03:27:27 mcbride Exp $ */
+/* $OpenBSD: ip_output.c,v 1.169 2005/01/04 19:42:38 markus Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -77,6 +77,7 @@ extern int ipsec_auth_default_level;
 extern int ipsec_esp_trans_default_level;
 extern int ipsec_esp_network_default_level;
 extern int ipsec_ipcomp_default_level;
+extern int ipforwarding;
 #endif /* IPSEC */
 static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
@@ -683,6 +684,15 @@ sendit:
 hlen = ip->ip_hl << 2;
 #endif
+#ifdef IPSEC
+ if ((flags & IP_FORWARDING) && (ipforwarding == 2) &&
+ (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+#endif
+
 /*
 * If small enough for interface, can just send directly.
 */ |
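Review bot: The new guard after `sendit:` is compiled only under `#ifdef IPSEC`, so on a kernel built without IPsec ip.forwarding=2 presumably behaves like 1 and forwards everything — the restrictive mode fails open rather than closed (the forwarding decision in ip_input is outside this hunk, so this assumes it only tests the value for non-zero). Either reject the value 2 in the sysctl handler on non-IPSEC kernels, or hoist the check and the `extern int ipforwarding;` added inside the IPSEC block in the earlier hunk out of the `#ifdef`, so that with no PACKET_TAG_IPSEC_IN_DONE ever attached mode 2 drops all forwarded traffic. Returning EHOSTUNREACH presumably makes ip_forward answer the cleartext sender with an ICMP host-unreachable, which reveals the host and its policy to unauthenticated peers; if a silent drop is intended, the error value and the ipstat accounting in the caller need a look. The block also carries no comment on why the tag decides the outcome; suggest `/* ip.forwarding == 2: forward only traffic that IPsec input processing already authenticated */` above the `if`. ip_output begins and ends outside this hunk.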