authorMarkus Friedl <markus@cvs.openbsd.org>2005-01-04 19:42:40 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2005-01-04 19:42:40 +0000
commit0a3089268bf86c6df7169d12474eff34763edbf1 (patch)
tree82b0116383944d1d9d66ea3df9782eeaeb3e1788
parente0f9857632385849b607c258b89fbb5fa612fd8b (diff)
restrict forwarding to IPsec-processed traffic when ip.forwarding==2
ok deraadt, henning, fgsch, mcbride
-rw-r--r--lib/libc/gen/sysctl.310
-rw-r--r--sys/netinet/ip_output.c12
2 files changed, 19 insertions, 3 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3
index e132cb41635..5ed975f65d0 100644
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.3,v 1.140 2004/07/28 17:15:12 tholo Exp $
+.\" $OpenBSD: sysctl.3,v 1.141 2005/01/04 19:42:39 markus Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -1184,10 +1184,16 @@ If the kernel has been compiled with the
option,
then debugging information will also be reported when this variable is set.
.It Li ip.forwarding
-Returns 1 when
+If set to 1, then
.Tn IP
forwarding is enabled for the host,
indicating the host is acting as a router.
+If set to 2, then
+.Tn IP
+forwarding is restricted to traffic that has
+been IPsec encapsulated or decapsulated by
+the host.
+The default value is 0.
.It Li ip.ipsec-allocs
The number of IPsec flows that can use a security association before
it expires.
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index aeb80b98400..d81ff8af4cc 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.168 2004/11/10 03:27:27 mcbride Exp $ */
+/* $OpenBSD: ip_output.c,v 1.169 2005/01/04 19:42:38 markus Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -77,6 +77,7 @@ extern int ipsec_auth_default_level;
extern int ipsec_esp_trans_default_level;
extern int ipsec_esp_network_default_level;
extern int ipsec_ipcomp_default_level;
+extern int ipforwarding;
#endif /* IPSEC */
static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
@@ -683,6 +684,15 @@ sendit:
hlen = ip->ip_hl << 2;
#endif
+#ifdef IPSEC
+ if ((flags & IP_FORWARDING) && (ipforwarding == 2) &&
+ (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+#endif
+
/*
* If small enough for interface, can just send directly.
*/
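Review bot: The new block after `sendit:` admits forwarded packets only when PACKET_TAG_IPSEC_IN_DONE is present, so the "encapsulated" half of the new sysctl.3 wording is not visible in the code; presumably packets matching an outbound IPsec flow are consumed by the IPsec output path before `sendit:` and re-enter ip_output() without IP_FORWARDING, but that path lies outside the hunk and the reason for checking only the inbound tag deserves a comment, e.g. `/* ip.forwarding == 2: forward only what IPsec decapsulated on input; packets being encapsulated on output are handled before sendit and never reach here. */`. Returning EHOSTUNREACH is presumably reported back to the sender by ip_forward() as an ICMP unreachable, which tells any unauthenticated host that this router refuses non-IPsec forwarding; if a silent drop is intended, an error value the forwarding path does not answer with ICMP would be safer — confirm against ip_forward(). The literal `2` would also read better as a named constant shared with the sysctl handler. ip_output() starts and ends outside this hunk.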