authorClaudio Jeker <claudio@cvs.openbsd.org>2010-09-08 08:34:43 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2010-09-08 08:34:43 +0000
commit276c0f482291e1afa9f8f322e04c20fe05a1a40e (patch)
treeb9322561495b26b42a75281bccaafae22b3ee97a
parent4c55da9abcff6f1fb774f6cafd4fd75e6eba73f0 (diff)
Return EACCES when pf_test() blocks a packet in ip_output(). This allows
ip_forward() to know the difference between blocked packets and those that can't be forwarded (EHOSTUNREACH). Only in the latter case should an ICMP be sent. In the other callers of ip_output(), change the error back to EHOSTUNREACH since userland may not expect EACCES on a sendto(). OK henning@, markus@
-rw-r--r--sys/netinet/ip_divert.c4
-rw-r--r--sys/netinet/ip_input.c8
-rw-r--r--sys/netinet/ip_output.c4
-rw-r--r--sys/netinet/raw_ip.c11
-rw-r--r--sys/netinet/tcp_output.c4
-rw-r--r--sys/netinet/udp_usrreq.c4
6 files changed, 25 insertions, 10 deletions
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 44de7acc5ff..1d1e59cfaaf 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_divert.c,v 1.7 2010/07/03 04:44:51 guenther Exp $ */
+/* $OpenBSD: ip_divert.c,v 1.8 2010/09/08 08:34:42 claudio Exp $ */
/*
* Copyright (c) 2009 Michele Marchetto <michele@openbsd.org>
@@ -125,6 +125,8 @@ divert_output(struct mbuf *m, ...)
((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0)
| IP_ALLOWBROADCAST | IP_RAWOUTPUT, (void *)NULL,
(void *)NULL);
+ if (error == EACCES) /* translate pf(4) error for userland */
+ error = EHOSTUNREACH;
}
divstat.divs_opackets++;
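Review bot: The EACCES-to-EHOSTUNREACH translation added after the ip_output() call here is repeated verbatim in rip_output() (raw_ip.c), tcp_output() (tcp_output.c) and udp_output() (udp_usrreq.c); four copies of the same two lines and comment will drift the next time ip_output() gains an error value that userland is not meant to see. A single helper next to ip_output(), for example `static inline int ip_output_uerror(int error) { return (error == EACCES) ? EHOSTUNREACH : error; }` (name constructed) called as `error = ip_output_uerror(error);`, keeps the mapping in one place and makes it explicit that ip_forward() is the only caller intended to observe EACCES. divert_output() starts and ends outside this hunk.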
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index c4461163b21..7579001ef08 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.183 2010/08/20 02:48:31 dlg Exp $ */
+/* $OpenBSD: ip_input.c,v 1.184 2010/09/08 08:34:42 claudio Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -1557,6 +1557,12 @@ ip_forward(m, srcrt)
ipstat.ips_cantfrag++;
break;
+ case EACCES:
+ /*
+ * pf(4) blocked the packet. There is no need to send an ICMP
+ * packet back since pf(4) takes care of it.
+ */
+ goto freecopy;
case ENOBUFS:
/*
* a router should not generate ICMP_SOURCEQUENCH as
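Review bot: The comment on the new `case EACCES:` says pf(4) takes care of the ICMP, but whether pf answers at all depends on the matching rule (a plain block drops silently, only a block-with-return variant replies), so the reason for skipping the ICMP here is that any reply is pf's policy, not that one is guaranteed. I would reword it as `/* pf(4) blocked the packet; whether anything is sent back is pf's policy, so do not generate an ICMP here. */`. The new case also jumps to freecopy without touching an ipstat counter, unlike the preceding case which bumps ips_cantfrag; if filter-blocked forwards should be visible in ip(4) statistics a counter would be needed here, although pf's own counters may be considered sufficient. The switch and ip_forward() itself continue outside the hunk, and the freecopy label is not visible.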
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index c62426681c9..7efb8311030 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.211 2010/08/13 06:46:08 dlg Exp $ */
+/* $OpenBSD: ip_output.c,v 1.212 2010/09/08 08:34:42 claudio Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -605,7 +605,7 @@ sendit:
if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
pf_test(PF_OUT, encif, &m, NULL) != PF_PASS) {
- error = EHOSTUNREACH;
+ error = EACCES;
splx(s);
m_freem(m);
goto done;
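Review bot: Only the enc(4)/IPsec pf_test() site in this hunk now returns EACCES, and the diffstat (4 changed lines in ip_output.c, two of them the RCS id) shows no other change in this file. If ip_output() has a second pf_test() call on the non-IPsec path that still sets EHOSTUNREACH (not visible here), ip_forward() will keep sending ICMP unreachables for packets pf blocks there, which defeats the commit's goal for the common case; it is worth confirming that site already returns EACCES or changing it to `error = EACCES;` as well. The enclosing ip_output() body starts and ends outside the hunk.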
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index f9f78226aba..ee21b1da104 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.49 2010/07/03 04:44:51 guenther Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.50 2010/09/08 08:34:42 claudio Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
@@ -207,7 +207,7 @@ rip_output(struct mbuf *m, ...)
u_long dst;
struct ip *ip;
struct inpcb *inp;
- int flags;
+ int flags, error;
va_list ap;
va_start(ap, m);
@@ -275,8 +275,11 @@ rip_output(struct mbuf *m, ...)
/* force routing domain */
m->m_pkthdr.rdomain = inp->inp_rtableid;
- return (ip_output(m, inp->inp_options, &inp->inp_route, flags,
- inp->inp_moptions, inp));
+ error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
+ inp->inp_moptions, inp);
+ if (error == EACCES) /* translate pf(4) error for userland */
+ error = EHOSTUNREACH;
+ return (error);
}
/*
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 58de7ef9557..d58421cf3a5 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_output.c,v 1.90 2010/07/09 16:58:06 reyk Exp $ */
+/* $OpenBSD: tcp_output.c,v 1.91 2010/09/08 08:34:42 claudio Exp $ */
/* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */
/*
@@ -1138,6 +1138,8 @@ out:
tcp_mtudisc(tp->t_inpcb, -1);
return (0);
}
+ if (error == EACCES) /* translate pf(4) error for userland */
+ error = EHOSTUNREACH;
if ((error == EHOSTUNREACH || error == ENETDOWN) &&
TCPS_HAVERCVDSYN(tp->t_state)) {
tp->t_softerror = error;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 707ec2d32b0..978a6122013 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.136 2010/07/09 16:58:06 reyk Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.137 2010/09/08 08:34:42 claudio Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -1019,6 +1019,8 @@ udp_output(struct mbuf *m, ...)
inp->inp_socket->so_options &
(SO_DONTROUTE | SO_BROADCAST | SO_JUMBO),
inp->inp_moptions, inp);
+ if (error == EACCES) /* translate pf(4) error for userland */
+ error = EHOSTUNREACH;
bail:
if (addr) {