summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2018-05-10 08:52:02 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2018-05-10 08:52:02 +0000
commiteb25d27d2515f03a5f6e8104accf4b13b2d6d361 (patch)
tree062ec6489247c54c9ce3bd9fff63057a2eaa9623
parent83edae24ff04f6778408eadbc7b8942414dd6658 (diff)
pf route-to should not send packets from 127.0.0.1 or ::1 address
to the network. This is necessary for locally generated icmp packets that would be dropped otherwise. Refine this check to modify only the source address of packets that go to the external network. This allows route-to tricks on loopback interface. OK sashan@
-rw-r--r--sys/net/pf.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 96f1f9b72be..6f174d89505 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1064 2018/04/06 10:39:15 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1065 2018/05/10 08:52:01 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5984,7 +5984,8 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
goto bad;
}
/* A locally generated packet may have invalid source address. */
- if ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+ if ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET &&
+ (ifp->if_flags & IFF_LOOPBACK) == 0)
ip->ip_src = ifatoia(rt->rt_ifa)->ia_addr.sin_addr;
in_proto_cksum_out(m0, ifp);
@@ -6139,7 +6140,8 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
goto bad;
}
/* A locally generated packet may have invalid source address. */
- if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src))
+ if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
+ (ifp->if_flags & IFF_LOOPBACK) == 0)
ip6->ip6_src = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
in6_proto_cksum_out(m0, ifp);