authorAlexandr Nedvedicky <sashan@cvs.openbsd.org>2016-03-04 22:38:24 +0000
committerAlexandr Nedvedicky <sashan@cvs.openbsd.org>2016-03-04 22:38:24 +0000
commit8d03c28fd084fcef89aa953a184957b1b7dbf273 (patch)
tree9a409ea53b3a8b1d383055a0865bd8ab176e269b /sys/net
parent70c1a7400abd34503922fdd04a89134bdc391b60 (diff)
- putting back KASSERT(), which I've backed out on Jan 31
We don't expect inbound packets to come to PF with statekey attached.
- I've also found missing calls to pf_pkt_addr_changed() at various places, which need to get fixed to prevent KASSERT() from firing.
OK mpi@, sthen@
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_etherip.c10
-rw-r--r--sys/net/pf.c8
-rw-r--r--sys/net/pipex.c6
3 files changed, 21 insertions, 3 deletions
diff --git a/sys/net/if_etherip.c b/sys/net/if_etherip.c
index 4b030e340ec..4c947dd9bee 100644
--- a/sys/net/if_etherip.c
+++ b/sys/net/if_etherip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_etherip.c,v 1.5 2016/01/25 05:12:34 jsg Exp $ */
+/* $OpenBSD: if_etherip.c,v 1.6 2016/03/04 22:38:23 sashan Exp $ */
/*
* Copyright (c) 2015 Kazuya GODA <goda@openbsd.org>
*
@@ -499,6 +499,10 @@ ip_etherip_input(struct mbuf *m, ...)
}
m->m_flags &= ~(M_BCAST|M_MCAST);
+#if NPF > 0
+ pf_pkt_addr_changed(m);
+#endif
+
ml_enqueue(&ml, m);
if_input(ifp, &ml);
}
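Review bot: The new `#if NPF > 0` guard in ip_etherip_input only takes effect if this file already includes "pf.h" (and the header declaring pf_pkt_addr_changed()); the include block is outside the hunk and the diffstat suggests no include line was added, so this should be confirmed. An undefined NPF evaluates to 0 in `#if`, which would silently compile the call out and leave the KASSERT() added to pf.c in this commit reachable from this path. The same check applies to the identical additions in ip6_etherip_input below and in pipex_ip_input in pipex.c. A one-line comment above each call would also help, for example `/* decapsulated packet: presumably must not carry the outer packet's pf state key */`.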
@@ -642,6 +646,10 @@ ip6_etherip_input(struct mbuf **mp, int *offp, int proto)
m->m_flags &= ~(M_BCAST|M_MCAST);
+#if NPF > 0
+ pf_pkt_addr_changed(m);
+#endif
+
ml_enqueue(&ml, m);
if_input(ifp, &ml);
diff --git a/sys/net/pf.c b/sys/net/pf.c
index bca07ca2c73..3c7e0f4c807 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.965 2016/01/31 00:18:07 sashan Exp $ */
+/* $OpenBSD: pf.c,v 1.966 2016/03/04 22:38:23 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -6534,6 +6534,12 @@ done:
if (action == PF_PASS && qid)
pd.m->m_pkthdr.pf.qid = qid;
if (pd.dir == PF_IN && s && s->key[PF_SK_STACK]) {
+ /*
+ * ASSERT() below fires whenever caller forgets to call
+ * pf_pkt_addr_changed(). This might happen when we deal with
+ * IP tunnels.
+ */
+ KASSERT(pd.m->m_pkthdr.pf.statekey == NULL);
pd.m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
}
if (pd.dir == PF_OUT &&
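Review bot: The added comment says `ASSERT()` while the code uses `KASSERT()`, and it does not state the consequence of a missed call: on kernels built with the assertion enabled, an inbound packet arriving with a state key still attached now panics the system, and that input comes from the network. The commit message says the missing calls were found "at various places", so tunnel input routines not touched by this commit should be checked before relying on the assertion. Suggested wording: `KASSERT() below fires when a caller re-injects a packet without calling pf_pkt_addr_changed(); every tunnel input path must call it first.` The enclosing function starts before and continues after this hunk.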
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index ae36c52394e..c79c41953e4 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.84 2015/11/03 21:33:56 chl Exp $ */
+/* $OpenBSD: pipex.c,v 1.85 2016/03/04 22:38:23 sashan Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -1139,6 +1139,10 @@ pipex_ip_input(struct mbuf *m0, struct pipex_session *session)
goto drop;
}
+#if NPF > 0
+ pf_pkt_addr_changed(m0);
+#endif
+
len = m0->m_pkthdr.len;
#if NBPFILTER > 0