author | Henning Brauer <henning@cvs.openbsd.org> | 2016-06-23 09:08:57 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2016-06-23 09:08:57 +0000 |
commit | 0d8e7a55bd4f4d0e809c43005a708da4a34b8667 (patch) | |
tree | 75b16b04f1c22c61ec3d3ba871e291d95ce3ffa0 /sys/netinet | |
parent | 98c6565fa59831cf9a80df2caea8e4afd404a3d1 (diff) |
when pf_test returns something other than PF_PASS, set error to EACCES
instead of EHOSTUNREACH. On the latter, ip_forward can generate undesired
icmp errors - either pf generates those itself (block return), or there
shouldn't be any.
Bizarrely enough, ip_forward has EACCES handling with a comment specifically
pointing to packets blocked by pf, but the code in ip_output used EHOSTUNREACH
from day #1 on.
found & analyzed by Kristof Provost <kp at FreeBSD>, discussed at BSDcan
ok mpi millert
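The interaction the commit message describes, written out as an added model (this is not OpenBSD source and not code from this commit): a packet refused by pf takes the ip_output path changed in the diff, and ip_forward decides from the errno it gets back whether to send an ICMP error to the original sender. The names model_pf_test, model_ip_output, model_ip_forward_error, icmp_errors_for_packet and the VERDICT_*/BLOCK_* enums are invented for the model; the real ip_forward's ICMP type/code table is not shown on the page and is reduced here to "emits one ICMP error" versus "emits none".

```c
/*
 * Added model, not OpenBSD source: how the errno ip_output() returns for
 * a packet pf(4) refused decides whether ip_forward() emits an ICMP error
 * toward the original sender. Function and enum names are invented for
 * the model; the errno values and the pf "block" / "block return"
 * behaviour are the ones the commit message talks about.
 */
#include <errno.h>
#include <stdio.h>

enum pf_verdict { VERDICT_PASS, VERDICT_DROP };
enum block_kind { BLOCK_SILENT, BLOCK_RETURN };	/* how the pf rule was written */

struct icmp_log {
	int from_pf;		/* ICMP errors pf generated itself ("block return") */
	int from_forward;	/* ICMP errors ip_forward generated from the errno */
};

/* Model of pf_test() on the PF_OUT hook. A blocked packet gets a verdict
 * other than pass; with "block return" pf also emits its own ICMP error. */
static enum pf_verdict
model_pf_test(int blocked, enum block_kind kind, struct icmp_log *log)
{
	if (!blocked)
		return VERDICT_PASS;
	if (kind == BLOCK_RETURN)
		log->from_pf++;
	return VERDICT_DROP;
}

/* Model of the ip_output() tail changed by the commit: a non-pass verdict
 * becomes an errno. use_eacces = 0 is the old EHOSTUNREACH, 1 the new EACCES. */
static int
model_ip_output(int blocked, enum block_kind kind, int use_eacces,
    struct icmp_log *log)
{
	if (model_pf_test(blocked, kind, log) != VERDICT_PASS)
		return use_eacces ? EACCES : EHOSTUNREACH;
	return 0;
}

/* Model of ip_forward()'s handling of an ip_output() error: reachability
 * and size errors are reported to the sender with an ICMP error, while
 * EACCES means "pf already decided about this packet" and gets none. The
 * commit message says ip_forward has such an EACCES case; its exact ICMP
 * type/code mapping is not shown on the page and is not modelled here. */
static void
model_ip_forward_error(int error, struct icmp_log *log)
{
	switch (error) {
	case 0:		/* delivered, nothing to report */
	case EACCES:	/* blocked by pf: a reply goes out only if pf chose to */
		return;
	case EHOSTUNREACH:
	case ENETUNREACH:
	case EMSGSIZE:
	default:
		log->from_forward++;
		return;
	}
}

/* Forward one packet and return how many ICMP errors leave the box in total. */
int
icmp_errors_for_packet(int blocked, enum block_kind kind, int use_eacces)
{
	struct icmp_log log = { 0, 0 };
	int error = model_ip_output(blocked, kind, use_eacces, &log);

	model_ip_forward_error(error, &log);
	return log.from_pf + log.from_forward;
}

int
main(void)
{
	const char *names[] = { "block (silent)", "block return" };
	enum block_kind kinds[] = { BLOCK_SILENT, BLOCK_RETURN };
	int i;

	for (i = 0; i < 2; i++)
		printf("%-15s  EHOSTUNREACH: %d ICMP error(s)  EACCES: %d ICMP error(s)\n",
		    names[i],
		    icmp_errors_for_packet(1, kinds[i], 0),
		    icmp_errors_for_packet(1, kinds[i], 1));
	return 0;
}
```

Compile with cc and run: with the old EHOSTUNREACH value a silent block still produces one ICMP error from the forwarding path (the leak the commit removes, since it tells the sender a filter is in the way), and a block return produces two (pf's own plus ip_forward's duplicate); with EACCES the counts are zero and one, which is what the commit message asks for.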
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_output.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 6c8b47569f8..36133661083 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.323 2016/05/31 07:33:22 mpi Exp $ */ +/* $OpenBSD: ip_output.c,v 1.324 2016/06/23 09:08:56 henning Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -419,7 +419,7 @@ sendit: */ #if NPF > 0 if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS) { - error = EHOSTUNREACH; + error = EACCES; m_freem(m); goto done; } |
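Review bot: the reason for choosing EACCES lives in ip_forward, not at this call site, so a reader of ip_output.c sees only an unexplained errno swap in the `if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS)` branch; add a one-line comment above `error = EACCES;` noting that ip_forward treats EACCES as "blocked by pf" and suppresses its own ICMP error, so the two files stay in sync if either is touched again. Also worth checking before commit: the diffstat is limited to sys/netinet, so the IPv6 output path's matching pf_test(AF_INET6, PF_OUT, ...) error value is not visible here; if it still hands back EHOSTUNREACH, ip6_forward would keep generating the same undesired ICMP errors for v6. The hunk itself is otherwise safe: `m_freem(m);` and `goto done;` are unchanged, only the errno differs, and the security effect per the commit message is that a silently blocking rule no longer leaks an ICMP unreachable from the forwarding path.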