author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-07-28 12:22:08 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-07-28 12:22:08 +0000 |
commit | 2c869411523f439be65befa698dfde3c1f56b552 (patch) | |
tree | c51f9835b1440f8b4e50b84821e96847da585f99 /sys | |
parent | 3beb0ebc0557abe69f04aa0d69f0133517cb5a49 (diff) |
Implement pf divert-reply for raw sockets. Note that an empty
divert->addr means that the rule has a divert-reply option. With
divert-to the divert->addr is always set. The divert-reply rules
should compare the original packet with the socket addresses. So
skip the step that compares the inp->inp_laddr with the empty
divert->addr.
OK mikeb@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/raw_ip.c | 5 | ||||
-rw-r--r-- | sys/netinet6/icmp6.c | 5 | ||||
-rw-r--r-- | sys/netinet6/raw_ip6.c | 5 |
3 files changed, 12 insertions, 3 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 96038f7461f..d15c8c5e0af 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.83 2015/07/15 23:09:59 deraadt Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.84 2015/07/28 12:22:07 bluhm Exp $ */
 /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
 
 /*
@@ -148,9 +148,12 @@ rip_input(struct mbuf *m, ...)
 /* XXX rdomain support */
 if ((divert = pf_find_divert(m)) == NULL)
 continue;
+ if (!divert->addr.v4.s_addr)
+ goto divert_reply;
 if (inp->inp_laddr.s_addr != divert->addr.v4.s_addr)
 continue;
 } else
+ divert_reply:
 #endif
 if (inp->inp_laddr.s_addr &&
 inp->inp_laddr.s_addr != ip->ip_dst.s_addr)
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 796e118206a..80f090cf087 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.162 2015/07/15 22:16:42 deraadt Exp $ */
+/* $OpenBSD: icmp6.c,v 1.163 2015/07/28 12:22:07 bluhm Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -1097,10 +1097,13 @@ icmp6_rip6_input(struct mbuf **mp, int off)
 /* XXX rdomain support */
 if ((divert = pf_find_divert(m)) == NULL)
 continue;
+ if (IN6_IS_ADDR_UNSPECIFIED(&divert->addr.v6))
+ goto divert_reply;
 if (!IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6,
 &divert->addr.v6))
 continue;
 } else
+ divert_reply:
 #endif
 if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->inp_laddr6) &&
 !IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6, &ip6->ip6_dst))
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index d5c7de72c70..c3912e764f9 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip6.c,v 1.78 2015/07/28 11:44:51 bluhm Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.79 2015/07/28 12:22:07 bluhm Exp $ */
 /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
 
 /*
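Review bot: In rip_input the added `if (!divert->addr.v4.s_addr) goto divert_reply;` treats an all-zero address as the only marker for a divert-reply rule, and nothing on these lines records that invariant or explains why the jump lands inside the `else` arm that straddles `#endif`. I would put a comment above the test, `/* empty divert->addr means divert-reply: match the socket against the packet addresses */`, and the same in icmp6_rip6_input and rip6_input, which repeat the pattern with `IN6_IS_ADDR_UNSPECIFIED`. From the label on, a socket whose local address is unset passes the visible `inp_laddr` comparison, so which raw sockets receive a diverted reply presumably depends on the foreign-address checks further down; those are outside the hunk and worth confirming on this path. The guarantee that a divert-to rule always carries a non-empty address is stated only in the commit message and would have to be enforced where the rule is loaded, which this diff does not show. rip_input begins and ends outside the hunk.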
@@ -162,10 +162,13 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
 /* XXX rdomain support */
 if ((divert = pf_find_divert(m)) == NULL)
 continue;
+ if (IN6_IS_ADDR_UNSPECIFIED(&divert->addr.v6))
+ goto divert_reply;
 if (!IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6,
 &divert->addr.v6))
 continue;
 } else
+ divert_reply:
 #endif
 if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->inp_laddr6) &&
 !IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6, &ip6->ip6_dst))
|