author | Martin Pieuchot <mpi@cvs.openbsd.org> | 2015-07-17 23:32:19 +0000 |
---|---|---|
committer | Martin Pieuchot <mpi@cvs.openbsd.org> | 2015-07-17 23:32:19 +0000 |
commit | b4c5d5baf2964ac837c95004c8224a4a130cb098 (patch) | |
tree | 7b8a1c92ed2bb412eacb4b8cb26c96beb0a856cf /sys | |
parent | 9169229b986d1a3a3b5fc88c635cbd9e4fd04008 (diff) |
Drop promiscuously received packets if the trunk(4) interface is not
in promiscuous mode.
The long story is that claudio@ had his ssh session reset multiple
times in the hackroom because czarkoff@'s machine was sending reset.
We figured out that the packet was reaching pf because of this missing
check. pf would then not find any state and sent a reset.
Analyzed with and ok phessler@, claudio@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/if_trunk.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/sys/net/if_trunk.c b/sys/net/if_trunk.c index 980c47224fc..f51d2c0d261 100644 --- a/sys/net/if_trunk.c +++ b/sys/net/if_trunk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_trunk.c,v 1.108 2015/07/02 10:02:40 mpi Exp $ */ +/* $OpenBSD: if_trunk.c,v 1.109 2015/07/17 23:32:18 mpi Exp $ */ /* * Copyright (c) 2005, 2006, 2007 Reyk Floeter <reyk@openbsd.org> @@ -1116,6 +1116,21 @@ trunk_input(struct ifnet *ifp, struct mbuf *m) if ((trifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING)) goto bad; + /* + * Drop promiscuously received packets if we are not in + * promiscuous mode. + */ + if (!ETHER_IS_MULTICAST(eh->ether_dhost) && + (ifp->if_flags & IFF_PROMISC) && + (trifp->if_flags & IFF_PROMISC) == 0) { + if (bcmp(&tr->tr_ac.ac_enaddr, eh->ether_dhost, + ETHER_ADDR_LEN)) { + m_freem(m); + return (1); + } + } + + ml_enqueue(&ml, m); if_input(trifp, &ml); return (1); |
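Review bot: In the trunk_input() hunk the new drop path does m_freem(m); return (1); directly, while the check immediately above it leaves through goto bad, so a frame dropped here bypasses whatever the bad label does. If that is intentional (a promiscuously received frame is not an input error), the comment should say so; otherwise use goto bad for consistency. The two nested if statements can be folded into a single condition, since the inner bcmp() test has no else branch. The hunk also adds two consecutive blank lines before ml_enqueue(&ml, m), where one is enough.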