-rw-r--r-- | sbin/pfctl/parse.y | 6 | ||||
-rw-r--r-- | sys/net/pf.c | 14 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
3 files changed, 14 insertions, 10 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 146969840e6..6f649cfbdae 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.158 2002/10/07 12:39:29 dhartmei Exp $	*/
+/*	$OpenBSD: parse.y,v 1.159 2002/10/07 12:59:55 henning Exp $	*/
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -458,8 +458,10 @@ pfrule		: action dir logquick interface route af proto fromto
 			if ($1.b2) {
 				r.rule_flag |= PFRULE_RETURNRST;
 				r.return_ttl = $1.w;
-			} else
+			} else {
+				r.rule_flag |= PFRULE_RETURNICMP;
 				r.return_icmp = $1.w;
+			}
 			r.direction = $2;
 			r.log = $3.log;
 			r.quick = $3.quick;
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 783f211b40a..31821e7ffc2 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.248 2002/10/07 12:39:29 dhartmei Exp $	*/
+/*	$OpenBSD: pf.c,v 1.249 2002/10/07 12:59:54 henning Exp $	*/
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1736,7 +1736,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 
 	if (((*rm)->action == PF_DROP) &&
 	    (((*rm)->rule_flag & PFRULE_RETURNRST) ||
-	    (*rm)->return_icmp)) {
+	    ((*rm)->rule_flag & PFRULE_RETURNICMP))) {
 		/* undo NAT/RST changes, if they have taken place */
 		if (nat != NULL ||
 		    (binat != NULL && direction == PF_OUT)) {
@@ -1752,7 +1752,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 
 		if ((*rm)->rule_flag & PFRULE_RETURNRST)
 			pf_send_reset(off, th, pd, af, (*rm)->return_ttl);
-		else
+		else if ((*rm)->return_icmp)
 			pf_send_icmp(m, (*rm)->return_icmp >> 8,
 			    (*rm)->return_icmp & 255, af);
 	}
@@ -1996,7 +1996,8 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 		PFLOG_PACKET(ifp, h, m, af, direction, reason, *rm);
 	}
 
-	if (((*rm)->action == PF_DROP) && (*rm)->return_icmp) {
+	if (((*rm)->action == PF_DROP) &&
+	    ((*rm)->rule_flag & PFRULE_RETURNICMP)) {
 		/* undo NAT/RST changes, if they have taken place */
 		if (nat != NULL ||
 		    (binat != NULL && direction == PF_OUT)) {
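Review bot: The new `else` branch sets PFRULE_RETURNICMP on every rule that is not return-rst without checking that `$1.w` actually carries an ICMP type/code, so a rule whose `action` production leaves `w` at 0 now has the flag set while `return_icmp` is 0. The kernel side compensates by re-testing `(*rm)->return_icmp` in the pf_test_tcp (@@ -1752) and pf_test_udp (@@ -2009) hunks, but the outer conditions in pf_test_tcp (@@ -1736) and pf_test_udp (@@ -1996) now enter the "undo NAT/RST changes" path on the flag alone, so such a rule performs the address rewrite and then sends nothing. If a bare `block` can reach here with `w == 0` (the `action` production is not visible from this hunk), the cleaner invariant is to set the flag only together with a value, `} else if ($1.w) {` in place of `} else {`, so the kernel can trust the flag; otherwise a comment here should state that PFRULE_RETURNICMP does not imply a non-zero return_icmp and that pf.c must keep re-checking the value. The surrounding `pfrule` action body begins and ends outside the hunk.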
@@ -2009,8 +2010,9 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 			    &uh->uh_sum, &baddr, bport, 1, af);
 			rewrite++;
 		}
-		pf_send_icmp(m, (*rm)->return_icmp >> 8,
-		    (*rm)->return_icmp & 255, af);
+		if ((*rm)->return_icmp)
+			pf_send_icmp(m, (*rm)->return_icmp >> 8,
+			    (*rm)->return_icmp & 255, af);
 	}
 
 	if ((*rm)->action == PF_DROP)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 62b5c342f40..35cad1f60fc 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfvar.h,v 1.91 2002/10/07 12:39:29 dhartmei Exp $	*/
+/*	$OpenBSD: pfvar.h,v 1.92 2002/10/07 12:59:54 henning Exp $	*/
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -282,7 +282,7 @@ struct pf_rule {
 #define PFRULE_RETURNRST	0x01
 #define PFRULE_NODF		0x02
 #define PFRULE_FRAGMENT		0x04
-
+#define PFRULE_RETURNICMP	0x08
 #define PFRULE_FRAGCROP		0x10	/* non-buffering frag cache */
 #define PFRULE_FRAGDROP		0x20	/* drop funny fragments */
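Review bot: PFRULE_RETURNICMP is added without the trailing comment its neighbours PFRULE_FRAGCROP and PFRULE_FRAGDROP carry, so nothing in the header says what the bit means. Since pf.c gates pf_send_icmp on it and reads the ICMP type and code from return_icmp (`>> 8` and `& 255`), a one-line comment would do: `#define PFRULE_RETURNICMP	0x08	/* send ICMP on block, type/code in return_icmp */`. It is also worth stating next to it that the flag does not guarantee return_icmp is non-zero, because pf.c re-checks the value before sending and a reader of the header alone would otherwise assume the flag suffices. The rest of `struct pf_rule` lies outside the hunk.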