Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c14
-rw-r--r--sys/net/pf_norm.c44
-rw-r--r--sys/net/pfvar.h5
3 files changed, 36 insertions, 27 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index dd409468abd..04cf2a2d2bd 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.744 2011/05/22 13:21:24 claudio Exp $ */
+/* $OpenBSD: pf.c,v 1.745 2011/05/24 14:01:51 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5930,14 +5930,16 @@ done:
"ip options in pf_test()");
}
- pf_scrub_ip(m, s->state_flags, s->min_ttl, s->set_tos);
+ pf_scrub(m, s->state_flags, pd.af, s->min_ttl,
+ s->set_tos);
pf_tag_packet(m, s->tag, s->rtableid[pd.didx]);
if (pqid || (pd.tos & IPTOS_LOWDELAY))
qid = s->pqid;
else
qid = s->qid;
} else {
- pf_scrub_ip(m, r->scrub_flags, r->min_ttl, r->set_tos);
+ pf_scrub(m, a->scrub_flags, pd.af, a->min_ttl,
+ a->set_tos);
if (pqid || (pd.tos & IPTOS_LOWDELAY))
qid = r->pqid;
else
@@ -6214,14 +6216,16 @@ done:
"dangerous v6 headers");
}
- pf_scrub_ip6(m, s->min_ttl);
+ pf_scrub(m, s->state_flags, pd.af, s->min_ttl,
+ s->set_tos);
pf_tag_packet(m, s->tag, s->rtableid[pd.didx]);
if (pqid || (pd.tos & IPTOS_LOWDELAY))
qid = s->pqid;
else
qid = s->qid;
} else {
- pf_scrub_ip6(m, r->min_ttl);
+ pf_scrub(m, a->scrub_flags, pd.af, a->min_ttl,
+ a->set_tos);
if (pqid || (pd.tos & IPTOS_LOWDELAY))
qid = r->pqid;
else
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index fe8bcc732fe..691c40d28da 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.132 2011/04/23 10:00:36 bluhm Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.133 2011/05/24 14:01:52 claudio Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -1548,35 +1548,41 @@ pf_normalize_mss(struct mbuf *m, int off, struct pf_pdesc *pd, u_int16_t maxmss)
}
void
-pf_scrub_ip(struct mbuf *m, u_int16_t flags, u_int8_t min_ttl, u_int8_t tos)
+pf_scrub(struct mbuf *m, u_int16_t flags, sa_family_t af, u_int8_t min_ttl,
+ u_int8_t tos)
{
struct ip *h = mtod(m, struct ip *);
+#ifdef INET6
+ struct ip6_hdr *h6 = mtod(m, struct ip6_hdr *);
+#endif
/* Clear IP_DF if no-df was requested */
- if (flags & PFSTATE_NODF && h->ip_off & htons(IP_DF))
+ if (flags & PFSTATE_NODF && af == AF_INET && h->ip_off & htons(IP_DF))
h->ip_off &= htons(~IP_DF);
/* Enforce a minimum ttl, may cause endless packet loops */
- if (min_ttl && h->ip_ttl < min_ttl)
+ if (min_ttl && af == AF_INET && h->ip_ttl < min_ttl)
h->ip_ttl = min_ttl;
+#ifdef INET6
+ if (min_ttl && af == AF_INET6 && h6->ip6_hlim < min_ttl)
+ h6->ip6_hlim = min_ttl;
+#endif
/* Enforce tos */
- if (flags & PFSTATE_SETTOS)
- h->ip_tos = tos;
+ if (flags & PFSTATE_SETTOS) {
+ if (af == AF_INET)
+ h->ip_tos = tos;
+#ifdef INET6
+ if (af == AF_INET6) {
+ /* drugs are unable to explain such idiocy */
+ h6->ip6_flow &= htonl(0x0ff00000);
+ h6->ip6_flow |= htonl(((u_int32_t)tos) << 20);
+ }
+#endif
+ }
/* random-id, but not for fragments */
- if (flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF)))
+ if (flags & PFSTATE_RANDOMID && af == AF_INET &&
+ !(h->ip_off & ~htons(IP_DF)))
h->ip_id = htons(ip_randomid());
}
-
-#ifdef INET6
-void
-pf_scrub_ip6(struct mbuf *m, u_int8_t min_ttl)
-{
- struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
-
- /* Enforce a minimum ttl, may cause endless packet loops */
- if (min_ttl && h->ip6_hlim < min_ttl)
- h->ip6_hlim = min_ttl;
-}
-#endif
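Review bot: The IPv6 traffic-class update in pf_scrub() is wrong: `h6->ip6_flow &= htonl(0x0ff00000);` keeps only bits 20–27 (the traffic class) and zeroes the version nibble and the 20-bit flow label, then ORs the new tos on top of the old traffic class instead of replacing it, so every set-tos IPv6 packet leaves pf with version 0 and a cleared flow label. The mask must be inverted: `h6->ip6_flow &= ~htonl(0x0ff00000);` (equivalently `htonl(0xf00fffff)`) before `h6->ip6_flow |= htonl(((u_int32_t)tos) << 20);`. The comment `/* drugs are unable to explain such idiocy */` should be replaced by one that states the layout being relied on, e.g. `/* ip6_flow (network order): version[31:28] | traffic class[27:20] | flow label[19:0] */`. The IPv4 branch and the `min_ttl` / random-id paths are unaffected.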
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 6af4d70a69e..e9e44200aaa 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.331 2011/05/22 13:21:24 claudio Exp $ */
+/* $OpenBSD: pfvar.h,v 1.332 2011/05/24 14:01:52 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1790,8 +1790,7 @@ int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
u_short *, struct tcphdr *, struct pf_state *,
struct pf_state_peer *, struct pf_state_peer *, int *);
int pf_normalize_mss(struct mbuf *, int, struct pf_pdesc *, u_int16_t);
-void pf_scrub_ip(struct mbuf *, u_int16_t, u_int8_t, u_int8_t);
-void pf_scrub_ip6(struct mbuf *, u_int8_t);
+void pf_scrub(struct mbuf *, u_int16_t, sa_family_t, u_int8_t, u_int8_t);
u_int32_t
pf_state_expires(const struct pf_state *);
void pf_purge_expired_fragments(void);