From d06dba9ad473b167b4612045b483d44682afd80d Mon Sep 17 00:00:00 2001 From: Henning Brauer Date: Mon, 7 Oct 2002 12:59:56 +0000 Subject: use a new rule_flag PFRULE_RETURNICMP to decide wether to return-icmp or not instead of just testing return_icmp > 0 ok dhartmei@ --- sys/net/pf.c | 14 ++++++++------ sys/net/pfvar.h | 4 ++-- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'sys') diff --git a/sys/net/pf.c b/sys/net/pf.c index 783f211b40a..31821e7ffc2 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.248 2002/10/07 12:39:29 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.249 2002/10/07 12:59:54 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1736,7 +1736,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, if (((*rm)->action == PF_DROP) && (((*rm)->rule_flag & PFRULE_RETURNRST) || - (*rm)->return_icmp)) { + ((*rm)->rule_flag & PFRULE_RETURNICMP))) { /* undo NAT/RST changes, if they have taken place */ if (nat != NULL || (binat != NULL && direction == PF_OUT)) { @@ -1752,7 +1752,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, if ((*rm)->rule_flag & PFRULE_RETURNRST) pf_send_reset(off, th, pd, af, (*rm)->return_ttl); - else + else if ((*rm)->return_icmp) pf_send_icmp(m, (*rm)->return_icmp >> 8, (*rm)->return_icmp & 255, af); } @@ -1996,7 +1996,8 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, PFLOG_PACKET(ifp, h, m, af, direction, reason, *rm); } - if (((*rm)->action == PF_DROP) && (*rm)->return_icmp) { + if (((*rm)->action == PF_DROP) && + ((*rm)->rule_flag & PFRULE_RETURNICMP)) { /* undo NAT/RST changes, if they have taken place */ if (nat != NULL || (binat != NULL && direction == PF_OUT)) { 
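Review bot: The reply decision in pf_test_tcp now rests on two rule fields that nothing in this diff keeps in step: the outer test reads `rule_flag & PFRULE_RETURNICMP`, while the send in the -1752 hunk is still gated on `return_icmp` being non-zero. A rule that carries `return_icmp` but not the new bit (for example one loaded by a pfctl built before this change, assuming rules are copied in from userland as-is) is now dropped silently instead of answered. A rule with the bit set and `return_icmp == 0` undoes the NAT rewrite and then sends nothing. The same pairing is repeated in pf_test_udp (hunks at -1996 and -2009). If that is intended, a comment at the outer test would make it explicit, e.g. `/* PFRULE_RETURNICMP selects the reply; return_icmp only carries type and code */`. A flag/value mismatch is best rejected where rules are loaded, which is outside this diff, as are the start and end of both functions.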
@@ -2009,8 +2010,9 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, &uh->uh_sum, &baddr, bport, 1, af); rewrite++; } - pf_send_icmp(m, (*rm)->return_icmp >> 8, - (*rm)->return_icmp & 255, af); + if ((*rm)->return_icmp) + pf_send_icmp(m, (*rm)->return_icmp >> 8, + (*rm)->return_icmp & 255, af); } if ((*rm)->action == PF_DROP) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 62b5c342f40..35cad1f60fc 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.91 2002/10/07 12:39:29 dhartmei Exp $ */ +/* $OpenBSD: pfvar.h,v 1.92 2002/10/07 12:59:54 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -282,7 +282,7 @@ struct pf_rule { #define PFRULE_RETURNRST 0x01 #define PFRULE_NODF 0x02 #define PFRULE_FRAGMENT 0x04 - +#define PFRULE_RETURNICMP 0x08 #define PFRULE_FRAGCROP 0x10 /* non-buffering frag cache */ #define PFRULE_FRAGDROP 0x20 /* drop funny fragments */ -- cgit v1.2.3
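Review bot: `PFRULE_RETURNICMP` is added without a comment and takes the place of the blank line that apparently set the first three flags apart from the commented `PFRULE_FRAGCROP`/`PFRULE_FRAGDROP` pair, so the grouping of the `rule_flag` bits is no longer visible. I would keep the separator and document the bit, e.g. `#define PFRULE_RETURNICMP 0x08 /* answer a dropped packet using return_icmp */`. Because the bit shares `rule_flag` with `PFRULE_RETURNRST`, this is also the place to state which reply wins when both are set; pf_test_tcp tests `PFRULE_RETURNRST` first. The rest of struct pf_rule lies outside the hunk.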