author | 2007-10-31 21:15:27 +0000 | |
---|---|---|
committer | 2007-10-31 21:15:27 +0000 | |
commit | 148e2a228fd20a9fcf3814689fff000cc1a3895a (patch) | |
tree | 50b414f67f1630e31bddf2961f70b68423cefb4d | |
parent | Don't leak potentially secret authname through ioctl interface. (diff) | |
'block return' must not send anything on blocked icmp packets.
Noticed by Kai_Doernemann_at_genua.de
OK henning@, deraadt@
-rw-r--r-- | sys/net/pf.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 3a12517ea9e..471e4d1432b 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.560 2007/10/25 21:36:21 mpf Exp $ */
+/* $OpenBSD: pf.c,v 1.561 2007/10/31 21:15:27 mpf Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -3255,10 +3255,12 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
 }
- } else if ((af == AF_INET) && r->return_icmp)
+ } else if (pd->proto != IPPROTO_ICMP && af == AF_INET &&
+ r->return_icmp)
 pf_send_icmp(m, r->return_icmp >> 8,
 r->return_icmp & 255, af, r);
- else if ((af == AF_INET6) && r->return_icmp6)
+ else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
+ r->return_icmp6)
 pf_send_icmp(m, r->return_icmp6 >> 8,
 r->return_icmp6 & 255, af, r);
 }
|
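Review bot: The two new guards `pd->proto != IPPROTO_ICMP` and `pd->proto != IPPROTO_ICMPV6` in the block-return branch of pf_test_rule have no comment saying why ICMP is exempt, so the condition reads like an arbitrary special case that a later cleanup could drop. A one-line comment above the first `else if` would pin the intent, for example `/* never answer a blocked ICMP packet with an ICMP error */`. The guard excludes every ICMP type, queries as well as errors, which matches the commit message but is broader than the usual "no error in reply to an error" rule; if that breadth is deliberate, the same comment should say so. The function starts and ends outside the hunk, so it cannot be seen here whether any other caller of pf_send_icmp applies the same check.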