authorbluhm <bluhm@openbsd.org>2018-05-10 08:52:01 +0000
committerbluhm <bluhm@openbsd.org>2018-05-10 08:52:01 +0000
commit388c1b285726bf2ef33f3864ea712971b1edeb0a (patch)
treef65962ad09092b1291a6cbfeacac7350e72eb489
parentreorganize code (diff)
downloadwireguard-openbsd-388c1b285726bf2ef33f3864ea712971b1edeb0a.tar.xz
wireguard-openbsd-388c1b285726bf2ef33f3864ea712971b1edeb0a.zip
pf route-to should not send packets from 127.0.0.1 or ::1 address
to the network. This is necessary for locally generated ICMP packets, which would otherwise be dropped. Refine this check so that only the source address of packets leaving for an external network is modified. This keeps route-to tricks on the loopback interface working. OK sashan@
-rw-r--r--sys/net/pf.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 96f1f9b72be..6f174d89505 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1064 2018/04/06 10:39:15 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1065 2018/05/10 08:52:01 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5984,7 +5984,8 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
goto bad;
}
/* A locally generated packet may have invalid source address. */
- if ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+ if ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET &&
+ (ifp->if_flags & IFF_LOOPBACK) == 0)
ip->ip_src = ifatoia(rt->rt_ifa)->ia_addr.sin_addr;
in_proto_cksum_out(m0, ifp);
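Review bot: The new condition keys on the type of the output interface, not on the packet being locally generated, so if pf_route can be reached for a packet that arrived from a network interface with a 127/8 source (an inbound route-to rule), that packet is given the outgoing interface's own address instead of being dropped, which launders a spoofed source into a legitimate local one. Whether ip_input's loopback martian check runs before or after pf_test is not visible here; if pf runs first, I'd refuse to rewrite anything that was not generated on this host, e.g. `if (pd->dir != PF_OUT) goto bad;` inside the new condition before the assignment, assuming pd->dir carries the direction at this point (the `bad` label is already used two lines up). The matching ::1 check in pf_route6 has the same shape. pf_route's body starts and ends outside the hunk.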
@@ -6139,7 +6140,8 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
goto bad;
}
/* A locally generated packet may have invalid source address. */
- if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src))
+ if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
+ (ifp->if_flags & IFF_LOOPBACK) == 0)
ip6->ip6_src = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
in6_proto_cksum_out(m0, ifp);
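Review bot: The comment above the changed condition still says only that a locally generated packet may have an invalid source address and gives no reason for the IFF_LOOPBACK exemption this commit adds, so a later reader will not know why a ::1 source is deliberately left untouched when the route stays on a loopback interface. I'd extend it to `/* A locally generated packet may have a loopback source address; rewrite it only when it leaves for a non-loopback interface so route-to on lo keeps working. */` (two lines), and use the same wording on the IPv4 check in pf_route. pf_route6's body starts and ends outside the hunk.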