author | 2021-01-16 13:09:46 +0000 | |
---|---|---|
committer | 2021-01-16 13:09:46 +0000 | |
commit | 74cd0baeececc34944a03856094a4dcf5c732d0f (patch) | |
tree | a5a9f6f953dc3c126edb23f756a0ca08a152785b | |
parent | s/authorization/authentication/g (diff) | |
The sysctl variable net.inet.ip.forwarding is checked before
ip_input() passes the packet to ip_forward(). But with an af-to
rule, pf(4) calls ip_forward() directly. Check the forwarding
sysctl also in pf to get consistent behavior. This requires setting
both ip and ip6 forwarding to get packet flow in both directions
over af-to rules.
OK kn@
-rw-r--r-- | sys/net/pf.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 49ceef8b732..e5e03458045 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.1099 2021/01/15 22:27:49 bluhm Exp $	*/
+/*	$OpenBSD: pf.c,v 1.1100 2021/01/16 13:09:46 bluhm Exp $	*/
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -7253,20 +7253,32 @@ done:
 		pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
 		switch (pd.naf) {
 		case AF_INET:
-			if (pd.dir == PF_IN)
+			if (pd.dir == PF_IN) {
+				if (ipforwarding == 0) {
+					ipstat_inc(ips_cantforward);
+					action = PF_DROP;
+					break;
+				}
 				ip_forward(pd.m, ifp, NULL, 1);
-			else
+			} else
 				ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
 			break;
 		case AF_INET6:
-			if (pd.dir == PF_IN)
+			if (pd.dir == PF_IN) {
+				if (ip6_forwarding == 0) {
+					ip6stat_inc(ip6s_cantforward);
+					action = PF_DROP;
+					break;
+				}
 				ip6_forward(pd.m, NULL, 1);
-			else
+			} else
 				ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
 			break;
 		}
-		pd.m = NULL;
-		action = PF_PASS;
+		if (action != PF_DROP) {
+			pd.m = NULL;
+			action = PF_PASS;
+		}
 		break;
 #endif /* INET6 */
 	case PF_DROP: |
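Review bot: The new drop paths at `if (ipforwarding == 0)` and `if (ip6_forwarding == 0)` set `action = PF_DROP` and leave `pd.m` attached, then the `break` after the new `if (action != PF_DROP)` block leaves the outer switch without reaching the `case PF_DROP:` branch visible at the end of the hunk, so the mbuf on this path is released by whatever consumes the returned action outside the hunk rather than by that branch; that is consistent only if the caller frees the mbuf on PF_DROP, which cannot be confirmed from these lines and is worth a short comment where `action = PF_DROP` is assigned. The duplicated sysctl test would also read better with its rationale, e.g. `/* af-to hands the packet to ip_forward() directly, bypassing ip_input()'s ipforwarding check; mirror it here */` above the `ipforwarding` test and the ip6 equivalent above `ip6_forwarding`. The enclosing pf_test() body starts and ends outside the hunk.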