author | 2016-12-28 15:19:02 +0000 | |
---|---|---|
committer | 2016-12-28 15:19:02 +0000 | |
commit | 878ec36ea78007a72311c2bd0fc5fcfbf67437d3 (patch) | |
tree | 5262e0d15392e4e6d39a7aa1ebbcbbc62357d39d | |
parent | Rewrite and add d2i_X509_REQ_INFO(3) and i2d_X509_REQ_INFO(3), (diff) | |
Better check for a valid route than for an existing route in pf
route-to by calling rtisvalid(). Make pf_route() and pf_route6()
similar and move the rtalloc() call to the same place.
OK mpi@
-rw-r--r-- | sys/net/pf.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8a22783e39d..5321bfdee96 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1006 2016/12/23 20:49:41 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1007 2016/12/28 15:19:02 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -5832,12 +5832,6 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
 if (ifp == NULL)
 goto bad;
- rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid);
- if (rt == NULL) {
- ipstat_inc(ips_noroute);
- goto bad;
- }
-
 if (pd->kif->pfik_ifp != ifp) {
 if (pf_test(AF_INET, PF_OUT, ifp, &m0) != PF_PASS)
 goto bad;
@@ -5853,6 +5847,12 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
 in_proto_cksum_out(m0, ifp);
+ rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid);
+ if (!rtisvalid(rt)) {
+ ipstat_inc(ips_noroute);
+ goto bad;
+ }
+
 if (ntohs(ip->ip_len) <= ifp->if_mtu) {
 ip->ip_sum = 0;
 if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
@@ -5991,6 +5991,12 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
 if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr))
 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
+ rt = rtalloc(sin6tosa(dst), RT_RESOLVE, rtableid);
+ if (!rtisvalid(rt)) {
+ ip6stat.ip6s_noroute++;
+ goto bad;
+ }
+
 /*
 * If packet has been reassembled by PF earlier, we have to
 * use pf_refragment6() here to turn it back to fragments.
@@ -5998,13 +6004,7 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
 if ((mtag = m_tag_find(m0, PACKET_TAG_PF_REASSEMBLED, NULL))) {
 (void) pf_refragment6(&m0, mtag, dst, ifp);
 } else if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
- rt = rtalloc(sin6tosa(dst), RT_RESOLVE, rtableid);
- if (rt == NULL) {
- ip6stat.ip6s_noroute++;
- goto bad;
- }
 ifp->if_output(ifp, m0, sin6tosa(dst), rt);
- rtfree(rt);
 } else {
 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
 }
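Review bot: In the `@@ -5853` hunk of pf_route(), `if (!rtisvalid(rt))` can send a non-NULL but unusable route to `bad`, whereas the old `rt == NULL` test never had a reference to release on that path. The lookup also now sits below the pf_test() block, so that block's `goto bad` runs before `rt` has been assigned. Both are safe only if `rt` is declared with a NULL initializer and `bad` ends up in the `rtfree(rt)` cleanup; pf_route()'s declarations and labels are outside this diff, so that should be confirmed. The same holds for the pf_route6() hunks at `@@ -5991` and `@@ -6012`, where `bad:` follows the `return;` after the new `rtfree(rt)`. Once confirmed, I would add `/* rt may be non-NULL but invalid here; the reference is released on the common exit path */` above the `goto bad`.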
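Review bot: In pf_route6() the route check added at `@@ -5991` now runs before the three-way branch shown in the following hunk, so a missing or invalid route also drops packets that previously went to `pf_refragment6(&m0, mtag, dst, ifp)` or produced `icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu)`. Neither of those calls takes `rt`, so this looks like a deliberate alignment with pf_route() rather than something the code requires. If it is intended, a comment above the `rtalloc()` call would record that, for example `/* No valid route: drop before refragmenting or sending packet-too-big. */`. The function body continues outside the hunk.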
@@ -6012,6 +6012,7 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
 done:
 if (r->rt != PF_DUPTO)
 pd->m = NULL;
+ rtfree(rt);
 return;
 bad:
|