Don't create ICMP states on reply packets unless tracking states sloppy - wireguard-openbsd - WireGuard implementation for the OpenBSD kernel

diff options

author	mikeb <mikeb@openbsd.org>	2015-05-26 16:17:51 +0000
committer	mikeb <mikeb@openbsd.org>	2015-05-26 16:17:51 +0000
commit	e93f5c0a6e204e891614db09fc070bce2b47bf8c (patch)
tree	e7148e769d62ec5c444870d23ef380bff5796cc7 /lib
parent	Use if_output() instead of rerolling it. (diff)
download	wireguard-openbsd-e93f5c0a6e204e891614db09fc070bce2b47bf8c.tar.xz wireguard-openbsd-e93f5c0a6e204e891614db09fc070bce2b47bf8c.zip

Don't create ICMP states on reply packets unless tracking states sloppy

Since we've strengthened the ICMP state matching procedure during lookup to only match packets against states set up in a particular direction, we need to make sure we don't create states on packets that would otherwise be flowing in the direction opposite to the direction of the state and prevent further packets from matching the created state due to strict rules imposed by the ICMP direction check. Problem reported by Alexandr Nedvedicky, alexandr.nedvedicky-at-oracle.com. Discussed with reyk@; OK henning

Diffstat (limited to 'lib')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: