Return EACCES when pf_test() blocks a packet in ip_output(). This allows

ip_forward() to know the difference between blocked packets and those that can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should be sent. In the other callers of ip_output() change the error back to EHOSTUNREACH since userland may not expect EACCES on a sendto(). OK henning@, markus@
author: claudio <claudio@openbsd.org> 2010-09-08 08:34:42 +0000
committer: claudio <claudio@openbsd.org> 2010-09-08 08:34:42 +0000
commit: d9dceccbc8a8ba78ba1b8bc20bf1503cf542c644 (patch)
tree: cf1655c3d0867861fe8d415cf711dc9a8a8fa2b3 /sys/netinet/ip_output.c
parent: Switch the MPLS blocks for RTM_CHANGE. Do not always remove the MPLS (diff)
download: wireguard-openbsd-d9dceccbc8a8ba78ba1b8bc20bf1503cf542c644.tar.xz
wireguard-openbsd-d9dceccbc8a8ba78ba1b8bc20bf1503cf542c644.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index c62426681c9..7efb8311030 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.211 2010/08/13 06:46:08 dlg Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.212 2010/09/08 08:34:42 claudio Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -605,7 +605,7 @@ sendit:
 		if ((encif = enc_getif(tdb->tdb_rdomain,
 		    tdb->tdb_tap)) == NULL ||
 		    pf_test(PF_OUT, encif, &m, NULL) != PF_PASS) {
-			error = EHOSTUNREACH;
+			error = EACCES;
 			splx(s);
 			m_freem(m);
 			goto done;
author	claudio <claudio@openbsd.org>	2010-09-08 08:34:42 +0000
committer	claudio <claudio@openbsd.org>	2010-09-08 08:34:42 +0000
commit	d9dceccbc8a8ba78ba1b8bc20bf1503cf542c644 (patch)
tree	cf1655c3d0867861fe8d415cf711dc9a8a8fa2b3 /sys/netinet/ip_output.c
parent	Switch the MPLS blocks for RTM_CHANGE. Do not always remove the MPLS (diff)
download	wireguard-openbsd-d9dceccbc8a8ba78ba1b8bc20bf1503cf542c644.tar.xz wireguard-openbsd-d9dceccbc8a8ba78ba1b8bc20bf1503cf542c644.zip