diff options
| author |   bluhm <bluhm@openbsd.org> | 2013-06-05 15:22:32 +0000 |
|---|---|---|
| committer | bluhm <bluhm@openbsd.org> | 2013-06-05 15:22:32 +0000 |
| commit | d2d95ac127156f8813e554019a54a890dc86c19d (patch) | |
| tree | ffaf6aa0b6dc05aae250d85532339f80a705e339 /sys | |
| parent | Include sys/timeout.h to make if_gre.c compile without pf. (diff) | |
| download | wireguard-openbsd-d2d95ac127156f8813e554019a54a890dc86c19d.tar.xz wireguard-openbsd-d2d95ac127156f8813e554019a54a890dc86c19d.zip | |
If an ICMP packet gets diverted to a raw IP socket, if must not be
consumed by icmp_input(). As an exception, control packets that
belong to a connection to a local socket must go to pr_ctlinput().
Add a switch over the ICMP type to handle that.
OK markus@ henning@
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet/ip_icmp.c | 25 | ||||
| -rw-r--r-- | sys/netinet6/icmp6.c | 23 |
2 files changed, 46 insertions, 2 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index baef294334c..4e62bb9d028 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_icmp.c,v 1.100 2013/06/05 02:25:05 lteo Exp $ */ +/* $OpenBSD: ip_icmp.c,v 1.101 2013/06/05 15:22:32 bluhm Exp $ */ /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */ /* @@ -363,6 +363,29 @@ icmp_input(struct mbuf *m, ...) #endif if (icp->icmp_type > ICMP_MAXTYPE) goto raw; +#if NPF > 0 + if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) { + switch (icp->icmp_type) { + /* + * These ICMP types map to other connections. They must be + * delivered to pr_ctlinput() also for diverted connections. + */ + case ICMP_UNREACH: + case ICMP_TIMXCEED: + case ICMP_PARAMPROB: + case ICMP_SOURCEQUENCH: + break; + /* + * Although pf_icmp_mapping() considers redirects belonging + * to a diverted connection, we must process it here anyway. + */ + case ICMP_REDIRECT: + break; + default: + goto raw; + } + } +#endif /* NPF */ icmpstat.icps_inhist[icp->icmp_type]++; code = icp->icmp_code; switch (icp->icmp_type) { diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 437d9d3f7bd..5c306e7bf47 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: icmp6.c,v 1.129 2013/06/04 19:11:51 bluhm Exp $ */ +/* $OpenBSD: icmp6.c,v 1.130 2013/06/05 15:22:32 bluhm Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -453,6 +453,24 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) goto freeit; } +#if NPF > 0 + if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) { + switch (icmp6->icmp6_type) { + /* + * These ICMP6 types map to other connections. They must be + * delivered to pr_ctlinput() also for diverted connections. + */ + case ICMP6_DST_UNREACH: + case ICMP6_PACKET_TOO_BIG: + case ICMP6_TIME_EXCEEDED: + case ICMP6_PARAM_PROB: + break; + default: + goto raw; + } + } +#endif /* NPF */ + #if NCARP > 0 if (m->m_pkthdr.rcvif->if_type == IFT_CARP && icmp6->icmp6_type == ICMP6_ECHO_REQUEST && @@ -860,6 +878,9 @@ badlen: break; } +#if NPF > 0 +raw: +#endif /* deliver the packet to appropriate sockets */ icmp6_rip6_input(&m, *offp); |