CVSROOT:        /cvs
Module name:    src
Changes by:     henn...@cvs.openbsd.org 2016/06/23 03:08:56

Modified files:
        sys/netinet    : ip_output.c

Log message:
when pf_test returns something but PF_PASS, set error to EACCES instead of
EHOSTUNREACH. On the latter, ip_forward can generate undesired icmp errors -
either pf generates those itself (block return), or there shouldn't be any.
Bizarrely enough, ip_forward has EACCES handling with a comment specifically
pointing to packets blocked by pf, but the code in ip_output used
EHOSTUNREACH from day #1 on.
found & analyzed by Kristof Provost <kp at FreeBSD>, discussed at BSDcan
ok mpi millert