Hi,

I think we should use pf_send_icmp() in pf_route().  It is more
consistent and sets the routing domain and other mbuf flags.

In pf_route6() the bad packet counter and PF_DUPTO check were missing
which is inconsistent to IPv4.

ok?

bluhm

Index: net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.1054
diff -u -p -r1.1054 pf.c
--- net/pf.c    29 Dec 2017 23:55:22 -0000      1.1054
+++ net/pf.c    10 Jan 2018 01:07:19 -0000
@@ -183,7 +183,7 @@ void                         pf_translate_icmp(struct 
pf_pdes
                            u_int16_t *, struct pf_addr *, struct pf_addr *,
                            u_int16_t);
 int                     pf_translate_icmp_af(struct pf_pdesc*, int, void *);
-void                    pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
+void                    pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, int,
                            sa_family_t, struct pf_rule *, u_int);
 void                    pf_detach_state(struct pf_state *);
 void                    pf_state_key_detach(struct pf_state *, int);
@@ -2896,8 +2896,8 @@ pf_send_challenge_ack(struct pf_pdesc *p
 }
 
 void
-pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
-    struct pf_rule *r, u_int rdomain)
+pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, int param,
+    sa_family_t af, struct pf_rule *r, u_int rdomain)
 {
        struct mbuf     *m0;
 
@@ -2913,11 +2913,11 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
 
        switch (af) {
        case AF_INET:
-               icmp_error(m0, type, code, 0, 0);
+               icmp_error(m0, type, code, 0, param);
                break;
 #ifdef INET6
        case AF_INET6:
-               icmp6_error(m0, type, code, 0);
+               icmp6_error(m0, type, code, param);
                break;
 #endif /* INET6 */
        }
@@ -3815,13 +3815,13 @@ pf_test_rule(struct pf_pdesc *pd, struct
                    ICMP_INFOTYPE(ctx.icmptype)) && pd->af == AF_INET &&
                    r->return_icmp)
                        pf_send_icmp(pd->m, r->return_icmp >> 8,
-                           r->return_icmp & 255, pd->af, r, pd->rdomain);
+                           r->return_icmp & 255, 0, pd->af, r, pd->rdomain);
                else if ((pd->proto != IPPROTO_ICMPV6 ||
                    (ctx.icmptype >= ICMP6_ECHO_REQUEST &&
                    ctx.icmptype != ND_REDIRECT)) && pd->af == AF_INET6 &&
                    r->return_icmp6)
                        pf_send_icmp(pd->m, r->return_icmp6 >> 8,
-                           r->return_icmp6 & 255, pd->af, r, pd->rdomain);
+                           r->return_icmp6 & 255, 0, pd->af, r, pd->rdomain);
        }
 
        if (r->action == PF_DROP)
@@ -5974,12 +5974,10 @@ pf_route(struct pf_pdesc *pd, struct pf_
         */
        if (ip->ip_off & htons(IP_DF)) {
                ipstat_inc(ips_cantfrag);
-               if (r->rt != PF_DUPTO) {
-                       icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
-                           ifp->if_mtu);
-                       goto done;
-               } else
-                       goto bad;
+               if (r->rt != PF_DUPTO)
+                       pf_send_icmp(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
+                           ifp->if_mtu, pd->af, r, pd->rdomain);
+               goto bad;
        }
 
        m1 = m0;
@@ -6109,7 +6107,11 @@ pf_route6(struct pf_pdesc *pd, struct pf
        } else if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
                ifp->if_output(ifp, m0, sin6tosa(dst), rt);
        } else {
-               icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
+               ip6stat_inc(ip6s_cantfrag);
+               if (r->rt != PF_DUPTO)
+                       pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG, 0,
+                           ifp->if_mtu, pd->af, r, pd->rdomain);
+               goto bad;
        }
 
 done:

Reply via email to