git: 22e8dc82ff0c - main - pf: Use pf_send_icmp() consistently in pf_route()
Date: Thu, 26 Jun 2025 13:11:44 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=22e8dc82ff0c244ed97f1a43ad35d71b11555d58
commit 22e8dc82ff0c244ed97f1a43ad35d71b11555d58
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-06-19 13:29:36 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-26 13:11:01 +0000
pf: Use pf_send_icmp() consistently in pf_route()
It sets the routing domain and other mbuf flags. In pf_route6() the bad packet
counter and dup-to check were missing.
OK visa@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 51a22f9bf3
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 521969001f92..cdf48fc4d60a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -327,7 +327,7 @@ int pf_change_icmp_af(struct mbuf *, int,
sa_family_t);
int pf_translate_icmp_af(int, void *);
static void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
- sa_family_t, struct pf_krule *, int);
+ int, sa_family_t, struct pf_krule *, int);
static void pf_detach_state(struct pf_kstate *);
static int pf_state_key_attach(struct pf_state_key *,
struct pf_state_key *, struct pf_kstate *);
@@ -4342,11 +4342,11 @@ pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
} else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET &&
r->return_icmp)
pf_send_icmp(pd->m, r->return_icmp >> 8,
- r->return_icmp & 255, pd->af, r, rtableid);
+ r->return_icmp & 255, 0, pd->af, r, rtableid);
else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 &&
r->return_icmp6)
pf_send_icmp(pd->m, r->return_icmp6 >> 8,
- r->return_icmp6 & 255, pd->af, r, rtableid);
+ r->return_icmp6 & 255, 0, pd->af, r, rtableid);
}
static int
@@ -4403,8 +4403,8 @@ pf_send_challenge_ack(struct pf_pdesc *pd, struct pf_kstate *s,
}
static void
-pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
- struct pf_krule *r, int rtableid)
+pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, int mtu,
+ sa_family_t af, struct pf_krule *r, int rtableid)
{
struct pf_send_entry *pfse;
struct mbuf *m0;
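Review bot: The new `mtu` argument of pf_send_icmp() has no documentation, and both pf_return() call sites in this diff now pass a bare `0` for it. A one-line comment above the definition would make the contract explicit, for example `/* mtu: next-hop MTU reported in NEEDFRAG / PACKET_TOO_BIG errors; 0 for all other type/code pairs. */`. The meaning of 0 is inferred from the call sites shown here, so confirm it before adopting that wording. The function body continues outside this hunk.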
@@ -4469,6 +4469,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
pfse->pfse_m = m0;
pfse->icmpopts.type = type;
pfse->icmpopts.code = code;
+ pfse->icmpopts.mtu = mtu;
pf_send(pfse);
}
@@ -9083,14 +9084,11 @@ pf_route(struct pf_krule *r, struct ifnet *oifp,
s);
}
- icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
- ifp->if_mtu);
- SDT_PROBE1(pf, ip, route_to, drop, __LINE__);
- goto done;
- } else {
- SDT_PROBE1(pf, ip, route_to, drop, __LINE__);
- goto bad;
+ pf_send_icmp(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
+ ifp->if_mtu, pd->af, r, pd->act.rtableid);
}
+ SDT_PROBE1(pf, ip, route_to, drop, __LINE__);
+ goto bad;
}
error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist);
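Review bot: The call added in pf_route() passes `pd->af` as the address family while hard-coding the IPv4-only `ICMP_UNREACH` / `ICMP_UNREACH_NEEDFRAG` type and code, so the error is only well-formed if `pd->af` is AF_INET on this path. Whether `pd->af` can differ from the family of `m0` here (for instance after address-family translation) is not visible in the hunk and should be confirmed. Passing the literal, `ifp->if_mtu, AF_INET, r, pd->act.rtableid);`, would remove that dependency. The pf_route6() hunk has the same pattern and could pass `AF_INET6`. pf_route() starts and ends outside this hunk.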
@@ -9370,12 +9368,12 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp,
sizeof(struct ip6_hdr), s);
}
- icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
- SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);
- } else {
- SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);
- goto bad;
+ if (r->rt != PF_DUPTO)
+ pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG, 0,
+ ifp->if_mtu, pd->af, r, pd->act.rtableid);
}
+ SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);
+ goto bad;
}
done:
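Review bot: The `if (r->rt != PF_DUPTO)` guard is added only in pf_route6(); the matching pf_route() hunk calls pf_send_icmp() with no such test, although both removed code paths had the same `} else { ... goto bad; }` shape. If the enclosing `if` (outside the hunk) already tests for dup-to, this inner test is redundant and can be dropped. If it does not, pf_route() needs the same guard so that no NEEDFRAG error is generated for a duplicated packet. This path also used to fall through after icmp6_error() and now takes `goto bad`, which presumably relies on pf_send_icmp() queueing its own copy rather than consuming `m0`; a short comment saying so would help.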