Do not send ICMP redirect if IP forwarding is IPsec only.

If sysctl net.inet.ip.forwarding is set to 2, only packets processed
by IPsec are forwarded.  I this case behave more like a router than
a host and do not accept ICMP redirect packets.

OK deraadt@ sashan@ florian@ claudio@

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2d42796..a283bc2 100644 (file)
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_icmp.c,v 1.193 2024/06/07 18:24:16 bluhm Exp $     */
+/*     $OpenBSD: ip_icmp.c,v 1.194 2024/06/20 19:25:04 bluhm Exp $     */
 /*     $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $    */
 
 /*
@@ -589,7 +589,7 @@ reflect:
                struct sockaddr_in ssrc;
                struct rtentry *newrt = NULL;
 
-               if (icmp_rediraccept == 0 || ip_forwarding == 1)
+               if (icmp_rediraccept == 0 || ip_forwarding != 0)
                        goto freeit;
                if (code > 3)
                        goto badcode;