instead of EHOSTUNREACH. On the latter, ip_forward can generate undesired
icmp errors - either pf generates those itself (block return), or there
shouldn't be any.
Bizarrely enough, ip_forward has EACCES handling with a comment specifically
pointing to packets blocked by pf, but the code in ip_output used EHOSTUNREACH
from day #1 on.
found & analyzed by Kristof Provost <kp at FreeBSD>, discussed at BSDcan
ok mpi millert
-/* $OpenBSD: ip_output.c,v 1.323 2016/05/31 07:33:22 mpi Exp $ */
+/* $OpenBSD: ip_output.c,v 1.324 2016/06/23 09:08:56 henning Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
*/
#if NPF > 0
if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS) {
- error = EHOSTUNREACH;
+ error = EACCES;
m_freem(m);
goto done;
}
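Review bot: the new `error = EACCES;` assignment in the `pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS` branch has no comment explaining the choice of errno, while the commit message says the matching EACCES handling in ip_forward does carry a comment pointing at packets blocked by pf. A short comment at the assignment, for example `/* blocked by pf: EACCES, so ip_forward generates no ICMP error */`, would document the contract between the two functions and make it less likely that the value gets changed back to EHOSTUNREACH later. Since every caller that receives this return value now sees EACCES instead of EHOSTUNREACH, it is worth confirming that none of them tests specifically for EHOSTUNREACH on this path, and whether the IPv6 output path needs the same change; neither is visible in this hunk.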