From: bluhm
Date: Mon, 26 Jul 2021 20:44:44 +0000 (+0000)
Subject: The mbuf header cleanup in revision 1.173 of ip_icmp.c was too
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=8831ce958a73402383b566dc1aa3ab9b97c46475;p=openbsd
The mbuf header cleanup in revision 1.173 of ip_icmp.c was too strict. ICMP error packets generated by pf were not passed immediately, but could be blocked. Preserve PF_TAG_GENERATED flag in icmp_reflect() and icmp6_reflect(). reported by sf@; OK patrick@ kn@
---
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index fd7b016ef93..88d49863b2d 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.186 2021/03/30 08:37:10 sashan Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.187 2021/07/26 20:44:44 bluhm Exp $ */
 /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
 /*
@@ -691,6 +691,7 @@ icmp_reflect(struct mbuf *m, struct mbuf **op, struct in_ifaddr *ia)
 struct rtentry *rt = NULL;
 int optlen = (ip->ip_hl << 2) - sizeof(struct ip);
 u_int rtableid;
+ u_int8_t pfflags;
 if (!in_canforward(ip->ip_src) && ((ip->ip_src.s_addr & IN_CLASSA_NET) !=
@@ -704,8 +705,10 @@ icmp_reflect(struct mbuf *m, struct mbuf **op, struct in_ifaddr *ia)
 return (ELOOP);
 }
 rtableid = m->m_pkthdr.ph_rtableid;
+ pfflags = m->m_pkthdr.pf.flags;
 m_resethdr(m);
 m->m_pkthdr.ph_rtableid = rtableid;
+ m->m_pkthdr.pf.flags = pfflags & PF_TAG_GENERATED;
 /*
 * If the incoming packet was addressed directly to us,
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 4016424f9c9..bdba0978bfb 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.235 2021/03/10 10:21:49 jsg Exp $ */
+/* $OpenBSD: icmp6.c,v 1.236 2021/07/26 20:44:44 bluhm Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 /*
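Review bot: The restore line `m->m_pkthdr.pf.flags = pfflags & PF_TAG_GENERATED;` in icmp_reflect() has no comment saying why exactly one pf bit survives m_resethdr(), and the same holds for the matching line in icmp6_reflect() in sys/netinet6/icmp6.c. Per the commit message the flag makes pf pass the packet immediately, so this line decides which replies skip the ruleset. It appears to rely on the flag being kernel-internal state that only pf sets on packets it generated, never something derived from a received packet; that assumption is inferred and not visible in the hunk. I would add above it `/* Keep PF_TAG_GENERATED only: pf must pass ICMP errors it generated itself; every other pf flag is cleared on purpose. */`. icmp_reflect() starts and ends outside the hunk.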
@@ -1052,6 +1052,7 @@ icmp6_reflect(struct mbuf **mp, size_t off, struct sockaddr *sa)
 struct in6_addr t, *src = NULL;
 struct sockaddr_in6 sa6_src, sa6_dst;
 u_int rtableid;
+ u_int8_t pfflags;
 CTASSERT(sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr) <= MHLEN);
@@ -1069,8 +1070,10 @@ icmp6_reflect(struct mbuf **mp, size_t off, struct sockaddr *sa)
 return (ELOOP);
 }
 rtableid = m->m_pkthdr.ph_rtableid;
+ pfflags = m->m_pkthdr.pf.flags;
 m_resethdr(m);
 m->m_pkthdr.ph_rtableid = rtableid;
+ m->m_pkthdr.pf.flags = pfflags & PF_TAG_GENERATED;
 /*
 * If there are extra headers between IPv6 and ICMPv6, strip
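Review bot: The save / m_resethdr() / restore sequence in icmp6_reflect() is now a four-line copy of the one in icmp_reflect(), and the set of fields that must survive the reset has just grown from one to two. The commit message attributes the regression to an earlier header cleanup being too strict, so two hand-maintained copies of the keep-list are easy to let drift again. A cross-reference such as `/* keep in sync with icmp_reflect() in netinet/ip_icmp.c */` above `rtableid = m->m_pkthdr.ph_rtableid;` would help; a small shared helper that resets the header and restores the kept fields would be the sturdier option. icmp6_reflect() continues outside both hunks.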