From: henning Date: Thu, 23 Jun 2016 09:08:56 +0000 (+0000) Subject: when pf_test returns something but PF_PASS, set error to EACCES X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f844a72095ba0e2d43089bd31d53287c50ddd7f0;p=openbsd when pf_test returns something but PF_PASS, set error to EACCES instead of EHOSTUNREACH. On the latter, ip_forward can generate undesired icmp errors - either pf generates those itself (block return), or there shouldn't be any. Bizarrely enough, ip_forward has EACCES handling with a comment specifically pointing to packets blocked by pf, but the code in ip_output used EHOSTUNREACH from day #1 on. found & analyzed by Kristof Provost , discussed at BSDcan ok mpi millert --- diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 6c8b47569f8..36133661083 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.323 2016/05/31 07:33:22 mpi Exp $ */ +/* $OpenBSD: ip_output.c,v 1.324 2016/06/23 09:08:56 henning Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -419,7 +419,7 @@ sendit: */ #if NPF > 0 if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS) { - error = EHOSTUNREACH; + error = EACCES; m_freem(m); goto done; }
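Review bot: in the `@@ -419,7 +419,7 @@ sendit:` hunk, the change from `error = EHOSTUNREACH;` to `error = EACCES;` alters the errno that ip_output() returns to every caller when pf_test() returns anything other than PF_PASS, not only the ip_forward path the commit message describes. For forwarded packets the message explains the benefit (ip_forward already has EACCES handling for pf-blocked packets and will stop emitting ICMP unreachables that pf either generated itself via block return or should not exist), but locally originated traffic that reaches this point will also surface EACCES instead of EHOSTUNREACH to the sending socket, which is a user-visible errno change; it would be worth stating that explicitly in the commit message or checking the other ip_output() callers so that none of them special-case EHOSTUNREACH for the blocked-by-pf case. The rest of the hunk (`m_freem(m); goto done;`) is unchanged and the error-handling flow stays the same, so the change itself is minimal and correct as written.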