From 06c3a42dc93861c1eaa20e2e136411879dcd6b8a Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 20 Jun 2024 19:25:04 +0000
Subject: [PATCH] Do not send ICMP redirect if IP forwarding is IPsec only. If sysctl net.inet.ip.forwarding is set to 2, only packets processed by IPsec are forwarded. I this case behave more like a router than a host and do not accept ICMP redirect packets. OK deraadt@ sashan@ florian@ claudio@
---
 sys/netinet/ip_icmp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2d42796dc47..a283bc2f8ce 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.193 2024/06/07 18:24:16 bluhm Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.194 2024/06/20 19:25:04 bluhm Exp $ */
 /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
 
 /*
@@ -589,7 +589,7 @@ reflect:
 struct sockaddr_in ssrc;
 struct rtentry *newrt = NULL;
 
- if (icmp_rediraccept == 0 || ip_forwarding == 1)
+ if (icmp_rediraccept == 0 || ip_forwarding != 0)
 goto freeit;
 if (code > 3)
 goto badcode;
-- 
2.20.1
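Review bot: The new test `ip_forwarding != 0` in the redirect-handling block of the second hunk relies on bare sysctl values, so the code alone does not tell a reader that 2 means IPsec-only forwarding or that every non-zero mode is meant to drop incoming redirects. A short comment above the test would record the intent, for example `/* Any forwarding mode, including IPsec-only (2), makes us a router: ignore redirects. */`; named constants for the modes would be the sturdier fix if the project wants them. Since this block appears to act on routing state (`newrt`), any other comparison of `ip_forwarding` against 1 elsewhere in the tree, none of which is visible here, deserves the same audit for the IPsec-only case. The enclosing block starts and ends outside the hunk.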