From f844a72095ba0e2d43089bd31d53287c50ddd7f0 Mon Sep 17 00:00:00 2001
From: henning
Date: Thu, 23 Jun 2016 09:08:56 +0000
Subject: [PATCH] when pf_test returns something but PF_PASS, set error to EACCES instead of EHOSTUNREACH.

On the latter, ip_forward can generate undesired icmp errors - either pf generates those itself (block return), or there shouldn't be any. Bizarrely enough, ip_forward has EACCES handling with a comment specifically pointing to packets blocked by pf, but the code in ip_output used EHOSTUNREACH from day #1 on.
found & analyzed by Kristof Provost , discussed at BSDcan
ok mpi millert

---
 sys/netinet/ip_output.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 6c8b47569f8..36133661083 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.323 2016/05/31 07:33:22 mpi Exp $ */
+/* $OpenBSD: ip_output.c,v 1.324 2016/06/23 09:08:56 henning Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 
 /*
@@ -419,7 +419,7 @@ sendit:
 */
 #if NPF > 0
 if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS) {
- error = EHOSTUNREACH;
+ error = EACCES;
 m_freem(m);
 goto done;
 }
-- 
2.20.1
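Review bot: The new `error = EACCES;` line carries none of the reasoning from the commit message, and the comment block that precedes this `#if NPF > 0` closes on the hunk's first context line without visible mention of it; I would add, directly above the assignment, `/* EACCES, not EHOSTUNREACH: ip_forward() treats EACCES as "blocked by pf" and sends no ICMP error; pf emits one itself if the rule says block return. */` so the next person does not "fix" it back. Note that this errno is also what locally originated packets surface to userland via sendto()/write(), so a socket whose packet is dropped by a pf out rule now sees EACCES instead of EHOSTUNREACH; that is the documented meaning of EACCES for sockets, but any userland code matching on EHOSTUNREACH here changes behaviour, which is worth a line in the commit message or a man page. The `m_freem(m)` after the call relies on pf_test() having set `m` to NULL when it consumed the mbuf, since m_freem(NULL) is a no-op; if pf_test() can return non-PF_PASS while leaving `m` pointing at a freed mbuf this would be a double free, so please confirm pf_test()'s contract on drop (I cannot see it from here). If ip6_output() has the same pf_test() hook with EHOSTUNREACH, it presumably deserves the same change. The enclosing function, ip_output(), starts and ends outside the hunk.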