Re: IPv6 pf_test EACCES
On Mon, Dec 21, 2020 at 11:34:04PM +0100, Alexander Bluhm wrote:
> Hi,
>
> A while ago we decided to pass EACCES to userland if pf blocks a
> packet. IPv6 still has the old EHOSTUNREACH code.
>
> Use the same errno for dropped IPv6 packets as in IPv4.
>
> ok?
>

looks good to me.

OK sashan
Re: IPv6 pf_test EACCES
Yes please.
OK florian

On 21 December 2020 23:34:04 CET, Alexander Bluhm wrote:
>Hi,
>
>A while ago we decided to pass EACCES to userland if pf blocks a
>packet. IPv6 still has the old EHOSTUNREACH code.
>
>Use the same errno for dropped IPv6 packets as in IPv4.
>
>ok?
>
>bluhm
>
>Index: netinet6/ip6_output.c >=== >RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v >retrieving revision 1.247 >diff -u -p -r1.247 ip6_output.c >--- netinet6/ip6_output.c 17 Jul 2020 15:21:36 - 1.247 >+++ netinet6/ip6_output.c 21 Dec 2020 22:27:24 - >@@ -616,7 +616,7 @@ reroute: > > #if NPF > 0 > if (pf_test(AF_INET6, PF_OUT, ifp, ) != PF_PASS) { >- error = EHOSTUNREACH; >+ error = EACCES; > m_freem(m); > goto done; > } >@@ -2773,7 +2773,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s > if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL || > pf_test(AF_INET6, fwd ? PF_FWD : PF_OUT, encif, ) != PF_PASS) { > m_freem(m); >- return EHOSTUNREACH; >+ return EACCES; > } > if (m == NULL) > return 0;

-- 
Sent from a mobile device. Please excuse poor formatting.
Re: IPv6 pf_test EACCES
On Mon, Dec 21, 2020 at 11:34:04PM +0100, Alexander Bluhm wrote:
> Hi,
>
> A while ago we decided to pass EACCES to userland if pf blocks a
> packet. IPv6 still has the old EHOSTUNREACH code.
>
> Use the same errno for dropped IPv6 packets as in IPv4.
>
> ok?

Seems reasonable. OK claudio@

> Index: netinet6/ip6_output.c > === > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v > retrieving revision 1.247 > diff -u -p -r1.247 ip6_output.c > --- netinet6/ip6_output.c 17 Jul 2020 15:21:36 - 1.247 > +++ netinet6/ip6_output.c 21 Dec 2020 22:27:24 - > @@ -616,7 +616,7 @@ reroute: > > #if NPF > 0 > if (pf_test(AF_INET6, PF_OUT, ifp, ) != PF_PASS) { > - error = EHOSTUNREACH; > + error = EACCES; > m_freem(m); > goto done; > } > @@ -2773,7 +2773,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s > if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL || > pf_test(AF_INET6, fwd ? PF_FWD : PF_OUT, encif, ) != PF_PASS) { > m_freem(m); > - return EHOSTUNREACH; > + return EACCES; > } > if (m == NULL) > return 0; >

-- 
:wq Claudio
IPv6 pf_test EACCES
Hi,

A while ago we decided to pass EACCES to userland if pf blocks a
packet. IPv6 still has the old EHOSTUNREACH code.

Use the same errno for dropped IPv6 packets as in IPv4.

ok?

bluhm

Index: netinet6/ip6_output.c === RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v retrieving revision 1.247 diff -u -p -r1.247 ip6_output.c --- netinet6/ip6_output.c 17 Jul 2020 15:21:36 - 1.247 +++ netinet6/ip6_output.c 21 Dec 2020 22:27:24 - @@ -616,7 +616,7 @@ reroute: #if NPF > 0 if (pf_test(AF_INET6, PF_OUT, ifp, ) != PF_PASS) { - error = EHOSTUNREACH; + error = EACCES; m_freem(m); goto done; } @@ -2773,7 +2773,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL || pf_test(AF_INET6, fwd ? PF_FWD : PF_OUT, encif, ) != PF_PASS) { m_freem(m); - return EHOSTUNREACH; + return EACCES; } if (m == NULL) return 0;
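
Review bot: in the first hunk (@@ -616,7, after `reroute:`), the `!= PF_PASS` branch now sets `error = EACCES` with nothing in the code saying why this errno was chosen. A one-line comment that the value is kept identical to the IPv4 output path would stop the two from drifting apart again. Because the value reaches userland, the commit message should also state that callers which matched EHOSTUNREACH on an IPv6 send to detect a pf block will now see EACCES.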
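
Review bot: in the second hunk (@@ -2773,7, ip6_output_ipsec_send()), `return EACCES` is reached both when `enc_getif(...)` returns NULL and when pf_test() does not return PF_PASS, because the two tests are joined with `||`. A missing enc interface is not a pf verdict, so reporting it with the errno reserved for "pf blocked this packet" makes the two cases indistinguishable to the caller. Consider splitting the condition and keeping a separate errno for the NULL case, or add a comment saying the shared value is intended.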