Re: IPv6 pf_test EACCES

2020-12-22 Thread Alexandr Nedvedicky
On Mon, Dec 21, 2020 at 11:34:04PM +0100, Alexander Bluhm wrote:
> Hi,
> 
> A while ago we decided to pass EACCES to userland if pf blocks a
> packet.  IPv6 still has the old EHOSTUNREACH code.
> 
> Use the same errno for dropped IPv6 packets as in IPv4.
> 
> ok?
> 

looks good to me.

OK sashan



Re: IPv6 pf_test EACCES

2020-12-22 Thread Florian Obser
Yes please.
OK florian

On 21 December 2020 23:34:04 CET, Alexander Bluhm wrote:
>Hi,
>
>A while ago we decided to pass EACCES to userland if pf blocks a
>packet.  IPv6 still has the old EHOSTUNREACH code.
>
>Use the same errno for dropped IPv6 packets as in IPv4.
>
>ok?
>
>bluhm
>
>Index: netinet6/ip6_output.c
>===
>RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
>retrieving revision 1.247
>diff -u -p -r1.247 ip6_output.c
>--- netinet6/ip6_output.c  17 Jul 2020 15:21:36 -  1.247
>+++ netinet6/ip6_output.c  21 Dec 2020 22:27:24 -
>@@ -616,7 +616,7 @@ reroute:
> 
> #if NPF > 0
>   if (pf_test(AF_INET6, PF_OUT, ifp, ) != PF_PASS) {
>-  error = EHOSTUNREACH;
>+  error = EACCES;
>   m_freem(m);
>   goto done;
>   }
>@@ -2773,7 +2773,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s
>   if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL ||
>   pf_test(AF_INET6, fwd ? PF_FWD : PF_OUT, encif, ) != PF_PASS) {
>   m_freem(m);
>-  return EHOSTUNREACH;
>+  return EACCES;
>   }
>   if (m == NULL)
>   return 0;

-- 
Sent from a mobile device. Please excuse poor formatting.



Re: IPv6 pf_test EACCES

2020-12-21 Thread Claudio Jeker
On Mon, Dec 21, 2020 at 11:34:04PM +0100, Alexander Bluhm wrote:
> Hi,
> 
> A while ago we decided to pass EACCES to userland if pf blocks a
> packet.  IPv6 still has the old EHOSTUNREACH code.
> 
> Use the same errno for dropped IPv6 packets as in IPv4.
> 
> ok?

Seems reasonable. OK claudio@

> Index: netinet6/ip6_output.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
> retrieving revision 1.247
> diff -u -p -r1.247 ip6_output.c
> --- netinet6/ip6_output.c 17 Jul 2020 15:21:36 -  1.247
> +++ netinet6/ip6_output.c 21 Dec 2020 22:27:24 -
> @@ -616,7 +616,7 @@ reroute:
>  
>  #if NPF > 0
>   if (pf_test(AF_INET6, PF_OUT, ifp, ) != PF_PASS) {
> - error = EHOSTUNREACH;
> + error = EACCES;
>   m_freem(m);
>   goto done;
>   }
> @@ -2773,7 +2773,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s
>   if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL ||
>   pf_test(AF_INET6, fwd ? PF_FWD : PF_OUT, encif, ) != PF_PASS) {
>   m_freem(m);
> - return EHOSTUNREACH;
> + return EACCES;
>   }
>   if (m == NULL)
>   return 0;
> 

-- 
:wq Claudio



IPv6 pf_test EACCES

2020-12-21 Thread Alexander Bluhm
Hi,

A while ago we decided to pass EACCES to userland if pf blocks a
packet.  IPv6 still has the old EHOSTUNREACH code.

Use the same errno for dropped IPv6 packets as in IPv4.

ok?

bluhm

Index: netinet6/ip6_output.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.247
diff -u -p -r1.247 ip6_output.c
--- netinet6/ip6_output.c   17 Jul 2020 15:21:36 -  1.247
+++ netinet6/ip6_output.c   21 Dec 2020 22:27:24 -
@@ -616,7 +616,7 @@ reroute:
 
 #if NPF > 0
if (pf_test(AF_INET6, PF_OUT, ifp, ) != PF_PASS) {
-   error = EHOSTUNREACH;
+   error = EACCES;
m_freem(m);
goto done;
}
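
Review bot: at `error = EACCES;` inside the `#if NPF > 0` block, every pf_test() verdict other than PF_PASS now maps to EACCES, and nothing in the code says why this errno was chosen. A one-line comment stating that pf blocked the packet and that the value matches the IPv4 output path would keep the two paths from drifting apart again. Since the errno that userland sees changes from EHOSTUNREACH, the change also deserves a mention wherever the send errors are documented.
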
@@ -2773,7 +2773,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s
if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL ||
pf_test(AF_INET6, fwd ? PF_FWD : PF_OUT, encif, ) != PF_PASS) {
m_freem(m);
-   return EHOSTUNREACH;
+   return EACCES;
}
if (m == NULL)
return 0;
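
Review bot: in ip6_output_ipsec_send() the new `return EACCES;` is shared by two conditions joined with `||`: `enc_getif(...) == NULL` and `pf_test(...) != PF_PASS`. A missing enc interface is not a pf block, so after this change a failed interface lookup is also reported to the caller as EACCES. Consider splitting the test so that only the pf_test() failure returns EACCES, or add a comment saying that treating both cases alike is intended.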