FreeBSD Bugzilla – Attachment 184886 Details for Bug 221137: FreeBSD 11+ does not send ICMP redirects
[patch] Very naive patch to support ICMP redirects.
icmp_redirect.patch (text/plain), 1.80 KB, created by igorr on 2017-08-01 08:04:09 UTC
>Index: sys/netinet/ip_fastfwd.c >=================================================================== >--- sys/netinet/ip_fastfwd.c (revision 321782) >+++ sys/netinet/ip_fastfwd.c (working copy) >@@ -298,6 +298,17 @@ > return (NULL); /* icmp unreach already sent */ > > /* >+ * If route points to source network interface let ip_input() handle packet >+ */ >+ if (nh.nh_ifp->if_index == m->m_pkthdr.rcvif->if_index) { >+#ifdef DEBUG_XXX >+ printf("ip_tryforward: received packet on (%d) same interface (%d) as route. dstaddr = %04X srcaddr = %04X\n", m->m_pkthdr.rcvif->if_index, nh.nh_ifp->if_index, dest.s_addr, ip->ip_src.s_addr); >+#endif >+ m->m_flags |= M_SKIP_FIREWALL; /* skip input firewall in ip_input() */ >+ return m; >+ } >+ >+ /* > * Step 5: outgoing firewall packet processing > */ > if (!PFIL_HOOKED(&V_inet_pfil_hook)) >Index: sys/netinet/ip_input.c >=================================================================== >--- sys/netinet/ip_input.c (revision 321782) >+++ sys/netinet/ip_input.c (working copy) >@@ -571,6 +571,7 @@ > return; > if (m->m_flags & M_FASTFWD_OURS) { > m->m_flags &= ~M_FASTFWD_OURS; >+ m->m_flags &= ~M_SKIP_FIREWALL; /* because ip_tryforward() can set this flag */ > ip = mtod(m, struct ip *); > goto ours; > } >@@ -581,9 +582,18 @@ > * Bypass packet filtering for packets previously handled by IPsec. > */ > if (IPSEC_ENABLED(ipv4) && >- IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0) >+ IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0) { >+ m->m_flags &= ~M_SKIP_FIREWALL; /* because ip_tryforward() can set this flag */ > goto passin; >+ } > #endif >+ /* >+ * Bypass input packet filtering, because it was handled in ip_tryforward() >+ */ >+ if (m->m_flags & M_SKIP_FIREWALL) { >+ m->m_flags &= ~M_SKIP_FIREWALL; >+ goto passin; >+ } > > /* > * Run through list of hooks for input packets.
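Review bot: in the ip_fastfwd.c hunk, the new block before Step 5 hands every packet whose route points back out the receiving interface to ip_input() with M_SKIP_FIREWALL set, and the only condition is the if_index comparison. Nothing here checks whether redirects are enabled (net.inet.ip.redirect), so a router with redirects turned off would still lose the fast path for all same-interface traffic and still take the firewall-skip route; gate the block on that setting. Smaller points in the same block: the surrounding code writes "return (NULL);", so "return m;" should be "return (m);", and the debug printf formats the 32-bit s_addr values with %04X, where %08X would print the full address.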
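Review bot: in the first ip_input.c hunk (@@ -571), the clear of M_SKIP_FIREWALL inside the M_FASTFWD_OURS branch exists only because the bypass state travels on the mbuf, and the same clear is repeated in two more places further down. Any branch that is not covered leaves the flag set on a packet that continues through the stack. Test and clear the flag once, immediately where ip_tryforward() returns, and keep the result in a local variable, so later branches need no clears of their own. The added line with its trailing comment also runs well past 80 columns.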
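Review bot: in the second ip_input.c hunk (@@ -581), the new "if (m->m_flags & M_SKIP_FIREWALL)" block jumps to passin for any mbuf that carries the flag, whatever set it, so the input hooks are skipped on the strength of a generic mbuf flag rather than on the fact that this packet just came back from ip_tryforward(). If another path ever delivers an mbuf with the flag already set, input filtering is bypassed for it. Tie the bypass to the ip_tryforward() return (a local boolean set at the call site) instead of re-reading the flag here, and have the comment state the assumption it relies on: that the input hooks already ran for this packet in ip_tryforward().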
Attachments on bug 221137: 184886 | 185012 | 196187