author | kp <kp@FreeBSD.org> | 2016-08-17 09:24:46 +0000 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2016-09-27 14:11:05 -0300 |
commit | 96aef5e8573233292ae9fc73f77cf0cdf92dc41a (patch) | |
tree | fd16b8236303a21e49816a246b30c898682866db | |
parent | dca591671748f0eeb546d2a564d91e741bea265e (diff) | |
MFC r302497:
pf: Map hook returns onto the correct error values
pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers
expect to get E<foo> error codes.
Map the return values. A pass is 0 (everything is OK), anything else means
pf ate the packet, so return EACCES, which tells the stack not to emit an ICMP
error message.
PR: 207598
(cherry picked from commit 26d31e281678303d3071eb6fbac74b22036f44c5)
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index b00952c..2543879 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -3626,7 +3626,9 @@ pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
 *m = NULL;
 }
- return (chk);
+ if (chk != PF_PASS)
+ return (EACCES);
+ return (0);
 }
 static int
@@ -3641,7 +3643,9 @@ pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
 *m = NULL;
 }
- return (chk);
+ if (chk != PF_PASS)
+ return (EACCES);
+ return (0);
 }
 #endif
@@ -3664,7 +3668,9 @@ pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
 m_freem(*m);
 *m = NULL;
 }
- return chk;
+ if (chk != PF_PASS)
+ return (EACCES);
+ return (0);
 }
 static int
@@ -3680,7 +3686,9 @@ pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
 m_freem(*m);
 *m = NULL;
 }
- return chk;
+ if (chk != PF_PASS)
+ return (EACCES);
+ return (0);
 }
 #endif /* INET6 */ |
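Review bot: The reason for returning EACCES lives only in the commit message; the new `if (chk != PF_PASS) return (EACCES);` tail of pf_check_in carries no comment, and the same three lines are repeated in pf_check_out, pf_check6_in and pf_check6_out. I would add above each mapping something like `/* pfil callers expect an errno: 0 = pass, EACCES = dropped, no ICMP error generated */`, or move the mapping into one static helper so the four hooks cannot drift apart. Collapsing every non-pass verdict to an error is fail-closed, which is the right default for a packet filter, and it is worth saying so in that comment so that a later change does not let a new verdict slip through as 0. The function bodies start outside these hunks, so the earlier handling of `chk` is only partly visible here.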