do not send icmp response if the original packet is encrypted.

Obtained from: KAME MFC after: 1 week
author: ume <ume@FreeBSD.org> 2004-06-07 09:56:59 +0000
committer: ume <ume@FreeBSD.org> 2004-06-07 09:56:59 +0000
commit: 4ef088056e761c4db372fe0ae25a21f4c0d9d04b (patch)
tree: 2579bd1eceeba43346eeb79b828a974bd21dec27 /sys/netinet/ip_icmp.c
parent: 24fcba21fb1b24b2fca81a5f0c3d537edb00b4b9 (diff)
download: FreeBSD-src-4ef088056e761c4db372fe0ae25a21f4c0d9d04b.zip
FreeBSD-src-4ef088056e761c4db372fe0ae25a21f4c0d9d04b.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 5517abe..ee24e51 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -154,10 +154,13 @@ icmp_error(n, type, code, dest, destifp)
 	if (type != ICMP_REDIRECT)
 		icmpstat.icps_error++;
 	/*
+	 * Don't send error if the original packet was encrypted.
 	 * Don't send error if not the first fragment of message.
 	 * Don't error if the old packet protocol was ICMP
 	 * error message, only known informational types.
 	 */
+	if (n->m_flags & M_DECRYPTED)
+		goto freeit;
 	if (oip->ip_off &~ (IP_MF|IP_DF))
 		goto freeit;
 	if (oip->ip_p == IPPROTO_ICMP && type != ICMP_REDIRECT &&
author	ume <ume@FreeBSD.org>	2004-06-07 09:56:59 +0000
committer	ume <ume@FreeBSD.org>	2004-06-07 09:56:59 +0000
commit	4ef088056e761c4db372fe0ae25a21f4c0d9d04b (patch)
tree	2579bd1eceeba43346eeb79b828a974bd21dec27 /sys/netinet/ip_icmp.c
parent	24fcba21fb1b24b2fca81a5f0c3d537edb00b4b9 (diff)
download	FreeBSD-src-4ef088056e761c4db372fe0ae25a21f4c0d9d04b.zip FreeBSD-src-4ef088056e761c4db372fe0ae25a21f4c0d9d04b.tar.gz