-rw-r--r-- | sbin/ipfw/ipfw.8 | 4 | ||||
-rw-r--r-- | sys/netinet/ip_fw2.c | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 9197b6b..e985fa9 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1267,8 +1267,8 @@ packets with source addresses not from this interface.
 .It Cm versrcreach
 For incoming packets,
 a routing table lookup is done on the packet's source address.
-If a route to the source address exists, but not the default route,
-the packet matches.
+If a route to the source address exists, but not the default route
+or a blackhole/reject route, the packet matches.
 Otherwise the packet does not match.
 All outgoing packets match.
 .Pp
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 0b6f754..de6abf3 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -506,6 +506,12 @@ verify_path(struct in_addr src, struct ifnet *ifp)
 return 0;
 }
 
+ /* or if this is a blackhole/reject route */
+ if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ RTFREE(ro.ro_rt);
+ return 0;
+ }
+
 /* found valid route */
 RTFREE(ro.ro_rt);
 return 1; |
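Review bot: The new reject/blackhole test in verify_path is gated on `ifp == NULL`, so it only tightens the lookup when no interface is passed; with an interface supplied, a source address that resolves to an RTF_REJECT or RTF_BLACKHOLE route is still accepted as long as the checks above the hunk pass. If that is intentional, the comment should say why the interface-supplied case does not need the test; otherwise the `ifp == NULL &&` term can be dropped so both modes refuse such sources. The flag test would also read more safely with explicit grouping: `if (ifp == NULL && (ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) != 0) {`. verify_path starts and ends outside this hunk, so what the earlier checks do for the `ifp != NULL` case is inferred rather than visible here.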