Hi,

When pf(4) forwards incoming packets with route-to or reply-to, it should decrement the time-to-live or hop-limit field. This makes traceroute work and prevents routing loops. For outgoing packets, ip_forward() has already done this.
ok? bluhm
Index: net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.1055
diff -u -p -r1.1055 pf.c
--- net/pf.c 10 Jan 2018 13:57:17 -0000 1.1055
+++ net/pf.c 14 Jan 2018 00:55:30 -0000
@@ -5912,6 +5912,17 @@ pf_route(struct pf_pdesc *pd, struct pf_
 dst->sin_addr = ip->ip_dst;
 rtableid = m0->m_pkthdr.ph_rtableid;
 
+ if (pd->dir == PF_IN) {
+ if (ip->ip_ttl <= IPTTLDEC) {
+ if (r->rt != PF_DUPTO)
+ pf_send_icmp(m0, ICMP_TIMXCEED,
+ ICMP_TIMXCEED_INTRANS, 0,
+ pd->af, r, pd->rdomain);
+ goto bad;
+ }
+ ip->ip_ttl -= IPTTLDEC;
+ }
+
 if (s == NULL) {
 bzero(sns, sizeof(sns));
 if (pf_map_addr(AF_INET, r,
@@ -6053,6 +6064,17 @@ pf_route6(struct pf_pdesc *pd, struct pf
 dst->sin6_len = sizeof(*dst);
 dst->sin6_addr = ip6->ip6_dst;
 rtableid = m0->m_pkthdr.ph_rtableid;
+
+ if (pd->dir == PF_IN) {
+ if (ip6->ip6_hlim <= IPV6_HLIMDEC) {
+ if (r->rt != PF_DUPTO)
+ pf_send_icmp(m0, ICMP6_TIME_EXCEEDED,
+ ICMP6_TIME_EXCEED_TRANSIT, 0,
+ pd->af, r, pd->rdomain);
+ goto bad;
+ }
+ ip6->ip6_hlim -= IPV6_HLIMDEC;
+ }
 if (s == NULL) {
 bzero(sns, sizeof(sns));
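Review bot: The decrement at `ip->ip_ttl -= IPTTLDEC;` in the pf_route() hunk invalidates the IPv4 header checksum, and nothing in the hunk refreshes ip_sum; this is only correct if pf_route() already zeroes and recomputes (or offloads via M_IPV4_CSUM_OUT) the header checksum before if_output(), which I believe it does for the NAT case but cannot see here. A one-line comment on the decrement, `/* ip_sum is recomputed below before if_output() */`, would make that dependency explicit for the next reader, or the recompute should be added if it is absent. Note also that the ICMP_TIMXCEED reply is issued via pf_send_icmp() without the M_BCAST/M_MCAST refusal that ip_forward(), as far as I recall, applies before its own TTL check, so a route-to rule matching a broadcast or multicast packet with TTL 1 may answer with ICMP where the forwarding path would silently drop — worth confirming against how pf_test() treats such packets. pf_route() begins and ends outside the hunk.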