From 30de9b210e4145e28e4a3583fd5144fb7bb45cbb Mon Sep 17 00:00:00 2001
From: David Rhodus
Date: Tue, 14 Sep 2004 00:11:07 +0000
Subject: [PATCH] do not send icmp response if the original packet is encrypted. Obtained from: KAME Merged from fbsd.
---
 sys/netinet/ip_icmp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 176cda7d35..b3b0678dda 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -32,7 +32,7 @@
 *
 * @(#)ip_icmp.c 8.2 (Berkeley) 1/4/94
 * $FreeBSD: src/sys/netinet/ip_icmp.c,v 1.39.2.19 2003/01/24 05:11:34 sam Exp $
- * $DragonFly: src/sys/netinet/ip_icmp.c,v 1.10 2004/07/23 14:14:30 joerg Exp $
+ * $DragonFly: src/sys/netinet/ip_icmp.c,v 1.11 2004/09/14 00:11:07 drhodus Exp $
 */
 
 #include "opt_ipsec.h"
@@ -160,10 +160,13 @@ icmp_error(n, type, code, dest, destifp)
 if (type != ICMP_REDIRECT)
 icmpstat.icps_error++;
 /*
+ * Don't send error if the original packet was encrypted.
 * Don't send error if not the first fragment of message.
 * Don't error if the old packet protocol was ICMP
 * error message, only known informational types.
 */
+ if (n->m_flags & M_DECRYPTED)
+ goto freeit;
 if (oip->ip_off &~ (IP_MF|IP_DF))
 goto freeit;
 if (oip->ip_p == IPPROTO_ICMP && type != ICMP_REDIRECT &&
-- 
2.41.0
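Review bot: The comment line added in icmp_error() says what is skipped but not why, and the reason is the security-relevant part: an ICMP error quotes the start of the offending datagram, so for an mbuf flagged `M_DECRYPTED` that quote would presumably be decrypted data leaving the host without IPsec protection. I would extend the comment to `* Don't send error if the original packet was encrypted; the error would quote its decrypted contents in the clear.` The new `goto freeit` is also blanket and silent: it suppresses every error type for decrypted traffic, presumably including need-fragment unreachables, and the only counter touched on this path is the `icmpstat.icps_error++` above it, so path-MTU or reachability problems on protected flows may be harder to diagnose. A sentence in the comment noting that trade-off, or a dedicated drop statistic if the project has a suitable one, would help operators. The body of icmp_error() starts and ends outside this hunk, so the `freeit` path and the code that builds the quoted payload are not visible here.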