do not send icmp response if the original packet is encrypted.

Obtained from: KAME MFC after: 1 week
svn path=/head/; revision=130183
2024-12-13 10:02:38 +00:00 · 2004-06-07 09:56:59 +00:00 · 2004-06-07 09:56:59 +00:00 · cad1917d48 · 2020-12-20 02:59:44 +00:00
commit cad1917d48
parent be5318b2ca
1 changed files with 3 additions and 0 deletions
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@ -154,10 +154,13 @@ icmp_error(n, type, code, dest, destifp)
 	if (type != ICMP_REDIRECT)
 		icmpstat.icps_error++;
 	/*
+	 * Don't send error if the original packet was encrypted.
 	 * Don't send error if not the first fragment of message.
 	 * Don't error if the old packet protocol was ICMP
 	 * error message, only known informational types.
 	 */
+	if (n->m_flags & M_DECRYPTED)
+		goto freeit;
 	if (oip->ip_off &~ (IP_MF|IP_DF))
 		goto freeit;
 	if (oip->ip_p == IPPROTO_ICMP && type != ICMP_REDIRECT &&