From 546c3aa8e92003d6d783c7172f237b41667539e2 Mon Sep 17 00:00:00 2001
From: Jerry Jelinek
Date: Fri, 20 Mar 2015 09:53:35 -0700
Subject: [PATCH] 5733 ipf should only forward when forwarding is enabled
Reviewed by: Dan McDonald
Approved by: Garrett D'Amore
---
 usr/src/uts/common/inet/ipf/ip_fil_solaris.c | 32 +++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c
index 20dc18b588..f958ca2261 100644
--- a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c
+++ b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c
@@ -5,7 +5,7 @@
 *
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 *
- * Copyright (c) 2013, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2015, Joyent, Inc. All rights reserved.
 */

 #if !defined(lint)
@@ -1783,6 +1783,28 @@ fr_info_t *fin;
 return (((phy_if_t)fin->fin_ifp == phy_ifdata_routeto) ? 1 : 0);
 }

+/*
+ * Return true only if forwarding is enabled on the interface.
+ */
+static int
+fr_forwarding_enabled(phy_if_t phyif, net_handle_t ndp)
+{
+ lif_if_t lif;
+
+ for (lif = net_lifgetnext(ndp, phyif, 0); lif > 0;
+ lif = net_lifgetnext(ndp, phyif, lif)) {
+ int res;
+ uint64_t flags;
+
+ res = net_getlifflags(ndp, phyif, lif, &flags);
+ if (res != 0)
+ return (0);
+ if (flags & IFF_ROUTER)
+ return (1);
+ }
+
+ return (0);
+}

 /*
 * Function: fr_fastroute
@@ -1834,6 +1856,10 @@ frdest_t *fdp;
 return (-1);
 }

+ /* Check the src here, fin_ifp is the src interface. */
+ if (!fr_forwarding_enabled((phy_if_t)fin->fin_ifp, net_data_p))
+ return (-1);
+
 inj = net_inject_alloc(NETINFO_VERSION);
 if (inj == NULL)
 return -1;
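Review bot: The header comment on fr_forwarding_enabled() (second hunk) does not state the fail-closed contract that the body implements. The function returns 1 as soon as any logical interface on phyif carries IFF_ROUTER, and returns 0 both when none does and when net_getlifflags() fails on a logical interface before a match is found. Because fr_fastroute() now drops packets on a 0 result, I would spell that out, e.g. `* Return 1 if any logical interface on phyif has IFF_ROUTER set; return 0 otherwise, including when the flags cannot be read (fail closed).` The early `return (0)` on a lookup error also ends the scan before later logical interfaces are examined, which is the conservative choice but should be marked as intentional.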
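Review bot: The comment on the new check in fr_fastroute() (third hunk) treats `fin->fin_ifp` as the source interface, but nothing visible in the hunk establishes that the function is only reached for inbound packets. If it can also run while a packet is being filtered on its way out, fin_ifp would presumably be the egress interface, and a host with forwarding disabled would have its own redirected traffic refused. Please confirm the direction against the callers and record the assumption in the comment, e.g. `/* fin_ifp is the receiving interface here; refuse to forward unless it has forwarding enabled. */`. The bare `return (-1)` also leaves no counter or probe behind, so packets dropped by this policy cannot be told apart from the other failure returns. The rest of fr_fastroute() lies outside the hunk.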
@@ -1898,6 +1924,10 @@ frdest_t *fdp;
 inj->ni_physical = net_routeto(net_data_p, sinp, NULL);
 }

+ /* we're checking the destinatation here */
+ if (!fr_forwarding_enabled(inj->ni_physical, net_data_p))
+ goto bad_fastroute;
+
 /*
 * Clear the hardware checksum flags from packets that we are doing
 * input processing on as leaving them set will cause the outgoing
--
2.11.4.GIT
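Review bot: The destination check in the fourth hunk runs on whatever `inj->ni_physical` holds after the preceding branch, including the value net_routeto() hands back when it finds no route, and relies on fr_forwarding_enabled() returning 0 for that value instead of testing it explicitly. That outcome looks fail-closed because the helper's `lif > 0` loop condition would presumably fail at once, but it depends on net_lifgetnext() behaviour that is not visible here, so the reliance deserves a comment. The comment also carries a typo; I would write `/* Check the destination here; ni_physical is the outgoing interface. */`. The bad_fastroute label and the rest of fr_fastroute() lie outside this hunk, so I cannot confirm that inj is released on this path.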