| author | Kristof Provost <kp@FreeBSD.org> | 2025-12-26 09:58:59 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2025-12-26 09:58:59 +0000 |
| commit | 2e7699355f08258365fb5f65d11ac297e20f78de | |
| tree | f1d6c514847d53b1ec908a4aeab70b1fc65cbc9a | |
| parent | a3394b6a23fb66ccb7e588129d2465ef8ea26d30 | |
pf: don't reject route-to'd too-large packets
If we're sending a packet via pf_route()/pf_route6() we check for packet
size and potentially generate ICMP(6) packet too big messages. If we do,
don't consider this a rejected packet. That is, return PF_PASS and set
the mbuf to NULL rather than returning PF_DROP.
This matters for locally generated packets, because with PF_DROP we
can end up returning EACCES to userspace, causing the connection to
terminate. Instead, with PF_PASS and a NULL mbuf this is translated to
PFIL_CONSUMED, which does not return an error to userspace.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sys/netpfil/pf/pf.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 755b87bcfeb7..8219aacd20de 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9371,7 +9371,8 @@ pf_route(struct pf_krule *r, struct ifnet *oifp, ifp->if_mtu, pd->af, r, pd->act.rtableid); } SDT_PROBE1(pf, ip, route_to, drop, __LINE__); - action = PF_DROP; + /* Return pass, so we return PFIL_CONSUMED to the stack. */ + action = PF_PASS; goto bad; } @@ -9693,7 +9694,8 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp, pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu, pd->af, r, pd->act.rtableid); } - action = PF_DROP; + /* Return pass, so we return PFIL_CONSUMED to the stack. */ + action = PF_PASS; SDT_PROBE1(pf, ip6, route_to, drop, __LINE__); goto bad; } |
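Review bot: In the pf_route() hunk, `action = PF_PASS;` sits after the closing `}` of the block that contains the pf_send_icmp() call, so the packet is now reported as consumed even on the branch where no ICMP "packet too big" message is generated, while the commit message only describes the case where one is sent. If that is intended, the comment should say so; otherwise consider moving the PF_PASS assignment inside that block so the no-ICMP branch keeps the previous PF_DROP behaviour. The hunk also does not show the `bad:` label, so the reviewer has to trust that the path it jumps to leaves the mbuf pointer NULL when action is PF_PASS; a one-line comment there (or in this hunk) stating that requirement would make the PFIL_CONSUMED translation the message relies on explicit.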
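Review bot: In the pf_route6() hunk the new `action = PF_PASS;` is placed before `SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);`, whereas the pf_route() hunk sets it after the corresponding `SDT_PROBE1(pf, ip, route_to, drop, __LINE__);`. Mirroring the same ordering in both functions would keep the two paths readable side by side, and since the probe is still named `drop` while the packet is now passed as consumed, a short note in the comment that the route_to/drop probe also fires for ICMP-answered packets would save the next reader from reading the probe name as a PF_DROP.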
