From 76e1c9c671043e08bdd951ae6c768b541fdede19 Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Mon, 26 Sep 2022 11:58:51 +0200 Subject: [PATCH] if_ovpn: fix address family check when traffic class bits are set When the tunneled (IPv6) traffic had traffic class bits set (but only >= 16) the packet got lost on the receive side. This happened because the address family check in ovpn_get_af() failed to mask correctly, so the version check didn't match, causing us to drop the packet. While here also extend the existing 6-in-6 test case to trigger this issue. PR: 266598 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/if_ovpn.c | 2 +- tests/sys/net/if_ovpn/if_ovpn.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index 286125fb42d5..ed0ff178972f 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -1572,7 +1572,7 @@ ovpn_get_af(struct mbuf *m) return (AF_INET); ip6 = mtod(m, struct ip6_hdr *); - if (ip6->ip6_vfc == IPV6_VERSION) + if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) return (AF_INET6); return (0); diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index 024f2488c951..bc1d3a85c987 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh @@ -383,6 +383,7 @@ atf_test_case "6in6" "cleanup" sleep 10 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 } 6in6_cleanup()