if_ovpn: fix address family check when traffic class bits are set

When the tunneled (IPv6) traffic had traffic class bits set (but only >= 16) the packet got lost on the receive side. This happened because the address family check in ovpn_get_af() failed to mask correctly, so the version check didn't match, causing us to drop the packet. While here also extend the existing 6-in-6 test case to trigger this issue. PR: 266598 Sponsored by: Rubicon Communications, LLC ("Netgate")
2022-09-26 11:58:51 +02:00 · 2022-09-26 11:58:51 +02:00 · 76e1c9c671
commit 76e1c9c671
parent 0fdc247274
2 changed files with 2 additions and 1 deletions
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@ -1572,7 +1572,7 @@ ovpn_get_af(struct mbuf *m)
 		return (AF_INET);

 	ip6 = mtod(m, struct ip6_hdr *);
-	if (ip6->ip6_vfc == IPV6_VERSION)
+	if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION)
 		return (AF_INET6);

 	return (0);
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@ -383,6 +383,7 @@ atf_test_case "6in6" "cleanup"
 	sleep 10

 	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
+	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
 }

 6in6_cleanup()