Date: Wed, 16 Apr 2003 00:58:35 +0300 (EEST) From: dmitry@atlantis.dp.ua To: FreeBSD-gnats-submit@FreeBSD.org Subject: docs/51006: [PATCH] divert(4) and ipfw(8) manpages are too pessimistic Message-ID: <200304152158.h3FLwZWD001346@homelynx.homenet> Resent-Message-ID: <200304152200.h3FM0AJk079404@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 51006
>Category: docs
>Synopsis: [PATCH] divert(4) and ipfw(8) manpages are too pessimistic
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 15 15:00:09 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: dmitry@atlantis.dp.ua
>Release: FreeBSD 4.7-RELEASE i386
>Organization:
Atlantis ISP
>Environment:
System: FreeBSD homelynx.homenet 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Tue Mar 25 12:13:03 EET 2003 root@atlantis.atlantis.dp.ua:/usr/src/sys/compile/lynx i386
>Description:
divert(4) manpage claims:
In the case of an incoming packet the interface name will also be placed
in the 8 bytes following the address.
However, actual code in /sys/netinet/ip_divert.c records receive interface
name when it's defined for packet and fits in 8 bytes (including trailing
zero byte) both for incoming and outgoing packets. This is correct behaviour,
since it allows ipfw rules for transit packets (having 'out recv IFX xmit IFY'
part) to work correctly after divert rules. Also, ipfw(8) manpage incorrectly
states:
Packets diverted to userland, and then reinserted by a userland process
(such as natd(8)) will lose various packet attributes, including
their source interface.
Actually, natd(8) saves and reuses the sockaddr_in (as suggested in divert(4)),
and thus preserves packet source interface name.
>How-To-Repeat:
man 4 divert
man 8 ipfw
>Fix:
Apply the following patch:
--- divert.4.orig Wed Oct 9 15:45:43 2002
+++ divert.4 Tue Apr 15 23:19:33 2003
@@ -50,8 +50,8 @@
the interface on which the packet was received (if the packet
was incoming) or
.Dv INADDR_ANY
-(if the packet was outgoing). In the case of an incoming packet the interface
-name will also be placed in the 8 bytes following the address,
+(if the packet was outgoing). Incoming interface name (if defined
+for the packet) will also be placed in the 8 bytes following the address,
(assuming it fits).
.Sh WRITING PACKETS
Writing to a divert socket is similar to writing to a raw IP socket;
--- ipfw.8.orig Wed Oct 9 15:45:23 2002
+++ ipfw.8 Wed Apr 16 00:30:32 2003
@@ -2018,9 +2018,11 @@
This may be fixed in a later version.
.Pp
Packets diverted to userland, and then reinserted by a userland process
+may lose various packet attributes. Packet source interface name
+will be preserved (assuming it is shorter than 8 bytes) if userland process
+saves and reuses the sockaddr_in
(such as
-.Xr natd 8 )
-will lose various packet attributes, including their source interface.
+.Xr natd 8 ), otherwise it may be lost.
If a packet is reinserted in this manner, later rules may be incorrectly
applied, making the order of
.Cm divert
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200304152158.h3FLwZWD001346>