From owner-freebsd-net Tue Aug 29 13:33:25 2000
Delivered-To: freebsd-net@freebsd.org
Received: from darren2.lnk.telstra.net (darren2.lnk.telstra.net [139.130.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 3C93737B424; Tue, 29 Aug 2000 13:33:18 -0700 (PDT)
Received: (from root@localhost) by darren2.lnk.telstra.net (8.9.1/8.8.7) id UAA28443; Tue, 29 Aug 2000 20:32:56 GMT
From: Darren Reed
Message-Id: <200008292032.HAA19847@avalon.reed.wattle.id.au>
Subject: Re: CFR: patch for ICMP error generation bugs
In-Reply-To: <20000829192913.A39253@sunbay.com> from Ruslan Ermilov at "Aug 29, 0 07:29:13 pm"
To: ru@FreeBSD.org (Ruslan Ermilov)
Date: Wed, 30 Aug 2000 06:32:40 +1000 (EST)
Cc: net@FreeBSD.org, wollman@FreeBSD.org, fenner@FreeBSD.org, darrenr@FreeBSD.org, kannanv@malgudi.research.bell-labs.com, volf@oasis.IAEhv.nl
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some email I received from Ruslan Ermilov, sie wrote:
> Hi!
>
> There are at least two problem reports PR 16240 and PR 20877
> that this patch addresses. You can easily see yourself what
> gets wrong by monitoring ICMP error messages containing part
> of original datagram with `tcpdump -vvnx icmp' and comparing
> the original datagram with one in generated ICMP error. You
> will notice that sometimes fields are in host byte order, or
> TTL field is decremented.
>
> At least one case is not fixed by this patch -- in an IPFW
> based firewall, when we have a `unreach foo' rule matching
> `out'going packets, the ip_ttl field is still decremented.
[...]

1. I wouldn't remove the {}'s for the "ip (!ipstealth)" bit.
   This is more aesthetics some might argue :)

2. IMHO, "IPSTEALTH" should disappear. I understand why someone wants it
   but as a general "kernel option" I think it is right out of place.
   Let someone hack it into ipfw directly if they feel they desperately
   need it. But that's a separate issue. I'd not seen where it was/what it
   did until now. Anyone for changing FreeBSD's name to "HackBSD" ? ;-)

3. Your patch does fix up an imbalance on where HTONS()/NTOHS() - almost.
   ip_id should not be converted *back* to network byte order until the
   other fields are. This should get rid of your changes around the ipfw
   check in ip_output() ?

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
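The symptom Ruslan describes (compare the datagram quoted inside the ICMP error with the original as seen by `tcpdump -vvnx icmp`, and find 16-bit fields in host byte order or a decremented TTL) can be modelled and checked mechanically. The C program below is an added example written for this page; it is not code from the thread, the patch, or the FreeBSD kernel. Its model of the stack is an assumption: ip_len and ip_off are held in host order while the datagram is inside the stack, the TTL has already been decremented when the error is raised, and the host is little-endian so "host order" shows up on the wire as swapped bytes. The sample datagram, the function names (`stack_ingest`, `icmp_unreach`, `check_quote`, `demo_mask`) and the finding flags are all constructed for the example.

```c
/* Model of the bug the thread discusses: the IP header quoted in an ICMP error
 * carries 16-bit fields in host byte order and/or a decremented TTL because the
 * stack modified it in place before copying it.  Added example, not FreeBSD
 * code.  Model assumptions: ip_len/ip_off are held in host order while the
 * datagram is in the stack, TTL is decremented before the error is raised, and
 * the host is little-endian, so "host order" shows on the wire as swapped bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPHDR   20
#define ICMPHDR  8
#define QUOTE   (IPHDR + 8)   /* RFC 792: IP header + first 8 payload bytes */

/* Findings of check_quote(), OR'ed together. */
enum { SWAPPED_LEN = 1, SWAPPED_ID = 2, SWAPPED_OFF = 4, TTL_CHANGED = 8, OTHER_DIFF = 16 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static void swap_bytes(uint8_t *p) { uint8_t t = p[0]; p[0] = p[1]; p[1] = t; }

/* RFC 1071 one's-complement checksum. */
static uint16_t cksum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += get16(p + i);
    if (n & 1) s += (uint32_t)p[n - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Constructed input: a 28-byte UDP datagram as received on the wire.  The IP
 * header checksum is left zero; the comparison below ignores that field. */
static const uint8_t wire_dgram[QUOTE] = {
    0x45, 0x00, 0x00, 0x1c,   /* v4, ihl 5, tos 0, total length 28    */
    0x12, 0x34, 0x40, 0x00,   /* id 0x1234, DF set, fragment offset 0 */
    0x40, 0x11, 0x00, 0x00,   /* ttl 64, proto UDP, header checksum   */
    0x0a, 0x00, 0x00, 0x01,   /* src 10.0.0.1                         */
    0x0a, 0x00, 0x00, 0x02,   /* dst 10.0.0.2                         */
    0x04, 0xd2, 0x16, 0x2e,   /* UDP sport 1234, dport 5678           */
    0x00, 0x08, 0x00, 0x00    /* UDP length 8, checksum 0             */
};

/* What the modelled forwarding path has done to the header by the time an
 * ICMP error is generated: ip_len and ip_off in host order, TTL decremented. */
static void stack_ingest(uint8_t *h) { swap_bytes(h + 2); swap_bytes(h + 6); h[8]--; }

/* Build a destination-unreachable error (type 3, code 0) quoting `dgram`.
 * With restore != 0 the quoted header is put back into wire form first,
 * which is the behaviour the patch under discussion is meant to guarantee. */
static size_t icmp_unreach(const uint8_t *dgram, int restore, uint8_t *out)
{
    uint8_t q[QUOTE];
    memcpy(q, dgram, QUOTE);
    if (restore) { swap_bytes(q + 2); swap_bytes(q + 6); q[8]++; }
    memset(out, 0, ICMPHDR);
    out[0] = 3;                       /* type: destination unreachable */
    out[1] = 0;                       /* code: net unreachable */
    memcpy(out + ICMPHDR, q, QUOTE);
    put16(out + 2, cksum(out, ICMPHDR + QUOTE));
    return ICMPHDR + QUOTE;
}

/* Classify one 16-bit field of the quote: identical, byte-swapped, or other. */
static int field16(const uint8_t *orig, const uint8_t *q, size_t off, int swapped_flag)
{
    uint16_t o = get16(orig + off), v = get16(q + off);
    return o == v ? 0 : (v == bswap16(o) ? swapped_flag : OTHER_DIFF);
}

/* Compare the header quoted in an ICMP error with the original datagram, the
 * check done by eye with `tcpdump -vvnx icmp`; returns a bitmask of findings. */
static int check_quote(const uint8_t *orig, const uint8_t *icmp)
{
    const uint8_t *q = icmp + ICMPHDR;
    int r = field16(orig, q, 2, SWAPPED_LEN) | field16(orig, q, 4, SWAPPED_ID)
          | field16(orig, q, 6, SWAPPED_OFF);
    if (orig[8] != q[8]) r |= TTL_CHANGED;
    for (size_t i = 0; i < QUOTE; i++) {
        if ((i >= 2 && i <= 8) || i == 10 || i == 11) continue;  /* done above, or IP cksum */
        if (orig[i] != q[i]) r |= OTHER_DIFF;
    }
    return r;
}

/* Run the model end to end: findings for the unpatched (restore == 0) and the
 * restoring (restore != 0) error path. */
static int demo_mask(int restore)
{
    uint8_t hdr[QUOTE], msg[ICMPHDR + QUOTE];
    memcpy(hdr, wire_dgram, QUOTE);
    stack_ingest(hdr);
    icmp_unreach(hdr, restore, msg);
    return check_quote(wire_dgram, msg);
}

int main(void)
{
    printf("unpatched quote: findings 0x%02x\n", demo_mask(0));
    printf("restored quote : findings 0x%02x\n", demo_mask(1));
    return 0;
}
```

Against real traffic the same comparison works on the bytes `tcpdump -x` prints: line up the quoted header (offset 8 into the ICMP message) with the original datagram, and a field that reads as the byte-swap of the original is a host-order leak rather than corruption, while a TTL off by one points at the forwarding path having decremented it before the copy was taken. Note that `field16` cannot tell "swapped" from "unchanged" for palindromic values such as 0x0000, which is why ip_off with no flags set never shows the bug on its own.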