Message-ID: <5AD5FE79.7050309@incore.de>
Date: Tue, 17 Apr 2018 16:02:33 +0200
From: Andreas Longwitz
To: freebsd-net@freebsd.org
Subject: Changed behaviour of pf after new handling of EACCES in tcp_output() in r315514

In FreeBSD V11 the commit r315514 introduced a new handling of the error
code EACCES from ip_output() in tcp_output.c:

    case EACCES:
            tp->t_softerror = error;
            return (0);

If I use pf and block output with a rule like

    block out quick on em0 inet proto tcp from any to any port 23

and try

    date; telnet 192.168.0.122 23; date

then I see in V10 an immediate reply

    Di 17 Apr 2018 10:46:37 CEST
    Trying 192.168.0.122...
    telnet: connect to address 192.168.0.122: Permission denied
    telnet: Unable to connect to remote host
    Di 17 Apr 2018 10:46:37 CEST

and in V11 with commit r315514 the same reply after 90 seconds; in the
meantime telnet is waiting on WCHAN "connec":

    Di. 17 Apr. 2018 10:46:28 CEST
    Trying 192.168.0.122...
    telnet: connect to address 192.168.0.122: Permission denied
    telnet: Unable to connect to remote host
    Di. 17 Apr. 2018 10:47:43 CEST

I would like to know if this is intended behaviour.

Andreas Longwitz