Date: Tue, 10 Mar 1998 15:35:10 -0600 (CST) From: Alex Nash <nash@Mcs.Net> To: Jt <hometeam@techpower.net> Cc: Mike D Tancsa <mdtancsa@sentex.net>, mike@sentex.net, stable@FreeBSD.ORG Subject: Re: ipfw unreach statement help Message-ID: <Pine.BSF.3.95.980310152913.406G-100000@Jupiter.Mcs.Net> In-Reply-To: <Pine.BSF.3.96.980310162212.3858A-100000@techpower.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 10 Mar 1998, Jt wrote:
>
> I noticed ipfw man pages :
> Discard packets that match this rule, and try to
> send an ICMP unreachable notice with code code,
>
> what is preventing this from happening?
In /sys/netinet/ip_fw.c, starting at line 590 (for rev 1.51.2.12), there
is a test for a set of conditions which must be true to allow an
ICMP response to be sent:
/*
* At this point, we're going to drop the packet.
* Send a reject notice if all of the following are true:
*
* - The packet matched a reject rule
* - The packet is not an ICMP packet
* - The packet is not a multicast or broadcast packet
*/
if ((rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
&& ip->ip_p != IPPROTO_ICMP
&& !((*m)->m_flags & (M_BCAST|M_MCAST))
&& !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
The man page should be updated to mention these conditions.
Alex
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.980310152913.406G-100000>