From owner-freebsd-bugs Wed Jan 27 06:30:03 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA20778 for freebsd-bugs-outgoing; Wed, 27 Jan 1999 06:30:03 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA20760 for ; Wed, 27 Jan 1999 06:30:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.2/8.9.2) id GAA57073; Wed, 27 Jan 1999 06:30:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA20580 for ; Wed, 27 Jan 1999 06:28:23 -0800 (PST) (envelope-from dwmalone@maths.tcd.ie)
Received: from gosset.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 27 Jan 99 14:28:17 +0000 (GMT)
Message-Id: <9901271428.aa56319@gosset.maths.tcd.ie>
Date: Wed, 27 Jan 99 14:28:17 +0000 (GMT)
From: dwmalone@maths.tcd.ie
Reply-To: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/9723: icmp_reflect doesn't clear m->m_pkthdr.rcvif
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 9723
>Category: kern
>Synopsis: icmp_reflect doesn't clear m->m_pkthdr.rcvif
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 27 06:30:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: David Malone
>Release: FreeBSD 2.2.8-STABLE
>Organization: School of Maths, Trinity College, Dublin.
>Environment:

Using ipfw and gatewaying in 2.2.8-STABLE as of last week some time.
Problem looks like it is present in 3.0/4.0 too.

>Description:

When the icmp code uses icmp_reflect to reply to a packet it rewrites
the original packet and then sends that. Unfortunately it does not
clear m->m_pkthdr.rcvif after using it, so the outgoing packet looks
like it has been received on some interface.

This is a problem if you have a firewall rule which then filters stuff
on the received packet. It looks like the same problem is present in
current.

>How-To-Repeat:

Suppose you have a machine with de0 with address 10.0.0.1 and you have
the firewall rules:

	deny ip from 10.0.0.1 to any recv de0
	allow ip from any to any

Pings from interface de0 will not be replied to, as the outgoing reply
will match the first rule.

>Fix:

You can work around this by only filtering on incoming packets. I think
it would be correct to add a clearing of m->m_pkthdr.rcvif toward the
end of icmp_reflect. Something like the following seems to work on
2.2.8-STABLE, and looks like it would work on 3.0/4.0 too.

--- ip_icmp.c.orig Wed Jan 27 14:16:14 1999 +++ ip_icmp.c Wed Jan 27 14:19:38 1999 
@@ -613,6 +613,7 @@ bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1), (unsigned)(m->m_len - sizeof(struct ip))); } + m->m_pkthdr.rcvif = (struct ifnet *)0; m->m_flags &= ~(M_BCAST|M_MCAST); icmp_send(m, opts); done: >Release-Note: >Audit-Trail: >Unformatted:
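
Review bot: the added `m->m_pkthdr.rcvif = (struct ifnet *)0;` line, placed just before `m->m_flags &= ~(M_BCAST|M_MCAST);`, carries no comment saying why the receive interface is being cleared, so it could later be mistaken for dead code and removed. A one-line comment stating that the reflected packet is now a locally generated outgoing reply and must not match `recv` firewall rules would document the intent. Since only this hunk is visible, it is also worth confirming that nothing reached from `icmp_send(m, opts)` still relies on the original rcvif, and `NULL` would read more clearly than the cast zero if the file's style allows it.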
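
The failure from How-To-Repeat, modelled in user space as an added example; it is not code from the report or from FreeBSD. `struct pkt`, `struct rule`, `fw_allows`, `reflect`, `reply_passes` and the peer address 10.0.0.2 are hypothetical stand-ins for the mbuf, the ipfw rule walk and icmp_reflect.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures; only the fields the report mentions. */
struct ifnet { const char *name; };
struct pkt { const char *src, *dst; struct ifnet *rcvif; };    /* rcvif NULL = locally generated */
struct rule { int allow; const char *src; const char *recv; }; /* NULL = "any" / no recv test */

/* First-match rule walk: returns 1 if the packet is allowed, 0 if denied. */
static int fw_allows(const struct rule *r, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].src && strcmp(r[i].src, p->src) != 0)
            continue;
        if (r[i].recv && (p->rcvif == NULL || strcmp(r[i].recv, p->rcvif->name) != 0))
            continue;
        return r[i].allow;
    }
    return 0; /* no rule matched: deny (assumption of this model) */
}

/* Reuse the request buffer as the reply: swap addresses, optionally clear rcvif. */
static void reflect(struct pkt *p, int clear_rcvif)
{
    const char *t = p->src; p->src = p->dst; p->dst = t;
    if (clear_rcvif) p->rcvif = NULL;   /* the one-line fix from the report */
}

/* Returns 1 if the echo reply leaves the host, 0 if the firewall drops it. */
static int reply_passes(int clear_rcvif)
{
    static struct ifnet de0 = { "de0" };
    const struct rule rules[] = {
        { 0, "10.0.0.1", "de0" },   /* deny ip from 10.0.0.1 to any recv de0 */
        { 1, NULL, NULL },          /* allow ip from any to any */
    };
    struct pkt ping = { "10.0.0.2", "10.0.0.1", &de0 }; /* constructed echo request */

    if (!fw_allows(rules, 2, &ping)) return -1; /* request itself was filtered */
    reflect(&ping, clear_rcvif);
    return fw_allows(rules, 2, &ping);
}

int main(void)
{
    printf("reply passes without clearing rcvif: %d\n", reply_passes(0));
    printf("reply passes with rcvif cleared:     %d\n", reply_passes(1));
    return 0;
}
```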