From owner-freebsd-net Thu Aug 23 13:53:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from tp.databus.com (p101-46.acedsl.com [160.79.101.46])
	by hub.freebsd.org (Postfix) with ESMTP id EB71337B409
	for ; Thu, 23 Aug 2001 13:53:36 -0700 (PDT)
	(envelope-from barney@tp.databus.com)
Received: (from barney@localhost)
	by tp.databus.com (8.11.4/8.11.4) id f7NKrRS25064;
	Thu, 23 Aug 2001 16:53:27 -0400 (EDT)
	(envelope-from barney)
Date: Thu, 23 Aug 2001 16:53:26 -0400
From: Barney Wolff
To: Scott Renfro
Cc: freebsd-net@FreeBSD.ORG, Jonathan Lemon, Jesper Skriver, Bill Fenner, Cory Scott
Subject: Re: Proposed change to icmp_may_rst induced ENETRESET
Message-ID: <20010823165326.A24963@tp.databus.com>
References: <20010822020504.C24160@bonsai.home.renfro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010822020504.C24160@bonsai.home.renfro.org>; from scott@renfro.org on Wed, Aug 22, 2001 at 02:05:04AM -0700
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

As another heavy nmap user, I'd vote just the other way. It's useful
to differentiate between a reset coming back from the destination host
and an unreachable from a firewall/router-acl. Ordinary apps probably
don't care all that much about why a connection could not be established,
and just report the error to the user.

Barney Wolff

On Wed, Aug 22, 2001 at 02:05:04AM -0700, Scott Renfro wrote:
> On Tue, Mar 27, 2001 at 10:48:26AM -0600, Jonathan Lemon wrote:
> > On Tue, Mar 27, 2001 at 06:36:46PM +0200, Jesper Skriver wrote:
> > > On Tue, Mar 27, 2001 at 10:19:22AM -0600, Jonathan Lemon wrote:
> > > >
> > > > I forget why I picked ENETRESET; probably because it was the
> > > > first thing that leaped out at me when I quickly skimmed over
> > > > looking for an appropriate error code; but I
> > > > didn't consider the UDP case.
> > >
> > > --- src/sys/netinet/ip_input.c 2001/03/08 23:14:54 > > > 1.130.2.21 > > > +++ src/sys/netinet/ip_input.c 2001/03/27 16:35:15 
> > > @@ -1484,7 +1484,7 @@ > > > EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, > > > EMSGSIZE, EHOSTUNREACH, 0, 0, > > > 0, 0, > > > 0, 0, > > > - ENOPROTOOPT, ENETRESET > > > + ENOPROTOOPT, ECONNREFUSED > > > };
> >
> > Yes, I think this probably is the best approach; just get rid
> > of the ENETRESET altogether for this case.
>
> In follow-up to this discussion from March (yes, I'm a slow reader ;-),
> I'd like to propose that we do, in fact, s/ENETRESET/ECONNREFUSED/ in
> the inetctlerrmap in ip_input.c.
>
> At work, we make extensive use of nmap, which uses a mixture of
> OS-provided stack features and direct packet capture/generation. We
> discovered that the icmp_may_rst code added to FreeBSD causes nmap to
> report incorrect results when ICMP_UNREACH_*_PROHIB messages are
> received in response to connect(2).
>
> We've considered just disabling the tunable, changing nmap, or changing
> FreeBSD. After much analysis, we've concluded that the most sensible change
> is for FreeBSD to generate an ECONNREFUSED in response to the icmp
> unreach prohib messages. I'm sure other applications expect
> ECONNREFUSED but not ENETRESET in response to connect(2) calls as well.
>
> Since this only occurs in the TCPS_SYN_SENT state, there cannot be an
> actual tcp connection in place to reset. And, since we're in a SYN_SENT
> state, what is most likely happening is that our connection request is
> being refused by the remote host (or an upstream router/firewall).
>
> Finally, ECONNREFUSED is, and long has been, a documented error in the
> connect(2) man page.
>
> While I'm at it, I'll be bold and request that if this change is
> acceptable, it be MFC'd for 4.4-RELEASE (I think this is a low-risk,
> high-payoff change, but opinions may vary). (I do like the icmp_may_rst
> behavior in general, of course.)
>
> I've attached a copy of the desired patch since the one above may be
> hosed by message reformatting.
>
> cheers,
> --Scott
>
> --
> Scott Renfro +1 650 862 4206
> --- src/sys/netinet/ip_input.c.orig Wed Aug 22 01:49:43 2001 > +++ src/sys/netinet/ip_input.c Wed Aug 22 01:50:06 2001 > @@ -1562,7 +1562,7 @@ > EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, > EMSGSIZE, EHOSTUNREACH, 0, 0, > 0, 0, 0, 0, > - ENOPROTOOPT, ENETRESET > + ENOPROTOOPT, ECONNREFUSED > }; > > /*
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
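
Review bot: The changed last entry of the table (`- ENOPROTOOPT, ENETRESET` to `+ ENOPROTOOPT, ECONNREFUSED`) sits in a purely positional array of bare errno values and zeros, so nothing in the hunk says which control code that slot serves; add a comment on that line naming it (the message ties it to the ICMP_UNREACH_*_PROHIB case handled by icmp_may_rst). With this change the visible lines carry ECONNREFUSED in three slots, so a caller of connect(2) can no longer separate this case from the existing ECONNREFUSED cases by errno alone, which is the objection raised in the reply; the commit message should record that trade-off and the fact that the justification given covers only the TCPS_SYN_SENT path, since the earlier quoted text notes the UDP case was not considered. The first quoted copy of the hunk (`@@ -1484,7 +1484,7 @@`) has a wrapped file header and split context lines, so only the attached copy at `@@ -1562,7 +1562,7 @@` should be applied.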