Date: Fri, 21 Dec 2001 19:12:21 +0300
From: Yar Tikhiy <yar@FreeBSD.org>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: net@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: IP options (was: Processing IP options reveals IPSTEALH router)
Message-ID: <20011221191221.C25868@comp.chem.msu.su>
In-Reply-To: <20011220011255.G79558-100000@news1.macomnet.ru>; from maxim@macomnet.ru on Thu, Dec 20, 2001 at 01:24:48AM +0300
References: <20011220003555.A52848@comp.chem.msu.su> <20011220011255.G79558-100000@news1.macomnet.ru>
On Thu, Dec 20, 2001 at 01:24:48AM +0300, Maxim Konovalov wrote:
>
> > Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> > if a source-routed IP packet reaches the end of its route, but its
> > destination address doesn't match a current host/router, whether
> > the packet should be discarded, sent forth through usual routing
> > or accepted as destined for this host? FreeBSD will route such a
> > packet as usual.
>
> Stevens, TCP Ill. vII, p.257 says:
>
> "If the destination address of the packet does not match one of the
> local addresses and the option is a strict source routing
> (IPOPT_SSRR), an ICMP source route failure error is sent. If a local
> address isn't listed in the route, the previous system sent the packet
> to the wrong host. This isn't an error for a loose source route
> (IPOPT_LSRR); it means IP must forward the packet toward the
> destination."
>
> That is what ip_input does near the line 1193.

Oops, it appeared that I misunderstood the way the source route
record worked. FreeBSD does it right, except for a host (ipforwarding=0)
replying with error ICMP on some source route attempts.

What about the following small change?

--- /usr/src/sys/netinet.orig/ip_input.c Fri Dec 7 00:54:48 2001
+++ netinet/ip_input.c Fri Dec 21 19:08:56 2001
@@ -1212,13 +1212,13 @@
ia = (struct in_ifaddr *)
ifa_ifwithaddr((struct sockaddr *)&ipaddr);
if (ia == 0) {
+ if (!ip_dosourceroute)
+ goto nosourcerouting;
if (opt == IPOPT_SSRR) {
type = ICMP_UNREACH;
code = ICMP_UNREACH_SRCFAIL;
goto bad;
}
- if (!ip_dosourceroute)
- goto nosourcerouting;
/*
* Loose routing, and not at next destination
* yet; nothing to do except forward.
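Review bot: The moved `if (!ip_dosourceroute)` test at the top of the `ia == 0` block needs a comment, and the message should mention it, because it changes what a strict source route failure does when ip_dosourceroute is off. Before, `opt == IPOPT_SSRR` set ICMP_UNREACH / ICMP_UNREACH_SRCFAIL and went straight to `bad`; now that path is skipped and the packet goes to `nosourcerouting`, which the next hunk places ahead of the `if (ipforwarding)` test. On a forwarding router this means every such packet also produces an "attempted source route" log line, which it did not before. Please state in a comment that the ip_dosourceroute setting is meant to take precedence over the SSRR error, and confirm the extra logging is wanted.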
@@ -1231,18 +1231,19 @@
* End of source route. Should be for us.
*/
if (!ip_acceptsourceroute)
- goto nosourcerouting;
+ goto logandsendicmp;
save_rte(cp, ip->ip_src);
break;
}
if (!ip_dosourceroute) {
+nosourcerouting:
if (ipforwarding) {
char buf[16]; /* aaa.bbb.ccc.ddd\0 */
/*
* Acting as a router, so generate ICMP
*/
-nosourcerouting:
+logandsendicmp:
strcpy(buf, inet_ntoa(ip->ip_dst));
log(LOG_WARNING,
"attempted source route from %s to %s\n",
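Review bot: The `goto logandsendicmp` in the end-of-source-route case lands inside the `if (ipforwarding)` block, past the test itself, so a host with ipforwarding=0 and ip_acceptsourceroute off still takes the log-and-ICMP path, which looks at odds with the aim of stopping hosts from replying with ICMP. If that exception is intended because the packet has reached the end of its route on this machine, say so in a comment at the label; the existing "Acting as a router, so generate ICMP" comment directly above `logandsendicmp:` no longer describes every path that reaches it. If it is not intended, jump to `nosourcerouting` here as well so the ipforwarding test applies.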
--
Yar
