Date: Sun, 23 Dec 2001 00:03:20 +0300 (MSK)
From: Maxim Konovalov
To: Yar Tikhiy
Cc: net@FreeBSD.ORG,
Subject: Re: IP options (was: Processing IP options reveals IPSTEALH router)
In-Reply-To: <20011221191221.C25868@comp.chem.msu.su>
Message-ID: <20011222235149.S26298-100000@news1.macomnet.ru>

Hi, Yar,

On 19:12+0300, Dec 21, 2001, Yar Tikhiy wrote:

> On Thu, Dec 20, 2001 at 01:24:48AM +0300, Maxim Konovalov wrote:
> >
> > > Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> > > if a source-routed IP packet reaches the end of its route, but its
> > > destination address doesn't match a current host/router, whether
> > > the packet should be discarded, sent forth through usual routing
> > > or accepted as destined for this host? FreeBSD will route such a
> > > packet as usual.
> >
> > Stevens, TCP Ill. vII, p.257 says:
> >
> > "If the destination address of the packet does not match one of the
> > local addresses and the option is a strict source routing
> > (IPOPT_SSRR), an ICMP source route failure error is sent. If a local
> > address isn't listed in the route, the previous system sent the packet
> > to the wrong host. This isn't an error for a loose source route
> > (IPOPT_LSRR); it means IP must forward the packet toward the
> > destination."
> >
> > That is what ip_input does near the line 1193.
>
> Oops, it appeared that I misunderstood the way the source route
> record worked. FreeBSD does it right, except for a host (ipforwarding=0)
> replying with error ICMP on some source route attempts.
> What about the following small change?
>
> --- /usr/src/sys/netinet.orig/ip_input.c Fri Dec 7 00:54:48 2001 > +++ netinet/ip_input.c Fri Dec 21 19:08:56 2001
> @@ -1212,13 +1212,13 @@ > ia = (struct in_ifaddr *) > ifa_ifwithaddr((struct sockaddr *)&ipaddr); > if (ia == 0) { > + if (!ip_dosourceroute) > + goto nosourcerouting;

Nice catch.

> if (opt == IPOPT_SSRR) { > type = ICMP_UNREACH; > code = ICMP_UNREACH_SRCFAIL; > goto bad; > } > - if (!ip_dosourceroute) > - goto nosourcerouting; > /* > * Loose routing, and not at next destination > * yet; nothing to do except forward. > @@ -1231,18 +1231,19 @@ > * End of source route. Should be for us. > */ > if (!ip_acceptsourceroute) > - goto nosourcerouting; > + goto logandsendicmp; > save_rte(cp, ip->ip_src); > break; > } > > if (!ip_dosourceroute) { > +nosourcerouting:

I do not agree here. As far as I understand, when we receive an SSRR
packet and none of our addresses is in the source routing address
list, we have to send ICMP_UNREACH to the sender regardless of
net.inet.ip.forwarding.

> if (ipforwarding) { > char buf[16]; /* aaa.bbb.ccc.ddd\0 */ > /* > * Acting as a router, so generate ICMP > */ > -nosourcerouting: > +logandsendicmp: > strcpy(buf, inet_ntoa(ip->ip_dst)); > log(LOG_WARNING, > "attempted source route from %s to %s\n", > >

Btw, there are many comparisons like cnt < IPOPT_OLEN + sizeof(*cp) in
ip_dooptions(). IMHO it is stricter to compare against IPOPT_MIN,
because a multibyte IP option's length cannot be less than four bytes.
Am I wrong?

--
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
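
Review bot: In the first hunk (@@ -1212,13), testing "if (!ip_dosourceroute)" above the "opt == IPOPT_SSRR" branch means a strict source route whose next address is not local no longer reaches "code = ICMP_UNREACH_SRCFAIL; goto bad;" when ip_dosourceroute is 0. Together with the label move in the second hunk, that packet now lands in front of "if (ipforwarding)", so whether the sender gets any ICMP at all depends on ipforwarding. If suppressing the SRCFAIL reply on hosts is intended, the comment above this block should say so. If it is not, keep the SSRR branch first and move only the loose-route case behind the ip_dosourceroute test.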
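
Review bot: In the second hunk (@@ -1231,18), "goto logandsendicmp" from the "!ip_acceptsourceroute" case jumps into the body of "if (ipforwarding)" and past the ipforwarding test, directly under the comment "Acting as a router, so generate ICMP". The end-of-route case therefore logs and answers even with ipforwarding=0, while the nosourcerouting path now honours ipforwarding. The two labels sit a few lines apart and behave differently, so either update that comment to explain why the end-of-route case skips the test, or hoist the log-and-reply code out of the if block so neither path has to jump into it.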
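
The length comparisons mentioned at the end of the message, shown in context as an added example (not FreeBSD's ip_dooptions() and not code from this thread): a bounds-checked walk over an IP options area. check_ip_options(), the opt_error codes and the sample byte arrays are hypothetical names and constructed data; the IPOPT_* values are those of RFC 791 and <netinet/ip.h>.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as in RFC 791 / <netinet/ip.h>, repeated so the file is self-contained. */
#define IPOPT_EOL    0
#define IPOPT_NOP    1
#define IPOPT_LSRR   131
#define IPOPT_SSRR   137
#define IPOPT_OPTVAL 0   /* offset of the option type byte */
#define IPOPT_OLEN   1   /* offset of the option length byte */
#define IPOPT_OFFSET 2   /* offset of the source-route pointer byte */
#define IPOPT_MINOFF 4   /* smallest legal pointer value */

enum opt_error { OPT_BAD_LENGTH = -1, OPT_BAD_POINTER = -2 };  /* hypothetical */

/* Returns the number of source-route options seen, or a negative opt_error. */
int check_ip_options(const uint8_t *cp, size_t cnt)
{
    int routes = 0;
    while (cnt > 0) {
        uint8_t opt = cp[IPOPT_OPTVAL];
        size_t optlen = 1;                    /* NOP is a single byte */
        if (opt == IPOPT_EOL)
            break;
        if (opt != IPOPT_NOP) {
            /* The length byte must exist before it is read. */
            if (cnt < IPOPT_OLEN + sizeof(*cp))
                return OPT_BAD_LENGTH;
            optlen = cp[IPOPT_OLEN];
            /* It must cover type+length and stay inside the options area. */
            if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
                return OPT_BAD_LENGTH;
        }
        if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
            /* Source routes also carry a pointer byte: type, length, pointer. */
            if (optlen < IPOPT_OFFSET + sizeof(*cp))
                return OPT_BAD_LENGTH;
            if (cp[IPOPT_OFFSET] < IPOPT_MINOFF)
                return OPT_BAD_POINTER;
            routes++;
        }
        cp += optlen;
        cnt -= optlen;
    }
    return routes;
}

/* Constructed samples, not captured traffic. */
static const uint8_t sample_lsrr[]      = { IPOPT_LSRR, 7, 4, 192, 0, 2, 1, IPOPT_EOL };
static const uint8_t sample_truncated[] = { IPOPT_SSRR, 11, 4, 192, 0, 2, 1 };
static const uint8_t sample_short_ptr[] = { IPOPT_NOP, IPOPT_SSRR, 3, 1 };
static const uint8_t sample_lone_type[] = { IPOPT_NOP, IPOPT_SSRR };
```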