Date: Wed, 19 Apr 2006 10:50:18 GMT
From: Xin LI <delphij@delphij.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket under certain situations
Message-ID: <200604191050.k3JAoIvZ045822@freefall.freebsd.org>

The following reply was made to PR kern/95559; it has been noted by GNATS.

From: Xin LI <delphij@delphij.net>
To: Gleb Smirnoff <glebius@FreeBSD.org>, gnn@FreeBSD.org, Robert Watson <rwatson@FreeBSD.org>, mlaier@FreeBSD.org
Cc: Xin LI <delphij@FreeBSD.org>, dhartmei@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket under certain situations
Date: Wed, 19 Apr 2006 18:48:39 +0800

Hi, Gleb!

On Wed, 2006-04-19 at 14:38 +0400, Gleb Smirnoff wrote:
> X> By removing either rule from the pf.conf seems to work
> X> around the issue. However, we have grep'ed EPERM from netinet
> X> and pf code and found that there is not a reasonable reason
> X> why write(2) would return EPERM in the code path.
>
> I think this behavior is correct. The traffic from host to jail
> is routed through lo0, however within a jail the hosts address
> is a foreign one, and thus is routed via some interface, not lo0.
>
> So traffic from host to jail runs through lo0 and traffic from
> jail to host doesn't.
>
> With the above rules you establish TCP scrubbing in pf, which
> requires inspecting and normalizing TCP packets in both
> directions. However, you skip pf processing for one direction,
> and pf sees only half of TCP connection and assumes connection
> bogus and thus denies it.

The strange thing is that the TCP connection (in ESTABLISHED state)'s socket will return EPERM after a good bunch of successful write() calls. Will pf happen to see only half of the TCP connection if it is in ESTABLISHED state?

Cheers,
-- 
Xin LI <delphij delphij net> http://www.delphij.net/