From owner-freebsd-bugs@FreeBSD.ORG Wed Apr 19 10:50:19 2006 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3360116A401 for ; Wed, 19 Apr 2006 10:50:19 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C8DF443D4C for ; Wed, 19 Apr 2006 10:50:18 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k3JAoIxW045824 for ; Wed, 19 Apr 2006 10:50:18 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k3JAoIvZ045822; Wed, 19 Apr 2006 10:50:18 GMT (envelope-from gnats) Date: Wed, 19 Apr 2006 10:50:18 GMT Message-Id: <200604191050.k3JAoIvZ045822@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Xin LI Cc: Subject: Re: kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket under certain situations X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Xin LI List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Apr 2006 10:50:19 -0000 The following reply was made to PR kern/95559; it has been noted by GNATS. From: Xin LI To: Gleb Smirnoff , gnn@FreeBSD.org, Robert Watson , mlaier@FreeBSD.org Cc: Xin LI , dhartmei@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org Subject: Re: kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket under certain situations Date: Wed, 19 Apr 2006 18:48:39 +0800 --=-+RZxZOiXMpDlIO44tzHy Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi, Gleb! =E5=9C=A8 2006-04-19=E4=B8=89=E7=9A=84 14:38 +0400=EF=BC=8CGleb Smirnoff=E5= =86=99=E9=81=93=EF=BC=9A > X> By removing either rule from the pf.conf seems to work > X> around the issue. However, we have grep'ed EPERM from netinet > X> and pf code and found that there is not a reasonable reason > X> why write(2) would return EPERM in the code path. >=20 > I think this behavior is correct. The traffic from host to jail > is routed through lo0, however within a jail the hosts address > is a foreign one, and thus is routed via some interface, not lo0. >=20 > So traffic from host to jail runs through lo0 and traffic from > jail to host doesn't. >=20 > With the above rules you establish TCP scurbbing in pf, which > requires inspecting and normalizing TCP packets in both > directions. However, you skip pf processing for one direction, > and pf sees only half of TCP connection and assumes connection > bogus and thus denies it. The strange thing is that the TCP connection (in ESTABLISHED state)'s socket will return EPERM after a good bunch of successful write() calls. Will pf happen to see only half of the TCP connection if it is in ESTABLISHED state? Cheers, --=20 Xin LI http://www.delphij.net/ --=-+RZxZOiXMpDlIO44tzHy Content-Type: application/pgp-signature; name=signature.asc Content-Description: =?UTF-8?Q?=E8=BF=99=E6=98=AF=E4=BF=A1=E4=BB=B6=E7=9A=84=E6=95=B0?= =?UTF-8?Q?=E5=AD=97=E7=AD=BE=E5=90=8D=E9=83=A8=E5=88=86?= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQBERhWHhcUczkLqiksRAsNEAJ9DNdOWZ4kJBiKGk0TlCA0NeiPQHwCaAqGp tJrbWOUkNHJp9iUCd9uzkD4= =5mMH -----END PGP SIGNATURE----- --=-+RZxZOiXMpDlIO44tzHy--