Site Navigation

Date:      Fri, 24 Nov 2000 23:20:33 +0100 (CET)
From:      jesper@skriver.dk
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        jesper@skriver.dk
Subject:   kern/23086: implement rfc1122 3.2.2.1
Message-ID:  <20001124222033.2BBFF3E4F@freesbee.wheel.dk>

---

next in thread | raw e-mail | index | archive | help

---

>Number:         23086
>Category:       kern
>Synopsis:       implement rfc1122 3.2.2.1, react to ICMP administratively prohibited
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 24 14:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jesper Skriver
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Tele Danmark
>Environment:
System: FreeBSD tam 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Nov 20 22:19:22 CET 2000 root@tam:/usr/obj/usr/src/sys/TAM2 i386

	Any FreeBSD machine.
>Description:

	We currently does not react to ICMP administratively prohibited messages
send by routers when they deny our traffic, this causes a timeout when trying to
connect to TCP ports/services on a remote host, which is blocked by routers or
firewalls.

	rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually require
that we treat such a message for a TCP session, that we treat it like if we had
recieved a RST.

quote begin.

            A Destination Unreachable message that is received MUST be
            reported to the transport layer.  The transport layer SHOULD
            use the information appropriately; for example, see Sections
            4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
            that has its own mechanism for notifying the sender that a
            port is unreachable (e.g., TCP, which sends RST segments)
            MUST nevertheless accept an ICMP Port Unreachable for the
            same purpose.

quote end.

I've written a small extension that implement this, it also create a sysctl
"net.inet.tcp.icmp_admin_prohib_like_rst" to control if this new behaviour
is activated.

When it's activated (set to 1) we'll treat a ICMP administratively prohibited 
message (icmp type 3 code 9, 10 and 13) for a TCP sessions, as if we recived 
a TCP RST, but only if the TCP session is in SYN_SENT state.

The reason for only reacting when in SYN_SENT state, is that this will solve
the problem, and at the same time minimize the risk of this being abused.

I suggest that we enable this new behaviour by default, but it would be a 
change of current behaviour, so if people prefer to leave it disabled by 
default, at least for now, this would be ok for me, the attached diff 
actually have the sysctl set to 0 by default.

>How-To-Repeat:

	Try to telnet to any host where this is blocked by a router/firewall
that sends ICMP administratively prohibited messages, and do this with this 
sysctl set to 0 and to 1, like below:

tam# sysctl -w net.inet.tcp.icmp_admin_prohib_like_rst=0
net.inet.tcp.icmp_admin_prohib_like_rst: 1 -> 0
tam# time telnet 193.89.247.125 25
Trying 193.89.247.125...
telnet: connect to address 193.89.247.125: Connection refused
telnet: Unable to connect to remote host
0.012u 0.000s 0:45.06 0.0%      88+164k 0+0io 0pf+0w
tam# sysctl -w net.inet.tcp.icmp_admin_prohib_like_rst=1
net.inet.tcp.icmp_admin_prohib_like_rst: 0 -> 1
tam# time telnet 193.89.247.125 25
Trying 193.89.247.125...
telnet: connect to address 193.89.247.125: Connection refused
telnet: Unable to connect to remote host
0.012u 0.000s 0:00.06 16.6%     88+152k 0+0io 0pf+0w

This saved 45 seconds ...

>Fix:

	Apply the below diff

diff -ru sys/netinet.old/ip_icmp.c sys/netinet/ip_icmp.c
--- sys/netinet.old/ip_icmp.c	Thu Nov  2 10:46:23 2000
+++ sys/netinet/ip_icmp.c	Mon Nov 20 22:33:43 2000
@@ -328,6 +328,11 @@
 
 			case ICMP_UNREACH_NET_UNKNOWN:
 			case ICMP_UNREACH_NET_PROHIB:
+				if (icp->icmp_ip.ip_p == IPPROTO_TCP) {
+					code = PRC_UNREACH_PORT;
+					break;
+				}
+
 			case ICMP_UNREACH_TOSNET:
 				code = PRC_UNREACH_NET;
 				break;
@@ -335,11 +340,21 @@
 			case ICMP_UNREACH_HOST_UNKNOWN:
 			case ICMP_UNREACH_ISOLATED:
 			case ICMP_UNREACH_HOST_PROHIB:
+				if (icp->icmp_ip.ip_p == IPPROTO_TCP) {
+					code = PRC_UNREACH_PORT;
+					break;
+				}
+
 			case ICMP_UNREACH_TOSHOST:
 				code = PRC_UNREACH_HOST;
 				break;
 
 			case ICMP_UNREACH_FILTER_PROHIB:
+				if (icp->icmp_ip.ip_p == IPPROTO_TCP) {
+					code = PRC_UNREACH_PORT;
+					break;
+				}
+
 			case ICMP_UNREACH_HOST_PRECEDENCE:
 			case ICMP_UNREACH_PRECEDENCE_CUTOFF:
 				code = PRC_UNREACH_PORT;
diff -ru sys/netinet.old/tcp_subr.c sys/netinet/tcp_subr.c
--- sys/netinet.old/tcp_subr.c	Fri Oct 27 13:45:41 2000
+++ sys/netinet/tcp_subr.c	Tue Nov 21 21:16:27 2000
@@ -134,6 +134,15 @@
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, pcbcount, CTLFLAG_RD, 
     &tcbinfo.ipi_count, 0, "Number of active PCBs");
 
+/*
+ * Treat ICMP administratively prohibited like a TCP RST
+ * as required by rfc1122 section 3.2.2.1
+ */
+ 
+static int	icmp_admin_prohib_like_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_admin_prohib_like_rst, CTLFLAG_RW,
+	&icmp_admin_prohib_like_rst, 0, "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1");
+
 static void	tcp_cleartaocache __P((void));
 static void	tcp_notify __P((struct inpcb *, int));
 
@@ -961,6 +970,8 @@
 
 	if (cmd == PRC_QUENCH)
 		notify = tcp_quench;
+	else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip))
+		notify = tcp_drop_syn_sent;
 	else if (cmd == PRC_MSGSIZE)
 		notify = tcp_mtudisc;
 	else if (!PRC_IS_REDIRECT(cmd) &&
@@ -1071,6 +1082,20 @@
 
 	if (tp)
 		tp->snd_cwnd = tp->t_maxseg;
+}
+
+/*
+ * When a ICMP unreachable is recieved, drop the
+ * TCP connection, but only if in SYN_SENT
+ */
+void
+tcp_drop_syn_sent(inp, errno)
+	struct inpcb *inp;
+	int errno;
+{
+	struct tcpcb *tp = intotcpcb(inp);
+	if((tp) && (tp->t_state == TCPS_SYN_SENT))
+			tcp_drop(tp, errno);
 }
 
 /*
diff -ru sys/netinet.old/tcp_var.h sys/netinet/tcp_var.h
--- sys/netinet.old/tcp_var.h	Sat Jul 22 01:26:37 2000
+++ sys/netinet/tcp_var.h	Sun Nov 19 21:17:55 2000
@@ -387,6 +387,7 @@
 void	 tcp_input __P((struct mbuf *, int, int));
 void	 tcp_mss __P((struct tcpcb *, int));
 int	 tcp_mssopt __P((struct tcpcb *));
+void	 tcp_drop_syn_sent __P((struct inpcb *, int));
 void	 tcp_mtudisc __P((struct inpcb *, int));
 struct tcpcb *
 	 tcp_newtcpcb __P((struct inpcb *));

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001124222033.2BBFF3E4F>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact