Date: Thu, 23 Aug 2001 16:53:26 -0400
From: Barney Wolff <barney@databus.com>
To: Scott Renfro <scott@renfro.org>
Cc: freebsd-net@FreeBSD.ORG, Jonathan Lemon <jlemon@flugsvamp.com>, Jesper Skriver <jesper@skriver.dk>, Bill Fenner <fenner@research.att.com>, Cory Scott <cory@crazypenguin.com>
Subject: Re: Proposed change to icmp_may_rst induced ENETRESET
Message-ID: <20010823165326.A24963@tp.databus.com>
In-Reply-To: <20010822020504.C24160@bonsai.home.renfro.org>; from scott@renfro.org on Wed, Aug 22, 2001 at 02:05:04AM -0700
References: <20010822020504.C24160@bonsai.home.renfro.org>
As another heavy nmap user, I'd vote just the other way. It's useful to differentiate between a reset coming back from the destination host and an unreachable from a firewall/router-acl. Ordinary apps probably don't care all that much about why a connection could not be established, and just report the error to the user. Barney Wolff On Wed, Aug 22, 2001 at 02:05:04AM -0700, Scott Renfro wrote: > On Tue, Mar 27, 2001 at 10:48:26AM -0600, Jonathan Lemon wrote: > > On Tue, Mar 27, 2001 at 06:36:46PM +0200, Jesper Skriver wrote: > > > On Tue, Mar 27, 2001 at 10:19:22AM -0600, Jonathan Lemon wrote: > > > > > > > > I forget why I picked ENETRESET; probably because it was the > > > > first thing that leaped out at me when I quickly skimmed over > > > > <sys/errno.h> looking for an appropriate error code; but I > > > > didn't consider the UDP case. > > > > > > --- src/sys/netinet/ip_input.c 2001/03/08 23:14:54 > > > 1.130.2.21 > > > +++ src/sys/netinet/ip_input.c 2001/03/27 16:35:15 
> > > @@ -1484,7 +1484,7 @@ > > > EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, > > > EMSGSIZE, EHOSTUNREACH, 0, 0, > > > 0, 0, > > > 0, 0, > > > - ENOPROTOOPT, ENETRESET > > > + ENOPROTOOPT, ECONNREFUSED > > > }; > > > > Yes, I think this probably is the best approach; just get rid > > of the ENETRESET altogether for this case. > > In follow-up to this discussion from March (yes, I'm a slow reader ;-), > I'd like to propose that we do, in fact, s/ENETRESET/ECONNREFUSED/ in > the inetctlerrmap in ip_input.c. > > At work, we make extensive use of nmap, which uses a mixture of > OS-provided stack features and direct packet capture/generation. We > discovered that the icmp_may_rst code added to FreeBSD causes nmap to > report incorrect results when ICMP_UNREACH_*_PROHIB messages are > received in response to connect(2). > > We've considered just disabling the tunable, changing nmap, or changing > FreeBSD. After much analysis, we've concluded that most sensible change > is for FreeBSD to generate an ECONNREFUSED in response to the icmp > unreach prohib messages. I'm sure other applications expect > ECONNREFUSED but not ENETRESET in response to connect(2) calls as well. > > Since this only occurs in the TCPS_SYN_SENT state, there cannot be an > actual tcp connection in place to reset. And, since we're in a SYN_SENT > state, what is most likely happening is that our connection request is > being refused by the remote host (or an upstream router/firewall). > > Finally, ECONNREFUSED is, and long has been, a documented error in the > connect(2) man page. > > While I'm at it, I'll be bold and request that if this change is > acceptable, it be MFC'd for 4.4-RELEASE (I think this is a low-risk, > high-payoff change, but opinions may vary). (I do like the icmp_may_rst > behavior in general, of course.) > > I've attached a copy of the desired patch since the one above may be > hosed by message reformatting. 
> > cheers, > --Scott > > -- > Scott Renfro <scott@renfro.org> +1 650 862 4206 > --- src/sys/netinet/ip_input.c.orig Wed Aug 22 01:49:43 2001 > +++ src/sys/netinet/ip_input.c Wed Aug 22 01:50:06 2001 > @@ -1562,7 +1562,7 @@ > EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, > EMSGSIZE, EHOSTUNREACH, 0, 0, > 0, 0, 0, 0, > - ENOPROTOOPT, ENETRESET > + ENOPROTOOPT, ECONNREFUSED > }; > > /* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
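Review bot: The changed last entry of the table (`ENOPROTOOPT, ENETRESET` becoming `ENOPROTOOPT, ECONNREFUSED`) makes this slot return the same errno the table already uses for two entries in its first row, so a connect(2) caller can no longer tell this case apart from those by errno alone. That is the trade-off raised in the reply at the top of this message, and it should be recorded in the commit message. The array carries no per-slot comments, so a short comment on the changed line saying which case the slot serves and why it maps to ECONNREFUSED would make the change easier to check. The stated rationale is specific to the SYN_SENT state while the edit is to a table in ip_input.c, so it is worth confirming that nothing else reading this slot depends on ENETRESET. The same one-line change appears in both quoted hunks (at -1484 and at -1562); only the attached version needs applying.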