Date:      Sat, 16 Dec 2000 11:42:07 -0800 (PST)
From:      Poul-Henning Kamp <phk@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <200012161942.eBGJg7j93654@freefall.freebsd.org>

phk         2000/12/16 11:42:07 PST

  Modified files:
    sys/netinet          ip_icmp.c tcp_subr.c tcp_var.h 
  Log:
  We currently do not react to ICMP administratively prohibited
  messages sent by routers when they deny our traffic; this causes
  a timeout when trying to connect to TCP ports/services on a remote
  host that is blocked by routers or firewalls.
  
  rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
  requires that we treat such a message for a TCP session as if we
  had received an RST.
  
  quote begin.
  
              A Destination Unreachable message that is received MUST be
              reported to the transport layer.  The transport layer SHOULD
              use the information appropriately; for example, see Sections
              4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
              that has its own mechanism for notifying the sender that a
              port is unreachable (e.g., TCP, which sends RST segments)
              MUST nevertheless accept an ICMP Port Unreachable for the
              same purpose.
  
  quote end.
  
  I've written a small extension that implements this; it also creates
  a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control whether
  this new behaviour is activated.
  
  When it's activated (set to 1) we'll treat an ICMP administratively
  prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
  session as if we received a TCP RST, but only if the TCP session
  is in SYN_SENT state.
  
  The reason for only reacting when in SYN_SENT state, is that this
  will solve the problem, and at the same time minimize the risk of
  this being abused.
  
  I suggest that we enable this new behaviour by default, but it
  would be a change of current behaviour, so if people prefer to
  leave it disabled by default, at least for now, this would be ok
  for me; the attached diff actually has the sysctl set to 0 by
  default.
  
  PR:		23086
  Submitted by:	Jesper Skriver <jesper@skriver.dk>
  
  Revision  Changes    Path
  1.48      +16 -1     src/sys/netinet/ip_icmp.c
  1.85      +26 -1     src/sys/netinet/tcp_subr.c
  1.62      +2 -1      src/sys/netinet/tcp_var.h



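The commit message describes a policy (react to ICMP type 3 code 9/10/13, only when the sysctl is on, only for a connection still in SYN_SENT) but not how the ICMP message is tied back to a TCP connection. The following is an added, stand-alone example and is not FreeBSD's code: it parses the quoted original datagram inside the ICMP unreachable (inner IPv4 header plus the first 8 bytes of the TCP header, which carry both ports and the sequence number), walks a small constructed connection table in place of the kernel's PCB lookup, and applies the commit's rules. The global `icmp_admin_prohib_like_rst` stands in for the sysctl; the connection table, the byte-order helpers, the `run_scenario` driver and the sample 10.0.0.1:40000 -> 192.0.2.1:25 connection are constructed for the example. One check goes beyond the commit and is marked as such in the code: in SYN_SENT the only segment in flight is our SYN, so the quoted sequence number is required to equal the ISS before the message is honoured.

```c
/* Added example (not FreeBSD's code): map an ICMP "administratively
 * prohibited" message onto a TCP connection and, only when the knob is on
 * and the connection is in SYN_SENT, treat it like a RST. The connection
 * table and byte-order helpers are stand-ins for the kernel's own. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_UNREACH               3   /* destination unreachable (RFC 792)   */
#define ICMP_UNREACH_NET_PROHIB    9   /* net administratively prohibited     */
#define ICMP_UNREACH_HOST_PROHIB   10  /* host administratively prohibited    */
#define ICMP_UNREACH_FILTER_PROHIB 13  /* communication admin. prohibited     */
#define IPPROTO_TCP_NUM            6

enum tcp_state { TCPS_CLOSED, TCPS_SYN_SENT, TCPS_ESTABLISHED };
enum verdict { V_MALFORMED, V_IGNORED, V_NO_MATCH, V_RST_APPLIED };

struct tcpcb {              /* only the fields the decision needs (constructed) */
    uint32_t laddr, faddr;  /* host byte order */
    uint16_t lport, fport;
    enum tcp_state state;
    uint32_t iss;           /* initial send sequence of our SYN */
    int error;              /* ECONNREFUSED once we act as if a RST arrived */
};

/* stand-in for the net.inet.tcp.icmp_admin_prohib_like_rst sysctl (default 0) */
static int icmp_admin_prohib_like_rst = 0;

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v); }

/* icmp points at the ICMP header (type, code, cksum, unused) followed by the
 * quoted original datagram: its IPv4 header plus >= 8 bytes of TCP header. */
enum verdict tcp_icmp_admin_prohib(const uint8_t *icmp, size_t len,
                                   struct tcpcb *tcbs, size_t ntcb)
{
    if (len < 8 + 20 + 8) return V_MALFORMED;
    if (icmp[0] != ICMP_UNREACH) return V_IGNORED;
    if (icmp[1] != ICMP_UNREACH_NET_PROHIB && icmp[1] != ICMP_UNREACH_HOST_PROHIB &&
        icmp[1] != ICMP_UNREACH_FILTER_PROHIB)
        return V_IGNORED;                  /* other unreachables: old behaviour */

    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return V_MALFORMED;
    if (ip[9] != IPPROTO_TCP_NUM) return V_IGNORED;

    /* the quoted datagram is one we sent, so its source is our local side */
    uint32_t laddr = rd32(ip + 12), faddr = rd32(ip + 16);
    const uint8_t *th = ip + ihl;
    uint16_t lport = (uint16_t)rd16(th), fport = (uint16_t)rd16(th + 2);
    uint32_t seq = rd32(th + 4);

    struct tcpcb *tp = NULL;
    for (size_t i = 0; i < ntcb; i++)
        if (tcbs[i].laddr == laddr && tcbs[i].lport == lport &&
            tcbs[i].faddr == faddr && tcbs[i].fport == fport) { tp = &tcbs[i]; break; }
    if (tp == NULL) return V_NO_MATCH;

    if (!icmp_admin_prohib_like_rst) return V_IGNORED;  /* knob off: old behaviour */
    if (tp->state != TCPS_SYN_SENT) return V_IGNORED;    /* only while connecting  */
    /* Not in the commit: in SYN_SENT only our SYN is in flight, so the quoted
     * sequence number must be the ISS (RFC 5927-style check). */
    if (seq != tp->iss) return V_IGNORED;

    tp->state = TCPS_CLOSED;     /* same outcome as a RST received in SYN_SENT */
    tp->error = ECONNREFUSED;    /* connect(2) fails now instead of timing out */
    return V_RST_APPLIED;
}

/* Build a constructed ICMP unreachable quoting our SYN; returns its length. */
size_t build_unreach(uint8_t *buf, uint8_t code, const struct tcpcb *tp, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = ICMP_UNREACH; buf[1] = code;        /* checksum left zero here */
    uint8_t *ip = buf + 8;
    ip[0] = 0x45; ip[9] = IPPROTO_TCP_NUM;       /* IPv4, IHL 5, protocol TCP */
    wr16(ip + 2, 20 + 20);
    wr32(ip + 12, tp->laddr); wr32(ip + 16, tp->faddr);
    uint8_t *th = ip + 20;
    wr16(th, tp->lport); wr16(th + 2, tp->fport); wr32(th + 4, seq);
    return 36;
}

/* One scenario end to end on a constructed 10.0.0.1:40000 -> 192.0.2.1:25 tcb. */
enum verdict run_scenario(int knob, enum tcp_state st, uint8_t code, uint32_t quoted_seq)
{
    struct tcpcb tcb = { 0x0a000001u, 0xc0000201u, 40000, 25, st, 1000, 0 };
    uint8_t pkt[36];
    size_t n = build_unreach(pkt, code, &tcb, quoted_seq);
    icmp_admin_prohib_like_rst = knob;
    enum verdict v = tcp_icmp_admin_prohib(pkt, n, &tcb, 1);
    if (v == V_RST_APPLIED && (tcb.state != TCPS_CLOSED || tcb.error != ECONNREFUSED))
        return V_MALFORMED;                      /* internal inconsistency */
    return v;
}

int main(void)
{
    printf("knob=1 SYN_SENT code 13:    %d (3 = treated like RST)\n",
           run_scenario(1, TCPS_SYN_SENT, ICMP_UNREACH_FILTER_PROHIB, 1000));
    printf("knob=0 SYN_SENT code 13:    %d (1 = ignored, connect times out)\n",
           run_scenario(0, TCPS_SYN_SENT, ICMP_UNREACH_FILTER_PROHIB, 1000));
    printf("knob=1 ESTABLISHED code 9:  %d (1 = ignored, not usable as a reset)\n",
           run_scenario(1, TCPS_ESTABLISHED, ICMP_UNREACH_NET_PROHIB, 1000));
    return 0;
}
```

The ESTABLISHED case is the one the commit's SYN_SENT restriction is about: anyone who can guess a 4-tuple can send an unauthenticated ICMP message, so honouring it on a live connection would hand out a cheap connection reset, while honouring it only during connect simply turns a long timeout into an immediate ECONNREFUSED.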




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012161942.eBGJg7j93654>