Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 20 Nov 2018 10:44:49 +0000 (UTC)
From:      Eugene Grosbein <eugen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r340670 - stable/11/sys/netinet
Message-ID:  <201811201044.wAKAindQ005278@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: eugen
Date: Tue Nov 20 10:44:49 2018
New Revision: 340670
URL: https://svnweb.freebsd.org/changeset/base/340670

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags
  
    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.
  
    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature not needed.
  
    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.
  
  PR:		215874

Modified:
  stable/11/sys/netinet/ip_icmp.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/ip_icmp.c
==============================================================================
--- stable/11/sys/netinet/ip_icmp.c	Tue Nov 20 10:43:18 2018	(r340669)
+++ stable/11/sys/netinet/ip_icmp.c	Tue Nov 20 10:44:49 2018	(r340670)
@@ -155,6 +155,12 @@ SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstamprepl, CTLFL
 	&VNET_NAME(icmptstamprepl), 0,
 	"Respond to ICMP Timestamp packets");
 
+VNET_DEFINE_STATIC(int, error_keeptags) = 0;
+#define	V_error_keeptags		VNET(error_keeptags)
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, error_keeptags, CTLFLAG_VNET | CTLFLAG_RW,
+	&VNET_NAME(error_keeptags), 0,
+	"ICMP error response keeps copy of mbuf_tags of original packet");
+
 #ifdef ICMPPRINTFS
 int	icmpprintfs = 0;
 #endif
@@ -367,6 +373,10 @@ stdreply:	icmpelen = max(8, min(V_icmp_quotelen, ntohs
 	nip->ip_p = IPPROTO_ICMP;
 	nip->ip_tos = 0;
 	nip->ip_off = 0;
+
+	if (V_error_keeptags)
+		m_tag_copy_chain(m, n, M_NOWAIT);
+
 	icmp_reflect(m);
 
 freeit:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811201044.wAKAindQ005278>