Date: Fri, 21 Dec 2001 19:12:21 +0300
From: Yar Tikhiy
To: Maxim Konovalov
Cc: net@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: IP options (was: Processing IP options reveals IPSTEALH router)
Message-ID: <20011221191221.C25868@comp.chem.msu.su>

On Thu, Dec 20, 2001 at 01:24:48AM +0300, Maxim Konovalov wrote:
>
> > Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> > if a source-routed IP packet reaches the end of its route, but its
> > destination address doesn't match a current host/router, whether
> > the packet should be discarded, sent forth through usual routing
> > or accepted as destined for this host? FreeBSD will route such a
> > packet as usual.
>
> Stevens, TCP Ill. vII, p.257 says:
>
> "If the destination address of the packet does not match one of the
> local addresses and the option is a strict source routing
> (IPOPT_SSRR), an ICMP source route failure error is sent. If a local
> address isn't listed in the route, the previous system sent the packet
> to the wrong host. This isn't an error for a loose source route
> (IPOPT_LSRR); it means IP must forward the packet toward the
> destination."
>
> That is what ip_input does near the line 1193.

Oops, it appeared that I misunderstood the way the source route
record worked. FreeBSD does it right, except for a host
(ipforwarding=0) replying with error ICMP on some source route
attempts. What about the following small change?

--- /usr/src/sys/netinet.orig/ip_input.c Fri Dec 7 00:54:48 2001 +++ netinet/ip_input.c Fri Dec 21 19:08:56 2001 @@ -1212,13 +1212,13 @@ ia = (struct in_ifaddr *) ifa_ifwithaddr((struct sockaddr *)&ipaddr); if (ia == 0) { + if (!ip_dosourceroute) + goto nosourcerouting; if (opt == IPOPT_SSRR) { type = ICMP_UNREACH; code = ICMP_UNREACH_SRCFAIL; goto bad; } - if (!ip_dosourceroute) - goto nosourcerouting; /* * Loose routing, and not at next destination * yet; nothing to do except forward. @@ -1231,18 +1231,19 @@ * End of source route. Should be for us. */ if (!ip_acceptsourceroute) - goto nosourcerouting; + goto logandsendicmp; save_rte(cp, ip->ip_src); break; } if (!ip_dosourceroute) { +nosourcerouting: if (ipforwarding) { char buf[16]; /* aaa.bbb.ccc.ddd\0 */ /* * Acting as a router, so generate ICMP */ -nosourcerouting: +logandsendicmp: strcpy(buf, inet_ntoa(ip->ip_dst)); log(LOG_WARNING, "attempted source route from %s to %s\n", -- Yar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
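Review bot: In the first hunk (@@ -1212), moving "if (!ip_dosourceroute) goto nosourcerouting;" above the "opt == IPOPT_SSRR" test changes the router case as well as the host case the message describes. With ip_dosourceroute off, a strict-source-routed packet whose next address is not local no longer takes the ICMP_UNREACH_SRCFAIL / "goto bad" path; it goes to nosourcerouting, which the second hunk places ahead of "if (ipforwarding)", so on a forwarding box it now reaches the log(LOG_WARNING, ...) call, which it did not reach through this branch before. Please say in the commit message whether that is intended, and add a comment above the hoisted check explaining that the sysctl is tested first so that the ipforwarding test decides the reply. What happens when ipforwarding is 0 lies outside the visible context, so the host behaviour cannot be confirmed from this diff alone.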
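Review bot: In the second hunk (@@ -1231), "goto logandsendicmp" in the "!ip_acceptsourceroute" branch jumps into the body of "if (ipforwarding)", so the end-of-route case still logs and continues into the code under the "Acting as a router, so generate ICMP" comment even when ipforwarding is 0. The message says a host should stop replying on "some" source route attempts; if this case is deliberately left replying, say so in a comment at the label, because the comment above it now describes only one of the two ways in. Two labels a few lines apart, one of them inside a nested block, are also easy to misread. Consider setting a flag in the "!ip_acceptsourceroute" branch and testing "ipforwarding || flag" at the top of the block instead of jumping past the condition.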