Date: Sun, 23 Dec 2001 00:03:20 +0300 (MSK) From: Maxim Konovalov <maxim@macomnet.ru> To: Yar Tikhiy <yar@FreeBSD.ORG> Cc: net@FreeBSD.ORG, <hackers@FreeBSD.ORG> Subject: Re: IP options (was: Processing IP options reveals IPSTEALH router) Message-ID: <20011222235149.S26298-100000@news1.macomnet.ru> In-Reply-To: <20011221191221.C25868@comp.chem.msu.su>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, Yar,
On 19:12+0300, Dec 21, 2001, Yar Tikhiy wrote:
> On Thu, Dec 20, 2001 at 01:24:48AM +0300, Maxim Konovalov wrote:
> >
> > > Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> > > if a source-routed IP packet reachs the end of its route, but its
> > > destination address doesn't match a current host/router, whether
> > > the packet should be discarded, sent forth through usual routing
> > > or accepted as destined for this host? FreeBSD will route such a
> > > packet as usual.
> >
> > Stevens, TCP Ill. vII, p.257 says:
> >
> > "If the destination address of the packet does not match one of the
> > local addresses and the option is a strict source routing
> > (IPOPT_SSRR), an ICMP source route failure error is sent. If a local
> > address isn't listed in the route, the previous system sent the packet
> > to the wrong host. This isn't an error for a loose source route
> > (IPOPT_LSRR); it means IP must forward the packet toward the
> > destionation."
> >
> > That is what ip_input does near the line 1193.
>
> Oops, it appeared that I misunderstood the way the source route
> record worked. FreeBSD does it right, except for a host (ipforwarding=0)
> replying with error ICMP on some source route attempts.
> What about the following small change?
>
> --- /usr/src/sys/netinet.orig/ip_input.c Fri Dec 7 00:54:48 2001
> +++ netinet/ip_input.c Fri Dec 21 19:08:56 2001
> @@ -1212,13 +1212,13 @@
> ia = (struct in_ifaddr *)
> ifa_ifwithaddr((struct sockaddr *)&ipaddr);
> if (ia == 0) {
> + if (!ip_dosourceroute)
> + goto nosourcerouting;
Nice catch.
> if (opt == IPOPT_SSRR) {
> type = ICMP_UNREACH;
> code = ICMP_UNREACH_SRCFAIL;
> goto bad;
> }
> - if (!ip_dosourceroute)
> - goto nosourcerouting;
> /*
> * Loose routing, and not at next destination
> * yet; nothing to do except forward.
> @@ -1231,18 +1231,19 @@
> * End of source route. Should be for us.
> */
> if (!ip_acceptsourceroute)
> - goto nosourcerouting;
> + goto logandsendicmp;
> save_rte(cp, ip->ip_src);
> break;
> }
>
> if (!ip_dosourceroute) {
> +nosourcerouting:
I do not agree here. As far as I understand when we recieve a SSRR
packet and there are no our addresses in the source routing addresses
list we have to send ICPM_UNREACH to the sender regardless of
net.inet.ip.forwarding.
> if (ipforwarding) {
> char buf[16]; /* aaa.bbb.ccc.ddd\0 */
> /*
> * Acting as a router, so generate ICMP
> */
> -nosourcerouting:
> +logandsendicmp:
> strcpy(buf, inet_ntoa(ip->ip_dst));
> log(LOG_WARNING,
> "attempted source route from %s to %s\n",
>
>
Btw, there are many compares like
cnt < IPOPT_OLEN + sizeof(*cp)
in ip_doiptions(). IMHO more strict to compare agains IPOPT_MIN
because multibyte ip options length cannot be less then four bytes. Am
I wrong?
--
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011222235149.S26298-100000>