From blaze@auth.sl.ru  Thu May  4 01:14:43 2000
Return-Path: <blaze@auth.sl.ru>
Received: from auth.sl.ru (HQ-LLs-10M.synchroline.net [212.24.44.4])
	by hub.freebsd.org (Postfix) with SMTP id 54E4937B723
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  4 May 2000 01:14:40 -0700 (PDT)
	(envelope-from blaze@auth.sl.ru)
Received: (qmail 19588 invoked by uid 1000); 4 May 2000 08:14:28 -0000
Message-Id: <20000504081427.19587.qmail@auth.sl.ru>
Date: 4 May 2000 08:14:27 -0000
From: blaze@sl.ru
Sender: blaze@auth.sl.ru
Reply-To: blaze@sl.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: ICMP unreachable sent when ipfw drops packet
X-Send-Pr-Version: 3.2

>Number:         18382
>Category:       kern
>Synopsis:       ICMP unreachable sent when ipfw drops packet
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May  4 01:20:01 PDT 2000
>Closed-Date:    Tue Jun 13 00:12:55 PDT 2000
>Last-Modified:  Tue Jun 13 00:13:33 PDT 2000
>Originator:     Andrey Sverdlichenko
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:

Any 5.0-CURRENT with INET and IPFILTER enabled.

>Description:

When an IP packet is dropped by ipfw on the second call of ip_fw_chk(),
ip_forward() sends an ICMP unreachable packet. This causes 2 ICMP packets to
be sent if the matched rule was `unreach'. And if the rule was `deny' it
should just drop the packet, without notifying the sender.

>How-To-Repeat:

On router:
ipfw add unreach 1 ip from your.host to other.host out

On your.host ping other.host and see tcpdump

>Fix:

--- ip_input.c.old	Mon Mar 27 23:14:21 2000
+++ ip_input.c	Wed May  3 21:03:11 2000
@@ -1561,6 +1561,10 @@
 			return;
 		}
 	}
+	if (error == EACCES) {
+		m_freem(mcopy);
+		mcopy = NULL;
+	}
 	if (mcopy == NULL)
 		return;
 	destifp = NULL;
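
Review bot: The added `if (error == EACCES)` block calls m_freem(mcopy) before the existing `if (mcopy == NULL)` test directly below it, so the free runs on a pointer that the next line still treats as possibly NULL. Either place the new block after that test or write the condition as `if (error == EACCES && mcopy != NULL)`, so the hunk does not depend on m_freem() accepting NULL. The block also needs a comment stating that EACCES at this point means the packet was rejected by the firewall on output and that no ICMP error is to be generated, because nothing in the hunk says where that errno comes from, and any other path that returns EACCES would silently suppress the ICMP reply as well. Setting mcopy to NULL only to reach the `return` on the following line is indirect; freeing and returning inside the new block would be easier to read.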


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Fri May 5 01:52:00 PDT 2000 
Responsible-Changed-Why:  
I will commit the supplied fix after a bit of testing. 
State-Changed-From-To: open->feedback 
State-Changed-By: ru 
State-Changed-When: Mon May 15 11:41:10 PDT 2000 
State-Changed-Why:  
Fixed in 5.0-CURRENT, src/sys/netinet/ip_input.c,v 1.133. 
State-Changed-From-To: feedback->closed 
State-Changed-By: ru 
State-Changed-When: Tue Jun 13 00:12:55 PDT 2000 
State-Changed-Why:  
Fixed in all active branches. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18382 
>Unformatted:
