From oleg@lath.rinet.ru  Thu Feb  5 04:23:13 2004
Return-Path: <oleg@lath.rinet.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 03A0B16A4CE; Thu,  5 Feb 2004 04:23:13 -0800 (PST)
Received: from lath.rinet.ru (lath.rinet.ru [195.54.192.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4A1B643D1F; Thu,  5 Feb 2004 04:23:11 -0800 (PST)
	(envelope-from oleg@lath.rinet.ru)
Received: from lath.rinet.ru (localhost [127.0.0.1])
	by lath.rinet.ru (8.12.9p2/8.12.9) with ESMTP id i15CN9tx023583
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 5 Feb 2004 15:23:09 +0300 (MSK)
	(envelope-from oleg@lath.rinet.ru)
Received: (from oleg@localhost)
	by lath.rinet.ru (8.12.9p2/8.12.9/Submit) id i15CN9J4023582;
	Thu, 5 Feb 2004 15:23:09 +0300 (MSK)
	(envelope-from oleg)
Message-Id: <200402051223.i15CN9J4023582@lath.rinet.ru>
Date: Thu, 5 Feb 2004 15:23:09 +0300 (MSK)
From: Oleg Bulyzhin <oleg@rinet.ru>
Reply-To: Oleg Bulyzhin <oleg@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: luigi@freebsd.org
Subject: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         62385
>Category:       kern
>Synopsis:       [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 05 04:30:20 PST 2004
>Closed-Date:    Sun Feb 22 09:31:46 PST 2004
>Last-Modified:  Sun Feb 22 09:31:46 PST 2004
>Originator:     Oleg Bulyzhin
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD lath.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #1: Thu Dec 11 14:25:00 MSK 2003 root@lath.rinet.ru:/lh/obj/lh/src/sys/lath i386

	Same bug in CURRENT.
>Description:
	If you are using ipfw2 for layer2 packet filtering you may get
	confusing 'no buffer space available' (instead of 'permission denied')
	messages from various applications.

>How-To-Repeat:
	Build world & kernel with ipfw2 enabled.

	root@lath# ifconfig fxp0 10.10.10.1/30 alias
	root@lath# arp -s 10.10.10.2 00:ff:00:ff:ff:ff
	root@lath# ipfw add 1 deny ip from any to any layer2 MAC 00:ff:00:ff:ff:ff any
	00001 deny ip from any to any layer2 MAC 00:ff:00:ff:ff:ff any
	root@lath# sysctl net.link.ether.ipfw=1
	net.link.ether.ipfw: 0 -> 1
	root@lath# ping -c 5 10.10.10.2
	PING 10.10.10.2 (10.10.10.2): 56 data bytes
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available

	--- 10.10.10.2 ping statistics ---
	5 packets transmitted, 0 packets received, 100% packet loss

>Fix:
	Here is a patch for 4.9-RELEASE-p1:

--- if_ethersubr.c.orig	Thu Jul 31 15:09:48 2003
+++ if_ethersubr.c	Thu Feb  5 15:19:11 2004
@@ -416,7 +416,7 @@
 		if (ether_ipfw_chk(&m, ifp, &rule, eh, 0) == 0) {
 			if (m) {
 				m_freem(m);
-				return ENOBUFS;	/* pkt dropped */
+				return EACCES;	/* pkt dropped */
 			} else
 				return 0;	/* consumed e.g. in a pipe */
 		}
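
Review bot: the changed `return EACCES;` now covers every case where ether_ipfw_chk() returns 0 with m still non-NULL, so it is worth confirming that this branch is reached only when a rule denied the packet. If the function can also return 0 with the mbuf intact after a resource failure, ENOBUFS would remain the right code for that case and the two would need to be told apart. The `/* pkt dropped */` comment on the same line should say that the drop is a firewall decision (for example `/* pkt denied by ipfw */`) so the choice of EACCES explains itself. The `---`/`+++` header names if_ethersubr.c without its directory; a path relative to the source tree would let the patch apply without guessing.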



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Mon Feb 9 00:20:53 PST 2004 
Responsible-Changed-Why:  
Assign to maintainer list. The patch makes packets denied at layer 
cause EACCES rather than ENOBUFS, and looks sensible to me. I can 
commit it if no one objects. 

David. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62385 
State-Changed-From-To: open->closed 
State-Changed-By: dwmalone 
State-Changed-When: Sun Feb 22 09:31:13 PST 2004 
State-Changed-Why:  
Fixed in -current and -stable. Thanks for the patch. 

>Unformatted:
