From dwmalone@maths.tcd.ie  Wed Jan 27 06:28:27 1999
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA20580
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 27 Jan 1999 06:28:23 -0800 (PST)
          (envelope-from dwmalone@maths.tcd.ie)
Received: from gosset.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa19253@salmon.maths.tcd.ie>; 27 Jan 99 14:28:17 +0000 (GMT)
Message-Id: <9901271428.aa56319@gosset.maths.tcd.ie>
Date: Wed, 27 Jan 99 14:28:17 +0000 (GMT)
From: dwmalone@maths.tcd.ie
Sender: dwmalone@maths.tcd.ie
Reply-To: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Subject: icmp_reflect doesn't clear m->m_pkthdr.rcvif
X-Send-Pr-Version: 3.2

>Number:         9723
>Category:       kern
>Synopsis:       icmp_reflect doesn't clear m->m_pkthdr.rcvif
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 27 06:30:01 PST 1999
>Closed-Date:    Sat Mar 6 15:13:21 PST 1999
>Last-Modified:  Sat Mar  6 15:14:32 PST 1999
>Originator:     David Malone
>Release:        FreeBSD 2.2.8-STABLE
>Organization:
School of Maths, Trinity College, Dublin.
>Environment:

Using ipfw and gatewaying in 2.2.8-STABLE as of last week some time.
Problem looks like it is present in 3.0/4.0 too.

>Description:

When the ICMP code uses icmp_reflect to reply to a packet, it rewrites
the original packet and then sends that. Unfortunately it does not clear
m->m_pkthdr.rcvif after using it, so the outgoing packet looks like it
has been received on some interface.

This is a problem if you have a firewall rule that then matches on the
interface a packet was received on. It looks like the same problem is
present in current.

>How-To-Repeat:

Suppose you have a machine with de0 with address 10.0.0.1 and you have the
firewall rules:

	deny ip from 10.0.0.1 to any recv de0
	allow ip from any to any

Pings arriving on interface de0 will not be replied to, as the outgoing
reply will match the first rule.
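
The scenario above as an added model, not FreeBSD kernel code and not the
submitter's patch: a minimal stand-in for the mbuf packet header and an
ipfw-style first-match rule list, with reflect() reusing the received
packet the way icmp_reflect does. The struct layouts, the reply_verdict()
helper and the 10.0.0.2 peer address are constructed for the example; only
the two rules and the rcvif clear come from the PR.

```c
/* Model of PR kern/9723: a reflected ICMP reply that still carries the
 * receiving interface in its packet header matches a "recv de0" rule.
 * Constructed example; the structs below are stand-ins, not the real
 * struct mbuf / struct ifnet. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ifnet { const char *if_name; };

struct mbuf {
    uint32_t ip_src;        /* IPv4 source, host byte order */
    uint32_t ip_dst;        /* IPv4 destination, host byte order */
    struct ifnet *rcvif;    /* models m->m_pkthdr.rcvif */
};

enum action { ALLOW = 0, DENY = 1 };

/* "<action> ip from <src> to any [recv <ifname>]" */
struct rule {
    enum action act;
    uint32_t src;           /* 0 means "any" */
    const char *recv_if;    /* NULL means no recv clause */
};

static struct ifnet de0 = { "de0" };

static const struct rule rules[] = {
    { DENY,  0x0a000001u, "de0" },  /* deny ip from 10.0.0.1 to any recv de0 */
    { ALLOW, 0,           NULL  },  /* allow ip from any to any */
};

/* First-match evaluation; the recv clause is checked against rcvif,
 * which is why a stale rcvif on an outgoing packet is harmful. */
static enum action firewall(const struct mbuf *m)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->src != 0 && r->src != m->ip_src)
            continue;
        if (r->recv_if != NULL &&
            (m->rcvif == NULL || strcmp(m->rcvif->if_name, r->recv_if) != 0))
            continue;
        return r->act;
    }
    return DENY;    /* nothing matched */
}

/* Turn an echo request into its reply in the same buffer, as
 * icmp_reflect does: swap the addresses and reuse the mbuf. */
static void reflect(struct mbuf *m, int clear_rcvif)
{
    uint32_t t = m->ip_src;
    m->ip_src = m->ip_dst;
    m->ip_dst = t;
    if (clear_rcvif)
        m->rcvif = NULL;    /* the one-line fix from the PR */
}

/* Verdict the firewall gives the reply to an echo request that arrived
 * on de0 from 10.0.0.2 (constructed peer) addressed to 10.0.0.1. */
enum action reply_verdict(int with_fix)
{
    struct mbuf m = { 0x0a000002u, 0x0a000001u, &de0 };
    reflect(&m, with_fix);
    return firewall(&m);
}

int main(void)
{
    printf("reply without fix: %s\n",
           reply_verdict(0) == DENY ? "denied" : "allowed");
    printf("reply with fix:    %s\n",
           reply_verdict(1) == DENY ? "denied" : "allowed");
    return 0;
}
```

Without the clear, the reply has source 10.0.0.1 and rcvif still pointing
at de0, so the deny rule matches and the ping goes unanswered; with rcvif
cleared the recv clause cannot match and the allow rule is reached.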

>Fix:

You can work around this by only filtering on incoming packets. I think it
would be correct to clear m->m_pkthdr.rcvif toward the end of
icmp_reflect. Something like the following seems to work on 2.2.8-STABLE,
and looks like it would work on 3.0/4.0 too.

--- ip_icmp.c.orig	Wed Jan 27 14:16:14 1999
+++ ip_icmp.c	Wed Jan 27 14:19:38 1999
@@ -613,6 +613,7 @@
 		bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
 			 (unsigned)(m->m_len - sizeof(struct ip)));
 	}
+	m->m_pkthdr.rcvif = (struct ifnet *)0;
 	m->m_flags &= ~(M_BCAST|M_MCAST);
 	icmp_send(m, opts);
 done:
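Review bot: the clear is placed immediately before `icmp_send(m, opts);`, so any reader of rcvif later in icmp_reflect or in the send path will now see a null pointer; please confirm nothing after this point still dereferences it (the earlier part of the function, which is where rcvif is legitimately consulted, is unaffected). A one-line comment stating why the field is cleared (the mbuf is being reused as an outgoing packet and must not look received) would stop the bare `m->m_pkthdr.rcvif = (struct ifnet *)0;` from being mistaken for dead code later.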
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: archie 
State-Changed-When: Sat Mar 6 15:13:21 PST 1999 
State-Changed-Why:  
Applied (modified version of) patch to 2.2.x, 3.x, and head branches. 
>Unformatted:
