Created attachment 178624
introduce new sysctl net.inet.icmp.error_keeptags

Currently, icmp_error() function copies FIB number into generated ICMP response from original packet but not mbuf_tags(9) chain. This prevents us from easily matching ICMP packets corresponding to tagged original ones by means of ipfw(8). For example, ICMP "time-exceeded in-transit" packets (usually generated in response to traceroute probes) lose tags attached to original packets.

Attached simple patch introduces new sysctl net.inet.icmp.error_keeptags with default value 0 corresponding to current behaviour to avoid extra overhead. sysctl net.inet.icmp.error_keeptags=1 makes icmp_error() copy mbuf_tags from original packet to generated ICMP response.

My PR.

A commit references this bug:

Author: eugen
Date: Sun Oct 21 21:29:20 UTC 2018
New revision: 339558
URL: https://svnweb.freebsd.org/changeset/base/339558

Log:
  New sysctl: net.inet.icmp.error_keeptags

  Currently, icmp_error() function copies FIB number from original packet into generated ICMP response but not mbuf_tags(9) chain. This prevents us from easily matching ICMP responses corresponding to tagged original packets by means of packet filter such as ipfw(8). For example, ICMP "time-exceeded in-transit" packets usually generated in response to traceroute probes lose tags attached to original packets.

  This change adds new sysctl net.inet.icmp.error_keeptags that defaults to 0 to avoid extra overhead when this feature is not needed. Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags from original packet to generated ICMP response.

  PR: 215874
  MFC after: 1 month

Changes:
  head/sys/netinet/ip_icmp.c

A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:43:18 UTC 2018
New revision: 340669
URL: https://svnweb.freebsd.org/changeset/base/340669

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

  Currently, icmp_error() function copies FIB number from original packet into generated ICMP response but not mbuf_tags(9) chain. This prevents us from easily matching ICMP responses corresponding to tagged original packets by means of packet filter such as ipfw(8). For example, ICMP "time-exceeded in-transit" packets usually generated in response to traceroute probes lose tags attached to original packets.

  This change adds new sysctl net.inet.icmp.error_keeptags that defaults to 0 to avoid extra overhead when this feature is not needed. Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags from original packet to generated ICMP response.

  PR: 215874

Changes:
_U  stable/12/
  stable/12/sys/netinet/ip_icmp.c

A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:44:50 UTC 2018
New revision: 340670
URL: https://svnweb.freebsd.org/changeset/base/340670

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

  Currently, icmp_error() function copies FIB number from original packet into generated ICMP response but not mbuf_tags(9) chain. This prevents us from easily matching ICMP responses corresponding to tagged original packets by means of packet filter such as ipfw(8). For example, ICMP "time-exceeded in-transit" packets usually generated in response to traceroute probes lose tags attached to original packets.

  This change adds new sysctl net.inet.icmp.error_keeptags that defaults to 0 to avoid extra overhead when this feature is not needed. Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags from original packet to generated ICMP response.

  PR: 215874

Changes:
_U  stable/11/
  stable/11/sys/netinet/ip_icmp.c

A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:45:46 UTC 2018
New revision: 340671
URL: https://svnweb.freebsd.org/changeset/base/340671

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

  Currently, icmp_error() function copies FIB number from original packet into generated ICMP response but not mbuf_tags(9) chain. This prevents us from easily matching ICMP responses corresponding to tagged original packets by means of packet filter such as ipfw(8). For example, ICMP "time-exceeded in-transit" packets usually generated in response to traceroute probes lose tags attached to original packets.

  This change adds new sysctl net.inet.icmp.error_keeptags that defaults to 0 to avoid extra overhead when this feature is not needed. Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags from original packet to generated ICMP response.

  PR: 215874

Changes:
_U  stable/10/
  stable/10/sys/netinet/ip_icmp.c