Bug 215874

Summary: [patch] [icmp] [mbuf_tags] teach icmp_error() optionally keep original packet's mbuf_tags
Product: Base System Reporter: Eugene Grosbein <ports>
Component: kernAssignee: Eugene Grosbein <eugen>
Status: Closed FIXED    
Severity: Affects Some People CC: eugen
Priority: --- Keywords: patch
Version: 11.0-STABLEFlags: eugen: mfc-stable12+
eugen: mfc-stable11+
eugen: mfc-stable10+
Hardware: Any   
OS: Any   
Attachments:
Description Flags
introduce new sysctl net.inet.icmp.error_keeptags none

Description Eugene Grosbein 2017-01-08 16:53:55 UTC 
Created attachment 178624 [details]
introduce new sysctl net.inet.icmp.error_keeptags

Currently, icmp_error() function copies FIB number into generated ICMP response from original packet but not mbuf_tags(9) chain. This prevents us from easily matching of ICMP packets corresponding to tagged original ones by means of ipfw(8).

For example, ICMP "time-exceeded in-transit" packets (usually generated in response to traceroute probes) lose tags attached to original packets. Attached simble patch introduces new sysctl net.inet.icmp.error_keeptags with default value 0 corresponding to current behaviour to avoid extra overhead.

sysctl net.inet.icmp.error_keeptags=1 makes icmp_error() copy mbuf_tags from original packet to generated ICMP response.
Comment 1 Eugene Grosbein freebsd_committer freebsd_triage 2017-09-19 17:15:15 UTC 
My PR.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-10-21 21:29:52 UTC 
A commit references this bug:

Author: eugen
Date: Sun Oct 21 21:29:20 UTC 2018
New revision: 339558
URL: https://svnweb.freebsd.org/changeset/base/339558

Log:
  New sysctl: net.inet.icmp.error_keeptags

  Currently, icmp_error() function copies FIB number from original packet
  into generated ICMP response but not mbuf_tags(9) chain.
  This prevents us from easily matching ICMP responses corresponding
  to tagged original packets by means of packet filter such as ipfw(8).
  For example, ICMP "time-exceeded in-transit" packets usually generated
  in response to traceroute probes lose tags attached to original packets.

  This change adds new sysctl net.inet.icmp.error_keeptags
  that defaults to 0 to avoid extra overhead when this feature not needed.

  Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
  from original packet to generated ICMP response.

  PR:		215874
  MFC after:	1 month

Changes:
  head/sys/netinet/ip_icmp.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-11-20 10:43:26 UTC 
A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:43:18 UTC 2018
New revision: 340669
URL: https://svnweb.freebsd.org/changeset/base/340669

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.

    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature not needed.

    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.

  PR:		215874

Changes:
_U  stable/12/
  stable/12/sys/netinet/ip_icmp.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-11-20 10:45:30 UTC 
A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:44:50 UTC 2018
New revision: 340670
URL: https://svnweb.freebsd.org/changeset/base/340670

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.

    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature not needed.

    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.

  PR:		215874

Changes:
_U  stable/11/
  stable/11/sys/netinet/ip_icmp.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-11-20 10:46:33 UTC 
A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:45:46 UTC 2018
New revision: 340671
URL: https://svnweb.freebsd.org/changeset/base/340671

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.

    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature not needed.

    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.

  PR:		215874

Changes:
_U  stable/10/
  stable/10/sys/netinet/ip_icmp.c