Bug 51006
| Summary: | [PATCH] divert(4) and ipfw(8) manpages are too pessimistic | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Documentation | Reporter: | Dmitry Pryanishnikov <dmitry> | ||||
| Component: | Books & Articles | Assignee: | dannyboy <dannyboy> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | ||||||
| Priority: | Normal | ||||||
| Version: | Latest | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
I tweaked this a little; please check the accuracy of the patch at http://people.freebsd.org/~dannyboy/divert-and-ipfw.patch (reproduced below). Index: sbin/ipfw/ipfw.8 =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.126 diff -u -r1.126 ipfw.8 --- sbin/ipfw/ipfw.8 8 Jul 2003 08:07:03 -0000 1.126 +++ sbin/ipfw/ipfw.8 8 Jul 2003 12:17:19 -0000 @@ -2119,9 +2119,11 @@ This may be fixed in a later version. .Pp Packets diverted to userland, and then reinserted by a userland process -(such as -.Xr natd 8 ) -will lose various packet attributes, including their source interface. +may lose various packet attributes. The packet source interface name +will be preserved (if it is shorter than 8 bytes) if the userland process +saves and reuses the sockaddr_in +(as does +.Xr natd 8 ); otherwise, it may be lost. If a packet is reinserted in this manner, later rules may be incorrectly applied, making the order of .Cm divert Index: share/man/man4/divert.4 =================================================================== RCS file: /home/ncvs/src/share/man/man4/divert.4,v retrieving revision 1.27 diff -u -r1.27 divert.4 --- share/man/man4/divert.4 28 Jun 2003 23:53:37 -0000 1.27 +++ share/man/man4/divert.4 8 Jul 2003 12:17:19 -0000 @@ -50,9 +50,9 @@ the interface on which the packet was received (if the packet was incoming) or .Dv INADDR_ANY -(if the packet was outgoing). In the case of an incoming packet the interface -name will also be placed in the 8 bytes following the address, -(assuming it fits). +(if the packet was outgoing). The interface name (if defined +for the packet) will be placed in the 8 bytes following the address, +if it fits. .Sh WRITING PACKETS Writing to a divert socket is similar to writing to a raw IP socket; the packet is injected ``as is'' into the normal kernel IP packet Thanks, -- Daniel Harris State Changed From-To: open->feedback Submitter has been asked for feedback. Responsible Changed From-To: freebsd-doc->dannyboy I'll take this. On 2003.07.08 05:30:13 -0700, Daniel Harris wrote: Some mdoc(7) and language comments (yes, I noticed they also were in the orignal patch): > Index: sbin/ipfw/ipfw.8 > =================================================================== > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v > retrieving revision 1.126 > diff -u -r1.126 ipfw.8 > --- sbin/ipfw/ipfw.8 8 Jul 2003 08:07:03 -0000 1.126 > +++ sbin/ipfw/ipfw.8 8 Jul 2003 12:17:19 -0000 > @@ -2119,9 +2119,11 @@ > This may be fixed in a later version. > .Pp > Packets diverted to userland, and then reinserted by a userland process > -(such as > -.Xr natd 8 ) > -will lose various packet attributes, including their source interface. > +may lose various packet attributes. The packet source interface name There should be a newline before 'The packet...'. > +will be preserved (if it is shorter than 8 bytes) if the userland process > +saves and reuses the sockaddr_in The double if sounds a bit odd to me, what about : will be preserved if it is shorter than 8 bytes, and the userland process saves and reuses the sockaddr_in > +(as does > +.Xr natd 8 ); otherwise, it may be lost. This should be: .Xr natd 8 ) ; otherwise, it may be lost. > Index: share/man/man4/divert.4 > =================================================================== > RCS file: /home/ncvs/src/share/man/man4/divert.4,v > retrieving revision 1.27 > diff -u -r1.27 divert.4 > --- share/man/man4/divert.4 28 Jun 2003 23:53:37 -0000 1.27 > +++ share/man/man4/divert.4 8 Jul 2003 12:17:19 -0000 > @@ -50,9 +50,9 @@ > the interface on which the packet was received (if the packet > was incoming) or > .Dv INADDR_ANY > -(if the packet was outgoing). In the case of an incoming packet the interface > -name will also be placed in the 8 bytes following the address, > -(assuming it fits). > +(if the packet was outgoing). The interface name (if defined There should be a newline before 'The interface'. -- Simon L. Nielsen Hello! On Tue, 8 Jul 2003, Daniel Harris wrote: > I tweaked this a little; please check the accuracy of the patch at > http://people.freebsd.org/~dannyboy/divert-and-ipfw.patch > (reproduced below). Thank you, your English is better than mine ;) Technically both variants are the same, so I think that your patch should be commited. Sincerely, Dmitry -- Atlantis ISP, System Administrator e-mail: dmitry@atlantis.dp.ua nic-hdl: LYNX-RIPE State Changed From-To: feedback->patched Committed to HEAD, MFC to follow in around 10 days. State Changed From-To: patched->closed MFCed. |
divert(4) manpage claims: In the case of an incoming packet the interface name will also be placed in the 8 bytes following the address. However, actual code in /sys/netinet/ip_divert.c records receive interface name when it's defined for packet and fits in 8 bytes (including trailing zero byte) both for incoming and outgoing packets. This is correct behaviour, since it allows ipfw rules for transit packets (having 'out recv IFX xmit IFY' part) to work correctly after divert rules. Also, ipfw(8) manpage incorrectly states: Packets diverted to userland, and then reinserted by a userland process (such as natd(8)) will lose various packet attributes, including their source interface. Actually, natd(8) saves and reuses the sockaddr_in (as suggested in divert(4)), and thus preserves packet source interface name. Fix: Apply the following patch: How-To-Repeat: man 4 divert man 8 ipfw