Bug 215874 - [patch] [icmp] [mbuf_tags] teach icmp_error() optionally keep original packet's mbuf_tags
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.0-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Eugene Grosbein
Keywords: patch
 
Reported: 2017-01-08 16:53 UTC by Eugene Grosbein
Modified: 2018-11-20 10:55 UTC

See Also:
eugen: mfc-stable12+
eugen: mfc-stable11+
eugen: mfc-stable10+


Attachments
introduce new sysctl net.inet.icmp.error_keeptags (817 bytes, patch)
2017-01-08 16:53 UTC, Eugene Grosbein

Description Eugene Grosbein 2017-01-08 16:53:55 UTC
Created attachment 178624
introduce new sysctl net.inet.icmp.error_keeptags

Currently, icmp_error() function copies FIB number into generated ICMP response from original packet but not mbuf_tags(9) chain. This prevents us from easily matching ICMP packets corresponding to tagged original ones by means of ipfw(8).

For example, ICMP "time-exceeded in-transit" packets (usually generated in response to traceroute probes) lose tags attached to original packets. Attached simple patch introduces new sysctl net.inet.icmp.error_keeptags with default value 0 corresponding to current behaviour to avoid extra overhead.

sysctl net.inet.icmp.error_keeptags=1 makes icmp_error() copy mbuf_tags from original packet to generated ICMP response.
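
One way to use the sysctl described above, as an added example that is not part of the bug report or the committed change: tag traceroute-style UDP probes on input with ipfw(8), then match the time-exceeded errors this host generates for them. The interface `em0`, tag `10`, rule numbers and helper function names are constructed assumptions; the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the bug report. IFACE, TAG and the rule numbers
# are constructed placeholders; adapt them to the local ruleset.
IFACE="${IFACE:-em0}"
TAG="${TAG:-10}"

# ipfw(8) accepts tag numbers in the range 1..65534.
valid_tag() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# Print (do not run) the commands that tag probes on input and then
# match the ICMP errors this host generates for them.
keeptags_rules() {
    valid_tag "$TAG" || { echo "bad tag: $TAG" >&2; return 1; }
    cat <<EOF
sysctl net.inet.icmp.error_keeptags=1
ipfw add 1000 count tag $TAG udp from any to any in recv $IFACE
ipfw add 1100 count icmp from me to any icmptypes 11 out tagged $TAG
EOF
}

# Kernels without this change have no such OID, and the tagged rule
# would then silently never match; check before relying on it.
keeptags_supported() {
    sysctl -n net.inet.icmp.error_keeptags >/dev/null 2>&1
}

keeptags_rules
```

With the sysctl left at its default of 0, the counter on rule 1100 stays at zero because the generated ICMP response carries no tags.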
Comment 1 Eugene Grosbein freebsd_committer freebsd_triage 2017-09-19 17:15:15 UTC
My PR.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-10-21 21:29:52 UTC
A commit references this bug:

Author: eugen
Date: Sun Oct 21 21:29:20 UTC 2018
New revision: 339558
URL: https://svnweb.freebsd.org/changeset/base/339558

Log:
  New sysctl: net.inet.icmp.error_keeptags

  Currently, icmp_error() function copies FIB number from original packet
  into generated ICMP response but not mbuf_tags(9) chain.
  This prevents us from easily matching ICMP responses corresponding
  to tagged original packets by means of packet filter such as ipfw(8).
  For example, ICMP "time-exceeded in-transit" packets usually generated
  in response to traceroute probes lose tags attached to original packets.

  This change adds new sysctl net.inet.icmp.error_keeptags
  that defaults to 0 to avoid extra overhead when this feature is not needed.

  Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
  from original packet to generated ICMP response.

  PR:		215874
  MFC after:	1 month

Changes:
  head/sys/netinet/ip_icmp.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-11-20 10:43:26 UTC
A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:43:18 UTC 2018
New revision: 340669
URL: https://svnweb.freebsd.org/changeset/base/340669

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.

    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature is not needed.

    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.

  PR:		215874

Changes:
_U  stable/12/
  stable/12/sys/netinet/ip_icmp.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-11-20 10:45:30 UTC
A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:44:50 UTC 2018
New revision: 340670
URL: https://svnweb.freebsd.org/changeset/base/340670

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.

    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature is not needed.

    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.

  PR:		215874

Changes:
_U  stable/11/
  stable/11/sys/netinet/ip_icmp.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-11-20 10:46:33 UTC
A commit references this bug:

Author: eugen
Date: Tue Nov 20 10:45:46 UTC 2018
New revision: 340671
URL: https://svnweb.freebsd.org/changeset/base/340671

Log:
  MFC r339558: New sysctl: net.inet.icmp.error_keeptags

    Currently, icmp_error() function copies FIB number from original packet
    into generated ICMP response but not mbuf_tags(9) chain.
    This prevents us from easily matching ICMP responses corresponding
    to tagged original packets by means of packet filter such as ipfw(8).
    For example, ICMP "time-exceeded in-transit" packets usually generated
    in response to traceroute probes lose tags attached to original packets.

    This change adds new sysctl net.inet.icmp.error_keeptags
    that defaults to 0 to avoid extra overhead when this feature is not needed.

    Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
    from original packet to generated ICMP response.

  PR:		215874

Changes:
_U  stable/10/
  stable/10/sys/netinet/ip_icmp.c