kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket under certain situations

Xin LI delphij at delphij.net
Wed Apr 19 10:50:19 UTC 2006


The following reply was made to PR kern/95559; it has been noted by GNATS.

From: Xin LI <delphij at delphij.net>
To: Gleb Smirnoff <glebius at FreeBSD.org>, gnn at FreeBSD.org, Robert Watson <rwatson at FreeBSD.org>, mlaier at FreeBSD.org
Cc: Xin LI <delphij at FreeBSD.org>, dhartmei at FreeBSD.org,  FreeBSD-gnats-submit at FreeBSD.org
Subject: Re: kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket
	under certain situations
Date: Wed, 19 Apr 2006 18:48:39 +0800

 Hi, Gleb!
 
 On Wed, 2006-04-19 at 14:38 +0400, Gleb Smirnoff wrote:
 > X> 	By removing either rule from the pf.conf seems to work
 > X> around the issue.  However, we have grep'ed EPERM from netinet
 > X> and pf code and found that there is not a reasonable reason
 > X> why write(2) would return EPERM in the code path.
 >
 > I think this behavior is correct. The traffic from host to jail
 > is routed through lo0, however within a jail the hosts address
 > is a foreign one, and thus is routed via some interface, not lo0.
 >
 > So traffic from host to jail runs through lo0 and traffic from
 > jail to host doesn't.
 >
 > With the above rules you establish TCP scrubbing in pf, which
 > requires inspecting and normalizing TCP packets in both
 > directions. However, you skip pf processing for one direction,
 > and pf sees only half of TCP connection and assumes connection
 > bogus and thus denies it.
 
 The strange thing is that the TCP connection (in ESTABLISHED state)'s
 socket will return EPERM after a good bunch of successful write() calls.
 Will pf happen to see only half of the TCP connection if it is in
 ESTABLISHED state?
 
 Cheers,
 -- 
 Xin LI <delphij delphij net>    http://www.delphij.net/
 