docs/51006: [PATCH] divert(4) and ipfw(8) manpages are too pessimistic
dmitry at atlantis.dp.ua
Tue Apr 15 22:00:12 UTC 2003
>Number: 51006
>Category: docs
>Synopsis: [PATCH] divert(4) and ipfw(8) manpages are too pessimistic
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 15 15:00:09 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: dmitry at atlantis.dp.ua
>Release: FreeBSD 4.7-RELEASE i386
>Organization:
Atlantis ISP
>Environment:
System: FreeBSD homelynx.homenet 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Tue Mar 25 12:13:03 EET 2003 root at atlantis.atlantis.dp.ua:/usr/src/sys/compile/lynx i386
>Description:
The divert(4) manpage claims:
In the case of an incoming packet the interface name will also be placed
in the 8 bytes following the address.
However, the actual code in /sys/netinet/ip_divert.c records the receive interface
name when it is defined for the packet and fits in 8 bytes (including the trailing
zero byte), both for incoming and outgoing packets. This is correct behaviour,
since it allows ipfw rules for transit packets (having an 'out recv IFX xmit IFY'
part) to work correctly after divert rules. Also, the ipfw(8) manpage incorrectly
states:
Packets diverted to userland, and then reinserted by a userland process
(such as natd(8)) will lose various packet attributes, including
their source interface.
Actually, natd(8) saves and reuses the sockaddr_in (as suggested in divert(4)),
and thus preserves the packet source interface name.
>How-To-Repeat:
man 4 divert
man 8 ipfw
>Fix:
Apply the following patch:
--- divert.4.orig Wed Oct 9 15:45:43 2002
+++ divert.4 Tue Apr 15 23:19:33 2003
@@ -50,8 +50,8 @@
the interface on which the packet was received (if the packet
was incoming) or
.Dv INADDR_ANY
-(if the packet was outgoing). In the case of an incoming packet the interface
-name will also be placed in the 8 bytes following the address,
+(if the packet was outgoing). Incoming interface name (if defined
+for the packet) will also be placed in the 8 bytes following the address,
(assuming it fits).
.Sh WRITING PACKETS
Writing to a divert socket is similar to writing to a raw IP socket;
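Review bot: the new wording `+(if the packet was outgoing). Incoming interface name (if defined` still reads as if the name is recorded only for incoming packets, which is the misreading this PR sets out to remove; the Description says the receive interface name is recorded for outgoing (transit) packets as well. Suggest describing what the field holds rather than a direction, e.g. `The name of the interface on which the packet was received (if any) will also be placed in the 8 bytes following the address`, and replacing `(assuming it fits)` with the exact limit the Description gives: it must fit in those 8 bytes including the trailing NUL, so at most 7 characters. "Incoming interface name" is also missing its article.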
--- ipfw.8.orig Wed Oct 9 15:45:23 2002
+++ ipfw.8 Wed Apr 16 00:30:32 2003
@@ -2018,9 +2018,11 @@
This may be fixed in a later version.
.Pp
Packets diverted to userland, and then reinserted by a userland process
+may lose various packet attributes. Packet source interface name
+will be preserved (assuming it is shorter than 8 bytes) if userland process
+saves and reuses the sockaddr_in
(such as
-.Xr natd 8 )
-will lose various packet attributes, including their source interface.
+.Xr natd 8 ), otherwise it may be lost.
If a packet is reinserted in this manner, later rules may be incorrectly
applied, making the order of
.Cm divert
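Review bot: the inserted lines split one sentence around the `.Xr natd 8` macro, so that `(such as` / `.Xr natd 8 ), otherwise it may be lost.` now attaches to "the sockaddr_in" instead of "a userland process", and the text drops articles (`if userland process`, `Packet source interface name`). Suggest keeping `(such as .Xr natd 8 )` directly after `reinserted by a userland process`, ending that sentence at `may lose various packet attributes.`, and then adding a separate sentence: `The packet source interface name is preserved if the process saves and reuses the sockaddr_in it received (as natd(8) does) and the name, including its trailing NUL, fits in 8 bytes; otherwise it is lost.` Stating the NUL-inclusive limit also makes `shorter than 8 bytes` checkable against divert(4).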
>Release-Note:
>Audit-Trail:
>Unformatted:
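The sockaddr_in bookkeeping the Description relies on, as an added example written for this page (not code from the PR, natd or the FreeBSD kernel). It assumes the layout the Description gives: sin_addr carries the receive interface address (INADDR_ANY for an outgoing packet) and sin_zero carries the receive interface name only when it fits in 8 bytes including its NUL; the actual daemon loop would wrap these functions around recvfrom(2) and sendto(2) on the divert socket.

```c
/* Added example, not PR/natd/kernel code. Assumed from the Description:
 * sin_addr = receive interface address (INADDR_ANY for an outgoing packet),
 * sin_zero = receive interface name when it fits in 8 bytes including NUL. */
#include <netinet/in.h>
#include <string.h>

#define DIVERT_IFNAME_ROOM (sizeof(((struct sockaddr_in *)0)->sin_zero)) /* 8 bytes after the address */

/* Name is stored only if it fits with its NUL: at most 7 characters, so
 * "vlan1000" is dropped, which is why the patch says "shorter than 8 bytes". */
int divert_ifname_fits(const char *ifname)
{
    return strlen(ifname) < DIVERT_IFNAME_ROOM;
}

/* Fill a sockaddr_in the way the Description says ip_divert.c does
 * (constructed for the test; the kernel's own code is not reproduced). */
void divert_fill_addr(struct sockaddr_in *sin, in_addr_t ifaddr, const char *ifname)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = ifaddr;
    if (ifname != NULL && divert_ifname_fits(ifname))
        memcpy(sin->sin_zero, ifname, strlen(ifname) + 1);
}

int divert_is_incoming(const struct sockaddr_in *sin)
{
    return sin->sin_addr.s_addr != htonl(INADDR_ANY);
}

/* Name handed to a divert consumer: copies exactly 8 bytes and adds its own
 * terminator, so an unterminated sin_zero cannot overrun. 1 = name present,
 * 0 = field empty, -1 = output buffer too small. */
int divert_recv_ifname(const struct sockaddr_in *sin, char *out, size_t outlen)
{
    if (outlen < DIVERT_IFNAME_ROOM + 1)
        return -1;
    memcpy(out, sin->sin_zero, DIVERT_IFNAME_ROOM);
    out[DIVERT_IFNAME_ROOM] = '\0';
    return out[0] != '\0';
}

/* The natd(8) behaviour the Description credits: keep the received address
 * verbatim for sendto(2). Building a fresh sockaddr_in with sin_zero cleared
 * is what loses the source interface. */
void divert_prepare_reinject(const struct sockaddr_in *received, struct sockaddr_in *reinject)
{
    memcpy(reinject, received, sizeof(*reinject));
}
```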