On Tue, Mar 27, 2001 at 10:48:26AM -0600, Jonathan Lemon wrote:
> On Tue, Mar 27, 2001 at 06:36:46PM +0200, Jesper Skriver wrote:
> > On Tue, Mar 27, 2001 at 10:19:22AM -0600, Jonathan Lemon wrote:
> > >
> > > I forget why I picked ENETRESET; probably because it was the
> > > first thing that leaped out at me when I quickly skimmed over
> > > <sys/errno.h> looking for an appropriate error code; but I
> > > didn't consider the UDP case.
> >
> > --- src/sys/netinet/ip_input.c 2001/03/08 23:14:54 > > 1.130.2.21 > > +++ src/sys/netinet/ip_input.c 2001/03/27 16:35:15 
> > @@ -1484,7 +1484,7 @@ > > EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, > > EMSGSIZE, EHOSTUNREACH, 0, 0, > > 0, 0, > > 0, 0, > > - ENOPROTOOPT, ENETRESET > > + ENOPROTOOPT, ECONNREFUSED > > };
>
> Yes, I think this probably is the best approach; just get rid
> of the ENETRESET altogether for this case.

In follow-up to this discussion from March (yes, I'm a slow reader ;-), I'd like to propose that we do, in fact, s/ENETRESET/ECONNREFUSED/ in the inetctlerrmap in ip_input.c.

At work, we make extensive use of nmap, which uses a mixture of OS-provided stack features and direct packet capture/generation. We discovered that the icmp_may_rst code added to FreeBSD causes nmap to report incorrect results when ICMP_UNREACH_*_PROHIB messages are received in response to connect(2).

We've considered just disabling the tunable, changing nmap, or changing FreeBSD. After much analysis, we've concluded that the most sensible change is for FreeBSD to generate an ECONNREFUSED in response to the icmp unreach prohib messages. I'm sure other applications expect ECONNREFUSED but not ENETRESET in response to connect(2) calls as well.

Since this only occurs in the TCPS_SYN_SENT state, there cannot be an actual tcp connection in place to reset. And, since we're in a SYN_SENT state, what is most likely happening is that our connection request is being refused by the remote host (or an upstream router/firewall). Finally, ECONNREFUSED is, and long has been, a documented error in the connect(2) man page.

While I'm at it, I'll be bold and request that if this change is acceptable, it be MFC'd for 4.4-RELEASE (I think this is a low-risk, high-payoff change, but opinions may vary). (I do like the icmp_may_rst behavior in general, of course.)

I've attached a copy of the desired patch since the one above may be hosed by message reformatting.

cheers,
--Scott

--
Scott Renfro <[EMAIL PROTECTED]> +1 650 862 4206
--- src/sys/netinet/ip_input.c.orig Wed Aug 22 01:49:43 2001 +++ src/sys/netinet/ip_input.c Wed Aug 22 01:50:06 2001 @@ -1562,7 +1562,7 @@ EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, EMSGSIZE, EHOSTUNREACH, 0, 0, 0, 0, 0, 0, - ENOPROTOOPT, ENETRESET + ENOPROTOOPT, ECONNREFUSED }; /*
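
Review bot: the changed last entry of the array ("ENOPROTOOPT, ECONNREFUSED") has no comment saying which control code that slot maps, and the rationale in the mail (only reached in TCPS_SYN_SENT, so there is no connection to reset) is specific to TCP while the quoted discussion also raises a UDP case. Suggest a short comment on that line naming the ICMP unreach prohib case it covers, plus a sentence in the commit message on what a non-TCP socket will now see for the same slot, since ECONNREFUSED is returned wherever this table entry is consulted. The attached hunk is at line 1562 and the quoted one at 1484, so it is worth stating which branch each applies to if the MFC for 4.4-RELEASE goes ahead.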