As another heavy nmap user, I'd vote just the other way. It's useful
to differentiate between a reset coming back from the destination host
and an unreachable from a firewall/router-acl. Ordinary apps probably
don't care all that much about why a connection could not be established,
and just report the error to the user.
Barney Wolff
On Wed, Aug 22, 2001 at 02:05:04AM -0700, Scott Renfro wrote:
> On Tue, Mar 27, 2001 at 10:48:26AM -0600, Jonathan Lemon wrote:
> > On Tue, Mar 27, 2001 at 06:36:46PM +0200, Jesper Skriver wrote:
> > > On Tue, Mar 27, 2001 at 10:19:22AM -0600, Jonathan Lemon wrote:
> > > >
> > > > I forget why I picked ENETRESET; probably because it was the
> > > > first thing that leaped out at me when I quickly skimmed over
> > > > <sys/errno.h> looking for an appropriate error code; but I
> > > > didn't consider the UDP case.
> > >
> > > --- src/sys/netinet/ip_input.c 2001/03/08 23:14:54
> > > 1.130.2.21
> > > +++ src/sys/netinet/ip_input.c 2001/03/27 16:35:15
> > > @@ -1484,7 +1484,7 @@
> > > EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
> > > EMSGSIZE, EHOSTUNREACH, 0, 0,
> > > 0, 0,
> > > 0, 0,
> > > - ENOPROTOOPT, ENETRESET
> > > + ENOPROTOOPT, ECONNREFUSED
> > > };
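Review bot: this copy of the hunk has been re-wrapped in transit and would not apply as shown: the revision `1.130.2.21` has been pushed onto its own line after the `---` header, the four-zero row is split into two `0, 0,` lines, and the `@@ -1484,7 +1484,7 @@` header promises 7 lines of context while only 5 follow it. It serves as an illustration of the intent; the attached copy further down is the one to review.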
> >
> > Yes, I think this probably is the best approach; just get rid
> > of the ENETRESET altogether for this case.
>
> In follow-up to this discussion from March (yes, I'm a slow reader ;-),
> I'd like to propose that we do, in fact, s/ENETRESET/ECONNREFUSED/ in
> the inetctlerrmap in ip_input.c.
>
> At work, we make extensive use of nmap, which uses a mixture of
> OS-provided stack features and direct packet capture/generation. We
> discovered that the icmp_may_rst code added to FreeBSD causes nmap to
> report incorrect results when ICMP_UNREACH_*_PROHIB messages are
> received in response to connect(2).
>
> We've considered just disabling the tunable, changing nmap, or changing
> FreeBSD. After much analysis, we've concluded that the most sensible change
> is for FreeBSD to generate an ECONNREFUSED in response to the icmp
> unreach prohib messages. I'm sure other applications expect
> ECONNREFUSED but not ENETRESET in response to connect(2) calls as well.
>
> Since this only occurs in the TCPS_SYN_SENT state, there cannot be an
> actual tcp connection in place to reset. And, since we're in a SYN_SENT
> state, what is most likely happening is that our connection request is
> being refused by the remote host (or an upstream router/firewall).
>
> Finally, ECONNREFUSED is, and long has been, a documented error in the
> connect(2) man page.
>
> While I'm at it, I'll be bold and request that if this change is
> acceptable, it be MFC'd for 4.4-RELEASE (I think this is a low-risk,
> high-payoff change, but opinions may vary). (I do like the icmp_may_rst
> behavior in general, of course.)
>
> I've attached a copy of the desired patch since the one above may be
> hosed by message reformatting.
>
> cheers,
> --Scott
>
> --
> Scott Renfro <[EMAIL PROTECTED]> +1 650 862 4206
> --- src/sys/netinet/ip_input.c.orig Wed Aug 22 01:49:43 2001
> +++ src/sys/netinet/ip_input.c Wed Aug 22 01:50:06 2001
> @@ -1562,7 +1562,7 @@
> EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
> EMSGSIZE, EHOSTUNREACH, 0, 0,
> 0, 0, 0, 0,
> - ENOPROTOOPT, ENETRESET
> + ENOPROTOOPT, ECONNREFUSED
> };
>
> /*
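Review bot: the changed slot is identified only by its position in the table, and nothing in the hunk's context says which ICMP unreachable codes it is consulted for; a comment on the `ENOPROTOOPT, ECONNREFUSED` row naming those codes (the proposal text calls them ICMP_UNREACH_*_PROHIB) would make the change reviewable without counting array entries. The first message in the thread also concedes that the UDP case was not considered when ENETRESET went into this table, so the commit message should state what a UDP socket now sees for these messages.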
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
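Added example, not code from this thread or from the FreeBSD source tree: a small C model of the errno mapping the two hunks change and of the SYN_SENT rule Scott describes, written for this page. The errno values follow the rows visible in the hunks; the `UNREACH_*` constants, the switch layout, and the `connect_error_on_unreach` and `classify_connect_error` helpers are this example's own assumptions, and behaviour for codes and states the thread does not discuss is deliberately left unmodelled.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* ICMP "destination unreachable" (type 3) codes, numbered as in RFC 792/1812.
 * Defined locally so the example does not depend on <netinet/ip_icmp.h>. */
enum {
    UNREACH_NET = 0, UNREACH_HOST = 1, UNREACH_PROTOCOL = 2, UNREACH_PORT = 3,
    UNREACH_NEEDFRAG = 4, UNREACH_SRCFAIL = 5,
    UNREACH_NET_PROHIB = 9, UNREACH_HOST_PROHIB = 10, UNREACH_FILTER_PROHIB = 13
};

/* Just enough TCP state for the decision the thread discusses. */
enum tcp_state { TCPS_CLOSED, TCPS_SYN_SENT, TCPS_ESTABLISHED };

static int is_prohib(int code)
{
    return code == UNREACH_NET_PROHIB || code == UNREACH_HOST_PROHIB ||
           code == UNREACH_FILTER_PROHIB;
}

/* Map an unreachable code to the errno a socket would be handed.
 * The errno choices follow the rows visible in the posted hunks; grouping the
 * codes in a switch instead of an index table is this example's own layout.
 * patched != 0 selects the proposed mapping (ECONNREFUSED for the three
 * administratively prohibited codes); 0 keeps the pre-patch ENETRESET. */
int unreach_to_errno(int code, int patched)
{
    switch (code) {
    case UNREACH_NET:
    case UNREACH_HOST:
    case UNREACH_SRCFAIL:
        return EHOSTUNREACH;
    case UNREACH_PROTOCOL:
    case UNREACH_PORT:
        return ECONNREFUSED;
    case UNREACH_NEEDFRAG:
        return EMSGSIZE;
    case UNREACH_NET_PROHIB:
    case UNREACH_HOST_PROHIB:
    case UNREACH_FILTER_PROHIB:
        return patched ? ECONNREFUSED : ENETRESET;
    default:
        return 0; /* 0 means "nothing to report", like the zero rows in the table */
    }
}

/* What a pending connect(2) sees when an unreachable arrives, in the model the
 * thread describes: with the icmp_may_rst tunable on, a prohib message aborts
 * a TCP connection only while it is in SYN_SENT, and the table's errno is
 * reported. Every other combination returns 0 (connection left alone); what the
 * real tcp_ctlinput does for other codes and states is not modelled here. */
int connect_error_on_unreach(enum tcp_state state, int code, int icmp_may_rst, int patched)
{
    if (!is_prohib(code) || !icmp_may_rst || state != TCPS_SYN_SENT)
        return 0;
    return unreach_to_errno(code, patched);
}

/* Application-side view, which is where the two sides of the thread differ:
 * after the patch a prohibited and a refused connect look the same to the caller. */
const char *classify_connect_error(int err)
{
    switch (err) {
    case 0:            return "connected";
    case ECONNREFUSED: return "refused (RST, or ICMP prohib after the patch)";
    case ENETRESET:    return "administratively prohibited (pre-patch ENETRESET)";
    case EHOSTUNREACH: return "host/network unreachable";
    default:           return "other";
    }
}

int main(void)
{
    /* Walk every code the table knows about and show both mappings side by side. */
    for (int code = UNREACH_NET; code <= UNREACH_FILTER_PROHIB; code++) {
        int before = unreach_to_errno(code, 0);
        int after  = unreach_to_errno(code, 1);
        if (before == 0)
            continue;
        printf("code %2d: before=%-14s after=%-14s -> app sees: %s\n", code,
               strerror(before), strerror(after), classify_connect_error(after));
    }
    return 0;
}
```

Running it prints one line per mapped code; the three prohibited codes are the only rows whose "before" and "after" columns differ, which is the whole substance of the patch and of Barney's objection to it.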