Re: IP options (was: Processing IP options reveals IPSTEALH router)

Yar Tikhiy Sat, 22 Dec 2001 11:13:23 -0800

On Thu, Dec 20, 2001 at 01:24:48AM +0300, Maxim Konovalov wrote:
> 
> > Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> > if a source-routed IP packet reachs the end of its route, but its
> > destination address doesn't match a current host/router, whether
> > the packet should be discarded, sent forth through usual routing
> > or accepted as destined for this host?  FreeBSD will route such a
> > packet as usual.
> 
> Stevens, TCP Ill. vII, p.257 says:
> 
> "If the destination address of the packet does not match one of the
> local addresses and the option is a strict source routing
> (IPOPT_SSRR), an ICMP source route failure error is sent. If a local
> address isn't listed in the route, the previous system sent the packet
> to the wrong host. This isn't an error for a loose source route
> (IPOPT_LSRR); it means IP must forward the packet toward the
> destionation."
> 
> That is what ip_input does near the line 1193.


Oops, it appeared that I misunderstood the way the source route
record worked.  FreeBSD does it right, except for a host (ipforwarding=0)
replying with error ICMP on some source route attempts.
What about the following small change?

--- /usr/src/sys/netinet.orig/ip_input.c        Fri Dec  7 00:54:48 2001
+++ netinet/ip_input.c  Fri Dec 21 19:08:56 2001
@@ -1212,13 +1212,13 @@
                        ia = (struct in_ifaddr *)
                                ifa_ifwithaddr((struct sockaddr *)&ipaddr);
                        if (ia == 0) {
+                               if (!ip_dosourceroute)
+                                       goto nosourcerouting;
                                if (opt == IPOPT_SSRR) {
                                        type = ICMP_UNREACH;
                                        code = ICMP_UNREACH_SRCFAIL;
                                        goto bad;
                                }
-                               if (!ip_dosourceroute)
-                                       goto nosourcerouting;
                                /*
                                 * Loose routing, and not at next destination
                                 * yet; nothing to do except forward.
@@ -1231,18 +1231,19 @@
                                 * End of source route.  Should be for us.
                                 */
                                if (!ip_acceptsourceroute)
-                                       goto nosourcerouting;
+                                       goto logandsendicmp;
                                save_rte(cp, ip->ip_src);
                                break;
                        }
 
                        if (!ip_dosourceroute) {
+nosourcerouting:
                                if (ipforwarding) {
                                        char buf[16]; /* aaa.bbb.ccc.ddd\0 */
                                        /*
                                         * Acting as a router, so generate ICMP
                                         */
-nosourcerouting:
+logandsendicmp:
                                        strcpy(buf, inet_ntoa(ip->ip_dst));
                                        log(LOG_WARNING, 
                                            "attempted source route from %s to %s\n",

-- 
Yar

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Re: IP options (was: Processing IP options reveals IPSTEALH router)

Reply via email to