[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kernel/1816: Repetable crashes of ipfilter code

To: Camiel Dobbelaar <dobbe@xs4all.nl>
Subject: Re: kernel/1816: Repetable crashes of ipfilter code
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Date: Tue, 08 May 2001 07:29:05 -0700
Cc: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,bugs@openbsd.org, ipfilter@coombs.anu.edu.au

On a FreeBSD system I get:

PING cwsys (10.1.1.1): 56 data bytes
36 bytes from cwsys (10.1.1.1): Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 f121   0 0000  ff  01 b482 10.1.1.2  10.1.1.1 

36 bytes from cwsys (10.1.1.1): Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 f136   0 0000  ff  01 b46d 10.1.1.2  10.1.1.1 

Having said that, your rule,

	block return-icmp in proto icmp from any to any

... is invalid.  You should not return an ICMP for a blocked ICMP, as 
it would cause an ICMP storm.  I cannot recall which RFC states that 
this should not be done, maybe someone on the list can quote the RFC 
number.

This reminds me of someone who my sister knew (actually the brother of 
her best friend at the time), while out camping an ingrown toenail on 
his big toe was bothering him.  PO'ed at the pain, he aimed his .22 at 
the ingrown part of his toe, and you guessed it, he shot off a piece of 
his toe.  I suppose his ingrown toenail hurt so much that he felt he 
had to do something about it and maybe alcohol had something to do with 
it too.  This is a true story I heard from my sister verified by her 
best friend's brother, the guy who shot off his toe!  IMO, returning 
ICMP for blocked ICMP rates about the same, well maybe not quite but 
both hurt in their own way.  Don't return ICMP for dropped ICMP 
packets.  :)

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <Pine.BSI.4.10.10105080832170.26363-100000@xs3.xs4all.nl>, 
Camiel Do
bbelaar writes:
> 
> Yep, you almost nailed it.
> 
> I could get it down to this:
> 
> ipf.rules:
> block return-icmp in proto icmp from any to any
> 
> - ipf -Fa -f /etc/ipf.rules
> - ping -R 127.0.0.1
> 
> For the ipfilter list: can this be reproduced on non-OpenBSD systems too?
> 
> --
> Cam
> 
> On Tue, 8 May 2001, Przemyslaw Frasunek wrote:
> 
> > On Tue, May 08, 2001 at 05:54:34AM -0000, venglin@freebsd.lublin.pl wrote:
> > > 	Sending ICMP ECHO with record route, directed to OpenBSD box
> > > 	with ipfilter enabled, causes 'panic: in_cksum: mp == NULL'.
> > 
> > I've noticed, that crash occurs only when record route packet is triggered
> > by rule containing return-icmp keyword. A simple workaround is to remove
> > return-icmp from rules which could match against ICMP packet.
>

Follow-Ups:
- Re: kernel/1816: Repetable crashes of ipfilter code
  - From: "Crist Clark" <crist.clark@globalstar.com>

References:
- Re: kernel/1816: Repetable crashes of ipfilter code
  - From: Camiel Dobbelaar <dobbe@xs4all.nl>

Prev by Date: Re: kernel/1816: Repetable crashes of ipfilter code
Next by Date: Re: kernel/1816: Repetable crashes of ipfilter code
Prev by thread: Re: kernel/1816: Repetable crashes of ipfilter code
Next by thread: Re: kernel/1816: Repetable crashes of ipfilter code
Index(es):
- Date
- Thread