kern/62385: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES

Oleg Bulyzhin oleg at rinet.ru
Thu Feb 5 04:30:27 PST 2004


>Number:         62385
>Category:       kern
>Synopsis:       [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 05 04:30:20 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Oleg Bulyzhin
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD lath.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #1: Thu Dec 11 14:25:00 MSK 2003 root at lath.rinet.ru:/lh/obj/lh/src/sys/lath i386

	Same bug in CURRENT.
>Description:
	If you are using ipfw2 for layer2 packet filtering you may get
	confusing 'no buffer space available' (instead of 'permission denied')
	messages from various applications.

>How-To-Repeat:
	Build world & kernel with ipfw2 enabled.

	root at lath# ifconfig fxp0 10.10.10.1/30 alias
	root at lath# arp -s 10.10.10.2 00:ff:00:ff:ff:ff
	root at lath# ipfw add 1 deny ip from any to any layer2 MAC 00:ff:00:ff:ff:ff any
	00001 deny ip from any to any layer2 MAC 00:ff:00:ff:ff:ff any
	root at lath# sysctl net.link.ether.ipfw=1
	net.link.ether.ipfw: 0 -> 1
	root at lath# ping -c 5 10.10.10.2
	PING 10.10.10.2 (10.10.10.2): 56 data bytes
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available
	ping: sendto: No buffer space available

	--- 10.10.10.2 ping statistics ---
	5 packets transmitted, 0 packets received, 100% packet loss

>Fix:
	Here is a patch for 4.9-RELEASE-p1:

--- if_ethersubr.c.orig	Thu Jul 31 15:09:48 2003
+++ if_ethersubr.c	Thu Feb  5 15:19:11 2004
@@ -416,7 +416,7 @@
 		if (ether_ipfw_chk(&m, ifp, &rule, eh, 0) == 0) {
 			if (m) {
 				m_freem(m);
-				return ENOBUFS;	/* pkt dropped */
+				return EACCES;	/* pkt dropped */
 			} else
 				return 0;	/* consumed e.g. in a pipe */
 		}
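
Review bot: The new EACCES return in the m != NULL branch applies to every case where ether_ipfw_chk() returns 0 and leaves the mbuf in place, and the hunk does not show whether all of those cases are rule denials. If that function can also return 0 with m still set after a resource failure, those drops would now be reported to applications as permission errors, so this is worth confirming against ether_ipfw_chk() before committing. The comment on the changed line still reads `/* pkt dropped */`; something like `/* pkt dropped by ipfw rule */` would record why EACCES is the right code at this point.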



>Release-Note:
>Audit-Trail:
>Unformatted:

