kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket under certain situations

Xin LI delphij at
Wed Apr 19 10:50:19 UTC 2006

The following reply was made to PR kern/95559; it has been noted by GNATS.

From: Xin LI <delphij at>
To: Gleb Smirnoff <glebius at>, gnn at, Robert Watson <rwatson at>, mlaier at
Cc: Xin LI <delphij at>, dhartmei at,  FreeBSD-gnats-submit at
Subject: Re: kern/95559: [RELENG_6] write(2) fails with EPERM on TCP socket
	under certain situations
Date: Wed, 19 Apr 2006 18:48:39 +0800

 Hi, Gleb!
 On Wed, 2006-04-19 at 14:38 +0400, Gleb Smirnoff wrote:
 > X> 	By removing either rule from the pf.conf seems to work
 > X> around the issue.  However, we have grep'ed EPERM from netinet
 > X> and pf code and found that there is not a reasonable reason
 > X> why write(2) would return EPERM in the code path.
 > I think this behavior is correct. The traffic from host to jail
 > is routed through lo0, however within a jail the hosts address
 > is a foreign one, and thus is routed via some interface, not lo0.
 > So traffic from host to jail runs through lo0 and traffic from
 > jail to host doesn't.
 > With the above rules you establish TCP scrubbing in pf, which
 > requires inspecting and normalizing TCP packets in both
 > directions. However, you skip pf processing for one direction,
 > and pf sees only half of TCP connection and assumes connection
 > bogus and thus denies it.
 The strange thing is that the TCP connection (in ESTABLISHED state)'s
 socket will return EPERM after a good bunch of successful write() calls.
 Will pf happen to see only half of the TCP connection if it is in
 Xin LI <delphij delphij net>
