docs/132190: EPERM explanation for send(2), sendto(2), and sendmsg(2) system calls is incomplete

[Karl Lehenbauer]

>Number:         132190
>Category:       docs
>Synopsis:       EPERM explanation for send(2), sendto(2), and sendmsg(2) system calls is incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 28 09:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Karl Lehenbauer
>Release:        7.1-STABLE
>Organization:
FlightAware
>Environment:
FreeBSD xxx.flightaware.com 7.1-STABLE FreeBSD 7.1-STABLE #1: Wed Jan 28 12:20:44 CST 2009     xxx at ixxx.flightaware.com:/usr/obj/usr/src/sys/YANKEE  amd64

>Description:
In the send, sendto and sendmsg system calls, the description for an EPERM result is:

The process using a SOCK_RAW socket was jailed and thesource address specified in the IP header did not  match the IP address bound to the prison.

While this is probably true (I haven't checked), a far more common reason for getting EPERM is that the firewall denied the packet.  If you attempt to use send, sendto or sendmsg and the firewall denies the packet, you'll get EPERM.

You can test this by firewalling some IP address and then trying to ping it from the same machine.  You'll get "sendto: permission denied" out of ping.

I propose the wording be changed to something like:

The packet was rejected for sending due to firewall rules on the local machine, or the process using a SOCK_RAW socket was jailed and the source address specified in the IP header did not  match the IP address bound to the prison.

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: