svn commit: r339558 - head/sys/netinet
Eugene Grosbein
eugen at FreeBSD.org
Sun Oct 21 21:29:21 UTC 2018
Author: eugen
Date: Sun Oct 21 21:29:19 2018
New Revision: 339558
URL: https://svnweb.freebsd.org/changeset/base/339558
Log:
New sysctl: net.inet.icmp.error_keeptags
Currently, the icmp_error() function copies the FIB number from the original packet
into the generated ICMP response but not the mbuf_tags(9) chain.
This prevents us from easily matching ICMP responses corresponding
to tagged original packets by means of a packet filter such as ipfw(8).
For example, ICMP "time-exceeded in-transit" packets usually generated
in response to traceroute probes lose tags attached to original packets.
This change adds a new sysctl net.inet.icmp.error_keeptags
that defaults to 0 to avoid extra overhead when this feature is not needed.
Set net.inet.icmp.error_keeptags=1 to make icmp_error() copy mbuf_tags
from the original packet to the generated ICMP response.
PR: 215874
MFC after: 1 month
Modified:
head/sys/netinet/ip_icmp.c
Modified: head/sys/netinet/ip_icmp.c
==============================================================================
--- head/sys/netinet/ip_icmp.c Sun Oct 21 21:17:42 2018 (r339557)
+++ head/sys/netinet/ip_icmp.c Sun Oct 21 21:29:19 2018 (r339558)
@@ -158,6 +158,12 @@ SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstamprepl, CTLFL
&VNET_NAME(icmptstamprepl), 0,
"Respond to ICMP Timestamp packets");
+VNET_DEFINE_STATIC(int, error_keeptags) = 0;
+#define V_error_keeptags VNET(error_keeptags)
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, error_keeptags, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(error_keeptags), 0,
+ "ICMP error response keeps copy of mbuf_tags of original packet");
+
#ifdef ICMPPRINTFS
int icmpprintfs = 0;
#endif
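Review bot: the new net.inet.icmp.error_keeptags knob is documented only by its one-line SYSCTL_INT description, and the commit modifies nothing but ip_icmp.c. Please add an entry to icmp(4) next to the other net.inet.icmp variables, stating the default of 0 and that with the knob set to 1 every tag on the offending packet is carried onto the kernel-generated ICMP error. That matters to anyone auditing an ipfw(8) ruleset, because tag-matching rules written with only forwarded traffic in mind will then also match locally generated ICMP errors.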
@@ -367,6 +373,10 @@ stdreply: icmpelen = max(8, min(V_icmp_quotelen, ntohs
nip->ip_p = IPPROTO_ICMP;
nip->ip_tos = 0;
nip->ip_off = 0;
+
+ if (V_error_keeptags)
+ m_tag_copy_chain(m, n, M_NOWAIT);
+
icmp_reflect(m);
freeit:
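Review bot: the result of `m_tag_copy_chain(m, n, M_NOWAIT);` is discarded, so an allocation failure under M_NOWAIT is silent and the ICMP error is still passed to icmp_reflect(m) without the tags. A filter rule that relies on the tag to pass or classify these responses would then not match, and nothing in this path records why. Please check the return value and either account for the failure (a counter, or dropping the reply via the existing `freeit:` path if tagged delivery is meant to be guaranteed) or add a comment stating that the copy is best effort, so that rulesets are not written on the assumption that the tag is always present.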