On Fri, Nov 09, 2018 at 12:36:20PM -0700, Alexander Bluhm wrote:
> On Fri, Nov 09, 2018 at 08:24:47PM +0100, Jan Klemkow wrote:
> > Perfect, I also think it's more intuitive to get a "permission denied"
> > in case of a pf(4) block than a "Host is unreachable".  The diff below
> > corrects the kernel and extends the manpage for pf(4) blocks.
> 
> Don't forget divert_output() and rip_output().

You are right, I missed that.  Fix below.

Thanks,
Jan

Index: sys/netinet/ip_divert.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_divert.c,v
retrieving revision 1.59
diff -u -p -r1.59 ip_divert.c
--- sys/netinet/ip_divert.c     4 Oct 2018 17:33:41 -0000       1.59
+++ sys/netinet/ip_divert.c     9 Nov 2018 19:48:25 -0000
@@ -157,8 +157,6 @@ divert_output(struct inpcb *inp, struct 
 
                error = ip_output(m, NULL, &inp->inp_route,
                    IP_ALLOWBROADCAST | IP_RAWOUTPUT, NULL, NULL, 0);
-               if (error == EACCES)    /* translate pf(4) error for userland */
-                       error = EHOSTUNREACH;
        }
 
        divstat_inc(divs_opackets);
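Review bot: this hunk only covers the IPv4 divert path; if the IPv6 counterpart carries the same `if (error == EACCES) error = EHOSTUNREACH;` translation, it should be dropped in the same commit so that a pf(4) block reports the same errno on v4 and v6 divert sockets, otherwise the send.2 text added below will be true for only one address family.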
Index: sys/netinet/raw_ip.c
===================================================================
RCS file: /cvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.114
diff -u -p -r1.114 raw_ip.c
--- sys/netinet/raw_ip.c        4 Oct 2018 17:33:41 -0000       1.114
+++ sys/netinet/raw_ip.c        9 Nov 2018 19:46:33 -0000
@@ -292,8 +292,6 @@ rip_output(struct mbuf *m, struct socket
 
        error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
            inp->inp_moptions, inp, 0);
-       if (error == EACCES)    /* translate pf(4) error for userland */
-               error = EHOSTUNREACH;
        return (error);
 }
 
Index: sys/netinet/tcp_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_output.c,v
retrieving revision 1.127
diff -u -p -r1.127 tcp_output.c
--- sys/netinet/tcp_output.c    9 Nov 2018 14:14:31 -0000       1.127
+++ sys/netinet/tcp_output.c    9 Nov 2018 18:53:02 -0000
@@ -1084,8 +1084,6 @@ out:
                        tcp_mtudisc(tp->t_inpcb, -1);
                        return (0);
                }
-               if (error == EACCES)    /* translate pf(4) error for userland */
-                       error = EHOSTUNREACH;
                if ((error == EHOSTUNREACH || error == ENETDOWN) &&
                    TCPS_HAVERCVDSYN(tp->t_state)) {
                        tp->t_softerror = error;
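Review bot: removing the translation changes more than the errno here, because the test that follows it only recognises `EHOSTUNREACH` and `ENETDOWN`; an `EACCES` from ip_output() on a connection that has already received a SYN is therefore no longer recorded in `tp->t_softerror` and falls through to whatever the function returns after this block. If the intent is only to change what userland sees, add `error == EACCES` to that condition so a pf(4) block keeps the soft-error treatment; if the hard failure is intended, say so in the commit message.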
Index: sys/netinet/udp_usrreq.c
===================================================================
RCS file: /cvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.253
diff -u -p -r1.253 udp_usrreq.c
--- sys/netinet/udp_usrreq.c    4 Oct 2018 17:33:41 -0000       1.253
+++ sys/netinet/udp_usrreq.c    9 Nov 2018 18:52:08 -0000
@@ -1004,8 +1004,6 @@ udp_output(struct inpcb *inp, struct mbu
        error = ip_output(m, inp->inp_options, &inp->inp_route,
            (inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
            inp, ipsecflowinfo);
-       if (error == EACCES)    /* translate pf(4) error for userland */
-               error = EHOSTUNREACH;
 
 bail:
        m_freem(control);
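Review bot: after this hunk a UDP sendto() gets `EACCES` both for a pf(4) block and for the pre-existing broadcast-without-`SO_BROADCAST` case that ip_output() already reports; the removed translation was the only thing separating the two at the syscall boundary. That makes the send.2 change mandatory rather than optional, so please commit the manpage together with the kernel change rather than as a follow-up.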
Index: lib/libc/sys/send.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/send.2,v
retrieving revision 1.32
diff -u -p -r1.32 send.2
--- lib/libc/sys/send.2 5 Oct 2017 12:30:16 -0000       1.32
+++ lib/libc/sys/send.2 9 Nov 2018 19:06:47 -0000
@@ -162,7 +162,9 @@ The output queue for a network interface
 This generally indicates that the interface has stopped sending,
 but may be caused by transient congestion.
 .It Bq Er EACCES
-The
+The connection was blocked by
+.Xr pf 4 ,
+or
 .Dv SO_BROADCAST
 option is not set on the socket, and a broadcast address
 was given as the destination.
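Review bot: the new sentence reads "The connection was blocked by pf(4), or SO_BROADCAST option is not set on the socket", which is wrong in two small ways: UDP, raw and divert sockets send datagrams rather than connections, and the article before `.Dv SO_BROADCAST` was lost when "The" was split off the next line. Suggest `+The packet was blocked by` for the first added line and `+or the` for the third, so the entry reads "The packet was blocked by pf(4), or the SO_BROADCAST option is not set on the socket, and a broadcast address was given as the destination."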
