On Sat, Nov 10, 2018 at 11:22:48AM +0100, Claudio Jeker wrote:
> On Fri, Nov 09, 2018 at 03:49:32PM -0700, Alexander Bluhm wrote:
> > On Fri, Nov 09, 2018 at 09:03:20PM +0100, Jan Klemkow wrote:
> > > On Fri, Nov 09, 2018 at 12:36:20PM -0700, Alexander Bluhm wrote:
> > > > On Fri, Nov 09, 2018 at 08:24:47PM +0100, Jan Klemkow wrote:
> > > > > Perfect, I also think it's more intuitive to get a "permission denied"
> > > > > in case of a pf(4) block than a "Host is unreachable". The diff below
> > > > > corrects kernel and extends the manpage for pf(4) blocks.
> > > >
> > > > Don't forget divert_output() and rip_output().
> > >
> > > You are right, I missed that. Fix below.
> >
> > code is OK bluhm@
>
> Also OK claudio@
>
> > > --- lib/libc/sys/send.2 5 Oct 2017 12:30:16 -0000 1.32 > > > +++ lib/libc/sys/send.2 9 Nov 2018 19:06:47 -0000 > > > @@ -162,7 +162,9 @@ The output queue for a network interface > > > This generally indicates that the interface has stopped sending, > > > but may be caused by transient congestion. > > > .It Bq Er EACCES > > > -The > > > +The connection was blocked by > > > +.Xr pf 4 , > > > +or > > > .Dv SO_BROADCAST > > > option is not set on the socket, and a broadcast address > > > was given as the destination.
> >
> > I have seen man pages that have multiple entries of the errno,
> > instead of the "or" for different reasons in the text.
> >
> > +.It Bq Er EACCES > > +The connection was blocked by > > +.Xr pf 4 . > > .It Bq Er EACCES > > The > > .Dv SO_BROADCAST > > option is not set on the socket, and a broadcast address > > was given as the destination.
> >
> > What is our style here?
>
> This is something for jmc@ to decide. I'm happy with both versions.
Diff with fixed manpage from jmc. Thanks, Jan Index: sys/netinet/ip_divert.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_divert.c,v retrieving revision 1.59 diff -u -p -r1.59 ip_divert.c --- sys/netinet/ip_divert.c 4 Oct 2018 17:33:41 -0000 1.59 +++ sys/netinet/ip_divert.c 9 Nov 2018 19:48:25 -0000 @@ -157,8 +157,6 @@ divert_output(struct inpcb *inp, struct error = ip_output(m, NULL, &inp->inp_route, IP_ALLOWBROADCAST | IP_RAWOUTPUT, NULL, NULL, 0); - if (error == EACCES) /* translate pf(4) error for userland */ - error = EHOSTUNREACH; } divstat_inc(divs_opackets); Index: sys/netinet/raw_ip.c =================================================================== RCS file: /cvs/src/sys/netinet/raw_ip.c,v retrieving revision 1.114 diff -u -p -r1.114 raw_ip.c --- sys/netinet/raw_ip.c 4 Oct 2018 17:33:41 -0000 1.114 +++ sys/netinet/raw_ip.c 9 Nov 2018 19:46:33 -0000 @@ -292,8 +292,6 @@ rip_output(struct mbuf *m, struct socket error = ip_output(m, inp->inp_options, &inp->inp_route, flags, inp->inp_moptions, inp, 0); - if (error == EACCES) /* translate pf(4) error for userland */ - error = EHOSTUNREACH; return (error); } Index: sys/netinet/tcp_output.c =================================================================== RCS file: /cvs/src/sys/netinet/tcp_output.c,v retrieving revision 1.127 diff -u -p -r1.127 tcp_output.c --- sys/netinet/tcp_output.c 9 Nov 2018 14:14:31 -0000 1.127 +++ sys/netinet/tcp_output.c 9 Nov 2018 18:53:02 -0000 
@@ -1084,8 +1084,6 @@ out: tcp_mtudisc(tp->t_inpcb, -1); return (0); } - if (error == EACCES) /* translate pf(4) error for userland */ - error = EHOSTUNREACH; if ((error == EHOSTUNREACH || error == ENETDOWN) && TCPS_HAVERCVDSYN(tp->t_state)) { tp->t_softerror = error; Index: sys/netinet/udp_usrreq.c =================================================================== RCS file: /cvs/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.253 diff -u -p -r1.253 udp_usrreq.c --- sys/netinet/udp_usrreq.c 4 Oct 2018 17:33:41 -0000 1.253 +++ sys/netinet/udp_usrreq.c 9 Nov 2018 18:52:08 -0000 @@ -1004,8 +1004,6 @@ udp_output(struct inpcb *inp, struct mbu error = ip_output(m, inp->inp_options, &inp->inp_route, (inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions, inp, ipsecflowinfo); - if (error == EACCES) /* translate pf(4) error for userland */ - error = EHOSTUNREACH; bail: m_freem(control); Index: lib/libc/sys/send.2 =================================================================== RCS file: /cvs/src/lib/libc/sys/send.2,v retrieving revision 1.32 diff -u -p -r1.32 send.2 --- lib/libc/sys/send.2 5 Oct 2017 12:30:16 -0000 1.32 +++ lib/libc/sys/send.2 10 Nov 2018 10:26:11 -0000 @@ -162,10 +162,12 @@ The output queue for a network interface This generally indicates that the interface has stopped sending, but may be caused by transient congestion. .It Bq Er EACCES -The +The connection was blocked by +.Xr pf 4 , +or .Dv SO_BROADCAST -option is not set on the socket, and a broadcast address -was given as the destination. +is not set on the socket +and a broadcast address was given as the destination. .It Bq Er EHOSTUNREACH The destination address specified an unreachable host. .It Bq Er EINVAL
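Review bot: In the sys/netinet/tcp_output.c hunk, dropping the EACCES translation also changes which errors reach the soft-error branch directly below it. The condition `if ((error == EHOSTUNREACH || error == ENETDOWN) && TCPS_HAVERCVDSYN(tp->t_state))` matched a pf(4) block before this change and no longer does, so `tp->t_softerror = error;` is skipped for EACCES. If a pf block on a connection that has already received a SYN should still be handled as a soft error, add `error == EACCES` to that condition; if the different handling is intended, state it in the commit message.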
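Review bot: The lib/libc/sys/send.2 hunk is the only documentation update, while the kernel hunks change the errno coming out of tcp_output.c, udp_output(), rip_output() and divert_output(). The added text "The connection was blocked by" does not fit datagram sends through udp_output() or rip_output(), where there is no connection; wording such as "The packet was blocked by" would cover both cases. Also check whether the manual pages of other calls that reach these output paths need a matching EACCES entry.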