Date:      Tue, 8 Jun 2010 11:40:38 -0700
From:      Garrett Cooper <yanefbsd@gmail.com>
To:        sclark46@earthlink.net
Cc:        Guy Helmer <ghelmer@palisadesystems.com>, FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: FreeBSD eats 169.254.x.x addressed packets
Message-ID:  <AANLkTikXBgxRV4OHMxg-SAPhjNFOTTPJ4JtcMDl25BQH@mail.gmail.com>
In-Reply-To: <4C0E8C59.5010202@earthlink.net>
References:  <4C0E81D7.8020209@earthlink.net> <A289320A-8306-427B-A834-2D5DCD851F0C@palisadesystems.com> <4C0E8C59.5010202@earthlink.net>

On Tue, Jun 8, 2010 at 11:30 AM, Stephen Clark <sclark46@earthlink.net> wrote:
> On 06/08/2010 02:21 PM, Guy Helmer wrote:
>>
>> On Jun 8, 2010, at 12:45 PM, Stephen Clark wrote:
>>
>>> Hi,
>>>
>>> Why does FreeBSD 6.3 eat 169.254.x.x addressed packet when
>>> 4.9 didn't?
>>>
>>> ***** 6.3 *****
>>> $ sudo ipfstat -nio
>>> empty list for ipfilter(out)
>>> empty list for ipfilter(in)
>>> Z2984:~
>>> $ ifconfig rl0
>>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>  mtu 1500
>>>         options=8<VLAN_MTU>
>>>         inet 192.168.129.1 netmask 0xffffff00 broadcast 192.168.129.255
>>>         inet 169.254.1.1 netmask 0xffff0000 broadcast 169.254.255.255
>>>         ether 00:30:18:ae:7c:77
>>>         media: Ethernet autoselect (100baseTX<full-duplex>)
>>>         status: active
>>> Z2984:~
>>> $ ping 169.254.1.1
>>> PING 169.254.1.1 (169.254.1.1): 56 data bytes
>>> ^C
>>> --- 169.254.1.1 ping statistics ---
>>> 4 packets transmitted, 0 packets received, 100% packet loss
>>> Z2984:~
>>> $ uname -a
>>> FreeBSD Z2984.netwolves.com 6.3-RELEASE-p15 FreeBSD 6.3-RELEASE-p15 #17:
>>> Fri Apr 16 12:51:57 EST 2010
>>>
>>> **** 4.9 *****
>>> FreeBSD H101494.com 4.9-STABLE FreeBSD 4.9-STABLE #59: Thu Mar 30
>>> 13:42:10 EST 2006     root@A1234.com:/mnt2/src/sys/compile/  i386
>>> H101494# ipf -Fa
>>> H101494# ipfstat -nio
>>> empty list for ipfilter(out)
>>> empty list for ipfilter(in)
>>> H101494# ifconfig rl0
>>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>  mtu 1500
>>>         inet 10.254.151.1 netmask 0xffffff00 broadcast 10.254.151.255
>>>         inet 10.255.3.30 netmask 0xffffffff broadcast 10.255.3.30
>>>         inet 10.255.4.30 netmask 0xffffffff broadcast 10.255.4.30
>>>         inet 169.254.202.1 netmask 0xffff0000 broadcast 169.254.255.255
>>>         ether 00:30:18:a3:49:b5
>>>         media: Ethernet autoselect (none)
>>>         status: no carrier
>>> H101494# ping 169.254.202.1
>>> PING 169.254.202.1 (169.254.202.1): 56 data bytes
>>> 64 bytes from 169.254.202.1: icmp_seq=0 ttl=64 time=0.052 ms
>>> 64 bytes from 169.254.202.1: icmp_seq=1 ttl=64 time=0.080 ms
>>> 64 bytes from 169.254.202.1: icmp_seq=2 ttl=64 time=0.081 ms
>>> ^C
>>> --- 169.254.202.1 ping statistics ---
>>> 3 packets transmitted, 3 packets received, 0% packet loss
>>> round-trip min/avg/max/stddev = 0.052/0.071/0.081/0.013 ms
>>>
>>>
>>
>>
>> That was a feature added to sys/netinet/in.c and ip_input.c back in 2007
>> to obey RFC 3927 not to output datagrams destined for 169.254.0.0/16.
>>
>> On a system that needed to be able to send datagrams to 169.254.0.0/16
>> addresses, I wrote this patch to add a sysctl knob net.inet.fwd_link_local
>> to dynamically allow a system to send those datagrams:
>>
>>
>> Index: in.c
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> RCS file: /home/ncvs/src/sys/netinet/in.c,v
>> retrieving revision 1.102.2.4.2.1
>> diff -u -r1.102.2.4.2.1 in.c
>> --- in.c =A0 =A0 =A0 =A015 Apr 2009 03:14:26 -0000 =A0 =A0 =A01.102.2.4.=
2.1
>> +++ in.c =A0 =A0 =A0 =A029 Jul 2009 15:10:42 -0000
>> @@ -67,6 +67,9 @@
>> =A0 =A0 =A0 =A0 =A0 =A0struct in_ifaddr *, struct sockaddr_in *, int);
>> =A0static void =A0 in_purgemaddrs(struct ifnet *);
>>
>> +int ip_fwdlinklocal =3D 0;
>> +SYSCTL_INT(_net_inet_ip, OID_AUTO, fwd_link_local, CTLFLAG_RW,
>> + =A0 =A0 =A0 &ip_fwdlinklocal, 0, "Forward link-local addresses");
>> =A0static int subnetsarelocal =3D 0;
>> =A0SYSCTL_INT(_net_inet_ip, OID_AUTO, subnets_are_local, CTLFLAG_RW,
>> =A0 =A0 =A0 =A0&subnetsarelocal, 0, "Treat all subnets as directly conne=
cted");
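Review bot: The new OID is registered under `_net_inet_ip`, so the knob is `net.inet.ip.fwd_link_local`, not `net.inet.fwd_link_local` as the message introducing the patch calls it; anyone scripting or auditing the setting needs the former name. The description string should also say what enabling it changes, for example `"Forward datagrams for 169.254.0.0/16 (off by default per RFC 3927)"`, because with the knob set this host will pass link-local traffic that RFC 3927 expects to stay on one segment. Keeping the default at 0 preserves the RFC behaviour.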
>> @@ -129,7 +132,8 @@
>> =A0 =A0 =A0 =A0register u_long i =3D ntohl(in.s_addr);
>> =A0 =A0 =A0 =A0register u_long net;
>>
>> - =A0 =A0 =A0 if (IN_EXPERIMENTAL(i) || IN_MULTICAST(i) || IN_LINKLOCAL(=
i))
>> + =A0 =A0 =A0 if (IN_EXPERIMENTAL(i) || IN_MULTICAST(i) ||
>> + =A0 =A0 =A0 =A0 =A0 (!ip_fwdlinklocal&& =A0IN_LINKLOCAL(i)))
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return (0);
>> =A0 =A0 =A0 =A0if (IN_CLASSA(i)) {
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0net =3D i& =A0IN_CLASSA_NET;
>> Index: ip_input.c
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
>> retrieving revision 1.332.2.5.2.1
>> diff -u -r1.332.2.5.2.1 ip_input.c
>> --- ip_input.c =A015 Apr 2009 03:14:26 -0000 =A0 =A0 =A01.332.2.5.2.1
>> +++ ip_input.c =A029 Jul 2009 15:10:44 -0000
>> @@ -134,6 +134,7 @@
>> =A0static struct ifqueue ipintrq;
>> =A0static int =A0 =A0ipqmaxlen =3D IFQ_MAXLEN;
>>
>> +extern int ip_fwdlinklocal;
>> =A0extern =A0 =A0 =A0 =A0struct domain inetdomain;
>> =A0extern =A0 =A0 =A0 =A0struct protosw inetsw[];
>> =A0u_char =A0 =A0 =A0 =A0ip_protox[IPPROTO_MAX];
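Review bot: The added `extern int ip_fwdlinklocal;` is declared directly in ip_input.c, so the compiler cannot check it against the definition in in.c. Declaring it once in a header that both files include would catch a later change of type or name at build time. Judging by the neighbouring `extern` lines, the file already declares externals locally, so this is a style point rather than a defect.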
>> @@ -532,7 +533,7 @@
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0}
>> =A0 =A0 =A0 =A0}
>> =A0 =A0 =A0 =A0/* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0=
/16. */
>> - =A0 =A0 =A0 if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
>> + =A0 =A0 =A0 if (!ip_fwdlinklocal&& =A0IN_LINKLOCAL(ntohl(ip->ip_dst.s_=
addr))) {
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ipstat.ips_cantforward++;
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m_freem(m);
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return;
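Review bot: The comment above the changed test still reads as an unconditional rule, but the drop now happens only while `ip_fwdlinklocal` is 0. I would update it to `/* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16 unless ip_fwdlinklocal is set. */` so that a reader auditing the forwarding path sees the RFC behaviour can be switched off at run time. The test covers only `ip->ip_dst`; whether source addresses in that range are handled elsewhere cannot be seen from this hunk, whose enclosing function starts and ends outside it.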
>>
>>
>
> Hmmm... how is not responding to pings associated with forwarding?

    Depends on where the box is located that you're pinging from and
to (network topology). It looks like that section of code (and ones
following it in the same function) just drops the packet on the floor
if people attempt to route packets to/from 169.254.x.x.
Thanks,
-Garrett


