Date:      Wed, 13 Feb 2002 10:54:42 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Michael Meltzer <mjm@michaelmeltzer.com>, Attila Nagy <bra@fsn.hu>
Cc:        stable@FreeBSD.ORG
Subject:   Re: 127/8 in ip_output.c
Message-ID:  <20020213105442.A46245@sunbay.com>
In-Reply-To: <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu> <00c701c1b3f3$169409f0$34f820c0@ix1x1000>
References:  <00c701c1b3f3$169409f0$34f820c0@ix1x1000> <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu> <01a701c1b33c$733b99a0$34f820c0@ix1x1000> <20020212141520.A8237@sunbay.com> <00c701c1b3f3$169409f0$34f820c0@ix1x1000>



OK, got it.  Let me know if the attached patch fixes the problem for IPF.

On Tue, Feb 12, 2002 at 01:28:37PM -0500, Michael Meltzer wrote:
> http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-
> 
> I do not use squid, but http://www.squid-cache.org/Doc/FAQ/FAQ-17.html (the
> FreeBSD section) uses the 127.* game
> 
> http://cr.yp.to/djbdns/faq/cache.html#mixnmatch, it's the 127.* trick again,
> and if you want to service the inside address you need a rdr from the
> inside IP to 127.
> 
> 
> The point is this is too strong a position on the issue; maybe you want a
> sysctl around it, not unheard of for network RFCs. But frankly you are
> trying to build firewall functionality into the kernel when most people
> expect it in their ipf rule set. Worse yet, their rule set will look right
> when they try to open it up and lead to "craziness/frustration/very bad
> works" when it does not work as expected or meet their expectation about
> what is happening. I've been doing things like this on Solaris/FreeBSD for
> years to solve network problems.
> 
> MJM
> 
> PS. what is the view of the "group"?
> 
> ----- Original Message -----
> From: "Ruslan Ermilov" <ru@FreeBSD.ORG>
> To: "Michael Meltzer" <mjm@michaelmeltzer.com>
> Cc: <stable@FreeBSD.ORG>
> Sent: Tuesday, February 12, 2002 7:15 AM
> Subject: Re: 127/8 in ip_output.c
> 
> 
> > On Mon, Feb 11, 2002 at 03:41:15PM -0500, Michael Meltzer wrote:
> > >
> > >    I just got caught by the block of all 127/8 in ip_output.c. At this point
> > >    I have recompiled my system to remove it, but frankly I think it should
> > >    be removed from the OS. What happened is that it took out djbdns along
> > >    with IPF; those systems were configured based on their respective
> > >    HOWTOs. Unless someone wants to start changing all the HOWTOs this
> > >    is asking for trouble. This is not nice. Luckily I knew how to code,
> > >    where to look and how to compile a kernel; think everyone who uses FreeBSD
> > >    will be so lucky. The RFC wants to prevent 127/8 from leaving the
> > >    box, but could it be done without breaking the tools?
> > >
> > Could you please forward me a reference to this HOWTO?
> >
> >
> > Cheers,
> > --
> > Ruslan Ermilov Sysadmin and DBA,
> > ru@sunbay.com Sunbay Software AG,
> > ru@FreeBSD.org FreeBSD committer,
> > +380.652.512.251 Simferopol, Ukraine
> >
> > http://www.FreeBSD.org The Power To Serve
> > http://www.oracle.com Enabling The Information Age
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message

On Wed, Feb 13, 2002 at 09:35:02AM +0100, Attila Nagy wrote:
> Hello,
> 
> > http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-
> Besides that I often use jail to separate different services on the same
> machine.
> For this task I like to use addresses from the 127/8 range and bind the
> jails to those on the lo0 interface.
> 
> For a shell jail I can run this on 127.0.0.5 with an RDR line in
> /etc/ipnat.rules:
> rdr fxp0 1.2.3.4/32 port 22 -> 127.0.0.5 port 22
> 
> And if users want to connect out from this jail I specify a:
> map fxp0 127.0.0.5/32 -> 1.2.3.4/32
> 
> As you can see, this way I don't use 127/8 addresses on external
> interfaces, but the current behaviour stops this, because it sees the
> traffic before IPF can NAT the packets, so it denies 127.0.0.5.
> 
> I think this is not a breakage of the RFC, since I use 127/8 *internally*
> for an internal network (that's what 127/8 is for) and FreeBSD does not
> let it work.
> 
> I think it would be very good to have a sysctl for setting this...
> 
> Thanks,
> --------------------------------------------------------------------------
> Attila Nagy                                    e-mail:  Attila.Nagy@fsn.hu
> Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
> H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758


-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age


Index: ip_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.99.2.25
diff -u -p -r1.99.2.25 ip_output.c
--- ip_output.c	2002/02/01 10:42:09	1.99.2.25
+++ ip_output.c	2002/02/13 08:49:04
@@ -403,16 +403,6 @@ ip_output(m0, opt, ro, flags, imo)
 			goto bad;
 	}
 
-	/* 127/8 must not appear on wire - RFC1122. */
-	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
-	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
-		if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
-			ipstat.ips_badaddr++;
-			error = EADDRNOTAVAIL;
-			goto bad;
-		}
-	}
-
 	/*
 	 * Look for broadcast address and
 	 * verify user is allowed to send
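Review bot: removing the RFC 1122 test at this point leaves any packet that exits ip_output() between here and the `pass:` label (an early `goto done` or `goto bad` from the IPsec or filter code that follows `skip_ipsec:`) with no 127/8 check at all, so the move is only safe if every such early exit either discards the packet or hands it back through ip_output() later; the commit message should state that this was verified. The block is otherwise removed verbatim and re-added unchanged under `pass:`, so the counter (`ipstat.ips_badaddr`) and the `EADDRNOTAVAIL` error keep their meaning.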
@@ -775,6 +765,16 @@ skip_ipsec:
 	}
 
 pass:
+	/* 127/8 must not appear on wire - RFC1122. */
+	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+		if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
+			ipstat.ips_badaddr++;
+			error = EADDRNOTAVAIL;
+			goto bad;
+		}
+	}
+
 	m->m_pkthdr.csum_flags |= CSUM_IP;
 	sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_hwassist;
 	if (sw_csum & CSUM_DELAY_DATA) {
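Review bot: at `pass:` the packet has already passed through the processing that follows `skip_ipsec:`, including the filter/NAT hook the thread says rewrites the addresses, so `ip` must still point at the header of the current mbuf chain when this test reads `ip->ip_src.s_addr` and `ip->ip_dst.s_addr`; if any hook on that path can replace or pull up the chain, refresh with `ip = mtod(m, struct ip *);` before this block or the check inspects stale data. The comment should also record why the check now lives here rather than where it was: a rule such as `map fxp0 127.0.0.5/32 -> 1.2.3.4/32` legitimately rewrites a 127/8 source before the packet reaches the wire, and the earlier placement rejected that traffic. Suggest extending it to `/* 127/8 must not appear on wire - RFC1122.  Checked after the filter/NAT hooks so NAT may rewrite 127/8 addresses first. */`.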

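A user-space model of the ordering this thread argues about, added here as an example; it is not code from the patch, from FreeBSD, or from either poster. It runs the RFC 1122 127/8 test using the same expression as the kernel (`ntohl(addr) >> IN_CLASSA_NSHIFT == IN_LOOPBACKNET`) either before a NAT source rewrite, as at the check's original position in ip_output.c, or after it, as at the patch's `pass:` label. It shows why Attila's jail traffic under `map fxp0 127.0.0.5/32 -> 1.2.3.4/32` is refused in the first case and passes in the second, while a bare 127.0.0.1 source with no matching NAT rule is still refused on a non-loopback interface either way. The `pkt` and `map_rule` structures, the `*_case` functions and the destination address 192.0.2.10 are constructed for the example.

```c
/*
 * Added example, not kernel code: model the RFC 1122 "127/8 must not
 * appear on wire" check from ip_output() placed before or after a NAT
 * source rewrite.  Addresses and rules are constructed from the thread.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

#ifndef IN_CLASSA_NSHIFT
#define IN_CLASSA_NSHIFT 24
#endif
#ifndef IN_LOOPBACKNET
#define IN_LOOPBACKNET 127
#endif

/* The kernel's test: is the class-A network number of this address 127? */
static int is_loopback_net(uint32_t addr_be)
{
    return (ntohl(addr_be) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET;
}

/* Minimal model of an outgoing packet as ip_output() sees it (hypothetical). */
struct pkt {
    uint32_t src;            /* network byte order, like ip->ip_src.s_addr */
    uint32_t dst;
    int      on_loopback_if; /* stands in for (ifp->if_flags & IFF_LOOPBACK) */
};

/* Constructed ipnat-style "map from/mask -> to" source rewrite. */
struct map_rule {
    uint32_t from;
    uint32_t mask;
    uint32_t to;
};

static void nat_map(struct pkt *p, const struct map_rule *r)
{
    if (r != NULL && (p->src & r->mask) == (r->from & r->mask))
        p->src = r->to;
}

/* The check from the patch: 0 = may go out, EADDRNOTAVAIL = dropped. */
static int loopback_check(const struct pkt *p)
{
    if ((is_loopback_net(p->dst) || is_loopback_net(p->src)) &&
        !p->on_loopback_if)
        return EADDRNOTAVAIL;
    return 0;
}

enum check_order { CHECK_BEFORE_NAT, CHECK_AFTER_NAT };

/* Run the check before the NAT hook (old position) or after it (pass: label). */
static int ip_output_model(struct pkt p, const struct map_rule *r,
                           enum check_order o)
{
    int error;

    if (o == CHECK_BEFORE_NAT) {
        if ((error = loopback_check(&p)) != 0)
            return error;
        nat_map(&p, r);
        return 0;
    }
    nat_map(&p, r);
    return loopback_check(&p);
}

/* Attila's jail: source 127.0.0.5 leaving via fxp0 with
 * "map fxp0 127.0.0.5/32 -> 1.2.3.4/32".  Destination is constructed. */
static int jail_case(enum check_order o)
{
    struct map_rule r = { inet_addr("127.0.0.5"), 0xFFFFFFFFu,
                          inet_addr("1.2.3.4") };
    struct pkt p = { inet_addr("127.0.0.5"), inet_addr("192.0.2.10"), 0 };
    return ip_output_model(p, &r, o);
}

/* Leak: 127.0.0.1 source, no NAT rule, on a real interface. */
static int leak_case(enum check_order o)
{
    struct pkt p = { inet_addr("127.0.0.1"), inet_addr("192.0.2.10"), 0 };
    return ip_output_model(p, NULL, o);
}

/* Ordinary local traffic on lo0 is untouched in either position. */
static int lo0_case(enum check_order o)
{
    struct pkt p = { inet_addr("127.0.0.1"), inet_addr("127.0.0.1"), 1 };
    return ip_output_model(p, NULL, o);
}

int main(void)
{
    printf("jail, check before NAT: %s\n",
           jail_case(CHECK_BEFORE_NAT) ? "dropped" : "sent");
    printf("jail, check after NAT:  %s\n",
           jail_case(CHECK_AFTER_NAT) ? "dropped" : "sent");
    printf("leak, check after NAT:  %s\n",
           leak_case(CHECK_AFTER_NAT) ? "dropped" : "sent");
    return 0;
}
```

The model keeps the two halves of the kernel test separate on purpose: `is_loopback_net()` is the pure address classification and `loopback_check()` adds the interface condition, so the only thing that changes between the two runs is where the NAT rewrite sits relative to the check, which is exactly what the patch moves.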