Date:      Tue, 18 May 2021 19:51:38 -0400
From:      Joe Clarke <jclarke@marcuscom.com>
To:        Lutz Donnerhacke <donner@freebsd.org>
Cc:        src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: git: 3d846e48227e - main - Do not forward datagrams originated by link-local addresses
Message-ID:  <D759CEBE-115A-404D-B12C-20A673923092@marcuscom.com>
In-Reply-To: <202105182101.14IL1Gki054229@gitrepo.freebsd.org>
References:  <202105182101.14IL1Gki054229@gitrepo.freebsd.org>

Just out of curiosity, why remove the RFC reference from the comment?  Seems useful for those that want to know why this is a good practice.

Joe

PGP Key : https://www.marcuscom.com/pgp.asc

> On May 18, 2021, at 17:01, Lutz Donnerhacke <donner@freebsd.org> wrote:
>
> The branch main has been updated by donner:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=3d846e48227e2e78c1e7b35145f57353ffda56ba
>
> commit 3d846e48227e2e78c1e7b35145f57353ffda56ba
> Author:     Zhenlei Huang <zlei.huang@gmail.com>
> AuthorDate: 2021-05-18 20:51:37 +0000
> Commit:     Lutz Donnerhacke <donner@FreeBSD.org>
> CommitDate: 2021-05-18 20:59:46 +0000
>
>    Do not forward datagrams originated by link-local addresses
>
>    The current implementation of ip_input() rejects packets destined for
>    169.254.0.0/16, but not those originating from 169.254.0.0/16 link-local
>    addresses.
>
>    Fix to fully respect RFC 3927 section 2.7.
>
>    PR:             255388
>    Reviewed by:    donner, rgrimes, karels
>    MFC after:      1 month
>    Differential Revision:  https://reviews.freebsd.org/D29968
> ---
> sys/netinet/ip_input.c | 16 +++++++++-------
> 1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
> index 43d375c2385f..1139e3a5abfa 100644
> --- a/sys/netinet/ip_input.c
> +++ b/sys/netinet/ip_input.c
> @@ -738,15 +738,10 @@ passin:
>        }
>        ia = NULL;
>    }
> -    /* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */
> -    if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
> -        IPSTAT_INC(ips_cantforward);
> -        m_freem(m);
> -        return;
> -    }
>    if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
>        MROUTER_RLOCK();
> -        if (V_ip_mrouter) {
> +        /* Do not forward packets from IN_LINKLOCAL. */
> +        if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
>            /*
>             * If we are acting as a multicast router, all
>             * incoming multicast packets are passed to the
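Review bot: the replacement comment on the `V_ip_mrouter` condition drops the RFC 3927 section 2.7 citation that the deleted block carried; keep it, e.g. `/* RFC 3927 2.7: Do not forward datagrams from 169.254.0.0/16. */`, because the commit message names that section as the rationale and a reader of this branch alone can no longer see why link-local sources are excluded here. With the destination check moved out of this spot, a multicast datagram from a link-local source now skips the multicast-router hand-off entirely; what the function does with it after that is outside this hunk, so the comment should also say whether such a packet is dropped or still delivered locally.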
> @@ -785,6 +780,13 @@ passin:
>        goto ours;
>    if (ip->ip_dst.s_addr == INADDR_ANY)
>        goto ours;
> +    /* Do not forward packets to or from IN_LINKLOCAL. */
> +    if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
> +        IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
> +        IPSTAT_INC(ips_cantforward);
> +        m_freem(m);
> +        return;
> +    }
>
>    /*
>     * Not for us; forward if possible and desirable.
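Review bot: the new `IN_LINKLOCAL` check now sits after the `goto ours` tests for `INADDR_BROADCAST` and `INADDR_ANY`, so it only fires on the forwarding path, which is what RFC 3927 2.7 asks for; the comment should say so and cite the RFC rather than just `to or from IN_LINKLOCAL`, since the citation was removed from the earlier block. Also consider whether `ips_cantforward` is the right counter for the source-side drop: a link-local source is a different condition from an unroutable destination, and folding both into one statistic makes it harder to tell which rule is discarding traffic. If a dedicated counter is not warranted, at least note in the comment that both cases land in `ips_cantforward`.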
> _______________________________________________
> dev-commits-src-all@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all
> To unsubscribe, send any mail to "dev-commits-src-all-unsubscribe@freebsd.org"
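As an added example that is not part of the commit or of FreeBSD (the helper names `addr_h`, `forward_old`, `forward_new` and `would_forward` are assumptions of this example), the rule the commit implements, written as a user-space C check so the before and after behaviour of ip_input() can be compared on a few constructed source/destination pairs:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not FreeBSD code: the RFC 3927 section 2.7 forwarding rule
 * in user space, contrasting the old destination-only test in ip_input()
 * with the fixed source-or-destination test from commit 3d846e48227e.
 * Addresses are handled in host byte order, as the kernel does after ntohl().
 */

/* Same shape as the IN_LINKLOCAL macro in sys/netinet/in.h: 169.254.0.0/16. */
#define IN_LINKLOCAL(i) (((uint32_t)(i) & 0xffff0000U) == 0xa9fe0000U)

/* Hypothetical helper (not in the kernel): dotted quad -> host-order uint32. */
static uint32_t
addr_h(const char *dotted)
{
	struct in_addr a;

	if (inet_pton(AF_INET, dotted, &a) != 1)
		return (0);
	return (ntohl(a.s_addr));
}

/* Before the fix: only a link-local destination blocked forwarding. */
int
forward_old(uint32_t src_h, uint32_t dst_h)
{
	(void)src_h;	/* the source was never examined */
	return (!IN_LINKLOCAL(dst_h));
}

/* After the fix: a link-local source or destination blocks forwarding. */
int
forward_new(uint32_t src_h, uint32_t dst_h)
{
	return (!(IN_LINKLOCAL(dst_h) || IN_LINKLOCAL(src_h)));
}

/* Convenience wrapper taking dotted quads; fixed=0 is old, fixed=1 is new. */
int
would_forward(int fixed, const char *src, const char *dst)
{
	uint32_t s = addr_h(src), d = addr_h(dst);

	return (fixed ? forward_new(s, d) : forward_old(s, d));
}

int
main(void)
{
	/* Constructed sample flows, not captured traffic. */
	const char *cases[][2] = {
		{ "10.0.0.1",    "192.0.2.1"   },	/* ordinary unicast */
		{ "10.0.0.1",    "169.254.1.1" },	/* link-local dst   */
		{ "169.254.1.1", "10.0.0.1"    },	/* link-local src   */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-12s -> %-12s  old:%-7s  new:%s\n",
		    cases[i][0], cases[i][1],
		    would_forward(0, cases[i][0], cases[i][1]) ? "forward" : "drop",
		    would_forward(1, cases[i][0], cases[i][1]) ? "forward" : "drop");
	return (0);
}
```

The third case is the one the PR describes: the old test lets a datagram sourced from 169.254.1.1 through to the forwarding path, the fixed test drops it; addresses just outside the /16 (169.253.x.x, 169.255.x.x) are still forwarded by both.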