Date:      Thu, 17 Jun 2021 08:21:44 GMT
From:      Lutz Donnerhacke <donner@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 9d30353cb494 - stable/11 - Do not forward datagrams originated by link-local addresses
Message-ID:  <202106170821.15H8Lid0082844@gitrepo.freebsd.org>

The branch stable/11 has been updated by donner:

URL: https://cgit.FreeBSD.org/src/commit/?id=9d30353cb49467ba2b672673a5765588c4e857ec

commit 9d30353cb49467ba2b672673a5765588c4e857ec
Author:     Zhenlei Huang <zlei.huang@gmail.com>
AuthorDate: 2021-05-18 20:51:37 +0000
Commit:     Lutz Donnerhacke <donner@FreeBSD.org>
CommitDate: 2021-06-17 08:21:00 +0000

    Do not forward datagrams originated by link-local addresses
    
    The current implementation of ip_input() rejects packets destined for
    169.254.0.0/16, but not those originating from 169.254.0.0/16 link-local
    addresses.
    
    Fix to fully respect RFC 3927 section 2.7.
    
    PR:             255388
    Reviewed by:    donner, rgrimes, karels
    Differential Revision:  https://reviews.freebsd.org/D29968
    Reviewed by:    rgrimes, donner, karels, marcus, emaste
    Differential Revision: https://reviews.freebsd.org/D30374
    
    (cherry picked from commit 3d846e48227e2e78c1e7b35145f57353ffda56ba)
    (cherry picked from commit 03b0505b8fe848f33f2f38fe89dd5538908c847e)
---
 sys/netinet/ip_input.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 0f14889f355d..53978fd0fe6c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -733,14 +733,12 @@ passin:
 		IF_ADDR_RUNLOCK(ifp);
 		ia = NULL;
 	}
-	/* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */
-	if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
-		IPSTAT_INC(ips_cantforward);
-		m_freem(m);
-		return;
-	}
 	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
-		if (V_ip_mrouter) {
+		/*
+		 * RFC 3927 2.7: Do not forward multicast packets from
+		 * IN_LINKLOCAL.
+		 */
+		if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
 			/*
 			 * If we are acting as a multicast router, all
 			 * incoming multicast packets are passed to the
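Review bot: Relocating the destination check out of this spot is safe, because neither a multicast group, 255.255.255.255 nor 0.0.0.0 falls inside 169.254.0.0/16, so no link-local-destined packet gains a new delivery path by passing through the multicast, INADDR_BROADCAST and INADDR_ANY tests that now precede the moved check. The one behavioural change in this hunk is the extended condition `if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr)))`: a multicast packet from a link-local source is no longer handed to ip_mforward(), but it still reaches the shared `goto ours` at the end of the multicast block and is delivered locally, which is what RFC 3927 2.7 asks for (local delivery allowed, forwarding off-link not). The comment "Do not forward multicast packets from IN_LINKLOCAL" could say that the packet is kept from the multicast router but still delivered locally, since a reader of this branch might otherwise expect a drop and an `ips_cantforward` increment here as in the unicast case.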
@@ -775,6 +773,13 @@ passin:
 		goto ours;
 	if (ip->ip_dst.s_addr == INADDR_ANY)
 		goto ours;
+	/* RFC 3927 2.7: Do not forward packets to or from IN_LINKLOCAL. */
+	if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
+	    IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
+		IPSTAT_INC(ips_cantforward);
+		m_freem(m);
+		return;
+	}
 
 	/*
 	 * Not for us; forward if possible and desirable.
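Review bot: The combined source/destination test now sits after every `goto ours` exit and immediately before the "Not for us; forward if possible and desirable" branch, so a link-local-sourced packet addressed to this host is still accepted and only the forwarding case is refused, which is the correct reading of RFC 3927 2.7. Accounting stays consistent with the existing non-forwarding path: both this check and the `V_ipforwarding == 0` case that follows count the packet as `ips_cantforward` and free it silently, so no ICMP error is generated back toward a link-local source. Two points worth recording in the comment or the commit message: the check intentionally drops rather than falls through to ip_forward(), so a firewall or route hook later in the forwarding path will never see these packets, and the source-side check applies to unicast destinations only because the multicast case was handled separately in the first hunk.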