Date: Mon, 31 Aug 2020 01:45:49 +0000 (UTC) From: Kyle Evans <kevans@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r364982 - head/sys/netinet6 Message-ID: <202008310145.07V1jn1e003692@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kevans Date: Mon Aug 31 01:45:48 2020 New Revision: 364982 URL: https://svnweb.freebsd.org/changeset/base/364982 Log: ipv6: quit dropping packets looping back on p2p interfaces To paraphrase the below-referenced PR: This logic originated in the KAME project, and was even controversial when it was enabled there by default in 2001. No such equivalent logic exists in the IPv4 stack, and it turns out that this leads to us dropping valid traffic when the "point to point" interface is actually a 1:many tun interface, e.g. with the wireguard userland stack. Even in the case of true point-to-point links, this logic only avoids transient looping of packets sent by misconfigured applications or attackers, which can be subverted by proper route configuration rather than hardcoded logic in the kernel to drop packets. In the review, melifaro goes on to note that the kernel can't fix it, so it perhaps shouldn't try to be 'smart' about it. Additionally, that TTL will still kick in even with incorrect route configuration. PR: 247718 Reviewed by: melifaro, rgrimes MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D25567 Modified: head/sys/netinet6/ip6_forward.c Modified: head/sys/netinet6/ip6_forward.c ============================================================================== --- head/sys/netinet6/ip6_forward.c Mon Aug 31 00:59:02 2020 (r364981) +++ head/sys/netinet6/ip6_forward.c Mon Aug 31 01:45:48 2020 (r364982) @@ -260,24 +260,8 @@ again: * modified by a redirect. */ if (V_ip6_sendredirects && nh->nh_ifp == m->m_pkthdr.rcvif && !srcrt && - (nh->nh_flags & NHF_REDIRECT) == 0) { - if ((nh->nh_ifp->if_flags & IFF_POINTOPOINT) != 0) { - /* - * If the incoming interface is equal to the outgoing - * one, and the link attached to the interface is - * point-to-point, then it will be highly probable - * that a routing loop occurs. Thus, we immediately - * drop the packet and send an ICMPv6 error message. - * - * type/code is based on suggestion by Rich Draves. - * not sure if it is the best pick. - */ - icmp6_error(mcopy, ICMP6_DST_UNREACH, - ICMP6_DST_UNREACH_ADDR, 0); - goto bad; - } + (nh->nh_flags & NHF_REDIRECT) == 0) type = ND_REDIRECT; - } /* * Fake scoped addresses. Note that even link-local source or
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202008310145.07V1jn1e003692>