Date: Fri, 28 Feb 2025 00:41:43 +0800
From: Zhenlei Huang <zlei@FreeBSD.org>
To: FreeBSD Net <freebsd-net@freebsd.org>
Cc: Ed Maste <emaste@freebsd.org>
Subject: Fix forwarding net240 and net0, or update description of sysctl knobs net.inet.ip.allow_net{0, 240}
Message-ID: <983D4E90-44FD-483D-A07B-42FAE0B7C84C@FreeBSD.org>
Hi,

While hacking on https://reviews.freebsd.org/D49157 (netinet: Do not forward or ICMP response to INADDR_ANY) I found an inconsistency between the implementation and the description of the sysctl knobs net.inet.ip.allow_net{0, 240}.

net.inet.ip.allow_net240: Allow forwarding of and ICMP response to Experimental addresses, aka Class E (240/4)
net.inet.ip.allow_net0: Allow forwarding of and ICMP response to addresses in network 0/8

ip_forward() checks net240 and net0 via in_canforward(), but ip_tryforward(), well known as the fast forwarding path, from its initial version, does not. Since 33872124a5cf (Replace the fastforward path with tryforward ...), the sysctl knob net.inet.ip.fastforwarding (default off) is removed and is effectively always on; incoming packets are always checked via ip_tryforward(), hence bypassing the check of whether they are from / to net240 or net0.

To put it simply, net.inet.ip.allow_net240 and net.inet.ip.allow_net0 do not actually control how FreeBSD forwards net240 / net0.

Given that this behavior (always forward net240 / net0) has existed since 2015 and predates net.inet.ip.allow_net240 and net.inet.ip.allow_net0, and that allowing forwarding of traffic from / to net240 / net0 appears to have little impact, I think we probably have to keep this behavior rather than **FIX** it. So the descriptions of the two sysctl knobs should be updated, as well as the two IETF drafts [1] and [2], to avoid any confusion.

[1] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-240
[2] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-0

What do you think?

Best regards,
Zhenlei
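
Added example, not part of the message above and not FreeBSD source: a user-space C model of the two forwarding paths the message describes, showing why toggling the knob changes what ip_forward() alone would decide but not what the input path actually does. All model_* names, the sample addresses, the application of the gate to both source and destination, and the assumption that the fast path never declines a packet are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Stand-ins for net.inet.ip.allow_net0 / allow_net240 (set to 0 here). */
static bool allow_net0 = false;
static bool allow_net240 = false;

static bool is_net0(uint32_t a)   { return (a >> 24) == 0; }   /* 0/8   */
static bool is_net240(uint32_t a) { return (a >> 28) == 0xf; } /* 240/4 */

/* Model of the in_canforward() gate: refuse net0/net240 unless allowed. */
static bool model_canforward(uint32_t a)
{
    if (is_net240(a) && !allow_net240) return false;
    if (is_net0(a) && !allow_net0) return false;
    return true;
}

/* Slow path: ip_forward() consults the gate.
 * Assumption: applied to src and dst, following the message's "from / to". */
static bool model_ip_forward(uint32_t src, uint32_t dst)
{
    return model_canforward(src) && model_canforward(dst);
}

/* Fast path: per the message, no net0/net240 check.
 * Assumption: this model's fast path never declines a packet. */
static bool model_ip_tryforward(uint32_t src, uint32_t dst)
{
    (void)src; (void)dst;
    return true;
}

/* Input: fast path first; slow path only sees what the fast path declines. */
static bool model_input(uint32_t src, uint32_t dst)
{
    return model_ip_tryforward(src, dst) || model_ip_forward(src, dst);
}

int main(void)
{
    uint32_t src = IP4(10, 0, 0, 1), dst = IP4(240, 0, 0, 1); /* constructed */
    for (int on = 0; on <= 1; on++) {
        allow_net240 = on;
        printf("allow_net240=%d  ip_forward alone: %d  actual input path: %d\n",
               on, model_ip_forward(src, dst), model_input(src, dst));
    }
    return 0;
}
```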