From: Zhenlei Huang
To: FreeBSD Net
Cc: Ed Maste
Subject: Fix forwarding net240 and net0, or update description of sysctl knobs net.inet.ip.allow_net{0, 240}
Date: Fri, 28 Feb 2025 00:41:43 +0800
Message-Id: <983D4E90-44FD-483D-A07B-42FAE0B7C84C@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hi,

While hacking on https://reviews.freebsd.org/D49157 (netinet: Do not forward or ICMP response to INADDR_ANY) I found an inconsistency between the implementation and the description of the sysctl knobs net.inet.ip.allow_net{0, 240}.

net.inet.ip.allow_net240: Allow forwarding of and ICMP response to Experimental addresses, aka Class E (240/4)
net.inet.ip.allow_net0: Allow forwarding of and ICMP response to addresses in network 0/8

ip_forward() checks net240 and net0 via in_canforward(), but ip_tryforward(), well known as the fast forwarding path, from its initial version, does not. Since 33872124a5cf (Replace the fastforward path with tryforward ...), the sysctl knob net.inet.ip.fastforwarding (default off) is removed and is effectively always on; incoming packets are always checked via ip_tryforward(), hence bypassing the check of whether they are from / to net240 or net0.

To put it simply, net.inet.ip.allow_net240 and net.inet.ip.allow_net0 do not actually control how FreeBSD forwards net240 / net0.

Given this behavior (always forward net240 / net0) has existed since 2015 and predates net.inet.ip.allow_net240 and net.inet.ip.allow_net0, and it appears to have little impact to allow forwarding that traffic from / to net240 / net0, I think we probably have to keep this behavior rather than **FIX** it. So the description of the two sysctl knobs should be updated, as well as the two IETF drafts [1] and [2], to avoid any confusion.

[1] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-240
[2] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-0

What do you think?

Best regards,
Zhenlei
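
The mismatch described in the message, as an added example that is not part of the original post and is not FreeBSD kernel code: a user-space C model comparing what the knob descriptions promise with the forwarding behaviour the message reports. All struct and function names are hypothetical, the sample addresses are constructed, and only the net0 / net240 aspect of forwarding is modelled.

```c
/* Added example: user-space model only, not FreeBSD kernel code.
 * Every name below is hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

struct knobs { int allow_net0; int allow_net240; };  /* models the two sysctls */

/* 0/8: the top octet is zero. */
static int is_net0(uint32_t h)   { return (h & 0xff000000u) == 0; }
/* 240/4 (Class E): the top four bits are all ones. */
static int is_net240(uint32_t h) { return (h & 0xf0000000u) == 0xf0000000u; }

/* What the knob descriptions promise: forwarding is gated on the knobs. */
int documented_forward(uint32_t h, struct knobs k)
{
    if (is_net0(h) && !k.allow_net0) return 0;
    if (is_net240(h) && !k.allow_net240) return 0;
    return 1;
}

/* What the message reports for the always-on fast path:
 * no net0 / net240 check, so the knobs are never consulted. */
int reported_forward(uint32_t h, struct knobs k)
{
    (void)h; (void)k;
    return 1;
}

/* 1 if the knobs say "do not forward" yet the reported path forwards,
 * 0 if both agree, -1 if the address string is malformed. */
int knob_bypassed(const char *dotted, struct knobs k)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    uint32_t h = ntohl(a.s_addr);
    return !documented_forward(h, k) && reported_forward(h, k);
}

int main(void)
{
    /* Constructed sample destinations, evaluated with both knobs off. */
    const char *dst[] = { "0.1.2.3", "240.0.0.1", "192.0.2.1", "239.255.255.255" };
    struct knobs off = { 0, 0 };
    for (size_t i = 0; i < sizeof(dst) / sizeof(dst[0]); i++)
        printf("%-16s knob bypassed: %d\n", dst[i], knob_bypassed(dst[i], off));
    return 0;
}
```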