Date: Sat, 03 Feb 2007 06:16:55 +0000
From: Bruce M Simpson
To: net@FreeBSD.org
Subject: [PATCH] ip_fastfwd forwards directed broadcasts

Hi,

Attached is a patch which tells our IPv4 fast-forwarding path to drop directed broadcast packets. The checks originally put in ip_fastfwd.c can deal only with undirected broadcasts. Whilst this patch doesn't mitigate the resulting CPU consumption, it does the right thing by letting the FIB deal with the hard work of determining whether or not a given destination address is for a broadcast destination.

Normally, RTF_BROADCAST is set on routes which were added as a result of a call to arpresolve() to resolve the broadcast address, and thus in_addroute(). This is fine and covers the case where the directed broadcast address is known to the router -- which is what we want 99% of the time.

The fix in PR 98799 is not the right fix: in_broadcast() can potentially return an IPv4 destination address as not being a broadcast address, because it only walks the address list hung off the single ifnet pointer provided. We perform a route lookup anyway, so let the FIB do the work.

To detect directed broadcasts being propagated beyond a single hop would require cooperation from a routing daemon which is smart enough to set RTF_BROADCAST on the routes which it pushes to the kernel FIB for the network prefixes it learns; the router has to have topology information before it can do anything, otherwise, it's just another IPv4 address.

Regards,
BMS

Index: ip_fastfwd.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fastfwd.c,v retrieving revision 1.37 diff -u -p -r1.37 ip_fastfwd.c --- ip_fastfwd.c 17 Aug 2006 00:37:03 -0000 1.37 +++ ip_fastfwd.c 3 Feb 2007 06:11:08 -0000 @@ -418,9 +418,11 @@ passin: ifp = ro.ro_rt->rt_ifp; /* - * Immediately drop blackholed traffic. + * Immediately drop blackholed traffic, and directed broadcasts + * for either the all-ones or all-zero subnet addresses on + * locally attached networks. */ - if (ro.ro_rt->rt_flags & RTF_BLACKHOLE) + if ((ro.ro_rt->rt_flags & (RTF_BLACKHOLE|RTF_BROADCAST)) != 0) goto drop; /*
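
Review bot: The new comment above the flag test promises more than the test itself checks: it says directed broadcasts "for either the all-ones or all-zero subnet addresses on locally attached networks" are dropped, but the condition only looks at RTF_BROADCAST on the route the lookup returned. Per the cover message that flag is set on routes added through arpresolve() and in_addroute(), so the drop covers only broadcast addresses the router already holds such a route for. Suggest the comment state that the drop relies on the route carrying RTF_BROADCAST, so a later reader does not take it for an address comparison. Minor style point on the same line: put spaces around the "|" in (RTF_BLACKHOLE|RTF_BROADCAST).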
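
A simplified model of the message's objection to a per-interface check: a test that walks only one interface's addresses misses a directed broadcast aimed at another attached subnet, while a table-wide answer does not. This is an added example, not FreeBSD kernel code and not part of the patch; `struct model_if`, the function names and the sample addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: one IPv4 address per interface, host byte order. */
struct model_if {
    const char *name;
    uint32_t addr;
    uint32_t mask;
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* True if dst is the all-zero or all-ones host address of this interface's subnet. */
int bcast_on_if(const struct model_if *ifp, uint32_t dst)
{
    uint32_t hostbits = ~ifp->mask;
    uint32_t net = ifp->addr & ifp->mask;

    if (hostbits <= 1)          /* /31 and /32 have no broadcast address */
        return 0;
    return dst == net || dst == (net | hostbits);
}

/* Stands in for a table-wide answer (the route lookup in the message). */
int bcast_on_any(const struct model_if *ifs, size_t n, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if (bcast_on_if(&ifs[i], dst))
            return 1;
    return 0;
}

/* Constructed sample topology using documentation prefixes. */
const struct model_if sample_ifs[] = {
    { "em0", IP4(192, 0, 2, 1),    0xffffff00u },  /* 192.0.2.0/24 */
    { "em1", IP4(198, 51, 100, 1), 0xffffffc0u },  /* 198.51.100.0/26 */
};

int main(void)
{
    uint32_t dst = IP4(198, 51, 100, 63);  /* all-ones address of em1's /26 */

    printf("checked against em0 only:      %d\n", bcast_on_if(&sample_ifs[0], dst));
    printf("checked against every subnet:  %d\n", bcast_on_any(sample_ifs, 2, dst));
    return 0;
}
```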