From owner-freebsd-stable  Wed Feb 13  0:55:44 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP id C814D37B400
	for <stable@FreeBSD.ORG>; Wed, 13 Feb 2002 00:55:29 -0800 (PST)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.6/8.11.2) id g1D8sgc47005;
	Wed, 13 Feb 2002 10:54:42 +0200 (EET)
	(envelope-from ru)
Date: Wed, 13 Feb 2002 10:54:42 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Michael Meltzer <mjm@michaelmeltzer.com>,
	Attila Nagy <bra@fsn.hu>
Cc: stable@FreeBSD.ORG
Subject: Re: 127/8 in ip_output.c
Message-ID: <20020213105442.A46245@sunbay.com>
References: <00c701c1b3f3$169409f0$34f820c0@ix1x1000> <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu> <01a701c1b33c$733b99a0$34f820c0@ix1x1000> <20020212141520.A8237@sunbay.com> <00c701c1b3f3$169409f0$34f820c0@ix1x1000>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="PNTmBPCT7hxwcZjr"
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu> <00c701c1b3f3$169409f0$34f820c0@ix1x1000>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG


--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

OK, got it.  Let me know if the attached patch fixes the problem for IPF.

On Tue, Feb 12, 2002 at 01:28:37PM -0500, Michael Meltzer wrote:
> http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-
> 
> I do not use squid but, http://www.squid-cache.org/Doc/FAQ/FAQ-17.html, the
> freebsd section uses the 127.* game
> 
> http://cr.yp.to/djbdns/faq/cache.html#mixnmatch , it the 127.* trick again,
> and if you want to services the inside address you need a rdr from the
> inside ip to 127.
> 
> 
> The point is this is too strong a position on the issue, maybe you want a
> sysctl around it, not unheard of for network RFC's. But frankly you are
> trying to build firewall functionality into the kernel when most people
> expect it in their ipf rule set. Worst let there rules set will look right
> when they try to open it up and led to "craziness/frustration/very bad
> works" when it does not work as excepted or meet their expectation about
> what is happening. I been doing things like this on Solaris /FreeBSD for
> years to solve network problems.
> 
> MJM
> 
> PS. what is the view of the "group"?
> 
> ----- Original Message -----
> From: "Ruslan Ermilov" <ru@FreeBSD.ORG>
> To: "Michael Meltzer" <mjm@michaelmeltzer.com>
> Cc: <stable@FreeBSD.ORG>
> Sent: Tuesday, February 12, 2002 7:15 AM
> Subject: Re: 127/8 in ip_output.c
> 
> 
> > On Mon, Feb 11, 2002 at 03:41:15PM -0500, Michael Meltzer wrote:
> > >
> > >    I just got caught by block of all 127/8 in ip_output.c, At this point
> > >    I have recompiled my system to remove it but frankly I think it
> should
> > >    be removed from the OS, What happened it the it took out djbdsn along
> > >    with IPF, now those system where configured based on their respective
> > >    HOWTO's. Unless someone wants to start changing all the HOWTO's this
> > >    is asking for trouble. This is not nice, Luckily I knew how to code,
> > >    where to look and compile a kernel, think everyone who uses FreeBSD
> > >    will be so luckily. The RFC what to prevent 127/8 from leveling the
> > >    box, but could it be done not to breaking the tools.
> > >
> > Could you please forward me a reference to this HOWTO?
> >
> >
> > Cheers,
> > --
> > Ruslan Ermilov Sysadmin and DBA,
> > ru@sunbay.com Sunbay Software AG,
> > ru@FreeBSD.org FreeBSD committer,
> > +380.652.512.251 Simferopol, Ukraine
> >
> > http://www.FreeBSD.org The Power To Serve
> > http://www.oracle.com Enabling The Information Age
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message

On Wed, Feb 13, 2002 at 09:35:02AM +0100, Attila Nagy wrote:
> Hello,
> 
> > http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-
> Besides that I often use jail to separate different services on the same
> machine.
> For this task I like to use addresses from the 127/8 range and bind the
> jails to those on the lo0 interface.
> 
> For a shell jail I can run this on 127.0.0.5 with a RDR line in
> /etc/ipnat.rules:
> rdr fxp0 1.2.3.4/32 port 22 -> 127.0.0.5 port 22
> 
> And if users want to connect out from this jail I specify a:
> map fxp0 127.0.0.5/32 -> 1.2.3.4/32
> 
> as you can see this way I don't use 127/8 addresses on external
> interfaces, but the current behaviour stops this, because it sees the
> traffic before IPF can NAT the packages, so it deny the 127.0.0.5.
> 
> I think this is not a breakage of the RFC, since I use 127/8 *internally*
> for an internal network (that's what 127/8 is for) and FreeBSD denies it
> to work.
> 
> I think it should be very good to give a sysctl for setting this...
> 
> Thanks,
> --------------------------------------------------------------------------
> Attila Nagy                                    e-mail:  Attila.Nagy@fsn.hu
> Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
> H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758


-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p

Index: ip_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.99.2.25
diff -u -p -r1.99.2.25 ip_output.c
--- ip_output.c	2002/02/01 10:42:09	1.99.2.25
+++ ip_output.c	2002/02/13 08:49:04
@@ -403,16 +403,6 @@ ip_output(m0, opt, ro, flags, imo)
 			goto bad;
 	}
 
-	/* 127/8 must not appear on wire - RFC1122. */
-	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
-	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
-		if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
-			ipstat.ips_badaddr++;
-			error = EADDRNOTAVAIL;
-			goto bad;
-		}
-	}
-
 	/*
 	 * Look for broadcast address and
 	 * verify user is allowed to send
@@ -775,6 +765,16 @@ skip_ipsec:
 	}
 
 pass:
+	/* 127/8 must not appear on wire - RFC1122. */
+	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+		if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
+			ipstat.ips_badaddr++;
+			error = EADDRNOTAVAIL;
+			goto bad;
+		}
+	}
+
 	m->m_pkthdr.csum_flags |= CSUM_IP;
 	sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_hwassist;
 	if (sw_csum & CSUM_DELAY_DATA) {

--PNTmBPCT7hxwcZjr--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message