From: Joe Clarke
Subject: Re: git: 3d846e48227e - main - Do not forward datagrams originated by link-local addresses
Date: Tue, 18 May 2021 19:51:38 -0400
To: Lutz Donnerhacke
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org

Just out of curiosity, why remove the RFC reference from the comment? Seems useful for those that want to know why this is a good practice.

Joe

PGP Key : https://www.marcuscom.com/pgp.asc

> On May 18, 2021, at 17:01, Lutz Donnerhacke wrote:
>
> The branch main has been updated by donner:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=3d846e48227e2e78c1e7b35145f57353ffda56ba
>
> commit 3d846e48227e2e78c1e7b35145f57353ffda56ba
> Author: Zhenlei Huang
> AuthorDate: 2021-05-18 20:51:37 +0000
> Commit: Lutz Donnerhacke
> CommitDate: 2021-05-18 20:59:46 +0000
>
> Do not forward datagrams originated by link-local addresses
>
> The current implementation of ip_input() rejects packets destined for
> 169.254.0.0/16, but not those originating from 169.254.0.0/16 link-local
> addresses.
>
> Fix to fully respect RFC 3927 section 2.7.
>=20 > PR: 255388 > Reviewed by: donner, rgrimes, karels > MFC after: 1 month > Differential Revision: https://reviews.freebsd.org/D29968 > --- > sys/netinet/ip_input.c | 16 +++++++++------- > 1 file changed, 9 insertions(+), 7 deletions(-) >=20 > diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c > index 43d375c2385f..1139e3a5abfa 100644 > --- a/sys/netinet/ip_input.c > +++ b/sys/netinet/ip_input.c > @@ -738,15 +738,10 @@ passin: > } > ia =3D NULL; > } > - /* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */ > - if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) { > - IPSTAT_INC(ips_cantforward); > - m_freem(m); > - return; > - } > if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { > MROUTER_RLOCK(); > - if (V_ip_mrouter) { > + /* Do not forward packets from IN_LINKLOCAL. */ > + if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) { > /* > * If we are acting as a multicast router, all > * incoming multicast packets are passed to the > @@ -785,6 +780,13 @@ passin: > goto ours; > if (ip->ip_dst.s_addr =3D=3D INADDR_ANY) > goto ours; > + /* Do not forward packets to or from IN_LINKLOCAL. */ > + if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) || > + IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) { > + IPSTAT_INC(ips_cantforward); > + m_freem(m); > + return; > + } >=20 > /* > * Not for us; forward if possible and desirable. > _______________________________________________ > dev-commits-src-all@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all > To unsubscribe, send any mail to "dev-commits-src-all-unsubscribe@freebsd.= org"
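Review bot: In the hunk at @@ -738,15 +738,10 @@, the new multicast test `V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))` declines a link-local-sourced datagram silently: nothing in the visible lines increments `ips_cantforward` for it, while the unicast block added in the second hunk does. If the refusal is meant to be observable in the IP statistics, count it on this path as well; otherwise extend the comment to say that such a packet only skips the multicast router and then continues through the rest of the multicast branch, so readers do not assume it is dropped here.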
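Review bot: In the hunk at @@ -785,6 +780,13 @@, the new comment `/* Do not forward packets to or from IN_LINKLOCAL. */` loses the RFC citation that the removed comment carried (`RFC 3927 2.7`), although the commit message says the change exists to respect that section. Suggest keeping it, for example `/* RFC 3927 2.7: Do not forward packets to or from IN_LINKLOCAL. */`. The destination test also moves from before the multicast branch to after the `goto ours` tests; a short remark in the comment or commit message on why the later position is equivalent for link-local destinations would save the next reader from re-deriving it.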