Date: Sun, 22 Jan 2023 18:50:36 GMT
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 30dd227cff75 - main - netinet6: honor blackhole/unreach routes in the non-fastforwarding code.
Message-ID: <202301221850.30MIoaxl062908@gitrepo.freebsd.org>
The branch main has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=30dd227cff75bdabaac2002a2b17095f3392a485

commit 30dd227cff75bdabaac2002a2b17095f3392a485
Author:     Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2023-01-22 16:57:36 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-01-22 18:48:07 +0000

    netinet6: honor blackhole/unreach routes in the non-fastforwarding code.

    Currently, under the conditions specified below, IPv6 ingress packet
    processing can ignore the blackhole/reject flag on the prefix. The packet
    will instead be looped locally till TTL expiration and a single ICMPv6
    unreachable message will be sent to the source even in case of
    RTF_BLACKHOLE.

    The following conditions need to hold to make the scenario happen:
    * IPv6 forwarding is enabled
    * Packet is not fast-forwarded
    * Destination prefix has either the RTF_BLACKHOLE or RTF_REJECT flag

    Fix this behavior by checking for the blackhole/reject flags in
    ip6_forward().

    Reported by:    Dmitriy Smirnov <fox@sage.su>
    Reviewed by:    ae
    Differential Revision: https://reviews.freebsd.org/D38164
    MFC after:      3 days
---
 sys/netinet6/ip6_forward.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 5173415afda6..39c93ac35427 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -196,6 +196,15 @@ again: goto bad; } + if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) { + IP6STAT_INC(ip6s_cantforward); + if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) { + icmp6_error(mcopy, ICMP6_DST_UNREACH, + ICMP6_DST_UNREACH_REJECT, 0); + } + goto bad; + } + /* * Source scope check: if a packet can't be delivered to its * destination for the reason that the destination is beyond the scope
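Review bot: the two branches of the new block leave `mcopy` in different states before the shared `goto bad`: in the NHF_REJECT case `mcopy` is handed to `icmp6_error()`, which consumes the mbuf, while in the NHF_BLACKHOLE-only case `mcopy` is never touched. Please confirm that the `bad:` path (not visible in this hunk) frees `mcopy` when it is still allocated and does not free it a second time after `icmp6_error()`, otherwise the blackhole branch leaks the copied mbuf or the reject branch double-frees it; the existing no-route handling in this function uses the same `icmp6_error(mcopy, ...); goto bad;` shape, so matching that convention is the thing to verify. A short comment above the block noting that blackhole deliberately sends no ICMPv6 (only `ip6s_cantforward` is bumped, which is what an operator would see in `netstat -s -p ip6`) would also make the intent clear to the next reader.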