From owner-svn-src-head@freebsd.org Mon Aug 31 01:45:49 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5D7983D25A0; Mon, 31 Aug 2020 01:45:49 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BftMK1rWxz3cs4; Mon, 31 Aug 2020 01:45:49 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 241F3203A5; Mon, 31 Aug 2020 01:45:49 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 07V1jnp5003693; Mon, 31 Aug 2020 01:45:49 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 07V1jn1e003692; Mon, 31 Aug 2020 01:45:49 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202008310145.07V1jn1e003692@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Mon, 31 Aug 2020 01:45:49 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r364982 - head/sys/netinet6 X-SVN-Group: head X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: head/sys/netinet6 X-SVN-Commit-Revision: 364982 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Aug 2020 01:45:49 -0000 Author: kevans Date: Mon Aug 31 01:45:48 2020 New Revision: 364982 URL: https://svnweb.freebsd.org/changeset/base/364982 Log: ipv6: quit dropping packets looping back on p2p interfaces To paraphrase the below-referenced PR: This logic originated in the KAME project, and was even controversial when it was enabled there by default in 2001. No such equivalent logic exists in the IPv4 stack, and it turns out that this leads to us dropping valid traffic when the "point to point" interface is actually a 1:many tun interface, e.g. with the wireguard userland stack. Even in the case of true point-to-point links, this logic only avoids transient looping of packets sent by misconfigured applications or attackers, which can be subverted by proper route configuration rather than hardcoded logic in the kernel to drop packets. In the review, melifaro goes on to note that the kernel can't fix it, so it perhaps shouldn't try to be 'smart' about it. Additionally, that TTL will still kick in even with incorrect route configuration. PR: 247718 Reviewed by: melifaro, rgrimes MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D25567 Modified: head/sys/netinet6/ip6_forward.c Modified: head/sys/netinet6/ip6_forward.c ============================================================================== --- head/sys/netinet6/ip6_forward.c Mon Aug 31 00:59:02 2020 (r364981) +++ head/sys/netinet6/ip6_forward.c Mon Aug 31 01:45:48 2020 (r364982) @@ -260,24 +260,8 @@ again: * modified by a redirect. */ if (V_ip6_sendredirects && nh->nh_ifp == m->m_pkthdr.rcvif && !srcrt && - (nh->nh_flags & NHF_REDIRECT) == 0) { - if ((nh->nh_ifp->if_flags & IFF_POINTOPOINT) != 0) { - /* - * If the incoming interface is equal to the outgoing - * one, and the link attached to the interface is - * point-to-point, then it will be highly probable - * that a routing loop occurs. Thus, we immediately - * drop the packet and send an ICMPv6 error message. - * - * type/code is based on suggestion by Rich Draves. - * not sure if it is the best pick. - */ - icmp6_error(mcopy, ICMP6_DST_UNREACH, - ICMP6_DST_UNREACH_ADDR, 0); - goto bad; - } + (nh->nh_flags & NHF_REDIRECT) == 0) type = ND_REDIRECT; - } /* * Fake scoped addresses. Note that even link-local source or