Date:      Thu, 04 Nov 2021 12:58:47 -0500
From:      Mike Karels <mike@karels.net>
To:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
Cc:        Jamie Landeg-Jones <jamie@catflap.org>, shuriku@shurik.kiev.ua, freebsd-net@FreeBSD.org
Subject:   Re: netmask for loopback interfaces
Message-ID:  <202111041758.1A4HwloY079049@mail.karels.net>
In-Reply-To: Your message of Thu, 04 Nov 2021 07:36:37 -0700. <202111041436.1A4Eabv2029696@gndrsh.dnsmgr.net>

Rod wrote:

> > Jamie wrote:
> >
> > > Oleksandr Kryvulia <shuriku@shurik.kiev.ua> wrote:
> >
> > > > 04.11.21 01:01, Mike Karels wrote:
> > > > > I have a pending change to stop using class A/B/C netmasks when setting
> > > > > an interface address without an explicit mask, and instead to use a default
> > > > > mask (24 bits).  A question has arisen as to what the default mask should
> > > > > be for loopback interfaces.  The standard 127.0.0.1 is added with an 8 bit
> > > > > mask currently, but additions without a mask would default to 24 bits.
> > > > > There is no warning for missing masks for loopback in the current code.
> > > > > I'm not convinced that the mask has any meaning here; only a host route
> > > > > to the assigned address is created.  Does anyone know of any meaning or
> > > > > use of the mask on a loopback address?
> > > > >
> > > > > Thanks,
> > > > > 		Mike
> > > > >
> > > >
> > > > /8 mask on loopback prevents using the 127.x.x.x network anywhere
> > > > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> > > >
> > > > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > > > [2] https://datatracker.ietf.org/doc/html/rfc1122
> >
> > It's true that 127/8 is currently reserved, but that isn't enforced
> > by FreeBSD using the mask on the interface.  Such packets are prevented
> > from forwarding by in_canforward(), which in turn uses IN_LOOPBACK().
> > The latter uses a compiled-in 8-bit mask.

> I have a review up that "relaxes" the restrictions on this (127/8)
> and other ranges.

> 	https://reviews.freebsd.org/D19316

> >
> > > There is a push by some people to release 127.0.0.0/8 address space,
> > > leaving only 127.0.0.0/16 as reserved for localhost.
> >
> > > https://www.spinics.net/lists/netdev/msg598545.html
> >
> > > https://github.com/schoen/unicast-extensions/blob/master/127.md
> >
> > > https://github.com/schoen/unicast-extensions/
> >
> > > I make no comment on the feasibility of doing this!
> >
> > > However, that aside, aren't you just confusing the mask with routing?
> >
> > The two masks (interface and route) are separate, but the routing mask
> > is set from the interface mask for most interfaces (broadcast or NBMA,
> > but not loopback or point-to-point).  The interface mask is visible to
> > user level, including routing daemons.  But I think it would be wrong
> > for a routing daemon to infer anything from the mask on a loopback
> > route.  But the reason for my question was to find out if there is
>   ^^^^^  I think you meant interface here?

Yes, thanks.  (Although it may be true of loopback routes too.)

> > anything that uses the interface mask in this case, and thus whether
> > a change in the default matters.

> I actually do believe routing daemons pay very close attention to
> the netmask on interfaces.  It is how CIDR routes to interfaces
> are created and maintained by most of them.  Even ancient gated
> used this information.

Yes, but do they use information for the loopback for routing?  Certainly
they don't advertise the loopback by default; it isn't reachable externally.

> >
> > > I think the mask on any IP on a loopback interface should be /32
> > > (if you want to add a "127.0.0.0/8 -local" route even if done
> > > automatically", then so be it)
> >
> > Using /32 on loopback is not a bad idea.  /etc/network.subr is wired
> > to 127.0.0.1/8 currently.  I don't think I'll change it in this pass
> > though.
> >
> > > Note, the default FreeBSD firewall rules already have:
> >
> > >     ${fwcmd} add 100 pass all from any to any via lo0
> > >     ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > >     ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> >
> > If you use the default rules...

> The default rules should work with a fresh install that
> is left with defaults in place.  Due to loss of 127/8
> routes the firewall code is borked and we only do not
> leak 127/8 packets because of other code in the kernel
> that prevents them from leaking.

A fresh install does not enable the firewall rules by default.

We could change /etc/network.subr to add a reject route for the loopback
"net".  When BSD last had a 127/8 route, it was not a reject route, so
didn't make sense.

		Mike



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202111041758.1A4HwloY079049>
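The check Mike describes in the message above (127/8 is kept from being forwarded by in_canforward() via IN_LOOPBACK(), which carries a compiled-in 8-bit mask, so the netmask configured on lo0 plays no part), modelled in user-space C as an added example. This is not FreeBSD's kernel code and not part of the thread. The 127.0.0.0/8 constants come from the thread; the prefix-length parameter, the names in_loopback_prefix() and can_forward_model(), and the sample addresses are assumptions introduced here to show what a narrower reserved range (such as the 127.0.0.0/16 proposal linked above) would change and what the lo0 interface mask would not.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Model of the compiled-in check the thread refers to: IN_LOOPBACK()
 * tests against 127.0.0.0/8 with a fixed mask, so whatever netmask is
 * configured on lo0 (/8, /24 or /32) has no effect on this decision.
 * Addresses are handled in host byte order throughout. */
#define LOOPBACK_NET   0x7f000000u   /* 127.0.0.0 */
#define LOOPBACK_MASK  0xff000000u   /* /8, hard-wired */

static int in_loopback_fixed(uint32_t addr)
{
    return (addr & LOOPBACK_MASK) == LOOPBACK_NET;
}

/* Contiguous netmask for a prefix length; 0 yields an all-zero mask. */
static uint32_t prefix_mask(unsigned prefixlen)
{
    if (prefixlen == 0)
        return 0;
    if (prefixlen >= 32)
        return 0xffffffffu;
    return 0xffffffffu << (32 - prefixlen);
}

/* Same test with the reserved prefix length as a parameter (an assumption
 * added here, not a kernel interface): prefixlen 8 reproduces today's
 * behaviour, 16 models the 127.0.0.0/16 proposal linked in the thread. */
static int in_loopback_prefix(uint32_t addr, unsigned prefixlen)
{
    uint32_t m = prefix_mask(prefixlen);
    return (addr & m) == (LOOPBACK_NET & m);
}

/* Forwarding gate modelled on the loopback clause of in_canforward():
 * a destination inside the reserved range is never forwarded.  Only that
 * clause is modelled; the real function also rejects other reserved
 * ranges.  The lo0 interface mask is deliberately not an input. */
static int can_forward_model(uint32_t dst, unsigned loopback_prefixlen)
{
    return !in_loopback_prefix(dst, loopback_prefixlen);
}

/* Dotted-quad text to host-order address; returns 0 on parse failure. */
static int parse_v4(const char *text, uint32_t *out)
{
    struct in_addr a;

    if (inet_pton(AF_INET, text, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

int main(void)
{
    /* Constructed sample destinations, not taken from the thread. */
    static const char *const samples[] = {
        "127.0.0.1", "127.1.2.3", "127.255.255.255", "10.0.0.1", "128.0.0.1",
    };
    size_t i;

    printf("%-16s %-6s %-6s %-6s\n", "dst", "lb/8", "lb/16", "fwd/8");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a;

        if (!parse_v4(samples[i], &a))
            continue;
        printf("%-16s %-6s %-6s %-6s\n", samples[i],
               in_loopback_fixed(a) ? "yes" : "no",
               in_loopback_prefix(a, 16) ? "yes" : "no",
               can_forward_model(a, 8) ? "yes" : "no");
    }
    return 0;
}
```

The point of the table is the third column: 127.1.2.3 is refused forwarding under the fixed /8 check no matter how lo0 is configured, and only a change to the compiled-in prefix (the second column) would alter that; changing the interface mask in /etc/network.subr, as discussed in the thread, would not.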