From nobody Wed Jul 13 14:49:43 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3BF8F1D02B7F; Wed, 13 Jul 2022 14:49:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LjgWX1FRFz3Gdd; Wed, 13 Jul 2022 14:49:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657723784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5CEtDrXh+fTA1pfHla8+xpABiTXxFQB3z+TpFAyyXpE=; b=jprcJJRQBhO5G6yiqg4VtfdPHjFZ0nkLP+JQn0mtLvN1xTAZJ+Gs9wcQbohpYJhs2REBQI VCv6b2w2eaTUtTr8GL7Fvmi9JOKc/7xoTFPScX6USGamAp+SzMgHOHLaQhBhEbmRhnxrjT oEbKzA/tHXqs1baWsu3q84ks+CwmFeT/fHEJaTIGfzIAPTkxDFrfT0f09olHsxaVNpkXZM yxChuw/TSUpc1C9HlkPuXfFTCZ+yu2rpQFIo5WmOIRaCS+E7ImHheRrZ6L0b3wsUKwzRpm jJBuzcaoLpRPQnjlGq4hYjRxNWk72weaOAad2UYccxS3gQb+8COLLllk4eKJOQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4LjgWX0BrGzRWS; Wed, 13 Jul 2022 14:49:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 26DEnhfn089613; Wed, 13 Jul 2022 14:49:43 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 26DEnh0G089612; Wed, 13 Jul 2022 14:49:43 GMT (envelope-from git) Date: Wed, 13 Jul 2022 14:49:43 GMT Message-Id: <202207131449.26DEnh0G089612@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mike Karels Subject: git: efe58855f3ea - main - IPv4: experimental changes to allow net 0/8, 240/4, part of 127/8 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: karels X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: efe58855f3ea2cfc24cb705aabce3bc0fe1fb6d5 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657723784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5CEtDrXh+fTA1pfHla8+xpABiTXxFQB3z+TpFAyyXpE=; b=vYy3EZHy492z3DKxMV/Ki0maUQab6xK94UR5rfT+ME89Zjz6zCURDXdU4vTdXVMy600+tn t+puA1Kh20UqXYa4gcQKa1D11jnmJYqW9k3xy4SS+WaHKHR1Mp67yYDzVRoYVd7c/sHELv gGZnf1BNrgnTRuGIsRHFEPXDAwhQpzzCeGo4Qt3eK3Mcohhb2SPue8Fih1rr78TWx0rs6J WQewFb/ihLLnRrBfZuqfFSjWRU3U4wgNZBACjIDRtRtFnzaIA6RnRvRRz+Gfg/4l8ut9Ck aCPX0rrgfzlg6BhRw1/X1wVYq5eHclTdueE5//4rNFOVDpxB0tD27Jkt9Wql6A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1657723784; a=rsa-sha256; cv=none; b=uPHB1ks7kD+58o+oibuSmIQlHwYqiYmxJ3VcUn6YSv//STza6FDa0YbUGF3c8gozW29BO6 1Awuc7lOlxLEhqAqIXPEtliSQW5CnimoftFrvk6JUYDlRwKBfHhfNQNjs/H8kWb/v1ozVf CpS7nsFdo9s06SlI8HdySzm0GpEvj8vP+dIbsgX/AwM5cDSiWPQG5v6ZaLuS3BjMMKwN8p JhUZAXTn8wDotmNIQA2zBHpe+2I3u7ec5n86NOVHd3MsJRT8SaKYhh4yMDERy9tbNvXFj2 3HfpxlPRCLBtTBVkUm1GB6bnaQTvM+t0X6zTZaC1jYrSYrlTmWqAXPOUaEHYmA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by karels: URL: https://cgit.FreeBSD.org/src/commit/?id=efe58855f3ea2cfc24cb705aabce3bc0fe1fb6d5 commit efe58855f3ea2cfc24cb705aabce3bc0fe1fb6d5 Author: Mike Karels AuthorDate: 2022-05-24 19:26:25 +0000 Commit: Mike Karels CommitDate: 2022-07-13 14:46:05 +0000 IPv4: experimental changes to allow net 0/8, 240/4, part of 127/8 Combined changes to allow experimentation with net 0/8 (network 0), 240/4 (Experimental/"Class E"), and part of the loopback net 127/8 (all but 127.0/16). All changes are disabled by default, and can be enabled by the following sysctls: net.inet.ip.allow_net0=1 net.inet.ip.allow_net240=1 net.inet.ip.loopback_prefixlen=16 When enabled, the corresponding addresses can be used as normal unicast IP addresses, both as endpoints and when forwarding. Add descriptions of the new sysctls to inet.4. Add to vnet.h, as CACHE_LINE_SIZE is undefined in various C files when in.h includes vnet.h. The proposals motivating this experimentation can be found in https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-0 https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-240 https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-127 Reviewed by: rgrimes, pauamma_gundo.com; previous versions melifaro, glebius Differential Revision: https://reviews.freebsd.org/D35741 --- share/man/man4/inet.4 | 11 +++++++++++ sys/net/vnet.h | 1 + sys/netinet/in.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-- sys/netinet/in.h | 18 ++++++++++++++++++ sys/netinet/ip_icmp.c | 4 ++-- 5 files changed, 80 insertions(+), 4 deletions(-) diff --git a/share/man/man4/inet.4 b/share/man/man4/inet.4 index dbab301302b1..60b2e588500d 100644 --- a/share/man/man4/inet.4 +++ b/share/man/man4/inet.4 @@ -284,6 +284,17 @@ Integer: maximum number of fragments the host will accept and hold in the reassembly queue for a packet. 0 means that the host will not accept any fragmented packets for the VNET. This is a per-VNET limit. +.It Va ip.allow_net0 +Boolean: allow experimental use of addresses in 0.0.0.0/8 as endpoints, +and allow forwarding of packets with these addresses. +.It Va ip.allow_net240 +Boolean: allow experimental use of addresses in 240.0.0.0/4 as endpoints, +and allow forwarding of packets with these addresses. +.It Va ip.loopback_prefixlen +Integer: prefix length of the address space reserved for loopback purposes. +The default is 8, meaning that 127.0.0.0/8 is reserved for loopback, +and cannot be sent, received, or forwarded on a non-loopback interface. +Use of other values is experimental. .El .Sh SEE ALSO .Xr ioctl 2 , diff --git a/sys/net/vnet.h b/sys/net/vnet.h index afb6857bbccc..d0ede39c0cb1 100644 --- a/sys/net/vnet.h +++ b/sys/net/vnet.h @@ -65,6 +65,7 @@ * as required for libkvm. */ #if defined(_KERNEL) || defined(_WANT_VNET) +#include /* for CACHE_LINE_SIZE */ #include struct vnet { diff --git a/sys/netinet/in.c b/sys/netinet/in.c index 9e4b677cf7e1..c3880c4ba983 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -97,6 +97,28 @@ SYSCTL_BOOL(_net_inet_ip, OID_AUTO, broadcast_lowest, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(broadcast_lowest), 0, "Treat lowest address on a subnet (host 0) as broadcast"); +VNET_DEFINE(bool, ip_allow_net240) = false; +#define V_ip_allow_net240 VNET(ip_allow_net240) +SYSCTL_BOOL(_net_inet_ip, OID_AUTO, allow_net240, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_allow_net240), 0, + "Allow use of Experimental addresses, aka Class E (240/4)"); +/* see https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-240 */ + +VNET_DEFINE(bool, ip_allow_net0) = false; +SYSCTL_BOOL(_net_inet_ip, OID_AUTO, allow_net0, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_allow_net0), 0, + "Allow use of addresses in network 0/8"); +/* see https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-0 */ + +VNET_DEFINE(uint32_t, in_loopback_mask) = IN_LOOPBACK_MASK_DFLT; +#define V_in_loopback_mask VNET(in_loopback_mask) +static int sysctl_loopback_prefixlen(SYSCTL_HANDLER_ARGS); +SYSCTL_PROC(_net_inet_ip, OID_AUTO, loopback_prefixlen, + CTLFLAG_VNET | CTLTYPE_INT | CTLFLAG_RW, + NULL, 0, sysctl_loopback_prefixlen, "I", + "Prefix length of address space reserved for loopback"); +/* see https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-127 */ + VNET_DECLARE(struct inpcbinfo, ripcbinfo); #define V_ripcbinfo VNET(ripcbinfo) @@ -251,12 +273,36 @@ in_canforward(struct in_addr in) { u_long i = ntohl(in.s_addr); - if (IN_EXPERIMENTAL(i) || IN_MULTICAST(i) || IN_LINKLOCAL(i) || - IN_ZERONET(i) || IN_LOOPBACK(i)) + if (IN_MULTICAST(i) || IN_LINKLOCAL(i) || IN_LOOPBACK(i)) + return (0); + if (IN_EXPERIMENTAL(i) && !V_ip_allow_net240) + return (0); + if (IN_ZERONET(i) && !V_ip_allow_net0) return (0); return (1); } +/* + * Sysctl to manage prefix of reserved loopback network; translate + * to/from mask. The mask is always contiguous high-order 1 bits + * followed by all 0 bits. + */ +static int +sysctl_loopback_prefixlen(SYSCTL_HANDLER_ARGS) +{ + int error, preflen; + + /* ffs is 1-based; compensate. */ + preflen = 33 - ffs(V_in_loopback_mask); + error = sysctl_handle_int(oidp, &preflen, 0, req); + if (error || !req->newptr) + return (error); + if (preflen < 8 || preflen > 32) + return (EINVAL); + V_in_loopback_mask = 0xffffffff << (32 - preflen); + return (0); +} + /* * Trim a mask in a sockaddr */ diff --git a/sys/netinet/in.h b/sys/netinet/in.h index 1fc5c173b33c..44d64190ed01 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -383,7 +383,13 @@ __END_DECLS #define IN_BADCLASS(i) (((in_addr_t)(i) & 0xf0000000) == 0xf0000000) #define IN_LINKLOCAL(i) (((in_addr_t)(i) & 0xffff0000) == 0xa9fe0000) +#ifdef _KERNEL +#define IN_LOOPBACK(i) \ + (((in_addr_t)(i) & V_in_loopback_mask) == 0x7f000000) +#define IN_LOOPBACK_MASK_DFLT 0xff000000 +#else #define IN_LOOPBACK(i) (((in_addr_t)(i) & 0xff000000) == 0x7f000000) +#endif #define IN_ZERONET(i) (((in_addr_t)(i) & 0xff000000) == 0) #define IN_PRIVATE(i) ((((in_addr_t)(i) & 0xff000000) == 0x0a000000) || \ @@ -414,6 +420,18 @@ __END_DECLS #define IN_RFC3021_MASK ((in_addr_t)0xfffffffe) +#ifdef _KERNEL +#include + +VNET_DECLARE(bool, ip_allow_net0); +VNET_DECLARE(bool, ip_allow_net240); +/* Address space reserved for loopback */ +VNET_DECLARE(uint32_t, in_loopback_mask); +#define V_ip_allow_net0 VNET(ip_allow_net0) +#define V_ip_allow_net240 VNET(ip_allow_net240) +#define V_in_loopback_mask VNET(in_loopback_mask) +#endif + /* * Options for use with [gs]etsockopt at the IP level. * First word of comment is data type; bool is stored in int. diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 76bce4b38e24..a710cc2ba8cd 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -775,8 +775,8 @@ icmp_reflect(struct mbuf *m) NET_EPOCH_ASSERT(); if (IN_MULTICAST(ntohl(ip->ip_src.s_addr)) || - IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)) || - IN_ZERONET(ntohl(ip->ip_src.s_addr)) ) { + (IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)) && !V_ip_allow_net240) || + (IN_ZERONET(ntohl(ip->ip_src.s_addr)) && !V_ip_allow_net0) ) { m_freem(m); /* Bad return address */ ICMPSTAT_INC(icps_badaddr); goto done; /* Ip_output() will check for broadcast */