Date: Wed, 20 Nov 2024 17:00:44 GMT
Message-Id: <202411201700.4AKH0i4T001212@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: e27970ae8fff - main - netinet: handle blackhole routes

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=e27970ae8fffd7d14cd106efc150e60ae307607a

commit e27970ae8fffd7d14cd106efc150e60ae307607a
Author:     Kristof Provost
AuthorDate: 2024-11-12 15:55:50 +0000
Commit:     Kristof Provost
CommitDate: 2024-11-20 15:52:41 +0000

    netinet: handle blackhole routes

    If during ip_forward() we find a blackhole (or reject) route we should
    stop processing and count this in the 'cantforward' counter, just like
    we already do for IPv6.

    Blackhole routes are set to use the loopback interface, so we don't
    actually incorrectly forward traffic, but we do fail to count it as
    unroutable.

    Test this, both for IPv4 and IPv6.

    Reviewed by:    melifaro
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D47529
---
 sys/netinet/ip_input.c         | 12 ++++++++++
 tests/sys/netinet/forward.sh   | 53 +++++++++++++++++++++++++++++++++++++++++
 tests/sys/netinet6/forward6.sh | 54 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 119 insertions(+)

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 82d7acdd0710..e00f3b77c74c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -942,6 +942,18 @@ ip_forward(struct mbuf *m, int srcrt) flowid = m->m_pkthdr.flowid; ro.ro_nh = fib4_lookup(M_GETFIB(m), ip->ip_dst, 0, NHR_REF, flowid); if (ro.ro_nh != NULL) { + if (ro.ro_nh->nh_flags & (NHF_BLACKHOLE | NHF_BROADCAST)) { + IPSTAT_INC(ips_cantforward); + m_freem(m); + NH_FREE(ro.ro_nh); + return; + } + if (ro.ro_nh->nh_flags & NHF_REJECT) { + IPSTAT_INC(ips_cantforward); + NH_FREE(ro.ro_nh); + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); + return; + } ia = ifatoia(ro.ro_nh->nh_ifa); } else ia = NULL; diff --git a/tests/sys/netinet/forward.sh b/tests/sys/netinet/forward.sh index e16927a27d07..3ae83eb3edc5 100755 --- a/tests/sys/netinet/forward.sh +++ b/tests/sys/netinet/forward.sh 
@@ -259,6 +259,58 @@ fwd_ip_icmp_gw_slow_success_cleanup() { vnet_cleanup } +atf_test_case "fwd_ip_blackhole" "cleanup" +fwd_ip_blackhole_head() { + + atf_set descr 'Test blackhole routes' + atf_set require.user root +} + +fwd_ip_blackhole_body() { + jname="v4t-fwd_ip_blackhole" + + vnet_init + + epair=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + + ifconfig ${epair}a 192.0.2.2/24 up + + vnet_mkjail ${jname} ${epair}b ${epair_out}b + jexec ${jname} ifconfig lo0 127.0.0.1/8 up + jexec ${jname} ifconfig ${epair}b 192.0.2.1/24 up + jexec ${jname} ifconfig ${epair_out}b 198.51.100.1/24 up + jexec ${jname} sysctl net.inet.ip.forwarding=1 + + route add default 192.0.2.1 + + atf_check -s exit:2 -o ignore \ + ping -c 1 -t 1 198.51.100.2 + atf_check -s exit:0 -o match:"0 packets not forwardable" \ + jexec ${jname} netstat -s -p ip + + # Create blackhole route + jexec ${jname} /sbin/route add 198.51.100.2 -blackhole -fib 0 + jexec ${jname} netstat -rn + + # Include an IP option to ensure slow path + atf_check -s exit:2 -o ignore \ + ping -c 1 -t 1 -R 198.51.100.2 + atf_check -s exit:0 -o match:"1 packet not forwardable" \ + jexec ${jname} netstat -s -p ip + + # Now try via the fast path + atf_check -s exit:2 -o ignore \ + ping -c 1 -t 1 198.51.100.2 + atf_check -s exit:0 -o match:"2 packets not forwardable" \ + jexec ${jname} netstat -s -p ip +} + +fwd_ip_blackhole_cleanup() { + + vnet_cleanup +} + atf_init_test_cases() { @@ -266,6 +318,7 @@ atf_init_test_cases() atf_add_test_case "fwd_ip_icmp_gw_fast_success" atf_add_test_case "fwd_ip_icmp_iface_slow_success" atf_add_test_case "fwd_ip_icmp_gw_slow_success" + atf_add_test_case "fwd_ip_blackhole" } # end diff --git a/tests/sys/netinet6/forward6.sh b/tests/sys/netinet6/forward6.sh index b3ccd30aea62..40d17837d6f2 100755 --- a/tests/sys/netinet6/forward6.sh +++ b/tests/sys/netinet6/forward6.sh 
@@ -466,6 +466,59 @@ fwd_ip6_gu_icmp_gw_ll_slow_success_cleanup() { vnet_cleanup } +atf_test_case "fwd_ip6_blackhole" "cleanup" +fwd_ip6_blackhole_head() { + + atf_set descr 'Test blackhole routing' + atf_set require.user root +} + +fwd_ip6_blackhole_body() { + jname="v6t-fwd_ip6_blackhole" + + vnet_init + + epair=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + vnet_mkjail ${jname} ${epair}b ${epair_out}b + jexec ${jname} ifconfig lo0 inet6 ::1/128 up no_dad + jexec ${jname} ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + jexec ${jname} ifconfig ${epair_out}b inet6 2001:db8:1::1/64 up no_dad + jexec ${jname} sysctl net.inet6.ip6.forwarding=1 + + route -6 add default 2001:db8::1 + + atf_check -s exit:2 -o ignore \ + ping6 -c 1 -t 1 2001:db8:1::2 + atf_check -s exit:0 -o match:"0 packets not forwardable" \ + jexec ${jname} netstat -s -p ip6 + + # Create blackhole route + jexec ${jname} route -6 add 2001:db8:1::2 -blackhole + + # Force slow path + jexec ${jname} sysctl net.inet6.ip6.redirect=1 + atf_check -s exit:2 -o ignore \ + ping6 -c 1 -t 1 2001:db8:1::2 + atf_check -s exit:0 -o match:"1 packet not forwardable" \ + jexec ${jname} netstat -s -p ip6 + + # Now try the fast path + jexec ${jname} sysctl net.inet6.ip6.redirect=0 + atf_check -s exit:2 -o ignore \ + ping6 -c 1 -t 1 2001:db8:1::2 + atf_check -s exit:0 -o match:"2 packets not forwardable" \ + jexec ${jname} netstat -s -p ip6 +} + +fwd_ip6_blackhole_cleanup() { + + vnet_cleanup +} + atf_init_test_cases() { @@ -475,6 +528,7 @@ atf_init_test_cases() atf_add_test_case "fwd_ip6_gu_icmp_iface_slow_success" atf_add_test_case "fwd_ip6_gu_icmp_gw_gu_slow_success" atf_add_test_case "fwd_ip6_gu_icmp_gw_ll_slow_success" + atf_add_test_case "fwd_ip6_blackhole" } # end
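Review bot: in the ip_input.c hunk, the first `if` in ip_forward() silently drops NHF_BROADCAST nexthops together with NHF_BLACKHOLE, but neither the code nor the commit message says why broadcast is grouped with blackhole rather than with NHF_REJECT, which gets an ICMP host unreachable. A short comment above `if (ro.ro_nh->nh_flags & (NHF_BLACKHOLE | NHF_BROADCAST))` stating the intent (drop with no feedback, count as cantforward) and one above the reject branch noting that icmp_error() consumes m, so no m_freem() is needed there, would make the two exit paths self-explanatory. Both branches release the nexthop with NH_FREE() before returning, which matches the reference taken by the NHR_REF lookup just above.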
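Review bot: in the forward.sh hunk, the last two checks of fwd_ip_blackhole_body expect the counter to reach "2 packets not forwardable" after a plain ping, which means the fast path must also count blackhole drops, yet this commit only changes ip_forward(), the slow path that the `-R` record-route ping exercises. The `# Now try via the fast path` comment should say that fast-path counting is pre-existing behaviour this test merely pins down, or the commit message should justify the expectation. The unchecked `jexec ${jname} netstat -rn` after the route add looks like leftover debugging output (the IPv6 variant has no equivalent); either drop it or wrap it in an atf_check so its role is clear. Minor: match:"0 packets not forwardable" is an unanchored substring match and would also accept "10 packets not forwardable"; it works here because a fresh vnet jail starts at zero, but anchoring the pattern is cheaper than relying on that.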
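Review bot: in the forward6.sh hunk, fwd_ip6_blackhole_body forces the slow path by setting net.inet6.ip6.redirect=1 and later switches it back to 0 for the fast path, whereas the IPv4 test uses an IP option for the same purpose; `# Force slow path` alone does not explain the mechanism, so a one-line comment saying why the redirect sysctl selects the slow path for IPv6 would help the next reader. Minor consistency nits against the IPv4 hunk: the descr reads 'Test blackhole routing' versus 'Test blackhole routes', and the route is added without the explicit `-fib 0` used in the IPv4 test; aligning both keeps the two tests diffable.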