From: Mike Karels
To: rgrimes@freebsd.org
Cc: Mike Karels, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: fb8ef16bab0d - main - IPv4: correct limit on loopback_prefix
Date: Thu, 21 Jul 2022 12:34:35 -0500
In-Reply-To: <202207211721.26LHLWwa078429@gndrsh.dnsmgr.net>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 21 Jul 2022, at 12:21, Rodney W. Grimes wrote:

>> On 21 Jul 2022, at 11:21, Rodney W. Grimes wrote:
>>
>>>> The branch main has been updated by karels:
>>>>
>>>> URL: https://cgit.FreeBSD.org/src/commit/?id=fb8ef16bab0d23e185deed5a6b2e44e72ad53d43
>>>>
>>>> commit fb8ef16bab0d23e185deed5a6b2e44e72ad53d43
>>>> Author:     Mike Karels
>>>> AuthorDate: 2022-07-21 13:10:15 +0000
>>>> Commit:     Mike Karels
>>>> CommitDate: 2022-07-21 14:38:17 +0000
>>>>
>>>>     IPv4: correct limit on loopback_prefix
>>>>
>>>>     Commit efe58855f3ea allowed the net.inet.ip.loopback_prefix value
>>>>     to be 32.  However, with a 32-bit mask, 127.0.0.1 is not included
>>>>     in the reserved loopback range, which should not be allowed.
>>>>     Change the max prefix length to 31.
>>>
>>> Hummm... 127.0.0.1/32 specifies exactly and ONLY 127.0.0.1, and
>>> this should be fine.  Looking at the mask calculated below with
>>> loopback_prefix=32 this should yield a mask of 0xffffffff, which
>>> appears to be exactly what is correct.  What DOES become an issue
>>> when /32 is used is that the loopback ROUTE 127.0.0.0/32 is wrong
>>> now, but then with a /32 you don't need a network route, as you
>>> should have a host route to exactly 127.0.0.1.
>>>
>>> Can you be more descriptive on what problem arose with /32?
>>
>> You are thinking about this the way I did originally; but the mask
>> doesn't apply to 127.0.0.1 directly.  The test is
>>
>> #define IN_LOOPBACK(i) \
>>     (((in_addr_t)(i) & V_in_loopback_mask) == 0x7f000000)
>>
>> So if considering whether to forward 127.0.0.1, we'll incorrectly
>> say it's OK if the prefixlen is 32 (mask of 255.255.255.255).
>> In that case, only 127.0.0.0 is considered loopback.
>>
>> John Gilmore pointed out the problem.
>
> I see this issue now, but something is bugging me about
> being forced to use a /31 when a /32 *would* work if the
> 0x7f000000 was actually 0x7f000001, but that fails for
> other cases.
>
> Note oddly the code would work with /32 if I decided to use
> 127.0.0.0/32 as the IP address on lo0 so should the expression
> become:
>
> #define IN_LOOPBACK(i) \
>     (((in_addr_t)(i) & V_in_loopback_mask) == (0x7f000001 & V_in_loopback_mask))

John mentioned that, also a little trickier version using ^1, but the
question is, should 127.0.0.0 be considered loopback, or could
it be forwarded etc?  I think it is better if neither 127.0.0.0 nor
127.0.0.1 was allowed to be forwarded.  However, a prefix length of
more than 16 doesn’t conform with current standards or the current
draft, so it’s a somewhat academic issue.

		Mike

>>>> --- >>>> sys/netinet/in.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/sys/netinet/in.c b/sys/netinet/in.c >>>> index c3880c4ba983..1c44623bdec1 100644 >>>> --- a/sys/netinet/in.c >>>> +++ b/sys/netinet/in.c 
>>>> @@ -297,7 +297,7 @@ sysctl_loopback_prefixlen(SYSCTL_HANDLER_ARGS) >>>> error =3D sysctl_handle_int(oidp, &preflen, 0, req); >>>> if (error || !req->newptr) >>>> return (error); >>>> - if (preflen < 8 || preflen > 32) >>>> + if (preflen < 8 || preflen > 31) >>>> return (EINVAL); >>>> V_in_loopback_mask =3D 0xffffffff << (32 - preflen); >>>> return (0); >>>> >>> >>> -- = >>> Rod Grimes rgrimes@fr= eebsd.org >> >> > > -- = > Rod Grimes rgrimes@free= bsd.org
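
Review bot: the new bound in `if (preflen < 8 || preflen > 31)` carries no comment saying why 32 is rejected, and the reason is not visible in this function: it lives in IN_LOOPBACK, which compares the masked address against 0x7f000000, so a 0xffffffff mask would leave 127.0.0.1 outside the loopback range. A short comment above the check stating that, ideally naming IN_LOOPBACK, would keep a later change from restoring 32. The discussion above also notes that prefix lengths above 16 do not conform with current standards, which could be mentioned in the same comment.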
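
The behaviour discussed in this thread, as an added example that is not part of the original message or the FreeBSD source: it evaluates the quoted IN_LOOPBACK test and the masked-constant variant for prefix lengths 8, 16, 31 and 32. The function names and sample addresses are constructed for illustration, and addresses are assumed to be in host byte order.

```c
#include <stdint.h>
#include <stdio.h>

/* Mask built as in the sysctl handler quoted in the thread (preflen 8..32). */
static uint32_t loopback_mask(int preflen)
{
    return 0xffffffffu << (32 - preflen);
}

/* Test as quoted in the thread: masked address must equal 127.0.0.0. */
static int in_loopback(uint32_t addr, int preflen)
{
    return (addr & loopback_mask(preflen)) == 0x7f000000u;
}

/* Variant proposed in the thread: mask the 127.0.0.1 constant too. */
static int in_loopback_masked(uint32_t addr, int preflen)
{
    uint32_t m = loopback_mask(preflen);
    return (addr & m) == (0x7f000001u & m);
}

int main(void)
{
    /* Constructed sample addresses, host byte order (assumption). */
    static const struct { const char *name; uint32_t addr; } hosts[] = {
        { "127.0.0.0", 0x7f000000u }, { "127.0.0.1", 0x7f000001u },
        { "127.0.0.2", 0x7f000002u }, { "127.1.2.3", 0x7f010203u },
    };
    static const int prefixes[] = { 8, 16, 31, 32 };

    printf("%-10s %-4s %-10s %s\n", "address", "len", "quoted", "masked-const");
    for (size_t p = 0; p < sizeof(prefixes) / sizeof(prefixes[0]); p++)
        for (size_t h = 0; h < sizeof(hosts) / sizeof(hosts[0]); h++)
            printf("%-10s /%-3d %-10s %s\n", hosts[h].name, prefixes[p],
                in_loopback(hosts[h].addr, prefixes[p]) ? "loopback" : "no",
                in_loopback_masked(hosts[h].addr, prefixes[p]) ? "loopback" : "no");
    return 0;
}
```

At /32 the two forms disagree on both 127.0.0.0 and 127.0.0.1, while at /31 and shorter they give the same answer for every address in the table.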