Date: Mon, 13 Mar 2023 16:49:23 GMT
Message-Id: <202303131649.32DGnNxn023755@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Pawel Biernacki
Subject: git: 3eaffc626589 - main - netinet6: allow disabling excess log messages
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kaktus
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783

The branch main has been updated by kaktus:

URL: https://cgit.FreeBSD.org/src/commit/?id=3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783

commit 3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783
Author:     Pawel Biernacki
AuthorDate: 2023-03-13 16:36:11 +0000
Commit:     Pawel Biernacki
CommitDate: 2023-03-13 16:46:21 +0000

    netinet6: allow disabling excess log messages

    RFC 4443 specifies cases where certain packets, like those originating
    from local-scope addresses destined outside of the scope, shouldn't be
    forwarded. The current practice is to drop them, send an ICMPv6 message
    where appropriate, and log the message:

        cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2

    At times the volume of such messages can get very high. Let's allow
    local admins to disable such messages on a per-vnet basis, keeping the
    current default (log).

    Reported by:    zarychtam@plan-b.pwste.edu.pl
    Reviewed by:    zlei (previous version), pauamma (docs)
    Differential Revision:  https://reviews.freebsd.org/D38644
---
 share/man/man4/inet6.4     | 20 ++++++++++++++++++--
 sys/netinet6/in6_proto.c   |  5 +++++
 sys/netinet6/ip6_forward.c |  6 ++++--
 sys/netinet6/ip6_mroute.c  |  3 ++-
 sys/netinet6/ip6_var.h     |  3 +++
 5 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/share/man/man4/inet6.4 b/share/man/man4/inet6.4 index 87c57ea2c3d2..3a950e746266 100644 --- a/share/man/man4/inet6.4 +++ b/share/man/man4/inet6.4 @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 12, 2021 +.Dd February 22, 2023 .Dt INET6 4 .Os .Sh NAME @@ -185,7 +185,9 @@ The .Tn ICMPv6 message protocol is accessible from a raw socket. .Ss MIB Variables -A number of variables are implemented in the net.inet6 branch of the +A number of variables are implemented in the +.Va net.inet6 +branch of the .Xr sysctl 3 MIB. In addition to the variables supported by the transport protocols @@ -341,6 +343,11 @@ mapped address on .Dv AF_INET6 sockets. Defaults to on. +.It Va ip6.log_cannot_forward +Boolean: log packets that can't be forwarded because of unspecified source +address or destination address beyond the scope of the source address as +described in RFC4443. +Enabled by default. .It Va ip6.source_address_validation Boolean: perform source address validation for packets destined for the local host. @@ -440,6 +447,15 @@ sockets. .Xr ip6 4 , .Xr tcp 4 , .Xr udp 4 +.Rs +.%A A. Conta +.%A S. Deering +.%A M. Gupta +.%T "Internet Control Message Protocol (ICMPv6) for the Internet" \ + "Protocol Version 6 (IPv6) Specification" +.%R RFC 4443 +.%D March 2006 +.Re .Sh STANDARDS .Rs .%A Tatsuya Jinmei diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index ca1257456326..1f2a41dd51de 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -179,6 +179,7 @@ VNET_DEFINE(int, ip6stealth) = 0; #endif VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS * (RFC 4861) */ +VNET_DEFINE(bool, ip6_log_cannot_forward) = 1; /* icmp6 */ /* 
@@ -342,6 +343,10 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6stealth), 0, "Forward IPv6 packets without decrementing their TTL"); #endif +SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO, + log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(ip6_log_cannot_forward), 1, + "Log packets that cannot be forwarded"); /* net.inet6.icmp6 */ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept, diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index a95e58ba09a1..fc00eab4b784 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -114,7 +114,8 @@ ip6_forward(struct mbuf *m, int srcrt) IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { IP6STAT_INC(ip6s_cantforward); /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " @@ -221,7 +222,8 @@ again: IP6STAT_INC(ip6s_badscope); in6_ifstat_inc(nh->nh_ifp, ifs6_in_discard); - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c index e690cb64894f..cdccd04abc63 100644 --- a/sys/netinet6/ip6_mroute.c +++ b/sys/netinet6/ip6_mroute.c @@ -1099,7 +1099,8 @@ X_ip6_mforward(struct ip6_hdr *ip6, struct ifnet *ifp, struct mbuf *m) */ if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { IP6STAT_INC(ip6s_cantforward); - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index 32158534ef5b..469b49459e2c 100644 
--- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -339,6 +339,9 @@ VNET_DECLARE(int, nd6_ignore_ipv6_only_ra); #define V_nd6_ignore_ipv6_only_ra VNET(nd6_ignore_ipv6_only_ra) #endif +VNET_DECLARE(bool, ip6_log_cannot_forward); +#define V_ip6_log_cannot_forward VNET(ip6_log_cannot_forward) + extern struct pr_usrreqs rip6_usrreqs; struct sockopt;
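Review bot: In share/man/man4/inet6.4, the new RFC 4443 `.Rs`/`.Re` block is appended at the tail of SEE ALSO (right before `.Sh STANDARDS`) while the existing `.Rs` / `.%A Tatsuya Jinmei` reference lives under STANDARDS; move the new block into STANDARDS so the two RFC-style references sit together. Two smaller points in the same file: the `.It Va ip6.log_cannot_forward` text writes "RFC4443" while the `.%R` line writes "RFC 4443" (pick the spaced form, which is what the other line uses), and `.Dd February 22, 2023` predates the CommitDate of 2023-03-13, so `.Dd` should be bumped to the date the change actually lands.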
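Review bot: In sys/netinet6/in6_proto.c the new variable is declared `VNET_DEFINE(bool, ip6_log_cannot_forward) = 1;` but initialised with an int literal; since the type is `bool`, write `= true;` so the definition reads as the boolean it is (the `1` passed to `SYSCTL_BOOL` as the default is fine, that argument is an int).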
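Review bot: The `SYSCTL_BOOL` description "Log packets that cannot be forwarded" in sys/netinet6/in6_proto.c undersells what the knob does and does not do. From the ip6_forward.c and ip6_mroute.c hunks the flag only gates the `log(LOG_DEBUG, ...)` call; the drop itself and the `IP6STAT_INC(ip6s_cantforward)` / `IP6STAT_INC(ip6s_badscope)` counters stay outside the new condition, so an admin who turns it off still sees the events in the ip6 statistics. Consider saying so, e.g. "Log (rate-limited) packets that cannot be forwarded; statistics counters are unaffected", so `sysctl -d` makes clear that visibility is not lost entirely.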
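Review bot: In sys/netinet6/ip6_forward.c the identical guard `V_ip6_log_cannot_forward && (V_ip6_log_time + V_ip6_log_interval < time_uptime)` is now written out twice here (the `ip6s_cantforward` and `ip6s_badscope` sites) and a third time in ip6_mroute.c, each followed by the same `V_ip6_log_time = time_uptime;`. Factor the test-and-update into one small static inline helper in ip6_var.h so a later change to the rate-limit test (or to the sysctl) cannot drift between the three call sites.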
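Review bot: In sys/netinet6/ip6_mroute.c the multicast path shares `V_ip6_log_time` with the two unicast sites in ip6_forward.c, so a burst of unicast cannot-forward drops also suppresses the multicast log line for the whole interval (and vice versa). That behaviour predates this change, but since the patch is already touching all three sites it is worth either noting it in the commit message or giving the mroute path its own timestamp.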
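Review bot: In sys/netinet6/ip6_var.h the `VNET_DECLARE(bool, ip6_log_cannot_forward)` / `#define V_ip6_log_cannot_forward` pair is dropped after the `#endif` of the `nd6_ignore_ipv6_only_ra` block, among the ND6 knobs. It is only ever tested together with `V_ip6_log_time` and `V_ip6_log_interval`; place it next to those declarations so the three pieces of the rate-limited logging gate are found together.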
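Before flipping net.inet6.ip6.log_cannot_forward off, an operator usually wants to know what the noisy messages are actually about: a single misconfigured segment leaking link-local traffic towards a router is a very different story from unspecified-source packets arriving on an untrusted interface. The following added example (written for this page, not FreeBSD code) parses the "cannot forward" line format shown in the commit message, strips the KAME-style interface index that the kernel embeds in the second word of link-local addresses (that is why the sample reads fe80:10::), classifies each drop with a simplified model of the scope rule the kernel enforces, and tallies drops per rcvif/outif/reason. It also models the logging gate added by the patch, with the 5 s log interval assumed as the kernel default. The log lines, hostnames and interface names are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the format the kernel uses for these
# drops ("cannot forward src ..., dst ..., nxt ..., rcvif ..., outif ...").
# Hostname, timestamps, interface names and the last two addresses are made
# up for this example; the first line copies the commit message.
SAMPLE_LOG = """\
Mar 13 16:40:01 gw kernel: cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2
Mar 13 16:40:02 gw kernel: cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2
Mar 13 16:40:03 gw kernel: cannot forward src ::, dst ff02::1, nxt 58, rcvif vlan7, outif vlan2
Mar 13 16:40:04 gw kernel: cannot forward src 2001:db8:1::5, dst 2001:db8:db8::10, nxt 6, rcvif vlan3, outif vlan2
"""

LINE_RE = re.compile(
    r"cannot forward src (?P<src>\S+), dst (?P<dst>\S+), nxt (?P<nxt>\d+), "
    r"rcvif (?P<rcvif>\S+), outif (?P<outif>\S+)"
)


def split_zone(addr):
    """Return (address, zone) for a KAME-style link-local address.

    The kernel prints link-local addresses with the interface index embedded
    in the second 16-bit word (fe80:10:: means zone/ifindex 0x10); clear it
    so the same host compares equal regardless of which interface saw it.
    """
    if not addr.is_link_local:
        return addr, 0
    raw = bytearray(addr.packed)
    zone = int.from_bytes(raw[2:4], "big")
    raw[2:4] = b"\x00\x00"
    return ipaddress.IPv6Address(bytes(raw)), zone


def scope(addr):
    """Numeric IPv6 scope so that src and dst can be compared.

    Multicast carries its scope in the low nibble of the second byte; for
    unicast only loopback (0x1), link-local (0x2) and global (0xe) are told
    apart. This is an assumed simplification, not the kernel's exact logic.
    """
    if addr.is_multicast:
        return addr.packed[1] & 0x0F
    if addr.is_loopback:
        return 0x1
    if addr.is_link_local:
        return 0x2
    return 0xE


def classify(src, dst):
    """Name the reason a forwarder would refuse this src/dst pair."""
    if src.is_unspecified:
        return "unspecified-src"              # the IN6_IS_ADDR_UNSPECIFIED branch
    if scope(src) < scope(dst):
        return "src-scope-smaller-than-dst"   # the ip6s_badscope branch
    if dst.is_link_local:
        return "link-local-dst"
    return "other"                            # not explained by this model: look closer


def parse_log(text):
    """Parse every cannot-forward line into a dict; ignore unrelated lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, zone = split_zone(ipaddress.IPv6Address(m["src"]))
        dst, _ = split_zone(ipaddress.IPv6Address(m["dst"]))
        rows.append({"src": src, "zone": zone, "dst": dst, "nxt": int(m["nxt"]),
                     "rcvif": m["rcvif"], "outif": m["outif"]})
    return rows


def summarize(text):
    """Count drops per (rcvif, outif, reason) so an admin can see whether the
    noise comes from one segment before silencing the log for the whole vnet."""
    return Counter((r["rcvif"], r["outif"], classify(r["src"], r["dst"]))
                   for r in parse_log(text))


class CannotForwardLogger:
    """Model of the gate in the patch: log only if the sysctl is on and the
    rate limiter (last log time + interval < uptime) allows it. The 5 s
    interval is the assumed value of net.inet6.ip6.log_interval."""

    def __init__(self, enabled=True, interval=5):
        self.enabled = enabled
        self.interval = interval
        self.log_time = 0

    def should_log(self, uptime):
        if self.enabled and self.log_time + self.interval < uptime:
            self.log_time = uptime
            return True
        return False


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  rcvif={key[0]} outif={key[1]} reason={key[2]}")
```

Run it against the real /var/log/messages of a router that is emitting these lines; a table dominated by one rcvif with reason src-scope-smaller-than-dst points at a host or switch leaking link-local traffic across VLANs, which is worth fixing at the source rather than hiding with the sysctl. Note that the rate limiter means the log undercounts heavily: the ip6s_cantforward and ip6s_badscope statistics, which the patch leaves untouched, are the authoritative numbers.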