From: Chris
To: Poul-Henning Kamp
Cc: current@freebsd.org
Date: Wed, 12 Jun 2024 11:29:47 -0700
Subject: Re: 14.1-R rc.conf/ifconfig netmask issue was really hard to figure out
In-Reply-To: <202406120747.45C7lRGZ009491@critter.freebsd.dk>
References: <202406120747.45C7lRGZ009491@critter.freebsd.dk>
Message-ID: <8f38acff4a9d2e33b801dcde1b2bcdcb@bsdforge.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 2024-06-12 00:47, Poul-Henning Kamp wrote:
> I had a machine with this line in /etc/rc.conf:
>
> ifconfig_bla0="192.168.87.11"
>
> I found out the hard way that this defaults to /8 now.
>
> The main symptom was that DNS was /really/ busted, which makes sense
> when none of the DNS servers in the 192/8 "swamp" can be reached.
>
> Since we all know that it is always DNS(SEC), I spent a lot of time
> having fun with that, before I noticed the /8 netmask on the interface.
>
> I agree that the class A/B/C netmask assumptions should have died long ago.
>
> But from a foot-shooting point of view, it makes no sense to default
> 192.168/16 to a /8 netmask.
>
> If we're going to default to /8, at the very least ifconfig should
> spit out a very noisy warning and wait 5 seconds before proceeding,
> when the netmask is not explicitly specified.
>
> But I also think we can do better than /8.
>
> One option is to go for "limit the damage in RFC1918" and default
> them according to their size/reach:
>
> 10/8
> 172.16/12
> 192.168/16
>
> That will prevent the DNS weirdness I had to figure out, and probably
> still DWIM in most cases.
>
> Another option is to default all three to /24, which in my experience
> is how people deploy RFC1918.
>
> A third option is to default any missing netmask to /24 instead of /8,
> which would be what I would personally have done in the first place.

I couldn't agree more. CPEs, WiFi APs and most other network(ing)
equipment that most users encounter generally default to a /24
(255.255.255.0). IMHO this would result in the least amount of POLA. :)

>
> Poul-Henning

--Chris
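As an added example (not code from this thread, from FreeBSD's rc(8), or from ifconfig(8)), here is a POSIX sh script that audits an rc.conf for ifconfig_<if> entries that set an IPv4 address with no explicit netmask or prefix length, the case that now silently gets /8, and shows side by side what the proposals above would assign instead. The sample rc.conf contents and the helper names (default_prefix, rfc1918_prefix, has_mask, audit_rc_conf, audit_sample) are constructed for this example; reporting "none" for a non-RFC1918 address under the size-based proposal is an assumption, since the thread gives no rule for those.

```shell
#!/bin/sh
# Constructed example: audit rc.conf for static IPv4 entries without a mask.
# Not FreeBSD's rc(8) or ifconfig(8) code.

# Prefix length an unmasked IPv4 address receives today (per the thread: /8).
default_prefix() { echo 8; }

# Prefix length under the "limit the damage in RFC1918" proposal:
# 10/8, 172.16/12, 192.168/16. Prints nothing for non-RFC1918 addresses
# (assumption: the thread proposes no rule for them).
rfc1918_prefix() {
    o1=${1%%.*}
    rest=${1#*.}
    o2=${rest%%.*}
    if [ "$o1" -eq 10 ]; then echo 8
    elif [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo 12
    elif [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then echo 16
    fi
}

# has_mask "<ifconfig args>": exit 0 if the arguments carry an explicit
# mask, either "netmask x.x.x.x" or a CIDR suffix "A.B.C.D/NN".
has_mask() {
    case " $1 " in
        *" netmask "*|*/[0-9]*) return 0 ;;
    esac
    return 1
}

# audit_rc_conf FILE: one line per unmasked static IPv4 entry, showing
# the current default, the RFC1918-sized proposal, and the flat /24 option.
audit_rc_conf() {
    grep -E '^[[:space:]]*ifconfig_[A-Za-z0-9_]+=' "$1" |
    while IFS= read -r line; do
        name=${line%%=*}
        ifname=${name#*ifconfig_}
        val=${line#*=}
        val=${val#\"}
        val=${val%%\"*}                 # drop closing quote and any trailing comment
        case "$val" in
            *DHCP*|"") continue ;;      # DHCP entries get their mask from the lease
        esac
        addr=
        for tok in $val; do             # first dotted-quad token is the address
            case "$tok" in
                [0-9]*.[0-9]*.[0-9]*.[0-9]*) addr=${tok%%/*}; break ;;
            esac
        done
        [ -n "$addr" ] || continue      # no IPv4 literal (e.g. an inet6-only line)
        has_mask "$val" && continue
        p=$(rfc1918_prefix "$addr")
        r=${p:+/$p}
        printf '%s %s current=/%s rfc1918=%s flat=/24\n' \
            "$ifname" "$addr" "$(default_prefix)" "${r:-none}"
    done
}

# Constructed rc.conf fragment covering the cases the audit distinguishes.
sample_rc_conf() {
    cat <<'EOF'
ifconfig_bla0="192.168.87.11"
ifconfig_em0="inet 10.1.2.3 netmask 255.255.255.0"
ifconfig_em1="172.20.4.5/22"
ifconfig_em2="DHCP"
ifconfig_em3="198.51.100.7"
ifconfig_em0_ipv6="inet6 accept_rtadv"
EOF
}

# Run the audit over the constructed fragment via a temporary file.
audit_sample() {
    f=$(mktemp) || return 1
    sample_rc_conf > "$f"
    audit_rc_conf "$f"
    rm -f "$f"
}

audit_sample
```

Running it against a real file is `audit_rc_conf /etc/rc.conf`; the only entries flagged are the ones whose mask is left to the default, so a clean run means every static IPv4 line says what it means regardless of which default ifconfig ends up with.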