From: Mike Karels
Reply-to: mike@karels.net
To: Jamie Landeg-Jones
cc: shuriku@shurik.kiev.ua, freebsd-net@FreeBSD.org
Subject: Re: netmask for loopback interfaces
Date: Thu, 04 Nov 2021 08:56:40 -0500
Message-Id: <202111041356.1A4DueIJ078223@mail.karels.net>
In-reply-to: Your message of Thu, 04 Nov 2021 13:03:29 -0000.
 <202111041303.1A4D3T0r091830@donotpassgo.dyslexicfish.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Jamie wrote:
> Oleksandr Kryvulia wrote:
> > 04.11.21 01:01, Mike Karels wrote:
> > > I have a pending change to stop using class A/B/C netmasks when setting
> > > an interface address without an explicit mask, and instead to use a default
> > > mask (24 bits). A question has arisen as to what the default mask should
> > > be for loopback interfaces. The standard 127.0.0.1 is added with an 8-bit
> > > mask currently, but additions without a mask would default to 24 bits.
> > > There is no warning for missing masks for loopback in the current code.
> > > I'm not convinced that the mask has any meaning here; only a host route
> > > to the assigned address is created. Does anyone know of any meaning or
> > > use of the mask on a loopback address?
> > >
> > > Thanks,
> > > Mike
> > >
> >
> > /8 mask on loopback prevents using the 127.x.x.x network anywhere
> > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> >
> > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > [2] https://datatracker.ietf.org/doc/html/rfc1122

It's true that 127/8 is currently reserved, but that isn't enforced by
FreeBSD using the mask on the interface. Such packets are prevented from
forwarding by in_canforward(), which in turn uses IN_LOOPBACK(). The
latter uses a compiled-in 8-bit mask.

> There is a push by some people to release 127.0.0.0/8 address space,
> leaving only 127.0.0.0/16 as reserved for localhost.
> https://www.spinics.net/lists/netdev/msg598545.html
> https://github.com/schoen/unicast-extensions/blob/master/127.md
> https://github.com/schoen/unicast-extensions/
> I make no comment on the feasibility of doing this!
> However, that aside, aren't you just confusing the mask with routing?

The two masks (interface and route) are separate, but the routing mask is
set from the interface mask for most interfaces (broadcast or NBMA, but not
loopback or point-to-point). The interface mask is visible to user level,
including routing daemons. But I think it would be wrong for a routing
daemon to infer anything from the mask on a loopback route. But the reason
for my question was to find out if there is anything that uses the
interface mask in this case, and thus whether a change in the default
matters.

> I think the mask on any IP on a loopback interface should be /32
> (if you want to add a "127.0.0.0/8 -local" route even if done
> automatically", then so be it)

Using /32 on loopback is not a bad idea. /etc/network.subr is wired to
127.0.0.1/8 currently. I don't think I'll change it in this pass though.

> Note, the default FreeBSD firewall rules already have:
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

If you use the default rules...

Mike
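Mike's point that the refusal to forward 127/8 comes from a compiled-in mask in IN_LOOPBACK(), not from whatever mask is configured on lo0, as an added C example modelled on FreeBSD's in_canforward() (this is not code from the thread or from FreeBSD itself; the FWD_ macro names, parse_ipv4() and the in_interface_subnet() contrast are this example's own):

```c
#include <arpa/inet.h>
#include <stdint.h>

/* Mirrors FreeBSD's IN_* tests (host-order address); loopback is a fixed /8. */
#define FWD_ZERONET(i)      (((uint32_t)(i) & 0xff000000U) == 0x00000000U)
#define FWD_LOOPBACK(i)     (((uint32_t)(i) & 0xff000000U) == 0x7f000000U)
#define FWD_LINKLOCAL(i)    (((uint32_t)(i) & 0xffff0000U) == 0xa9fe0000U)
#define FWD_MULTICAST(i)    (((uint32_t)(i) & 0xf0000000U) == 0xe0000000U)
#define FWD_EXPERIMENTAL(i) (((uint32_t)(i) & 0xf0000000U) == 0xf0000000U)

/* Dotted quad -> host-order address; 0 on a malformed string. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Same decision as in_canforward(): 1 if the kernel would forward a packet
 * to this host-order destination, 0 if it refuses. No interface mask involved. */
int can_forward(uint32_t host_addr)
{
    if (FWD_EXPERIMENTAL(host_addr) || FWD_MULTICAST(host_addr) ||
        FWD_LINKLOCAL(host_addr) || FWD_ZERONET(host_addr) ||
        FWD_LOOPBACK(host_addr))
        return 0;
    return 1;
}

/* Forwardability of a dotted-quad destination; -1 on a malformed address. */
int can_forward_str(const char *addr)
{
    uint32_t a;
    return parse_ipv4(addr, &a) ? can_forward(a) : -1;
}

/* Host-order mask for a /bits prefix, bits clamped to 0..32. */
uint32_t prefix_mask(int bits)
{
    return bits <= 0 ? 0U : bits >= 32 ? 0xffffffffU : 0xffffffffU << (32 - bits);
}

/* 1 if addr lies inside ifaddr/bits, i.e. what a /8, /24 or /32 configured
 * on lo0 says about the address, independently of can_forward(). */
int in_interface_subnet(const char *ifaddr, int bits, const char *addr)
{
    uint32_t a, b;
    if (!parse_ipv4(ifaddr, &a) || !parse_ipv4(addr, &b))
        return 0;
    return ((a ^ b) & prefix_mask(bits)) == 0;
}
```

For 127.1.2.3 the forwarding check refuses whether lo0 carries /8, /24 or /32, while in_interface_subnet() flips between those masks, which is why the default interface mask does not change what is blocked.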