From: Mike Karels
Reply-to: mike@karels.net
To: "Rodney W. Grimes"
Cc: Jamie Landeg-Jones, shuriku@shurik.kiev.ua, freebsd-net@FreeBSD.org
Subject: Re: netmask for loopback interfaces
Date: Thu, 04 Nov 2021 12:58:47 -0500
Message-Id: <202111041758.1A4HwloY079049@mail.karels.net>
In-reply-to: Your message of Thu, 04 Nov 2021 07:36:37 -0700.
    <202111041436.1A4Eabv2029696@gndrsh.dnsmgr.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Rod wrote:
> > Jamie wrote:
> >
> > > Oleksandr Kryvulia wrote:
> >
> > > > 04.11.21 01:01, Mike Karels wrote:
> > > > > I have a pending change to stop using class A/B/C netmasks when setting
> > > > > an interface address without an explicit mask, and instead to use a default
> > > > > mask (24 bits).  A question has arisen as to what the default mask should
> > > > > be for loopback interfaces.  The standard 127.0.0.1 is added with an 8 bit
> > > > > mask currently, but additions without a mask would default to 24 bits.
> > > > > There is no warning for missing masks for loopback in the current code.
> > > > > I'm not convinced that the mask has any meaning here; only a host route
> > > > > to the assigned address is created.  Does anyone know of any meaning or
> > > > > use of the mask on a loopback address?
> > > > >
> > > > > Thanks,
> > > > > Mike
> > > > >
> > > >
> > > > /8 mask on loopback prevents using of 127.x.x.x network anywhere
> > > > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> > > >
> > > > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > > > [2] https://datatracker.ietf.org/doc/html/rfc1122
> >
> > It's true that 127/8 is currently reserved, but that isn't enforced
> > by FreeBSD using the mask on the interface.  Such packets are prevented
> > from forwarding by in_canforward(), which in turn uses IN_LOOPBACK().
> > The latter uses a compiled-in 8-bit mask.
> I have a review up that "relaxes" the restrictions on this (127/8)
> and other ranges.
> https://reviews.freebsd.org/D19316
>
> >
> > > There is a push by some people to release 127.0.0.0/8 address space,
> > > leaving only 127.0.0.0/16 as reserved for localhost.
> >
> > > https://www.spinics.net/lists/netdev/msg598545.html
> >
> > > https://github.com/schoen/unicast-extensions/blob/master/127.md
> >
> > > https://github.com/schoen/unicast-extensions/
> >
> > > I make no comment on the feasibility of doing this!
> >
> > > However, that aside, aren't you just confusing the mask with routing?
> >
> > The two masks (interface and route) are separate, but the routing mask
> > is set from the interface mask for most interfaces (broadcast or NBMA,
> > but not loopback or point-to-point).  The interface mask is visible to
> > user level, including routing daemons.  But I think it would be wrong
> > for a routing daemon to infer anything from the mask on a loopback
> > route.  But the reason for my question was to find out if there is
>          ^^^^^ I think you meant interface here?

Yes, thanks.  (Although it may be true of loopback routes too.)

> > anything that uses the interface mask in this case, and thus whether
> > a change in the default matters.
> I actually do believe routing daemons pay very close attention to
> the netmask on interfaces.  It is how CIDR routes to interfaces
> are created and maintained by most of them.  Even ancient gated
> used this information.

Yes, but do they use information for the loopback for routing?  Certainly
they don't advertise the loopback by default; it isn't reachable externally.

> >
> > > I think the mask on any IP on a loopback interface should be /32
> > > (if you want to add a "127.0.0.0/8 -local" route even if done
> > > automatically", then so be it)
> >
> > Using /32 on loopback is not a bad idea.  /etc/network.subr is wired
> > to 127.0.0.1/8 currently.  I don't think I'll change it in this pass
> > though.
> >
> > > Note, the default FreeBSD firewall rules already have:
> >
> > > ${fwcmd} add 100 pass all from any to any via lo0
> > > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> >
> > If you use the default rules...
> The default rules should work with a fresh install that
> is left with defaults in place.  Due to loss of 127/8
> routes the firewall code is borked and we only do not
> leak 127/8 packets because of other code in the kernel
> that prevents them from leaking.

A fresh install does not enable the firewall rules by default.  We could
change /etc/network.subr to add a reject route for the loopback "net".
When BSD last had a 127/8 route, it was not a reject route, so didn't make
sense.

		Mike
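The distinction the thread turns on, shown as an added example that is not code from the FreeBSD tree or from any of the posters: the default interface mask (classful before Mike's change, a fixed /24 after it) is one thing, and the compiled-in 8-bit test behind IN_LOOPBACK() that in_canforward() uses is another, so changing the former cannot affect whether 127/8 packets are forwarded. The macro values mirror the class, multicast, link-local and loopback definitions in <netinet/in.h>; can_forward() is modelled on in_canforward(), and the "anything that is not class A or B gets /24" fallback in classful_default_mask() follows the historical 4.4BSD logic (an assumption here, not something the thread states). is_loopback() takes the prefix width as a parameter so that the "reserve only 127.0.0.0/16" proposal linked above can be compared with the current /8 behaviour. All addresses are host byte order.

```c
/*
 * Added example (not FreeBSD source).  Models the two separate masks the
 * thread discusses: the default interface mask and the compiled-in
 * loopback test used by the forwarding path.  Host byte order throughout.
 */
#include <arpa/inet.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Values mirror <netinet/in.h>; names shortened to avoid clashing with it. */
#define CLASSA(i)       (((uint32_t)(i) & 0x80000000U) == 0)
#define CLASSB(i)       (((uint32_t)(i) & 0xc0000000U) == 0x80000000U)
#define MULTICAST(i)    (((uint32_t)(i) & 0xf0000000U) == 0xe0000000U)
#define EXPERIMENTAL(i) (((uint32_t)(i) & 0xf0000000U) == 0xf0000000U)
#define LINKLOCAL(i)    (((uint32_t)(i) & 0xffff0000U) == 0xa9fe0000U)
#define ZERONET(i)      (((uint32_t)(i) & 0xff000000U) == 0)
#define LOOPBACK(i)     (((uint32_t)(i) & 0xff000000U) == 0x7f000000U)

/* Contiguous netmask for a prefix length of 0..32. */
uint32_t prefix_mask(int bits)
{
	if (bits <= 0)
		return 0;
	if (bits >= 32)
		return 0xffffffffU;
	return 0xffffffffU << (32 - bits);
}

/* Old behaviour: derive the interface mask from the address class
 * (assumption: class C and everything above it fall back to /24, as in
 * the 4.4BSD-derived code). */
uint32_t classful_default_mask(uint32_t a)
{
	if (CLASSA(a))
		return prefix_mask(8);
	if (CLASSB(a))
		return prefix_mask(16);
	return prefix_mask(24);
}

/* New behaviour described in the thread: a fixed /24 whatever the class. */
uint32_t new_default_mask(uint32_t a)
{
	(void)a;
	return prefix_mask(24);
}

/* Loopback test with the prefix width as a parameter: 8 is what
 * IN_LOOPBACK() hard-codes; 16 models the "127.0.0.0/16 only" proposal. */
int is_loopback(uint32_t a, int bits)
{
	uint32_t m = prefix_mask(bits);
	return (a & m) == (0x7f000000U & m);
}

/* Modelled on in_canforward(): note that no interface mask is consulted. */
int can_forward(uint32_t a)
{
	if (EXPERIMENTAL(a) || MULTICAST(a) || LINKLOCAL(a) ||
	    ZERONET(a) || LOOPBACK(a))
		return 0;
	return 1;
}

/* Dotted quad -> host-order value; returns 0 on a malformed string. */
int parse_v4(const char *s, uint32_t *out)
{
	struct in_addr in;
	if (inet_pton(AF_INET, s, &in) != 1)
		return 0;
	*out = ntohl(in.s_addr);
	return 1;
}

int main(void)
{
	/* Constructed sample addresses: one per class, two in 127/8, one link-local. */
	const char *samples[] = { "10.1.2.3", "172.16.5.6", "192.168.1.1",
				  "127.0.0.1", "127.1.2.3", "169.254.1.1" };
	printf("%-12s %-10s %-10s %-5s %-6s %s\n",
	       "address", "old mask", "new mask", "lo/8", "lo/16", "fwd");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t a;
		if (!parse_v4(samples[i], &a))
			continue;
		printf("%-12s 0x%08" PRIx32 " 0x%08" PRIx32 " %-5d %-6d %d\n",
		       samples[i], classful_default_mask(a), new_default_mask(a),
		       is_loopback(a, 8), is_loopback(a, 16), can_forward(a));
	}
	return 0;
}
```

Running it shows 127.0.0.1 and 127.1.2.3 getting a /8 under the old default and a /24 under the new one, while can_forward() rejects both either way; only widening the prefix passed to is_loopback() to 16 changes what counts as loopback, which is the knob the D19316-style "relaxation" and the 127/16 proposal are about, not the interface mask.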