git: 3d846e48227e - main - Do not forward datagrams originated by link-local addresses
Joe Clarke
jclarke at marcuscom.com
Tue May 18 23:51:52 UTC 2021
Just out of curiosity, why remove the RFC reference from the comment? Seems useful for those that want to know why this is a good practice.
Joe
PGP Key : https://www.marcuscom.com/pgp.asc
> On May 18, 2021, at 17:01, Lutz Donnerhacke <donner at freebsd.org> wrote:
>
> The branch main has been updated by donner:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=3d846e48227e2e78c1e7b35145f57353ffda56ba
>
> commit 3d846e48227e2e78c1e7b35145f57353ffda56ba
> Author: Zhenlei Huang <zlei.huang at gmail.com>
> AuthorDate: 2021-05-18 20:51:37 +0000
> Commit: Lutz Donnerhacke <donner at FreeBSD.org>
> CommitDate: 2021-05-18 20:59:46 +0000
>
> Do not forward datagrams originated by link-local addresses
>
> The current implementation of ip_input() rejects packets destined for
> 169.254.0.0/16, but not those originating from 169.254.0.0/16 link-local
> addresses.
>
> Fix to fully respect RFC 3927 section 2.7.
>
> PR: 255388
> Reviewed by: donner, rgrimes, karels
> MFC after: 1 month
> Differential Revision: https://reviews.freebsd.org/D29968
> ---
> sys/netinet/ip_input.c | 16 +++++++++-------
> 1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
> index 43d375c2385f..1139e3a5abfa 100644
> --- a/sys/netinet/ip_input.c
> +++ b/sys/netinet/ip_input.c
> @@ -738,15 +738,10 @@ passin:
> }
> ia = NULL;
> }
> - /* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */
> - if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
> - IPSTAT_INC(ips_cantforward);
> - m_freem(m);
> - return;
> - }
> if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
> MROUTER_RLOCK();
> - if (V_ip_mrouter) {
> + /* Do not forward packets from IN_LINKLOCAL. */
> + if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
> /*
> * If we are acting as a multicast router, all
> * incoming multicast packets are passed to the
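Review bot: the new comment above the `V_ip_mrouter` condition, "Do not forward packets from IN_LINKLOCAL.", drops the RFC 3927 section 2.7 citation that the removed comment carried; keeping it tells a reader why the source address is tested here. Separately, folding `!IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))` into the `V_ip_mrouter` test means a multicast datagram with a link-local source is handled as if no multicast router were running, and nothing in these lines counts it in `ips_cantforward` the way the removed destination check did. Consider either a separate test with its own `IPSTAT_INC(ips_cantforward)` or a comment stating that the uncounted skip is intended.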
> @@ -785,6 +780,13 @@ passin:
> goto ours;
> if (ip->ip_dst.s_addr == INADDR_ANY)
> goto ours;
> + /* Do not forward packets to or from IN_LINKLOCAL. */
> + if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
> + IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
> + IPSTAT_INC(ips_cantforward);
> + m_freem(m);
> + return;
> + }
>
> /*
> * Not for us; forward if possible and desirable.
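Review bot: the added comment "Do not forward packets to or from IN_LINKLOCAL." should carry the RFC 3927 section 2.7 reference that the commit message cites and the old comment had. The placement also deserves a word: the check now sits after the `goto ours` tests, so the destination test that previously ran before the multicast block is applied only to datagrams that are about to be forwarded. A sentence in the comment saying that local delivery is intentionally left unaffected would make that ordering change explicit.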