git: 3d846e48227e - main - Do not forward datagrams originated by link-local addresses
Rodney W. Grimes
freebsd at gndrsh.dnsmgr.net
Wed May 19 01:04:31 UTC 2021
> Just out of curiosity, why remove the RFC reference from the comment? Seems useful for those that want to know why this is a good practice.
RFCs are not immutable, and more often than not an RFC comment
is outdated in the src.
As an example, network "10/8", original RFC 1627, obsoleted by 1918,
but the IETF tracker doesn't tell you that this was covered
in RFC 5735, obsoleted by 6890, updated by 8190
(the 169.254.0.0/16 block is covered in 6890 with no changes to that
part by 8190....)
SOOOO.. RFC references are very hard to keep up to date and correct.
>
> Joe
>
> PGP Key : https://www.marcuscom.com/pgp.asc
>
> > On May 18, 2021, at 17:01, Lutz Donnerhacke <donner at freebsd.org> wrote:
> >
> > The branch main has been updated by donner:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=3d846e48227e2e78c1e7b35145f57353ffda56ba
> >
> > commit 3d846e48227e2e78c1e7b35145f57353ffda56ba
> > Author: Zhenlei Huang <zlei.huang at gmail.com>
> > AuthorDate: 2021-05-18 20:51:37 +0000
> > Commit: Lutz Donnerhacke <donner at FreeBSD.org>
> > CommitDate: 2021-05-18 20:59:46 +0000
> >
> > Do not forward datagrams originated by link-local addresses
> >
> > The current implementation of ip_input() rejects packets destined for
> > 169.254.0.0/16, but not those originating from 169.254.0.0/16 link-local
> > addresses.
> >
> > Fix to fully respect RFC 3927 section 2.7.
> >
> > PR: 255388
> > Reviewed by: donner, rgrimes, karels
> > MFC after: 1 month
> > Differential Revision: https://reviews.freebsd.org/D29968
> > ---
> > sys/netinet/ip_input.c | 16 +++++++++-------
> > 1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
> > index 43d375c2385f..1139e3a5abfa 100644
> > --- a/sys/netinet/ip_input.c
> > +++ b/sys/netinet/ip_input.c
> > @@ -738,15 +738,10 @@ passin:
> > }
> > ia = NULL;
> > }
> > - /* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */
> > - if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
> > - IPSTAT_INC(ips_cantforward);
> > - m_freem(m);
> > - return;
> > - }
> > if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
> > MROUTER_RLOCK();
> > - if (V_ip_mrouter) {
> > + /* Do not forward packets from IN_LINKLOCAL. */
> > + if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
> > /*
> > * If we are acting as a multicast router, all
> > * incoming multicast packets are passed to the
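Review bot: the new multicast-path condition `if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr)))` drops link-local-sourced packets out of the multicast-router path without any accounting, whereas the block removed just above counted its drop with `IPSTAT_INC(ips_cantforward)`. A silent bypass here makes the behaviour invisible in netstat; consider splitting the condition so the link-local case increments a counter, or at least extend the one-line comment to say that such packets are deliberately not handed to the multicast router and fall through to the local-delivery checks. Minor: the source-address test does not depend on anything protected by MROUTER_RLOCK(), so it could be evaluated before the lock is taken.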
> > @@ -785,6 +780,13 @@ passin:
> > goto ours;
> > if (ip->ip_dst.s_addr == INADDR_ANY)
> > goto ours;
> > + /* Do not forward packets to or from IN_LINKLOCAL. */
> > + if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
> > + IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
> > + IPSTAT_INC(ips_cantforward);
> > + m_freem(m);
> > + return;
> > + }
> >
> > /*
> > * Not for us; forward if possible and desirable.
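Review bot: the comment on the relocated check, `/* Do not forward packets to or from IN_LINKLOCAL. */`, lost the "RFC 3927 2.7" citation the removed line carried; the commit message still cites it, but a reader of ip_input.c now sees the rule without its source, so keeping the section reference in the comment would save a trip through git blame. Placement looks right: the check sits after the `goto ours` jumps for INADDR_BROADCAST and INADDR_ANY, so locally destined packets from 169.254.0.0/16 sources are still delivered and only the forwarding path is refused, which is what section 2.7 asks for.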
> > _______________________________________________
> > dev-commits-src-all at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all
> > To unsubscribe, send any mail to "dev-commits-src-all-unsubscribe at freebsd.org"
>
>
>
--
Rod Grimes rgrimes at freebsd.org
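As an added illustration of the bug the commit message describes (not FreeBSD code, and not part of this thread), the following user-space model reproduces the forwarding decision before and after the change for the RFC 3927 section 2.7 rule. The address test copies what the kernel's IN_LINKLOCAL() macro does on a host-byte-order address; the "is this packet ours" test is reduced to a single local address, which is an assumption of this model rather than the kernel's interface-address lookup, and the sample packets and the router address 192.0.2.1 are constructed.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the forwarding
 * decision ip_input() makes for 169.254.0.0/16 addresses (RFC 3927 2.7),
 * before and after commit 3d846e48227e. The "ours" test is simplified to
 * one local address (an assumption of this model, not the kernel lookup).
 */
#include <stdint.h>
#include <stdio.h>

/* Same test as FreeBSD's IN_LINKLOCAL() on a host-byte-order address. */
static int in_linklocal(uint32_t a)
{
    return (a & 0xffff0000u) == 0xa9fe0000u;   /* 169.254.0.0/16 */
}

/* Dotted quad -> host-order uint32_t; returns 1 on success, 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned b[4];
    char tail;
    /* A fifth conversion succeeding means trailing garbage: reject it. */
    if (sscanf(s, "%u.%u.%u.%u%c", &b[0], &b[1], &b[2], &b[3], &tail) != 4)
        return 0;
    for (int i = 0; i < 4; i++)
        if (b[i] > 255)
            return 0;
    *out = ((uint32_t)b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
    return 1;
}

enum verdict { OURS = 0, DROP_LINKLOCAL = 1, FORWARD = 2 };

/* Before the commit: only the destination address was tested. */
static enum verdict verdict_before(uint32_t src, uint32_t dst, uint32_t local)
{
    (void)src;                       /* source never examined: the bug */
    if (dst == local)
        return OURS;
    if (in_linklocal(dst))
        return DROP_LINKLOCAL;
    return FORWARD;
}

/* After the commit: "ours" still wins, then either address being link-local drops. */
static enum verdict verdict_after(uint32_t src, uint32_t dst, uint32_t local)
{
    if (dst == local)
        return OURS;
    if (in_linklocal(dst) || in_linklocal(src))
        return DROP_LINKLOCAL;
    return FORWARD;
}

/* Wrapper on dotted-quad strings; returns the verdict, or -1 on a parse failure. */
static int decide(int after, const char *src_s, const char *dst_s, const char *local_s)
{
    uint32_t src, dst, local;
    if (!parse_ipv4(src_s, &src) || !parse_ipv4(dst_s, &dst) ||
        !parse_ipv4(local_s, &local))
        return -1;
    return after ? (int)verdict_after(src, dst, local)
                 : (int)verdict_before(src, dst, local);
}

int main(void)
{
    static const char *names[] = { "ours", "drop (link-local)", "forward" };
    /* Constructed sample packets as seen by a router whose address is 192.0.2.1. */
    const char *pkts[][2] = {
        { "192.0.2.50",  "198.51.100.7" },   /* ordinary transit traffic */
        { "192.0.2.50",  "169.254.3.4"  },   /* link-local destination */
        { "169.254.3.4", "198.51.100.7" },   /* link-local source: the bug */
        { "169.254.3.4", "192.0.2.1"    },   /* link-local source, but for us */
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        int b = decide(0, pkts[i][0], pkts[i][1], "192.0.2.1");
        int a = decide(1, pkts[i][0], pkts[i][1], "192.0.2.1");
        if (a < 0 || b < 0)
            continue;
        printf("%-12s -> %-13s before: %-18s after: %s\n",
               pkts[i][0], pkts[i][1], names[b], names[a]);
    }
    return 0;
}
```

The third sample is the case the commit fixes: a datagram sourced from 169.254.3.4 toward a routable destination was forwarded under the old destination-only check and is now dropped, while the fourth sample shows that local delivery of the same source is unaffected, since section 2.7 only forbids forwarding.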