author | Pawel Biernacki <kaktus@FreeBSD.org> | 2023-03-13 16:36:11 +0000 |
---|---|---|
committer | Pawel Biernacki <kaktus@FreeBSD.org> | 2023-03-13 16:46:21 +0000 |
commit | 3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783 (patch) | |
tree | a89ba3569a19e5b27742506735be22f67dfa8fbf /sys/netinet6/in6_proto.c | |
parent | fc76ddee9be0d7f98c9f9a162627950f8102964e (diff) | |
download | src-3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783.tar.gz src-3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783.zip |
netinet6: allow disabling excess log messages
RFC 4443 specifies cases where certain packets, like those originating from
local-scope addresses destined outside of the scope shouldn't be forwarded.
The current practice is to drop them, send ICMPv6 message where appropriate,
and log the message:
cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt
58, rcvif vlan5, outif vlan2
At times the volume of such messages can get very high. Let's allow local
admins to disable such messages on per vnet basis, keeping the current
default (log).
Reported by: zarychtam@plan-b.pwste.edu.pl
Reviewed by: zlei (previous version), pauamma (docs)
Differential Revision: https://reviews.freebsd.org/D38644
Diffstat (limited to 'sys/netinet6/in6_proto.c')
-rw-r--r-- | sys/netinet6/in6_proto.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index ca1257456326..1f2a41dd51de 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -179,6 +179,7 @@ VNET_DEFINE(int, ip6stealth) = 0; #endif VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS * (RFC 4861) */ +VNET_DEFINE(bool, ip6_log_cannot_forward) = 1; /* icmp6 */ /* @@ -342,6 +343,10 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6stealth), 0, "Forward IPv6 packets without decrementing their TTL"); #endif +SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO, + log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(ip6_log_cannot_forward), 1, + "Log packets that cannot be forwarded"); /* net.inet6.icmp6 */ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept, |
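Review bot: In the first hunk (@@ -179,6 +179,7 @@), the new bool variable ip6_log_cannot_forward is initialised with the integer 1; since it is declared as bool, "= true" states the intent more clearly. The line also has no trailing comment, unlike the nd6_onlink_ns_rfc4861 definition directly above it, so a short note such as "log 'cannot forward' messages" would keep the block consistent. Only in6_proto.c is shown here, so the matching VNET_DECLARE and the place where the flag is tested cannot be checked from this view.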
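Review bot: In the second hunk (@@ -342,6 +343,10 @@), the SYSCTL_BOOL entry passes 1 as the value argument after &VNET_NAME(ip6_log_cannot_forward), while the neighbouring stealth entry passes 0 in that position. With a non-NULL pointer the handler reads the variable rather than this argument, so the 1 reads as though it sets the default when the default actually comes from the VNET_DEFINE initialiser; passing 0 here would match the surrounding entries. Because the knob is CTLFLAG_VNET | CTLFLAG_RW and turning it off silences the "cannot forward" log line per vnet, the description string could also state the default, for example "Log packets that cannot be forwarded (default: enabled)", so an operator who finds it set to 0 knows it was changed.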