aboutsummaryrefslogtreecommitdiff
path: root/sys/netinet6/in6_proto.c
diff options
context:
space:
mode:
authorPawel Biernacki <kaktus@FreeBSD.org>2023-03-13 16:36:11 +0000
committerPawel Biernacki <kaktus@FreeBSD.org>2023-03-13 16:46:21 +0000
commit3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783 (patch)
treea89ba3569a19e5b27742506735be22f67dfa8fbf /sys/netinet6/in6_proto.c
parentfc76ddee9be0d7f98c9f9a162627950f8102964e (diff)
downloadsrc-3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783.tar.gz
src-3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783.zip
netinet6: allow disabling excess log messages
RFC 4443 specifies cases where certain packets, like those originating from local-scope addresses destined outside of the scope shouldn't be forwarded. The current practice is to drop them, send ICMPv6 message where appropriate, and log the message: cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2 At times the volume of such messages cat get very high. Let's allow local admins to disable such messages on per vnet basis, keeping the current default (log). Reported by: zarychtam@plan-b.pwste.edu.pl Reviewed by: zlei (previous version), pauamma (docs) Differential Revision: https://reviews.freebsd.org/D38644
Diffstat (limited to 'sys/netinet6/in6_proto.c')
-rw-r--r--sys/netinet6/in6_proto.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index ca1257456326..1f2a41dd51de 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -179,6 +179,7 @@ VNET_DEFINE(int, ip6stealth) = 0;
#endif
VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS
* (RFC 4861) */
+VNET_DEFINE(bool, ip6_log_cannot_forward) = 1;
/* icmp6 */
/*
@@ -342,6 +343,10 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(ip6stealth), 0,
"Forward IPv6 packets without decrementing their TTL");
#endif
+SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO,
+ log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(ip6_log_cannot_forward), 1,
+ "Log packets that cannot be forwarded");
/* net.inet6.icmp6 */
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept,