author: Kyle Evans <kevans@FreeBSD.org> 2020-08-31 01:45:48 +0000
committer: Kyle Evans <kevans@FreeBSD.org> 2020-08-31 01:45:48 +0000
commit: 1e9b8db9b254b98ae065889f8c33b0dcc18138a1 (patch)
tree: d1e133b931ffe6f5db44e79834f9912aba6c9f13 /sys/netinet6
parent: c0a56af995f4aa8c5ab5982c55ae62cd75ccd829 (diff)
ipv6: quit dropping packets looping back on p2p interfaces
To paraphrase the below-referenced PR: This logic originated in the KAME project, and was even controversial when it was enabled there by default in 2001. No such equivalent logic exists in the IPv4 stack, and it turns out that this leads to us dropping valid traffic when the "point to point" interface is actually a 1:many tun interface, e.g. with the wireguard userland stack.

Even in the case of true point-to-point links, this logic only avoids transient looping of packets sent by misconfigured applications or attackers, which can be subverted by proper route configuration rather than hardcoded logic in the kernel to drop packets.

In the review, melifaro goes on to note that the kernel can't fix it, so it perhaps shouldn't try to be 'smart' about it. Additionally, that TTL will still kick in even with incorrect route configuration.

PR: 247718
Reviewed by: melifaro, rgrimes
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D25567

Notes: svn path=/head/; revision=364982
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- sys/netinet6/ip6_forward.c | 18
1 files changed, 1 insertions, 17 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index b94dca89eef6..d4306eea416f 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -260,24 +260,8 @@ again:
* modified by a redirect.
*/
if (V_ip6_sendredirects && nh->nh_ifp == m->m_pkthdr.rcvif && !srcrt &&
- (nh->nh_flags & NHF_REDIRECT) == 0) {
- if ((nh->nh_ifp->if_flags & IFF_POINTOPOINT) != 0) {
- /*
- * If the incoming interface is equal to the outgoing
- * one, and the link attached to the interface is
- * point-to-point, then it will be highly probable
- * that a routing loop occurs. Thus, we immediately
- * drop the packet and send an ICMPv6 error message.
- *
- * type/code is based on suggestion by Rich Draves.
- * not sure if it is the best pick.
- */
- icmp6_error(mcopy, ICMP6_DST_UNREACH,
- ICMP6_DST_UNREACH_ADDR, 0);
- goto bad;
- }
+ (nh->nh_flags & NHF_REDIRECT) == 0)
type = ND_REDIRECT;
- }
/*
* Fake scoped addresses. Note that even link-local source or
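Review bot: the comment block that ends with "modified by a redirect." above the `if` should say that the old point-to-point loop drop (the `IFF_POINTOPOINT` branch with `icmp6_error(mcopy, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR, 0)` and `goto bad`) was removed on purpose, since after this hunk a packet that arrives and leaves on the same point-to-point interface falls through to `type = ND_REDIRECT` exactly like any other interface and nothing in the code itself records why; a one-line note that forwarding loops are now bounded only by the hop limit, as the commit message states, would keep a future reader from reintroducing the drop.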