authorPawel Biernacki <kaktus@FreeBSD.org>2023-03-13 16:36:11 +0000
committerPawel Biernacki <kaktus@FreeBSD.org>2023-03-13 16:46:21 +0000
commit3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783 (patch)
treea89ba3569a19e5b27742506735be22f67dfa8fbf /sys
parentfc76ddee9be0d7f98c9f9a162627950f8102964e (diff)
netinet6: allow disabling excess log messages
RFC 4443 specifies cases where certain packets, like those originating from local-scope addresses destined outside of the scope, shouldn't be forwarded. The current practice is to drop them, send an ICMPv6 message where appropriate, and log the message: cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2 At times the volume of such messages can get very high. Let's allow local admins to disable such messages on a per-vnet basis, keeping the current default (log). Reported by: zarychtam@plan-b.pwste.edu.pl Reviewed by: zlei (previous version), pauamma (docs) Differential Revision: https://reviews.freebsd.org/D38644
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet6/in6_proto.c5
-rw-r--r--sys/netinet6/ip6_forward.c6
-rw-r--r--sys/netinet6/ip6_mroute.c3
-rw-r--r--sys/netinet6/ip6_var.h3
4 files changed, 14 insertions, 3 deletions
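diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index ca1257456326..1f2a41dd51de 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -179,6 +179,7 @@ VNET_DEFINE(int, ip6stealth) = 0;
 #endif
 VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS
 * (RFC 4861) */
+VNET_DEFINE(bool, ip6_log_cannot_forward) = 1;
 /* icmp6 */
 /*
@@ -342,6 +343,10 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_VNET | CTLFLAG_RW,
 &VNET_NAME(ip6stealth), 0,
 "Forward IPv6 packets without decrementing their TTL");
 #endif
+SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO,
+ log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(ip6_log_cannot_forward), 1,
+ "Log packets that cannot be forwarded");
 /* net.inet6.icmp6 */
 SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept,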
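Review bot: The new `bool` vnet variable is initialised with the integer literal `1` instead of `true` (`VNET_DEFINE(bool, ip6_log_cannot_forward) = true;`), and the same `1` is passed as the `val` argument of SYSCTL_BOOL, which as far as I recall is only consulted when the pointer argument is NULL, so it is dead here; spelling both as a bool keeps the definition consistent with the `bool` declaration the commit adds to ip6_var.h. Because the node is CTLFLAG_VNET | CTLFLAG_RW, the root of a vnet jail can silence these messages for its own stack, which matches the per-vnet intent stated in the commit message. The description string could say that only the log line is suppressed while the ip6s_cantforward and ip6s_badscope counters still increment, e.g. `"Log packets that cannot be forwarded (statistics are always updated)"`, so an operator who turns it off knows the condition stays visible in the IPv6 statistics.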
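diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index a95e58ba09a1..fc00eab4b784 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -114,7 +114,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
 IP6STAT_INC(ip6s_cantforward);
 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
-if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
+if (V_ip6_log_cannot_forward &&
+(V_ip6_log_time + V_ip6_log_interval < time_uptime)) {
 V_ip6_log_time = time_uptime;
 log(LOG_DEBUG,
 "cannot forward "
@@ -221,7 +222,8 @@ again:
 IP6STAT_INC(ip6s_badscope);
 in6_ifstat_inc(nh->nh_ifp, ifs6_in_discard);
-if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
+if (V_ip6_log_cannot_forward &&
+(V_ip6_log_time + V_ip6_log_interval < time_uptime)) {
 V_ip6_log_time = time_uptime;
 log(LOG_DEBUG,
 "cannot forward "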
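diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c
index e690cb64894f..cdccd04abc63 100644
--- a/sys/netinet6/ip6_mroute.c
+++ b/sys/netinet6/ip6_mroute.c
@@ -1099,7 +1099,8 @@ X_ip6_mforward(struct ip6_hdr *ip6, struct ifnet *ifp, struct mbuf *m)
 */
 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
 IP6STAT_INC(ip6s_cantforward);
-if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
+if (V_ip6_log_cannot_forward &&
+(V_ip6_log_time + V_ip6_log_interval < time_uptime)) {
 V_ip6_log_time = time_uptime;
 log(LOG_DEBUG,
 "cannot forward "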
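diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index 32158534ef5b..469b49459e2c 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -339,6 +339,9 @@ VNET_DECLARE(int, nd6_ignore_ipv6_only_ra);
 #define V_nd6_ignore_ipv6_only_ra VNET(nd6_ignore_ipv6_only_ra)
 #endif
+VNET_DECLARE(bool, ip6_log_cannot_forward);
+#define V_ip6_log_cannot_forward VNET(ip6_log_cannot_forward)
+
 extern struct pr_usrreqs rip6_usrreqs;
 struct sockopt;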
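Review bot: The new `VNET_DECLARE(bool, ip6_log_cannot_forward)` is the only place a reader of this header meets the knob, and nothing says which sysctl backs it or what it gates; a one-line comment above it such as `/* net.inet6.ip6.log_cannot_forward: emit the rate-limited "cannot forward" log message */` would save a trip to in6_proto.c and ip6_forward.c. Declaring the variable as `bool` here matches the `VNET_DEFINE(bool, ...)` in in6_proto.c, and placing it after the `#endif` appears to make it unconditional, which is consistent with the definition also sitting outside any `#ifdef` block. This assumes `bool` is already in scope for every includer of ip6_var.h, which the hunk does not show.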