diff options
author | Pawel Biernacki <kaktus@FreeBSD.org> | 2023-03-13 16:36:11 +0000 |
---|---|---|
committer | Pawel Biernacki <kaktus@FreeBSD.org> | 2023-03-13 16:46:21 +0000 |
commit | 3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783 (patch) | |
tree | a89ba3569a19e5b27742506735be22f67dfa8fbf /sys | |
parent | fc76ddee9be0d7f98c9f9a162627950f8102964e (diff) | |
download | src-3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783.tar.gz src-3eaffc626589eb2fc20a3c9c87eb8ab0ee89e783.zip |
netinet6: allow disabling excess log messages
RFC 4443 specifies cases where certain packets, like those originating from
local-scope addresses destined outside of the scope shouldn't be forwarded.
The current practice is to drop them, send ICMPv6 message where appropriate,
and log the message:
cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt
58, rcvif vlan5, outif vlan2
At times the volume of such messages cat get very high. Let's allow local
admins to disable such messages on per vnet basis, keeping the current
default (log).
Reported by: zarychtam@plan-b.pwste.edu.pl
Reviewed by: zlei (previous version), pauamma (docs)
Differential Revision: https://reviews.freebsd.org/D38644
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet6/in6_proto.c | 5 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 6 | ||||
-rw-r--r-- | sys/netinet6/ip6_mroute.c | 3 | ||||
-rw-r--r-- | sys/netinet6/ip6_var.h | 3 |
4 files changed, 14 insertions, 3 deletions
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index ca1257456326..1f2a41dd51de 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -179,6 +179,7 @@ VNET_DEFINE(int, ip6stealth) = 0; #endif VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS * (RFC 4861) */ +VNET_DEFINE(bool, ip6_log_cannot_forward) = 1; /* icmp6 */ /* @@ -342,6 +343,10 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6stealth), 0, "Forward IPv6 packets without decrementing their TTL"); #endif +SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO, + log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(ip6_log_cannot_forward), 1, + "Log packets that cannot be forwarded"); /* net.inet6.icmp6 */ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept, diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index a95e58ba09a1..fc00eab4b784 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -114,7 +114,8 @@ ip6_forward(struct mbuf *m, int srcrt) IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { IP6STAT_INC(ip6s_cantforward); /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " @@ -221,7 +222,8 @@ again: IP6STAT_INC(ip6s_badscope); in6_ifstat_inc(nh->nh_ifp, ifs6_in_discard); - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c index e690cb64894f..cdccd04abc63 100644 --- a/sys/netinet6/ip6_mroute.c +++ b/sys/netinet6/ip6_mroute.c @@ -1099,7 +1099,8 @@ X_ip6_mforward(struct ip6_hdr *ip6, struct ifnet *ifp, struct mbuf *m) */ if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { IP6STAT_INC(ip6s_cantforward); - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index 32158534ef5b..469b49459e2c 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -339,6 +339,9 @@ VNET_DECLARE(int, nd6_ignore_ipv6_only_ra); #define V_nd6_ignore_ipv6_only_ra VNET(nd6_ignore_ipv6_only_ra) #endif +VNET_DECLARE(bool, ip6_log_cannot_forward); +#define V_ip6_log_cannot_forward VNET(ip6_log_cannot_forward) + extern struct pr_usrreqs rip6_usrreqs; struct sockopt; |