Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
[Redirected to -net] On Thu, Feb 14, 2002 at 11:39:37AM -0500, Garrett Wollman wrote: > < said: > > > ping -s 127.1 1.2.3.4 > > telnet -S 127.1 1.2.3.4 > > If someone explicitly overrides source-address selection, they are > presumed to know WTF they are doing, and the kernel should not be > trying to second-guess them. > That "someone" could be a bad guy playing dirty games with your box and certainly knowing what he's doing. :-) So far, noone gave me a real example where using of net 127 outside loopback would be useful. If there such an example exists, we should wrap all three checks into a sysctl, including ip_input(), ip_output(), and in_canforward() parts, where ip_input() exists for almost a year, and in_canforward() existed since 1987. -- Ruslan, who just wants a consistency here. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
< said: > ping -s 127.1 1.2.3.4 > telnet -S 127.1 1.2.3.4 If someone explicitly overrides source-address selection, they are presumed to know WTF they are doing, and the kernel should not be trying to second-guess them. -GAWollman To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
On Wed, Feb 13, 2002 at 03:57:33PM -0800, Terry Lambert wrote: > Ruslan Ermilov wrote: > > On Wed, Feb 13, 2002 at 10:50:13AM -0500, Garrett Wollman wrote: > > > < said: > > > > > > > Please test with and without this patch. > > > > > > I continue to believe that this should be done by fixing the routing, > > > not by adding additional hacks to the already-bloated ip_output() > > > path. > > > > > BSD always had these "hacks" (rfc1122 requirements) in in_canforward(). > > RFC1122 requires the host to not send 127/8 addresses out of loopback, > > whether or not its routes are set up correctly. > > I pretty much agree with Garrett on this one. > > Loopback is a special critter; it has all sorts of > requirements, like not ARP'ing for addresses configured > on it (otherwise FreeBSD is not usable for DSR, which I > think it currently is not), etc.. > Heh? Without my patch: # ifconfig rl0 inet rl0: flags=8843 mtu 1500 inet 192.168.4.115 netmask 0xff00 broadcast 192.168.4.255 inet 127.0.0.2 netmask 0xff00 broadcast 127.255.255.255 # ping 127.0.0.3 # tcpdump -n net 127 tcpdump: listening on rl0 10:29:12.685957 arp who-has 127.0.0.3 tell 127.0.0.2 ^C 2480 packets received by filter 0 packets dropped by kernel > It looks to me that this should be handled some place > other than ip_output(). > Perhaps you don't realize that we can't fix "this" with just routing because we are also not allowed to send out packets originated from loopback network, like: ping -s 127.1 1.2.3.4 telnet -S 127.1 1.2.3.4 Cheers, -- Ruslan Ermilov Sysadmin and DBA, [EMAIL PROTECTED] Sunbay Software AG, [EMAIL PROTECTED] FreeBSD committer, +380.652.512.251Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
On Wed, Feb 13, 2002 at 11:03:47AM +0200, Ruslan Ermilov wrote: > Hi! > > Please test with and without this patch. Hmm. I'm having a little trouble testing this on -CURRENT. As a first step, I just deleted all of the 127/8 blocking code in ip_output.c, and tried to do a rdr to 127.0.0.1. First, make sure the stops on outging 127/8 are really gone, bubbles# ping 127.0.0.2 PING 127.0.0.2 (127.0.0.2): 56 data bytes ^C --- 127.0.0.2 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss bubbles# And I see, bubbles# tcpdump 'net 127.0.0.0/8' tcpdump: listening on ep0 15:46:29.954112 bubbles > 127.0.0.2: icmp: echo request 15:46:30.964695 bubbles > 127.0.0.2: icmp: echo request ^C 46 packets received by filter 0 packets dropped by kernel bubbles# OK, all great. So I fire up ipnat(1), bubbles# cat ipnat.rules # $Id$ # # Testing IPFilter interaction with loopback rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp bubbles# ipnat -C -f ipnat.rules 1 entries flushed from NAT list bubbles# ipnat -l List of active MAP/Redirect filters: rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp List of active sessions: bubbles# ipfstat -io pass out from any to any pass in from any to any bubbles# And I start a listener on 2323, $ nc -l -p 2323 And from another host, $ telnet bubbles 23 Trying 192.168.64.20... telnet: connect to address 192.168.64.20: Operation timed out telnet: Unable to connect to remote host That is, it doesn't work. However, bubbles# ipnat -l List of active MAP/Redirect filters: rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp List of active sessions: RDR 127.0.0.1 2323 <- -> 192.168.64.20 23[192.168.64.60 1099] ipnat(1) is working. Where are the packets going? I couldn't find any being blocked or in the netstat statistics. Now, to see if this works at all, I change the ipnat.rules, bubbles# cat ipnat.rules # $Id$ # # Testing IPFilter interaction with loopback rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp bubbles# ipnat -C -f ipnat.rules 1 entries flushed from NAT list bubbles# Now I try, $ telnet bubbles 23 Trying 192.168.64.20... Connected to bubbles.cjclark.org. Escape character is '^]'. And it works fine, bubbles# ipnat -l List of active MAP/Redirect filters: rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp List of active sessions: RDR 192.168.64.20 2323 <- -> 192.168.64.20 23[192.168.64.60 1100] RDR 127.0.0.1 2323 <- -> 192.168.64.20 23[192.168.64.60 1099] bubbles# So at least in -CURRENT, did this 127.0.0.1 redirect doesn't seem to work even if you remove the code from ip_output.c completely. I'll give -STABLE a try, but these IPFilter people will have the same problem when 5.0-RELEASE comes around if my tests are accurate. -- Crist J. Clark | [EMAIL PROTECTED] | [EMAIL PROTECTED] http://people.freebsd.org/~cjc/| [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Garrett Wollman wrote: > < said: > > RFC1122 requires the host to not send 127/8 addresses out of loopback, > > whether or not its routes are set up correctly. > > As we have already seen, there is not consensus on this particular > issue, or on the general issue of how much of 1122 we should pay > attention to at all. (Are you going to implement multiple default > routes as well?) Actually, that's been a sore point in three commercial projects (so far), so it's probably not a good example. 8-). -- Terry To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Ruslan Ermilov wrote: > On Wed, Feb 13, 2002 at 10:50:13AM -0500, Garrett Wollman wrote: > > < said: > > > > > Please test with and without this patch. > > > > I continue to believe that this should be done by fixing the routing, > > not by adding additional hacks to the already-bloated ip_output() > > path. > > > BSD always had these "hacks" (rfc1122 requirements) in in_canforward(). > RFC1122 requires the host to not send 127/8 addresses out of loopback, > whether or not its routes are set up correctly. I pretty much agree with Garrett on this one. Loopback is a special critter; it has all sorts of requirements, like not ARP'ing for addresses configured on it (otherwise FreeBSD is not usable for DSR, which I think it currently is not), etc.. It looks to me that this should be handled some place other than ip_output(). -- Terry To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
< said: > RFC1122 requires the host to not send 127/8 addresses out of loopback, > whether or not its routes are set up correctly. As we have already seen, there is not consensus on this particular issue, or on the general issue of how much of 1122 we should pay attention to at all. (Are you going to implement multiple default routes as well?) -GAWollman To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
On Wed, Feb 13, 2002 at 10:50:13AM -0500, Garrett Wollman wrote: > < said: > > > Please test with and without this patch. > > I continue to believe that this should be done by fixing the routing, > not by adding additional hacks to the already-bloated ip_output() > path. > BSD always had these "hacks" (rfc1122 requirements) in in_canforward(). RFC1122 requires the host to not send 127/8 addresses out of loopback, whether or not its routes are set up correctly. Cheers, -- Ruslan Ermilov Sysadmin and DBA, [EMAIL PROTECTED] Sunbay Software AG, [EMAIL PROTECTED] FreeBSD committer, +380.652.512.251Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
rdr 127.0.0.1 and blocking 127/8 in ip_output()
< said: > Please test with and without this patch. I continue to believe that this should be done by fixing the routing, not by adding additional hacks to the already-bloated ip_output() path. -GAWollman To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
rdr 127.0.0.1 and blocking 127/8 in ip_output()
Hi! Please test with and without this patch. Cheers, -- Ruslan Ermilov Sysadmin and DBA, [EMAIL PROTECTED] Sunbay Software AG, [EMAIL PROTECTED] FreeBSD committer, +380.652.512.251Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age Index: ip_output.c === RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.99.2.25 diff -u -p -r1.99.2.25 ip_output.c --- ip_output.c 2002/02/01 10:42:09 1.99.2.25 +++ ip_output.c 2002/02/13 08:49:04 @@ -403,16 +403,6 @@ ip_output(m0, opt, ro, flags, imo) goto bad; } - /* 127/8 must not appear on wire - RFC1122. */ - if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || - (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { - if ((ifp->if_flags & IFF_LOOPBACK) == 0) { - ipstat.ips_badaddr++; - error = EADDRNOTAVAIL; - goto bad; - } - } - /* * Look for broadcast address and * verify user is allowed to send @@ -775,6 +765,16 @@ skip_ipsec: } pass: + /* 127/8 must not appear on wire - RFC1122. */ + if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || + (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { + if ((ifp->if_flags & IFF_LOOPBACK) == 0) { + ipstat.ips_badaddr++; + error = EADDRNOTAVAIL; + goto bad; + } + } + m->m_pkthdr.csum_flags |= CSUM_IP; sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_hwassist; if (sw_csum & CSUM_DELAY_DATA) {