Re: Don't send icmp redirect to the same interface a forwarded packet came in on

Christopher Zimmermann Wed, 02 May 2018 03:58:21 -0700

Hi,

I just want to bring this up again. Can some network guru give me an ok
or some feedback please?


Christopher


On 2017-12-01 Christopher Zimmermann <chr...@openbsd.org> wrote:
> Hi,
> 
> by accident I discovered this rather senseless redirect:
> 
> $ doas tcpdump -eptni vlan2 icmp 
> tcpdump: listening on vlan2, link-type EN10MB
> 11:11:11:11:11:11 22:22:22:22:22 0800 98: 192.168.1.2 > 192.168.4.7: icmp: 
> echo request
> 22:22:22:22:22 11:11:11:11:11:11 0800 98: 192.168.4.7 > 192.168.1.2: icmp: 
> echo reply
> 11:11:11:11:11:11 22:22:22:22:22 0800 70: 192.168.4.1 > 192.168.4.7: icmp: 
> redirect 192.168.1.2 to host 192.168.4.1
> ^C
> 110 packets received by filter
> 0 packets dropped by kernel


[...]


> In any case I'd propose the following diff which will check whether the
> redirect target is an address of the interface the forwarded packet came in 
> on.
> 
> 
> Christopher
> 
> 
> Index: ip_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.322
> diff -u -p -r1.322 ip_input.c
> --- ip_input.c        7 Sep 2017 10:54:49 -0000       1.322
> +++ ip_input.c        1 Dec 2017 18:00:53 -0000
> @@ -1514,16 +1514,27 @@ ip_forward(struct mbuf *m, struct ifnet 
>           (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
>           satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
>           ipsendredirects && !srcrt &&
> -         !arpproxy(satosin(rt_key(rt))->sin_addr, m->m_pkthdr.ph_rtableid)) {
> -             if ((ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_netmask) ==
> -                 ifatoia(rt->rt_ifa)->ia_net) {
> -                 if (rt->rt_flags & RTF_GATEWAY)
> +         !arpproxy(satosin(rt_key(rt))->sin_addr, m->m_pkthdr.ph_rtableid) &&
> +         (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_netmask) ==
> +         ifatoia(rt->rt_ifa)->ia_net) {
> +             struct ifaddr *ifa;
> +
> +             if (rt->rt_flags & RTF_GATEWAY)
>                       dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
> -                 else
> +             else
>                       dest = ip->ip_dst.s_addr;
> -                 /* Router requirements says to only send host redirects */
> -                 type = ICMP_REDIRECT;
> -                 code = ICMP_REDIRECT_HOST;
> +
> +             /* don't redirect to the interface the packet came in on. */
> +             TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) {
> +                     if (ifa->ifa_addr->sa_family == AF_INET &&
> +                         satosin(ifa->ifa_addr)->sin_addr.s_addr == dest)
> +                             dest = 0;
> +             }
> +
> +             /* Router requirements says to only send host redirects */
> +             if (dest != 0) {
> +                     type = ICMP_REDIRECT;
> +                     code = ICMP_REDIRECT_HOST;
>               }
>       }
> 
>  



-- 
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
2779 7F73 44FD 0736 B67A  C410 69EC 7922 34B4 2566

Re: Don't send icmp redirect to the same interface a forwarded packet came in on

Reply via email to