Hello,
</snip>
On Wed, Dec 18, 2019 at 12:24:57AM +0100, Alexander Bluhm wrote:
> On Mon, Dec 16, 2019 at 03:42:27PM +0100, Alexandr Nedvedicky wrote:
> > > I think this is a "do as I want" kind of thing. If I use pf(4) to redirect
> > > traffic to a different address then I think our version of strict host
> > > model should step back and accept the connection.
> >
> > And the change also makes IPv4 behavior consistent with IPv6.
> > So if we won't be committing the diff for IPv4, then we should change IPv6
> > to enforce divert-to for IPv6 too.
>
> IPv4 and IPv6 code looks different. In ip6_input_if() the
> IN6_IS_ADDR_LOOPBACK() check accepts packets redirected to ::1. Do
> we really need that? We always have ::1 on lo0 and a valid route.
> And why should a source ::1 enforce local delivery? That looks
> odd.
>
> I would prefer to have the PF_TAG_TRANSLATE_LOCALHOST check in both
> ip_input_if() and ip6_input_if() to explicitly make clear that
> redirect does not follow the strict host model.
>
I see. The updated diff below makes ip6_input_if() explicitly check
for the PF_TAG_TRANSLATE_LOCALHOST tag when ip6_forwarding is disabled.
If ip6_forwarding is enabled, then ip6_input_if() keeps the current
behavior.
thanks and
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 058b2f038fa..f4114f45045 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -753,7 +753,8 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct
rtentry **prt)
}
}
} else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index &&
- !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC))) {
+ !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
+ (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
/* received on wrong interface. */
#if NCARP > 0
struct ifnet *out_if;
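Review bot: the new PF_TAG_TRANSLATE_LOCALHOST clause in the `ipforwarding == 0` branch has no comment, and the only nearby one, `/* received on wrong interface. */`, now describes exactly the condition the pf-translated case is meant to bypass. Since the thread's stated goal is to make explicit that a pf redirect does not follow the strict host model, put a one-line comment on the new clause, e.g. `/* pf translated the destination to a local address; strict host check does not apply */`, so a later reader does not fold it back into the loopback/enc exemption. The tag is only consulted when `ipforwarding == 0` and `rt->rt_ifidx != ifp->if_index`, so the forwarding-enabled path is unchanged, which is worth stating in the commit message.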
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 5404d7ccfb4..919f8ae8f03 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -335,8 +335,11 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af,
struct ifnet *ifp)
goto bad;
}
- if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
- IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
+ if (((ip6_forwarding != 0) && ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
+ IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)))) ||
+ ((ip6_forwarding == 0) &&
+ ((m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST) &&
+ IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)))) {
nxt = ip6_ours(mp, offp, nxt, af);
goto out;
}
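Review bot: the condition is hard to read because both `ip6_forwarding` branches are fully parenthesised and repeat `IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)`; the same logic reads more clearly as a destination test `IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst) && (ip6_forwarding || (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))` plus the source test `ip6_forwarding && IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)`, or as two separate `if` statements each with its own comment. Note also the behaviour change for `ip6_forwarding == 0` that this hunk introduces silently: a packet with source ::1, and a packet to ::1 that carries no pf tag, no longer take the `ip6_ours()` shortcut and fall through to the normal route lookup. That matches bluhm's remark that ::1 on lo0 always has a valid route, but it deserves a comment in the code and a sentence in the commit message, and it differs from the IPv4 hunk, where the tag only widens an existing exemption rather than narrowing the existing check.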