Hello,

</snip>
On Fri, Dec 20, 2019 at 11:12:15PM +0100, Alexander Bluhm wrote:
> On Wed, Dec 18, 2019 at 09:07:35AM +0100, Alexandr Nedvedicky wrote:
> >     I see. Updated diff below makes ip6_input_if() to explicitly check
> >     for PF_TAG_TRANSLATE_LOCALHOST tag, when ip6_forwarding is disabled.
> >
> >     if ip6_forwarding is enabled, then the ip6_input_if() keeps current
> >     behavior.
> 
> You have misunderstood my intention.
> 

    Yes, I obviously did. Updated diff is below.

</snip>

> 
> And the second question, but not for this commit, is why do we
> need this block?
> 
>         if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
>             IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
>                 nxt = ip6_ours(mp, offp, nxt, af);
>                 goto out;
>         }
> 
> It was removed in kame here:
> 
</snip>

    It did not come to my mind to check kame project, when seeing
    code above. It looks like it has evolved to current shape
    from original code below (as committed by itojun@)

+       /*
+        * Check with the firewall...
+        */
+       if (ip6_fw_chk_ptr) {
+               u_short port = 0;
+               /* If ipfw says divert, we have to just drop packet */
+               /* use port as a dummy argument */
+               if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
+                       m_freem(m);
+                       m = NULL;
+               }
+               if (!m)
+                       return;
+       }
+#endif
+
+       /*
+        * Scope check
+        */
+       if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
+           IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
+               ip6stat.ip6s_badscope++;
+               in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
+               goto bad;
+       }
+       if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
+           IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
+               if (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) {
+                       ours = 1;
+                       deliverifp = m->m_pkthdr.rcvif;
+                       goto hbhcheck;
+               } else {
+                       ip6stat.ip6s_badscope++;
+                       in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
+                       goto bad;
+               }
+       }

    It seems to me we should just remove them. You have my OK if you want
    to do it. Perhaps the intention of the earlier change to ip6_input_if()
    was to move the IN6_IS_ADDR_LOOPBACK() checks before ip6_input_if() calls
    pf_test(), instead of doing a copy'n'modified-paste.

thanks and
regards
sashan

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 058b2f038fa..f4114f45045 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -753,7 +753,8 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct 
rtentry **prt)
                        }
                }
        } else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index &&
-           !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC))) {
+           !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
+               (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
                /* received on wrong interface. */
 #if NCARP > 0
                struct ifnet *out_if;
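Review bot: The comment `/* received on wrong interface. */` no longer covers the whole condition, because the check above it now also exempts packets carrying `PF_TAG_TRANSLATE_LOCALHOST` and nothing in the hunk says why that exemption is safe. This test is what stops a host with ipforwarding off from accepting traffic for an address that belongs to a different interface, so each exemption should carry its reason. I would add above the condition something like `/* pf marked the packet as translated to localhost, so the arrival interface legitimately differs from the route's */`, with the wording confirmed against the place where pf sets the flag. in_ouraddr() begins and ends outside the hunk.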
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 5404d7ccfb4..62e92d9c46c 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -435,7 +435,8 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, 
struct ifnet *ifp)
 
                if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index &&
                    !((ifp->if_flags & IFF_LOOPBACK) ||
-                       (ifp->if_type == IFT_ENC))) {
+                   (ifp->if_type == IFT_ENC)) ||
+                   (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST)) {
                        /* received on wrong interface */
 #if NCARP > 0
                        struct ifnet *out_if;
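Review bot: The added `PF_TAG_TRANSLATE_LOCALHOST` test ends up outside the negation, because the second parenthesis in `(ifp->if_type == IFT_ENC)) ||` closes the `!(...)` group before the new `||`. As written the condition reads `(ip6_forwarding == 0 && ... && !(loopback || enc)) || tagged`, so every packet pf tagged as translated to localhost takes the wrong-interface branch, even with ip6_forwarding enabled. That is the opposite of the exemption the ip_input.c hunk adds. To match the IPv4 side, keep the tag inside the group: `(ifp->if_type == IFT_ENC) ||` followed by `(m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {`. The body of the branch continues outside the hunk, so what it does with those packets is not visible here.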

