On Tue, Oct 20, 2020 at 10:14:13AM +1000, David Gwynne wrote: > such a diff looks like this. it adds a "global" flag that you can set on > interfaces.
Making addresses on loopback interfaces globally accessible is against the idea of the strong host model. Current behavior is a consequence when we switched the model. Setting it per interface is pretty complex. I cannot see the consequences of your diff, but with my experiance with IPsec, pf divert, rdr-to, carp, trunk I assume it will break come setups. This area is rather complicated. Do you realy need a "ifconfig lo0 global" feature? The idea of setting waek host model it with ip forward was, that it will fit most users by default. If you think a separate switch has an advantage, we could go that way. Other BSD do that according to https://en.wikipedia.org/wiki/Host_model . But I prefer the idea of setting the host model with forward. Usually you want it weak on a router and string on a host. That means less knobs and less confusion. Why can't you set ip forward to 1 ? Could pf divert-to be a solution to your setup? bluhm
> Index: sbin/ifconfig/ifconfig.c
> ===================================================================
> RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
> retrieving revision 1.429
> diff -u -p -r1.429 ifconfig.c
> --- sbin/ifconfig/ifconfig.c 7 Oct 2020 14:38:54 -0000 1.429
> +++ sbin/ifconfig/ifconfig.c 20 Oct 2020 00:12:06 -0000
> @@ -468,6 +468,8 @@ const struct cmd {
> { "-autoconfprivacy", IFXF_INET6_NOPRIVACY, 0, setifxflags },
> { "soii", -IFXF_INET6_NOSOII, 0, setifxflags },
> { "-soii", IFXF_INET6_NOSOII, 0, setifxflags },
> + { "global", IFXF_GLOBAL, 0, setifxflags },
> + { "-global", -IFXF_GLOBAL, 0, setifxflags },
> #ifndef SMALL
> { "hwfeatures", NEXTARG0, 0, printifhwfeatures },
> { "metric", NEXTARG, 0, setifmetric },
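Review bot: The new `global`/`-global` keywords come with no ifconfig.8 hunk, and the quoted diff also contains no sys/net/if.h hunk defining IFXF_GLOBAL, so either the quote was trimmed or the patch is incomplete as posted. The man page entry should state the security effect in one line, e.g. `global  Accept packets for this interface's addresses regardless of the interface they arrived on, even with forwarding disabled (weak host model for this interface).` Nothing in the cmd table tells a reader that the flag is consulted on the interface owning the address rather than on the receiving one, which is the property an operator has to understand before setting it.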
> @@ -675,7 +677,7 @@ const struct cmd {
> "\7RUNNING\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX" \
> "\15LINK0\16LINK1\17LINK2\20MULTICAST" \
> "\23INET6_NOPRIVACY\24MPLS\25WOL\26AUTOCONF6\27INET6_NOSOII" \
> - "\30AUTOCONF4"
> + "\30AUTOCONF4" "\031GLOBAL"
>
> int getinfo(struct ifreq *, int);
> void getsock(int);
> Index: sys/netinet/ip_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.351
> diff -u -p -r1.351 ip_input.c
> --- sys/netinet/ip_input.c 22 Aug 2020 17:55:30 -0000 1.351
> +++ sys/netinet/ip_input.c 20 Oct 2020 00:12:06 -0000
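Review bot: The escape in `"\30AUTOCONF4" "\031GLOBAL"` uses three octal digits while every neighbouring bit name in this %b map uses two; `"\31GLOBAL"` is the same value and matches the table, and folding it into the existing literal as `"\30AUTOCONF4\31GLOBAL"` avoids the string concatenation no other line uses. Bit 25 here has to agree with whatever sys/net/if.h assigns to IFXF_GLOBAL, and that definition is not in the quoted diff, so the number should be checked against the real patch rather than assumed from the neighbouring AUTOCONF4 entry.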
> @@ -753,29 +753,42 @@ in_ouraddr(struct mbuf *m, struct ifnet
> break;
> }
> }
> - } else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index &&
> - !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
> - (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
> - /* received on wrong interface. */
> -#if NCARP > 0
> - struct ifnet *out_if;
> + } else if (ipforwarding == 0 && !ip_laddr(ifp, m, rt)) {
> + ipstat_inc(ips_wrongif);
> + match = 2;
> + }
> +
> + return (match);
> + }
>
> +int
> +ip_laddr(struct ifnet *ifp, struct mbuf *m, struct rtentry *rt)
> +{
> + struct ifnet *rtifp;
> + int match = 0;
> +
> + if (rt->rt_ifidx == ifp->if_index ||
> + ifp->if_type == IFT_ENC ||
> + ISSET(ifp->if_flags, IFF_LOOPBACK) ||
> + ISSET(m->m_pkthdr.pf.flags, PF_TAG_TRANSLATE_LOCALHOST))
> + return (1);
> +
> + /* received on a different interface. */
> + rtifp = if_get(rt->rt_ifidx);
> + if (rtifp != NULL) {
> + if (ISSET(rtifp->if_xflags, IFXF_GLOBAL))
> + match = 1;
> +#if NCARP > 0
> /*
> * Virtual IPs on carp interfaces need to be checked also
> * against the parent interface and other carp interfaces
> * sharing the same parent.
> */
> - out_if = if_get(rt->rt_ifidx);
> - if (!(out_if && carp_strict_addr_chk(out_if, ifp))) {
> - ipstat_inc(ips_wrongif);
> - match = 2;
> - }
> - if_put(out_if);
> -#else
> - ipstat_inc(ips_wrongif);
> - match = 2;
> + else if (carp_strict_addr_chk(rtifp, ifp))
> + match = 1;
> #endif
> }
> + if_put(rtifp);
>
> return (match);
> }
> Index: sys/netinet/ip_var.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_var.h,v
> retrieving revision 1.86
> diff -u -p -r1.86 ip_var.h
> --- sys/netinet/ip_var.h 8 Dec 2019 11:08:22 -0000 1.86
> +++ sys/netinet/ip_var.h 20 Oct 2020 00:12:06 -0000
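Review bot: The IFXF_GLOBAL test in ip_laddr() is made on rtifp, the interface that owns the destination address, not on ifp, the interface the packet arrived on, so a single flag on e.g. lo0 makes every address on it deliverable from any ingress interface while ipforwarding is 0 — the per-interface weakening of the strong host model this thread is arguing about — and nothing in the hunk says which of the two interfaces the flag is read from. ip_laddr() is a new non-static function with no header comment; I would add above it: `/* Return 1 if a packet received on ifp may be delivered to the local address rt resolves to: same interface, loopback, enc, pf localhost translation, a carp sibling of the owner, or an owner marked IFXF_GLOBAL. */`. Under `#if NCARP > 0` the `else if` is separated from its `if` by the carp comment block; it compiles, but moving the comment into the `else if` branch or bracing the first `if` makes the pairing visible and keeps a later insertion between them from silently changing the logic. Note that once the owner carries IFXF_GLOBAL the carp_strict_addr_chk() is never consulted for its addresses, which looks intended but deserves a word in that comment.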
> @@ -244,6 +244,7 @@ void ip_savecontrol(struct inpcb *, str
> void ipintr(void);
> int ip_input_if(struct mbuf **, int *, int, int, struct ifnet *);
> int ip_deliver(struct mbuf **, int *, int, int);
> +int ip_laddr(struct ifnet *, struct mbuf *, struct rtentry *);
> void ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
> int rip_ctloutput(int, struct socket *, int, int, struct mbuf *);
> void rip_init(void);
> Index: sys/netinet6/ip6_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
> retrieving revision 1.229
> diff -u -p -r1.229 ip6_input.c
> --- sys/netinet6/ip6_input.c 24 Aug 2020 16:40:07 -0000 1.229
> +++ sys/netinet6/ip6_input.c 20 Oct 2020 00:12:06 -0000
> @@ -425,30 +425,9 @@ ip6_input_if(struct mbuf **mp, int *offp
> if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL)) {
> struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa);
>
> - if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index &&
> - !((ifp->if_flags & IFF_LOOPBACK) ||
> - (ifp->if_type == IFT_ENC) ||
> - (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
> - /* received on wrong interface */
> -#if NCARP > 0
> - struct ifnet *out_if;
> -
> - /*
> - * Virtual IPs on carp interfaces need to be checked
> - * also against the parent interface and other carp
> - * interfaces sharing the same parent.
> - */
> - out_if = if_get(rt->rt_ifidx);
> - if (!(out_if && carp_strict_addr_chk(out_if, ifp))) {
> - ip6stat_inc(ip6s_wrongif);
> - if_put(out_if);
> - goto bad;
> - }
> - if_put(out_if);
> -#else
> + if (ip6_forwarding == 0 && !ip_laddr(ifp, m, rt)) {
> ip6stat_inc(ip6s_wrongif);
> goto bad;
> -#endif
> }
> /*
> * packets to a tentative, duplicated, or somehow invalid
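Review bot: Calling the IPv4-side ip_laddr() from ip6_input_if() means one `global` flag now relaxes the strong host model for an interface's IPv6 and IPv4 addresses at once, while the gate in front of it stays per family (`ip6_forwarding` here, `ipforwarding` in ip_input.c); that asymmetry is probably intended but should be stated where the check is made, e.g. a comment above the new `if`: `/* strong host model: deliver only to addresses on the receiving interface unless the owner is marked IFXF_GLOBAL; shared with IPv4 via ip_laddr() */`. The hunk adds no #include, so it relies on ip6_input.c already pulling in netinet/ip_var.h for the prototype — presumably true, but a helper now used by both families would read better under a family-neutral name or in net/if.c than as an `ip_` function declared in ip_var.h. ip6_input_if() begins and ends outside this hunk, and the ip_var.h hunk above only adds the prototype.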