Hi,

I wonder why UDP echo does not work with inetd on 127.0.0.1.

Note that it is default off.  One of my regress machines has it
enabled for other tests.  There, perl dist/Net-Ping/t/510_ping_udp.t
expects that UDP echo works on 127.0.0.1.

It was disabled with this commit:
----------------------------
revision 1.65
date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
be more paranoid about UDP-based echo services validation.  namely,
reject the following sources:
        0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
        ff00::/8 ::/128
        ::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
        reserved port, or NFS port.
hint from deraadt.
----------------------------

Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
is broken.

I cannot see the security reason for disabling 127/8.
Loops are prevented by blocking privileged ports.
Echo to a local interface address through loopback is still allowed.
The kernel checks that 127/8 does not come from extern.
127.0.0.1 should be handled like ::1.

The feature was introduced together with IPv6 mapped addresses.
See cvs diff -r1.64 -r1.65 inetd.c
There it made sense to be paranoid about the IPv4 compatibility part
of the IPv6 address.  But this feature was removed decades ago.
So it could be a leftover.

Should we also disable ::1 IPv6?
Or allow 127.0.0.1 only?
Or remove the case 127 completely?

bluhm

Index: usr.sbin/inetd/inetd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
retrieving revision 1.164
diff -u -p -r1.164 inetd.c
--- usr.sbin/inetd/inetd.c      19 Apr 2023 12:58:16 -0000      1.164
+++ usr.sbin/inetd/inetd.c      20 Jul 2023 19:52:39 -0000
@@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
                if (IN_MULTICAST(in.s_addr))
                        goto bad;
                switch ((in.s_addr & 0xff000000) >> 24) {
-               case 0: case 127: case 255:
+               case 0: case 255:
                        goto bad;
                }
                if (dg_broadcast(&in))
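Review bot: dropping `case 127:` from the IPv4 switch in dg_badinput makes 127/8 sources acceptable for UDP echo, and the hunk touches only the IPv4 branch; since the message states that ::1 is already accepted on the IPv6 side, the change as shown brings the two families in line rather than adding a new exception. The checks still visible in the hunk are IN_MULTICAST, `case 0: case 255:` and dg_broadcast, and the message relies on the reserved-port check to prevent echo loops; a one-line comment above the switch saying that loopback sources are deliberately allowed, and why, would stop the next reader from re-adding the case as a "fix". The commit message should also settle the question the mail leaves open (allow all of 127/8 versus only 127.0.0.1), since the diff as written allows the whole /8.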

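To make the effect of the diff concrete, here is an added example (not inetd's own code) of a UDP echo source filter that applies the rules quoted from the 2000 commit, with the 127/8 rule behind a flag so the before and after behaviour can be compared; the NFS_PORT and RESERVED_PORT_LIMIT constants are assumptions, and inetd's interface-broadcast check (dg_broadcast) is not reproduced.

```c
/* Source validation for a UDP echo-style service, modelled on the
 * rules listed in the quoted inetd commit log: reject 0/8, 240/4
 * (which covers 255/8), multicast sources, reserved source ports and
 * the NFS port.  The 127/8 rule is switchable so the old and the
 * proposed behaviour can be exercised side by side.
 * Example code, not the project's own; port limits are assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>

#define NFS_PORT            2049   /* assumed constant */
#define RESERVED_PORT_LIMIT 1024   /* ports below this are "reserved" */

/* Returns true when a datagram from (addr, port) must be dropped. */
bool udp_echo_badinput(const char *addr, uint16_t port, bool reject_loopback)
{
    struct in_addr in;
    uint32_t a;

    if (inet_pton(AF_INET, addr, &in) != 1)
        return true;                    /* unparsable: drop */
    a = ntohl(in.s_addr);               /* IN_MULTICAST wants host order */

    if (IN_MULTICAST(a))                /* 224/4 */
        return true;
    if ((a >> 28) == 0xf)               /* 240/4 reserved, includes 255/8 */
        return true;
    switch (a >> 24) {
    case 0:
        return true;
    case 127:
        if (reject_loopback)            /* pre-patch inetd behaviour */
            return true;
        break;
    }
    /* A reserved source port would make the reply land on another
     * service; the message relies on this check to prevent loops. */
    if (port < RESERVED_PORT_LIMIT || port == NFS_PORT)
        return true;
    return false;
}
```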