On Fri, Jul 21, 2023 at 03:05:41PM +0200, Claudio Jeker wrote:
> On Fri, Jul 21, 2023 at 03:17:35PM +0300, Vitaliy Makkoveev wrote:
> > On Thu, Jul 20, 2023 at 09:57:00PM +0200, Alexander Bluhm wrote:
> > > Hi,
> > > 
> > > I wonder why UDP echo does not work with inetd on 127.0.0.1.
> > > 
> > > Note that it is default off.  One of my regress machines has it
> > > enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
> > > expects that UDP echo works on 127.0.0.1.
> > > 
> > > It was disabled with this commit:
> > > ----------------------------
> > > revision 1.65
> > > date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
> > > be more paranoid about UDP-based echo services validation.  namely,
> > > reject the following sources:
> > > 	0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
> > > 	ff00::/8 ::/128
> > > 	::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
> > > 	reserved port, or NFS port.
> > > hint from deraadt.
> > > ----------------------------
> > > 
> > > Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
> > > is broken.
> > > 
> > > I cannot see the security reason for disabling 127/8.
> > > Loops are prevented by blocking privileged ports.
> > > Echo to a local interface address through loopback is still allowed.
> > > The kernel checks that 127/8 does not come from extern.
> > > 127.0.0.1 should be handled like ::1 .
> > > 
> > > The feature was introduced together with IPv6 mapped addresses.
> > > See cvs diff -r1.64 -r1.65 inetd.c
> > > There it made sense to be paranoid about the IPv4 compatibility part
> > > of the IPv6 address.  But this feature was removed decades ago.
> > > So it could be a leftover.
> > > 
> > > Should we also disable ::1 IPv6?
> > > Or allow 127.0.0.1 only?
> > > Or remove the case 127 completely?
> > > 
> > 
> > It's better to have similar behaviour for both ipv4 and ipv6 cases. I
> > see no reason to disable localhost.
> 
> Now hold your horses.  This was done because of RPC / NFS and especially
> portmap.  Neither of these protocols works over IPv6 so there is no reason
> to block ::1.
But for these special ports we have this check in inetd.

	if (port < IPPORT_RESERVED || port == NFS_PORT)
		goto bad;

To my surprise blocking 127/8 in kernel ip_input() on non-loopback
interfaces was added after it was blocked in inetd.

----------------------------
revision 1.62
date: 2001/03/03 01:00:19;  author: itojun;  state: Exp;  lines: +11 -1;
drop packets with 127.0.0.0/8 in header field, if the packet is from
outside.  under RFC1122 sender rule 127.0.0.8 must not appear on the
wire.  count incidents by ipstat.ips_badaddr.
sync with kame
----------------------------

Checking it in userland again looks unnecessary.  Especially as userland
does not know the interface and blocks unconditionally.

bluhm

> > > Index: usr.sbin/inetd/inetd.c > > > =================================================================== > > > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v > > > retrieving revision 1.164 > > > diff -u -p -r1.164 inetd.c > > > --- usr.sbin/inetd/inetd.c 19 Apr 2023 12:58:16 -0000 1.164 > > > +++ usr.sbin/inetd/inetd.c 20 Jul 2023 19:52:39 -0000 > > > @@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa) > > > if (IN_MULTICAST(in.s_addr)) > > > goto bad; > > > switch ((in.s_addr & 0xff000000) >> 24) { > > > - case 0: case 127: case 255: > > > + case 0: case 255: > > > goto bad; > > > } > > > if (dg_broadcast(&in)) > > > > > > > -- > :wq Claudio
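Review bot: Dropping `case 127:` from the top-octet switch in dg_badinput() leaves the kernel's ip_input() rejection of 127/8 on non-loopback interfaces (the rev 1.62 change quoted above) as the only thing keeping a spoofed 127.x source off the wire, and the `port < IPPORT_RESERVED || port == NFS_PORT` check as the only loop protection for genuine loopback sources; the commit message should state that reliance explicitly. Since the rev 1.65 log says ::ffff:0.0.0.0/96 and ::0.0.0.0/96 follow the IPv4 rule, also confirm that the IPv6 path of the same function (outside this hunk) now accepts ::ffff:127.0.0.1 consistently with ::1, so both families end up with the behaviour the thread asks for.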
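The source-validation policy discussed in this thread, as an added example that is not inetd's own code: a dg_badinput()-style check over a struct sockaddr that applies the rules from the rev 1.65 log (0/8, 240/4, 255/8, IPv4 multicast, ff00::/8, ::/128, reserved ports, the NFS port, and IPv4-mapped or IPv4-compatible IPv6 addresses judged by the IPv4 rule), with a flag selecting whether 127/8 is rejected (the historical behaviour) or accepted like ::1 (the change proposed above). The dg_broadcast() test is omitted because it needs the interface list; NFS_PORT is defined locally as 2049 so the file builds outside the BSDs (an assumption), and the function and helper names are my own, not inetd's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* On the BSDs NFS_PORT comes from <nfs/nfsproto.h>; defined here so the
 * example builds elsewhere (assumption: the standard NFS port, 2049). */
#ifndef NFS_PORT
#define NFS_PORT 2049
#endif
#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* IPv4 rule from the rev 1.65 log, applied to a host-order address `a`.
 * allow_loopback=false is the historical inetd behaviour (127/8 rejected);
 * allow_loopback=true treats 127/8 like ::1, as proposed in the thread. */
static bool
bad_v4(uint32_t a, uint16_t port, bool allow_loopback)
{
	if (port < IPPORT_RESERVED || port == NFS_PORT)
		return true;			/* loop / portmap protection */
	switch (a >> 24) {
	case 0:					/* 0.0.0.0/8 */
	case 255:				/* 255.0.0.0/8 */
		return true;
	case 127:				/* 127.0.0.0/8 */
		return !allow_loopback;
	}
	if ((a & 0xf0000000) == 0xe0000000)	/* 224.0.0.0/4 multicast */
		return true;
	if ((a & 0xf0000000) == 0xf0000000)	/* 240.0.0.0/4 reserved */
		return true;
	return false;
}

/* Hypothetical name; mirrors the role of inetd's dg_badinput().
 * Returns true when a datagram from `sa` must not be answered. */
bool
dg_badinput_ex(const struct sockaddr *sa, bool allow_loopback)
{
	uint32_t a;
	uint16_t port;

	switch (sa->sa_family) {
	case AF_INET: {
		const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
		a = ntohl(sin->sin_addr.s_addr);
		port = ntohs(sin->sin_port);
		return bad_v4(a, port, allow_loopback);
	}
	case AF_INET6: {
		const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
		const struct in6_addr *in6 = &sin6->sin6_addr;
		port = ntohs(sin6->sin6_port);
		if (IN6_IS_ADDR_MULTICAST(in6) || IN6_IS_ADDR_UNSPECIFIED(in6))
			return true;		/* ff00::/8 and ::/128 */
		/* ::ffff:0.0.0.0/96 and ::0.0.0.0/96 obey the IPv4 rule:
		 * the embedded IPv4 address sits in the last four bytes. */
		if (IN6_IS_ADDR_V4MAPPED(in6) || IN6_IS_ADDR_V4COMPAT(in6)) {
			memcpy(&a, &in6->s6_addr[12], sizeof a);
			return bad_v4(ntohl(a), port, allow_loopback);
		}
		if (port < IPPORT_RESERVED || port == NFS_PORT)
			return true;
		return false;			/* ::1 and ordinary unicast pass */
	}
	default:
		return true;			/* unknown family: refuse */
	}
}

/* Build a sockaddr from presentation text; false if `txt` does not parse. */
bool
make_sa(const char *txt, uint16_t port, struct sockaddr_storage *ss)
{
	struct sockaddr_in *sin = (struct sockaddr_in *)ss;
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;

	memset(ss, 0, sizeof *ss);
	if (inet_pton(AF_INET, txt, &sin->sin_addr) == 1) {
		sin->sin_family = AF_INET;
		sin->sin_port = htons(port);
		return true;
	}
	if (inet_pton(AF_INET6, txt, &sin6->sin6_addr) == 1) {
		sin6->sin6_family = AF_INET6;
		sin6->sin6_port = htons(port);
		return true;
	}
	return false;
}

/* Classify a textual source address and port under the chosen policy. */
bool
source_is_bad(const char *txt, uint16_t port, bool allow_loopback)
{
	struct sockaddr_storage ss;

	if (!make_sa(txt, port, &ss))
		return true;
	return dg_badinput_ex((struct sockaddr *)&ss, allow_loopback);
}

int
main(void)
{
	/* Constructed sample sources showing the two policies side by side. */
	const char *srcs[] = { "127.0.0.1", "::1", "::ffff:127.0.0.1", "10.0.0.5" };
	size_t i;

	for (i = 0; i < sizeof srcs / sizeof srcs[0]; i++)
		printf("%-18s port 40000: historical=%s proposed=%s\n", srcs[i],
		    source_is_bad(srcs[i], 40000, false) ? "bad" : "ok",
		    source_is_bad(srcs[i], 40000, true) ? "bad" : "ok");
	return 0;
}
```

The two lines to compare are 127.0.0.1 and ::ffff:127.0.0.1: under the historical rule both are rejected while ::1 is accepted, and flipping allow_loopback makes all three agree, which is the asymmetry the thread is about. The port check runs before any address test in both families, so a loopback source on port 7 or 2049 is still refused either way.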