Hello!

>       if (LOOPBACK(key.src) && !(dev_out->flags&IFF_LOOPBACK)) {
>               printk(KERN_DEBUG ... );
>               return -EINVAL;
>       }
> 
> i.e. if the source address starts with 127 and the destination
> interface does not have the loopback flag we ignore the route
> that got us here and dump the packet.

Exactly. Packets with loopback addresses must not leave the host.

>   But who is to say that the interface *is* to a remote host or
> network? Many people running diald with their provider giving
> dynamic addresses have used things like 127.0.0.2:127.0.0.3 for
> diald's proxy.

They will have to stop doing this. 127.* addresses are reserved not for fun.

>   This is another of those undocumented changes. It's a "2.2 breaks
> my setup" situation which requires you to read the kernel source
> to find out what is happening. Not funny...

You missed one thing: printk 8)8)

>   And I thought we'd managed to reclaim some of the wasted address
> space under 127 :-(.

No options, LOTS of valid addresses are reserved for private usage:
10/8 etc. It is more than enough. 127.* has strict host scope.

Addresses 127.* except for 127.0.0.1 are reserved as addresses
which in no circumstances may be used as real addresses.
F.e. ntpd used them (at least, in older versions) to identify
external clock sources.

>   Is there some good reason why this bloat is there? I mean, if you
> don't want 127 addresses going out of an interface why not just
> not route them there? Isn't the fact that a route exists an indication
> it was wanted???

Yes. If a packet has source 127.*, some apps assume that it is guaranteed
to be originated by THIS host. F.e. it is critical for canonical RPC4.0
secure RPC. Certainly, it is a hole in sunos-4, but it is still not a good
reason to allow an unprivileged Linux user to break into sunos-4.

Alexey
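The check quoted at the top of the thread, as an added stand-alone example that is not the kernel's code and not part of this message: a host-order reimplementation of the "source is in 127/8 and the output device is not a loopback device, so drop with -EINVAL" decision. The `EX_IFF_LOOPBACK` bit, the `is_loopback_addr()` helper and `check_loopback_source()` are assumptions made for this example; the real kernel uses its own `LOOPBACK()` macro and `IFF_LOOPBACK` flag on the device structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>
#include <arpa/inet.h>

/* Flag bit meaning "this output device is a loopback device".
 * Value chosen for this example; it is NOT the kernel's IFF_LOOPBACK. */
#define EX_IFF_LOOPBACK 0x8u

/* True when a host-order IPv4 address lies in 127.0.0.0/8.
 * Mirrors the intent of the kernel's LOOPBACK() macro (example code). */
static int is_loopback_addr(uint32_t addr_host)
{
    return (addr_host & 0xff000000u) == 0x7f000000u;
}

/* Decide whether a packet with source address `saddr` (dotted quad) may
 * leave via a device carrying `dev_flags`.  Returns 0 when the packet may
 * be sent and -EINVAL when it must be dropped, which is exactly the
 * condition from the thread: 127/8 source on a non-loopback device.
 * An address that cannot be parsed is also refused. */
int check_loopback_source(const char *saddr, unsigned dev_flags)
{
    struct in_addr in;

    if (inet_pton(AF_INET, saddr, &in) != 1)
        return -EINVAL;

    uint32_t host = ntohl(in.s_addr);

    if (is_loopback_addr(host) && !(dev_flags & EX_IFF_LOOPBACK)) {
        /* The kernel does a printk(KERN_DEBUG ...) here; we log to stderr. */
        fprintf(stderr, "dropping packet: source %s is in 127/8 but output "
                        "device is not loopback\n", saddr);
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample cases, including the diald-style 127.0.0.2 proxy
     * address from the thread, which this check rejects on a real link. */
    const char *src[] = { "127.0.0.1", "127.0.0.2", "10.0.0.5", "128.0.0.1" };
    unsigned flags[]  = { EX_IFF_LOOPBACK, 0, 0, 0 };

    for (int i = 0; i < 4; i++)
        printf("%-12s flags=0x%x -> %s\n", src[i], flags[i],
               check_loopback_source(src[i], flags[i]) == 0 ? "send" : "drop");
    return 0;
}
```

The two test cases that matter are 127.0.0.2 with no loopback flag (dropped, the diald proxy setup from the thread) and 127.0.0.1 on a loopback device (allowed); 128.0.0.1 shows that the mask really is /8 and not a prefix match on the first byte's high bits.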