Re: netmask for loopback interfaces
"Rodney W. Grimes" wrote: > > Note, the default FreeBSD firewall rules already have: > > > > ${fwcmd} add 100 pass all from any to any via lo0 > > ${fwcmd} add 200 deny all from any to 127.0.0.0/8 > > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any > > Which no longer work correctly since the "to 127.0.0.0/8" > packets SHALL go out what ever interface the route table > tells them to (often the default route), AND NOT lo0. > > oot {1003}# route -n get 127.1.1.1 >route to: 127.1.1.1 > destination: 0.0.0.0 >mask: 0.0.0.0 > gateway: 192.168.32.8 > fib: 0 > interface: em0 Hi! I'm not sure what you mean. The current default rules will stop anything to 127.0.0.0/8 going anywhere other than via lo0 - which preserves "current expected behaviour" - I was pointing out that in reply to Oleksandr's comment: | /8 mask on loopback prevetnts using of 127.x.x.x network anywhere | outside of the localhost. This described in RFC 5735 [1] and 1122 [2] His argument was that putting an /8 on the localhost address would neatly stop 127/8 traffic going to the LAN - I was pointing out there are other ways to do this, i.e. routing, and the firewall. Of course, if FreeBSD relaxes to allow the use of 128/8 outside 128/16, then these rules will need to be changed..
Re: netmask for loopback interfaces
Rod wrote:
> > Jamie wrote:
> > > Oleksandr Kryvulia wrote:
> > > > 04.11.21 01:01, Mike Karels wrote:
> > > > > I have a pending change to stop using class A/B/C netmasks when setting
> > > > > an interface address without an explicit mask, and instead to use a default
> > > > > mask (24 bits). A question has arisen as to what the default mask should
> > > > > be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> > > > > mask currently, but additions without a mask would default to 24 bits.
> > > > > There is no warning for missing masks for loopback in the current code.
> > > > > I'm not convinced that the mask has any meaning here; only a host route
> > > > > to the assigned address is created. Does anyone know of any meaning or
> > > > > use of the mask on a loopback address?
> > > > >
> > > > > Thanks,
> > > > > Mike
> > > >
> > > > /8 mask on loopback prevents using of 127.x.x.x network anywhere
> > > > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> > > >
> > > > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > > > [2] https://datatracker.ietf.org/doc/html/rfc1122
> >
> > It's true that 127/8 is currently reserved, but that isn't enforced
> > by FreeBSD using the mask on the interface. Such packets are prevented
> > from forwarding by in_canforward(), which in turn uses IN_LOOPBACK().
> > The latter uses a compiled-in 8-bit mask.
>
> I have a review up that "relaxes" the restrictions on this (127/8)
> and other ranges.
> https://reviews.freebsd.org/D19316
>
> > > There is a push by some people to release 127.0.0.0/8 address space,
> > > leaving only 127.0.0.0/16 as reserved for localhost.
> > > https://www.spinics.net/lists/netdev/msg598545.html
> > > https://github.com/schoen/unicast-extensions/blob/master/127.md
> > > https://github.com/schoen/unicast-extensions/
> > > I make no comment on the feasibility of doing this!
> > > However, that aside, aren't you just confusing the mask with routing?
> >
> > The two masks (interface and route) are separate, but the routing mask
> > is set from the interface mask for most interfaces (broadcast or NBMA,
> > but not loopback or point-to-point). The interface mask is visible to
> > user level, including routing daemons. But I think it would be wrong
> > for a routing daemon to infer anything from the mask on a loopback
> > route. But the reason for my question was to find out if there is
>   ^ I think you meant interface here?

Yes, thanks. (Although it may be true of loopback routes too.)

> > anything that uses the interface mask in this case, and thus whether
> > a change in the default matters.
>
> I actually do believe routing daemons pay very close attention to
> the netmask on interfaces. It is how CIDR routes to interfaces
> are created and maintained by most of them. Even ancient gated
> used this information.

Yes, but do they use information for the loopback for routing?
Certainly they don't advertise the loopback by default; it isn't
reachable externally.

> > > I think the mask on any IP on a loopback interface should be /32
> > > (if you want to add a "127.0.0.0/8 -local" route even if done
> > > automatically", then so be it)
> >
> > Using /32 on loopback is not a bad idea. /etc/network.subr is wired
> > to 127.0.0.1/8 currently. I don't think I'll change it in this pass
> > though.
> >
> > > Note, the default FreeBSD firewall rules already have:
> > > ${fwcmd} add 100 pass all from any to any via lo0
> > > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> >
> > If you use the default rules...
>
> The default rules should work with a fresh install that
> is left with defaults in place. Due to loss of 127/8
> routes the firewall code is borked and we only do not
> leak 127/8 packets because of other code in the kernel
> that prevents them from leaking.

A fresh install does not enable the firewall rules by default.

We could change /etc/network.subr to add a reject route for the
loopback "net". When BSD last had a 127/8 route, it was not a reject
route, so didn't make sense.

		Mike
Re: netmask for loopback interfaces
> Jamie wrote:
> > Oleksandr Kryvulia wrote:
> > > 04.11.21 01:01, Mike Karels wrote:
> > > > I have a pending change to stop using class A/B/C netmasks when setting
> > > > an interface address without an explicit mask, and instead to use a default
> > > > mask (24 bits). A question has arisen as to what the default mask should
> > > > be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> > > > mask currently, but additions without a mask would default to 24 bits.
> > > > There is no warning for missing masks for loopback in the current code.
> > > > I'm not convinced that the mask has any meaning here; only a host route
> > > > to the assigned address is created. Does anyone know of any meaning or
> > > > use of the mask on a loopback address?
> > > >
> > > > Thanks,
> > > > Mike
> > >
> > > /8 mask on loopback prevents using of 127.x.x.x network anywhere
> > > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> > >
> > > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > > [2] https://datatracker.ietf.org/doc/html/rfc1122
>
> It's true that 127/8 is currently reserved, but that isn't enforced
> by FreeBSD using the mask on the interface. Such packets are prevented
> from forwarding by in_canforward(), which in turn uses IN_LOOPBACK().
> The latter uses a compiled-in 8-bit mask.

I have a review up that "relaxes" the restrictions on this (127/8)
and other ranges.
https://reviews.freebsd.org/D19316

> > There is a push by some people to release 127.0.0.0/8 address space,
> > leaving only 127.0.0.0/16 as reserved for localhost.
> > https://www.spinics.net/lists/netdev/msg598545.html
> > https://github.com/schoen/unicast-extensions/blob/master/127.md
> > https://github.com/schoen/unicast-extensions/
> > I make no comment on the feasibility of doing this!
> > However, that aside, aren't you just confusing the mask with routing?
>
> The two masks (interface and route) are separate, but the routing mask
> is set from the interface mask for most interfaces (broadcast or NBMA,
> but not loopback or point-to-point). The interface mask is visible to
> user level, including routing daemons. But I think it would be wrong
> for a routing daemon to infer anything from the mask on a loopback
> route. But the reason for my question was to find out if there is
  ^ I think you meant interface here?
> anything that uses the interface mask in this case, and thus whether
> a change in the default matters.

I actually do believe routing daemons pay very close attention to
the netmask on interfaces. It is how CIDR routes to interfaces
are created and maintained by most of them. Even ancient gated
used this information.

> > I think the mask on any IP on a loopback interface should be /32
> > (if you want to add a "127.0.0.0/8 -local" route even if done
> > automatically", then so be it)
>
> Using /32 on loopback is not a bad idea. /etc/network.subr is wired
> to 127.0.0.1/8 currently. I don't think I'll change it in this pass
> though.
>
> > Note, the default FreeBSD firewall rules already have:
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> If you use the default rules...

The default rules should work with a fresh install that
is left with defaults in place. Due to loss of 127/8
routes the firewall code is borked and we only do not
leak 127/8 packets because of other code in the kernel
that prevents them from leaking.

> 		Mike

-- 
Rod Grimes                                                 rgri...@freebsd.org
Re: netmask for loopback interfaces
> Oleksandr Kryvulia wrote:
> > 04.11.21 01:01, Mike Karels writes:
> > > I have a pending change to stop using class A/B/C netmasks when setting
> > > an interface address without an explicit mask, and instead to use a default
> > > mask (24 bits). A question has arisen as to what the default mask should
> > > be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> > > mask currently, but additions without a mask would default to 24 bits.
> > > There is no warning for missing masks for loopback in the current code.
> > > I'm not convinced that the mask has any meaning here; only a host route
> > > to the assigned address is created. Does anyone know of any meaning or
> > > use of the mask on a loopback address?
> > >
> > > Thanks,
> > > Mike
> >
> > /8 mask on loopback prevents using of 127.x.x.x network anywhere
> > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> >
> > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > [2] https://datatracker.ietf.org/doc/html/rfc1122
>
> There is a push by some people to release 127.0.0.0/8 address space,
> leaving only 127.0.0.0/16 as reserved for localhost.
> https://www.spinics.net/lists/netdev/msg598545.html
> https://github.com/schoen/unicast-extensions/blob/master/127.md
> https://github.com/schoen/unicast-extensions/
> I make no comment on the feasibility of doing this!
> However, that aside, aren't you just confusing the mask with routing?
>
> I think the mask on any IP on a loopback interface should be /32
> (if you want to add a "127.0.0.0/8 -local" route even if done
> automatically", then so be it)
>
> Note, the default FreeBSD firewall rules already have:
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Which no longer work correctly since the "to 127.0.0.0/8"
packets SHALL go out whatever interface the route table
tells them to (often the default route), AND NOT lo0.

oot {1003}# route -n get 127.1.1.1
   route to: 127.1.1.1
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 192.168.32.8
        fib: 0
  interface: em0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

> Cheers,
> Jamie

-- 
Rod Grimes                                                 rgri...@freebsd.org
Re: netmask for loopback interfaces
> 04.11.21 01:01, Mike Karels writes:
> > I have a pending change to stop using class A/B/C netmasks when setting
> > an interface address without an explicit mask, and instead to use a default
> > mask (24 bits). A question has arisen as to what the default mask should
> > be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> > mask currently, but additions without a mask would default to 24 bits.
> > There is no warning for missing masks for loopback in the current code.
> > I'm not convinced that the mask has any meaning here; only a host route
> > to the assigned address is created. Does anyone know of any meaning or
> > use of the mask on a loopback address?
> >
> > Thanks,
> > Mike
>
> /8 mask on loopback prevents using of 127.x.x.x network anywhere
> outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
>
> [1] https://datatracker.ietf.org/doc/html/rfc5735
> [2] https://datatracker.ietf.org/doc/html/rfc1122

Sadly that no longer works correctly since there is no longer a 127/8
route in the table. Which, IMHO, is a mistake.

-- 
Rod Grimes                                                 rgri...@freebsd.org
Re: netmask for loopback interfaces
Jamie wrote:
> Oleksandr Kryvulia wrote:
> > 04.11.21 01:01, Mike Karels wrote:
> > > I have a pending change to stop using class A/B/C netmasks when setting
> > > an interface address without an explicit mask, and instead to use a default
> > > mask (24 bits). A question has arisen as to what the default mask should
> > > be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> > > mask currently, but additions without a mask would default to 24 bits.
> > > There is no warning for missing masks for loopback in the current code.
> > > I'm not convinced that the mask has any meaning here; only a host route
> > > to the assigned address is created. Does anyone know of any meaning or
> > > use of the mask on a loopback address?
> > >
> > > Thanks,
> > > Mike
> >
> > /8 mask on loopback prevents using of 127.x.x.x network anywhere
> > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> >
> > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > [2] https://datatracker.ietf.org/doc/html/rfc1122

It's true that 127/8 is currently reserved, but that isn't enforced
by FreeBSD using the mask on the interface. Such packets are prevented
from forwarding by in_canforward(), which in turn uses IN_LOOPBACK().
The latter uses a compiled-in 8-bit mask.

> There is a push by some people to release 127.0.0.0/8 address space,
> leaving only 127.0.0.0/16 as reserved for localhost.
> https://www.spinics.net/lists/netdev/msg598545.html
> https://github.com/schoen/unicast-extensions/blob/master/127.md
> https://github.com/schoen/unicast-extensions/
> I make no comment on the feasibility of doing this!
> However, that aside, aren't you just confusing the mask with routing?

The two masks (interface and route) are separate, but the routing mask
is set from the interface mask for most interfaces (broadcast or NBMA,
but not loopback or point-to-point). The interface mask is visible to
user level, including routing daemons. But I think it would be wrong
for a routing daemon to infer anything from the mask on a loopback
route. But the reason for my question was to find out if there is
anything that uses the interface mask in this case, and thus whether
a change in the default matters.

> I think the mask on any IP on a loopback interface should be /32
> (if you want to add a "127.0.0.0/8 -local" route even if done
> automatically", then so be it)

Using /32 on loopback is not a bad idea. /etc/network.subr is wired
to 127.0.0.1/8 currently. I don't think I'll change it in this pass
though.

> Note, the default FreeBSD firewall rules already have:
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

If you use the default rules...

		Mike
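To illustrate Mike's point above that the reservation is enforced by a compiled-in check rather than by the mask on lo0, here is an added example (not FreeBSD's code): IN_LOOPBACK() as it is defined in FreeBSD's netinet/in.h, a hypothetical IN_LOOPBACK16() for the /16 proposal, and a simplified can_forward() stand-in for the loopback test that the thread attributes to in_canforward(). The lo0_ifmask parameter is deliberately ignored to make explicit that the interface mask never enters the decision; can_forward(), IN_LOOPBACK16() and addr() are names chosen here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <arpa/inet.h>

/* IN_LOOPBACK() as defined in FreeBSD's <netinet/in.h>: the /8 is a
 * compile-time constant, unrelated to whatever netmask lo0 carries. */
#define IN_LOOPBACK(i) ((((in_addr_t)(i)) & 0xff000000U) == 0x7f000000U)

/* Hypothetical narrower test for the "reserve only 127.0.0.0/16"
 * proposal; not FreeBSD code, added here for comparison. */
#define IN_LOOPBACK16(i) ((((in_addr_t)(i)) & 0xffff0000U) == 0x7f000000U)

/* Simplified stand-in for the forwarding check the thread attributes to
 * in_canforward(): a packet whose destination is loopback is never
 * forwarded. The real function also rejects other ranges; only the
 * loopback case is modelled here. lo0_ifmask is the netmask configured
 * on lo0 and is deliberately unused, because the kernel never reads it. */
static bool can_forward(in_addr_t dst_host_order, in_addr_t lo0_ifmask,
                        bool reserve_whole_slash8)
{
    (void)lo0_ifmask;
    if (reserve_whole_slash8)
        return !IN_LOOPBACK(dst_host_order);
    return !IN_LOOPBACK16(dst_host_order);
}

/* Dotted quad -> host byte order; 0 on a parse error. */
static in_addr_t addr(const char *dotted)
{
    struct in_addr a;
    return inet_pton(AF_INET, dotted, &a) == 1 ? ntohl(a.s_addr) : 0;
}

int main(void)
{
    /* Constructed sample destinations and candidate lo0 masks (/8, /24, /32). */
    const char *samples[] = { "127.0.0.1", "127.1.1.1", "127.255.0.9", "10.0.0.1" };
    const in_addr_t masks[] = { 0xff000000U, 0xffffff00U, 0xffffffffU };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        in_addr_t h = addr(samples[i]);
        printf("%-12s", samples[i]);
        for (size_t m = 0; m < sizeof masks / sizeof masks[0]; m++)
            printf(" fwd(/8 reserved, lo0 mask %08x)=%d", masks[m],
                   can_forward(h, masks[m], true));
        printf(" fwd(/16 reserved)=%d\n", can_forward(h, 0, false));
    }
    return 0;
}
```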
Re: netmask for loopback interfaces
Oleksandr Kryvulia wrote:
> 04.11.21 01:01, Mike Karels writes:
> > I have a pending change to stop using class A/B/C netmasks when setting
> > an interface address without an explicit mask, and instead to use a default
> > mask (24 bits). A question has arisen as to what the default mask should
> > be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> > mask currently, but additions without a mask would default to 24 bits.
> > There is no warning for missing masks for loopback in the current code.
> > I'm not convinced that the mask has any meaning here; only a host route
> > to the assigned address is created. Does anyone know of any meaning or
> > use of the mask on a loopback address?
> >
> > Thanks,
> > Mike
>
> /8 mask on loopback prevents using of 127.x.x.x network anywhere
> outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
>
> [1] https://datatracker.ietf.org/doc/html/rfc5735
> [2] https://datatracker.ietf.org/doc/html/rfc1122

There is a push by some people to release 127.0.0.0/8 address space,
leaving only 127.0.0.0/16 as reserved for localhost.

https://www.spinics.net/lists/netdev/msg598545.html
https://github.com/schoen/unicast-extensions/blob/master/127.md
https://github.com/schoen/unicast-extensions/

I make no comment on the feasibility of doing this!

However, that aside, aren't you just confusing the mask with routing?

I think the mask on any IP on a loopback interface should be /32
(if you want to add a "127.0.0.0/8 -local" route even if done
automatically", then so be it)

Note, the default FreeBSD firewall rules already have:

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Cheers,
Jamie
Re: netmask for loopback interfaces
04.11.21 01:01, Mike Karels writes:
> I have a pending change to stop using class A/B/C netmasks when setting
> an interface address without an explicit mask, and instead to use a default
> mask (24 bits). A question has arisen as to what the default mask should
> be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
> mask currently, but additions without a mask would default to 24 bits.
> There is no warning for missing masks for loopback in the current code.
> I'm not convinced that the mask has any meaning here; only a host route
> to the assigned address is created. Does anyone know of any meaning or
> use of the mask on a loopback address?
>
> Thanks,
> Mike

/8 mask on loopback prevents using of 127.x.x.x network anywhere
outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]

[1] https://datatracker.ietf.org/doc/html/rfc5735
[2] https://datatracker.ietf.org/doc/html/rfc1122
netmask for loopback interfaces
I have a pending change to stop using class A/B/C netmasks when setting
an interface address without an explicit mask, and instead to use a default
mask (24 bits). A question has arisen as to what the default mask should
be for loopback interfaces. The standard 127.0.0.1 is added with an 8 bit
mask currently, but additions without a mask would default to 24 bits.
There is no warning for missing masks for loopback in the current code.
I'm not convinced that the mask has any meaning here; only a host route
to the assigned address is created. Does anyone know of any meaning or
use of the mask on a loopback address?

Thanks,
		Mike