Re: allow TCP connections to IPv6 anycast addresses
On Sat, Aug 08 2020, Florian Obser wrote: > On Fri, Aug 07, 2020 at 11:52:46PM +0200, Jeremie Courreges-Anglas wrote: >> If you don't want to remove M_ACAST from sys/mbuf.h, can you please at >> least change the comment? /* obsolete */ or something. > > Good point, I forgot to ask about what to do with the flag. > I think we can remove it, from what I understand %b in printf(9) works > fine with a sparse decoding string. Should be fine indeed. > It compiles but I have no idea how to test it in ddb. show mbuf addr in a function that uses an mbuf? > OK? Better to leave out the comment? I think the comment can be dropped along with the #define. Userland shouldn't be poking at this. ok jca@ > diff --git sys/mbuf.h sys/mbuf.h > index d52896d3be8..3ddd1b89d66 100644 > --- sys/mbuf.h > +++ sys/mbuf.h > @@ -190,7 +190,7 @@ struct mbuf { > /* mbuf pkthdr flags, also in m_flags */ > #define M_VLANTAG0x0020 /* ether_vtag is valid */ > #define M_LOOP 0x0040 /* packet has been sent from local > machine */ > -#define M_ACAST 0x0080 /* received as IPv6 anycast */ > + /* 0x0080 used to be M_ACAST */ > #define M_BCAST 0x0100 /* sent/received as link-level > broadcast */ > #define M_MCAST 0x0200 /* sent/received as link-level > multicast */ > #define M_CONF 0x0400 /* payload was encrypted > (ESP-transport) */ 
> @@ -203,14 +203,13 @@ struct mbuf { > #ifdef _KERNEL > #define M_BITS \ > ("\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_EXTWR\5M_PROTO1\6M_VLANTAG\7M_LOOP" \ > -"\10M_ACAST\11M_BCAST\12M_MCAST\13M_CONF\14M_AUTH\15M_TUNNEL" \ > +"\11M_BCAST\12M_MCAST\13M_CONF\14M_AUTH\15M_TUNNEL" \ > "\16M_ZEROIZE\17M_COMP\20M_LINK0") > #endif > > /* flags copied when copying m_pkthdr */ > #define M_COPYFLAGS > (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|M_COMP|\ > - M_AUTH|M_LOOP|M_TUNNEL|M_LINK0|M_VLANTAG|M_ACAST|\ > - M_ZEROIZE) > + M_AUTH|M_LOOP|M_TUNNEL|M_LINK0|M_VLANTAG|M_ZEROIZE) > > /* Checksumming flags */ > #define M_IPV4_CSUM_OUT 0x0001 /* IPv4 checksum needed */ -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: allow TCP connections to IPv6 anycast addresses
On Fri, Aug 07, 2020 at 11:52:46PM +0200, Jeremie Courreges-Anglas wrote: > If you don't want to remove M_ACAST from sys/mbuf.h, can you please at > least change the comment? /* obsolete */ or something. Good point, I forgot to ask about what to do with the flag. I think we can remove it, from what I understand %b in printf(9) works fine with a sparse decoding string. It compiles but I have no idea how to test it in ddb. OK? Better to leave out the comment? diff --git sys/mbuf.h sys/mbuf.h index d52896d3be8..3ddd1b89d66 100644 --- sys/mbuf.h +++ sys/mbuf.h @@ -190,7 +190,7 @@ struct mbuf { /* mbuf pkthdr flags, also in m_flags */ #define M_VLANTAG 0x0020 /* ether_vtag is valid */ #define M_LOOP 0x0040 /* packet has been sent from local machine */ -#define M_ACAST0x0080 /* received as IPv6 anycast */ + /* 0x0080 used to be M_ACAST */ #define M_BCAST0x0100 /* sent/received as link-level broadcast */ #define M_MCAST0x0200 /* sent/received as link-level multicast */ #define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */ @@ -203,14 +203,13 @@ struct mbuf { #ifdef _KERNEL #define M_BITS \ ("\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_EXTWR\5M_PROTO1\6M_VLANTAG\7M_LOOP" \ -"\10M_ACAST\11M_BCAST\12M_MCAST\13M_CONF\14M_AUTH\15M_TUNNEL" \ +"\11M_BCAST\12M_MCAST\13M_CONF\14M_AUTH\15M_TUNNEL" \ "\16M_ZEROIZE\17M_COMP\20M_LINK0") #endif /* flags copied when copying m_pkthdr */ #defineM_COPYFLAGS (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|M_COMP|\ -M_AUTH|M_LOOP|M_TUNNEL|M_LINK0|M_VLANTAG|M_ACAST|\ -M_ZEROIZE) +M_AUTH|M_LOOP|M_TUNNEL|M_LINK0|M_VLANTAG|M_ZEROIZE) /* Checksumming flags */ #defineM_IPV4_CSUM_OUT 0x0001 /* IPv4 checksum needed */ -- I'm not entirely sure you are real.
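Review bot: In the second hunk the M_BITS string now goes from `\7M_LOOP` straight to `\11M_BCAST`, and nothing at that spot says the gap is deliberate, so a later reader could take it for a dropped entry or reuse 0x0080 without adding its name to the string. A one-line comment above the macro would cover it, for example `/* bit \10 (0x0080) is currently unassigned */`. If 0x0080 is later given to a new flag, M_BITS and M_COPYFLAGS both need revisiting in the same change, because neither macro picks up a new flag automatically. The same hunk is also quoted in the reply earlier on this page.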
Re: allow TCP connections to IPv6 anycast addresses
On Fri, Aug 07 2020, Florian Obser wrote: > No longer prevent TCP connections to IPv6 anycast addresses. > > RFC 4291 dropped this requirement from RFC 3513: >o An anycast address must not be used as the source address of an > IPv6 packet. > > And from that requirement draft-itojun-ipv6-tcp-to-anycast rightly > concluded that TCP connections must be prevented. > > The draft also states: > > The proposed method MUST be removed when one of the following events > happens in the future: > > o Restriction imposed on IPv6 anycast address is loosened, so that >anycast address can be placed into source address field of the IPv6 >header[...] Also worth reading: https://tools.ietf.org/html/rfc4942#section-2.1.6 > OK? ok jca@ If you don't want to remove M_ACAST from sys/mbuf.h, can you please at least change the comment? /* obsolete */ or something. -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
allow TCP connections to IPv6 anycast addresses
No longer prevent TCP connections to IPv6 anycast addresses. RFC 4291 dropped this requirement from RFC 3513: o An anycast address must not be used as the source address of an IPv6 packet. And from that requirement draft-itojun-ipv6-tcp-to-anycast rightly concluded that TCP connections must be prevented. The draft also states: The proposed method MUST be removed when one of the following events happens in the future: o Restriction imposed on IPv6 anycast address is loosened, so that anycast address can be placed into source address field of the IPv6 header[...] OK? diff --git share/man/man9/mbuf.9 share/man/man9/mbuf.9 index 6f798945437..ab02c36798f 100644 --- share/man/man9/mbuf.9 +++ share/man/man9/mbuf.9 @@ -306,8 +306,6 @@ protocol-specific. variable is valid. .It Dv M_LOOP packet has been sent from local machine. -.It Dv M_ACAST -received as IPv6 anycast. .It Dv M_BCAST packet sent/received as link-level broadcast. .It Dv M_MCAST diff --git sys/netinet/ip_input.c sys/netinet/ip_input.c index 1b511d14a4b..40c2f675959 100644 --- sys/netinet/ip_input.c +++ sys/netinet/ip_input.c @@ -619,20 +619,6 @@ ip_deliver(struct mbuf **mp, int *offp, int nxt, int af) goto bad; } -#ifdef INET6 - /* draft-itojun-ipv6-tcp-to-anycast */ - if (af == AF_INET6 && - ISSET((*mp)->m_flags, M_ACAST) && (nxt == IPPROTO_TCP)) { - if ((*mp)->m_len >= sizeof(struct ip6_hdr)) { - icmp6_error(*mp, ICMP6_DST_UNREACH, - ICMP6_DST_UNREACH_ADDR, - offsetof(struct ip6_hdr, ip6_dst)); - *mp = NULL; - } - goto bad; - } -#endif /* INET6 */ - #ifdef IPSEC if (ipsec_in_use) { if (ipsec_local_check(*mp, *offp, nxt, af) != 0) { diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c index 64489f53b48..6c1beb6866c 100644 --- sys/netinet6/ip6_input.c +++ sys/netinet6/ip6_input.c 
@@ -424,8 +424,6 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) */ if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL)) { struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa); - if (ia6->ia6_flags & IN6_IFF_ANYCAST) - m->m_flags |= M_ACAST; if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index && !((ifp->if_flags & IFF_LOOPBACK) || -- I'm not entirely sure you are real.