On Wed, Dec 18, 2019 at 09:07:35AM +0100, Alexandr Nedvedicky wrote: > I see. Updated diff below makes ip6_input_if() to explicitly check > for PF_TAG_TRANSLATE_LOCALHOST tag, when ip6_forwarding is disabled. > > if ip6_forwarding is enabled, then the ip6_input_if() keeps current > behavior.
You have misunderstood my internsion. Can we put the PF_TAG_TRANSLATE_LOCALHOST into ip6_input_if() like in in_ouraddr(). Then the logic and look of the code is similar. if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index && !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) || (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST)) { /* received on wrong interface */ And the second question, but not for this commit, is why do we need this block? if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) { nxt = ip6_ours(mp, offp, nxt, af); goto out; } It was removed in kame here: revision 1.189 date: 2001/04/01 09:08:57; author: jinmei; state: Exp; lines: +22 -23; clarified goto-ours logic: 1. separated checks against spoofed ::1 src/dst from the goto-ours check. this also fixed a bug that the kernel accepted a packet with src=::1, dst=invalid, rcvif=lo0 (you can test it by 'ping6 -S ::1 fe80::xxxx%lo0", where xxxx is not an interface ID of lo0) 2. (experimentally) omitted a specical case for link-local destinations at a loopback interface. I believe this is correct, because - we now have a host route for fe80::1%lo0, so we can accept a packet to the address using the generic logic. - we can reject packets to fe80::xxxx%lo0 (xxxx != 1) by the check for the RTF_GATEWAY bit for rt_flags (ip6_input.c line 872). *** NOTE to developers:*** this is the case for bsdi4, but please check it on other platforms. after the confirmation, I'll completely remove the part (currently, it's just escaped by '#ifdef 0') bluhm