On Wed, Dec 18, 2019 at 09:07:35AM +0100, Alexandr Nedvedicky wrote:
> I see. Updated diff below makes ip6_input_if() to explicitly check
> for PF_TAG_TRANSLATE_LOCALHOST tag, when ip6_forwarding is disabled.
>
> if ip6_forwarding is enabled, then the ip6_input_if() keeps current
> behavior.
You have misunderstood my internsion.
Can we put the PF_TAG_TRANSLATE_LOCALHOST into ip6_input_if() like
in in_ouraddr(). Then the logic and look of the code is similar.
if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index &&
!((ifp->if_flags & IFF_LOOPBACK) ||
(ifp->if_type == IFT_ENC) ||
(m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST)) {
/* received on wrong interface */
And the second question, but not for this commit, is why do we
need this block?
if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
nxt = ip6_ours(mp, offp, nxt, af);
goto out;
}
It was removed in kame here:
revision 1.189
date: 2001/04/01 09:08:57; author: jinmei; state: Exp; lines: +22 -23;
clarified goto-ours logic:
1. separated checks against spoofed ::1 src/dst from the goto-ours check.
this also fixed a bug that the kernel accepted a packet with
src=::1, dst=invalid, rcvif=lo0
(you can test it by 'ping6 -S ::1 fe80::xxxx%lo0", where xxxx is not an
interface ID of lo0)
2. (experimentally) omitted a specical case for link-local destinations at a
loopback interface. I believe this is correct, because
- we now have a host route for fe80::1%lo0, so we can accept a packet to
the address using the generic logic.
- we can reject packets to fe80::xxxx%lo0 (xxxx != 1) by the check for
the RTF_GATEWAY bit for rt_flags (ip6_input.c line 872).
*** NOTE to developers:***
this is the case for bsdi4, but please check it on other platforms.
after the confirmation, I'll completely remove the part (currently, it's
just escaped by '#ifdef 0')
bluhm
