git: 4a35f2056381 - stable/13 - netinet6: honor blackhole/unreach routes in the non-fastforwarding code.
Date: Thu, 09 Feb 2023 16:11:23 UTC
The branch stable/13 has been updated by melifaro:
URL: https://cgit.FreeBSD.org/src/commit/?id=4a35f20563812b2d21784989651878e3a2d837d8
commit 4a35f20563812b2d21784989651878e3a2d837d8
Author: Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2023-01-22 16:57:36 +0000
Commit: Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-02-09 15:46:09 +0000
netinet6: honor blackhole/unreach routes in the non-fastforwarding code.
Currently, under the conditions specified below, IPv6 ingress packet
processing can ignore blackhole/reject flag on the prefix. The packet
will instead be looped locally till TTL expiration and a single ICMPv6
unreachable message will be sent to the source even in case of
RTF_BLACKHOLE.
The following conditions need to hold to make the scenario happen:
* IPv6 forwarding is enabled
* Packet is not fast-forwarded
* Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag
Fix this behavior by checking for the blackhole/reject flags in
ip6_forward().
Reported by: Dmitriy Smirnov <fox@sage.su>
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D38164
MFC after: 3 days
(cherry picked from commit 30dd227cff75bdabaac2002a2b17095f3392a485)
---
sys/netinet6/ip6_forward.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index d4306eea416f..7e4b08672726 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -196,6 +196,15 @@ again:
goto bad;
}
+ if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) {
+ IP6STAT_INC(ip6s_cantforward);
+ if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) {
+ icmp6_error(mcopy, ICMP6_DST_UNREACH,
+ ICMP6_DST_UNREACH_REJECT, 0);
+ }
+ goto bad;
+ }
+
/*
* Source scope check: if a packet can't be delivered to its
* destination for the reason that the destination is beyond the scope
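Review bot: after `icmp6_error(mcopy, ...)` the hunk falls through to `goto bad` with `mcopy` still non-NULL; icmp6_error() consumes the mbuf it is given, so please confirm that the `bad:` path does not also free `mcopy` for this branch, or set `mcopy = NULL` right after the call to rule out a double free. The rest of the hunk reads correctly: the `mcopy != NULL` guard covers the case where the copy for ICMPv6 generation was not made, ICMP6_DST_UNREACH with code ICMP6_DST_UNREACH_REJECT is the expected response for a reject route, a blackhole route is dropped silently (which is exactly the stray-ICMPv6 behaviour the commit message is fixing), and both cases are counted under ip6s_cantforward.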