Re: netmask for loopback interfaces

From: Rodney W. Grimes <freebsd-rwg_at_gndrsh.dnsmgr.net>
Date: Thu, 04 Nov 2021 14:36:37 UTC
> Jamie wrote:
> 
> > Oleksandr Kryvulia <shuriku@shurik.kiev.ua> wrote:
> 
> > > 04.11.21 01:01, Mike Karels wrote:
> > > > I have a pending change to stop using class A/B/C netmasks when setting
> > > > an interface address without an explicit mask, and instead to use a default
> > > > mask (24 bits).  A question has arisen as to what the default mask should
> > > > be for loopback interfaces.  The standard 127.0.0.1 is added with an 8 bit
> > > > mask currently, but additions without a mask would default to 24 bits.
> > > > There is no warning for missing masks for loopback in the current code.
> > > > I'm not convinced that the mask has any meaning here; only a host route
> > > > to the assigned address is created.  Does anyone know of any meaning or
> > > > use of the mask on a loopback address?
> > > >
> > > > Thanks,
> > > > 		Mike
> > > >
> > >
> > > /8 mask on loopback prevents use of the 127.x.x.x network anywhere 
> > > outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
> > >
> > > [1] https://datatracker.ietf.org/doc/html/rfc5735
> > > [2] https://datatracker.ietf.org/doc/html/rfc1122
> 
> It's true that 127/8 is currently reserved, but that isn't enforced
> by FreeBSD using the mask on the interface.  Such packets are prevented
> from forwarding by in_canforward(), which in turn uses IN_LOOPBACK().
> The latter uses a compiled-in 8-bit mask.

I have a review up that "relaxes" the restrictions on this (127/8)
and other ranges.

	https://reviews.freebsd.org/D19316

> 
> > There is a push by some people to release 127.0.0.0/8 address space,
> > leaving only 127.0.0.0/16 as reserved for localhost.
> 
> > https://www.spinics.net/lists/netdev/msg598545.html
> 
> > https://github.com/schoen/unicast-extensions/blob/master/127.md
> 
> > https://github.com/schoen/unicast-extensions/
> 
> > I make no comment on the feasibility of doing this!
> 
> > However, that aside, aren't you just confusing the mask with routing?
> 
> The two masks (interface and route) are separate, but the routing mask
> is set from the interface mask for most interfaces (broadcast or NBMA,
> but not loopback or point-to-point).  The interface mask is visible to
> user level, including routing daemons.  But I think it would be wrong
> for a routing daemon to infer anything from the mask on a loopback
> route.  But the reason for my question was to find out if there is
  ^^^^^  I think you meant interface here?

> anything that uses the interface mask in this case, and thus whether
> a change in the default matters.

I actually do believe routing daemons pay very close attention to
the netmask on an interface.  It is how CIDR routes to interfaces
are created and maintained by most of them.  Even ancient gated
used this information.

> 
> > I think the mask on any IP on a loopback interface should be /32
> > (if you want to add a "127.0.0.0/8 -local" route even if done
> > automatically", then so be it)
> 
> Using /32 on loopback is not a bad idea.  /etc/network.subr is wired
> to 127.0.0.1/8 currently.  I don't think I'll change it in this pass
> though.
> 
> > Note, the default FreeBSD firewall rules already have:
> 
> >     ${fwcmd} add 100 pass all from any to any via lo0
> >     ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> >     ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> 
> If you use the default rules...

The default rules should work with a fresh install that
is left with defaults in place.  Due to loss of 127/8
routes the firewall code is borked and we only do not
leak 127/8 packets because of other code in the kernel
that prevents them from leaking.

> 		Mike

-- 
Rod Grimes                                                 rgrimes@freebsd.org
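An added example (Python, not code from the thread or from FreeBSD) modelling the three things the discussion keeps apart: the default mask chosen when none is given (classful vs. the proposed flat 24 bits), the compiled-in 8-bit test behind IN_LOOPBACK()/in_canforward(), and the route the kernel installs for an interface address versus the network a routing daemon can read off the interface mask. The function names, the simplified in_canforward() (loopback check only), and the optional `reserved` parameter used to try the 127/16 proposal are assumptions for illustration.

```python
# Added illustration, not FreeBSD source: models mask handling discussed in the thread.
import ipaddress

# Compiled-in loopback range used by IN_LOOPBACK(); independent of any interface mask.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def default_prefixlen(addr: str, classful: bool) -> int:
    """Mask applied when an address is set without one: old class A/B/C rule,
    or the flat 24-bit default the pending change proposes."""
    if not classful:
        return 24
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8          # class A
    if first_octet < 192:
        return 16         # class B
    return 24             # class C


def in_loopback(addr: str, reserved: ipaddress.IPv4Network = LOOPBACK_NET) -> bool:
    """Mirror of IN_LOOPBACK(): membership in the compiled-in range.
    `reserved` is a hypothetical knob so the 127/16 proposal can be compared."""
    return ipaddress.ip_address(addr) in reserved


def in_canforward(addr: str, reserved: ipaddress.IPv4Network = LOOPBACK_NET) -> bool:
    """Simplified in_canforward(): loopback destinations are never forwarded,
    whatever mask lo0 happens to carry (other classes it rejects are omitted)."""
    return not in_loopback(addr, reserved)


def ifa_network(addr: str, prefixlen: int) -> str:
    """Network visible at user level (to routing daemons) from address + interface mask."""
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


def kernel_route(addr: str, prefixlen: int, iftype: str) -> str:
    """Route the kernel installs: broadcast/NBMA take the network from the
    interface mask; loopback and point-to-point get only a host route."""
    if iftype in ("loopback", "p2p"):
        return str(ipaddress.ip_network(f"{addr}/32"))
    return ifa_network(addr, prefixlen)


def mask_affects_forwarding(addr: str, masks=(8, 24, 32)) -> bool:
    """True only if changing the lo0 mask changed the forwarding decision (it never does)."""
    return len({in_canforward(addr) for _ in masks}) > 1
```

Running the functions over 127.0.0.1 shows the default mask moving from /8 to /24 changes only what a daemon reads from the interface, not the host route or the forwarding decision.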