diff options
author | Alexander V. Chernikov <melifaro@FreeBSD.org> | 2023-01-22 16:57:36 +0000 |
---|---|---|
committer | Alexander V. Chernikov <melifaro@FreeBSD.org> | 2023-02-09 15:46:09 +0000 |
commit | 4a35f20563812b2d21784989651878e3a2d837d8 (patch) | |
tree | eb060f484394f7a0eb88c9d499a8acd38b268333 | |
parent | a28a4cb5e9090806b6a7f8912f3ddcc1dfc57217 (diff) | |
download | src-4a35f20563812b2d21784989651878e3a2d837d8.tar.gz src-4a35f20563812b2d21784989651878e3a2d837d8.zip |
netinet6: honor blackhole/unreach routes in the non-fastforwading code.
Currently, under the conditions specified below, IPv6 ingress packet
processing can ignore blackhole/reject flag on the prefix. The packet
will instead be looped locally till TTL expiration and a single ICMPv6
unreachable message will be send to the source even in case of
RTF_BLACKHOLE.
The following conditions needs hold to make the scenario happen:
* IPv6 forwarding is enabled
* Packet is not fast-forwarded
* Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag
Fix this behavior by checking for the blackhole/reject flags in
ip6_forward().
Reported by: Dmitriy Smirnov <fox@sage.su>
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D38164
MFC after: 3 days
(cherry picked from commit 30dd227cff75bdabaac2002a2b17095f3392a485)
-rw-r--r-- | sys/netinet6/ip6_forward.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index d4306eea416f..7e4b08672726 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -196,6 +196,15 @@ again: goto bad; } + if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) { + IP6STAT_INC(ip6s_cantforward); + if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) { + icmp6_error(mcopy, ICMP6_DST_UNREACH, + ICMP6_DST_UNREACH_REJECT, 0); + } + goto bad; + } + /* * Source scope check: if a packet can't be delivered to its * destination for the reason that the destination is beyond the scope |