author: Alexander V. Chernikov <melifaro@FreeBSD.org> 2023-01-22 16:57:36 +0000
committer: Alexander V. Chernikov <melifaro@FreeBSD.org> 2023-01-22 18:48:07 +0000
commit: 30dd227cff75bdabaac2002a2b17095f3392a485
tree: ab96403968e746a362cbd2ae8df646c7d2d57f89 /sys/netinet6
parent: 7a56009cf5b0606dc078346386b5eae3ccae24d3
netinet6: honor blackhole/unreach routes in the non-fastforwarding code.

Currently, under the conditions specified below, IPv6 ingress packet processing can ignore the blackhole/reject flag on the prefix. The packet will instead be looped locally till TTL expiration and a single ICMPv6 unreachable message will be sent to the source even in case of RTF_BLACKHOLE.

The following conditions need to hold to make the scenario happen:

* IPv6 forwarding is enabled
* Packet is not fast-forwarded
* Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag

Fix this behavior by checking for the blackhole/reject flags in ip6_forward().

Reported by: Dmitriy Smirnov <fox@sage.su>
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D38164
MFC after: 3 days
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- sys/netinet6/ip6_forward.c | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 5173415afda6..39c93ac35427 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -196,6 +196,15 @@ again:
goto bad;
}
+ if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) {
+ IP6STAT_INC(ip6s_cantforward);
+ if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) {
+ icmp6_error(mcopy, ICMP6_DST_UNREACH,
+ ICMP6_DST_UNREACH_REJECT, 0);
+ }
+ goto bad;
+ }
+
/*
* Source scope check: if a packet can't be delivered to its
* destination for the reason that the destination is beyond the scope
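Review bot: in the NHF_BLACKHOLE case the saved copy is left unreleased before `goto bad;`: the new block only hands `mcopy` to `icmp6_error()` when NHF_REJECT is set, so for a pure blackhole nexthop a non-NULL `mcopy` reaches the `bad:` label untouched. Unless `bad:` itself frees the copy (the hunk does not show it), the branch should free it, e.g. `else if (mcopy != NULL) m_freem(mcopy);` after the reject check, or jump to a label that does. The rest matches the sibling no-route path above it (counter bump, ICMPv6 unreachable only when a copy exists, then drop), with ICMP6_DST_UNREACH_REJECT as the code, which is what the commit message describes for RTF_REJECT while RTF_BLACKHOLE stays silent.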