author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2024-06-20 19:25:43 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2024-06-20 19:25:43 +0000 |
commit | 8fb789f4ab1f9e44048fb77339edaab6b7c5541a (patch) | |
tree | c542bff5e0b356c8db9e47f979e94d5656bc1ff8 /sys/net | |
parent | 2b6bba564dfa2cabcc572f444847374f35e15658 (diff) |
Read IPv6 forwarding value only once while processing a packet.
IPv4 uses IP_FORWARDING to pass down a consistent value of
net.inet.ip.forwarding down the stack. This is needed for unlocking
sysctl. Do the same for IPv6.
Read ip6_forwarding once in ip6_input_if() and pass down IPV6_FORWARDING
as flags to ip6_ours(), ip6_hbhchcheck(), ip6_forward(). Replace
the srcrt value with IPV6_REDIRECT flag for consistency with IPv4.
To have common syntax with IPv4, use ip6_forwarding == 0 checks
instead of !ip6_forwarding. This will also make it easier to
implement net.inet6.ip6.forwarding=2 for IPsec only forwarding
later.
In nd6_ns_input() and nd6_na_input() read ip6_forwarding once and
store it in i_am_router. The variable name has been chosen to avoid
confusion with is_router, which indicates router flag of the packet.
Reading of ip6_forwarding is done independently from ip6_input_if(),
consistency does not really matter. One is for ND router behavior
the other for forwarding. Again use the ip6_forwarding != 0 check,
so when ip6_forwarding IPsec only value 2 gets implemented, it will
behave like a router.
OK deraadt@ sashan@ florian@ claudio@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/if.c | 4 | ||||
-rw-r--r-- | sys/net/pf.c | 7 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 4 |
3 files changed, 9 insertions, 6 deletions
diff --git a/sys/net/if.c b/sys/net/if.c
index 9b971251ec1..46e4e8c95f5 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.718 2024/02/06 00:18:53 bluhm Exp $ */
+/* $OpenBSD: if.c,v 1.719 2024/06/20 19:25:42 bluhm Exp $ */
 /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
 /*
@@ -3378,7 +3378,7 @@ ifnewlladdr(struct ifnet *ifp)
 * Update the link-local address. Don't do it if we're
 * a router to avoid confusing hosts on the network.
 */
- if (!ip6_forwarding) {
+ if (ip6_forwarding == 0) {
 ifa = &in6ifa_ifpforlinklocal(ifp, 0)->ia_ifa;
 if (ifa) {
 in6_purgeaddr(ifa);
diff --git a/sys/net/pf.c b/sys/net/pf.c
index ecc6bfef43c..47ec92d4bad 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1197 2024/06/07 18:24:16 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1198 2024/06/20 19:25:42 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -7974,12 +7974,15 @@ done:
 break;
 case AF_INET6:
 if (pd.dir == PF_IN) {
+ int flags;
+
 if (ip6_forwarding == 0) {
 ip6stat_inc(ip6s_cantforward);
 action = PF_DROP;
 break;
 }
- ip6_forward(pd.m, NULL, 1);
+ flags = IPV6_FORWARDING | IPV6_REDIRECT;
+ ip6_forward(pd.m, NULL, flags);
 } else
 ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
 break;
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 571dbf9d346..8799b845e9b 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.230 2024/04/22 13:30:22 bluhm Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.231 2024/06/20 19:25:42 bluhm Exp $ */
 /*
 * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -1011,7 +1011,7 @@ pf_refragment6(struct mbuf **m0, struct m_tag *mtag, struct sockaddr_in6 *dst,
 while ((m = ml_dequeue(&ml)) != NULL) {
 m->m_pkthdr.pf.flags |= PF_TAG_REFRAGMENTED;
 if (ifp == NULL) {
- ip6_forward(m, NULL, 0);
+ ip6_forward(m, NULL, IPV6_FORWARDING);
 } else if ((u_long)m->m_pkthdr.len <= ifp->if_mtu) {
 ifp->if_output(ifp, m, sin6tosa(dst), rt);
 } else { |
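Review bot: In the AF_INET6 branch of sys/net/pf.c, `flags` is hard-coded to `IPV6_FORWARDING | IPV6_REDIRECT` once `ip6_forwarding == 0` has been ruled out, so every non-zero sysctl value is treated as full forwarding on this path. The commit message anticipates a later IPsec-only value 2; when that lands, this pf-driven call would presumably still forward everything unless the flag is derived from the value read here. A comment at the assignment would keep that visible, for example `/* any non-zero ip6_forwarding means full forwarding here; revisit for value 2 */`. It would also help to note there that `IPV6_REDIRECT` takes the place of the former `srcrt` argument of 1. The enclosing function starts and ends outside the hunk.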
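Review bot: The `ifp == NULL` branch of pf_refragment6() now passes `IPV6_FORWARDING` unconditionally, and nothing visible in the hunk reads `ip6_forwarding` first, unlike the pf.c call site, which drops the packet when the sysctl is 0. If the callers have already made the forwarding decision before refragmentation (they are outside the hunk, so this is an assumption), a comment should say so, e.g. `/* forwarding was already decided before reassembly; do not consult ip6_forwarding again */`. Without it the constant reads as if forwarding were enabled by fiat on this path. The loop and the function continue past the end of the hunk.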