diff --git a/share/man/man4/inet6.4 b/share/man/man4/inet6.4 --- a/share/man/man4/inet6.4 +++ b/share/man/man4/inet6.4 @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 12, 2021 +.Dd February 22, 2023 .Dt INET6 4 .Os .Sh NAME @@ -185,7 +185,9 @@ .Tn ICMPv6 message protocol is accessible from a raw socket. .Ss MIB Variables -A number of variables are implemented in the net.inet6 branch of the +A number of variables are implemented in the +.Va net.inet6 +branch of the .Xr sysctl 3 MIB. In addition to the variables supported by the transport protocols @@ -341,6 +343,11 @@ .Dv AF_INET6 sockets. Defaults to on. +.It Va ip6.log_cannot_forward +Boolean: log packets that can't be forwarded because of unspecified source +address or destination address beyond the scope of the source address as +described in RFC4443. +Enabled by default. .It Va ip6.source_address_validation Boolean: perform source address validation for packets destined for the local host. @@ -440,6 +447,15 @@ .Xr ip6 4 , .Xr tcp 4 , .Xr udp 4 +.Rs +.%A A. Conta +.%A S. Deering +.%A M. Gupta +.%T "Internet Control Message Protocol (ICMPv6) for the Internet" \ + "Protocol Version 6 (IPv6) Specification" +.%R RFC 4443 +.%D March 2006 +.Re .Sh STANDARDS .Rs .%A Tatsuya Jinmei diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -179,6 +179,7 @@ #endif VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS * (RFC 4861) */ +VNET_DEFINE(bool, ip6_log_cannot_forward) = 1; /* icmp6 */ /* @@ -342,6 +343,10 @@ &VNET_NAME(ip6stealth), 0, "Forward IPv6 packets without decrementing their TTL"); #endif +SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO, + log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(ip6_log_cannot_forward), 1, + "Log packets that cannot be forwarded"); /* net.inet6.icmp6 */ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept, diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c 
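Review bot: In sys/netinet6/in6_proto.c the new `bool` is initialised with an integer literal; `VNET_DEFINE(bool, ip6_log_cannot_forward) = true;` would match the declared type. The `SYSCTL_BOOL` hunk also passes `1` as the value argument after `&VNET_NAME(ip6_log_cannot_forward)`, while the neighbouring `ip6stealth` entry passes `0` next to its pointer. As far as I know that argument is only consulted when the pointer is NULL, so the `1` sets no default but reads as if it did; `0` would be consistent with the surrounding table. The description string could also say that the messages are rate-limited, debug-level logs, e.g. `"Log (rate-limited, LOG_DEBUG) packets that cannot be forwarded"`, since the gated call sites use `log(LOG_DEBUG, ...)` behind `V_ip6_log_interval`.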
--- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -114,7 +114,8 @@ IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { IP6STAT_INC(ip6s_cantforward); /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " @@ -221,7 +222,8 @@ IP6STAT_INC(ip6s_badscope); in6_ifstat_inc(nh->nh_ifp, ifs6_in_discard); - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c --- a/sys/netinet6/ip6_mroute.c +++ b/sys/netinet6/ip6_mroute.c @@ -1099,7 +1099,8 @@ */ if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { IP6STAT_INC(ip6s_cantforward); - if (V_ip6_log_time + V_ip6_log_interval < time_uptime) { + if (V_ip6_log_cannot_forward && + (V_ip6_log_time + V_ip6_log_interval < time_uptime)) { V_ip6_log_time = time_uptime; log(LOG_DEBUG, "cannot forward " diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -339,6 +339,9 @@ #define V_nd6_ignore_ipv6_only_ra VNET(nd6_ignore_ipv6_only_ra) #endif +VNET_DECLARE(bool, ip6_log_cannot_forward); +#define V_ip6_log_cannot_forward VNET(ip6_log_cannot_forward) + extern struct pr_usrreqs rip6_usrreqs; struct sockopt;
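Review bot: The test `V_ip6_log_cannot_forward && (V_ip6_log_time + V_ip6_log_interval < time_uptime)` followed by `V_ip6_log_time = time_uptime;` is now repeated at three sites, in both hunks of ip6_forward.c and in the ip6_mroute.c hunk. A small inline helper next to the `V_ip6_log_cannot_forward` declaration would keep the knob and the shared rate limit in one place. The helper name below is only a suggestion. It would also help to comment that the knob silences the log line only: `IP6STAT_INC(ip6s_cantforward)` and `IP6STAT_INC(ip6s_badscope)` run before the test, so the counters stay available for spotting unspecified-source or out-of-scope traffic when logging is off. The enclosing functions start and end outside these hunks.

```c
/*
 * Returns true when a "cannot forward" message may be logged now.
 * Gates logging only; the ip6s_cantforward / ip6s_badscope counters
 * are updated by the callers regardless of this knob.
 */
static __inline bool
ip6_cannot_forward_log_ok(void)
{
	if (!V_ip6_log_cannot_forward ||
	    V_ip6_log_time + V_ip6_log_interval >= time_uptime)
		return (false);
	V_ip6_log_time = time_uptime;
	return (true);
}

/* ... at each of the three call sites ... */
	if (ip6_cannot_forward_log_ok()) {
		/* ... unchanged: log(LOG_DEBUG, "cannot forward " ...) ... */
```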