diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -521,11 +521,6 @@ goto bad; } } - /* The unspecified address can appear only as a src address - RFC1122 */ - if (__predict_false(ntohl(ip->ip_dst.s_addr) == INADDR_ANY)) { - IPSTAT_INC(ips_badaddr); - goto bad; - } if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) { sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID); @@ -641,6 +636,17 @@ } } passin: + /* + * The unspecified address can appear only as a src address - RFC1122. + * + * The check is deferred to here to give firewalls a chance to block + * (and log) such packets. ip_tryforward() will not process such + * packets. + */ + if (__predict_false(ntohl(ip->ip_dst.s_addr) == INADDR_ANY)) { + IPSTAT_INC(ips_badaddr); + goto bad; + } /* * Process options and, if not destined for us, diff --git a/sys/netinet6/ip6_fastfwd.c b/sys/netinet6/ip6_fastfwd.c --- a/sys/netinet6/ip6_fastfwd.c +++ b/sys/netinet6/ip6_fastfwd.c @@ -107,6 +107,7 @@ IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst) || IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src) || + IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) || IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) || in6_localip(&ip6->ip6_dst)) return (m); diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -621,10 +621,10 @@ IP_PROBE(receive, NULL, NULL, ip6, rcvif, NULL, ip6); /* - * Check against address spoofing/corruption. + * Check against address spoofing/corruption. The unspecified address + * is checked further below. */ - if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || - IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { + if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src)) { /* * XXX: "badscope" is not very suitable for a multicast source. */ @@ -749,6 +749,17 @@ } passin: + /* + * The check is deferred to here to give firewalls a chance to block + * (and log) such packets. ip6_tryforward() will not process such + * packets. + */ + if (__predict_false(IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst))) { + IP6STAT_INC(ip6s_badscope); + in6_ifstat_inc(rcvif, ifs6_in_addrerr); + goto bad; + } + /* * Disambiguate address scope zones (if there is ambiguity). * We first make sure that the original source or destination address diff --git a/tests/sys/netpfil/pf/pflog.sh b/tests/sys/netpfil/pf/pflog.sh --- a/tests/sys/netpfil/pf/pflog.sh +++ b/tests/sys/netpfil/pf/pflog.sh @@ -195,9 +195,80 @@ pft_cleanup } +atf_test_case "unspecified_v4" "cleanup" +unspecified_v4_head() +{ + atf_set descr 'Ensure that packets to the unspecified address are visible to pfil hooks' + atf_set require.user root +} + +unspecified_v4_body() +{ + pflog_init + + vnet_mkjail alcatraz + jexec alcatraz ifconfig lo0 inet 127.0.0.1 + jexec alcatraz route add default 127.0.0.1 + + jexec alcatraz pfctl -e + jexec alcatraz ifconfig pflog0 up + pft_set_rules alcatraz "block log on lo0 to 0.0.0.0" + + jexec alcatraz tcpdump -n -e -ttt --immediate-mode -l -U -i pflog0 >> pflog.txt & + sleep 1 # Wait for tcpdump to start + + atf_check -s not-exit:0 -o ignore -e ignore \ + jexec alcatraz ping -S 127.0.0.1 -c 1 0.0.0.0 + + atf_check -o match:".*: block out on lo0: 127.0.0.1 > 0.0.0.0: ICMP echo request,.*" \ + cat pflog.txt +} + +unspecified_v4_cleanup() +{ + pft_cleanup +} + +atf_test_case "unspecified_v6" "cleanup" +unspecified_v6_head() +{ + atf_set descr 'Ensure that packets to the unspecified address are visible to pfil hooks' + atf_set require.user root +} + +unspecified_v6_body() +{ + pflog_init + + vnet_mkjail alcatraz + jexec alcatraz ifconfig lo0 up + jexec alcatraz route -6 add ::0 ::1 + + jexec alcatraz pfctl -e + jexec alcatraz ifconfig pflog0 up + pft_set_rules alcatraz "block log on lo0 to ::0" + + jexec alcatraz tcpdump -n -e -ttt --immediate-mode -l -U -i pflog0 >> pflog.txt & + sleep 1 # Wait for tcpdump to start + + atf_check -s not-exit:0 -o ignore -e ignore \ + jexec alcatraz ping -6 -S ::1 -c 1 ::0 + + cat pflog.txt + atf_check -o match:".*: block out on lo0: ::1 > ::: ICMP6, echo request,.*" \ + cat pflog.txt +} + +unspecified_v6_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "malformed" atf_add_test_case "matches" atf_add_test_case "state_max" + atf_add_test_case "unspecified_v4" + atf_add_test_case "unspecified_v6" }