
ipv6: quit dropping packets looping back on p2p interfaces

Description

ipv6: quit dropping packets looping back on p2p interfaces

To paraphrase the below-referenced PR:

This logic originated in the KAME project, and was even controversial when
it was enabled there by default in 2001. No such equivalent logic exists in
the IPv4 stack, and it turns out that this leads to us dropping valid
traffic when the "point to point" interface is actually a 1:many tun
interface, e.g. with the wireguard userland stack.

Even in the case of true point-to-point links, this logic only avoids
transient looping of packets sent by misconfigured applications or
attackers, which can be subverted by proper route configuration rather than
hardcoded logic in the kernel to drop packets.

In the review, melifaro goes on to note that the kernel can't fix it, so it
perhaps shouldn't try to be 'smart' about it. Additionally, that TTL will
still kick in even with incorrect route configuration.

PR: 247718
Reviewed by: melifaro, rgrimes
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D25567

Details

Provenance
kevans
Authored on Aug 31 2020, 1:45 AM
Parents
rGc0a56af995f4: Add an entry to RELNOTES for the NFS over TLS kernel support.