The branch main has been updated by melifaro:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=30dd227cff75bdabaac2002a2b17095f3392a485

commit 30dd227cff75bdabaac2002a2b17095f3392a485
Author:     Alexander V. Chernikov <melif...@freebsd.org>
AuthorDate: 2023-01-22 16:57:36 +0000
Commit:     Alexander V. Chernikov <melif...@freebsd.org>
CommitDate: 2023-01-22 18:48:07 +0000

    netinet6: honor blackhole/unreach routes in the non-fastforwarding code.
    
    Currently, under the conditions specified below, IPv6 ingress packet
    processing can ignore blackhole/reject flag on the prefix. The packet
    will instead be looped locally till TTL expiration and a single ICMPv6
    unreachable message will be sent to the source even in case of
    RTF_BLACKHOLE.
    The following conditions need to hold to make the scenario happen:
    * IPv6 forwarding is enabled
    * Packet is not fast-forwarded
    * Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag
    Fix this behavior by checking for the blackhole/reject flags in
    ip6_forward().
    
    Reported by:    Dmitriy Smirnov <f...@sage.su>
    Reviewed by:    ae
    Differential Revision: https://reviews.freebsd.org/D38164
    MFC after:      3 days
---
 sys/netinet6/ip6_forward.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 5173415afda6..39c93ac35427 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -196,6 +196,15 @@ again:
                goto bad;
        }
 
+       if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) {
+               IP6STAT_INC(ip6s_cantforward);
+               if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) {
+                       icmp6_error(mcopy, ICMP6_DST_UNREACH,
+                           ICMP6_DST_UNREACH_REJECT, 0);
+               }
+               goto bad;
+       }
+
        /*
         * Source scope check: if a packet can't be delivered to its
         * destination for the reason that the destination is beyond the scope
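Review bot: in the NHF_BLACKHOLE branch mcopy is never consumed, since icmp6_error() is only called when NHF_REJECT is set, so this path relies on the `bad:` label releasing mcopy as well as m; please confirm it does, otherwise the ICMP copy leaks for every blackhole-routed packet that enters ip6_forward(). The asymmetry itself is correct and matches the commit message: reject routes answer with ICMP6_DST_UNREACH_REJECT, blackhole routes drop silently, and placing the check right after the route lookup at `again:` is what stops the packet from being looped locally until its hop limit expires. One small follow-up: the drop is accounted under ip6s_cantforward, which mixes it with other forwarding refusals; a dedicated counter would make blackholed traffic visible in `netstat -s` separately, but that is not required for this fix.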
