Hi,

While hacking on https://reviews.freebsd.org/D49157 (netinet: Do not forward or ICMP response to INADDR_ANY) I found an inconsistency between the implementation and the description of the sysctl knobs net.inet.ip.allow_net{0, 240}:

net.inet.ip.allow_net240: Allow forwarding of and ICMP response to Experimental addresses, aka Class E (240/4)
net.inet.ip.allow_net0: Allow forwarding of and ICMP response to addresses in network 0/8

ip_forward() checks net240 and net0 via in_canforward(), but ip_tryforward(), well known as the fast forwarding path, has never done so since its initial version. Since 33872124a5cf (Replace the fastforward path with tryforward ...), the sysctl knob net.inet.ip.fastforwarding (default off) is removed and is effectively always on, so incoming packets are always checked via ip_tryforward(), hence bypassing the check of whether a packet is from / to net240 or net0. To put it simply, net.inet.ip.allow_net240 and net.inet.ip.allow_net0 do not actually control how FreeBSD forwards net240 / net0 traffic.

Given that this behavior (always forward net240 / net0) has existed since 2015 and predates net.inet.ip.allow_net240 and net.inet.ip.allow_net0, and it appears to have little impact to allow forwarding of traffic from / to net240 / net0, I think we probably have to keep this behavior rather than **FIX** it. So the description of the two sysctl knobs should be updated, as well as the two IETF drafts [1] and [2], to avoid any confusion.

[1] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-240
[2] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-0

What do you think?

Best regards,
Zhenlei
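For readers comparing the documented knob semantics with what the fast path does, below is an added userspace model of the per-address policy the two knobs are described as gating (unconditional refusal for multicast, link-local and loopback; 240/4 and 0/8 refused unless the knob is set). This is example code written for this page, not FreeBSD's in_canforward() or ip_tryforward(); the allow_net240 / allow_net0 globals stand in for the sysctl values.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Stand-ins for the sysctl knobs; both default to off, as in the base system. */
static int allow_net240 = 0;   /* net.inet.ip.allow_net240 */
static int allow_net0   = 0;   /* net.inet.ip.allow_net0   */

/* Address-class tests on a host-order IPv4 address. */
static int is_multicast(uint32_t h) { return (h & 0xf0000000u) == 0xe0000000u; } /* 224/4  */
static int is_linklocal(uint32_t h) { return (h & 0xffff0000u) == 0xa9fe0000u; } /* 169.254/16 */
static int is_loopback(uint32_t h)  { return (h & 0xff000000u) == 0x7f000000u; } /* 127/8  */
static int is_net240(uint32_t h)    { return (h & 0xf0000000u) == 0xf0000000u; } /* 240/4  */
static int is_net0(uint32_t h)      { return (h & 0xff000000u) == 0x00000000u; } /* 0/8    */

/* Documented policy: 1 = may be forwarded / answered with ICMP, 0 = refuse. */
int can_forward_host(uint32_t h)
{
    if (is_multicast(h) || is_linklocal(h) || is_loopback(h))
        return 0;                          /* never forwardable, no knob */
    if (is_net240(h) && !allow_net240)
        return 0;                          /* gated by allow_net240 */
    if (is_net0(h) && !allow_net0)
        return 0;                          /* gated by allow_net0 */
    return 1;
}

/* Same check on dotted-quad text; -1 if the string is not an IPv4 address. */
int can_forward_str(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    return can_forward_host(ntohl(a.s_addr));
}

int main(void)
{
    /* Constructed sample addresses covering each branch above. */
    const char *samples[] = { "10.1.2.3", "0.0.0.1", "240.0.0.1", "224.0.0.1", "127.0.0.1" };
    for (int knobs = 0; knobs < 2; knobs++) {
        allow_net240 = allow_net0 = knobs;
        printf("allow_net0=%d allow_net240=%d\n", allow_net0, allow_net240);
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("  %-10s -> %s\n", samples[i],
                   can_forward_str(samples[i]) == 1 ? "forward" : "refuse");
    }
    return 0;
}
```

With both knobs off, only 10.1.2.3 is forwardable; turning them on admits 0.0.0.1 and 240.0.0.1 while multicast and loopback stay refused.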