On Thu, Jul 20, 2023 at 09:57:00PM +0200, Alexander Bluhm wrote:
> Hi,
> 
> I wonder why UDP echo does not work with inetd on 127.0.0.1.
> 
> Note that it is default off.  One of my regress machines has it
> enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
> expects that UDP echo works on 127.0.0.1.
> 
> It was disabled with this commit:
> ----------------------------
> revision 1.65
> date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
> be more paranoid about UDP-based echo services validation.  namely,
> reject the following sources:
>         0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
>         ff00::/8 ::/128
>         ::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
>         reserved port, or NFS port.
> hint from deraadt.
> ----------------------------
> 
> Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
> is broken.
> 
> I cannot see the security reason for disabling 127/8.
> Loops are prevented by blocking privileged ports.
> Echo to a local interface address through loopback is still allowed.
> The kernel checks that 127/8 does not come from extern.
> 127.0.0.1 should be handled like ::1 .
> 
> The feature was introduced together with IPv6 mapped addresses.
> See cvs diff -r1.64 -r1.65 inetd.c
> There it made sense to be paranoid about the IPv4 compatibility part
> of the IPv6 address.  But this feature has been removed for decades.
> So it could be a leftover.
> 
> Should we also disable ::1 IPv6?
> Or allow 127.0.0.1 only?
> Or remove the case 127 completely?
> 

It's better to have similar behaviour for both ipv4 and ipv6 cases. I
see no reason to disable localhost.

ok mvs

> bluhm
> 
> Index: usr.sbin/inetd/inetd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
> retrieving revision 1.164
> diff -u -p -r1.164 inetd.c
> --- usr.sbin/inetd/inetd.c    19 Apr 2023 12:58:16 -0000      1.164
> +++ usr.sbin/inetd/inetd.c    20 Jul 2023 19:52:39 -0000
> @@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
>               if (IN_MULTICAST(in.s_addr))
>                       goto bad;
>               switch ((in.s_addr & 0xff000000) >> 24) {
> -             case 0: case 127: case 255:
> +             case 0: case 255:
>                       goto bad;
>               }
>               if (dg_broadcast(&in))
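Review bot: the justification for dropping `case 127:` (the kernel already refuses 127/8 datagrams arriving on a non-loopback interface, and the reserved-port check below still prevents echo-to-echo loops) exists only in the mail, not in the code; add a one-line comment above the `switch` stating that loopback sources are intentionally accepted, matching the existing ::1 behaviour, so a future reader does not re-add 127 out of caution. Keeping `case 0:` and `case 255:` while removing 127 is consistent with the commit text quoted above, which never gave a loopback-specific threat.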
> 
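To make the source-validation rules from the quoted commit concrete, here is an added, self-contained C example (not inetd's own code; the function names `udp_source_is_bad` and `udp_source_is_bad_str` are hypothetical). It applies the post-diff rules: 0/8, 240/4, 255/8, multicast, reserved ports and the NFS port are rejected, while 127/8 is accepted like ::1. The interface-broadcast check (`dg_broadcast`) is left out because it needs the interface list.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define NFS_PORT 2049   /* standard NFS port, the "NFS port" of the commit */

/*
 * Return true when a UDP datagram from this source must not be answered
 * by an echo-style service.  Rules follow the quoted commit, minus 127/8,
 * which is now accepted (the kernel already rejects 127/8 coming from a
 * non-loopback interface).  Assumed example code, not inetd's dg_badinput().
 */
static bool
udp_source_is_bad(const struct sockaddr_in *sin)
{
	uint32_t addr = ntohl(sin->sin_addr.s_addr);
	uint16_t port = ntohs(sin->sin_port);

	/* Reserved ports host other services (echo, chargen, ...) that could
	 * bounce replies back and forth; NFS is special-cased by the commit. */
	if (port < IPPORT_RESERVED || port == NFS_PORT)
		return true;
	if (IN_MULTICAST(addr))		/* 224.0.0.0/4 */
		return true;
	switch (addr >> 24) {
	case 0:				/* 0.0.0.0/8 */
	case 255:			/* 255.0.0.0/8, limited broadcast */
		return true;
	}
	if ((addr >> 28) == 0xf)	/* 240.0.0.0/4, reserved */
		return true;
	return false;			/* 127/8 and ordinary unicast pass */
}

/* Convenience wrapper: build the sockaddr from text; unparsable is bad. */
static bool
udp_source_is_bad_str(const char *ip, uint16_t port)
{
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
		return true;
	return udp_source_is_bad(&sin);
}
```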
