netinet6: allow disabling excess log messages
RFC 4443 specifies cases where certain packets, like those originating from local-scope addresses destined outside of the scope shouldn't be forwarded. The current practice is to drop them, send ICMPv6 message where appropriate, and log the message: cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2 At times the volume of such messages cat get very high. Let's allow local admins to disable such messages on per vnet basis, keeping the current default (log). Reported by: zarychtam@plan-b.pwste.edu.pl Reviewed by: zlei (previous version), pauamma (docs) Differential Revision: https://reviews.freebsd.org/D38644
This commit is contained in:
parent
fc76ddee9b
commit
3eaffc6265
|
@ -29,7 +29,7 @@
|
|||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 12, 2021
|
||||
.Dd February 22, 2023
|
||||
.Dt INET6 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -185,7 +185,9 @@ The
|
|||
.Tn ICMPv6
|
||||
message protocol is accessible from a raw socket.
|
||||
.Ss MIB Variables
|
||||
A number of variables are implemented in the net.inet6 branch of the
|
||||
A number of variables are implemented in the
|
||||
.Va net.inet6
|
||||
branch of the
|
||||
.Xr sysctl 3
|
||||
MIB.
|
||||
In addition to the variables supported by the transport protocols
|
||||
|
@ -341,6 +343,11 @@ mapped address on
|
|||
.Dv AF_INET6
|
||||
sockets.
|
||||
Defaults to on.
|
||||
.It Va ip6.log_cannot_forward
|
||||
Boolean: log packets that can't be forwarded because of unspecified source
|
||||
address or destination address beyond the scope of the source address as
|
||||
described in RFC4443.
|
||||
Enabled by default.
|
||||
.It Va ip6.source_address_validation
|
||||
Boolean: perform source address validation for packets destined for the local
|
||||
host.
|
||||
|
@ -440,6 +447,15 @@ sockets.
|
|||
.Xr ip6 4 ,
|
||||
.Xr tcp 4 ,
|
||||
.Xr udp 4
|
||||
.Rs
|
||||
.%A A. Conta
|
||||
.%A S. Deering
|
||||
.%A M. Gupta
|
||||
.%T "Internet Control Message Protocol (ICMPv6) for the Internet" \
|
||||
"Protocol Version 6 (IPv6) Specification"
|
||||
.%R RFC 4443
|
||||
.%D March 2006
|
||||
.Re
|
||||
.Sh STANDARDS
|
||||
.Rs
|
||||
.%A Tatsuya Jinmei
|
||||
|
|
|
@ -179,6 +179,7 @@ VNET_DEFINE(int, ip6stealth) = 0;
|
|||
#endif
|
||||
VNET_DEFINE(int, nd6_onlink_ns_rfc4861) = 0;/* allow 'on-link' nd6 NS
|
||||
* (RFC 4861) */
|
||||
VNET_DEFINE(bool, ip6_log_cannot_forward) = 1;
|
||||
|
||||
/* icmp6 */
|
||||
/*
|
||||
|
@ -342,6 +343,10 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_VNET | CTLFLAG_RW,
|
|||
&VNET_NAME(ip6stealth), 0,
|
||||
"Forward IPv6 packets without decrementing their TTL");
|
||||
#endif
|
||||
SYSCTL_BOOL(_net_inet6_ip6, OID_AUTO,
|
||||
log_cannot_forward, CTLFLAG_VNET | CTLFLAG_RW,
|
||||
&VNET_NAME(ip6_log_cannot_forward), 1,
|
||||
"Log packets that cannot be forwarded");
|
||||
|
||||
/* net.inet6.icmp6 */
|
||||
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept,
|
||||
|
|
|
@ -114,7 +114,8 @@ ip6_forward(struct mbuf *m, int srcrt)
|
|||
IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
|
||||
IP6STAT_INC(ip6s_cantforward);
|
||||
/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
|
||||
if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
|
||||
if (V_ip6_log_cannot_forward &&
|
||||
(V_ip6_log_time + V_ip6_log_interval < time_uptime)) {
|
||||
V_ip6_log_time = time_uptime;
|
||||
log(LOG_DEBUG,
|
||||
"cannot forward "
|
||||
|
@ -221,7 +222,8 @@ again:
|
|||
IP6STAT_INC(ip6s_badscope);
|
||||
in6_ifstat_inc(nh->nh_ifp, ifs6_in_discard);
|
||||
|
||||
if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
|
||||
if (V_ip6_log_cannot_forward &&
|
||||
(V_ip6_log_time + V_ip6_log_interval < time_uptime)) {
|
||||
V_ip6_log_time = time_uptime;
|
||||
log(LOG_DEBUG,
|
||||
"cannot forward "
|
||||
|
|
|
@ -1099,7 +1099,8 @@ X_ip6_mforward(struct ip6_hdr *ip6, struct ifnet *ifp, struct mbuf *m)
|
|||
*/
|
||||
if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
|
||||
IP6STAT_INC(ip6s_cantforward);
|
||||
if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
|
||||
if (V_ip6_log_cannot_forward &&
|
||||
(V_ip6_log_time + V_ip6_log_interval < time_uptime)) {
|
||||
V_ip6_log_time = time_uptime;
|
||||
log(LOG_DEBUG,
|
||||
"cannot forward "
|
||||
|
|
|
@ -339,6 +339,9 @@ VNET_DECLARE(int, nd6_ignore_ipv6_only_ra);
|
|||
#define V_nd6_ignore_ipv6_only_ra VNET(nd6_ignore_ipv6_only_ra)
|
||||
#endif
|
||||
|
||||
VNET_DECLARE(bool, ip6_log_cannot_forward);
|
||||
#define V_ip6_log_cannot_forward VNET(ip6_log_cannot_forward)
|
||||
|
||||
extern struct pr_usrreqs rip6_usrreqs;
|
||||
struct sockopt;
|
||||
|
||||
|
|
Loading…
Reference in New Issue