From 30dd227cff75bdabaac2002a2b17095f3392a485 Mon Sep 17 00:00:00 2001 From: "Alexander V. Chernikov" Date: Sun, 22 Jan 2023 16:57:36 +0000 Subject: [PATCH] netinet6: honor blackhole/unreach routes in the non-fastforwading code. Currently, under the conditions specified below, IPv6 ingress packet processing can ignore blackhole/reject flag on the prefix. The packet will instead be looped locally till TTL expiration and a single ICMPv6 unreachable message will be send to the source even in case of RTF_BLACKHOLE. The following conditions needs hold to make the scenario happen: * IPv6 forwarding is enabled * Packet is not fast-forwarded * Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag Fix this behavior by checking for the blackhole/reject flags in ip6_forward(). Reported by: Dmitriy Smirnov Reviewed by: ae Differential Revision: https://reviews.freebsd.org/D38164 MFC after: 3 days --- sys/netinet6/ip6_forward.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 5173415afda6..39c93ac35427 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -196,6 +196,15 @@ ip6_forward(struct mbuf *m, int srcrt) goto bad; } + if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) { + IP6STAT_INC(ip6s_cantforward); + if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) { + icmp6_error(mcopy, ICMP6_DST_UNREACH, + ICMP6_DST_UNREACH_REJECT, 0); + } + goto bad; + } + /* * Source scope check: if a packet can't be delivered to its * destination for the reason that the destination is beyond the scope