NetBSD-Bugs archive


Re: kern/52074: -current npf map directive broken



The following reply was made to PR kern/52074; it has been noted by GNATS.

From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/52074: -current npf map directive broken
Date: Tue, 16 May 2017 06:20:11 +0000

 Another.
 
    ------
 
 From: Roy Marples <roy%marples.name@localhost>
 To: Frank Kardel <kardel%netbsd.org@localhost>, Robert Elz <kre%munnari.OZ.AU@localhost>
 Cc: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>, netbsd-bugs%netbsd.org@localhost,
 	gnats-admin%netbsd.org@localhost, Christos Zoulas <christos%NetBSD.org@localhost>
 Subject: Re: kern/52074: -current npf map directive broken
 Date: Thu, 11 May 2017 10:47:28 +0100
 
 Hi Frank
 
 On 10/05/2017 10:11, Frank Kardel wrote:
 > On 05/10/17 00:45, Robert Elz wrote:
 >>      Date:        Sun, 07 May 2017 23:07:42 +0200
 >>      From:        Frank Kardel <kardel%netbsd.org@localhost>
 >>      Message-ID:  <590F8C9E.3040102%netbsd.org@localhost>
 >>
 >>    | From what I understand this code originally attempted to avoid sending
 >>    | from invalid/unusable local address (e. g. duplicate IP - error,
 >>    | tentative and detached should just be dropped).
 >>
 >> You also shouldn't be able to send from an address you don't own
 >> (generally - a router has to be able to forward, as distinct from
 >> originate, packets from anywhere of course).
 > You are correct - in this case (52074) we are looking at both aspects -
 > the local machine and the router/NAT box.
 > It is *not* about originating packets from anywhere. It is about
 > redirecting packets for non local targets to a locally existing proxy.
 
 I agree with Robert, we shouldn't be sending packets on the wire from an
 address we don't own.
 But you're not sending on the wire, are you?
 
 I think a check to satisfy us all would be to test for IP_FORWARDING on
 the packet or IFF_LOOPBACK on the outgoing interface - if either are
 true we can skip address validation.
 
 Thoughts?
 
 Roy
 
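 The source-address rule the thread converges on, written out as an added userland model in C (not NetBSD kernel code: the flag names mirror NetBSD's but their values, the address table and the verdict chosen for each address state are constructed here for illustration):

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed userland model; these are not the kernel's definitions. */
#define IP_FORWARDING   0x1   /* packet is being forwarded, not originated */
#define IFF_LOOPBACK    0x8   /* outgoing interface is the loopback */

/* Address states named in the thread (modelled on NetBSD's IN_IFF_* names). */
#define IN_IFF_TENTATIVE  0x01
#define IN_IFF_DUPLICATED 0x02
#define IN_IFF_DETACHED   0x04

struct local_addr { uint32_t addr; unsigned flags; };

enum src_verdict { SRC_OK, SRC_DROP, SRC_ERROR };

/*
 * Decide whether a packet with source 'src' may leave via an interface
 * with 'if_flags'. Roy's proposal: forwarded packets and loopback output
 * skip validation; otherwise the source must be an address we own, and an
 * unusable local address is handled the way Frank described.
 */
enum src_verdict
validate_source(uint32_t src, unsigned ip_flags, unsigned if_flags,
    const struct local_addr *addrs, size_t naddrs)
{
	if ((ip_flags & IP_FORWARDING) || (if_flags & IFF_LOOPBACK))
		return SRC_OK;
	for (size_t i = 0; i < naddrs; i++) {
		if (addrs[i].addr != src)
			continue;
		if (addrs[i].flags & IN_IFF_DUPLICATED)
			return SRC_ERROR;  /* duplicate IP: report an error */
		if (addrs[i].flags & (IN_IFF_TENTATIVE | IN_IFF_DETACHED))
			return SRC_DROP;   /* not (yet) usable: just drop */
		return SRC_OK;
	}
	return SRC_ERROR;  /* not an address we own: refuse to originate */
}

/* Constructed sample table: one usable, one tentative, one duplicate. */
static const struct local_addr sample_addrs[] = {
	{ 0xc0a80101u, 0 },                  /* 192.168.1.1, usable */
	{ 0xc0a80102u, IN_IFF_TENTATIVE },   /* 192.168.1.2, DAD pending */
	{ 0xc0a80103u, IN_IFF_DUPLICATED },  /* 192.168.1.3, conflict */
};
#define NSAMPLE (sizeof(sample_addrs) / sizeof(sample_addrs[0]))
```

 With the sample table, a packet sourced from 10.0.0.1 (not owned) is refused when originated locally but passes untouched once it carries IP_FORWARDING or goes out over loopback, which is the NAT/proxy case in PR 52074.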