Re: kern/52074: -current npf map directive broken

Hi Frank

On 10/05/2017 10:11, Frank Kardel wrote:
> On 05/10/17 00:45, Robert Elz wrote:
>>      Date:        Sun, 07 May 2017 23:07:42 +0200
>>      From:        Frank Kardel <>
>>      Message-ID:  <>
>>    | From what I understand this code originally attempted to avoid sending
>>    | from invalid/unusable local address (e.g. duplicate IP - error,
>>    | tentative and detached should just be dropped).
>> You also shouldn't be able to send from an address you don't own
>> (generally - a router has to be able to forward, as distinct from
>> originate, packets from anywhere of course).
> You are correct - in this case (52074) we are looking at both aspects -
> the local machine and the router/NAT box.
> It is *not* about originating packets from anywhere. It is about
> redirecting packets for non local targets to a locally existing proxy.

I agree with Robert, we shouldn't be sending packets on the wire from an
address we don't own.
But you're not sending on the wire are you?

I think a check to satisfy us all would be to test for IP_FORWARDING on
the packet or IFF_LOOPBACK on the outgoing interface - if either is
true we can skip address validation.
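
The check discussed in this thread, as an added stand-alone model; it is not NetBSD source and not code from any participant. The flag names are the ones used above, while their values, the address table, the verdict names and `check_source` are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag names as used in the thread; the values are local to this model. */
#define IP_FORWARDING 0x1   /* set on a packet that is being forwarded */
#define IFF_LOOPBACK  0x8   /* set on a loopback interface */

enum addr_state { ADDR_VALID, ADDR_TENTATIVE, ADDR_DUPLICATED, ADDR_DETACHED };
enum verdict { V_SEND, V_SEND_UNCHECKED, V_DROP, V_ERROR, V_NOT_OWNED };

struct local_addr { uint32_t addr; enum addr_state state; };

/* Constructed table of locally configured addresses (192.0.2.0/24). */
static const struct local_addr local_addrs[] = {
    { 0xC0000201u, ADDR_VALID },
    { 0xC0000202u, ADDR_TENTATIVE },
    { 0xC0000203u, ADDR_DUPLICATED },
    { 0xC0000204u, ADDR_DETACHED },
};

/* Hypothetical helper: decide what to do with an outgoing packet's source. */
static enum verdict
check_source(uint32_t src, int pkt_flags, int ifp_flags)
{
    size_t i;

    /* Proposed exemption: forwarded packets, and packets that leave via
     * loopback (e.g. redirected to a local proxy), skip validation. */
    if ((pkt_flags & IP_FORWARDING) || (ifp_flags & IFF_LOOPBACK))
        return V_SEND_UNCHECKED;

    /* Locally originated and bound for the wire: the source must be ours
     * and in a usable state. */
    for (i = 0; i < sizeof(local_addrs) / sizeof(local_addrs[0]); i++) {
        if (local_addrs[i].addr != src)
            continue;
        switch (local_addrs[i].state) {
        case ADDR_VALID:      return V_SEND;
        case ADDR_DUPLICATED: return V_ERROR;  /* duplicate IP: error */
        case ADDR_TENTATIVE:
        case ADDR_DETACHED:   return V_DROP;   /* silently dropped */
        }
    }
    return V_NOT_OWNED;  /* never originate from an address we don't own */
}
```
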



