NetBSD-Bugs archive
Re: kern/52074: -current npf map directive broken
Hi Frank
On 10/05/2017 10:11, Frank Kardel wrote:
> On 05/10/17 00:45, Robert Elz wrote:
>> Date: Sun, 07 May 2017 23:07:42 +0200
>> From: Frank Kardel <kardel%netbsd.org@localhost>
>> Message-ID: <590F8C9E.3040102%netbsd.org@localhost>
>>
>> | From what I understand this code originally attempted to avoid sending
>> | from invalid/unusable local address (e. g. duplicate IP - error,
>> | tentative and detached should just be dropped).
>>
>> You also shouldn't be able to send from an address you don't own
>> (generally - a router has to be able to forward, as distinct from
>> originate, packets from anywhere of course).
> You are correct - in this case (52074) we are looking at both aspects -
> the local machine and the router/NAT box.
> It is *not* about originating packets from anywhere. It is about
> redirecting packets for non local targets to a locally existing proxy.
I agree with Robert, we shouldn't be sending packets on the wire from an
address we don't own.
But you're not sending on the wire, are you?
I think a check to satisfy us all would be to test for IP_FORWARDING on
the packet or IFF_LOOPBACK on the outgoing interface - if either is
true we can skip address validation.
Thoughts?
Roy
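The check Roy proposes, written out as an added userland model (this is illustrative code, not NetBSD's kernel or npf source): forwarded packets and packets leaving via a loopback interface bypass source-address validation, while locally originated packets must come from an address the host owns and can use. The flag values, address table and state names are constructed for the example and only stand in for NetBSD's IP_FORWARDING, IFF_LOOPBACK and per-address states.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel flags named in the thread. */
#define M_IP_FORWARDING 0x1u   /* packet is being forwarded, not originated */
#define M_IFF_LOOPBACK  0x1u   /* outgoing interface never reaches the wire */

/* Address states the thread distinguishes: duplicate is an error,
 * tentative/detached are silently dropped, OK may send. */
enum addr_state { ADDR_OK, ADDR_TENTATIVE, ADDR_DETACHED, ADDR_DUPLICATE };
enum verdict { SEND, DROP, ERROR };

struct local_addr { const char *ip; enum addr_state state; };

/* Constructed table of addresses this host "owns" (documentation range). */
static const struct local_addr addr_table[] = {
    { "192.0.2.10", ADDR_OK },
    { "192.0.2.11", ADDR_TENTATIVE },
    { "192.0.2.12", ADDR_DETACHED },
    { "192.0.2.13", ADDR_DUPLICATE },
};

static const struct local_addr *lookup_local(const char *src)
{
    size_t n = sizeof addr_table / sizeof addr_table[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(addr_table[i].ip, src) == 0)
            return &addr_table[i];
    return NULL;
}

/* Decide whether a packet with source `src` may leave.  Forwarding and
 * loopback skip validation entirely (a router relays packets it did not
 * originate; a redirect to a local proxy never hits the wire).  Anything
 * else must be sourced from an owned, usable address. */
enum verdict check_source(unsigned pkt_flags, unsigned if_flags, const char *src)
{
    if ((pkt_flags & M_IP_FORWARDING) || (if_flags & M_IFF_LOOPBACK))
        return SEND;
    const struct local_addr *a = lookup_local(src);
    if (a == NULL)
        return DROP;                 /* not an address we own */
    switch (a->state) {
    case ADDR_OK:        return SEND;
    case ADDR_DUPLICATE: return ERROR;
    default:             return DROP; /* tentative or detached */
    }
}
```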