NetBSD-Bugs archive


Re: kern/52074: -current npf map directive broken

The following reply was made to PR kern/52074; it has been noted by GNATS.

From: David Holland <>
Subject: Re: kern/52074: -current npf map directive broken
Date: Tue, 16 May 2017 06:20:11 +0000

 From: Roy Marples <>
 To: Frank Kardel <>, Robert Elz <kre%munnari.OZ.AU@localhost>
 Cc: Mindaugas Rasiukevicius <>,,, Christos Zoulas <>
 Subject: Re: kern/52074: -current npf map directive broken
 Date: Thu, 11 May 2017 10:47:28 +0100
 Hi Frank,
 On 10/05/2017 10:11, Frank Kardel wrote:
 > On 05/10/17 00:45, Robert Elz wrote:
 >>      Date:        Sun, 07 May 2017 23:07:42 +0200
 >>      From:        Frank Kardel <>
 >>      Message-ID:  <>
 >>    | From what I understand this code originally attempted to avoid sending
 >>    | from invalid/unusable local address (e.g. duplicate IP - error,
 >>    | tentative and detached should just be dropped).
 >> You also shouldn't be able to send from an address you don't own
 >> (generally - a router has to be able to forward, as distinct from
 >> originate, packets from anywhere of course).
 > You are correct - in this case (52074) we are looking at both aspects -
 > the local machine and the router/NAT box.
 > It is *not* about originating packets from anywhere. It is about
 > redirecting packets for non local targets to a locally existing proxy.
 I agree with Robert, we shouldn't be sending packets on the wire from an
 address we don't own.
 But you're not sending on the wire, are you?
 I think a check to satisfy us all would be to test for IP_FORWARDING on
 the packet or IFF_LOOPBACK on the outgoing interface - if either are
 true we can skip address validation.
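A small C model of the source-address check as the thread describes it (duplicate -> error, tentative/detached -> drop) with Roy's proposed exception for forwarded or loopback traffic, added here as an illustration and not code from NetBSD or from anyone in the thread. The address states, the flag constants, the address table and the decision to refuse a source the host does not own are assumptions of the model, not the kernel's actual data structures.

```c
#include <stddef.h>
#include <stdint.h>

/* Address states named in the thread; modelled here, not NetBSD's in_ifaddr flags. */
enum addr_state { ADDR_OK, ADDR_DUPLICATED, ADDR_TENTATIVE, ADDR_DETACHED };
/* Packet and interface flags, modelled after the names used in the thread. */
#define PKT_IP_FORWARDING 0x1u   /* packet is being forwarded, not originated here */
#define IF_IFF_LOOPBACK   0x1u   /* outgoing interface is loopback */
enum verdict { SEND, DROP, ERROR };
struct local_addr { uint32_t addr; enum addr_state state; };

/* Constructed table of addresses the host owns (values are arbitrary). */
static const struct local_addr g_local[] = {
    { 0x0a000001u, ADDR_OK },          /* 10.0.0.1, usable */
    { 0x0a000002u, ADDR_DUPLICATED },  /* 10.0.0.2, DAD found a duplicate */
    { 0x0a000003u, ADDR_TENTATIVE },   /* 10.0.0.3, DAD still running */
    { 0x0a000004u, ADDR_DETACHED },    /* 10.0.0.4, link not attached */
};
#define NLOCAL (sizeof g_local / sizeof g_local[0])

/* Returns the matching local address entry, or NULL if the host does not own it. */
static const struct local_addr *lookup_src(uint32_t src)
{
    for (size_t i = 0; i < NLOCAL; i++)
        if (g_local[i].addr == src)
            return &g_local[i];
    return NULL;
}

/* Decide whether an outgoing packet may use src as its source address. */
enum verdict validate_source(uint32_t src, unsigned pkt_flags, unsigned if_flags)
{
    /* Roy's proposed exception: a forwarded packet, or one that never leaves the
     * box because it goes out on loopback (the NPF redirect-to-local-proxy case),
     * skips source validation entirely. */
    if ((pkt_flags & PKT_IP_FORWARDING) || (if_flags & IF_IFF_LOOPBACK))
        return SEND;
    const struct local_addr *la = lookup_src(src);
    if (la == NULL)
        return ERROR;   /* assumption: an address we don't own is refused */
    switch (la->state) {
    case ADDR_OK:         return SEND;
    case ADDR_DUPLICATED: return ERROR; /* duplicate IP: report an error */
    case ADDR_TENTATIVE:
    case ADDR_DETACHED:   return DROP;  /* not usable yet: silently drop */
    }
    return ERROR;
}
```

With the exception in place, a packet carrying a foreign source address is refused on a real interface but allowed when the outgoing interface is loopback or the packet is being forwarded.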
