From babolo@links.ru  Fri Nov  9 20:05:38 2001
Return-Path: <babolo@links.ru>
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37])
	by hub.freebsd.org (Postfix) with ESMTP id 321C937B41A
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  9 Nov 2001 20:05:37 -0800 (PST)
Received: (from babolo@localhost)
	by aaz.links.ru (8.9.3/8.9.3) id HAA12504;
	Sat, 10 Nov 2001 07:11:26 +0300 (MSK)
Message-Id: <200111100411.HAA12504@aaz.links.ru>
Date: Sat, 10 Nov 2001 07:11:26 +0300 (MSK)
From: .@babolo.ru
Reply-To: .@babolo.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: Change mask of loopback net breaks compatibility with older versions
X-Send-Pr-Version: 3.2

>Number:         31891
>Category:       kern
>Synopsis:       Change mask of loopback net breaks compatibility with older versions
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 09 20:10:02 PST 2001
>Closed-Date:    Thu Nov 15 02:11:28 PST 2001
>Last-Modified:  Thu Nov 15 12:30:00 PST 2001
>Originator:     Aleksandr A. Babaylov
>Release:        FreeBSD 4.4
>Organization:
home
>Environment:

	FreeBSD cicuta.babolo.ru 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Oct  6 21:36:53 MSD 2001     babolo@cicuta.babolo.ru:/tmp/babolo/usr/src/sys/cicuta  i386


>Description:

There was 4.2 RELEASE, where packets with 127.0.0.0/24 source address
were dropped on input interfaces. Now it has changed to 127.0.0.0/8,
which is incompatible with the old configuration.
This net - 127.0.0.0/8 - is extremely useful
as a private net in a clustering environment,
so I propose a configuration variable MYLOOP_MASKLEN,
with a default meaning that conforms to RFC1122

>How-To-Repeat:

Try P2P addresses in 127.0.0.0/8 net.

>Fix:
	

--- sys/netinet/myloop_masklen.h	Sun Aug 26 04:51:23 2001
+++ sys/netinet/myloop_masklen.h	Sun Aug 26 04:51:14 2001
@@ -0,0 +1,7 @@
+#include "opt_myloop_masklen.h"
+
+#ifndef MYLOOP_MASKLEN
+#define	IN_MY_LOOP(i)		(((u_int32_t)(i) & IN_CLASSA_NET) == (IN_LOOPBACKNET << IN_CLASSA_NSHIFT))
+#else
+#define	IN_MY_LOOP(i)		(((u_int32_t)(i) & (INADDR_BROADCAST << (32 - MYLOOP_MASKLEN))) == (IN_LOOPBACKNET << IN_CLASSA_NSHIFT))
+#endif
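Review bot: The MYLOOP_MASKLEN branch of IN_MY_LOOP has no range check, so a value below 8 makes `(INADDR_BROADCAST << (32 - MYLOOP_MASKLEN))` clear bits of the first octet and the comparison against `IN_LOOPBACKNET << IN_CLASSA_NSHIFT` can then never be true, which silently disables the loopback-on-wire filter rather than narrowing it; a value of 0 shifts a 32-bit value by 32, which is undefined. Add after the `#include`: `#if defined(MYLOOP_MASKLEN) && (MYLOOP_MASKLEN < 8 || MYLOOP_MASKLEN > 32)` / `#error "MYLOOP_MASKLEN must be in the range 8..32"` / `#endif`. The header also has no include guard and depends on <netinet/in.h> having been included first for IN_CLASSA_NET, IN_LOOPBACKNET and INADDR_BROADCAST; a guard plus a one-line comment stating that ordering requirement would make the dependency explicit.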
--- sys/netinet/in.c	Mon Aug 13 20:26:17 2001
+++ sys/netinet/in.c	Sun Aug 26 04:52:53 2001
@@ -48,6 +48,7 @@
 #include <net/route.h>
 
 #include <netinet/in.h>
+#include <netinet/myloop_masklen.h>
 #include <netinet/in_var.h>
 #include <netinet/in_pcb.h>
 
@@ -112,11 +113,11 @@
 	register u_long i = ntohl(in.s_addr);
 	register u_long net;
 
-	if (IN_EXPERIMENTAL(i) || IN_MULTICAST(i))
+	if (IN_EXPERIMENTAL(i) || IN_MULTICAST(i) || IN_MY_LOOP(i))
 		return (0);
 	if (IN_CLASSA(i)) {
 		net = i & IN_CLASSA_NET;
-		if (net == 0 || net == (IN_LOOPBACKNET << IN_CLASSA_NSHIFT))
+		if (net == 0)
 			return (0);
 	}
 	return (1);
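Review bot: The removed class-A test `net == (IN_LOOPBACKNET << IN_CLASSA_NSHIFT)` is now covered only by `IN_MY_LOOP(i)` in the first condition, so when MYLOOP_MASKLEN is narrowed, addresses inside 127/8 but outside 127/MYLOOP_MASKLEN become forwardable, and nothing in the hunk records that consequence. When MYLOOP_MASKLEN is undefined the macro reduces to the same class-A test, so default behaviour appears unchanged. A comment on the new condition would help: `/* IN_MY_LOOP() replaces the 127/8 test below; with MYLOOP_MASKLEN set, the rest of 127/8 is forwardable */`. The enclosing function (presumably in_canforward, given the ip_icmp.c caller) starts and ends outside the hunk.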
--- sys/netinet/ip_icmp.c	Tue Jul  3 15:01:46 2001
+++ sys/netinet/ip_icmp.c	Sun Aug 26 04:53:46 2001
@@ -50,6 +50,7 @@
 
 #define _IP_VHL
 #include <netinet/in.h>
+#include <netinet/myloop_masklen.h>
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
@@ -612,8 +613,7 @@
 	int optlen = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof(struct ip);
 
 	if (!in_canforward(ip->ip_src) &&
-	    ((ntohl(ip->ip_src.s_addr) & IN_CLASSA_NET) !=
-	     (IN_LOOPBACKNET << IN_CLASSA_NSHIFT))) {
+            !IN_MY_LOOP(ntohl(ip->ip_src.s_addr))) {
 		m_freem(m);	/* Bad return address */
 		goto done;	/* Ip_output() will check for broadcast */
 	}
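Review bot: The new continuation line `!IN_MY_LOOP(ntohl(ip->ip_src.s_addr))) {` is indented with spaces only, while the two lines it replaces and the surrounding code use a tab followed by four spaces for continuation, as kernel style(9) expects. Re-indent it to match: a leading tab plus four spaces before `!IN_MY_LOOP(...)`. The enclosing function starts outside the hunk.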
--- sys/netinet/ip_input.c	Thu Jul 19 10:37:26 2001
+++ sys/netinet/ip_input.c	Sun Aug 26 04:54:13 2001
@@ -65,6 +65,7 @@
 #include <net/intrq.h>
 
 #include <netinet/in.h>
+#include <netinet/myloop_masklen.h>
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
@@ -347,8 +348,9 @@
 	}
 
 	/* 127/8 must not appear on wire - RFC1122 */
-	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
-	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+	/* Local change: 127/MYLOOP_MASKLEN */
+	if (IN_MY_LOOP(ntohl(ip->ip_dst.s_addr)) ||
+	    IN_MY_LOOP(ntohl(ip->ip_src.s_addr))) {
 		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
 			ipstat.ips_badaddr++;
 			goto bad;
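Review bot: The retained comment `/* 127/8 must not appear on wire - RFC1122 */` now contradicts the check beneath it whenever MYLOOP_MASKLEN is set, and the added `/* Local change: 127/MYLOOP_MASKLEN */` leaves the reader to reconcile the two. Merge them into one comment: `/* 127/8 must not appear on wire - RFC1122. With MYLOOP_MASKLEN set, only 127/MYLOOP_MASKLEN is rejected here and the rest of 127/8 is accepted from non-loopback interfaces. */`. With MYLOOP_MASKLEN undefined, IN_MY_LOOP is equivalent to the old `>> IN_CLASSA_NSHIFT == IN_LOOPBACKNET` test, so the default path looks behaviour-preserving. The enclosing function starts and ends outside the hunk.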
--- sys/i386/conf/LINT	Wed Aug 15 05:23:49 2001
+++ sys/i386/conf/LINT	Sun Aug 26 02:02:45 2001
@@ -425,6 +425,11 @@
 # mchain library. It can be either loaded as KLD or compiled into kernel
 options 	LIBMCHAIN		#mbuf management library
 
+# Usually kernel must to drop any external packet with src in 127/8
+# But it is useful in clusters narrow this mask in kernel to use
+# some nets in 127/8 for kernels interoperate in cluster.
+options 	MYLOOP_MASKLEN=8
+
 # netgraph(4). Enable the base netgraph code with the NETGRAPH option.
 # Individual node types can be enabled with the corresponding option
 # listed below; however, this is not strictly necessary as netgraph
--- sys/conf/options	Fri Aug  3 04:47:27 2001
+++ sys/conf/options	Sun Aug 26 02:09:29 2001
@@ -272,6 +272,8 @@
 TCPDEBUG
 TCP_DROP_SYNFIN		opt_tcp_input.h
 XBONEHACK
+# For interconnect beetween kernels in cluster
+MYLOOP_MASKLEN
 
 # Netgraph(4). Use option NETGRAPH to enable the base netgraph code.
 # Each netgraph node type can be either be compiled into the kernel
>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <cristjc@earthlink.net>
To: .@babolo.ru
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/31891: Change mask of loopback net breaks compatibility with older versions
Date: Thu, 15 Nov 2001 01:58:48 -0800

 On Sat, Nov 10, 2001 at 07:11:26AM +0300, .@babolo.ru wrote:
 [snip]
 
 > >Description:
 > 
 > There was 4.2 RELEASE, where packets with 127.0.0.0/24 source address
 > droped on input interfaces. Now it changed to 127.0.0.0/8,
 > which is incombatible with old configuration.
 > This net - 127.0.0.0/8 is extremly useful
 > as private net in clustering environment,
 > so I propose configuration variable MYLOOP_MASKLEN,
 > with default meaning that conforms RFC1122
 > 
 > >How-To-Repeat:
 > 
 > Try P2P addresses in 127.0.0.0/8 net.
 
 This is a feature, not a bug. See RFC1122, "Requirements for Internet
 Hosts,"
 
             (g)  { 127, <any> }
 
                  Internal host loopback address.  Addresses of this form
                  MUST NOT appear outside a host.
 
 The 127/8 is never valid when coming from another host.
 
 Do not use 127/8 as a private network, that's what RFC1918 addresses
 are for.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
State-Changed-From-To: open->closed 
State-Changed-By: cjc 
State-Changed-When: Thu Nov 15 02:11:28 PST 2001 
State-Changed-Why:  
The reported problem is RFC-compliant behavior, not a bug. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31891 

From: .@babolo.ru
To: cjclark@alum.mit.edu
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/31891: Change mask of loopback net breaks compatibility with older versions
Date: Thu, 15 Nov 2001 19:23:11 +0300 (MSK)

 Crist J. Clark writes:
 > On Sat, Nov 10, 2001 at 07:11:26AM +0300, .@babolo.ru wrote:
 > [snip]
 > 
 > > >Description:
 > > 
 > > There was 4.2 RELEASE, where packets with 127.0.0.0/24 source address
 > > droped on input interfaces. Now it changed to 127.0.0.0/8,
 > > which is incombatible with old configuration.
 > > This net - 127.0.0.0/8 is extremly useful
 > > as private net in clustering environment,
 > > so I propose configuration variable MYLOOP_MASKLEN,
 > > with default meaning that conforms RFC1122
 > > 
 > > >How-To-Repeat:
 > > 
 > > Try P2P addresses in 127.0.0.0/8 net.
 > 
 > This is a feature, not a bug. See RFC1122, "Requirements for Internet
 > Hosts,"
 > 
 >             (g)  { 127, <any> }
 > 
 >                  Internal host loopback address.  Addresses of this form
 >                  MUST NOT appear outside a host.
 > 
 > The 127/8 is never valid when coming from another host.
 > 
 > Do not use 127/8 as a private network, that's what RFC1918 addresses
 > are for.
 OK.
 Lets it be feature.
 Consider please case where more then one
 kernel looks for outside world as one entity.
 May be name "cluster" is good enough in this case.
 There no protection beetween kernels in such
 environment and use of 127.X nets for interface
 inside cluster somehow protects from outside world.
 Yes, I remember another means too.
 
 Sorry my English is bad.
 
 -- 
 @BABOLO      http://links.ru/

From: "Crist J. Clark" <cristjc@earthlink.net>
To: .@babolo.ru
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/31891: Change mask of loopback net breaks compatibility with older versions
Date: Thu, 15 Nov 2001 12:23:51 -0800

 On Thu, Nov 15, 2001 at 07:23:11PM +0300, .@babolo.ru wrote:
 > Crist J. Clark writes:
 > > On Sat, Nov 10, 2001 at 07:11:26AM +0300, .@babolo.ru wrote:
 > > [snip]
 > > 
 > > > >Description:
 > > > 
 > > > There was 4.2 RELEASE, where packets with 127.0.0.0/24 source address
 > > > droped on input interfaces. Now it changed to 127.0.0.0/8,
 > > > which is incombatible with old configuration.
 > > > This net - 127.0.0.0/8 is extremly useful
 > > > as private net in clustering environment,
 > > > so I propose configuration variable MYLOOP_MASKLEN,
 > > > with default meaning that conforms RFC1122
 > > > 
 > > > >How-To-Repeat:
 > > > 
 > > > Try P2P addresses in 127.0.0.0/8 net.
 > > 
 > > This is a feature, not a bug. See RFC1122, "Requirements for Internet
 > > Hosts,"
 > > 
 > >             (g)  { 127, <any> }
 > > 
 > >                  Internal host loopback address.  Addresses of this form
 > >                  MUST NOT appear outside a host.
 > > 
 > > The 127/8 is never valid when coming from another host.
 > > 
 > > Do not use 127/8 as a private network, that's what RFC1918 addresses
 > > are for.
 > OK.
 > Lets it be feature.
 > Consider please case where more then one
 > kernel looks for outside world as one entity.
 > May be name "cluster" is good enough in this case.
 > There no protection beetween kernels in such
 > environment and use of 127.X nets for interface
 > inside cluster somehow protects from outside world.
 
 Using 127/8 affords no more "protection" from the outside world than
 using an RFC1918 network. None of those networks is routed on the
 Internet-at-large. Of course, none of that will protect you from
 source routing. For a cluster as you describe, I would recommend a
 firewall or better yet, disconnection from public networks.
 
 But in any case, the Internet Standard is clear. 127/8 packets must
 not ever be seen outside of a host. You should never see those
 crossing a physical interface. It makes even less sense to treat
 127/24 or some subnet of 127/8 like this, but not 127/8 as a whole.
 Of course, you can feel free to break any standards you wish on your
 own network (but don't complain too much when things stop working);
 you already have the patches to do so. But I don't think there is any
 desire to incorporate them into the base FreeBSD IP stack.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
>Unformatted:
