Date: Thu, 17 Jan 2002 08:02:01 -0800 (PST)
From: Aragon Gouveia <aragon@phat.za.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 127.0.0.0/8 not added to routing table by default
X-Send-Pr-Version: www-1.0

>Number:         33996
>Category:       misc
>Synopsis:       127.0.0.0/8 not added to routing table by default
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 17 08:10:00 PST 2002
>Closed-Date:    Mon Jan 21 06:03:20 PST 2002
>Last-Modified:  Mon Jan 21 06:04:27 PST 2002
>Originator:     Aragon Gouveia
>Release:        4.4
>Organization:
none
>Environment:
FreeBSD root.nis.za 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Dec  7 14:07:57 SAST 2001     root@root.nis.za:/usr/src/sys/compile/ROOT i386
>Description:
      The reserved 127.0.0.0/8 range is not added to FreeBSD's routing table with destination interface lo0 by default. Instead, only 127.0.0.1/32 is being routed to the loopback interface. Pinging, for example, 127.2.3.4 returns no response - in my case it tries to route via the default route out onto the net!
>How-To-Repeat:
      route -n get 127.2.3.4
>Fix:
      Not sure - thought it'd be a simple update to the rc scripts, but I couldn't find anything relevant in them :).
>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Aragon Gouveia <aragon@phat.za.net>
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Thu, 17 Jan 2002 18:20:01 +0200

 On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote:
 > 
 > 
 > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing
 > table with destination interface lo0 by default. Instead, only
 > 127.0.0.1/32 is being routed to the loopback interface. Pinging,
 > for example, 127.2.3.4 returns no response - in my case it tries
 > to route via the default route out onto the net!
 > 
 Nah, this is something that should be controlled with a firewall.
 The default ipfw(8) rules block this.  Also, the kernel function
 in_canforward() does not allow forwarding of IP packets with the
 destination address in the 127.0.0.0/8 range.
 
 Can this PR be closed now?
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age

From: "Aragon Gouveia" <aragon@phat.za.net>
To: "Ruslan Ermilov" <ru@FreeBSD.org>
Cc: <bug-followup@FreeBSD.org>
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Thu, 17 Jan 2002 18:40:55 +0200

 Hmm, ipfw? Are you referring to blocking incoming packets with 127.0.0.0/8
 as their source? What I mean to say is that any tcp/ip enabled machine
 should be routing the entire class A to its loopback interface. Pinging any
 127 address from that machine should yield a response, not just 127.0.0.1.
 
 
 Regards,
 Aragon
 
 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Aragon Gouveia <aragon@phat.za.net>
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Thu, 17 Jan 2002 18:57:56 +0200

 On Thu, Jan 17, 2002 at 06:40:55PM +0200, Aragon Gouveia wrote:
 > Hmm, ipfw? Are you referring to blocking incoming packets with 127.0.0.0/8
 > as their source?
 > 
 No, I said "destination address".  What I'm talking about here
 is a brief of section 5.3.7 (Martian Address Filtering) of the
 "Requirements for IP Version 4 Routers" RFC 1812.
 
 > What I mean to say is that any tcp/ip enabled machine
 > should be routing the entire class A to its loopback interface. Pinging any
 > 127 address from that machine should yield a response, not just 127.0.0.1.
 > 
 Neither this nor RFC 1122 say that ALL 127.* addresses should
 be replied to.  A loopback interface OTOH may have any of the
 addresses from the 127 network assigned, and response generated.
 
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age

From: "Crist J . Clark" <cjc@FreeBSD.ORG>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: bug-followup@FreeBSD.ORG
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Fri, 18 Jan 2002 01:22:34 -0800

 On Thu, Jan 17, 2002 at 08:30:02AM -0800, Ruslan Ermilov wrote:
 > The following reply was made to PR misc/33996; it has been noted by GNATS.
 > 
 > From: Ruslan Ermilov <ru@FreeBSD.org>
 > To: Aragon Gouveia <aragon@phat.za.net>
 > Cc: bug-followup@FreeBSD.org
 > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
 > Date: Thu, 17 Jan 2002 18:20:01 +0200
 > 
 >  On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote:
 >  > 
 >  > 
 >  > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing
 >  > table with destination interface lo0 by default. Instead, only
 >  > 127.0.0.1/32 is being routed to the loopback interface. Pinging,
 >  > for example, 127.2.3.4 returns no response - in my case it tries
 >  > to route via the default route out onto the net!
 >  > 
 >  Nah, this is something that should be controlled with a firewall.
 >  The default ipfw(8) rules block this.  Also, the kernel function
 >  in_canforward() does not allow forwarding of IP packets with the
 >  destination address in the 127.0.0.0/8 range.
 >  
 >  Can this PR be closed now?
 
 Well, there is a bug here. Have you ever actually tried,
 
   # ping 127.2.3.4
 
 And sniffed the wire? That is a Bad Thing. No machine should ever let
 127/8 on the wire. But I believe there is another PR on this.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: bug-followup@FreeBSD.ORG
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Fri, 18 Jan 2002 17:40:59 +0200

 On Fri, Jan 18, 2002 at 01:22:34AM -0800, Crist J . Clark wrote:
 > On Thu, Jan 17, 2002 at 08:30:02AM -0800, Ruslan Ermilov wrote:
 > > The following reply was made to PR misc/33996; it has been noted by GNATS.
 > > 
 > > From: Ruslan Ermilov <ru@FreeBSD.org>
 > > To: Aragon Gouveia <aragon@phat.za.net>
 > > Cc: bug-followup@FreeBSD.org
 > > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
 > > Date: Thu, 17 Jan 2002 18:20:01 +0200
 > > 
 > >  On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote:
 > >  > 
 > >  > 
 > >  > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing
 > >  > table with destination interface lo0 by default. Instead, only
 > >  > 127.0.0.1/32 is being routed to the loopback interface. Pinging,
 > >  > for example, 127.2.3.4 returns no response - in my case it tries
 > >  > to route via the default route out onto the net!
 > >  > 
 > >  Nah, this is something that should be controlled with a firewall.
 > >  The default ipfw(8) rules block this.  Also, the kernel function
 > >  in_canforward() does not allow forwarding of IP packets with the
 > >  destination address in the 127.0.0.0/8 range.
 > >  
 > >  Can this PR be closed now?
 > 
 > Well, there is a bug here. Have you ever actually tried,
 > 
 >   # ping 127.2.3.4
 > 
 > And sniffed the wire? That is a Bad Thing. No machine should ever let
 > 127/8 on the wire. But I believe there is another PR on this.
 > 
 Yes I tried, and I get EACCES from ipfw(4) because of these lines:
 
 00100 allow ip from any to any via lo0
 00200 deny ip from any to 127.0.0.0/8
 00300 deny ip from 127.0.0.0/8 to any
 
 :-)
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Fri, 18 Jan 2002 12:23:53 -0500 (EST)

 <<On Fri, 18 Jan 2002 01:30:02 -0800 (PST), "Crist J . Clark" <cjc@FreeBSD.ORG> said:
 
 >  And sniffed the wire? That is a Bad Thing. No machine should ever let
 >  127/8 on the wire. But I believe there is another PR on this.
 
 I would note that the IPv6 code *does* install a blackhole route for
 ::/96, IPv6's equivalent of 127/8:
 
         # disallow "internal" addresses to appear on the wire
         route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
         route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
 
 -GAWollman
 

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Fri, 18 Jan 2002 12:43:17 -0500 (EST)

 <<On Fri, 18 Jan 2002 07:50:04 -0800 (PST), Ruslan Ermilov <ru@FreeBSD.ORG> said:
 
 >  On Fri, Jan 18, 2002 at 01:22:34AM -0800, Crist J . Clark wrote:
 >> And sniffed the wire? That is a Bad Thing. No machine should ever let
 >> 127/8 on the wire. But I believe there is another PR on this.
 >> 
 >  Yes I tried, and I get EACCES from ipfw(4) because of these lines:
  
 Requiring packet filtering for correct operation is an error.
 
 -GAWollman

From: "Crist J . Clark" <cristjc@earthlink.net>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: bug-followup@FreeBSD.ORG
Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
Date: Fri, 18 Jan 2002 13:07:05 -0800

 On Fri, Jan 18, 2002 at 05:40:59PM +0200, Ruslan Ermilov wrote:
 > On Fri, Jan 18, 2002 at 01:22:34AM -0800, Crist J . Clark wrote:
 > > On Thu, Jan 17, 2002 at 08:30:02AM -0800, Ruslan Ermilov wrote:
 > > > The following reply was made to PR misc/33996; it has been noted by GNATS.
 > > > 
 > > > From: Ruslan Ermilov <ru@FreeBSD.org>
 > > > To: Aragon Gouveia <aragon@phat.za.net>
 > > > Cc: bug-followup@FreeBSD.org
 > > > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default
 > > > Date: Thu, 17 Jan 2002 18:20:01 +0200
 > > > 
 > > >  On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote:
 > > >  > 
 > > >  > 
 > > >  > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing
 > > >  > table with destination interface lo0 by default. Instead, only
 > > >  > 127.0.0.1/32 is being routed to the loopback interface. Pinging,
 > > >  > for example, 127.2.3.4 returns no response - in my case it tries
 > > >  > to route via the default route out onto the net!
 > > >  > 
 > > >  Nah, this is something that should be controlled with a firewall.
 > > >  The default ipfw(8) rules block this.  Also, the kernel function
 > > >  in_canforward() does not allow forwarding of IP packets with the
 > > >  destination address in the 127.0.0.0/8 range.
 > > >  
 > > >  Can this PR be closed now?
 > > 
 > > Well, there is a bug here. Have you ever actually tried,
 > > 
 > >   # ping 127.2.3.4
 > > 
 > > And sniffed the wire? That is a Bad Thing. No machine should ever let
 > > 127/8 on the wire. But I believe there is another PR on this.
 > > 
 > Yes I tried, and I get EACCES from ipfw(4) because of these lines:
 > 
 > 00100 allow ip from any to any via lo0
 > 00200 deny ip from any to 127.0.0.0/8
 > 00300 deny ip from 127.0.0.0/8 to any
 > 
 > :-)
 
 OK,
 
   # ipfw d 200
   # ping 127.2.3.4
 
 The point being that even without firewalling enabled, I don't think
 that packets destined for 127/8 should ever leave a host. Well, it's
 not just me who thinks so, it is a requirement (RFC1122),
 
             (g)  { 127, <any> }
 
                  Internal host loopback address.  Addresses of this form
                  MUST NOT appear outside a host.
 
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Mon Jan 21 06:03:20 PST 2002 
State-Changed-Why:  
Duplicate of PR misc/30792. 
Fixed in 5.0-CURRENT, sys/netinet/ip_output.c,v 1.148. 


Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Mon Jan 21 06:03:20 PST 2002 
Responsible-Changed-Why:  

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33996 
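
Added example, not part of the PR and not the FreeBSD change referenced above: a small C model of the disagreement in the thread, comparing the three ipfw rules quoted there (before and after `ipfw d 200`) with a stack-level check of the RFC 1122 rule that 127/8 must not appear outside a host. The struct and function names, the 192.0.2.10 source address, the `default_allow` parameter and the EADDRNOTAVAIL return value are assumptions of this sketch.

```c
/* Added illustration; not FreeBSD source. Addresses are in host byte order. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct pkt { uint32_t src, dst; int via_lo0; };  /* via_lo0: leaves through lo0 */

static int in_loopnet(uint32_t a) { return (a >> 24) == 127; }

/* Stack-level rule from RFC 1122 (g): 127/8 never leaves on a real interface.
 * EADDRNOTAVAIL is this sketch's choice of error, not taken from the PR. */
int output_check(const struct pkt *p)
{
    if ((in_loopnet(p->src) || in_loopnet(p->dst)) && !p->via_lo0)
        return EADDRNOTAVAIL;
    return 0;
}

enum addr { ANY, LOOPNET };
struct rule { int num, allow; enum addr src, dst; int via_lo0; };

static const struct rule rules[] = {
    { 100, 1, ANY,     ANY,     1 },  /* allow ip from any to any via lo0 */
    { 200, 0, ANY,     LOOPNET, 0 },  /* deny ip from any to 127.0.0.0/8  */
    { 300, 0, LOOPNET, ANY,     0 },  /* deny ip from 127.0.0.0/8 to any  */
};

/* First-match evaluation; `deleted` models `ipfw d <num>` (0 = none).
 * Returns 0 if passed, EACCES if denied (the errno reported in the thread). */
int filter_check(const struct pkt *p, int deleted, int default_allow)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->num == deleted || (r->via_lo0 && !p->via_lo0)) continue;
        if (r->src == LOOPNET && !in_loopnet(p->src)) continue;
        if (r->dst == LOOPNET && !in_loopnet(p->dst)) continue;
        return r->allow ? 0 : EACCES;
    }
    return default_allow ? 0 : EACCES;
}

int main(void)
{
    struct pkt ping = { IP4(192, 0, 2, 10), IP4(127, 2, 3, 4), 0 };  /* constructed */
    printf("rules intact: %d, rule 200 deleted: %d, stack check: %d\n",
           filter_check(&ping, 0, 1), filter_check(&ping, 200, 1), output_check(&ping));
    return 0;
}
```

With rule 200 deleted and an open default, the filter passes the constructed packet toward the wire, while the stack-level check rejects it regardless of the firewall configuration.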
>Unformatted:
