Bug 246748 - feature wish: reply_from_interface and reply_src sysctl for IPv6
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-net (Nobody)
Keywords: feature, ipv6
Reported: 2020-05-26 11:24 UTC by Gert Doering
Modified: 2020-06-09 09:31 UTC
Description Gert Doering 2020-05-26 11:24:13 UTC
IPv4 has the "net.inet.icmp.reply_from_interface" and "net.inet.icmp.reply_src" sysctls to influence source address selection for generated ICMP error responses (most typically, "administratively prohibited" or "ttl expired").

By default, these packets are sent with the source address of the interface that the generated ICMP packet leaves on.

In a router/firewall context, "many network devices" use the source address of the interface where the original packet (that triggered the ICMP reply) came *in* on - which makes, for example, "traceroute" show the ingress interface into the router.  This is a very valuable tool.  If you want FreeBSD to do the same thing, you set "net.inet.icmp.reply_from_interface=1" - which works very nicely.

Here comes the feature request: IPv6 support does not have either sysctl today (at least up to 12.1).  Building a dual-stack setup with "I can do this in IPv4 but not in IPv6" is not good.

Can such functionality be added to the IPv6 ICMP generation as well?

The IPv4 code path looks fairly simple (~30 lines of code), but I most certainly do not understand the networking code well enough myself to contribute an IPv6 equivalent.

Thanks :-)
Comment 1 Andrey V. Elsukov freebsd_committer 2020-05-29 10:21:06 UTC
Our IPv6 implementation uses the source address selection algorithm defined in RFC3484. You have some ability to modify the default source address selection by using policies or the prefer_source flag. Is that not enough for what you want?
Comment 2 Gert Doering 2020-05-29 10:29:36 UTC
No, as RFC3484 / RFC6724 do not take context into account ("packet comes in on em0, so use em0 source for the ICMP error packet, even if we intend to send the packet via em3").

I do not want *all* packets generated from this machine to use the "em0" source (so, not for outgoing TCP, for example), just generated ICMPs in reply to packets coming in on "em0".

Like, exactly what the v4 stack can be told to do :-)
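The selection behaviour described in the bug description and in Comment 2 (ingress-interface source for transit packets when reply_from_interface is set, a fixed interface when reply_src is set, egress interface otherwise), as an added example that is not FreeBSD kernel code and not part of this bug. The precedence order is my reading of sys/netinet/ip_icmp.c and is an assumption; interface names and addresses are constructed.

```python
# Added example (not FreeBSD kernel code): a small model of how the ICMP error
# source address is chosen under the sysctls discussed in this bug.  The
# precedence modelled here (packet addressed to us, then reply_from_interface,
# then reply_src, then the egress interface) is my reading of
# sys/netinet/ip_icmp.c and is an assumption; interface names and addresses
# are constructed for the example.

class Stack:
    """One address family of a router, with the two knobs from the bug."""

    def __init__(self, ifaddrs, reply_from_interface=False, reply_src=""):
        self.ifaddrs = ifaddrs                            # ifname -> [addresses]
        self.reply_from_interface = reply_from_interface  # *.icmp.reply_from_interface
        self.reply_src = reply_src                        # *.icmp.reply_src (ifname)
        self.local_addrs = {a for addrs in ifaddrs.values() for a in addrs}

    def icmp_error_src(self, dst, rcvif, egress_if):
        """Source address for an ICMP error about a packet sent to `dst` that
        arrived on `rcvif`; the error itself would be routed out `egress_if`."""
        # 1. The packet was addressed to one of our own addresses: reply from it.
        if dst in self.local_addrs:
            return dst
        # 2. Transit packet with reply_from_interface=1: use the ingress
        #    interface, so traceroute shows the hop the packet entered on.
        if self.reply_from_interface and self.ifaddrs.get(rcvif):
            return self.ifaddrs[rcvif][0]
        # 3. A fixed reply interface named in reply_src.
        if self.reply_src and self.ifaddrs.get(self.reply_src):
            return self.ifaddrs[self.reply_src][0]
        # 4. Default: the address of the interface the reply leaves on.
        return self.ifaddrs[egress_if][0]


def ttl_expired_sources():
    """Dual-stack router as described in the bug: a TTL/hop-limit-expired
    packet enters on em0 and would be routed out em3.  IPv4 has the knob;
    the IPv6 stack (up to 12.1) has no equivalent and answers from egress."""
    v4 = Stack({"em0": ["192.0.2.1"], "em3": ["198.51.100.1"]},
               reply_from_interface=True)
    v6 = Stack({"em0": ["2001:db8::1"], "em3": ["2001:db8:3::1"]})
    return (v4.icmp_error_src("203.0.113.9", "em0", "em3"),
            v6.icmp_error_src("2001:db8:9::9", "em0", "em3"))


if __name__ == "__main__":
    print(ttl_expired_sources())  # ('192.0.2.1', '2001:db8:3::1')
```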
Comment 3 Neel Chauhan 2020-06-07 22:42:45 UTC
I'm interested in working on this feature.
Comment 4 Neel Chauhan 2020-06-07 23:10:08 UTC
If you want this feature, I have a Phabricator review here: https://reviews.freebsd.org/D25181
Comment 5 Gert Doering 2020-06-08 15:21:27 UTC
Can I test this with a 12.1-RELEASE source tree, or do I need CURRENT?
Comment 6 Neel Chauhan 2020-06-08 16:19:32 UTC
I wrote this patch on CURRENT. You might be able to backport this to 12.1 if you wanted.

Try applying the patch to 12.1 if you prefer, and if it fails, then try CURRENT.
Comment 7 Gert Doering 2020-06-09 09:31:40 UTC
Compiled a CURRENT world + kernel (this VM is not exactly fast, so it took all night).  Tested on the router VM it is for, and found that it works "mostly", but all ICMP packets are created with hlim=0.

Commented in more detail in the Phabricator.