246748 – feature wish: reply_from_interface and reply_src sysctl for IPv6

Bug 246748 - feature wish: reply_from_interface and reply_src sysctl for IPv6

Summary: feature wish: reply_from_interface and reply_src sysctl for IPv6

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	Unspecified
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-net (Nobody)

URL:
Keywords:	feature, ipv6

Depends on:
Blocks:

Reported:	2020-05-26 11:24 UTC by Gert Doering
Modified:	2020-06-09 09:31 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gert Doering 2020-05-26 11:24:13 UTC

IPv4 has the "net.inet.icmp.reply_from_interface" and "net.inet.icmp.reply_src" sysctls to influence source address selection for generated ICMP error responses (most typically, "administratively prohibited" or "ttl expired").

By default, these packets are sent with the source address of the interface where the generated ICMP packet is leaving out.

In a router/firewall context, "many network devices" use the source address of the interface where the original packet (that triggered the ICMP reply) came *in* on - which makes, for example "traceroute" show up the ingress interface into the router.  This is a very valuable tool.  If you want FreeBSD to do the same thing, you set "net.inet.icmp.reply_from_interface=1" - which works very nicely.

Here comes the feature request: IPv6 support does not have either sysctl today (at least up to 12.1).  Building a dual-stack setup with "I can do this in IPv4 but not in IPv6" is not good.

Can such functionality be added to the IPv6 ICMP generation as well?

The IPv4 code path looks fairly simple (~30 lines of code), but I most certainly do not understand the networking code myself to contribute an IPv6 equivalent.

Thanks :-)

Comment 1 Andrey V. Elsukov freebsd_committer

2020-05-29 10:21:06 UTC

Our IPv6 implementation uses source address selection algorithm defined in RFC3484. You have some abilities to modify default source address selection by using policies or prefer_source flag. Is it not enough for what you want?

Comment 2 Gert Doering 2020-05-29 10:29:36 UTC

No, as RFC3484 / RFC6724 do not take context into account ("packet comes in on em0, so use em0 source for the ICMP error packet, even if we intend to send the packet via em3").

I do not want *all* packets generated from this machine to use the "em0" source (so, not for outgoing TCP, for example), just generated ICMPs in reply to packets coming in on "em0".

Like, exactly what the v4 stack can be told to do :-)

Comment 3 Neel Chauhan freebsd_committer

2020-06-07 22:42:45 UTC

I'm interested on working on this feature.

Comment 4 Neel Chauhan freebsd_committer

2020-06-07 23:10:08 UTC

If you want this feature, I have a Phabricator review here: https://reviews.freebsd.org/D25181

Comment 5 Gert Doering 2020-06-08 15:21:27 UTC

Can I test this with a 12.1-RELEASE source tree, or do I need CURRENT?

Comment 6 Neel Chauhan freebsd_committer

2020-06-08 16:19:32 UTC

I wrote this patch on CURRENT. You might be able to backport this to 12.1 if you wanted.

Try applying the patch to 12.1 if you prefer, and if it fails, then try CURRENT.

Comment 7 Gert Doering 2020-06-09 09:31:40 UTC

Compiled a CURRENT world + kernel (this VM is not exactly fast,so it took all night).  Tested on the router VM it is for, and found that it works "mostly", but all ICMP packets are created with hlim=0.

Commented in more detail in the Phabricator.