netinet6: honor blackhole/unreach routes in the non-fastforwading code.

Currently, under the conditions specified below, IPv6 ingress packet processing can ignore blackhole/reject flag on the prefix. The packet will instead be looped locally till TTL expiration and a single ICMPv6 unreachable message will be send to the source even in case of RTF_BLACKHOLE. The following conditions needs hold to make the scenario happen: * IPv6 forwarding is enabled * Packet is not fast-forwarded * Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag Fix this behavior by checking for the blackhole/reject flags in ip6_forward(). Reported by: Dmitriy Smirnov <fox@sage.su> Reviewed by: ae Differential Revision: https://reviews.freebsd.org/D38164 MFC after: 3 days
2026-06-13 18:50:31 -04:00 · 2023-01-22 16:57:36 +00:00 · 2023-01-22 16:57:36 +00:00 · 30dd227cff
commit 30dd227cff
parent 7a56009cf5
1 changed files with 9 additions and 0 deletions
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@ -196,6 +196,15 @@ again:
 		goto bad;
 	}

+	if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) {
+		IP6STAT_INC(ip6s_cantforward);
+		if ((nh->nh_flags & NHF_REJECT) && (mcopy != NULL)) {
+			icmp6_error(mcopy, ICMP6_DST_UNREACH,
+			    ICMP6_DST_UNREACH_REJECT, 0);
+		}
+		goto bad;
+	}
+
 	/*
 	 * Source scope check: if a packet can't be delivered to its
 	 * destination for the reason that the destination is beyond the scope