From: Alexander Bluhm <bluhm@openbsd.org>
Subject: Re: sysctl: deny negative values for `ip6_neighborgcthresh'
To: Vitaliy Makkoveev <mvs@openbsd.org>
Cc: tech@openbsd.org
Date: Sat, 2 Aug 2025 13:49:36 +0200

On Sat, Aug 02, 2025 at 02:37:51PM +0300, Vitaliy Makkoveev wrote:
> A negative `ip6_neighborgcthresh' allows an unlimited count of ND6 entries,
> while a positive value makes nd6_rtrequest() start purging less recently
> used ones.
> 
> ok?

This sysctl was implemented in response to a security issue.  Any
box on the internet could create ND entries by pinging non-existing
directly attached IPv6 addresses.  Then the ndp table of a router
fills up without limit.  There is no reason to disable this security
feature.  If someone runs into the limit, we had better increase the
5 * 2048 upper bound.

OK bluhm@

> Index: sys/netinet6/ip6_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
> retrieving revision 1.294
> diff -u -p -r1.294 ip6_input.c
> --- sys/netinet6/ip6_input.c	31 Jul 2025 09:05:11 -0000	1.294
> +++ sys/netinet6/ip6_input.c	2 Aug 2025 11:28:11 -0000
> @@ -1459,7 +1459,7 @@ const struct sysctl_bounded_args ipv6ctl
>  	{ IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 },
>  	{ IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 },
>  	{ IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 },
> -	{ IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, -1, 5 * 2048 },
> +	{ IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, 0, 5 * 2048 },
>  	{ IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 },
>  };
>  
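Review bot: with the lower bound of IPV6CTL_NEIGHBORGCTHRESH moved from -1 to 0, the value 0 is now the smallest accepted setting, and together with the new check `if (nd6_inuse >= atomic_load_int(&ip6_neighborgcthresh))` in nd6_rtrequest() it makes the purge condition true on every neighbour insertion; 0 therefore means "garbage-collect as aggressively as possible", not "disabled" as -1 did before. That change in meaning deserves a sentence in the commit message and in the sysctl's documentation, so that administrators who previously used -1 understand that it is rejected now and that the minimum triggers purging on every call. The adjacent `{ IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 }` keeps its -1 lower bound; if that is intentional, a reader comparing the two lines would benefit from a note saying why the two limits are treated differently.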
> Index: sys/netinet6/nd6.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/nd6.c,v
> retrieving revision 1.293
> diff -u -p -r1.293 nd6.c
> --- sys/netinet6/nd6.c	26 Jul 2025 01:16:59 -0000	1.293
> +++ sys/netinet6/nd6.c	2 Aug 2025 11:28:11 -0000
> @@ -729,7 +729,6 @@ nd6_rtrequest(struct ifnet *ifp, int req
>  	struct llinfo_nd6 *ln;
>  	struct ifaddr *ifa;
>  	struct in6_ifaddr *ifa6;
> -	int ip6_neighborgcthresh_local;
>  
>  	if (ISSET(rt->rt_flags, RTF_GATEWAY|RTF_MULTICAST|RTF_MPLS))
>  		return;
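Review bot: removing the local `ip6_neighborgcthresh_local` is only safe because the sole remaining reader, in the following hunk, folds the single atomic_load_int() into the if condition; if the threshold were consulted a second time anywhere else in nd6_rtrequest(), two separate loads could observe different values under a concurrent sysctl write, so it is worth confirming there is no other use of the threshold in this function outside the lines shown.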
> @@ -830,11 +829,7 @@ nd6_rtrequest(struct ifnet *ifp, int req
>  		 * cause re-entering rtable related routines triggering
>  		 * lock-order-reversal problems.
>  		 */
> -		ip6_neighborgcthresh_local =
> -		    atomic_load_int(&ip6_neighborgcthresh);
> -
> -		if (ip6_neighborgcthresh_local >= 0 &&
> -		    nd6_inuse >= ip6_neighborgcthresh_local) {
> +		if (nd6_inuse >= atomic_load_int(&ip6_neighborgcthresh)) {
>  			int i;
>  
>  			for (i = 0; i < 10; i++) {
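Review bot: dropping the `ip6_neighborgcthresh_local >= 0 &&` guard makes this condition correct only in combination with the bounds change in ip6_input.c, since `nd6_inuse >= -1` would otherwise always be true; the two files must land in one commit, which is presumably the plan, but the commit message should say that the guard was removed because negative values can no longer be set. With the new minimum of 0 the condition is likewise always true, so the `for (i = 0; i < 10; i++)` purge loop below runs on every request at that setting; if that is acceptable, consider extending the comment above the condition to state that the threshold is read once with atomic_load_int() because a sysctl may change it concurrently.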