From: Alexander Bluhm Subject: Re: Unlock IPV6CTL_MAXDYNROUTES case of ip6_sysctl() To: Vitaliy Makkoveev Cc: tech@openbsd.org Date: Sat, 26 Jul 2025 23:35:29 +0200 On Sat, Jul 26, 2025 at 04:54:57AM +0300, Vitaliy Makkoveev wrote:
> The last one of `ipv6ctl_vars' variables. The sysctl(2) and IPv6 stack
> both allow negative value for unlimited queue, so use cached value and
> keep current behavior.
>
> We have no `ipv6ctl_vars' used in ramdisk, so exclude them from
> SMALL_KERNEL.
OK bluhm@
> Index: sys/netinet6/icmp6.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/icmp6.c,v
> retrieving revision 1.270
> diff -u -p -r1.270 icmp6.c
> --- sys/netinet6/icmp6.c 18 Jul 2025 08:39:14 -0000 1.270
> +++ sys/netinet6/icmp6.c 26 Jul 2025 01:43:45 -0000
> @@ -1292,6 +1292,7 @@ icmp6_redirect_input(struct mbuf *m, int
> struct sockaddr_in6 ssrc;
> unsigned long rtcount;
> struct rtentry *newrt = NULL;
> + int ip6_maxdynroutes_local = atomic_load_int(&ip6_maxdynroutes);
>
> /*
> * do not install redirect route, if the number of entries
> @@ -1300,7 +1301,8 @@ icmp6_redirect_input(struct mbuf *m, int
> * (there will be additional hops, though).
> */
> rtcount = rt_timer_queue_count(&icmp6_redirect_timeout_q);
> - if (0 <= ip6_maxdynroutes && rtcount >= ip6_maxdynroutes)
> + if (ip6_maxdynroutes_local >= 0 &&
> + rtcount >= ip6_maxdynroutes_local)
> goto freeit;
>
> bzero(&sdst, sizeof(sdst));
> Index: sys/netinet6/in6_proto.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/in6_proto.c,v
> retrieving revision 1.147
> diff -u -p -r1.147 in6_proto.c
> --- sys/netinet6/in6_proto.c 26 Jul 2025 01:16:59 -0000 1.147
> +++ sys/netinet6/in6_proto.c 26 Jul 2025 01:43:45 -0000
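Review bot: In the second icmp6.c hunk, `rtcount >= ip6_maxdynroutes_local` compares an `unsigned long` with an `int`, and it is correct only because the `>= 0` test on the same snapshot runs first. Nothing at the declaration says why the value is loaded once, so a later cleanup could fold the local back into two reads of the global. I would add `/* load once: sign test and limit comparison must see the same value */` above the new local in the first hunk and spell the conversion out as `rtcount >= (unsigned long)ip6_maxdynroutes_local`. This limit bounds the number of redirect-installed routes, so the check should be easy to audit. The body of icmp6_redirect_input() starts and ends outside both hunks.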
> @@ -364,7 +364,7 @@ int ip6_auto_flowlabel = 1; /* [a] */
> int ip6_use_deprecated = 1; /* [a] allow deprecated addr (RFC2462 5.5.4) */
> int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
> int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
> -int ip6_maxdynroutes = 4096; /* Max # of routes created via redirect */
> +int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
> time_t ip6_log_time = (time_t)0L;
>
> /* raw IP6 parameters */
> Index: sys/netinet6/ip6_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
> retrieving revision 1.292
> diff -u -p -r1.292 ip6_input.c
> --- sys/netinet6/ip6_input.c 26 Jul 2025 01:16:59 -0000 1.292
> +++ sys/netinet6/ip6_input.c 26 Jul 2025 01:43:45 -0000
> @@ -1440,7 +1440,8 @@ const u_char inet6ctlerrmap[PRC_NCMDS] =
> extern int ip6_mrtproto;
> #endif
>
> -const struct sysctl_bounded_args ipv6ctl_vars_unlocked[] = {
> +#ifndef SMALL_KERNEL
> +const struct sysctl_bounded_args ipv6ctl_vars[] = {
> { IPV6CTL_FORWARDING, &ip6_forwarding, 0, 2 },
> { IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 },
> { IPV6CTL_DAD_PENDING, &ip6_dad_pending, SYSCTL_INT_READONLY },
> @@ -1459,13 +1460,9 @@ const struct sysctl_bounded_args ipv6ctl
> { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 },
> { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 },
> { IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, -1, 5 * 2048 },
> -};
> -
> -const struct sysctl_bounded_args ipv6ctl_vars[] = {
> { IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 },
> };
>
> -#ifndef SMALL_KERNEL
> int
> ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp)
> {
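Review bot: The `{ IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 }` entry, kept as context in the hunk at -1459, still accepts -1, and the code does not document what a negative value means. Per the icmp6.c check, a negative value turns the cap on redirect-created routes off entirely. Neither this table nor the variable's comment in in6_proto.c says so, and an administrator reading only the source sees just "Max # of routes". I would extend that comment to `/* [a] Max # of routes created via redirect, negative = no limit */`, so the effect of disabling the bound is stated where the default of 4096 is defined.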
> @@ -1501,13 +1498,13 @@ int
> ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
> void *newp, size_t newlen)
> {
> - int error;
> -
> /* Almost all sysctl names at this level are terminal. */
> if (namelen != 1 && name[0] != IPV6CTL_IFQUEUE)
> return (ENOTDIR);
>
> switch (name[0]) {
> + case IPV6CTL_SOIIKEY:
> + return (ip6_sysctl_soiikey(oldp, oldlenp, newp, newlen));
> #ifndef SMALL_KERNEL
> case IPV6CTL_STATS:
> return (ip6_sysctl_ip6stat(oldp, oldlenp, newp));
> @@ -1530,7 +1527,7 @@ ip6_sysctl(int *name, u_int namelen, voi
> return (EOPNOTSUPP);
> #endif
> case IPV6CTL_MTUDISCTIMEOUT: {
> - int oldval, newval;
> + int oldval, newval, error;
>
> oldval = newval = atomic_load_int(&ip6_mtudisc_timeout);
> error = sysctl_int_bounded(oldp, oldlenp, newp, newlen,
> @@ -1548,7 +1545,7 @@ ip6_sysctl(int *name, u_int namelen, voi
> return (sysctl_niq(name + 1, namelen - 1,
> oldp, oldlenp, newp, newlen, &ip6intrq));
> case IPV6CTL_MULTIPATH: {
> - int oldval, newval;
> + int oldval, newval, error;
>
> oldval = newval = atomic_load_int(&ip6_multipath);
> error = sysctl_int_bounded(oldp, oldlenp, newp, newlen,
> @@ -1561,36 +1558,13 @@ ip6_sysctl(int *name, u_int namelen, voi
>
> return (error);
> }
> - case IPV6CTL_FORWARDING:
> - case IPV6CTL_SENDREDIRECTS:
> - case IPV6CTL_DAD_PENDING:
> -#ifdef MROUTING
> - case IPV6CTL_MRTPROTO:
> -#endif
> - case IPV6CTL_DEFHLIM:
> - case IPV6CTL_MAXFRAGPACKETS:
> - case IPV6CTL_LOG_INTERVAL:
> - case IPV6CTL_HDRNESTLIMIT:
> - case IPV6CTL_DAD_COUNT:
> - case IPV6CTL_AUTO_FLOWLABEL:
> - case IPV6CTL_DEFMCASTHLIM:
> - case IPV6CTL_USE_DEPRECATED:
> - case IPV6CTL_MAXFRAGS:
> - case IPV6CTL_MFORWARDING:
> - case IPV6CTL_MCAST_PMTU:
> - case IPV6CTL_NEIGHBORGCTHRESH:
> - return (sysctl_bounded_arr(
> - ipv6ctl_vars_unlocked, nitems(ipv6ctl_vars_unlocked),
> + default:
> + return (sysctl_bounded_arr(ipv6ctl_vars, nitems(ipv6ctl_vars),
> name, namelen, oldp, oldlenp, newp, newlen));
> -#endif /* SMALL_KERNEL */
> - case IPV6CTL_SOIIKEY:
> - return (ip6_sysctl_soiikey(oldp, oldlenp, newp, newlen));
> +#else
> default:
> - NET_LOCK();
> - error = sysctl_bounded_arr(ipv6ctl_vars, nitems(ipv6ctl_vars),
> - name, namelen, oldp, oldlenp, newp, newlen);
> - NET_UNLOCK();
> - return (error);
> + return (EOPNOTSUPP);
> +#endif /* SMALL_KERNEL */
> }
> /* NOTREACHED */
> }
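Review bot: The new `default:` branch serves every entry of `ipv6ctl_vars[]` without NET_LOCK(), and nothing in the code records the requirement this creates. The table stays safe only while each variable in it is marked [a] and read with atomic_load_int() by its consumers. I would add `/* ipv6ctl_vars[] holds only [a] variables, no net lock needed */` above the call, so a lock-protected variable added later does not slip into the unlocked path unnoticed. How sysctl_bounded_arr() stores the new value is not visible here; presumably it is a single int store, which is worth confirming. ip6_sysctl() begins outside this hunk.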