From: Alexander Bluhm
Subject: Re: sysctl: deny negative values for `ip6_neighborgcthresh'
To: Vitaliy Makkoveev
Cc: tech@openbsd.org
Date: Sat, 2 Aug 2025 13:49:36 +0200

On Sat, Aug 02, 2025 at 02:37:51PM +0300, Vitaliy Makkoveev wrote:
> A negative `ip6_neighborgcthresh' allows an unlimited count of ND6
> entries, while a positive value starts nd6_rtrequest() purging less
> recently used ones.
>
> ok?

This sysctl was implemented in response to a security issue. Any box on
the internet could create ND entries by pinging non-existing directly
attached IPv6 addresses. Then the ndp table of a router fills up without
limit. There is no reason to disable this security feature. If someone
runs into the limit, we better increase the 5 * 2048 upper bound.

OK bluhm@

> Index: sys/netinet6/ip6_input.c > =================================================================== > RCS file: /cvs/src/sys/netinet6/ip6_input.c,v > retrieving revision 1.294 > diff -u -p -r1.294 ip6_input.c > --- sys/netinet6/ip6_input.c 31 Jul 2025 09:05:11 -0000 1.294 > +++ sys/netinet6/ip6_input.c 2 Aug 2025 11:28:11 -0000 > @@ -1459,7 +1459,7 @@ const struct sysctl_bounded_args ipv6ctl > { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 }, > { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 }, > { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 }, > - { IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, -1, 5 * 2048 }, > + { IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, 0, 5 * 2048 }, > { IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 }, > }; > > Index: sys/netinet6/nd6.c > =================================================================== > RCS file: /cvs/src/sys/netinet6/nd6.c,v > retrieving revision 1.293 > diff -u -p -r1.293 nd6.c > --- sys/netinet6/nd6.c 26 Jul 2025 01:16:59 -0000 1.293 > +++ sys/netinet6/nd6.c 2 Aug 2025 11:28:11 -0000 
> @@ -729,7 +729,6 @@ nd6_rtrequest(struct ifnet *ifp, int req > struct llinfo_nd6 *ln; > struct ifaddr *ifa; > struct in6_ifaddr *ifa6; > - int ip6_neighborgcthresh_local; > > if (ISSET(rt->rt_flags, RTF_GATEWAY|RTF_MULTICAST|RTF_MPLS)) > return; > @@ -830,11 +829,7 @@ nd6_rtrequest(struct ifnet *ifp, int req > * cause re-entering rtable related routines triggering > * lock-order-reversal problems. > */ > - ip6_neighborgcthresh_local = > - atomic_load_int(&ip6_neighborgcthresh); > - > - if (ip6_neighborgcthresh_local >= 0 && > - nd6_inuse >= ip6_neighborgcthresh_local) { > + if (nd6_inuse >= atomic_load_int(&ip6_neighborgcthresh)) { > int i; > > for (i = 0; i < 10; i++) {
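Review bot: the new lower bound of 0 in the IPV6CTL_NEIGHBORGCTHRESH entry of the ip6_input.c hunk admits a value at which the nd6_rtrequest() condition `if (nd6_inuse >= atomic_load_int(&ip6_neighborgcthresh))` is always true, so every neighbor route add would run the purge loop; if 0 is not meant as a usable setting, a lower bound of 1 would exclude it, and either way the sysctl's manual page should state the new minimum, since -1 used to mean "disabled".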
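Review bot: the `ip6_neighborgcthresh_local >= 0` test removed in the second nd6.c hunk was the only thing that gave a negative value its "no limit" meaning, so this hunk is only safe when committed together with the bounds change in ip6_input.c; it is also worth confirming that the compiled-in initializer of ip6_neighborgcthresh is non-negative, because the bounds table constrains sysctl writes, not the default value.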
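As an added example (not OpenBSD code), a small C model of the bounded sysctl check and of the nd6_rtrequest() purge condition before and after the patch; the function names, the one-entry-per-insertion eviction and the 100000-insertion simulation are constructed for illustration.

```c
/* Added example, not OpenBSD code: models the bounded sysctl check and the
 * purge condition in nd6_rtrequest() before and after the patch. Names are
 * invented; one entry is evicted per insertion, not the kernel's up-to-10. */
#include <errno.h>
#include <stdio.h>

#define ND6_GCTHRESH_MAX	(5 * 2048)	/* upper bound from the sysctl table */

/* Range check that a bounded sysctl entry applies to a written value. */
int
validate_gcthresh(int newval, int min)
{
	return (newval < min || newval > ND6_GCTHRESH_MAX) ? EINVAL : 0;
}

/* Before the patch: a negative threshold disables garbage collection. */
int
nd6_purge_old(int inuse, int thresh)
{
	return thresh >= 0 && inuse >= thresh;
}
/* After the patch: the threshold is always enforced. */
int
nd6_purge_new(int inuse, int thresh)
{
	return inuse >= thresh;
}

/* Insert n neighbor entries, evicting one LRU entry first whenever the
 * purge condition holds. Returns the final table size. */
int
simulate_insertions(int n, int thresh, int (*purge)(int, int))
{
	int inuse = 0, i;

	for (i = 0; i < n; i++) {
		if (purge(inuse, thresh) && inuse > 0)
			inuse--;
		inuse++;
	}
	return inuse;
}

int
main(void)
{
	printf("old check, thresh -1: %d entries after 100000 adds\n",
	    simulate_insertions(100000, -1, nd6_purge_old));
	printf("new check, thresh %d: %d entries after 100000 adds\n",
	    ND6_GCTHRESH_MAX,
	    simulate_insertions(100000, ND6_GCTHRESH_MAX, nd6_purge_new));
}
```

With the old check a threshold of -1 lets the table grow without bound, while with the new check a threshold of 0 evicts on every insertion.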