From: Florian Obser
Subject: Remove net.inet6.ip6.use_deprecated knob.
To: tech
Date: Mon, 15 Sep 2025 12:35:28 +0200
There is no good reason to not use the default of using deprecated addresses. Furthermore, it confused netinet/tcp_input.c, which followed an older RFC. RFC 4862 5.5.4 has: IP and higher layers (e.g., TCP, UDP) MUST continue to accept and process datagrams destined to a deprecated address as normal since a deprecated address is still a valid address for the interface. As for the knob itself: An implementation MAY prevent any new communication from using a deprecated address, but system management MUST have the ability to disable such a facility, and the facility MUST be disabled by default. OK?
diff --git lib/libc/sys/sysctl.2 lib/libc/sys/sysctl.2
index ef16ab52ab3..bd31f3aa0f4 100644
--- lib/libc/sys/sysctl.2
+++ lib/libc/sys/sysctl.2
@@ -1859,7 +1859,6 @@ The currently defined protocols and names are:
 .It ip6 Ta multipath Ta integer Ta yes
 .It ip6 Ta neighborgcthresh Ta integer Ta yes
 .It ip6 Ta redirect Ta integer Ta yes
-.It ip6 Ta use_deprecated Ta integer Ta yes
 .El
 .Pp
 The variables are as follows:
@@ -2028,10 +2027,6 @@ The default value is 2048.
 Returns 1 when ICMPv6 redirects may be sent by the node.
 This option is ignored unless the node is routing IP packets,
 and should normally be enabled on all systems.
-.Pp
-.It Li ip6.use_deprecated Pq Va net.inet6.ip6.use_deprecated
-This variable controls the use of deprecated addresses, specified in RFC 4862 5.5.4.
 .El
 .Pp
 We reuse
diff --git sys/netinet/tcp_input.c sys/netinet/tcp_input.c
index 3bdd57208d1..bd61054df4b 100644
--- sys/netinet/tcp_input.c
+++ sys/netinet/tcp_input.c
@@ -817,60 +817,6 @@ findpcb:
 /*
 * Received a SYN.
 */
-#ifdef INET6
- /*
- * If deprecated address is forbidden, we do
- * not accept SYN to deprecated interface
- * address to prevent any new inbound
- * connection from getting established.
- * When we do not accept SYN, we send a TCP
- * RST, with deprecated source address (instead
- * of dropping it). We compromise it as it is
- * much better for peer to send a RST, and
- * RST will be the final packet for the
- * exchange.
- *
- * If we do not forbid deprecated addresses, we
- * accept the SYN packet. RFC2462 does not
- * suggest dropping SYN in this case.
- * If we decipher RFC2462 5.5.4, it says like
- * this:
- * 1. use of deprecated addr with existing
- * communication is okay - "SHOULD continue
- * to be used"
- * 2. use of it with new communication:
- * (2a) "SHOULD NOT be used if alternate
- * address with sufficient scope is
- * available"
- * (2b) nothing mentioned otherwise.
- * Here we fall into (2b) case as we have no
- * choice in our source address selection - we
- * must obey the peer.
- *
- * The wording in RFC2462 is confusing, and
- * there are multiple description text for
- * deprecated address handling - worse, they
- * are not exactly the same. I believe 5.5.4
- * is the best one, so we follow 5.5.4.
- */
- if (ip6 &&
- !atomic_load_int(&ip6_use_deprecated)) {
- struct in6_ifaddr *ia6;
- struct ifnet *ifp =
- if_get(m->m_pkthdr.ph_ifidx);
-
- if (ifp &&
- (ia6 = in6ifa_ifpwithaddr(ifp,
- &ip6->ip6_dst)) &&
- (ia6->ia6_flags &
- IN6_IFF_DEPRECATED)) {
- tp = NULL;
- if_put(ifp);
- goto dropwithreset;
- }
- if_put(ifp);
- }
-#endif
 /*
 * LISTEN socket received a SYN
diff --git sys/netinet6/in6.c sys/netinet6/in6.c
index a0d272e93a8..f1b435a53cd 100644
--- sys/netinet6/in6.c
+++ sys/netinet6/in6.c
@@ -1423,13 +1423,6 @@ in6_ifawithscope(struct ifnet *oifp, const struct in6_addr *dst, u_int rdomain,
 /* Rule 3: Avoid deprecated addresses. */
 if (ifatoia6(ifa)->ia6_flags & IN6_IFF_DEPRECATED) {
- /*
- * Ignore any deprecated addresses if
- * specified by configuration.
- */
- if (!atomic_load_int(&ip6_use_deprecated))
- continue;
-
 /*
 * If we have already found a non-deprecated
 * candidate, just ignore deprecated addresses.
diff --git sys/netinet6/in6.h sys/netinet6/in6.h
index e9a853262d9..b3b7c28fc04 100644
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -584,7 +584,6 @@ ifatoia6(struct ifaddr *ifa)
 #define IPV6CTL_DAD_COUNT 16
 #define IPV6CTL_AUTO_FLOWLABEL 17
 #define IPV6CTL_DEFMCASTHLIM 18
-#define IPV6CTL_USE_DEPRECATED 21 /* use deprecated addr (RFC2462 5.5.4) */
 /* 24 to 40: reserved */
 #define IPV6CTL_MAXFRAGS 41 /* max fragments */
 #define IPV6CTL_MFORWARDING 42
@@ -624,7 +623,7 @@ ifatoia6(struct ifaddr *ifa)
 { "defmcasthlim", CTLTYPE_INT }, \
 { 0, 0 }, \
 { 0, 0 }, \
- { "use_deprecated", CTLTYPE_INT }, \
+ { 0, 0 }, \
 { 0, 0 }, \
 { 0, 0 }, \
 { 0, 0 }, \
diff --git sys/netinet6/in6_proto.c sys/netinet6/in6_proto.c
index 08ce551c1fa..cf78a56d460 100644
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
@@ -362,7 +362,6 @@ int ip6_hdrnestlimit = 10; /* [a] appropriate? */
 int ip6_dad_count = 1; /* [a] DupAddrDetectionTransmits */
 int ip6_dad_pending; /* number of currently running DADs */
 int ip6_auto_flowlabel = 1; /* [a] */
-int ip6_use_deprecated = 1; /* [a] allow deprecated addr (RFC2462 5.5.4) */
 int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
 int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
 int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c
index 92a8d3e4cba..f7d89316c8d 100644
--- sys/netinet6/ip6_input.c
+++ sys/netinet6/ip6_input.c
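Review bot: The `{ 0, 0 }` entry that replaces `"use_deprecated"` in the IPV6CTL_NAMES table keeps the remaining MIB numbers stable, but nothing now records that 21 is a retired number; the define hunk above only carries `/* 24 to 40: reserved */`. A short marker on the zeroed entry, e.g. `{ 0, 0 }, /* 21: was use_deprecated */ \`, would discourage reusing the slot for an unrelated knob that a sysctl(8) or program built against the previous header could then reach by number. Separately, hosts that still set `net.inet6.ip6.use_deprecated` in sysctl.conf will presumably get an unknown-name error from sysctl(8) at boot once the entry is gone, which may be worth a line in the commit message or upgrade notes. The IPV6CTL_NAMES macro continues outside the hunk.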
@@ -1452,7 +1452,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
 { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 },
 { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 },
 { IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 },
- { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 },
 { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 },
 { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 },
 { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 },
diff --git sys/netinet6/ip6_var.h sys/netinet6/ip6_var.h
index a885afcd0c0..aff1126c9ee 100644
--- sys/netinet6/ip6_var.h
+++ sys/netinet6/ip6_var.h
@@ -281,7 +281,6 @@ extern int ip6_forwarding; /* act as router? */
 extern int ip6_mforwarding; /* act as multicast router? */
 extern int ip6_multipath; /* use multipath routes */
 extern int ip6_sendredirect; /* send ICMPv6 redirect? */
-extern int ip6_use_deprecated; /* allow deprecated addr as source */
 extern int ip6_mcast_pmtu; /* path MTU discovery for multicast */
 extern int ip6_neighborgcthresh; /* Threshold # of NDP entries for GC */
 extern int ip6_maxdynroutes; /* Max # of routes created via redirect */
-- In my defence, I have been left unsupervised.