From: florian@openbsd.org Subject: Stop logging to syslog when an IPv6 packet cannot be forwarded. To: tech Date: Mon, 15 Sep 2025 12:43:36 +0200 IPv4 does not do this and it is one of thousands of things that can go wrong and we do not log those either. With that net.inet6.ip6.log_interval can go. OK?
diff --git lib/libc/sys/sysctl.2 lib/libc/sys/sysctl.2
index bd31f3aa0f4..b4a34f2748c 100644
--- lib/libc/sys/sysctl.2
+++ lib/libc/sys/sysctl.2
@@ -1849,7 +1849,6 @@ The currently defined protocols and names are:
 .It ip6 Ta forwarding Ta integer Ta yes
 .It ip6 Ta hdrnestlimit Ta integer Ta yes
 .It ip6 Ta hlim Ta integer Ta yes
-.It ip6 Ta log_interval Ta integer Ta yes
 .It ip6 Ta maxdynroutes Ta integer Ta yes
 .It ip6 Ta maxfragpackets Ta integer Ta yes
 .It ip6 Ta maxfrags Ta integer Ta yes
@@ -1973,12 +1972,6 @@ This value applies to all the transport protocols on top of IPv6.
 Methods for overriding this value are documented in
 .Xr ip6 4 .
 .Pp
-.It Li ip6.log_interval Pq Va net.inet6.ip6.log_interval
-This variable permits adjusting the amount of logs generated by the
-IPv6 packet forwarding engine.
-The value indicates the number of
-seconds of interval which must elapse between log output.
-.Pp
 .It Li ip6.maxdynroutes Pq Va net.inet6.ip6.maxdynroutes
 Maximum number of routes created by redirect.
 Set to negative to disable.
diff --git sys/netinet6/in6.h sys/netinet6/in6.h
index b3b7c28fc04..a6826e8756e 100644
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -616,7 +616,7 @@ ifatoia6(struct ifaddr *ifa)
 { "sourcecheck_logint", CTLTYPE_INT }, \
 { 0, 0 }, \
 { 0, 0 }, \
- { "log_interval", CTLTYPE_INT }, \
+ { 0, 0 }, \
 { "hdrnestlimit", CTLTYPE_INT }, \
 { "dad_count", CTLTYPE_INT }, \
 { "auto_flowlabel", CTLTYPE_INT }, \
diff --git sys/netinet6/in6_proto.c sys/netinet6/in6_proto.c
index cf78a56d460..1f13bba4191 100644
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
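Review bot: The `{ 0, 0 }` placeholder in the sys/netinet6/in6.h name table keeps the later entries at their existing MIB numbers, but nothing in the new code records that the slot used to be `log_interval`, and no hunk in this patch removes the `IPV6CTL_LOG_INTERVAL` constant that the sys/netinet6/ip6_input.c hunk stops handling. I would annotate the slot, `{ 0, 0 }, /* was log_interval */ \`, and mark the constant obsolete or delete it where it is defined (its definition is not visible in these hunks), so the number is not quietly reused for a different variable later. With the name gone, a leftover `net.inet6.ip6.log_interval=...` line in a system's sysctl configuration will presumably start failing after the upgrade, which deserves a sentence in the upgrade notes. The table appears to be part of a macro that starts and ends outside the hunk.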
@@ -357,7 +357,6 @@ int ip6_defhlim = IPV6_DEFHLIM; /* [a] */
 int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS; /* [a] */
 int ip6_maxfragpackets = 200; /* [a] */
 int ip6_maxfrags = 200; /* [a] */
-int ip6_log_interval = 5; /* [a] */
 int ip6_hdrnestlimit = 10; /* [a] appropriate? */
 int ip6_dad_count = 1; /* [a] DupAddrDetectionTransmits */
 int ip6_dad_pending; /* number of currently running DADs */
@@ -365,7 +364,6 @@ int ip6_auto_flowlabel = 1; /* [a] */
 int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
 int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
 int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
-time_t ip6_log_time = (time_t)0L;
 /* raw IP6 parameters */
 /*
diff --git sys/netinet6/ip6_forward.c sys/netinet6/ip6_forward.c
index 3d65103d8bb..672c02b329d 100644
--- sys/netinet6/ip6_forward.c
+++ sys/netinet6/ip6_forward.c
@@ -94,7 +94,6 @@ ip6_forward(struct mbuf *m, struct route *ro, int flags)
 #ifdef IPSEC
 struct tdb *tdb = NULL;
 #endif /* IPSEC */
- char src6[INET6_ADDRSTRLEN], dst6[INET6_ADDRSTRLEN];
 /*
 * Do not forward packets to multicast destination (should be handled
@@ -105,21 +104,7 @@ ip6_forward(struct mbuf *m, struct route *ro, int flags)
 if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
 IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
- time_t uptime;
-
 ip6stat_inc(ip6s_cantforward);
- uptime = getuptime();
-
- if (ip6_log_time + atomic_load_int(&ip6_log_interval) <
- uptime) {
- ip6_log_time = uptime;
- inet_ntop(AF_INET6, &ip6->ip6_src, src6, sizeof(src6));
- inet_ntop(AF_INET6, &ip6->ip6_dst, dst6, sizeof(dst6));
- log(LOG_DEBUG,
- "cannot forward "
- "from %s to %s nxt %d received on interface %u\n",
- src6, dst6, ip6->ip6_nxt, ifidx);
- }
 m_freem(m);
 goto done;
 }
@@ -222,22 +207,8 @@ reroute:
 */
 if (in6_addr2scopeid(ifidx, &ip6->ip6_src) !=
 in6_addr2scopeid(rt->rt_ifidx, &ip6->ip6_src)) {
- time_t uptime;
-
 ip6stat_inc(ip6s_cantforward);
 ip6stat_inc(ip6s_badscope);
- uptime = getuptime();
-
- if (ip6_log_time + atomic_load_int(&ip6_log_interval) <
- uptime) {
- ip6_log_time = uptime;
- inet_ntop(AF_INET6, &ip6->ip6_src, src6, sizeof(src6));
- inet_ntop(AF_INET6, &ip6->ip6_dst, dst6, sizeof(dst6));
- log(LOG_DEBUG,
- "cannot forward "
- "src %s, dst %s, nxt %d, rcvif %u, outif %u\n",
- src6, dst6, ip6->ip6_nxt, ifidx, rt->rt_ifidx);
- }
 type = ICMP6_DST_UNREACH;
 code = ICMP6_DST_UNREACH_BEYONDSCOPE;
 m_freem(m);
diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c
index f7d89316c8d..37680d7fe52 100644
--- sys/netinet6/ip6_input.c
+++ sys/netinet6/ip6_input.c
@@ -1447,7 +1447,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
 #endif
 { IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 },
 { IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 },
- { IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX },
 { IPV6CTL_HDRNESTLIMIT, &ip6_hdrnestlimit, 0, 100 },
 { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 },
 { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 },
diff --git sys/netinet6/ip6_mroute.c sys/netinet6/ip6_mroute.c
index 3b0b54af5ca..b942728b407 100644
--- sys/netinet6/ip6_mroute.c
+++ sys/netinet6/ip6_mroute.c
@@ -951,18 +951,6 @@ ip6_mforward(struct ip6_hdr *ip6, struct ifnet *ifp, struct mbuf *m, int flags)
 */
 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
 ip6stat_inc(ip6s_cantforward);
- if (ip6_log_time + atomic_load_int(&ip6_log_interval) <
- getuptime()) {
- char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
-
- ip6_log_time = getuptime();
-
- inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src));
- inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst));
- log(LOG_DEBUG, "cannot forward "
- "from %s to %s nxt %d received on interface %u\n",
- src, dst, ip6->ip6_nxt, m->m_pkthdr.ph_ifidx);
- }
 return 0;
 }
diff --git sys/netinet6/ip6_var.h sys/netinet6/ip6_var.h
index aff1126c9ee..37f733dfd7d 100644
--- sys/netinet6/ip6_var.h
+++ sys/netinet6/ip6_var.h
@@ -289,8 +289,6 @@ extern struct socket *ip6_mrouter[RT_TABLEID_MAX + 1]; /* multicast routing daem
 extern int ip6_sendredirects; /* send IP redirects when forwarding? */
 extern int ip6_maxfragpackets; /* Maximum packets in reassembly queue */
 extern int ip6_maxfrags; /* Maximum fragments in reassembly queue */
-extern int ip6_log_interval;
-extern time_t ip6_log_time;
 extern int ip6_hdrnestlimit; /* upper limit of # of extension headers */
 extern int ip6_dad_count; /* DupAddrDetectionTransmits */
 extern int ip6_dad_pending; /* number of currently running DADs */
-- In my defence, I have been left unsupervised.