From: Alexander Bluhm
Subject: Re: Stop logging to syslog when an IPv6 packet cannot be forwarded.
To: tech
Date: Mon, 15 Sep 2025 16:30:31 +0200
On Mon, Sep 15, 2025 at 12:43:36PM +0200, florian@openbsd.org wrote:
> IPv4 does not do this and it is one of thousands of things that can go
> wrong and we do not log those either.
>
> With that net.inet6.ip6.log_interval can go.
>
> OK?
OK bluhm@
> diff --git lib/libc/sys/sysctl.2 lib/libc/sys/sysctl.2
> index bd31f3aa0f4..b4a34f2748c 100644
> --- lib/libc/sys/sysctl.2
> +++ lib/libc/sys/sysctl.2
> @@ -1849,7 +1849,6 @@ The currently defined protocols and names are:
> .It ip6 Ta forwarding Ta integer Ta yes
> .It ip6 Ta hdrnestlimit Ta integer Ta yes
> .It ip6 Ta hlim Ta integer Ta yes
> -.It ip6 Ta log_interval Ta integer Ta yes
> .It ip6 Ta maxdynroutes Ta integer Ta yes
> .It ip6 Ta maxfragpackets Ta integer Ta yes
> .It ip6 Ta maxfrags Ta integer Ta yes
> @@ -1973,12 +1972,6 @@ This value applies to all the transport protocols on top of IPv6.
> Methods for overriding this value are documented in
> .Xr ip6 4 .
> .Pp
> -.It Li ip6.log_interval Pq Va net.inet6.ip6.log_interval
> -This variable permits adjusting the amount of logs generated by the
> -IPv6 packet forwarding engine.
> -The value indicates the number of
> -seconds of interval which must elapse between log output.
> -.Pp
> .It Li ip6.maxdynroutes Pq Va net.inet6.ip6.maxdynroutes
> Maximum number of routes created by redirect.
> Set to negative to disable.
> diff --git sys/netinet6/in6.h sys/netinet6/in6.h
> index b3b7c28fc04..a6826e8756e 100644
> --- sys/netinet6/in6.h
> +++ sys/netinet6/in6.h
> @@ -616,7 +616,7 @@ ifatoia6(struct ifaddr *ifa)
> { "sourcecheck_logint", CTLTYPE_INT }, \
> { 0, 0 }, \
> { 0, 0 }, \
> - { "log_interval", CTLTYPE_INT }, \
> + { 0, 0 }, \
> { "hdrnestlimit", CTLTYPE_INT }, \
> { "dad_count", CTLTYPE_INT }, \
> { "auto_flowlabel", CTLTYPE_INT }, \
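Review bot: The `log_interval` slot in the sysctl name table is zeroed here and the `IPV6CTL_LOG_INTERVAL` row is dropped from `ipv6ctl_vars` in ip6_input.c, but no visible hunk touches the `IPV6CTL_LOG_INTERVAL` definition itself, so the identifier presumably stays defined with no handler behind it. Since the MIB number is part of the userland interface, it is worth marking the slot as retired so the number is not later reused with a different meaning, for example `{ 0, 0 }, /* was log_interval */ \`, and annotating the define the same way if it is kept. Existing `net.inet6.ip6.log_interval` lines in sysctl.conf will presumably start failing after this change, which deserves a mention in the upgrade notes. The name-table macro begins and ends outside this hunk.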
> diff --git sys/netinet6/in6_proto.c sys/netinet6/in6_proto.c
> index cf78a56d460..1f13bba4191 100644
> --- sys/netinet6/in6_proto.c
> +++ sys/netinet6/in6_proto.c
> @@ -357,7 +357,6 @@ int ip6_defhlim = IPV6_DEFHLIM; /* [a] */
> int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS; /* [a] */
> int ip6_maxfragpackets = 200; /* [a] */
> int ip6_maxfrags = 200; /* [a] */
> -int ip6_log_interval = 5; /* [a] */
> int ip6_hdrnestlimit = 10; /* [a] appropriate? */
> int ip6_dad_count = 1; /* [a] DupAddrDetectionTransmits */
> int ip6_dad_pending; /* number of currently running DADs */
> @@ -365,7 +364,6 @@ int ip6_auto_flowlabel = 1; /* [a] */
> int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
> int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
> int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
> -time_t ip6_log_time = (time_t)0L;
>
> /* raw IP6 parameters */
> /*
> diff --git sys/netinet6/ip6_forward.c sys/netinet6/ip6_forward.c
> index 3d65103d8bb..672c02b329d 100644
> --- sys/netinet6/ip6_forward.c
> +++ sys/netinet6/ip6_forward.c
> @@ -94,7 +94,6 @@ ip6_forward(struct mbuf *m, struct route *ro, int flags)
> #ifdef IPSEC
> struct tdb *tdb = NULL;
> #endif /* IPSEC */
> - char src6[INET6_ADDRSTRLEN], dst6[INET6_ADDRSTRLEN];
>
> /*
> * Do not forward packets to multicast destination (should be handled
> @@ -105,21 +104,7 @@ ip6_forward(struct mbuf *m, struct route *ro, int flags)
> if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
> IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
> IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
> - time_t uptime;
> -
> ip6stat_inc(ip6s_cantforward);
> - uptime = getuptime();
> -
> - if (ip6_log_time + atomic_load_int(&ip6_log_interval) <
> - uptime) {
> - ip6_log_time = uptime;
> - inet_ntop(AF_INET6, &ip6->ip6_src, src6, sizeof(src6));
> - inet_ntop(AF_INET6, &ip6->ip6_dst, dst6, sizeof(dst6));
> - log(LOG_DEBUG,
> - "cannot forward "
> - "from %s to %s nxt %d received on interface %u\n",
> - src6, dst6, ip6->ip6_nxt, ifidx);
> - }
> m_freem(m);
> goto done;
> }
> @@ -222,22 +207,8 @@ reroute:
> */
> if (in6_addr2scopeid(ifidx, &ip6->ip6_src) !=
> in6_addr2scopeid(rt->rt_ifidx, &ip6->ip6_src)) {
> - time_t uptime;
> -
> ip6stat_inc(ip6s_cantforward);
> ip6stat_inc(ip6s_badscope);
> - uptime = getuptime();
> -
> - if (ip6_log_time + atomic_load_int(&ip6_log_interval) <
> - uptime) {
> - ip6_log_time = uptime;
> - inet_ntop(AF_INET6, &ip6->ip6_src, src6, sizeof(src6));
> - inet_ntop(AF_INET6, &ip6->ip6_dst, dst6, sizeof(dst6));
> - log(LOG_DEBUG,
> - "cannot forward "
> - "src %s, dst %s, nxt %d, rcvif %u, outif %u\n",
> - src6, dst6, ip6->ip6_nxt, ifidx, rt->rt_ifidx);
> - }
> type = ICMP6_DST_UNREACH;
> code = ICMP6_DST_UNREACH_BEYONDSCOPE;
> m_freem(m);
> diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c
> index f7d89316c8d..37680d7fe52 100644
> --- sys/netinet6/ip6_input.c
> +++ sys/netinet6/ip6_input.c
> @@ -1447,7 +1447,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
> #endif
> { IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 },
> { IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 },
> - { IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX },
> { IPV6CTL_HDRNESTLIMIT, &ip6_hdrnestlimit, 0, 100 },
> { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 },
> { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 },
> diff --git sys/netinet6/ip6_mroute.c sys/netinet6/ip6_mroute.c
> index 3b0b54af5ca..b942728b407 100644
> --- sys/netinet6/ip6_mroute.c
> +++ sys/netinet6/ip6_mroute.c
> @@ -951,18 +951,6 @@ ip6_mforward(struct ip6_hdr *ip6, struct ifnet *ifp, struct mbuf *m, int flags)
> */
> if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
> ip6stat_inc(ip6s_cantforward);
> - if (ip6_log_time + atomic_load_int(&ip6_log_interval) <
> - getuptime()) {
> - char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
> -
> - ip6_log_time = getuptime();
> -
> - inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src));
> - inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst));
> - log(LOG_DEBUG, "cannot forward "
> - "from %s to %s nxt %d received on interface %u\n",
> - src, dst, ip6->ip6_nxt, m->m_pkthdr.ph_ifidx);
> - }
> return 0;
> }
>
> diff --git sys/netinet6/ip6_var.h sys/netinet6/ip6_var.h
> index aff1126c9ee..37f733dfd7d 100644
> --- sys/netinet6/ip6_var.h
> +++ sys/netinet6/ip6_var.h
> @@ -289,8 +289,6 @@ extern struct socket *ip6_mrouter[RT_TABLEID_MAX + 1]; /* multicast routing daem
> extern int ip6_sendredirects; /* send IP redirects when forwarding? */
> extern int ip6_maxfragpackets; /* Maximum packets in reassembly queue */
> extern int ip6_maxfrags; /* Maximum fragments in reassembly queue */
> -extern int ip6_log_interval;
> -extern time_t ip6_log_time;
> extern int ip6_hdrnestlimit; /* upper limit of # of extension headers */
> extern int ip6_dad_count; /* DupAddrDetectionTransmits */
> extern int ip6_dad_pending; /* number of currently running DADs */
>
> --
> In my defence, I have been left unsupervised.