From: Stuart Henderson Subject: Re: ipv4: don't forward packets from 0.0.0.0 To: David Gwynne Cc: tech@openbsd.org Date: Thu, 18 Jun 2026 09:15:54 +0100 On 2026/06/18 16:52, David Gwynne wrote: > i don't think we should forward packets with certain source addresses, > and 0.0.0.0 in particular. seems sane. RFC 6890 2.2.2 table 1 specifically says "forwardable: no". ip6_forward already has an equivalent IN6_IS_ADDR_UNSPECIFIED check. > thoughts? I think this is more correct than what we have now. > > Index: ip_input.c > =================================================================== > RCS file: /cvs/src/sys/netinet/ip_input.c,v > diff -u -p -r1.428 ip_input.c > --- ip_input.c 26 May 2026 20:43:31 -0000 1.428 > +++ ip_input.c 8 Jun 2026 01:17:20 -0000 > @@ -1579,7 +1579,9 @@ ip_forward(struct mbuf *m, struct ifnet > u_int32_t dest; > > dest = 0; > - if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) { > + if (m->m_flags & (M_BCAST|M_MCAST) || > + in_canforward(ip->ip_dst) == 0 || > + ip->ip_src.s_addr == INADDR_ANY) { > ipstat_inc(ips_cantforward); > m_freem(m); > goto done; >
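Review bot: the added source test in the ip_forward() condition, "ip->ip_src.s_addr == INADDR_ANY", is open-coded and carries no comment, while the destination side of the same condition goes through in_canforward(ip->ip_dst). A one-line comment above the condition saying why a packet with an unspecified source is never forwarded (the reply points at RFC 6890 2.2.2 table 1) would keep the reason next to the code. The description speaks of "certain source addresses" but the condition tests only 0.0.0.0, so it is worth saying whether other sources are deliberately left out or are meant for a follow-up, and whether a small helper mirroring in_canforward() would be a better home for the test than the if itself. The new case is also counted under ips_cantforward, the same counter as the broadcast/multicast and destination cases, so drops for a bad source cannot be told apart from those in the statistics; note that if it is intended.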