From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: ipv4: don't forward packets from 0.0.0.0
To: David Gwynne <david@gwynne.id.au>, tech@openbsd.org
Date: Thu, 18 Jun 2026 10:31:56 +0200

On Thu, Jun 18, 2026 at 09:15:54AM +0100, Stuart Henderson wrote:
> On 2026/06/18 16:52, David Gwynne wrote:
> > i don't think we should forward packets with certain source addresses,
> > and 0.0.0.0 in particular.
> 
> seems sane. RFC 6890 2.2.2 table 1 specifically says "forwardable: no".
> ip6_forward already has an equivalent IN6_IS_ADDR_UNSPECIFIED check.
> 
> > thoughts?
> 
> I think this is more correct than what we have now.

Agree. OK claudio@

A follow up idea (aka bikeshed #2):
Pass ip->ip_src as 2nd argument to in_canforward() and implement
the logic from RFC 6890 into that function. Then all is in one place.

> > Index: ip_input.c
> > ===================================================================
> > RCS file: /cvs/src/sys/netinet/ip_input.c,v
> > diff -u -p -r1.428 ip_input.c
> > --- ip_input.c	26 May 2026 20:43:31 -0000	1.428
> > +++ ip_input.c	8 Jun 2026 01:17:20 -0000
> > @@ -1579,7 +1579,9 @@ ip_forward(struct mbuf *m, struct ifnet 
> >  	u_int32_t dest;
> >  
> >  	dest = 0;
> > -	if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) {
> > +	if (m->m_flags & (M_BCAST|M_MCAST) ||
> > +	    in_canforward(ip->ip_dst) == 0 ||
> > +	    ip->ip_src.s_addr == INADDR_ANY) {
> >  		ipstat_inc(ips_cantforward);
> >  		m_freem(m);
> >  		goto done;
> > 
> 

-- 
:wq Claudio