Contributed by rueda on from the predrop-in-on-any-to-wrongif dept.
Alexandr Nedvedicky (sashan@)
wrote to tech@
regarding a recent significant
change:
Hello, commit from today [1] makes IP stack more paranoid. Up to now OpenBSD implemented so called 'weak host model' [2]. The today's commit alters that for hosts, which don't forward packets (don't act as routers). Your laptops, desktops and servers now check packet destination address with IP address bound to interface, where such packet is received on. If there will be mismatch the packet will be discarded and 'wrongif' counter will be bumped. You can use 'netstat -s|grep wrongif' to display the counter value. It is understood the behavior, which has been settled in IP stack since 80's, got changed. tech@openbsd.org (or bugs@openbsd.org) wants to hear back from you, if this change breaks your existing set up. There is a common believe this change won't hurt majority (> 97%) users, though there is some non-zero risk, hence this announcement is being sent. thanks and regards sashan [1] https://marc.info/?l=openbsd-cvs&m=157580332113635&w=2 [2] https://en.wikipedia.org/wiki/Host_model
The commit was:
CVSROOT: /cvs Module name: src Changes by: sashan@cvs.openbsd.org 2019/12/08 04:08:22 Modified files: lib/libc/sys : sysctl.2 sys/netinet : ip_carp.h ip_input.c ip_var.h sys/netinet6 : ip6_input.c ip6_var.h usr.bin/netstat: inet.c inet6.c Log message: Make sure packet destination address matches interface address, where such packet is bound to. This check is enforced if and only IP forwarding is disabled. Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@ OK bluhm@, claudio@, tobhe@
(Comments are closed)