Relax the limitation of what is an acceptable unicast IP.

Remove the IN_BADCLASS() check which filters out the experimental IPv4
address space. Now there are no more experiments in IPv4 and so there
is less reason for these network daemons to deny such an IP.
Everything still disallows multicast IPs (224/4) and loopback (127/8)
a few also disallow 0/8 but this is not consistent.

In any case using 240/4 in production is a really bad idea but it is
not up to this software to prevent you from being a fool.

OK deraadt@ tb@

diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c
index e911b53..c4a45e1 100644 (file)
--- a/usr.sbin/bgpd/kroute.c
+++ b/usr.sbin/bgpd/kroute.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kroute.c,v 1.244 2022/03/08 12:58:57 claudio Exp $ */
+/*     $OpenBSD: kroute.c,v 1.245 2022/05/06 15:51:09 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1448,12 +1448,11 @@ kr_redistribute(int type, struct ktable *kt, struct kroute *kr)
                return;
 
        /*
-        * We consider the loopback net, multicast and experimental addresses
+        * We consider the loopback net and multicast addresses
         * as not redistributable.
         */
        a = ntohl(kr->prefix.s_addr);
-       if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
-           (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+       if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
                return;
 
        /* Check if the nexthop is the loopback addr. */

diff --git a/usr.sbin/bgpd/rde.c b/usr.sbin/bgpd/rde.c
index bb8c2dc..1e39dc1 100644 (file)
--- a/usr.sbin/bgpd/rde.c
+++ b/usr.sbin/bgpd/rde.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: rde.c,v 1.544 2022/03/22 10:53:08 claudio Exp $ */
+/*     $OpenBSD: rde.c,v 1.545 2022/05/06 15:51:09 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1790,10 +1790,10 @@ bad_flags:
                UPD_READ(&nexthop.v4.s_addr, p, plen, 4);
                /*
                 * Check if the nexthop is a valid IP address. We consider
-                * multicast and experimental addresses as invalid.
+                * multicast addresses as invalid.
                 */
                tmp32 = ntohl(nexthop.v4.s_addr);
-               if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
+               if (IN_MULTICAST(tmp32)) {
                        rde_update_err(peer, ERR_UPDATE, ERR_UPD_NEXTHOP,
                            op, len);
                        return (-1);

diff --git a/usr.sbin/eigrpd/util.c b/usr.sbin/eigrpd/util.c
index 7f0cd3c..bc7bff4 100644 (file)
--- a/usr.sbin/eigrpd/util.c
+++ b/usr.sbin/eigrpd/util.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: util.c,v 1.10 2018/12/07 08:40:54 claudio Exp $ */
+/*     $OpenBSD: util.c,v 1.11 2022/05/06 15:51:09 claudio Exp $ */
 
 /*
  * Copyright (c) 2015 Renato Westphal <renato@openbsd.org>
@@ -224,7 +224,7 @@ bad_addr_v4(struct in_addr addr)
 
        if (((a >> IN_CLASSA_NSHIFT) == 0) ||
            ((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
-           IN_MULTICAST(a) || IN_BADCLASS(a))
+           IN_MULTICAST(a))
                return (1);
 
        return (0);

diff --git a/usr.sbin/ldpd/util.c b/usr.sbin/ldpd/util.c
index 148e09a..25c1cbe 100644 (file)
--- a/usr.sbin/ldpd/util.c
+++ b/usr.sbin/ldpd/util.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: util.c,v 1.5 2018/12/07 08:40:54 claudio Exp $ */
+/*     $OpenBSD: util.c,v 1.6 2022/05/06 15:51:09 claudio Exp $ */
 
 /*
  * Copyright (c) 2015 Renato Westphal <renato@openbsd.org>
@@ -223,7 +223,7 @@ bad_addr_v4(struct in_addr addr)
 
        if (((a >> IN_CLASSA_NSHIFT) == 0) ||
            ((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
-           IN_MULTICAST(a) || IN_BADCLASS(a))
+           IN_MULTICAST(a))
                return (1);
 
        return (0);

diff --git a/usr.sbin/mrouted/inet.c b/usr.sbin/mrouted/inet.c
index 4f00bc6..d433d51 100644 (file)
--- a/usr.sbin/mrouted/inet.c
+++ b/usr.sbin/mrouted/inet.c
@@ -36,7 +36,6 @@ inet_valid_host(u_int32_t naddr)
     addr = ntohl(naddr);
 
     return (!(IN_MULTICAST(addr) ||
-             IN_BADCLASS (addr) ||
              (addr & 0xff000000) == 0));
 }
 
@@ -83,7 +82,7 @@ inet_valid_subnet(u_int32_t nsubnet, u_int32_t nmask)
            (subnet & 0xff000000) == 0x7f000000 ||
            (subnet & 0xff000000) == 0x00000000) return (FALSE);
     }
-    else if (IN_CLASSD(subnet) || IN_BADCLASS(subnet)) {
+    else if (IN_CLASSD(subnet)) {
        /* Above Class C address space */
        return (FALSE);
     }

diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c
index 9da45fa..8ba5855 100644 (file)
--- a/usr.sbin/ospfd/kroute.c
+++ b/usr.sbin/ospfd/kroute.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kroute.c,v 1.114 2020/08/20 03:09:28 jmatthew Exp $ */
+/*     $OpenBSD: kroute.c,v 1.115 2022/05/06 15:51:09 claudio Exp $ */
 
 /*
  * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -565,12 +565,11 @@ kr_redist_eval(struct kroute *kr, struct kroute *new_kr)
                goto dont_redistribute;
 
        /*
-        * We consider the loopback net, multicast and experimental addresses
+        * We consider the loopback net and multicast addresses
         * as not redistributable.
         */
        a = ntohl(kr->prefix.s_addr);
-       if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
-           (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+       if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
                goto dont_redistribute;
        /*
         * Consider networks with nexthop loopback as not redistributable

diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index d67c019..c641816 100644 (file)
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: auth.c,v 1.39 2017/11/17 20:48:30 jca Exp $   */
+/*     $OpenBSD: auth.c,v 1.40 2022/05/06 15:51:09 claudio Exp $       */
 
 /*
  * auth.c - PPP authentication and phase control.
@@ -1120,7 +1120,7 @@ bad_ip_adrs(addr)
 {
     addr = ntohl(addr);
     return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
-       || IN_MULTICAST(addr) || IN_BADCLASS(addr);
+       || IN_MULTICAST(addr);
 }
 
 /*

diff --git a/usr.sbin/ripd/kroute.c b/usr.sbin/ripd/kroute.c
index 635c74c..b9523e7 100644 (file)
--- a/usr.sbin/ripd/kroute.c
+++ b/usr.sbin/ripd/kroute.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kroute.c,v 1.34 2019/12/11 21:04:59 remi Exp $ */
+/*     $OpenBSD: kroute.c,v 1.35 2022/05/06 15:51:09 claudio Exp $ */
 
 /*
  * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -357,12 +357,11 @@ dont_redistribute:
                return;
 
        /*
-        * We consider the loopback net, multicast and experimental addresses
+        * We consider the loopback net and multicast addresses
         * as not redistributable.
         */
        a = ntohl(kr->prefix.s_addr);
-       if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
-           (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+       if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
                return;
        /*
         * Consider networks with nexthop loopback as not redistributable