From ef8f8f938aa6d1ea1347e941d416f4a2c0029c60 Mon Sep 17 00:00:00 2001
From: claudio
Date: Fri, 6 May 2022 15:51:09 +0000
Subject: [PATCH] Relax the limitation of what is an acceptable unicast IP. Remove the IN_BADCLASS() check which filters out the experimental IPv4 address space. Now there are no more experiments in IPv4 and so there is less reason for these network daemons to deny such an IP. Everything still disallows multicast IPs (224/4) and loopback (127/8) a few also disallow 0/8 but this is not consistent. In any case using 240/4 in production is a really bad idea but it is not up to this software to prevent you from being a fool. OK deraadt@ tb@
---
 usr.sbin/bgpd/kroute.c | 7 +++----
 usr.sbin/bgpd/rde.c | 6 +++---
 usr.sbin/eigrpd/util.c | 4 ++--
 usr.sbin/ldpd/util.c | 4 ++--
 usr.sbin/mrouted/inet.c | 3 +--
 usr.sbin/ospfd/kroute.c | 7 +++----
 usr.sbin/pppd/auth.c | 4 ++--
 usr.sbin/ripd/kroute.c | 7 +++----
 8 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c
index e911b5335be..c4a45e1ec7a 100644
--- a/usr.sbin/bgpd/kroute.c
+++ b/usr.sbin/bgpd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.244 2022/03/08 12:58:57 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.245 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -1448,12 +1448,11 @@ kr_redistribute(int type, struct ktable *kt, struct kroute *kr)
 return;
 /*
- * We consider the loopback net, multicast and experimental addresses
+ * We consider the loopback net and multicast addresses
 * as not redistributable.
 */
 a = ntohl(kr->prefix.s_addr);
- if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
- (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+ if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
 return;
 /* Check if the nexthop is the loopback addr. */
diff --git a/usr.sbin/bgpd/rde.c b/usr.sbin/bgpd/rde.c
index bb8c2dc0b92..1e39dc1dac7 100644
--- a/usr.sbin/bgpd/rde.c
+++ b/usr.sbin/bgpd/rde.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde.c,v 1.544 2022/03/22 10:53:08 claudio Exp $ */
+/* $OpenBSD: rde.c,v 1.545 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -1790,10 +1790,10 @@ bad_flags:
 UPD_READ(&nexthop.v4.s_addr, p, plen, 4);
 /*
 * Check if the nexthop is a valid IP address. We consider
- * multicast and experimental addresses as invalid.
+ * multicast addresses as invalid.
 */
 tmp32 = ntohl(nexthop.v4.s_addr);
- if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
+ if (IN_MULTICAST(tmp32)) {
 rde_update_err(peer, ERR_UPDATE, ERR_UPD_NEXTHOP,
 op, len);
 return (-1);
diff --git a/usr.sbin/eigrpd/util.c b/usr.sbin/eigrpd/util.c
index 7f0cd3c3d7b..bc7bff4f479 100644
--- a/usr.sbin/eigrpd/util.c
+++ b/usr.sbin/eigrpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.10 2018/12/07 08:40:54 claudio Exp $ */
+/* $OpenBSD: util.c,v 1.11 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * Copyright (c) 2015 Renato Westphal
@@ -224,7 +224,7 @@ bad_addr_v4(struct in_addr addr)
 if (((a >> IN_CLASSA_NSHIFT) == 0) ||
 ((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
- IN_MULTICAST(a) || IN_BADCLASS(a))
+ IN_MULTICAST(a))
 return (1);
 return (0);
diff --git a/usr.sbin/ldpd/util.c b/usr.sbin/ldpd/util.c
index 148e09a5927..25c1cbed9d7 100644
--- a/usr.sbin/ldpd/util.c
+++ b/usr.sbin/ldpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.5 2018/12/07 08:40:54 claudio Exp $ */
+/* $OpenBSD: util.c,v 1.6 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * Copyright (c) 2015 Renato Westphal
@@ -223,7 +223,7 @@ bad_addr_v4(struct in_addr addr)
 if (((a >> IN_CLASSA_NSHIFT) == 0) ||
 ((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
- IN_MULTICAST(a) || IN_BADCLASS(a))
+ IN_MULTICAST(a))
 return (1);
 return (0);
diff --git a/usr.sbin/mrouted/inet.c b/usr.sbin/mrouted/inet.c
index 4f00bc6d9ba..d433d51cc28 100644
--- a/usr.sbin/mrouted/inet.c
+++ b/usr.sbin/mrouted/inet.c
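Review bot: The new condition `if (IN_MULTICAST(tmp32)) {` lets a peer's UPDATE carry a nexthop of 255.255.255.255: the limited-broadcast address lies inside the 240/4 block that the removed IN_BADCLASS() test covered, and IN_MULTICAST() only matches 224/4. This value comes straight off the wire from the peer, so unless a later nexthop lookup rejects it (not visible in this hunk) it is worth keeping that one address out explicitly with `if (IN_MULTICAST(tmp32) || tmp32 == INADDR_BROADCAST) {` and extending the comment to `* multicast and the limited-broadcast address as invalid.`. The enclosing function starts and ends outside the hunk.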
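Review bot: After this change eigrpd's bad_addr_v4() no longer rejects 255.255.255.255, because the limited-broadcast address is part of 240/4, which only the deleted IN_BADCLASS() term matched, while the remaining 0/8, 127/8 and IN_MULTICAST() (224/4) tests all miss it. Assuming the helper is used on addresses learned from the wire, as its name suggests, the cheapest fix is on the changed line: `IN_MULTICAST(a) || a == INADDR_BROADCAST)`. ldpd/util.c carries a byte-identical copy of this function in the same commit, so whatever is decided here should be mirrored there. The function's opening lines are outside the hunk.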
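Review bot: ldpd's bad_addr_v4() has the same gap as the eigrpd copy above: with IN_BADCLASS() gone, 255.255.255.255 passes, since none of the surviving 0/8, 127/8 or 224/4 tests covers the limited-broadcast address at the top of 240/4. If the helper guards wire-learned addresses, add it back on the changed line as `IN_MULTICAST(a) || a == INADDR_BROADCAST)`, keeping the two copies identical. The function's opening lines are outside the hunk.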
@@ -36,7 +36,6 @@ inet_valid_host(u_int32_t naddr)
 addr = ntohl(naddr);
 return (!(IN_MULTICAST(addr) ||
- IN_BADCLASS (addr) ||
 (addr & 0xff000000) == 0));
 }
@@ -83,7 +82,7 @@ inet_valid_subnet(u_int32_t nsubnet, u_int32_t nmask)
 (subnet & 0xff000000) == 0x7f000000 ||
 (subnet & 0xff000000) == 0x00000000) return (FALSE);
 }
- else if (IN_CLASSD(subnet) || IN_BADCLASS(subnet)) {
+ else if (IN_CLASSD(subnet)) {
 /* Above Class C address space */
 return (FALSE);
 }
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c
index 9da45fa9399..8ba5855a416 100644
--- a/usr.sbin/ospfd/kroute.c
+++ b/usr.sbin/ospfd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.114 2020/08/20 03:09:28 jmatthew Exp $ */
+/* $OpenBSD: kroute.c,v 1.115 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * Copyright (c) 2004 Esben Norby
@@ -565,12 +565,11 @@ kr_redist_eval(struct kroute *kr, struct kroute *new_kr)
 goto dont_redistribute;
 /*
- * We consider the loopback net, multicast and experimental addresses
+ * We consider the loopback net and multicast addresses
 * as not redistributable.
 */
 a = ntohl(kr->prefix.s_addr);
- if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
- (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+ if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
 goto dont_redistribute;
 /*
 * Consider networks with nexthop loopback as not redistributable
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index d67c0196307..c6418162dfa 100644
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.39 2017/11/17 20:48:30 jca Exp $ */
+/* $OpenBSD: auth.c,v 1.40 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * auth.c - PPP authentication and phase control.
@@ -1120,7 +1120,7 @@ bad_ip_adrs(addr)
 {
 addr = ntohl(addr);
 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
- || IN_MULTICAST(addr) || IN_BADCLASS(addr);
+ || IN_MULTICAST(addr);
 }
 /*
diff --git a/usr.sbin/ripd/kroute.c b/usr.sbin/ripd/kroute.c
index 635c74c0887..b9523e7fdee 100644
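Review bot: inet_valid_host() now returns true for 255.255.255.255: the tests left in the `return (!(IN_MULTICAST(addr) ||` expression reject only 224/4 and 0/8, and the limited-broadcast address sat inside the 240/4 range that the deleted `IN_BADCLASS (addr) ||` line covered. One added term keeps it out, `return (!(IN_MULTICAST(addr) || addr == INADDR_BROADCAST ||`, with the existing `(addr & 0xff000000) == 0));` line unchanged. Note also that, unlike inet_valid_subnet() in the next hunk, this function never rejected 127/8; whether that is deliberate cannot be told from here. The function's signature is outside the hunk.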
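Review bot: The comment `/* Above Class C address space */` kept under the new `else if (IN_CLASSD(subnet)) {` is now misleading: the branch matches only 224/4, while 240/4, which is equally above class C, is accepted from this commit on. Suggest `/* Class D (multicast) address space */` so a later reader does not assume 240/4 is still filtered here. The function's start is outside the hunk.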
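Review bot: bad_ip_adrs() now accepts 255.255.255.255: the limited-broadcast address belongs to 240/4, which only the removed IN_BADCLASS() term matched, and neither the 127/8 test nor IN_MULTICAST() (224/4) on the surviving `|| IN_MULTICAST(addr);` line catches it. If this function is what screens the address the remote side proposes during IPCP, which the hunk does not show, an explicit term is cheap: `|| IN_MULTICAST(addr) || addr == INADDR_BROADCAST;`. The function's K&R-style signature is outside the hunk.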
--- a/usr.sbin/ripd/kroute.c
+++ b/usr.sbin/ripd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.34 2019/12/11 21:04:59 remi Exp $ */
+/* $OpenBSD: kroute.c,v 1.35 2022/05/06 15:51:09 claudio Exp $ */
 /*
 * Copyright (c) 2004 Esben Norby
@@ -357,12 +357,11 @@ dont_redistribute:
 return;
 /*
- * We consider the loopback net, multicast and experimental addresses
+ * We consider the loopback net and multicast addresses
 * as not redistributable.
 */
 a = ntohl(kr->prefix.s_addr);
- if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
- (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+ if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
 return;
 /*
 * Consider networks with nexthop loopback as not redistributable
-- 
2.20.1