d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update comment.

Browse Source 
Update the comment related to SIIT and v4mapped addresses being rejected
by us when coming from the wire given we have supported IPv6-only kernels
for a few years now.
See also draft-itojun-v6ops-v4mapped-harmful.

Suggested by:	melifaro
MFC after:	2 weeks
This commit is contained in:
Bjoern A. Zeeb 2019-12-06 16:53:42 +00:00
parent 5ccbeea1c5
commit 74ff87cd16
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sys/netinet6/ip6_input.c
View File

@ -677,11 +677,10 @@ ip6_input(struct mbuf *m)
* and bypass security checks (act as if it was from 127.0.0.1 by using
* IPv6 src ::ffff:127.0.0.1). Be cautious.
*
* This check chokes if we are in an SIIT cloud. As none of BSDs
* support IPv4-less kernel compilation, we cannot support SIIT
* environment at all. So, it makes more sense for us to reject any
* malicious packets for non-SIIT environment, than try to do a
* partial support for SIIT environment.
* We have supported IPv6-only kernels for a few years and this issue
* has not come up. The world seems to move mostly towards not using
* v4mapped on the wire, so it makes sense for us to keep rejecting
* any such packets.
*/
if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {