Remove the check for packets with broadcast source from if_gif's encapcheck.

The check was recommened in the draft-ietf-ngtrans-mech-05.txt. But it isn't
clear, should it compare the source with all direct broadcast addresses in the
system or not.
RFC 4213 says it is enough to verify that the source address is the address
of the encapsulator, as configured on the decapsulator. And this verification
can be extended by administrator with any other forms of IPv4 ingress filtering.

Discussed with:	glebius, melifaro
Sponsored by:	Yandex LLC
This commit is contained in:
Andrey V. Elsukov 2014-10-31 15:23:24 +00:00
parent cde04bfa59
commit 1d904a55c8

View File

@ -167,7 +167,6 @@ in_gif_input(struct mbuf **mp, int *offp, int proto)
static int static int
gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp) gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
{ {
struct in_ifaddr *ia4;
GIF_RLOCK_ASSERT(sc); GIF_RLOCK_ASSERT(sc);
@ -186,19 +185,6 @@ gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
return (0); return (0);
} }
/* reject packets with broadcast on source */
/* XXXRW: should use hash lists? */
IN_IFADDR_RLOCK();
TAILQ_FOREACH(ia4, &V_in_ifaddrhead, ia_link) {
if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0)
continue;
if (ip->ip_src.s_addr == ia4->ia_broadaddr.sin_addr.s_addr) {
IN_IFADDR_RUNLOCK();
return (0);
}
}
IN_IFADDR_RUNLOCK();
/* ingress filters on outer source */ /* ingress filters on outer source */
if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) { if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) {
struct sockaddr_in sin; struct sockaddr_in sin;