Remove the check for packets with broadcast source from if_gif's encapcheck.
The check was recommened in the draft-ietf-ngtrans-mech-05.txt. But it isn't clear, should it compare the source with all direct broadcast addresses in the system or not. RFC 4213 says it is enough to verify that the source address is the address of the encapsulator, as configured on the decapsulator. And this verification can be extended by administrator with any other forms of IPv4 ingress filtering. Discussed with: glebius, melifaro Sponsored by: Yandex LLC
This commit is contained in:
parent
cde04bfa59
commit
1d904a55c8
@ -167,7 +167,6 @@ in_gif_input(struct mbuf **mp, int *offp, int proto)
|
|||||||
static int
|
static int
|
||||||
gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
|
gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
|
||||||
{
|
{
|
||||||
struct in_ifaddr *ia4;
|
|
||||||
|
|
||||||
GIF_RLOCK_ASSERT(sc);
|
GIF_RLOCK_ASSERT(sc);
|
||||||
|
|
||||||
@ -186,19 +185,6 @@ gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
|
|||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* reject packets with broadcast on source */
|
|
||||||
/* XXXRW: should use hash lists? */
|
|
||||||
IN_IFADDR_RLOCK();
|
|
||||||
TAILQ_FOREACH(ia4, &V_in_ifaddrhead, ia_link) {
|
|
||||||
if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0)
|
|
||||||
continue;
|
|
||||||
if (ip->ip_src.s_addr == ia4->ia_broadaddr.sin_addr.s_addr) {
|
|
||||||
IN_IFADDR_RUNLOCK();
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
IN_IFADDR_RUNLOCK();
|
|
||||||
|
|
||||||
/* ingress filters on outer source */
|
/* ingress filters on outer source */
|
||||||
if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) {
|
if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) {
|
||||||
struct sockaddr_in sin;
|
struct sockaddr_in sin;
|
||||||
|
Loading…
Reference in New Issue
Block a user