d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not forward datagrams originated by link-local addresses

Browse Source 
The current implement of ip_input() reject packets destined for
169.254.0.0/16, but not those original from 169.254.0.0/16 link-local
addresses.

Fix to fully respect RFC 3927 section 2.7.

PR:		255388
Reviewed by:	donner, rgrimes, karels
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D29968
This commit is contained in:
Zhenlei Huang 2021-05-18 22:51:37 +02:00 committed by Lutz Donnerhacke
parent 63b6a08ce2
commit 3d846e4822
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
sys/netinet/ip_input.c
View File

@ -738,15 +738,10 @@ ip_input(struct mbuf *m)
} }
ia = NULL; ia = NULL;
} }
/* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */
if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
IPSTAT_INC(ips_cantforward);
m_freem(m);
return;
}
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
MROUTER_RLOCK(); MROUTER_RLOCK();
if (V_ip_mrouter) { /* Do not forward packets from IN_LINKLOCAL. */
if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
/* /*
* If we are acting as a multicast router, all * If we are acting as a multicast router, all
* incoming multicast packets are passed to the * incoming multicast packets are passed to the
@ -785,6 +780,13 @@ ip_input(struct mbuf *m)
goto ours; goto ours;
if (ip->ip_dst.s_addr == INADDR_ANY) if (ip->ip_dst.s_addr == INADDR_ANY)
goto ours; goto ours;
/* Do not forward packets to or from IN_LINKLOCAL. */
if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
IPSTAT_INC(ips_cantforward);
m_freem(m);
return;
}
/* /*
* Not for us; forward if possible and desirable. * Not for us; forward if possible and desirable.