kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?
Antonio Tapiador del Dujo
atapiador at dit.upm.es
Tue Jan 25 08:20:28 PST 2005
The following reply was made to PR kern/75121; it has been noted by GNATS.
From: Antonio Tapiador del Dujo <atapiador at dit.upm.es>
To: Hajimu UMEMOTO <ume at freebsd.org>
Cc: Antonio Tapiador del Dujo <atapiador at dit.upm.es>,
FreeBSD-gnats-submit at freebsd.org, Gleb Smirnoff <glebius at freebsd.org>
Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?
Date: Tue, 25 Jan 2005 17:19:11 +0100
I think I'm leaving this, because I'm going mad...
Sorry if I'm wrong, but:
On Wednesday, 26 January 2005, at 00:30:53, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Tue, 25 Jan 2005 15:57:48 +0100
> >>>>> Antonio Tapiador del Dujo <atapiador at dit.upm.es> said:
>
> atapiador> But now IFF_LINK2 does not turn off ingress filter.
> atapiador> Either kernel code or man page should be modified because one is
> atapiador> inconsistent with the other.
>
> No, it does. You can find following chunk in in6_gif.cgif_validate6()
> in6_gif.c:
>
>     /* ingress filters on outer source */
>     if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) {
>
> The check you pointed out is not an ingress filter.
You said: "Ingress filtering is for preventing IP address spoofing of
outer src address and dest address."
The check you point out is for the interface, as Gleb said:
"The IFF_LINK2 means that incoming tunnel packets may come from
interface different to interface we use for sending out tunnel packets."
Packets with src or dest addresses spoofed are dropped before:
    /*
     * Check for address match. Note that the check is for an incoming
     * packet. We should compare the *source* address in our configuration
     * and the *destination* address of the packet, and vice versa.
     */
    if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) ||
        !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src))
        return 0;
-- 
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
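
The two checks discussed in this message, as an added user-space model that is not part of the original e-mail and is not FreeBSD kernel code. It is a sketch of the ordering the thread describes: the address match always runs, while the interface check is gated by the flag. All `model_*` names, the `MODEL_IFF_LINK2` bit, the addresses and the interface indexes are constructed, and the route lookup is reduced to a stored interface index as an assumption.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define MODEL_IFF_LINK2 0x4000     /* flag bit for this model only */

struct model_tunnel {              /* hypothetical stand-in for the gif softc */
    struct in6_addr local, remote; /* configured outer endpoints */
    int if_flags;
    int route_ifindex;             /* interface the route back to `remote` uses */
};

/* Returns 1 to accept the encapsulated packet, 0 to drop it. */
int model_validate6(const struct model_tunnel *t, const struct in6_addr *src,
                    const struct in6_addr *dst, int rcv_ifindex)
{
    /* Address match: packet dst must be our local end and packet src the
     * remote end. This runs regardless of the flag. */
    if (memcmp(&t->local, dst, sizeof(*dst)) != 0 ||
        memcmp(&t->remote, src, sizeof(*src)) != 0)
        return 0;
    /* Ingress filter on outer source: applied only while the flag is clear. */
    if ((t->if_flags & MODEL_IFF_LINK2) == 0 && rcv_ifindex != 0 &&
        t->route_ifindex != rcv_ifindex)
        return 0;
    return 1;
}

/* Constructed scenario: tunnel 2001:db8::1 <-> 2001:db8::2, route via ifindex 1.
 * Returns -1 if an address string fails to parse. */
int model_case(int flags, const char *src, const char *dst, int rcv_ifindex)
{
    struct model_tunnel t = { .if_flags = flags, .route_ifindex = 1 };
    struct in6_addr s, d;
    if (inet_pton(AF_INET6, "2001:db8::1", &t.local) != 1 ||
        inet_pton(AF_INET6, "2001:db8::2", &t.remote) != 1 ||
        inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    return model_validate6(&t, &s, &d, rcv_ifindex);
}

int main(void)
{
    printf("flag clear, expected ifp: %d\n", model_case(0, "2001:db8::2", "2001:db8::1", 1));
    printf("flag clear, other ifp:    %d\n", model_case(0, "2001:db8::2", "2001:db8::1", 2));
    printf("flag set, other ifp:      %d\n", model_case(MODEL_IFF_LINK2, "2001:db8::2", "2001:db8::1", 2));
    printf("flag set, wrong src:      %d\n", model_case(MODEL_IFF_LINK2, "2001:db8::66", "2001:db8::1", 2));
    return 0;
}
```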