svn commit: r259796 - user/ae/inet6/sys/netinet6

Andrey V. Elsukov ae at FreeBSD.org
Mon Dec 23 22:26:18 UTC 2013


Author: ae
Date: Mon Dec 23 22:26:17 2013
New Revision: 259796
URL: http://svnweb.freebsd.org/changeset/base/259796

Log:
  * Use new prison_xxx_ip6() functions.
  * rip6_output() always calls in6_selectsrc() where all prison restrictions
  will be applied, thus no need to call prison_check_ip6() here.
  * in rip6_bind() move prison_check_ip6() call to be a bit later, when
  sockaddr_in6 structure will have sin6_scope_id properly initialized.

Modified:
  user/ae/inet6/sys/netinet6/raw_ip6.c

Modified: user/ae/inet6/sys/netinet6/raw_ip6.c
==============================================================================
--- user/ae/inet6/sys/netinet6/raw_ip6.c	Mon Dec 23 22:20:47 2013	(r259795)
+++ user/ae/inet6/sys/netinet6/raw_ip6.c	Mon Dec 23 22:26:17 2013	(r259796)
@@ -166,6 +166,7 @@ rip6_input(struct mbuf **mp, int *offp, 
 	struct inpcb *last = 0;
 	struct mbuf *opts = NULL;
 	struct sockaddr_in6 fromsa;
+	uint32_t zoneid;
 
 	RIP6STAT_INC(rip6s_ipackets);
 
@@ -176,8 +177,8 @@ rip6_input(struct mbuf **mp, int *offp, 
 	}
 
 	init_sin6(&fromsa, m); /* general init */
-
 	ifp = m->m_pkthdr.rcvif;
+	zoneid = in6_getscopezone(ifp, IPV6_ADDR_SCOPE_LINKLOCAL);
 
 	INP_INFO_RLOCK(&V_ripcbinfo);
 	LIST_FOREACH(in6p, &V_ripcb, inp_list) {
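Review bot: `zoneid` is always derived with `IPV6_ADDR_SCOPE_LINKLOCAL` from the receiving interface, yet the jail check in the following hunk passes it with `ip6->ip6_dst` for every non-multicast destination, including global ones. Whether `prison_check_in6()` ignores the zone for addresses of wider scope is not visible here; if it compares the zone unconditionally, delivery to a jailed raw socket could be filtered against the wrong zone. A comment at the assignment would pin the assumption, for example `/* link-local zone of rcvif; assumed to be consulted only when ip6_dst is link-local */`. The new call also hands `ifp` to `in6_getscopezone()` with no NULL check in the hunk, so it is worth confirming that `m_pkthdr.rcvif` is always set on this input path. rip6_input's body extends beyond both hunks.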
@@ -200,8 +201,8 @@ rip6_input(struct mbuf **mp, int *offp, 
 			 * and fall through into normal filter path if so.
 			 */
 			if (!IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
-			    prison_check_ip6(in6p->inp_cred,
-			    &ip6->ip6_dst) != 0)
+			    prison_check_in6(in6p->inp_cred,
+			    &ip6->ip6_dst, zoneid) != 0)
 				continue;
 		}
 		INP_RLOCK(in6p);
@@ -466,9 +467,6 @@ rip6_output(struct mbuf *m, ...)
 	    &oifp, &in6a);
 	if (error)
 		goto bad;
-	error = prison_check_ip6(in6p->inp_cred, &in6a);
-	if (error != 0)
-		goto bad;
 	ip6->ip6_src = in6a;
 	ip6->ip6_dst = dstsock->sin6_addr;
 
@@ -740,8 +738,6 @@ rip6_bind(struct socket *so, struct sock
 
 	if (nam->sa_len != sizeof(*addr))
 		return (EINVAL);
-	if ((error = prison_check_ip6(td->td_ucred, &addr->sin6_addr)) != 0)
-		return (error);
 	if (TAILQ_EMPTY(&V_ifnet) || addr->sin6_family != AF_INET6)
 		return (EADDRNOTAVAIL);
 	INP_RLOCK(inp);
@@ -750,6 +746,8 @@ rip6_bind(struct socket *so, struct sock
 	INP_RUNLOCK(inp);
 	if (error != 0)
 		return (error);
+	if ((error = prison_check_ip6(td->td_ucred, addr)) != 0)
+		return (error);
 	if (!IN6_IS_ADDR_UNSPECIFIED(&addr->sin6_addr)) {
 		ifa = in6ifa_ifwithaddr(&addr->sin6_addr, addr->sin6_scope_id);
 		if (ifa == NULL)
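Review bot: The relocated `prison_check_ip6()` call relies on `sin6_scope_id` having been set by the locked step just above it, but nothing in the code records that ordering requirement. A later cleanup could move the jail check back in front of that step, and link-local addresses would then presumably be checked without a valid zone. I would add a comment above the call such as `/* Must follow scope initialization: the jail check needs a valid sin6_scope_id. */`. The move also changes which error a jailed caller sees first, since the `EADDRNOTAVAIL` checks and the scope step now run before the jail check. rip6_bind starts and ends outside this hunk, so the scope step itself is not visible here.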

