Date: Tue, 25 Jan 2005 16:20:06 GMT
From: Antonio Tapiador del Dujo <atapiador@dit.upm.es>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?
Message-ID: <200501251620.j0PGK6EE076508@freefall.freebsd.org>
The following reply was made to PR kern/75121; it has been noted by GNATS.

From: Antonio Tapiador del Dujo <atapiador@dit.upm.es>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: Antonio Tapiador del Dujo <atapiador@dit.upm.es>, FreeBSD-gnats-submit@freebsd.org, Gleb Smirnoff <glebius@freebsd.org>
Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?
Date: Tue, 25 Jan 2005 17:19:11 +0100

I think I'm leaving this, because I'm going mad... Sorry if I'm wrong, but:

On Wednesday, 26 January 2005, at 00:30:53, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Tue, 25 Jan 2005 15:57:48 +0100
> >>>>> Antonio Tapiador del Dujo <atapiador@dit.upm.es> said:
>
> atapiador> But now IFF_LINK2 does not turn off ingress filter.
> atapiador> Either kernel code or man page should be modified because one is
> atapiador> inconsistent with the other.
>
> No, it does.  You can find following chunk in in6_gif.cgif_validate6()
> in6_gif.c:
>
> 	/* ingress filters on outer source */
> 	if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) {
>
> The check you pointed out is not an ingress filter.

You said:
"Ingress filtering is for preventing IP address spoofing of
outer src address and dest address."

The check you point out is for the interface, as Gleb said:
"The IFF_LINK2 means that incoming tunnel packets may come from interface
different to interface we use for sending out tunnel packets."

Packets with src or dest addresses spoofed are dropped before:

	/*
	 * Check for address match.  Note that the check is for an incoming
	 * packet.  We should compare the *source* address in our configuration
	 * and the *destination* address of the packet, and vice versa.
	 */
	if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) ||
	    !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src))
		return 0;

-- 
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
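Added example, not part of the original message or the FreeBSD source: a user-space C model of the two checks discussed in the message above, showing that the address match applies whether or not IFF_LINK2 is set, while the interface check is skipped when it is set. The struct layouts, validate6(), run_case() and the route_if field (standing in for the kernel's route lookup on the outer source) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define IFF_LINK2 0x4000   /* value from FreeBSD <net/if.h> */

struct addr6 { unsigned char b[16]; };   /* stand-in for struct in6_addr */
struct tunnel { struct addr6 src, dst; int if_flags; };  /* configured endpoints */
struct packet {
    struct addr6 ip6_src, ip6_dst;  /* outer header addresses */
    int rcv_if;                     /* interface the packet arrived on (0 = unknown) */
    int route_if;                   /* interface the route back to ip6_src points at */
};

static int same(const struct addr6 *a, const struct addr6 *b)
{
    return memcmp(a->b, b->b, sizeof a->b) == 0;
}

/* Returns 1 to accept the packet for this tunnel, 0 to drop it. */
int validate6(const struct tunnel *t, const struct packet *p)
{
    /* Address match: always applied, whatever IFF_LINK2 says. */
    if (!same(&t->src, &p->ip6_dst) || !same(&t->dst, &p->ip6_src))
        return 0;
    /* Interface check on the outer source: skipped when IFF_LINK2 is set. */
    if ((t->if_flags & IFF_LINK2) == 0 && p->rcv_if && p->route_if != p->rcv_if)
        return 0;
    return 1;
}

/* Constructed sample: tunnel 2001:db8::1 <-> 2001:db8::2, route to peer via if 1. */
int run_case(int if_flags, int wrong_src, int rcv_if)
{
    struct tunnel t = { {{0x20,0x01,0x0d,0xb8,[15]=1}}, {{0x20,0x01,0x0d,0xb8,[15]=2}}, if_flags };
    struct packet p;
    p.ip6_src = t.dst; p.ip6_dst = t.src; p.rcv_if = rcv_if; p.route_if = 1;
    if (wrong_src)
        p.ip6_src.b[15] = 0x99;     /* outer source is not the configured peer */
    return validate6(&t, &p);
}

int main(void)
{
    printf("peer src, if 1, LINK2 off: %d\n", run_case(0, 0, 1));
    printf("peer src, if 2, LINK2 off: %d\n", run_case(0, 0, 2));
    printf("peer src, if 2, LINK2 on:  %d\n", run_case(IFF_LINK2, 0, 2));
    printf("other src, if 1, LINK2 on: %d\n", run_case(IFF_LINK2, 1, 1));
    return 0;
}
```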