Date: Tue, 25 Jan 2005 16:20:06 GMT From: Antonio Tapiador del Dujo <atapiador@dit.upm.es> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs? Message-ID: <200501251620.j0PGK6EE076508@freefall.freebsd.org>
The following reply was made to PR kern/75121; it has been noted by GNATS.
From: Antonio Tapiador del Dujo <atapiador@dit.upm.es>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: Antonio Tapiador del Dujo <atapiador@dit.upm.es>,
FreeBSD-gnats-submit@freebsd.org, Gleb Smirnoff <glebius@freebsd.org>
Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?
Date: Tue, 25 Jan 2005 17:19:11 +0100
I think I'm leaving this, because I'm going mad...
Sorry if I'm wrong, but:
On Wednesday, 26 January 2005, at 00:30:53, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Tue, 25 Jan 2005 15:57:48 +0100
> >>>>> Antonio Tapiador del Dujo <atapiador@dit.upm.es> said:
>
> atapiador> But now IFF_LINK2 does not turn off ingress filter.
> atapiador> Either kernel code or man page should be modified because one is
> atapiador> inconsistent with the other.
>
> No, it does. You can find following chunk in in6_gif.cgif_validate6()
> in6_gif.c:
>
> 	/* ingress filters on outer source */
> 	if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) {
>
> The check you pointed out is not an ingress filter.
You said: "Ingress filtering is for preventing IP address spoofing of
outer src address and dest address."
The check you point out is for the interface, as Gleb said:
"The IFF_LINK2 means that incoming tunnel packets may come from
interface different to interface we use for sending out tunnel packets."
Packets with src or dest addresses spoofed are dropped before:
	/*
	 * Check for address match. Note that the check is for an incoming
	 * packet. We should compare the *source* address in our configuration
	 * and the *destination* address of the packet, and vice versa.
	 */
	if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) ||
	    !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src))
		return 0;
-- 
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
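
A user-space C model of the two checks quoted in this message, added here as an illustration and not taken from the FreeBSD source or from either poster: the address match runs unconditionally, while the ingress filter on the outer source runs only when IFF_LINK2 is clear. The names `struct tunnel`, `route_ifindex` and `check_case` are hypothetical, and the body of the ingress filter (comparing the receiving interface with the interface used to reach the outer source) is an assumption based on the description quoted above.

```c
/* User-space model added for illustration; not the FreeBSD kernel source. */
#include <stdio.h>
#include <string.h>
#define IFF_LINK2 0x4000  /* same bit value as FreeBSD <net/if.h> */

struct addr6 { unsigned char b[16]; };   /* stand-in for struct in6_addr */
struct tunnel {                          /* stand-in for the gif softc */
    int if_flags;
    struct addr6 src, dst;               /* configured outer endpoints */
};
static int addr_eq(const struct addr6 *a, const struct addr6 *b)
{
    return memcmp(a->b, b->b, sizeof a->b) == 0;
}

/* Hypothetical route lookup: index of the interface used to reach peer. */
static int route_ifindex(const struct addr6 *peer) { (void)peer; return 1; }

/* Returns 1 when the outer header is accepted, 0 when it is dropped. */
static int validate6(const struct tunnel *sc, const struct addr6 *pkt_src,
                     const struct addr6 *pkt_dst, int rcv_ifindex)
{
    /* Address match: applied whether or not IFF_LINK2 is set. */
    if (!addr_eq(&sc->src, pkt_dst) || !addr_eq(&sc->dst, pkt_src))
        return 0;
    /* Ingress filter on outer source: only when IFF_LINK2 is clear. */
    if ((sc->if_flags & IFF_LINK2) == 0 && rcv_ifindex != 0 &&
        route_ifindex(pkt_src) != rcv_ifindex)
        return 0;
    return 1;
}

/* Constructed sample: 2001:db8::1 is local, 2001:db8::2 is the peer. */
static int check_case(int flags, int src_matches, int rcv_ifindex)
{
    struct tunnel sc = { flags, {{0x20, 0x01, 0x0d, 0xb8, [15] = 1}},
                                {{0x20, 0x01, 0x0d, 0xb8, [15] = 2}} };
    struct addr6 other = {{0x20, 0x01, 0x0d, 0xb8, [15] = 9}};
    return validate6(&sc, src_matches ? &sc.dst : &other, &sc.src, rcv_ifindex);
}

int main(void)
{
    printf("LINK2 off, right if : %d\n", check_case(0, 1, 1));
    printf("LINK2 off, other if : %d\n", check_case(0, 1, 2));
    printf("LINK2 on,  other if : %d\n", check_case(IFF_LINK2, 1, 2));
    printf("LINK2 on,  wrong src: %d\n", check_case(IFF_LINK2, 0, 2));
    return 0;
}
```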
