git: 9front

Download patch

ref: 23c41f25eb20a54f835df7fb2240944cd15e60a2
parent: e27d33f2a56dd196d084dbaacabf31e0e41340b2
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Thu Mar 31 19:53:10 EDT 2016 

6in4: ingress filter multicast and link-local, but allow relay traffic


--- a/sys/src/cmd/ip/6in4.c
+++ b/sys/src/cmd/ip/6in4.c
@@ -381,7 +381,6 @@
 {
 	int n, m;
 	char buf[64*1024];
-	uchar a[IPaddrlen];
 	Ip6hdr *op;
 	Iphdr *ip;
 
@@ -419,14 +418,10 @@
 		op = (Ip6hdr*)(buf + IPaddrlen + STFHDR);
 		n -= STFHDR;
 
-		/*
-		 * don't relay: just accept packets for local host/subnet
-		 * (this blocks link-local and multicast addresses as well)
-		 */
-		maskip(op->dst, localmask, a);
-		if (!equivip6(a, localnet)) {
-			syslog(0, "6in4", "ingress filtered %I -> %I; "
-				"dst not on local net", op->src, op->dst);
+		/* filter multicast and link-local, but allow relay traffic */
+		if (badipv6(op->src) || badipv6(op->dst)) {
+			syslog(0, "6in4", "ingress filtered %I -> %I; bad src/dst",
+				op->src, op->dst);
 			continue;
 		}
 		if (debug > 1)
--