Date: Fri, 6 Dec 2019 16:53:42 +0000 (UTC)
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r355452 - head/sys/netinet6
Message-ID: <201912061653.xB6GrgrF053747@repo.freebsd.org>
Author: bz Date: Fri Dec 6 16:53:42 2019 New Revision: 355452 URL: https://svnweb.freebsd.org/changeset/base/355452 Log: Update comment. Update the comment related to SIIT and v4mapped addresses being rejected by us when coming from the wire given we have supported IPv6-only kernels for a few years now. See also draft-itojun-v6ops-v4mapped-harmful. Suggested by: melifaro MFC after: 2 weeks Modified: head/sys/netinet6/ip6_input.c Modified: head/sys/netinet6/ip6_input.c ============================================================================== --- head/sys/netinet6/ip6_input.c Fri Dec 6 16:48:36 2019 (r355451) +++ head/sys/netinet6/ip6_input.c Fri Dec 6 16:53:42 2019 (r355452) @@ -677,11 +677,10 @@ ip6_input(struct mbuf *m) * and bypass security checks (act as if it was from 127.0.0.1 by using * IPv6 src ::ffff:127.0.0.1). Be cautious. * - * This check chokes if we are in an SIIT cloud. As none of BSDs - * support IPv4-less kernel compilation, we cannot support SIIT - * environment at all. So, it makes more sense for us to reject any - * malicious packets for non-SIIT environment, than try to do a - * partial support for SIIT environment. + * We have supported IPv6-only kernels for a few years and this issue + * has not come up. The world seems to move mostly towards not using + * v4mapped on the wire, so it makes sense for us to keep rejecting + * any such packets. */ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
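Review bot: In the replacement comment above the IN6_IS_ADDR_V4MAPPED check, "this issue has not come up" has no antecedent once the SIIT sentences are removed, so a reader of ip6_input.c alone cannot tell that the issue is an SIIT environment needing v4mapped addresses on the wire. Suggest naming SIIT in the new text and citing draft-itojun-v6ops-v4mapped-harmful there, since that reference currently appears only in the commit log. "For a few years" will also go stale; wording that does not depend on when the comment is read would hold up better.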