From: "Andrey V. Elsukov"
Date: Fri, 31 Oct 2014 15:23:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r273909 - head/sys/netinet

Author: ae
Date: Fri Oct 31 15:23:24 2014
New Revision: 273909
URL: https://svnweb.freebsd.org/changeset/base/273909

Log:
  Remove the check for packets with broadcast source from if_gif's encapcheck.

  The check was recommended in the draft-ietf-ngtrans-mech-05.txt. But it isn't clear, should it compare the source with all direct broadcast addresses in the system or not. RFC 4213 says it is enough to verify that the source address is the address of the encapsulator, as configured on the decapsulator. And this verification can be extended by administrator with any other forms of IPv4 ingress filtering.

  Discussed with: glebius, melifaro
  Sponsored by: Yandex LLC

Modified:
  head/sys/netinet/in_gif.c

Modified: head/sys/netinet/in_gif.c ============================================================================== --- head/sys/netinet/in_gif.c Fri Oct 31 15:07:51 2014 (r273908) +++ head/sys/netinet/in_gif.c Fri Oct 31 15:23:24 2014 (r273909) @@ -167,7 +167,6 @@ in_gif_input(struct mbuf **mp, int *offp static int gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp) { - struct in_ifaddr *ia4; GIF_RLOCK_ASSERT(sc); 
@@ -186,19 +185,6 @@ gif_validate4(const struct ip *ip, struc return (0); } - /* reject packets with broadcast on source */ - /* XXXRW: should use hash lists? */ - IN_IFADDR_RLOCK(); - TAILQ_FOREACH(ia4, &V_in_ifaddrhead, ia_link) { - if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0) - continue; - if (ip->ip_src.s_addr == ia4->ia_broadaddr.sin_addr.s_addr) { - IN_IFADDR_RUNLOCK(); - return (0); - } - } - IN_IFADDR_RUNLOCK(); - /* ingress filters on outer source */ if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) { struct sockaddr_in sin;
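
Review bot: the second hunk in gif_validate4() deletes the "reject packets with broadcast on source" loop without leaving any trace of the decision in the code, so a later reader of this function has to find r273909 to learn that the omission is deliberate. A short comment in its place would help, for example `/* Broadcast outer sources are not checked here; see RFC 4213. */`. The remaining "ingress filters on outer source" block runs only when IFF_LINK2 is clear and ifp is non-NULL, so when that condition is false the outer source gets no further examination in the lines shown after the hunk, and the commit log leaves anything more to administrator-configured IPv4 ingress filtering. That dependency deserves a sentence in the interface documentation.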