Date: Tue, 25 Jan 2005 16:20:06 GMT
Message-Id: <200501251620.j0PGK6EE076508@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Antonio Tapiador del Dujo
Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?

The following reply was made to PR kern/75121; it has been noted by GNATS.

From: Antonio Tapiador del Dujo
To: Hajimu UMEMOTO
Cc: Antonio Tapiador del Dujo, FreeBSD-gnats-submit@freebsd.org, Gleb Smirnoff
Subject: Re: kern/75121: Wrong behaviour of IFF_LINK2 bit in 6in6 gifs?
Date: Tue, 25 Jan 2005 17:19:11 +0100

I think I'm leaving this, because I'm going mad...
Sorry if I'm wrong, but:

On Wednesday, 26 January 2005, at 00:30:53, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Tue, 25 Jan 2005 15:57:48 +0100
> >>>>> Antonio Tapiador del Dujo said:
>
> atapiador> But now IFF_LINK2 does not turn off ingress filter.
> atapiador> Either kernel code or man page should be modified because one is
> atapiador> inconsistent with the other.
>
> No, it does.  You can find following chunk in in6_gif.cgif_validate6()
> in6_gif.c:
>
> 	/* ingress filters on outer source */
> 	if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) {
>
> The check you pointed out is not an ingress filter.

You said:
"Ingress filtering is for preventing IP address spoofing of
outer src address and dest address."

The check you point out is for the interface, as Gleb said:
"The IFF_LINK2 means that incoming tunnel packets may come from interface
different to interface we use for sending out tunnel packets."

Packets with src or dest addresses spoofed are dropped before:

	/*
	 * Check for address match.  Note that the check is for an incoming
	 * packet.  We should compare the *source* address in our configuration
	 * and the *destination* address of the packet, and vice versa.
	 */
	if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) ||
	    !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src))
		return 0;

-- 
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
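
Added example, not part of the original message and not FreeBSD source: a user-space C model of the two checks quoted in this thread, showing which inbound packets each one drops and what setting IFF_LINK2 changes. The struct names, validate6_model, run_case and the interface comparison used as the body of the ingress-filter branch are assumptions; the thread quotes only that branch's condition.

```c
#include <stdio.h>
#include <string.h>
#define IFF_LINK2 0x4000   /* flag bit, as defined in FreeBSD's <net/if.h> */

struct addr6 { unsigned char b[16]; };   /* stand-in for struct in6_addr */
struct tunnel {                          /* stand-in for the gif softc */
    int flags;
    struct addr6 local, remote;          /* configured outer endpoints */
    int route_ifindex;                   /* interface the route to `remote` uses */
};
struct packet { struct addr6 src, dst; int rcv_ifindex; };

static int addr_eq(const struct addr6 *a, const struct addr6 *b)
{
    return memcmp(a->b, b->b, sizeof a->b) == 0;
}

/* Returns 1 when the outer header is accepted for the tunnel, 0 when dropped. */
int validate6_model(const struct packet *p, const struct tunnel *t)
{
    /* Address match, always enforced: configured source vs. packet
     * destination, and vice versa. */
    if (!addr_eq(&t->local, &p->dst) || !addr_eq(&t->remote, &p->src))
        return 0;
    /* Ingress filter on outer source, skipped when IFF_LINK2 is set.
     * Assumed body: receiving interface must be the one routing to the source. */
    if ((t->flags & IFF_LINK2) == 0 && p->rcv_ifindex != t->route_ifindex)
        return 0;
    return 1;
}

/* Constructed sample: tunnel 2001:db8::1 <-> 2001:db8::2, peer routed via ifindex 1. */
int run_case(int flags, unsigned char src_last_byte, int rcv_ifindex)
{
    struct tunnel t = { flags, {{0x20, 0x01, 0x0d, 0xb8, [15] = 1}},
                        {{0x20, 0x01, 0x0d, 0xb8, [15] = 2}}, 1 };
    struct packet p;
    p.src = t.remote; p.dst = t.local; p.rcv_ifindex = rcv_ifindex;
    p.src.b[15] = src_last_byte;
    return validate6_model(&p, &t);
}

int main(void)
{
    printf("wrong source address, LINK2 set: %d\n", run_case(IFF_LINK2, 9, 1));
    printf("expected peer, other interface:  %d\n", run_case(0, 2, 7));
    printf("same packet with LINK2 set:      %d\n", run_case(IFF_LINK2, 2, 7));
    return 0;
}
```

In this model the address match holds regardless of the flag, and IFF_LINK2 relaxes only the receiving-interface comparison.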