Date: Fri, 18 May 2007 06:19:55 GMT From: Matt Jacob <mjacob@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 119984 for review Message-ID: <200705180619.l4I6Jt61055373@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=119984 Change 119984 by mjacob@mjexp on 2007/05/18 06:19:27 IFC driblets Affected files ... .. //depot/projects/mjexp/sys/netinet/icmp6.h#2 integrate .. //depot/projects/mjexp/sys/netinet6/icmp6.c#5 integrate .. //depot/projects/mjexp/sys/netinet6/in6_proto.c#6 integrate Differences ... ==== //depot/projects/mjexp/sys/netinet/icmp6.h#2 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netinet/icmp6.h,v 1.20 2005/10/21 16:23:00 suz Exp $ */ +/* $FreeBSD: src/sys/netinet/icmp6.h,v 1.21 2007/05/17 21:20:23 jinmei Exp $ */ /* $KAME: icmp6.h,v 1.46 2001/04/27 15:09:48 itojun Exp $ */ /*- @@ -709,6 +709,11 @@ extern int icmp6_rediraccept; /* accept/process redirects */ extern int icmp6_redirtimeout; /* cache time for redirect routes */ + +#define ICMP6_NODEINFO_FQDNOK 0x1 +#define ICMP6_NODEINFO_NODEADDROK 0x2 +#define ICMP6_NODEINFO_TMPADDROK 0x4 +#define ICMP6_NODEINFO_GLOBALOK 0x8 #endif /* _KERNEL */ #endif /* not _NETINET_ICMP6_H_ */ ==== //depot/projects/mjexp/sys/netinet6/icmp6.c#5 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netinet6/icmp6.c,v 1.75 2007/02/10 12:25:19 bms Exp $ */ +/* $FreeBSD: src/sys/netinet6/icmp6.c,v 1.76 2007/05/17 21:20:23 jinmei Exp $ */ /* $KAME: icmp6.c,v 1.211 2001/04/04 05:56:20 itojun Exp $ */ /*- @@ -666,6 +666,10 @@ u_char *p; int maxlen, maxhlen; + /* + * XXX: this combination of flags is pointless, + * but should we keep this for compatibility? + */ if ((icmp6_nodeinfo & 5) != 5) break; 
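Review bot: The four `ICMP6_NODEINFO_*` bits added just before `#endif /* _KERNEL */` carry no comments, although they now define the policy values of `icmp6_nodeinfo`. Each should say what it permits, matching how icmp6.c tests it, for example `#define ICMP6_NODEINFO_GLOBALOK 0x8 /* answer queries whose source is neither loopback nor link-local */` and `#define ICMP6_NODEINFO_TMPADDROK 0x4 /* allow temporary addresses as query targets and in replies */`. Because the definitions sit inside the `_KERNEL` block, they are presumably not visible to userland, so these comments would be the only record of what each raw bit means for someone setting the value.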
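Review bot: The test `(icmp6_nodeinfo & 5) != 5` keeps a raw mask while every other use touched by this change moves to the named bits; by the new icmp6.h values, 5 is `ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_TMPADDROK`. Spelling it out as `if ((icmp6_nodeinfo & (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_TMPADDROK)) != (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_TMPADDROK))` makes the combination that the XXX comment questions readable. The added comment should also say why the pairing looks pointless, because the enclosing case starts and ends outside the hunk and gives no context here.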
@@ -1184,12 +1188,30 @@ #endif /* + * Validate IPv6 source address. + * The default configuration MUST be to refuse answering queries from + * global-scope addresses according to RFC4602. + * Notes: + * - it's not very clear what "refuse" means; this implementation + * simply drops it. + * - it's not very easy to identify global-scope (unicast) addresses + * since there are many prefixes for them. It should be safer + * and in practice sufficient to check "all" but loopback and + * link-local (note that site-local unicast was deprecated and + * ULA is defined as global scope-wise) + */ + if ((icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 && + !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) && + !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src)) + goto bad; + + /* * Validate IPv6 destination address. * * The Responder must discard the Query without further processing * unless it is one of the Responder's unicast or anycast addresses, or * a link-local scope multicast address which the Responder has joined. - * [icmp-name-lookups-08, Section 4.] + * [RFC4602, Section 5.] */ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst)) @@ -1200,7 +1222,7 @@ goto bad; /* XXX impossible */ if ((ia6->ia6_flags & IN6_IFF_TEMPORARY) && - !(icmp6_nodeinfo & 4)) { + !(icmp6_nodeinfo & ICMP6_NODEINFO_TMPADDROK)) { nd6log((LOG_DEBUG, "ni6_input: ignore node info to " "a temporary address in %s:%d", __FILE__, __LINE__)); @@ -1315,12 +1337,12 @@ /* refuse based on configuration. XXX ICMP6_NI_REFUSED? */ switch (qtype) { case NI_QTYPE_FQDN: - if ((icmp6_nodeinfo & 1) == 0) + if ((icmp6_nodeinfo & ICMP6_NODEINFO_FQDNOK) == 0) goto bad; break; case NI_QTYPE_NODEADDR: case NI_QTYPE_IPV4ADDR: - if ((icmp6_nodeinfo & 2) == 0) + if ((icmp6_nodeinfo & ICMP6_NODEINFO_NODEADDROK) == 0) goto bad; break; } 
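Review bot: The new source-address check jumps to `bad` without any log or counter, whereas the temporary-address rejection a few lines below reports through `nd6log`. Since the default in in6_proto.c leaves `ICMP6_NODEINFO_GLOBALOK` clear, queries from global sources are now dropped silently; bracing the body and adding `nd6log((LOG_DEBUG, "ni6_input: ignore node info query from a non-local source in %s:%d", __FILE__, __LINE__));` before `goto bad;` would keep the drop diagnosable. The check also accepts a loopback source without looking at the receiving interface, which presumably relies on earlier input filtering; a one-line comment saying so would help. Both comments cite RFC4602, which looks like a transposition of RFC 4620 (IPv6 Node Information Queries). The enclosing function begins and ends outside the hunk.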
@@ -1698,7 +1720,7 @@ (niflags & NI_NODEADDR_FLAG_ANYCAST) == 0) continue; /* we need only unicast addresses */ if ((ifa6->ia6_flags & IN6_IFF_TEMPORARY) != 0 && - (icmp6_nodeinfo & 4) == 0) { + (icmp6_nodeinfo & ICMP6_NODEINFO_TMPADDROK) == 0) { continue; } addrsofif++; /* count the address */ @@ -1786,7 +1808,7 @@ (niflags & NI_NODEADDR_FLAG_ANYCAST) == 0) continue; if ((ifa6->ia6_flags & IN6_IFF_TEMPORARY) != 0 && - (icmp6_nodeinfo & 4) == 0) { + (icmp6_nodeinfo & ICMP6_NODEINFO_TMPADDROK) == 0) { continue; } ==== //depot/projects/mjexp/sys/netinet6/in6_proto.c#6 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netinet6/in6_proto.c,v 1.42 2007/05/08 20:11:36 gnn Exp $ */ +/* $FreeBSD: src/sys/netinet6/in6_proto.c,v 1.43 2007/05/17 21:20:24 jinmei Exp $ */ /* $KAME: in6_proto.c,v 1.91 2001/05/27 13:28:35 itojun Exp $ */ /*- @@ -443,7 +443,8 @@ int icmp6_rediraccept = 1; /* accept and process redirects */ int icmp6_redirtimeout = 10 * 60; /* 10 minutes */ int icmp6errppslim = 100; /* 100pps */ -int icmp6_nodeinfo = 3; /* enable/disable NI response */ +/* control how to respond to NI queries */ +int icmp6_nodeinfo = (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK); /* UDP on IP6 parameters */ int udp6_sendspace = 9216; /* really max datagram size */
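Review bot: The comment `/* control how to respond to NI queries */` on the `icmp6_nodeinfo` default does not record the security-relevant part of that default. With only `ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK` set, queries from sources other than loopback and link-local are dropped and temporary addresses are withheld. I would write it as `/* NI query policy (ICMP6_NODEINFO_* bits); GLOBALOK and TMPADDROK are off by default */`. The numeric value stays 3, so the default-deny for global sources comes entirely from the new check in icmp6.c rather than from this line.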