6in4: ingress filter multicast and link-local, but allow relay traffic

author: cinap_lenrek <cinap_lenrek@felloff.net> 2016-03-31 23:53:10 +0200
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2016-03-31 23:53:10 +0200
commit: e93f7885dad16245a4f772d4305cfc00ba5d8a44 (patch)
tree: 96cd4681c0d7fde94441bee5948f28c2dc95f737 /sys/src/cmd
parent: 137533bd69847030d716658e1772c6320f9282bb (diff)
1 files changed, 4 insertions, 9 deletions
diff --git a/sys/src/cmd/ip/6in4.c b/sys/src/cmd/ip/6in4.c
index ae591a607..7ef633fed 100644
--- a/sys/src/cmd/ip/6in4.c
+++ b/sys/src/cmd/ip/6in4.c
@@ -381,7 +381,6 @@ tunnel2ip(int in, int out)
 {
 	int n, m;
 	char buf[64*1024];
-	uchar a[IPaddrlen];
 	Ip6hdr *op;
 	Iphdr *ip;
 
@@ -419,14 +418,10 @@ tunnel2ip(int in, int out)
 		op = (Ip6hdr*)(buf + IPaddrlen + STFHDR);
 		n -= STFHDR;
 
-		/*
-		 * don't relay: just accept packets for local host/subnet
-		 * (this blocks link-local and multicast addresses as well)
-		 */
-		maskip(op->dst, localmask, a);
-		if (!equivip6(a, localnet)) {
-			syslog(0, "6in4", "ingress filtered %I -> %I; "
-				"dst not on local net", op->src, op->dst);
+		/* filter multicast and link-local, but allow relay traffic */
+		if (badipv6(op->src) || badipv6(op->dst)) {
+			syslog(0, "6in4", "ingress filtered %I -> %I; bad src/dst",
+				op->src, op->dst);
 			continue;
 		}
 		if (debug > 1)
author	cinap_lenrek <cinap_lenrek@felloff.net>	2016-03-31 23:53:10 +0200
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2016-03-31 23:53:10 +0200
commit	e93f7885dad16245a4f772d4305cfc00ba5d8a44 (patch)
tree	96cd4681c0d7fde94441bee5948f28c2dc95f737 /sys/src/cmd
parent	137533bd69847030d716658e1772c6320f9282bb (diff)