Author: ae
Date: Fri Oct 31 15:23:24 2014
New Revision: 273909
URL: https://svnweb.freebsd.org/changeset/base/273909
Log:
Remove the check for packets with broadcast source from if_gif's encapcheck.
The check was recommened in the draft-ietf-ngtrans-mech-05.txt. But it isn't
clear, should it compare the source with all direct broadcast addresses in the
system or not.
RFC 4213 says it is enough to verify that the source address is the address
of the encapsulator, as configured on the decapsulator. And this verification
can be extended by administrator with any other forms of IPv4 ingress
filtering.
Discussed with: glebius, melifaro
Sponsored by: Yandex LLC
Modified:
head/sys/netinet/in_gif.c
Modified: head/sys/netinet/in_gif.c
==============================================================================
--- head/sys/netinet/in_gif.c Fri Oct 31 15:07:51 2014 (r273908)
+++ head/sys/netinet/in_gif.c Fri Oct 31 15:23:24 2014 (r273909)
@@ -167,7 +167,6 @@ in_gif_input(struct mbuf **mp, int *offp
static int
gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
{
- struct in_ifaddr *ia4;
GIF_RLOCK_ASSERT(sc);
@@ -186,19 +185,6 @@ gif_validate4(const struct ip *ip, struc
return (0);
}
- /* reject packets with broadcast on source */
- /* XXXRW: should use hash lists? */
- IN_IFADDR_RLOCK();
- TAILQ_FOREACH(ia4, &V_in_ifaddrhead, ia_link) {
- if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0)
- continue;
- if (ip->ip_src.s_addr == ia4->ia_broadaddr.sin_addr.s_addr) {
- IN_IFADDR_RUNLOCK();
- return (0);
- }
- }
- IN_IFADDR_RUNLOCK();
-
/* ingress filters on outer source */
if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) {
struct sockaddr_in sin;
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
