|
Lines 88-93
|
| 88 |
#include <sys/module.h> |
88 |
#include <sys/module.h> |
| 89 |
#include <sys/protosw.h> |
89 |
#include <sys/protosw.h> |
| 90 |
#include <sys/queue.h> |
90 |
#include <sys/queue.h> |
|
|
91 |
#include <sys/sysctl.h> |
| 91 |
#include <machine/cpu.h> |
92 |
#include <machine/cpu.h> |
| 92 |
|
93 |
|
| 93 |
#include <sys/malloc.h> |
94 |
#include <sys/malloc.h> |
|
Lines 181-186
|
| 181 |
struct if_clone stf_cloner = IFC_CLONE_INITIALIZER(STFNAME, NULL, 0, |
182 |
struct if_clone stf_cloner = IFC_CLONE_INITIALIZER(STFNAME, NULL, 0, |
| 182 |
NULL, stf_clone_match, stf_clone_create, stf_clone_destroy); |
183 |
NULL, stf_clone_match, stf_clone_create, stf_clone_destroy); |
| 183 |
|
184 |
|
|
|
185 |
SYSCTL_DECL(_net_link); |
| 186 |
SYSCTL_NODE(_net_link, IFT_STF, stf, CTLFLAG_RW, 0, "6to4 Interface"); |
| 187 |
|
| 188 |
static int no_addr4check = 0; |
| 189 |
SYSCTL_INT(_net_link_stf, OID_AUTO, no_addr4check, CTLFLAG_RW, |
| 190 |
&no_addr4check, 0, "Skip checking outer IPv4 address"); |
| 191 |
|
| 184 |
static int |
192 |
static int |
| 185 |
stf_clone_match(struct if_clone *ifc, const char *name) |
193 |
stf_clone_match(struct if_clone *ifc, const char *name) |
| 186 |
{ |
194 |
{ |
|
Lines 334-342
|
| 334 |
* local 6to4 address. |
342 |
* local 6to4 address. |
| 335 |
* success on: dst = 10.1.1.1, ia6->ia_addr = 2002:0a01:0101:... |
343 |
* success on: dst = 10.1.1.1, ia6->ia_addr = 2002:0a01:0101:... |
| 336 |
*/ |
344 |
*/ |
| 337 |
if (bcmp(GET_V4(&ia6->ia_addr.sin6_addr), &ip.ip_dst, |
345 |
if (no_addr4check) { |
| 338 |
sizeof(ip.ip_dst)) != 0) |
346 |
struct ifnet *tif; |
| 339 |
return 0; |
347 |
|
|
|
348 |
INADDR_TO_IFP(ip.ip_dst, tif); |
| 349 |
if (!tif) |
| 350 |
return 0; |
| 351 |
} else { |
| 352 |
if (bcmp(GET_V4(&ia6->ia_addr.sin6_addr), &ip.ip_dst, |
| 353 |
sizeof(ip.ip_dst)) != 0) |
| 354 |
return 0; |
| 355 |
} |
| 340 |
|
356 |
|
| 341 |
/* |
357 |
/* |
| 342 |
* check if IPv4 src matches the IPv4 address derived from the |
358 |
* check if IPv4 src matches the IPv4 address derived from the |
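Review bot: In the Lines 334-342 hunk the no_addr4check branch accepts any locally configured IPv4 address as the outer destination (the INADDR_TO_IFP existence test on tif), which is wider than the sysctl description added in the Lines 181-186 hunk ("Skip checking outer IPv4 address") conveys; the description and a comment above the branch should say so, e.g. `/* Any local IPv4 address is accepted as outer dst (6to4 behind NAT). */`. The hash walk matches the unlocked LIST_FOREACH(INADDR_HASH()) already in the file, but if this tree requires IN_IFADDR_RLOCK() around INADDR_TO_IFP the new lookup needs it too. In the Lines 493-500 hunk the skipped bcopy leaves ip->ip_src as INADDR_ANY from the preceding bzero(), presumably so ip_output() selects the source address; that deserves a one-line comment at the `if (!no_addr4check)`. The new comment block in the Lines 678-683 hunk has two typos, "allowincoming" and "breasks". The enclosing function starts and ends outside this hunk.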
|
Lines 373-384
|
| 373 |
if (!IN6_IS_ADDR_6TO4(&sin6->sin6_addr)) |
389 |
if (!IN6_IS_ADDR_6TO4(&sin6->sin6_addr)) |
| 374 |
continue; |
390 |
continue; |
| 375 |
|
391 |
|
| 376 |
bcopy(GET_V4(&sin6->sin6_addr), &in, sizeof(in)); |
392 |
if (!no_addr4check) { |
| 377 |
LIST_FOREACH(ia4, INADDR_HASH(in.s_addr), ia_hash) |
393 |
bcopy(GET_V4(&sin6->sin6_addr), &in, sizeof(in)); |
| 378 |
if (ia4->ia_addr.sin_addr.s_addr == in.s_addr) |
394 |
LIST_FOREACH(ia4, INADDR_HASH(in.s_addr), ia_hash) |
| 379 |
break; |
395 |
if (ia4->ia_addr.sin_addr.s_addr == in.s_addr) |
| 380 |
if (ia4 == NULL) |
396 |
break; |
| 381 |
continue; |
397 |
if (ia4 == NULL) |
|
|
398 |
continue; |
| 399 |
} |
| 382 |
|
400 |
|
| 383 |
return (struct in6_ifaddr *)ia; |
401 |
return (struct in6_ifaddr *)ia; |
| 384 |
} |
402 |
} |
|
Lines 493-500
|
| 493 |
|
511 |
|
| 494 |
bzero(ip, sizeof(*ip)); |
512 |
bzero(ip, sizeof(*ip)); |
| 495 |
|
513 |
|
| 496 |
bcopy(GET_V4(&((struct sockaddr_in6 *)&ia6->ia_addr)->sin6_addr), |
514 |
if (!no_addr4check) |
| 497 |
&ip->ip_src, sizeof(ip->ip_src)); |
515 |
bcopy(GET_V4( |
|
|
516 |
&((struct sockaddr_in6 *)&ia6->ia_addr)->sin6_addr), |
| 517 |
&ip->ip_src, sizeof(ip->ip_src)); |
| 498 |
bcopy(&in4, &ip->ip_dst, sizeof(ip->ip_dst)); |
518 |
bcopy(&in4, &ip->ip_dst, sizeof(ip->ip_dst)); |
| 499 |
ip->ip_p = IPPROTO_IPV6; |
519 |
ip->ip_p = IPPROTO_IPV6; |
| 500 |
ip->ip_ttl = ip_stf_ttl; |
520 |
ip->ip_ttl = ip_stf_ttl; |
|
Lines 569-581
|
| 569 |
} |
589 |
} |
| 570 |
|
590 |
|
| 571 |
/* |
591 |
/* |
| 572 |
* reject packets with private address range. |
|
|
| 573 |
* (requirement from RFC3056 section 2 1st paragraph) |
| 574 |
*/ |
| 575 |
if (isrfc1918addr(in)) |
| 576 |
return -1; |
| 577 |
|
| 578 |
/* |
| 579 |
* reject packets with broadcast |
592 |
* reject packets with broadcast |
| 580 |
*/ |
593 |
*/ |
| 581 |
for (ia4 = TAILQ_FIRST(&in_ifaddrhead); |
594 |
for (ia4 = TAILQ_FIRST(&in_ifaddrhead); |
|
Lines 627-633
|
| 627 |
*/ |
640 |
*/ |
| 628 |
if (IN6_IS_ADDR_6TO4(in6)) { |
641 |
if (IN6_IS_ADDR_6TO4(in6)) { |
| 629 |
struct in_addr in4; |
642 |
struct in_addr in4; |
|
|
643 |
|
| 630 |
bcopy(GET_V4(in6), &in4, sizeof(in4)); |
644 |
bcopy(GET_V4(in6), &in4, sizeof(in4)); |
|
|
645 |
|
| 646 |
/* |
| 647 |
* reject packets with private address range. |
| 648 |
* (requirement from RFC3056 section 2 1st paragraph) |
| 649 |
*/ |
| 650 |
if (isrfc1918addr(&in4)) |
| 651 |
return -1; |
| 652 |
|
| 631 |
return stf_checkaddr4(sc, &in4, inifp); |
653 |
return stf_checkaddr4(sc, &in4, inifp); |
| 632 |
} |
654 |
} |
| 633 |
|
655 |
|
|
Lines 678-683
|
| 678 |
#endif |
700 |
#endif |
| 679 |
|
701 |
|
| 680 |
/* |
702 |
/* |
|
|
703 |
* Skip RFC1918 check against dest address to allowincoming |
| 704 |
* packets with private address for dest. Though it may |
| 705 |
* breasks the requirement from RFC3056 section 2 1st |
| 706 |
* paragraph, it helps for 6to4 over NAT. |
| 707 |
*/ |
| 708 |
if ((!no_addr4check && isrfc1918addr(&ip->ip_dst)) || |
| 709 |
isrfc1918addr(&ip->ip_src)) { |
| 710 |
m_freem(m); |
| 711 |
return; |
| 712 |
} |
| 713 |
|
| 714 |
/* |
| 681 |
* perform sanity check against outer src/dst. |
715 |
* perform sanity check against outer src/dst. |
| 682 |
* for source, perform ingress filter as well. |
716 |
* for source, perform ingress filter as well. |
| 683 |
*/ |
717 |
*/ |