Re: [PATCH] Do not drop DNATed 6to4/6rd packets
From: <hidden>
Date: 2013-09-23 18:36:48
On Sun, 22 Sep 2013, Joe Perches wrote:
On Sun, 2013-09-22 at 13:58 +0300, Catalin(ux) M. BOIE wrote:
From: "Catalin(ux) M. BOIE" <redacted>

When a router is doing DNAT for 6to4/6rd packets the latest anti-spoofing patch (218774dc) will drop them because the IPv6 address embedded does not match the IPv4 destination. This patch will allow them to pass by testing if we have an address that matches on 6to4/6rd interface. I have been hit by this problem using Fedora and IPV6TO4_IPV4ADDR. Also, log the dropped packets (with rate limit).

Thanks. Trivial nits which may be fixed later:
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
[]
+/* Returns true if a packet is spoofed + */

probably nicer as single line /* Returns true ... */

+static bool packet_is_spoofed(struct sk_buff *skb, + const struct iphdr *iph, + struct ip_tunnel *tunnel) +{ + const struct ipv6hdr *ipv6h = ipv6_hdr(skb); + + if (tunnel->dev->priv_flags & IFF_ISATAP) { + if (!isatap_chksrc(skb, iph, tunnel)) + return true; + + return false; + } + + if ((tunnel->dev->flags&IFF_POINTOPOINT))

It'd be nicer with spaces around the "&".

+ return false;

It'd be slightly faster code moving the ipv6_hdr(skb) assignment below these tests.
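Review bot: the unconditional `return false;` after `if ((tunnel->dev->flags&IFF_POINTOPOINT))` exempts every point-to-point sit tunnel from the spoof check entirely, and the function comment "Returns true if a packet is spoofed" should say so, since a reader auditing the anti-spoofing logic needs to know which tunnel types are not covered. In the same region, `const struct ipv6hdr *ipv6h = ipv6_hdr(skb);` is assigned before the ISATAP and point-to-point branches, neither of which uses it; moving that line below those early returns avoids the wasted header load on paths that return immediately, and the doubled parentheses in the point-to-point test can be reduced to `if (tunnel->dev->flags & IFF_POINTOPOINT)`.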
Sorry, v3 was missing the changes suggested. v4 will fix it. Sorry.

--
Catalin(ux) M. BOIE
http://kernel.embedromix.ro/
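The embedded-address rule the commit message above describes, written out as an added C example; this is not the kernel's sit.c code and not the patch under discussion. It assumes the RFC 3056 6to4 layout (2002:WWXX:YYZZ::/48 carries IPv4 W.X.Y.Z in bytes 2..5), compares the inner IPv6 destination with the outer IPv4 destination as the commit message states, and models the patch's fix as a second accepted value, the IPv4 address configured on the tunnel interface. The function and parameter names (`packet_is_spoofed_6to4`, `tun_v4`) and the sample addresses are constructed for this example; the same comparison applies to the source-address pair.

```c
/* Added example, not kernel code: a 6to4 embedded-address spoof check
 * that also accepts the address configured on the tunnel interface, so a
 * router doing DNAT on the outer IPv4 header does not cause valid 6to4
 * traffic to be dropped. Names below are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3056: a 6to4 address is 2002:WWXX:YYZZ::/48 where W.X.Y.Z is the
 * IPv4 address of the 6to4 router, carried in bytes 2..5. */
static bool is_6to4(const uint8_t v6[16])
{
    return v6[0] == 0x20 && v6[1] == 0x02;
}

static uint32_t embedded_v4(const uint8_t v6[16])
{
    return ((uint32_t)v6[2] << 24) | ((uint32_t)v6[3] << 16) |
           ((uint32_t)v6[4] << 8) | v6[5];
}

static uint32_t v4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Returns true if the decapsulated packet should be treated as spoofed:
 * the inner IPv6 destination is a 6to4 address whose embedded IPv4 matches
 * neither the outer IPv4 destination (the pre-patch rule) nor the IPv4
 * address configured on the 6to4 interface (tun_v4, 0 = none configured,
 * the relaxation the patch description asks for). Non-6to4 destinations
 * are not subject to this particular check and pass. */
static bool packet_is_spoofed_6to4(uint32_t outer_dst_v4, uint32_t tun_v4,
                                   const uint8_t inner_dst_v6[16])
{
    if (!is_6to4(inner_dst_v6))
        return false;

    uint32_t emb = embedded_v4(inner_dst_v6);
    if (emb == outer_dst_v4)
        return false;            /* normal case: no NAT in the path */
    if (tun_v4 != 0 && emb == tun_v4)
        return false;            /* DNAT case: outer dst was rewritten */
    return true;                 /* embedded address matches nothing local */
}

/* Constructed sample: the 6to4 router's public address is 198.51.100.7,
 * i.e. 2002:c633:6407::/48, and the edge router DNATs protocol 41 to an
 * internal host at 192.0.2.10. */
int main(void)
{
    const uint8_t dst[16] = {0x20, 0x02, 0xc6, 0x33, 0x64, 0x07,
                             0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    uint32_t pub = v4(198, 51, 100, 7);
    uint32_t internal = v4(192, 0, 2, 10);

    /* Old rule: outer dst (post-DNAT) != embedded (public) -> dropped */
    printf("old rule drops: %d\n", packet_is_spoofed_6to4(internal, 0, dst));
    /* New rule: tunnel configured with the public address -> accepted */
    printf("new rule drops: %d\n", packet_is_spoofed_6to4(internal, pub, dst));
    /* A packet whose embedded address matches nothing is still dropped */
    printf("spoof drops:    %d\n",
           packet_is_spoofed_6to4(internal, v4(203, 0, 113, 1), dst));
    return 0;
}
```

The relaxation only widens the accepted set by the address the operator explicitly configured on the tunnel, so a packet whose embedded IPv4 matches neither the outer destination nor that configured address is still rejected.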