Thread: 14 messages, 4 authors, 2013-09-30

Re: [PATCH] Do not drop DNATed 6to4/6rd packets (v4)

From: Joe Perches <joe@perches.com>
Date: 2013-09-23 19:11:29

On Mon, 2013-09-23 at 21:36 +0300, Catalin(ux) M. BOIE wrote:
From: "Catalin(ux) M. BOIE" <redacted>

When a router is doing DNAT for 6to4/6rd packets the latest anti-spoofing
patch (218774dc) will drop them because the IPv6 address embedded
does not match the IPv4 destination. This patch will allow them to
pass by testing if we have an address that matches on 6to4/6rd interface.
I have been hit by this problem using Fedora and IPV6TO4_IPV4ADDR.
Also, log the dropped packets (with rate limit).
A few more trivialities:

When you send revisions to patches, please put the
revision number inside the brackets like:

[PATCH V4] subject

Also, use a prefix for the patch like:

[PATCH V4] IPv6 NAT: Don't drop DNAT 6to4 or 6RD packets
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
[]
@@ -67,6 +67,10 @@ int ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
 int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr);
 #endif
 
+extern bool ipv6_chk_custom_prefix(const struct in6_addr *addr,
+				   const unsigned int prefix_len,
+				   struct net_device *dev);
+
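Review bot: the `extern` on the new ipv6_chk_custom_prefix() prototype is redundant, since a function declaration in a header already has external linkage, and the `const` on the by-value parameter `const unsigned int prefix_len` has no effect on callers; declare it as `bool ipv6_chk_custom_prefix(const struct in6_addr *addr, unsigned int prefix_len, struct net_device *dev);` to match the surrounding ipv6_chk_* declarations.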
extern isn't required.
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
[]
@@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr,
[]
+/* Returns true if a packet is spoofed */
+static bool packet_is_spoofed(struct sk_buff *skb,
+			      const struct iphdr *iph,
+			      struct ip_tunnel *tunnel)
+{
[]
+	if ((tunnel->dev->flags & IFF_POINTOPOINT))
+		return false;
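Review bot: the doubled parentheses around `tunnel->dev->flags & IFF_POINTOPOINT` are redundant (one pair suffices), and this early `return false` exempts every point-to-point tunnel from all of the spoofing checks that follow, which the function's only comment, "Returns true if a packet is spoofed", does not explain; a one-line comment stating why point-to-point tunnels need no embedded-address check would help the next reader.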
One too many parentheses

	if (tunnel->dev->flags & IFF_POINTOPOINT)
		return false;
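As an added illustration of the check the patch description talks about (written for this page, not the patch's or the kernel's code; struct v6addr, the sample addresses and the helper names are constructed), this generalises 6to4's 2002::/16 to any 6rd prefix length and shows why the strict comparison fails behind DNAT while the interface-address check lets the packet through:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for struct in6_addr: 16 raw bytes, network order. */
struct v6addr { uint8_t b[16]; };

/* IPv4 address embedded at bit offset prefix_len (16 for 6to4's 2002::/16,
 * operator-chosen for 6rd), returned in host order; 0 if 32 bits don't fit. */
static uint32_t embedded_v4(const struct v6addr *a, unsigned prefix_len)
{
	uint32_t v = 0;
	unsigned bit;
	if (prefix_len + 32 > 128)
		return 0;
	for (bit = prefix_len; bit < prefix_len + 32; bit++)
		v = (v << 1) | ((a->b[bit / 8] >> (7 - bit % 8)) & 1);
	return v;
}

/* True if the first plen bits of x and y are identical (plen <= 128). */
static int prefix_equal(const struct v6addr *x, const struct v6addr *y, unsigned plen)
{
	unsigned full = plen / 8, rem = plen % 8, i;
	if (plen > 128)
		return 0;
	for (i = 0; i < full; i++)
		if (x->b[i] != y->b[i])
			return 0;
	return !rem || !((x->b[full] ^ y->b[full]) & (0xff << (8 - rem)));
}

/* Strict rule (218774dc): the embedded IPv4 must equal the outer IPv4
 * destination; behind DNAT the outer destination is the router's private
 * address, so a legitimate packet fails. Relaxation (the patch's idea): also
 * accept the packet if the inner destination shares prefix_len+32 bits with
 * an address configured on the tunnel interface (ifaddrs, n entries). */
static int packet_is_spoofed(const struct v6addr *inner_dst, unsigned prefix_len,
			     uint32_t outer_dst, const struct v6addr *ifaddrs, size_t n)
{
	size_t i;
	if (embedded_v4(inner_dst, prefix_len) == outer_dst)
		return 0;
	for (i = 0; i < n; i++)
		if (prefix_equal(inner_dst, &ifaddrs[i], prefix_len + 32))
			return 0;
	return 1;
}

/* Constructed samples: 2002:c633:6401::1 embeds 198.51.100.1; other_dst embeds 10.0.0.1. */
static const struct v6addr sample_dst = { { 0x20, 0x02, 0xc6, 0x33, 0x64, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 } };
static const struct v6addr sample_ifaddrs[1] = { { { 0x20, 0x02, 0xc6, 0x33, 0x64, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 } } };
static const struct v6addr other_dst = { { 0x20, 0x02, 0x0a, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 } };
```

With outer destination 198.51.100.1 the packet passes the strict rule; after DNAT to 192.168.1.2 it passes only because 2002:c633:6401::1 is configured on the tunnel interface.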