diff options
| author | Colin Percival <cperciva@FreeBSD.org> | 2008-10-02 00:32:59 +0000 |
|---|---|---|
| committer | Colin Percival <cperciva@FreeBSD.org> | 2008-10-02 00:32:59 +0000 |
| commit | 3540cc7a234dc0bf527eb0569f147f420c84e8a9 (patch) | |
| tree | 1861f39b0ba9b9cbbfa2719d588afb2ff37d8fdd | |
| parent | 1b26fb611b43af830efde01f78c85490f1992115 (diff) | |
Notes
| -rw-r--r-- | sys/netinet6/in6.h | 3 | ||||
| -rw-r--r-- | sys/netinet6/in6_proto.c | 4 | ||||
| -rw-r--r-- | sys/netinet6/nd6.h | 1 | ||||
| -rw-r--r-- | sys/netinet6/nd6_nbr.c | 18 |
4 files changed, 25 insertions, 1 deletions
diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h index 569a05d146d5..21b15282bce2 100644 --- a/sys/netinet6/in6.h +++ b/sys/netinet6/in6.h @@ -575,7 +575,8 @@ struct ip6_mtuinfo { /* to define items, should talk with KAME guys first, for *BSD compatibility */ #define IPV6CTL_STEALTH 45 #define IPV6CTL_RTHDR0_ALLOWED 46 -#define IPV6CTL_MAXID 47 +#define ICMPV6CTL_ND6_ONLINKNSRFC4861 47 +#define IPV6CTL_MAXID 48 #endif /* __BSD_VISIBLE */ /* diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index 742e4b0edfac..be3daaffb524 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -354,6 +354,7 @@ DOMAIN_SET(inet6); #ifndef IPV6_SENDREDIRECTS #define IPV6_SENDREDIRECTS 1 #endif +int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */ int ip6_forwarding = IPV6FORWARDING; /* act as router? */ int ip6_sendredirects = IPV6_SENDREDIRECTS; @@ -553,3 +554,6 @@ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_MAXNUDHINT, nd6_maxnudhint, CTLFLAG_RW, &nd6_maxnudhint, 0, ""); SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG, nd6_debug, CTLFLAG_RW, &nd6_debug, 0, ""); +SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861, + nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0, + "Accept 'on-link' nd6 NS in compliance with RFC 4861."); diff --git a/sys/netinet6/nd6.h b/sys/netinet6/nd6.h index 8b932a93412f..5f9f8e9ad600 100644 --- a/sys/netinet6/nd6.h +++ b/sys/netinet6/nd6.h @@ -339,6 +339,7 @@ extern struct llinfo_nd6 llinfo_nd6; extern struct nd_drhead nd_defrouter; extern struct nd_prhead nd_prefix; extern int nd6_debug; +extern int nd6_onlink_ns_rfc4861; #define nd6log(x) do { if (nd6_debug) log x; } while (/*CONSTCOND*/ 0) diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c index d24216be4dcb..0297b5dbcb2c 100644 --- a/sys/netinet6/nd6_nbr.c +++ b/sys/netinet6/nd6_nbr.c @@ -148,6 +148,24 @@ nd6_ns_input(m, off, icmp6len) "(wrong ip6 dst)\n")); goto bad; } + } else if (!nd6_onlink_ns_rfc4861) { + struct sockaddr_in6 src_sa6; + + /* + * According to recent IETF discussions, it is not a good idea + * to accept a NS from an address which would not be deemed + * to be a neighbor otherwise. This point is expected to be + * clarified in future revisions of the specification. + */ + bzero(&src_sa6, sizeof(src_sa6)); + src_sa6.sin6_family = AF_INET6; + src_sa6.sin6_len = sizeof(src_sa6); + src_sa6.sin6_addr = saddr6; + if (!nd6_is_addr_neighbor(&src_sa6, ifp)) { + nd6log((LOG_INFO, "nd6_ns_input: " + "NS packet from non-neighbor\n")); + goto bad; + } } if (IN6_IS_ADDR_MULTICAST(&taddr6)) { |