authorZhenlei Huang <zlei.huang@gmail.com>2021-05-18 20:51:37 +0000
committerLutz Donnerhacke <donner@FreeBSD.org>2021-06-17 08:21:00 +0000
commit9d30353cb49467ba2b672673a5765588c4e857ec (patch)
treee3ccf4c08e2b1b1fec00111d9fd8c2db655efdfc
parent7438333663b4d22f6863aeffba55d6a04149e3a2 (diff)
Do not forward datagrams originated by link-local addresses
The current implementation of ip_input() rejects packets destined for 169.254.0.0/16, but not those originating from 169.254.0.0/16 link-local addresses. Fix to fully respect RFC 3927 section 2.7. PR: 255388 Reviewed by: donner, rgrimes, karels Differential Revision: https://reviews.freebsd.org/D29968 Reviewed by: rgrimes, donner, karels, marcus, emaste Differential Revision: https://reviews.freebsd.org/D30374 (cherry picked from commit 3d846e48227e2e78c1e7b35145f57353ffda56ba) (cherry picked from commit 03b0505b8fe848f33f2f38fe89dd5538908c847e)
-rw-r--r--sys/netinet/ip_input.c19
1 files changed, 12 insertions, 7 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 0f14889f355d..53978fd0fe6c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -733,14 +733,12 @@ passin:
IF_ADDR_RUNLOCK(ifp);
ia = NULL;
}
- /* RFC 3927 2.7: Do not forward datagrams for 169.254.0.0/16. */
- if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))) {
- IPSTAT_INC(ips_cantforward);
- m_freem(m);
- return;
- }
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
- if (V_ip_mrouter) {
+ /*
+ * RFC 3927 2.7: Do not forward multicast packets from
+ * IN_LINKLOCAL.
+ */
+ if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
/*
* If we are acting as a multicast router, all
* incoming multicast packets are passed to the
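Review bot: The link-local source case in the multicast branch is refused silently. The new `!IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))` term on the `V_ip_mrouter` test only bypasses the multicast-router block, while the unicast check added in the second hunk records the refusal with `IPSTAT_INC(ips_cantforward)`. An operator watching the forwarding counters would therefore see link-local-sourced unicast being refused but not multicast. What happens to the packet after the bypassed block lies outside this hunk; if it is still delivered locally, the comment should say so, for example `/* RFC 3927 2.7: never pass link-local-sourced multicast to the forwarding function; local delivery is unaffected. */`. If the asymmetry in accounting is deliberate, one more sentence in that comment explaining why would save the next reader from treating it as an oversight.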
@@ -775,6 +773,13 @@ passin:
goto ours;
if (ip->ip_dst.s_addr == INADDR_ANY)
goto ours;
+ /* RFC 3927 2.7: Do not forward packets to or from IN_LINKLOCAL. */
+ if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
+ IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
+ IPSTAT_INC(ips_cantforward);
+ m_freem(m);
+ return;
+ }
/*
* Not for us; forward if possible and desirable.