author | shin <shin@FreeBSD.org> | 2000-03-11 22:11:57 +0000 |
---|---|---|
committer | shin <shin@FreeBSD.org> | 2000-03-11 22:11:57 +0000 |
commit | 86bd670bb2031a97c59251a6734bdf46455be1a7 (patch) | |
tree | c50ba42793c404a2a53c0a88af841e8e9e5b0a8d | |
parent | e09aeb465b879b0d0ee8c14b6e3842f57549c29f (diff) | |
Disable IPv4 over IPv4 tunnel on the 6to4 interface for better security.
Approved by: jkh
-rw-r--r-- | sys/netinet/in_gif.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 9348a53..0efa40e0 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -154,7 +154,11 @@ in_gif_output(ifp, family, m, rt)
 iphdr.ip_src = sin_src->sin_addr;
 #ifdef INET6
 /* XXX: temporal stf support hack */
- if (bcmp(ifp->if_name, "stf", 3) == 0 && ip6 != NULL) {
+ if (bcmp(ifp->if_name, "stf", 3) == 0) {
+ if (ip6 == NULL) {
+ m_freem(m);
+ return ENETUNREACH;
+ }
 if (IN6_IS_ADDR_6TO4(&ip6->ip6_dst))
 iphdr.ip_dst = *GET_V4(&ip6->ip6_dst);
 else if (rt && rt->rt_gateway->sa_family == AF_INET6) {
@@ -309,6 +313,13 @@ in_gif_input(struct mbuf *m, int off, int proto)
 case IPPROTO_IPV4:
 {
 struct ip *ip;
+
+#ifdef INET6
+ if (bcmp(gifp->if_name, "stf", 3) == 0) {
+ m_freem(m);
+ return;
+ }
+#endif
 af = AF_INET;
 if (m->m_len < sizeof(*ip)) {
 m = m_pullup(m, sizeof(*ip));
 |
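Review bot: The interface test `bcmp(ifp->if_name, "stf", 3) == 0` compares only the first three bytes, so any interface whose driver name merely begins with "stf" would be treated as 6to4. With this commit the test decides whether a packet is dropped, so it is now a security decision and not just address selection. An exact comparison such as `strcmp(ifp->if_name, "stf") == 0` would be stricter, assuming if_name holds the bare driver name. The same prefix test is repeated in the in_gif_input hunk, so a small shared predicate would keep the two checks from drifting apart. The body of in_gif_output, including where ip6 is assigned, lies outside the hunk.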
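Review bot: The new drop under `case IPPROTO_IPV4` frees the mbuf and returns with no comment and no accounting, so a reader cannot tell it is deliberate policy and an operator cannot see how often protocol-4 packets arrive on a 6to4 interface. I would add a comment above the test such as `/* stf (6to4) carries IPv6 only: refuse IPv4-in-IPv4 so encapsulated IPv4 cannot enter through this interface */`. If this file already keeps a drop counter for rejected tunnel input, incrementing it here would make the refusals visible in statistics. The check dereferences gifp, which is presumably validated earlier in in_gif_input, outside the hunk; that is worth confirming.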