authorshin <shin@FreeBSD.org>2000-03-11 22:11:57 +0000
committershin <shin@FreeBSD.org>2000-03-11 22:11:57 +0000
commit86bd670bb2031a97c59251a6734bdf46455be1a7 (patch)
treec50ba42793c404a2a53c0a88af841e8e9e5b0a8d /sys/netinet/in_gif.c
parente09aeb465b879b0d0ee8c14b6e3842f57549c29f (diff)
Disable IPv4 over IPv4 tunnel on the 6to4 interface for better security.
Approved by: jkh
Diffstat (limited to 'sys/netinet/in_gif.c')
-rw-r--r--sys/netinet/in_gif.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 9348a53..0efa40e0 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -154,7 +154,11 @@ in_gif_output(ifp, family, m, rt)
iphdr.ip_src = sin_src->sin_addr;
#ifdef INET6
/* XXX: temporal stf support hack */
- if (bcmp(ifp->if_name, "stf", 3) == 0 && ip6 != NULL) {
+ if (bcmp(ifp->if_name, "stf", 3) == 0) {
+ if (ip6 == NULL) {
+ m_freem(m);
+ return ENETUNREACH;
+ }
if (IN6_IS_ADDR_6TO4(&ip6->ip6_dst))
iphdr.ip_dst = *GET_V4(&ip6->ip6_dst);
else if (rt && rt->rt_gateway->sa_family == AF_INET6) {
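Review bot: The test `bcmp(ifp->if_name, "stf", 3) == 0` that now gates the drop compares only the first three bytes, so any interface whose name merely begins with "stf" is treated as 6to4, and a 6to4 interface under a different name is not covered. This commit makes that comparison a security decision, both here and in the `in_gif_input` hunk, so an exact match is safer; if `if_name` is a NUL-terminated driver name, `if (strcmp(ifp->if_name, "stf") == 0) {` would do. The new `ip6 == NULL` branch would also benefit from a comment such as `/* stf carries IPv6 only: refuse IPv4-in-IPv4 */`, since the existing "temporal stf support hack" remark does not explain the rejection. The body of in_gif_output starts and ends outside the hunk.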
@@ -309,6 +313,13 @@ in_gif_input(struct mbuf *m, int off, int proto)
case IPPROTO_IPV4:
{
struct ip *ip;
+
+#ifdef INET6
+ if (bcmp(gifp->if_name, "stf", 3) == 0) {
+ m_freem(m);
+ return;
+ }
+#endif
af = AF_INET;
if (m->m_len < sizeof(*ip)) {
m = m_pullup(m, sizeof(*ip));
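Review bot: The new stf check in the `IPPROTO_IPV4` case frees the mbuf and returns without counting or logging the drop, so IPv4-in-IPv4 packets sent to a 6to4 endpoint disappear with nothing for an operator to observe. Incrementing an existing input-drop statistic just before `m_freem(m);` would make such traffic visible in the interface or protocol counters; which counter fits is not shown in the hunk. The check also dereferences `gifp`, which is presumably validated earlier in in_gif_input, outside the visible lines, and that should be confirmed. A one-line comment above the test, for example `/* stf accepts IPv6 payloads only */`, would record the intent.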