- Disabled responding to NI queries from a global address by default as

  specified in RFC4620.  A new flag for icmp6_nodeinfo was added to enable the
  feature.
- Also cleaned up the code so that the semantics of the icmp6_nodeinfo
  flags are clearer (i.e., defined specific macro names instead of using
  hard-coded values).
commit 6f49cf62832ad5eec5c86aca66353fe2d2396e43 1 parent 3857a73
jinmei authored
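--- a/kame/sys/netinet/icmp6.h
+++ b/kame/sys/netinet/icmp6.h
@@ -1,4 +1,4 @@
-/* $KAME: icmp6.h,v 1.105 2006/08/29 02:00:19 suz Exp $ */
+/* $KAME: icmp6.h,v 1.106 2007/05/17 18:27:40 jinmei Exp $ */
 /*
 * Copyright (c) 2002 INRIA. All rights reserved.
@@ -1001,6 +1001,11 @@ do { \
 extern int icmp6_rediraccept; /* accept/process redirects */
 extern int icmp6_redirtimeout; /* cache time for redirect routes */
+
+#define ICMP6_NODEINFO_FQDNOK 0x1
+#define ICMP6_NODEINFO_NODEADDROK 0x2
+#define ICMP6_NODEINFO_TMPADDROK 0x4
+#define ICMP6_NODEINFO_GLOBALOK 0x8
 #endif /* _KERNEL */
 #endif /* !__APPLE__ || (__APPLE__ && KERNEL_PRIVATE) */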
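Review bot: The four new ICMP6_NODEINFO_* flags carry no comment saying what each bit permits, even though the default in in6_proto.c and the refusal checks in ni6_input are now read through these names. A trailing comment on each would do, e.g. `#define ICMP6_NODEINFO_FQDNOK 0x1 /* answer FQDN queries */`, `#define ICMP6_NODEINFO_NODEADDROK 0x2 /* answer node-address (and IPv4-address) queries */`, `#define ICMP6_NODEINFO_TMPADDROK 0x4 /* include/answer for temporary addresses */`. The comment on GLOBALOK matters most, since it is the bit that relaxes the refuse-by-default handling of global-scope sources this commit introduces: `#define ICMP6_NODEINFO_GLOBALOK 0x8 /* also answer queries from global-scope sources; off by default */`.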
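--- a/kame/sys/netinet6/icmp6.c
+++ b/kame/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $KAME: icmp6.c,v 1.420 2007/01/16 11:06:23 itojun Exp $ */
+/* $KAME: icmp6.c,v 1.421 2007/05/17 18:27:40 jinmei Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -889,6 +889,10 @@ icmp6_input(mp, offp, proto)
 u_char *p;
 int maxlen, maxhlen;
+ /*
+ * XXX: this combination of flags is pointless,
+ * but should we keep this for compatibility?
+ */
 if ((icmp6_nodeinfo & 5) != 5)
 break;
@@ -1470,12 +1474,30 @@ ni6_input(m, off)
 #endif
 /*
+ * Validate IPv6 source address.
+ * The default configuration MUST be to refuse answering queries from
+ * global-scope addresses according to RFC4602.
+ * Notes:
+ * - it's not very clear what "refuse" means; this implementation
+ * simply drops it.
+ * - it's not very easy to identify global-scope (unicast) addresses
+ * since there are many prefixes for them. It should be safer
+ * and in practice sufficient to check "all" but loopback and
+ * link-local (note that site-local unicast was deprecated and
+ * ULA is defined as global scope-wise)
+ */
+ if ((icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
+ !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
+ !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
+ goto bad;
+
+ /*
 * Validate IPv6 destination address.
 *
 * The Responder must discard the Query without further processing
 * unless it is one of the Responder's unicast or anycast addresses, or
 * a link-local scope multicast address which the Responder has joined.
- * [icmp-name-lookups-08, Section 4.]
+ * [RFC4602, Section 5.]
 */
 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
 if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst))
@@ -1486,7 +1508,7 @@ ni6_input(m, off)
 goto bad; /* XXX impossible */
 if ((ia6->ia6_flags & IN6_IFF_TEMPORARY) &&
- !(icmp6_nodeinfo & 4)) {
+ !(icmp6_nodeinfo & ICMP6_NODEINFO_TMPADDROK)) {
 nd6log((LOG_DEBUG, "ni6_input: ignore node info to "
 "a temporary address in %s:%d",
 __FILE__, __LINE__));
@@ -1601,12 +1623,12 @@ ni6_input(m, off)
 /* refuse based on configuration. XXX ICMP6_NI_REFUSED? */
 switch (qtype) {
 case NI_QTYPE_FQDN:
- if ((icmp6_nodeinfo & 1) == 0)
+ if ((icmp6_nodeinfo & ICMP6_NODEINFO_FQDNOK) == 0)
 goto bad;
 break;
 case NI_QTYPE_NODEADDR:
 case NI_QTYPE_IPV4ADDR:
- if ((icmp6_nodeinfo & 2) == 0)
+ if ((icmp6_nodeinfo & ICMP6_NODEINFO_NODEADDROK) == 0)
 goto bad;
 break;
 }
@@ -2011,7 +2033,7 @@ ni6_addrs(ni6, m, ifpp, subj)
 (niflags & NI_NODEADDR_FLAG_ANYCAST) == 0)
 continue; /* we need only unicast addresses */
 if ((ifa6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
- (icmp6_nodeinfo & 4) == 0) {
+ (icmp6_nodeinfo & ICMP6_NODEINFO_TMPADDROK) == 0) {
 continue;
 }
 addrsofif++; /* count the address */
@@ -2098,7 +2120,7 @@ ni6_store_addrs(ni6, nni6, ifp0, resid)
 (niflags & NI_NODEADDR_FLAG_ANYCAST) == 0)
 continue;
 if ((ifa6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
- (icmp6_nodeinfo & 4) == 0) {
+ (icmp6_nodeinfo & ICMP6_NODEINFO_TMPADDROK) == 0) {
 continue;
 }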
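Review bot: The new source-address comment in ni6_input cites RFC4602, and the rewritten destination-address reference reads `[RFC4602, Section 5.]`, while the commit message cites RFC4620; RFC 4620 is the IPv6 Node Information Queries specification, so both comment lines should say `RFC4620`. The new source-address check drops the query silently with `goto bad`, whereas the temporary-address refusal a few lines below logs through nd6log; adding `nd6log((LOG_DEBUG, "ni6_input: ignore node info from a global source address in %s:%d", __FILE__, __LINE__));` before the goto keeps the two refusal paths consistent and gives operators a signal when queries from global-scope sources are being dropped. The icmp6_input hunk still compares `(icmp6_nodeinfo & 5) != 5` with a raw constant and only adds an XXX comment; given the commit's stated aim of removing hard-coded values, `(icmp6_nodeinfo & (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_TMPADDROK))` against the same mask would make the questioned combination visible by name. Both icmp6_input and ni6_input start and end outside these hunks.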
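--- a/kame/sys/netinet6/in6_proto.c
+++ b/kame/sys/netinet6/in6_proto.c
@@ -1,4 +1,4 @@
-/* $KAME: in6_proto.c,v 1.164 2007/05/08 12:05:12 itojun Exp $ */
+/* $KAME: in6_proto.c,v 1.165 2007/05/17 18:27:41 jinmei Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
@@ -633,7 +633,8 @@ u_long rip6_recvspace = RIPV6RCVQ;
 int icmp6_rediraccept = 1; /* accept and process redirects */
 int icmp6_redirtimeout = 10 * 60; /* 10 minutes */
 int icmp6errppslim = 100; /* 100pps */
-int icmp6_nodeinfo = 3; /* enable/disable NI response */
+/* control how to respond to NI queries */
+int icmp6_nodeinfo = (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);
 /* UDP on IP6 parameters */
 int udp6_sendspace = 9216; /* really max datagram size */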
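Review bot: The new comment `/* control how to respond to NI queries */` does not say that ICMP6_NODEINFO_GLOBALOK is deliberately left out of the default, which is the behavioral change of this commit and the thing a maintainer editing this initializer is most likely to get wrong later. Suggest `/* control how to respond to NI queries; GLOBALOK is intentionally off by default (RFC4620) */`, and consider also noting that ICMP6_NODEINFO_TMPADDROK remains off so the value preserves the previous default of 3.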