From 470dcde534eb71dc0f09c9867e6f3ace04c126ed Mon Sep 17 00:00:00 2001 From: jmc Date: Thu, 6 Apr 2017 17:36:00 +0000 Subject: [PATCH] shuffle for a saner read; help/ok bluhm --- share/man/man4/inet6.4 | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/share/man/man4/inet6.4 b/share/man/man4/inet6.4 index cc128855084..23d9773a9d8 100644 --- a/share/man/man4/inet6.4 +++ b/share/man/man4/inet6.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: inet6.4,v 1.39 2017/03/27 17:02:15 jmc Exp $ +.\" $OpenBSD: inet6.4,v 1.40 2017/04/06 17:36:00 jmc Exp $ .\" $KAME: inet6.4,v 1.19 2000/11/24 10:13:18 itojun Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2017 $ +.Dd $Mdocdate: April 6 2017 $ .Dt INET6 4 .Os .Sh NAME @@ -74,24 +74,6 @@ A raw interface to IPv6 is available by creating an Internet socket of type .Dv SOCK_RAW . The ICMPv6 message protocol is accessible from a raw socket. .Pp -For security reasons, -.Ox -does not route IPv4 traffic to an -.Dv AF_INET6 -socket, -and does not support IPv4 mapped addresses, -where IPv4 traffic is seen as if it comes from an IPv6 address like -.Li ::ffff:10.1.1.1 . -Where both IPv4 and IPv6 traffic need to be accepted, listen on two sockets. -.Pp -It is also advisable to explicitly reject all packets to your network -not used by any of your interface prefixes. -Otherwise packets that have a destination address belonging to your network -may be routed back to your provider via the default route. -Set a reject route for your assigned prefix: -.Pp -.Dl # route add -net 2001:db8::/48 ::1 -reject -.Pp IPv6 addresses are 128-bit quantities, stored in network standard byteorder. The include file 
@@ -123,6 +105,17 @@ to effect .Dq wildcard matching on incoming messages. .Pp +For security reasons, +.Ox +does not route IPv4 traffic to an +.Dv AF_INET6 +socket, +and does not support IPv4 mapped addresses, +where IPv4 traffic is seen as if it comes from an IPv6 address like +.Li ::ffff:10.1.1.1 . +Where both IPv4 and IPv6 traffic need to be accepted, +bind and listen on two sockets. +.Pp Global addresses utilise the first 48 bits of the address for the routing prefix. The next 16 bits designate the subnet, @@ -210,3 +203,11 @@ HOWEVER, users should never use the embedded form. .Re .Sh HISTORY The implementation described herein appeared in WIDE/KAME project. +.Sh CAVEATS +It is advisable to explicitly reject all packets to your network +not used by any of your interface prefixes. +Otherwise packets that have a destination address belonging to your network +may be routed back to your provider via the default route. +Set a reject route for your assigned prefix: +.Pp +.Dl # route add -net 2001:db8::/48 ::1 -reject -- 2.20.1
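Review bot: The paragraph re-added in the hunk at @@ -123,6 +105,17 @@ still opens with "For security reasons," and never says what the reason is. A reader cannot tell which risk the absence of IPv4 mapped address support is meant to avoid. Consider adding a clause that names the concern, or a pointer to where it is explained. The change from "listen on two sockets" to "bind and listen on two sockets" is an improvement. Since the same paragraph says IPv4 traffic is not routed to an AF_INET6 socket, it could also state that one socket is needed per address family.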
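Review bot: The first sentence of the new CAVEATS section (hunk at @@ -210,3 +203,11 @@) is ambiguous. In "reject all packets to your network not used by any of your interface prefixes", the phrase "not used" can attach to either the packets or the network. Suggest wording along the lines of "reject packets addressed to parts of your assigned prefix that are not covered by any interface prefix", which also ties in better with the following sentence about packets being routed back to the provider via the default route. The .Dl line uses 2001:db8::/48 while the text says "your assigned prefix". A short remark that the prefix shown is a placeholder to be replaced would keep the literal command from being copied as is.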