From 769273cb91bc014417cd360611feb803a8b01a52 Mon Sep 17 00:00:00 2001 From: mpi Date: Thu, 14 Jul 2016 14:39:12 +0000 Subject: [PATCH] Drop received packets with an IPv4-compatible address as source or destination as per RFC4213. We're not in 1999 anymore, what was earlier a "stronger check than RFC1933" is now a best practice. This matches the behavior of the reject (R) routes added by default by netstart(8). ok jca@, florian@, claudio@, bluhm@ --- sys/netinet6/ip6_input.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 8f326efb413..92077dbd458 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.162 2016/07/06 15:50:00 mpi Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.163 2016/07/14 14:39:12 mpi Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -299,20 +299,17 @@ ip6_input(struct mbuf *m) ip6stat.ip6s_badscope++; goto bad; } -#if 0 + /* * Reject packets with IPv4 compatible addresses (auto tunnel). * - * The code forbids auto tunnel relay case in RFC1933 (the check is - * stronger than RFC1933). We may want to re-enable it if mech-xx - * is revised to forbid relaying case. + * The code forbids automatic tunneling as per RFC4213. */ if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { ip6stat.ip6s_badscope++; goto bad; } -#endif /* * If the packet has been received on a loopback interface it -- 2.20.1
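Review bot: In the ip6_input() hunk, the newly enabled IN6_IS_ADDR_V4COMPAT drop increments ip6stat.ip6s_badscope, the same counter the preceding check bumps right before its own goto bad, so drops of IPv4-compatible addresses cannot be told apart from other bad-scope drops in the statistics. Consider a dedicated counter, or say in the comment that these drops are counted as bad scope on purpose. The check also now runs ahead of the loopback-interface handling that follows it, so it is worth stating in the comment that IN6_IS_ADDR_V4COMPAT is not expected to match :: or ::1.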