From 2e9df64fa30ac6ff19285ed58579961bf44f2898 Mon Sep 17 00:00:00 2001
From: itojun
Date: Sun, 14 May 2000 03:44:02 +0000
Subject: [PATCH] sync IPv4 rogue address filter with RFC1122. (sync with kame)
---
 share/man/man4/stf.4 | 15 +++++++++------
 sys/net/if_stf.c | 34 ++++++++++++++++++++++++++++------
 2 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/share/man/man4/stf.4 b/share/man/man4/stf.4
index c97d21e5a918..78b352d0fa66 100644
--- a/share/man/man4/stf.4
+++ b/share/man/man4/stf.4
@@ -1,5 +1,5 @@
-.\" $NetBSD: stf.4,v 1.2 2000/05/02 04:05:25 itojun Exp $
-.\" $KAME: stf.4,v 1.20 2000/05/02 03:59:44 itojun Exp $
+.\" $NetBSD: stf.4,v 1.3 2000/05/14 03:44:03 itojun Exp $
+.\" $KAME: stf.4,v 1.21 2000/05/13 23:15:28 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -125,14 +125,17 @@ interface filters out the following packets.
 Note that the checks are no way complete:
 .Bl -bullet
 .It
+Packets with IPv4 unspecified addrss as outer IPv4 source/destination
+.Pq Li 0.0.0.0/8
+.It
+Packets with loopback address as outer IPv4 source/destination
+.Pq Li 127.0.0.0/8
+.It
 Packets with IPv4 multicast address as outer IPv4 source/destination
 .Pq Li 224.0.0.0/4
 .It
-Packets with IPv4 unspecified addrss as outer IPv4 source/destination
-.Pq Li 0.0.0.0/32
-.It
 Packets with limited broadcast address as outer IPv4 source/destination
-.Pq Li 255.255.255.255/32
+.Pq Li 255.0.0.0/8
 .It
 Packets with subnet broadcast address as outer IPv4 source/destination.
 The check is made against subnet broadcast addresses for
diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c
index 9698e922005a..3028a8736cc0 100644
--- a/sys/net/if_stf.c
+++ b/sys/net/if_stf.c
@@ -1,5 +1,5 @@
-/* $NetBSD: if_stf.c,v 1.2 2000/04/21 02:40:53 itojun Exp $ */
-/* $KAME: if_stf.c,v 1.32 2000/04/21 02:39:43 itojun Exp $ */
+/* $NetBSD: if_stf.c,v 1.3 2000/05/14 03:44:02 itojun Exp $ */
+/* $KAME: if_stf.c,v 1.37 2000/05/05 11:00:55 sumikawa Exp $ */
 /*
  * Copyright (C) 2000 WIDE Project.
@@ -72,7 +72,11 @@
  * Note that there is no way to be 100% secure.
  */
-#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || defined(__NetBSD__)
+#if defined(__FreeBSD__) && __FreeBSD__ >= 3
+#include "opt_inet.h"
+#include "opt_inet6.h"
+#endif
+#ifdef __NetBSD__
 #include "opt_inet.h"
 #endif
@@ -119,7 +123,12 @@
 #include
+#if defined(__FreeBSD__) && __FreeBSD__ >= 4
+#include "bpf.h"
+#define NBPFILTER NBPF
+#else
 #include "bpfilter.h"
+#endif
 #include "stf.h"
 #include "gif.h" /*XXX*/
@@ -227,6 +236,9 @@ stfattach(dummy)
 	sc->sc_if.if_ioctl = stf_ioctl;
 	sc->sc_if.if_output = stf_output;
 	sc->sc_if.if_type = IFT_STF;
+#if defined(__FreeBSD__) && __FreeBSD__ >= 4
+	sc->sc_if.if_snd.ifq_maxlen = IFQ_MAXLEN;
+#endif
 	if_attach(&sc->sc_if);
 #if NBPFILTER > 0
 #ifdef HAVE_OLD_BPF
@@ -334,6 +346,10 @@ stf_getsrcifa6(ifp)
 	for (ia4 = in_ifaddr.tqh_first; ia4; ia4 = ia4->ia_list.tqe_next)
+#elif defined(__FreeBSD__) && __FreeBSD__ >= 3
+	for (ia4 = TAILQ_FIRST(&in_ifaddrhead);
+	     ia4;
+	     ia4 = TAILQ_NEXT(ia4, ia_link))
 #else
 	for (ia4 = in_ifaddr; ia4 != NULL; ia4 = ia4->ia_next)
 #endif
@@ -449,10 +465,12 @@ stf_checkaddr4(in, ifp)
 	/*
 	 * reject packets with the following address:
-	 * 224.0.0.0/4 0.0.0.0/32 255.255.255.255/32
+	 * 224.0.0.0/4 0.0.0.0/8 127.0.0.0/8 255.0.0.0/8
 	 */
-	if (IN_MULTICAST(in->s_addr) || in->s_addr == INADDR_ANY ||
-	    in->s_addr == INADDR_BROADCAST) {
+	if (IN_MULTICAST(in->s_addr))
+		return -1;
+	switch ((ntohl(in->s_addr) & 0xff000000) >> 24) {
+	case 0: case 127: case 255:
 		return -1;
 	}
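Review bot: The FreeBSD loop head added in the stf_getsrcifa6 hunk at @@ -334, `for (ia4 = TAILQ_FIRST(&in_ifaddrhead); ia4; ia4 = TAILQ_NEXT(ia4, ia_link))`, is repeated verbatim in the stf_checkaddr4 hunk at @@ -461, so the per-platform `#if`/`#elif`/`#else` ladder now exists in two copies that must be kept in step by hand. If the target FreeBSD's sys/queue.h provides TAILQ_FOREACH, the three lines collapse to `TAILQ_FOREACH(ia4, &in_ifaddrhead, ia_link)`; otherwise a single file-local macro wrapping the platform-specific loop head would let both sites share one definition. Both enclosing functions start and end outside their hunks, so the loop bodies that consume ia4 are not visible here.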
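Review bot: In the stf_checkaddr4 hunk at @@ -449 the new switch converts with ntohl() before extracting the first octet, but the added `if (IN_MULTICAST(in->s_addr))` on the line above still hands the raw network-order s_addr to the macro; if IN_MULTICAST is the usual host-order test from netinet/in.h, the check inspects the wrong byte on little-endian hosts and 224.0.0.0/4 outer addresses are not rejected as the comment promises. The fix is one line, `if (IN_MULTICAST(ntohl(in->s_addr)))`, matching the byte order the switch already uses. The switch also has no default arm; a `default: break;` would make it explicit that every other first octet is accepted here. stf_checkaddr4 starts before the hunk and its remaining checks continue after it.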
@@ -461,6 +479,10 @@ stf_checkaddr4(in, ifp)
 	 */
 #if defined(__OpenBSD__) || defined(__NetBSD__)
 	for (ia4 = in_ifaddr.tqh_first; ia4; ia4 = ia4->ia_list.tqe_next)
+#elif defined(__FreeBSD__) && __FreeBSD__ >= 3
+	for (ia4 = TAILQ_FIRST(&in_ifaddrhead);
+	     ia4;
+	     ia4 = TAILQ_NEXT(ia4, ia_link))
 #else
 	for (ia4 = in_ifaddr; ia4 != NULL; ia4 = ia4->ia_next)
 #endif