drop multi destination mode (IFF_LINK0).
This commit is contained in:
parent
b38e85279e
commit
498fdebcd7
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: gif.4,v 1.15 2001/02/20 12:55:24 itojun Exp $
|
||||
.\" $NetBSD: gif.4,v 1.16 2001/05/14 13:35:20 itojun Exp $
|
||||
.\" $KAME: gif.4,v 1.24 2001/02/20 12:54:01 itojun Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -78,79 +78,9 @@ Finally, use routing table to route the packets toward
|
|||
interface.
|
||||
.Pp
|
||||
.Nm
|
||||
interface can be configued to perform bidirectional tunnel, or
|
||||
multi-destination tunnel.
|
||||
This is controlled by
|
||||
.Dv IFF_LINK0
|
||||
interface flag.
|
||||
Also,
|
||||
.Nm
|
||||
can be configured to be ECN friendly.
|
||||
This can be configured by
|
||||
.Dv IFF_LINK1 .
|
||||
.\"
|
||||
.Ss Bidirectional and multi-destination mode
|
||||
Usually,
|
||||
.Nm
|
||||
implements bidirectional tunnel.
|
||||
.Xr ifconfig 8
|
||||
should configure a tunnel ingress point
|
||||
.Pq this node
|
||||
and an egress point
|
||||
.Pq tunnel endpoint ,
|
||||
and
|
||||
one
|
||||
.Nm
|
||||
interface will tunnel to only a single tunnel endpoint,
|
||||
and accept from only a single tunnel endpoint.
|
||||
Source and destination address for outer IP header is always the
|
||||
ingress and the egress point configued by
|
||||
.Xr ifconfig 8 .
|
||||
.Pp
|
||||
With
|
||||
.Dv IFF_LINK0
|
||||
interface flag,
|
||||
.Nm
|
||||
can be configured to implement multi-destination tunnel.
|
||||
With
|
||||
.Dv IFF_LINK0 ,
|
||||
it is able to configure egress point to IPv4 wildcard address
|
||||
.Pq Nm 0.0.0.0
|
||||
or IPv6 unspecified address
|
||||
.Pq Nm 0::0 .
|
||||
In this case, destination address for the outer IP header is
|
||||
determined based on the routing table setup.
|
||||
Therefore, one
|
||||
.Nm
|
||||
interface can tunnel to multiple destinations.
|
||||
Also,
|
||||
.Nm
|
||||
will accept tunneled traffic from any outer source address.
|
||||
.Pp
|
||||
When finding a
|
||||
.Nm gif
|
||||
interface from the inbound tunneled traffic,
|
||||
bidirectional mode interface is preferred than multi-destination mode interface.
|
||||
For example, if you have the following three
|
||||
.Nm
|
||||
interfaces on node A, tunneled traffic from C to A will match the second
|
||||
.Nm
|
||||
interface, not the third one.
|
||||
.Bl -bullet -compact -offset indent
|
||||
.It
|
||||
bidirectional, A to B
|
||||
.It
|
||||
bidirectional, A to C
|
||||
.It
|
||||
multi-destination, A to any
|
||||
.El
|
||||
.Pp
|
||||
Please note that multi-destination mode is far less secure
|
||||
than bidirectional mode.
|
||||
Multi-destination mode
|
||||
.Nm
|
||||
can accept tunneled packet from anybody,
|
||||
and can be attacked from a malicious node.
|
||||
.Pp
|
||||
.Ss ECN friendly behavior
|
||||
.Nm
|
||||
|
@ -217,10 +147,6 @@ You may want to secure your node by using packet filters.
|
|||
Ingress filter can be turned off by
|
||||
.Dv IFF_LINK2
|
||||
bit.
|
||||
.Pp
|
||||
As mentioned above, multi-destination mode
|
||||
.Pq Dv IFF_LINK0
|
||||
is far less secure than bidirectional mode.
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr inet 4 ,
|
||||
|
@ -270,7 +196,9 @@ and your node will generate packets with a spoofed source address.
|
|||
If the outer protocol is IPv6, path MTU discovery for encapsulated packet
|
||||
may affect communication over the interface.
|
||||
.Pp
|
||||
.Xr gif 4
|
||||
is an
|
||||
.Dv IFF_POINTOPOINT
|
||||
device, however, it supports NBMA behavior in multi-destination mode.
|
||||
In the past,
|
||||
.Nm
|
||||
had a multi-destination behavior, configurable via
|
||||
.Dv IFF_LINK0
|
||||
flag.
|
||||
The behavior was obsoleted and is no longer supported.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: in_gif.c,v 1.20 2001/05/10 01:37:42 itojun Exp $ */
|
||||
/* $NetBSD: in_gif.c,v 1.21 2001/05/14 13:35:21 itojun Exp $ */
|
||||
/* $KAME: in_gif.c,v 1.53 2001/05/03 14:51:48 itojun Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -150,29 +150,12 @@ in_gif_output(ifp, family, m, rt)
|
|||
|
||||
bzero(&iphdr, sizeof(iphdr));
|
||||
iphdr.ip_src = sin_src->sin_addr;
|
||||
if (ifp->if_flags & IFF_LINK0) {
|
||||
/* multi-destination mode */
|
||||
if (sin_dst->sin_addr.s_addr != INADDR_ANY)
|
||||
iphdr.ip_dst = sin_dst->sin_addr;
|
||||
else if (rt) {
|
||||
if (family != AF_INET) {
|
||||
m_freem(m);
|
||||
return EINVAL; /*XXX*/
|
||||
}
|
||||
iphdr.ip_dst = ((struct sockaddr_in *)
|
||||
(rt->rt_gateway))->sin_addr;
|
||||
} else {
|
||||
m_freem(m);
|
||||
return ENETUNREACH;
|
||||
}
|
||||
} else {
|
||||
/* bidirectional configured tunnel mode */
|
||||
if (sin_dst->sin_addr.s_addr != INADDR_ANY)
|
||||
iphdr.ip_dst = sin_dst->sin_addr;
|
||||
else {
|
||||
m_freem(m);
|
||||
return ENETUNREACH;
|
||||
}
|
||||
/* bidirectional configured tunnel mode */
|
||||
if (sin_dst->sin_addr.s_addr != INADDR_ANY)
|
||||
iphdr.ip_dst = sin_dst->sin_addr;
|
||||
else {
|
||||
m_freem(m);
|
||||
return ENETUNREACH;
|
||||
}
|
||||
iphdr.ip_p = proto;
|
||||
/* version will be set in ip_output() */
|
||||
|
@ -350,10 +333,6 @@ gif_encapcheck4(m, off, proto, arg)
|
|||
addrmatch |= 1;
|
||||
if (dst->sin_addr.s_addr == ip.ip_src.s_addr)
|
||||
addrmatch |= 2;
|
||||
else if ((sc->gif_if.if_flags & IFF_LINK0) != 0 &&
|
||||
dst->sin_addr.s_addr == INADDR_ANY) {
|
||||
addrmatch |= 2; /* we accept any source */
|
||||
}
|
||||
if (addrmatch != 3)
|
||||
return 0;
|
||||
|
||||
|
@ -397,6 +376,5 @@ gif_encapcheck4(m, off, proto, arg)
|
|||
rtfree(rt);
|
||||
}
|
||||
|
||||
/* prioritize: IFF_LINK0 mode is less preferred */
|
||||
return (sc->gif_if.if_flags & IFF_LINK0) ? 32 : 32 * 2;
|
||||
return 32 * 2;
|
||||
}
|
||||
|
|
|
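Review bot: After the in_gif_output() hunk the `rt` argument appears to be dead, and `family` too, since the only visible uses of both (`rt->rt_gateway` and the `family != AF_INET` check) were inside the deleted IFF_LINK0 branch; the function's signature and the earlier part of its body lie outside the hunk, so confirm against the callers before dropping or `(void)`-marking them. In the last hunk, gif_encapcheck4() now returns the bare constant `32 * 2` and the comment that explained it as an encapsulation-match priority is deleted with the ternary; keeping a one-line comment such as `/* match priority: both outer src and dst matched (presumably 2 x 32-bit address width) */` would preserve why that value is returned. The same two points apply to in6_gif.c (in6_gif_output() and gif_encapcheck6(), which now returns `128 * 2`). Dropping the `IFF_LINK0 && INADDR_ANY` wildcard-source match in gif_encapcheck4() is the security-relevant part of the change: an interface that still has IFF_LINK0 set from an old configuration now simply fails the source match instead of accepting traffic from any outer address, which is the safe direction, and the new man-page text documents the flag as obsoleted.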
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: in6_gif.c,v 1.19 2001/05/10 01:37:42 itojun Exp $ */
|
||||
/* $NetBSD: in6_gif.c,v 1.20 2001/05/14 13:35:21 itojun Exp $ */
|
||||
/* $KAME: in6_gif.c,v 1.48 2001/05/03 14:51:48 itojun Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -150,28 +150,12 @@ in6_gif_output(ifp, family, m, rt)
|
|||
ip6->ip6_nxt = proto;
|
||||
ip6->ip6_hlim = ip6_gif_hlim;
|
||||
ip6->ip6_src = sin6_src->sin6_addr;
|
||||
if (ifp->if_flags & IFF_LINK0) {
|
||||
/* multi-destination mode */
|
||||
if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr))
|
||||
ip6->ip6_dst = sin6_dst->sin6_addr;
|
||||
else if (rt) {
|
||||
if (family != AF_INET6) {
|
||||
m_freem(m);
|
||||
return EINVAL; /*XXX*/
|
||||
}
|
||||
ip6->ip6_dst = ((struct sockaddr_in6 *)(rt->rt_gateway))->sin6_addr;
|
||||
} else {
|
||||
m_freem(m);
|
||||
return ENETUNREACH;
|
||||
}
|
||||
} else {
|
||||
/* bidirectional configured tunnel mode */
|
||||
if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr))
|
||||
ip6->ip6_dst = sin6_dst->sin6_addr;
|
||||
else {
|
||||
m_freem(m);
|
||||
return ENETUNREACH;
|
||||
}
|
||||
/* bidirectional configured tunnel mode */
|
||||
if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr))
|
||||
ip6->ip6_dst = sin6_dst->sin6_addr;
|
||||
else {
|
||||
m_freem(m);
|
||||
return ENETUNREACH;
|
||||
}
|
||||
if (ifp->if_flags & IFF_LINK1)
|
||||
ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
|
||||
|
@ -333,10 +317,6 @@ gif_encapcheck6(m, off, proto, arg)
|
|||
addrmatch |= 1;
|
||||
if (IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6.ip6_src))
|
||||
addrmatch |= 2;
|
||||
else if ((sc->gif_if.if_flags & IFF_LINK0) != 0 &&
|
||||
IN6_IS_ADDR_UNSPECIFIED(&dst->sin6_addr)) {
|
||||
addrmatch |= 2; /* we accept any source */
|
||||
}
|
||||
if (addrmatch != 3)
|
||||
return 0;
|
||||
|
||||
|
@ -367,6 +347,5 @@ gif_encapcheck6(m, off, proto, arg)
|
|||
rtfree(rt);
|
||||
}
|
||||
|
||||
/* prioritize: IFF_LINK0 mode is less preferred */
|
||||
return (sc->gif_if.if_flags & IFF_LINK0) ? 128 : 128 * 2;
|
||||
return 128 * 2;
|
||||
}
|
||||
|
|