pull in deprecated address handling from KAME sys/netinet6/tcp6_input.c.
This commit is contained in:
parent
43fe370014
commit
f00291d88b
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: tcp_input.c,v 1.150 2002/08/14 00:23:33 itojun Exp $ */
|
||||
/* $NetBSD: tcp_input.c,v 1.151 2002/08/19 02:13:46 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -152,7 +152,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.150 2002/08/14 00:23:33 itojun Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.151 2002/08/19 02:13:46 itojun Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
@ -1385,6 +1385,50 @@ findpcb:
|
|||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* If deprecated address is forbidden, we do
|
||||
* not accept SYN to deprecated interface
|
||||
* address to prevent any new inbound
|
||||
* connection from getting established.
|
||||
* When we do not accept SYN, we send a TCP RST,
|
||||
* with deprecated source address (instead
|
||||
* of dropping it). We compromise it as it is
|
||||
* much better for peer to send a RST, and RST
|
||||
* will be the final packet for the exchange.
|
||||
*
|
||||
* If we do not forbid deprecated addresses,
|
||||
* we accept the SYN packet. RFC2462 does not
|
||||
* suggest dropping SYN in this case. If we
|
||||
* decipher RFC2462 5.5.4, it says like this:
|
||||
* 1. use of deprecated addr with existing
|
||||
* communication is okay - "SHOULD continue
|
||||
* to be used"
|
||||
* 2. use of it with new communication:
|
||||
* (2a) "SHOULD NOT be used if alternate
|
||||
* address with sufficient scope is
|
||||
* available"
|
||||
* (2b) nothing mentioned otherwise.
|
||||
* Here we fall into (2b) case as we have no
|
||||
* choice in our source address selection -
|
||||
* we must obey the peer.
|
||||
*
|
||||
* The wording in RFC2462 is confusing, and
|
||||
* there are multiple description text for
|
||||
* deprecated address handling - worse, they
|
||||
* are not exactly the same. I believe
|
||||
* 5.5.4 is the best one, so we follow 5.5.4.
|
||||
*/
|
||||
if (!ip6_use_deprecated) {
|
||||
struct in6_ifaddr *ia6;
|
||||
|
||||
if ((ia6 = in6ifa_ifpwithaddr(m->m_pkthdr.rcvif,
|
||||
&ip6->ip6_dst)) &&
|
||||
(ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
|
||||
tp = NULL;
|
||||
goto dropwithreset;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* SYN looks ok; create compressed TCP
|
||||
* state for it.
|
||||
|
|
Loading…
Reference in New Issue