pull in deprecated address handling from KAME sys/netinet6/tcp6_input.c.

2002-08-19 02:13:46 +00:00 · 2002-08-19 02:13:46 +00:00 · f00291d88b
parent 43fe370014
commit f00291d88b
1 changed files with 46 additions and 2 deletions
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.150 2002/08/14 00:23:33 itojun Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.151 2002/08/19 02:13:46 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -152,7 +152,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.150 2002/08/14 00:23:33 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.151 2002/08/19 02:13:46 itojun Exp $");

 #include "opt_inet.h"
 #include "opt_ipsec.h"
@ -1385,6 +1385,50 @@ findpcb:
 					}
 				}

+				/*
+				 * If deprecated address is forbidden, we do
+				 * not accept SYN to deprecated interface
+				 * address to prevent any new inbound
+				 * connection from getting established.
+				 * When we do not accept SYN, we send a TCP RST,
+				 * with deprecated source address (instead
+				 * of dropping it).  We compromise it as it is
+				 * much better for peer to send a RST, and RST
+				 * will be the final packet for the exchange.
+				 *
+				 * If we do not forbid deprecated addresses,
+				 * we accept the SYN packet.  RFC2462 does not
+				 * suggest dropping SYN in this case.  If we
+				 * decipher RFC2462 5.5.4, it says like this:
+				 * 1. use of deprecated addr with existing
+				 *    communication is okay - "SHOULD continue
+				 *    to be used"
+				 * 2. use of it with new communication:
+				 *   (2a) "SHOULD NOT be used if alternate
+				 *        address with sufficient scope is
+				 *        available"
+				 *   (2b) nothing mentioned otherwise. 
+				 * Here we fall into (2b) case as we have no
+				 * choice in our source address selection -
+				 * we must obey the peer.
+				 *
+				 * The wording in RFC2462 is confusing, and
+				 * there are multiple description text for
+				 * deprecated address handling - worse, they
+				 * are not exactly the same.  I believe
+				 * 5.5.4 is the best one, so we follow 5.5.4.
+				 */
+				if (!ip6_use_deprecated) {
+					struct in6_ifaddr *ia6;
+
+					if ((ia6 = in6ifa_ifpwithaddr(m->m_pkthdr.rcvif,
+					    &ip6->ip6_dst)) &&
+					    (ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
+						tp = NULL;
+						goto dropwithreset;
+					}
+				}
+
 				/*
 				 * SYN looks ok; create compressed TCP
 				 * state for it.