From d9394b0d87169ef7aa7796344af421c757bc3749 Mon Sep 17 00:00:00 2001
From: cinap_lenrek <cinap_lenrek@gmx.de>
Date: Thu, 11 Oct 2012 13:21:30 +0200
Subject: [PATCH] 6in4: fix exit status, less strict src filtering, logging
 (import from sources)

---
 sys/src/cmd/ip/6in4.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/sys/src/cmd/ip/6in4.c b/sys/src/cmd/ip/6in4.c
index 44e1636e8..f27c25a04 100644
--- a/sys/src/cmd/ip/6in4.c
+++ b/sys/src/cmd/ip/6in4.c
@@ -160,7 +160,7 @@ setup(int *v6net, int *tunp)
 	char buf[128], path[64];
 
 	/*
-	 * gain access to IPv6-in-IPv4 packets
+	 * gain access to IPv6-in-IPv4 packets via ipmux
 	 */
 	p = seprint(buf, buf + sizeof buf, "%s/ipmux!proto=%2.2x|%2.2x;dst=%V",
 		net, IP_IPV6PROTO, IP_ICMPV6PROTO, myip + IPv4off);
@@ -269,6 +269,7 @@ main(int argc, char **argv)
 	procargs(argc, argv);
 	setup(&v6net, &tunnel);
 	runtunnel(v6net, tunnel);
+	exits(0);
 }
 
 /*
@@ -317,6 +318,7 @@ ip2tunnel(int in, int out)
 	op = (Iphdr*)buf;
 	op->vihl = IP_VER4 | 5;		/* hdr is 5 longs? */
 	memcpy(op->src, myip + IPv4off, sizeof op->src);
+	op->proto = IP_IPV6PROTO;	/* inner protocol */
 	op->ttl = 100;
 
 	/* get a V6 packet destined for the tunnel */
@@ -334,16 +336,20 @@ ip2tunnel(int in, int out)
 			n = m;
 
 		/* drop if v6 source or destination address is naughty */
-		if (badipv6(ip->src) ||
-		    (!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
-			syslog(0, "6in4", "egress filtered %I -> %I",
+		if (badipv6(ip->src)) {
+			syslog(0, "6in4", "egress filtered %I -> %I; bad src",
 				ip->src, ip->dst);
 			continue;
 		}
+		if ((!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
+			syslog(0, "6in4", "egress filtered %I -> %I; "
+				"bad dst not remote", ip->src, ip->dst);
+			continue;
+		}
 
-		op->proto = ip->proto;
 		if (debug > 1)
 			fprint(2, "v6 to tunnel %I -> %I\n", ip->src, ip->dst);
+
 		/* send 6to4 packets directly to ipv4 target */
 		if ((ip->dst[0]<<8 | ip->dst[1]) == V6to4pfx)
 			memcpy(op->dst, ip->dst+2, sizeof op->dst);
@@ -389,8 +395,12 @@ tunnel2ip(int in, int out)
 
 		/* if not IPv4 nor IPv4 protocol IPv6 nor ICMPv6, drop it */
 		if ((ip->vihl & 0xF0) != IP_VER4 ||
-		    ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO)
+		    ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO) {
+			syslog(0, "6in4",
+				"dropping pkt from tunnel with inner proto %d",
+				ip->proto);
 			continue;
+		}
 
 		/* check length: drop if too short, trim if too long */
 		m = nhgets(ip->length);
@@ -408,8 +418,8 @@ tunnel2ip(int in, int out)
 		 */
 		maskip(op->dst, localmask, a);
 		if (!equivip6(a, localnet)) {
-			syslog(0, "6in4", "ingress filtered %I -> %I",
-				op->src, op->dst);
+			syslog(0, "6in4", "ingress filtered %I -> %I; "
+				"dst not on local net", op->src, op->dst);
 			continue;
 		}
 		if (debug > 1)