6in4: fix exit status, less strict src filtering, logging (import from sources)
This commit is contained in:
parent
73e7e47d5b
commit
d9394b0d87
|
@ -160,7 +160,7 @@ setup(int *v6net, int *tunp)
|
||||||
char buf[128], path[64];
|
char buf[128], path[64];
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* gain access to IPv6-in-IPv4 packets
|
* gain access to IPv6-in-IPv4 packets via ipmux
|
||||||
*/
|
*/
|
||||||
p = seprint(buf, buf + sizeof buf, "%s/ipmux!proto=%2.2x|%2.2x;dst=%V",
|
p = seprint(buf, buf + sizeof buf, "%s/ipmux!proto=%2.2x|%2.2x;dst=%V",
|
||||||
net, IP_IPV6PROTO, IP_ICMPV6PROTO, myip + IPv4off);
|
net, IP_IPV6PROTO, IP_ICMPV6PROTO, myip + IPv4off);
|
||||||
|
@ -269,6 +269,7 @@ main(int argc, char **argv)
|
||||||
procargs(argc, argv);
|
procargs(argc, argv);
|
||||||
setup(&v6net, &tunnel);
|
setup(&v6net, &tunnel);
|
||||||
runtunnel(v6net, tunnel);
|
runtunnel(v6net, tunnel);
|
||||||
|
exits(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -317,6 +318,7 @@ ip2tunnel(int in, int out)
|
||||||
op = (Iphdr*)buf;
|
op = (Iphdr*)buf;
|
||||||
op->vihl = IP_VER4 | 5; /* hdr is 5 longs? */
|
op->vihl = IP_VER4 | 5; /* hdr is 5 longs? */
|
||||||
memcpy(op->src, myip + IPv4off, sizeof op->src);
|
memcpy(op->src, myip + IPv4off, sizeof op->src);
|
||||||
|
op->proto = IP_IPV6PROTO; /* inner protocol */
|
||||||
op->ttl = 100;
|
op->ttl = 100;
|
||||||
|
|
||||||
/* get a V6 packet destined for the tunnel */
|
/* get a V6 packet destined for the tunnel */
|
||||||
|
@ -334,16 +336,20 @@ ip2tunnel(int in, int out)
|
||||||
n = m;
|
n = m;
|
||||||
|
|
||||||
/* drop if v6 source or destination address is naughty */
|
/* drop if v6 source or destination address is naughty */
|
||||||
if (badipv6(ip->src) ||
|
if (badipv6(ip->src)) {
|
||||||
(!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
|
syslog(0, "6in4", "egress filtered %I -> %I; bad src",
|
||||||
syslog(0, "6in4", "egress filtered %I -> %I",
|
|
||||||
ip->src, ip->dst);
|
ip->src, ip->dst);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
if ((!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
|
||||||
|
syslog(0, "6in4", "egress filtered %I -> %I; "
|
||||||
|
"bad dst not remote", ip->src, ip->dst);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
op->proto = ip->proto;
|
|
||||||
if (debug > 1)
|
if (debug > 1)
|
||||||
fprint(2, "v6 to tunnel %I -> %I\n", ip->src, ip->dst);
|
fprint(2, "v6 to tunnel %I -> %I\n", ip->src, ip->dst);
|
||||||
|
|
||||||
/* send 6to4 packets directly to ipv4 target */
|
/* send 6to4 packets directly to ipv4 target */
|
||||||
if ((ip->dst[0]<<8 | ip->dst[1]) == V6to4pfx)
|
if ((ip->dst[0]<<8 | ip->dst[1]) == V6to4pfx)
|
||||||
memcpy(op->dst, ip->dst+2, sizeof op->dst);
|
memcpy(op->dst, ip->dst+2, sizeof op->dst);
|
||||||
|
@ -389,8 +395,12 @@ tunnel2ip(int in, int out)
|
||||||
|
|
||||||
/* if not IPv4 nor IPv4 protocol IPv6 nor ICMPv6, drop it */
|
/* if not IPv4 nor IPv4 protocol IPv6 nor ICMPv6, drop it */
|
||||||
if ((ip->vihl & 0xF0) != IP_VER4 ||
|
if ((ip->vihl & 0xF0) != IP_VER4 ||
|
||||||
ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO)
|
ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO) {
|
||||||
|
syslog(0, "6in4",
|
||||||
|
"dropping pkt from tunnel with inner proto %d",
|
||||||
|
ip->proto);
|
||||||
continue;
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
/* check length: drop if too short, trim if too long */
|
/* check length: drop if too short, trim if too long */
|
||||||
m = nhgets(ip->length);
|
m = nhgets(ip->length);
|
||||||
|
@ -408,8 +418,8 @@ tunnel2ip(int in, int out)
|
||||||
*/
|
*/
|
||||||
maskip(op->dst, localmask, a);
|
maskip(op->dst, localmask, a);
|
||||||
if (!equivip6(a, localnet)) {
|
if (!equivip6(a, localnet)) {
|
||||||
syslog(0, "6in4", "ingress filtered %I -> %I",
|
syslog(0, "6in4", "ingress filtered %I -> %I; "
|
||||||
op->src, op->dst);
|
"dst not on local net", op->src, op->dst);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (debug > 1)
|
if (debug > 1)
|
||||||
|
|
Loading…
Reference in a new issue