lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1379963485.3575.53.camel@joe-AO722>
Date:	Mon, 23 Sep 2013 12:11:25 -0700
From:	Joe Perches <joe@...ches.com>
To:	"Catalin(ux) M. BOIE" <catab@...edromix.ro>
Cc:	netdev@...r.kernel.org, hannes@...essinduktion.org,
	yoshfuji@...ux-ipv6.org, davem@...emloft.net
Subject: Re: [PATCH] Do not drop DNATed 6to4/6rd packets (v4)

On Mon, 2013-09-23 at 21:36 +0300, Catalin(ux) M. BOIE wrote:
> From: "Catalin(ux) M. BOIE" <catab@...edromix.ro>
> 
> When a router is doing  DNAT for 6to4/6rd packets the latest anti-spoofing
> patch (218774dc) will drop them because the IPv6 address embedded
> does not match the IPv4 destination. This patch will allow them to
> pass by testing if we have an address that matches on 6to4/6rd interface.
> I have been hit by this problem using Fedora and IPV6TO4_IPV4ADDR.
> Also, log the dropped packets (with rate limit).

A few more trivialities:

When you send revisions to patches, please put the
revision number inside the brackets like:

[PATCH V4] subject

Also, use a prefix for the patch like:

[PATCH V4] IPv6 NAT: Don't drop DNAT 6to4 or 6RD packets

> diff --git a/include/net/addrconf.h b/include/net/addrconf.h
[]
> @@ -67,6 +67,10 @@ int ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
>  int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr);
>  #endif
>  
> +extern bool ipv6_chk_custom_prefix(const struct in6_addr *addr,
> +				   const unsigned int prefix_len,
> +				   struct net_device *dev);
> +

extern isn't required.

> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
[]
> @@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr,
[]
> +/* Returns true if a packet is spoofed */
> +static bool packet_is_spoofed(struct sk_buff *skb,
> +			      const struct iphdr *iph,
> +			      struct ip_tunnel *tunnel)
> +{
[]
> +	if ((tunnel->dev->flags & IFF_POINTOPOINT))
> +		return false;

One too many parentheses

	if (tunnel->dev->flags & IFF_POINTTOPOINT)
		return false;


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ