3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
86 lines
3.2 KiB
Diff
86 lines
3.2 KiB
Diff
Index: sys/netinet6/in6.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/sys/netinet6/in6.h,v
|
|
retrieving revision 1.36.2.9
|
|
diff -u -p -r1.36.2.9 in6.h
|
|
--- sys/netinet6/in6.h 1 Sep 2008 22:57:56 -0000 1.36.2.9
|
|
+++ sys/netinet6/in6.h 28 Sep 2008 21:27:09 -0000
|
|
@@ -575,7 +575,8 @@ struct ip6_mtuinfo {
|
|
/* to define items, should talk with KAME guys first, for *BSD compatibility */
|
|
#define IPV6CTL_STEALTH 45
|
|
#define IPV6CTL_RTHDR0_ALLOWED 46
|
|
-#define IPV6CTL_MAXID 47
|
|
+#define ICMPV6CTL_ND6_ONLINKNSRFC4861 47
|
|
+#define IPV6CTL_MAXID 48
|
|
#endif /* __BSD_VISIBLE */
|
|
|
|
/*
|
|
Index: sys/netinet6/in6_proto.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/sys/netinet6/in6_proto.c,v
|
|
retrieving revision 1.32.2.9
|
|
diff -u -p -r1.32.2.9 in6_proto.c
|
|
--- sys/netinet6/in6_proto.c 1 Sep 2008 22:57:56 -0000 1.32.2.9
|
|
+++ sys/netinet6/in6_proto.c 28 Sep 2008 21:26:24 -0000
|
|
@@ -354,6 +354,7 @@ DOMAIN_SET(inet6);
|
|
#ifndef IPV6_SENDREDIRECTS
|
|
#define IPV6_SENDREDIRECTS 1
|
|
#endif
|
|
+int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
|
|
|
|
int ip6_forwarding = IPV6FORWARDING; /* act as router? */
|
|
int ip6_sendredirects = IPV6_SENDREDIRECTS;
|
|
@@ -553,3 +554,6 @@ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_N
|
|
nd6_maxnudhint, CTLFLAG_RW, &nd6_maxnudhint, 0, "");
|
|
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
|
|
nd6_debug, CTLFLAG_RW, &nd6_debug, 0, "");
|
|
+SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
|
|
+ nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0,
|
|
+ "Accept 'on-link' nd6 NS in compliance with RFC 4861.");
|
|
Index: sys/netinet6/nd6.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/sys/netinet6/nd6.h,v
|
|
retrieving revision 1.19.2.3
|
|
diff -u -p -r1.19.2.3 nd6.h
|
|
--- sys/netinet6/nd6.h 1 Sep 2008 22:57:56 -0000 1.19.2.3
|
|
+++ sys/netinet6/nd6.h 28 Sep 2008 21:26:24 -0000
|
|
@@ -339,6 +339,7 @@ extern struct llinfo_nd6 llinfo_nd6;
|
|
extern struct nd_drhead nd_defrouter;
|
|
extern struct nd_prhead nd_prefix;
|
|
extern int nd6_debug;
|
|
+extern int nd6_onlink_ns_rfc4861;
|
|
|
|
#define nd6log(x) do { if (nd6_debug) log x; } while (/*CONSTCOND*/ 0)
|
|
|
|
Index: sys/netinet6/nd6_nbr.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/sys/netinet6/nd6_nbr.c,v
|
|
retrieving revision 1.29.2.10
|
|
diff -u -p -r1.29.2.10 nd6_nbr.c
|
|
--- sys/netinet6/nd6_nbr.c 1 Sep 2008 22:57:56 -0000 1.29.2.10
|
|
+++ sys/netinet6/nd6_nbr.c 28 Sep 2008 21:26:24 -0000
|
|
@@ -148,6 +148,24 @@ nd6_ns_input(m, off, icmp6len)
|
|
"(wrong ip6 dst)\n"));
|
|
goto bad;
|
|
}
|
|
+ } else if (!nd6_onlink_ns_rfc4861) {
|
|
+ struct sockaddr_in6 src_sa6;
|
|
+
|
|
+ /*
|
|
+ * According to recent IETF discussions, it is not a good idea
|
|
+ * to accept a NS from an address which would not be deemed
|
|
+ * to be a neighbor otherwise. This point is expected to be
|
|
+ * clarified in future revisions of the specification.
|
|
+ */
|
|
+ bzero(&src_sa6, sizeof(src_sa6));
|
|
+ src_sa6.sin6_family = AF_INET6;
|
|
+ src_sa6.sin6_len = sizeof(src_sa6);
|
|
+ src_sa6.sin6_addr = saddr6;
|
|
+ if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
|
|
+ nd6log((LOG_INFO, "nd6_ns_input: "
|
|
+ "NS packet from non-neighbor\n"));
|
|
+ goto bad;
|
|
+ }
|
|
}
|
|
|
|
if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
|