Source-Changes-HG archive
[src/trunk]: src/sys/net/npf Fix the "return-rst" rule on IPv6 packets.
details: https://anonhg.NetBSD.org/src/rev/bd1b039b9915
branches: trunk
changeset: 360504:bd1b039b9915
user: maxv <maxv%NetBSD.org@localhost>
date: Wed Mar 14 09:32:04 2018 +0000
description:
Fix the "return-rst" rule on IPv6 packets.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.
Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.
Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.
Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).
diffstat:
sys/net/npf/npf_sendpkt.c | 23 +++++++++++++++++++++--
1 files changed, 21 insertions(+), 2 deletions(-)
diffs (56 lines):
diff -r 77dbae73d43d -r bd1b039b9915 sys/net/npf/npf_sendpkt.c
--- a/sys/net/npf/npf_sendpkt.c Wed Mar 14 09:09:46 2018 +0000
+++ b/sys/net/npf/npf_sendpkt.c Wed Mar 14 09:32:04 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_sendpkt.c,v 1.16 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_sendpkt.c,v 1.17 2018/03/14 09:32:04 maxv Exp $ */
/*-
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.16 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.17 2018/03/14 09:32:04 maxv Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -49,6 +49,7 @@
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#include <netinet6/ip6_var.h>
+#include <netinet6/scope6_var.h>
#include <sys/mbuf.h>
#endif
@@ -175,11 +176,29 @@
sizeof(struct tcphdr));
}
+ /* Handle IPv6 scopes */
+ if (npf_iscached(npc, NPC_IP6)) {
+ const struct ifnet *rcvif = npc->npc_nbuf->nb_ifp;
+
+ if (in6_clearscope(&ip6->ip6_src) ||
+ in6_clearscope(&ip6->ip6_dst)) {
+ goto bad;
+ }
+ if (in6_setscope(&ip6->ip6_src, rcvif, NULL) ||
+ in6_setscope(&ip6->ip6_dst, rcvif, NULL)) {
+ goto bad;
+ }
+ }
+
/* Pass to IP layer. */
if (npf_iscached(npc, NPC_IP4)) {
return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
}
return ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);
+
+bad:
+ m_freem(m);
+ return EINVAL;
}
/*
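Review bot: in the added "Handle IPv6 scopes" block, rcvif is read from npc->npc_nbuf->nb_ifp and passed to in6_setscope() for both ip6_src and ip6_dst with no check that it is non-NULL; either assert it (for example KASSERT(rcvif != NULL)) or take the bad path when it is NULL. The bad: label also returns a fixed EINVAL, so whatever in6_setscope() returned is lost; keeping that value in a local and returning it would make failures easier to diagnose. The one-line comment could also record why the scopes have to be set here, as the commit message does: pfil_run_hooks runs in ip6_input before the kernel initializes the scopes, and ip6_output needs them.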