Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/etc/rc.d correct reject route installations for IPv6. impro...
details: https://anonhg.NetBSD.org/src/rev/cc0e75fb2004
branches: trunk
changeset: 483763:cc0e75fb2004
user: itojun <itojun%NetBSD.org@localhost>
date: Fri Mar 17 17:41:01 2000 +0000
description:
correct reject route installations for IPv6. improve comments.
diffstat:
etc/rc.d/network | 41 +++++++++++++++++++++++++++++++++++------
1 files changed, 35 insertions(+), 6 deletions(-)
diffs (69 lines):
diff -r f0258604f752 -r cc0e75fb2004 etc/rc.d/network
--- a/etc/rc.d/network Fri Mar 17 17:35:20 2000 +0000
+++ b/etc/rc.d/network Fri Mar 17 17:41:01 2000 +0000
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: network,v 1.3 2000/03/12 04:21:26 itojun Exp $
+# $NetBSD: network,v 1.4 2000/03/17 17:41:01 itojun Exp $
#
# PROVIDE: network
@@ -186,23 +186,52 @@
if ifconfig lo0 inet6 >/dev/null 2>&1; then
# We have IPv6 support in kernel.
- # disallow scoped unicast dest without outgoing scope
+ # disallow link-local unicast dest without outgoing scope
# identifiers.
#
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
- route add -inet6 fc80:: -prefixlen 10 ::1 -reject
+
+ # disallow site-local unicast dest without outgoing scope
+ # identifiers.
+ # If you configure site-locals without scope id (it is
+ # permissible config for routers that are not on scope
+ # boundary), you may want to comment the following one out.
+ #
+ route add -inet6 fec0:: -prefixlen 10 ::1 -reject
# disallow "internal" addresses to appear on the wire.
#
route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
- route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
+
+ # disallow packets to malicious IPv4 compatible prefix
+ #
+ route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
+ route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
+ route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
+ route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject
# disallow packets to malicious 6to4 prefix
#
route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
- route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject
- route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject
+ route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
+ route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
+
+ # Completely disallow packets to IPv4 compatible prefix.
+ # This may conflict with RFC1933 under following circumstances:
+ # (1) An IPv6-only KAME node tries to originate packets to IPv4
+ # comatible destination. The KAME node has no IPv4
+ # compatible support. Under RFC1933, it should transmit
+ # native IPv6 packets toward IPv4 compatible destination,
+ # hoping it would reach a router that forwards the packet
+ # toward auto-tunnel interface.
+ # (2) An IPv6-only node originates a packet to IPv4 compatible
+ # destination. A KAME node is acting as an IPv6 router, and
+ # asked to forward it.
+ # Due to rare use of IPv4 compatible address, and security
+ # issues with it, we disable it by default.
+ #
+ route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
sysctl -w net.inet6.ip6.forwarding=0 >/dev/null
sysctl -w net.inet6.ip6.accept_rtadv=0 >/dev/null
Home |
Main Index |
Thread Index |
Old Index