shithub: riscv

Download patch

ref: d9394b0d87169ef7aa7796344af421c757bc3749
parent: 73e7e47d5ba6cb44b159fb0f2cf201b362b6b1b0
author: cinap_lenrek <[email protected]>
date: Thu Oct 11 09:21:30 EDT 2012 

6in4: fix exit status, less strict src filtering, logging (import from sources)


--- a/sys/src/cmd/ip/6in4.c
+++ b/sys/src/cmd/ip/6in4.c
@@ -160,7 +160,7 @@
 	char buf[128], path[64];
 
 	/*
-	 * gain access to IPv6-in-IPv4 packets
+	 * gain access to IPv6-in-IPv4 packets via ipmux
 	 */
 	p = seprint(buf, buf + sizeof buf, "%s/ipmux!proto=%2.2x|%2.2x;dst=%V",
 		net, IP_IPV6PROTO, IP_ICMPV6PROTO, myip + IPv4off);
@@ -269,6 +269,7 @@
 	procargs(argc, argv);
 	setup(&v6net, &tunnel);
 	runtunnel(v6net, tunnel);
+	exits(0);
 }
 
 /*
@@ -317,6 +318,7 @@
 	op = (Iphdr*)buf;
 	op->vihl = IP_VER4 | 5;		/* hdr is 5 longs? */
 	memcpy(op->src, myip + IPv4off, sizeof op->src);
+	op->proto = IP_IPV6PROTO;	/* inner protocol */
 	op->ttl = 100;
 
 	/* get a V6 packet destined for the tunnel */
@@ -334,16 +336,20 @@
 			n = m;
 
 		/* drop if v6 source or destination address is naughty */
-		if (badipv6(ip->src) ||
-		    (!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
-			syslog(0, "6in4", "egress filtered %I -> %I",
+		if (badipv6(ip->src)) {
+			syslog(0, "6in4", "egress filtered %I -> %I; bad src",
 				ip->src, ip->dst);
 			continue;
 		}
+		if ((!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
+			syslog(0, "6in4", "egress filtered %I -> %I; "
+				"bad dst not remote", ip->src, ip->dst);
+			continue;
+		}
 
-		op->proto = ip->proto;
 		if (debug > 1)
 			fprint(2, "v6 to tunnel %I -> %I\n", ip->src, ip->dst);
+
 		/* send 6to4 packets directly to ipv4 target */
 		if ((ip->dst[0]<<8 | ip->dst[1]) == V6to4pfx)
 			memcpy(op->dst, ip->dst+2, sizeof op->dst);
@@ -389,8 +395,12 @@
 
 		/* if not IPv4 nor IPv4 protocol IPv6 nor ICMPv6, drop it */
 		if ((ip->vihl & 0xF0) != IP_VER4 ||
-		    ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO)
+		    ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO) {
+			syslog(0, "6in4",
+				"dropping pkt from tunnel with inner proto %d",
+				ip->proto);
 			continue;
+		}
 
 		/* check length: drop if too short, trim if too long */
 		m = nhgets(ip->length);
@@ -408,8 +418,8 @@
 		 */
 		maskip(op->dst, localmask, a);
 		if (!equivip6(a, localnet)) {
-			syslog(0, "6in4", "ingress filtered %I -> %I",
-				op->src, op->dst);
+			syslog(0, "6in4", "ingress filtered %I -> %I; "
+				"dst not on local net", op->src, op->dst);
 			continue;
 		}
 		if (debug > 1)