diff options
| author |   niklas <niklas@openbsd.org> | 1999-05-16 22:31:40 +0000 |
|---|---|---|
| committer | niklas <niklas@openbsd.org> | 1999-05-16 22:31:40 +0000 |
| commit | 08ab4a7448cd16ef527f1e916de4a1528e3802fb (patch) | |
| tree | 89ecac261f489148f336afd2627d63de13796bd1 | |
| parent | More special targets documentation. (diff) | |
| download | wireguard-openbsd-08ab4a7448cd16ef527f1e916de4a1528e3802fb.tar.xz wireguard-openbsd-08ab4a7448cd16ef527f1e916de4a1528e3802fb.zip | |
Don't judge locally generated tunnel packets as spoof attempts. indent.
| -rw-r--r-- | sys/netinet/ip_ip4.c | 58 |
1 files changed, 32 insertions, 26 deletions
diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c index d7b20313d7c..cf27a0f5b5b 100644 --- a/sys/netinet/ip_ip4.c +++ b/sys/netinet/ip_ip4.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ip4.c,v 1.30 1999/05/12 23:18:35 niklas Exp $ */ +/* $OpenBSD: ip_ip4.c,v 1.31 1999/05/16 22:31:40 niklas Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -84,9 +84,10 @@ /* * We can control the acceptance of IP4 packets by altering the sysctl - * net.inet.ip4.allow value. Zero means drop them, all ilse is acceptance. + * net.inet.ip4.allow value. Zero means drop them, all else is acceptance. */ int ip4_allow = 0; + struct ip4stat ip4stat; /* @@ -186,40 +187,45 @@ ip4_input(m, va_alist) return; } - /* - * If we do not accept IP4 other than part of ESP & AH, we should - * not accept a packet with double ip4 headers neither. - */ + /* + * If we do not accept IP4 other than part of ESP & AH, we should + * not accept a packet with double ip4 headers neither. + */ - if (!ip4_allow && ipi->ip_p == IPPROTO_IPIP) - { + if (!ip4_allow && ipi->ip_p == IPPROTO_IPIP) + { DPRINTF(("ip4_input(): dropped due to policy\n")); ip4stat.ip4s_pdrops++; m_freem(m); return; - } - + } + /* - * Check for local address spoofing. + * Check remote packets for local address spoofing. */ - for (ifp = ifnet.tqh_first; ifp != 0; ifp = ifp->if_list.tqe_next) - for (ifa = ifp->if_addrlist.tqh_first; - ifa != 0; - ifa = ifa->ifa_list.tqe_next) - { - if (ifa->ifa_addr->sa_family != AF_INET) - continue; - - sin = (struct sockaddr_in *) ifa->ifa_addr; - if (sin->sin_addr.s_addr == ipi->ip_src.s_addr) + if (m->m_pkthdr.rcvif == NULL || + !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) + { + for (ifp = ifnet.tqh_first; ifp != 0; ifp = ifp->if_list.tqe_next) + for (ifa = ifp->if_addrlist.tqh_first; + ifa != 0; + ifa = ifa->ifa_list.tqe_next) { - DPRINTF(("ip_input(): possible local address spoofing detected on packet from %s to %s (%s->%s)\n", inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst), inet_ntoa4(ipi->ip_src), inet_ntoa4(ipi->ip_dst))); - ip4stat.ip4s_spoof++; - m_freem(m); - return; + if (ifa->ifa_addr->sa_family != AF_INET) + continue; + + sin = (struct sockaddr_in *) ifa->ifa_addr; + + if (sin->sin_addr.s_addr == ipi->ip_src.s_addr) + { + DPRINTF(("ip_input(): possible local address spoofing detected on packet from %s to %s (%s->%s)\n", inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst), inet_ntoa4(ipi->ip_src), inet_ntoa4(ipi->ip_dst))); + ip4stat.ip4s_spoof++; + m_freem(m); + return; + } } - } + } /* Statistics */ ip4stat.ip4s_ibytes += ntohs(ipi->ip_len); |