author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2001-03-03 01:00:21 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2001-03-03 01:00:21 +0000 |
commit | 8871a2d76744799efa054ac8b5c6ba4edecde215 (patch) | |
tree | 6373ce0a99b9f149c0b4aa7ae4ba6530a7222a96 | |
parent | 2adae9b95a5ad1232a10535efdefd334d0302462 (diff) |
drop packets with 127.0.0.0/8 in header field, if the packet is from outside.
under the RFC 1122 sender rule, 127.0.0.0/8 must not appear on the wire.
count incidents by ipstat.ips_badaddr. sync with kame
-rw-r--r-- | sys/netinet/ip_input.c | 12 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 3 | ||||
-rw-r--r-- | usr.bin/netstat/inet.c | 5 |
3 files changed, 16 insertions, 4 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index f6474023c70..ad21ded43b5 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.61 2000/12/03 19:56:20 angelos Exp $ */
+/* $OpenBSD: ip_input.c,v 1.62 2001/03/03 01:00:19 itojun Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 
 /*
@@ -372,6 +372,16 @@ ipv4_input(struct mbuf *m, ...)
 }
 ip = mtod(m, struct ip *);
 }
+
+ /* 127/8 must not appear on wire - RFC1122 */
+ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+ (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+ if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
+ ipstat.ips_badaddr++;
+ goto bad;
+ }
+ }
+
 if ((ip->ip_sum = in_cksum(m, hlen)) != 0) {
 ipstat.ips_badsum++;
 goto bad;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index cb39663c35d..4d005563a2b 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_var.h,v 1.14 2000/09/18 22:06:38 provos Exp $ */
+/* $OpenBSD: ip_var.h,v 1.15 2001/03/03 01:00:19 itojun Exp $ */
 /* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */
 
 /*
@@ -146,6 +146,7 @@ struct ipstat {
 u_long ips_rcvmemdrop; /* frags dropped for lack of memory */
 u_long ips_toolong; /* ip length > max ip packet size */
 u_long ips_nogif; /* no match gif found */
+ u_long ips_badaddr; /* invalid address on header */
 };
 
 #ifdef _KERNEL
diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c
index 687ec34429a..d0518807d7d 100644
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: inet.c,v 1.48 2000/06/30 20:04:01 itojun Exp $ */
+/* $OpenBSD: inet.c,v 1.49 2001/03/03 01:00:20 itojun Exp $ */
 /* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */
 
 /*
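Review bot: The new guard in the ipv4_input hunk dereferences `m->m_pkthdr.rcvif` unconditionally, so an mbuf that reaches this point with no receiving interface set and 127/8 in either address field would fault in the kernel instead of being dropped; whether any injection or re-queue path delivers such an mbuf here is not visible from the hunk, but the fail-closed form costs nothing: `if (m->m_pkthdr.rcvif == NULL || (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {`. Treating a missing interface as "not loopback" preserves the intent, since only an interface flagged IFF_LOOPBACK may legitimately deliver 127/8. The comment should name the clause it enforces, `/* 127/8 must not appear on wire - RFC1122 3.2.1.3 */`, so a reader can check the rule against the text. Note that this hunk covers only the loopback net, the other invalid source-address classes RFC 1122 3.2.1.3 tells hosts to discard are not checked here, and the body of ipv4_input continues outside the hunk.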
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "from: @(#)inet.c 8.4 (Berkeley) 4/20/94";
 #else
-static char *rcsid = "$OpenBSD: inet.c,v 1.48 2000/06/30 20:04:01 itojun Exp $";
+static char *rcsid = "$OpenBSD: inet.c,v 1.49 2001/03/03 01:00:20 itojun Exp $";
 #endif
 #endif /* not lint */
 
@@ -410,6 +410,7 @@ ip_stats(off, name)
 p1(ips_rcvmemdrop, "\t%lu fragment floods\n");
 p(ips_toolong, "\t%lu packet%s with ip length > max ip packet size\n");
 p(ips_nogif, "\t%lu tunneling packet%s that can't find gif\n");
+ p(ips_badaddr, "\t%lu datagram%s with bad address in header\n");
 #undef p
 #undef p1
 }