diff options
author | Marco Pfatschbacher <mpf@cvs.openbsd.org> | 2008-10-28 22:57:02 +0000 |
---|---|---|
committer | Marco Pfatschbacher <mpf@cvs.openbsd.org> | 2008-10-28 22:57:02 +0000 |
commit | 17dd131c4d105561317952613504b02a936eceac (patch) | |
tree | d7133d54f1b84af4dd61bab7b36239fe38df1188 /sys/net | |
parent | 8bd1d4309863e16750d511a2b2861f54f17545f6 (diff) |
Always skip "urpf-failed" test for IPv6 link local addresses.
We could re-embed the scope-id before we do the route lookup,
but then we would just find the very interface we've received
the packet on anyway.
OK markus@, claudio@, henning@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 3313a204492..5cb55844445 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.624 2008/10/23 22:22:43 deraadt Exp $ */ +/* $OpenBSD: pf.c,v 1.625 2008/10/28 22:57:01 mpf Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -5107,6 +5107,12 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif) break; #ifdef INET6 case AF_INET6: + /* + * Skip check for addresses with embedded interface scope, + * as they would always match anyway. + */ + if (IN6_IS_SCOPE_EMBED(&addr->v6)) + goto out; dst6 = (struct sockaddr_in6 *)&ro.ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(*dst6); |