diff options
| author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2001-03-03 01:00:21 +0000 |
|---|---|---|
| committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2001-03-03 01:00:21 +0000 |
| commit | 8871a2d76744799efa054ac8b5c6ba4edecde215 (patch) | |
| tree | 6373ce0a99b9f149c0b4aa7ae4ba6530a7222a96 /sys/netinet/ip_input.c | |
| parent | 2adae9b95a5ad1232a10535efdefd334d0302462 (diff) | |
drop packets with 127.0.0.0/8 in header field, if the packet is from outside.
under RFC1122 sender rule 127.0.0.8 must not appear on the wire.
count incidents by ipstat.ips_badaddr. sync with kame
Diffstat (limited to 'sys/netinet/ip_input.c')
| -rw-r--r-- | sys/netinet/ip_input.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index f6474023c70..ad21ded43b5 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.61 2000/12/03 19:56:20 angelos Exp $ */ +/* $OpenBSD: ip_input.c,v 1.62 2001/03/03 01:00:19 itojun Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -372,6 +372,16 @@ ipv4_input(struct mbuf *m, ...) } ip = mtod(m, struct ip *); } + + /* 127/8 must not appear on wire - RFC1122 */ + if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || + (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { + if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { + ipstat.ips_badaddr++; + goto bad; + } + } + if ((ip->ip_sum = in_cksum(m, hlen)) != 0) { ipstat.ips_badsum++; goto bad; |