authorMartin Pieuchot <mpi@cvs.openbsd.org>2016-07-14 14:39:13 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2016-07-14 14:39:13 +0000
commitce503ca7330c3a237891e8a4a235d5ee1940bef4 (patch)
tree212ae15f18fddd52eaf3f740d9b1e88eb45f6659 /sys/netinet6/ip6_input.c
parente46647d59ea2f7dde451d2df69f5ce5c04ef4ac5 (diff)
Drop received packets with an IPv4-compatible address as source or
destination as per RFC4213. We're not in 1999 anymore, what was earlier a "stronger check than RFC1933" is now a best practice. This matches the behavior of the reject (R) routes added by default by netstart(8). ok jca@, florian@, claudio@, bluhm@
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r--sys/netinet6/ip6_input.c9
1 files changed, 3 insertions, 6 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 8f326efb413..92077dbd458 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.162 2016/07/06 15:50:00 mpi Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.163 2016/07/14 14:39:12 mpi Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -299,20 +299,17 @@ ip6_input(struct mbuf *m)
ip6stat.ip6s_badscope++;
goto bad;
}
-#if 0
+
/*
* Reject packets with IPv4 compatible addresses (auto tunnel).
*
- * The code forbids auto tunnel relay case in RFC1933 (the check is
- * stronger than RFC1933). We may want to re-enable it if mech-xx
- * is revised to forbid relaying case.
+ * The code forbids automatic tunneling as per RFC4213.
*/
if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
ip6stat.ip6s_badscope++;
goto bad;
}
-#endif
/*
* If the packet has been received on a loopback interface it