authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-07-06 10:11:27 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-07-06 10:11:27 +0000
commitc57277a44467243481c293c12c691f199fc0f185 (patch)
treec5095d43d95096fdebe6362e1b8fb17f585ec91a /sys/netinet6/nd6.c
parent3c7f73e7f967361446f25818f12c4cabaa88d55a (diff)
- more icmp6/ip6 stats.
- protect IPv6 ND from being hosed (due to neighbor unreachability detection hint) by wrong tcp traffic. still not sure if there's a real attack, but it is good to be cautious. - avoid bitfield for router renumbering header decl. - implement packet-per-sec limitation for icmp6 errors, turn interval limit off (it is not very useful due to unix timer resolution).
Diffstat (limited to 'sys/netinet6/nd6.c')
-rw-r--r--sys/netinet6/nd6.c46
1 files changed, 28 insertions, 18 deletions
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index f8f2e44caea..6a9d7dc0c2e 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: nd6.c,v 1.17 2000/06/16 21:47:17 provos Exp $ */
-/* $KAME: nd6.c,v 1.63 2000/05/17 12:35:59 jinmei Exp $ */
+/* $OpenBSD: nd6.c,v 1.18 2000/07/06 10:11:26 itojun Exp $ */
+/* $KAME: nd6.c,v 1.68 2000/07/02 14:48:02 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,6 +91,8 @@ int nd6_useloopback = 1; /* use loopback interface for local traffic */
/* preventing too many loops in ND option parsing */
int nd6_maxndopt = 10; /* max # of ND options allowed */
+int nd6_maxnudhint = 0; /* max # of subsequent upper layer hints */
+
/* for debugging? */
static int nd6_inuse, nd6_allocated;
@@ -220,8 +222,7 @@ nd6_setmtu(ifp)
*/
if (in6_maxmtu < ndi->linkmtu)
in6_maxmtu = ndi->linkmtu;
- }
- else
+ } else
in6_setmaxmtu();
}
}
@@ -462,8 +463,7 @@ nd6_timer(ignored_arg)
nd6_ns_output(ifp, &dst->sin6_addr,
&dst->sin6_addr,
ln, 0);
- }
- else
+ } else
ln->ln_state = ND6_LLINFO_STALE; /* XXX */
break;
case ND6_LLINFO_PROBE:
@@ -704,8 +704,7 @@ nd6_lookup(addr6, create, ifp)
(struct llinfo_nd6 *)rt->rt_llinfo;
ln->ln_state = ND6_LLINFO_NOSTATE;
}
- }
- else
+ } else
return(NULL);
}
rt->rt_refcnt--;
@@ -870,9 +869,10 @@ nd6_free(rt)
* XXX cost-effective metods?
*/
void
-nd6_nud_hint(rt, dst6)
+nd6_nud_hint(rt, dst6, force)
struct rtentry *rt;
struct in6_addr *dst6;
+ int force;
{
struct llinfo_nd6 *ln;
long time_second = time.tv_sec;
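Review bot: The new `force` parameter is not described anywhere; the function's header comment ends in the context line above the hunk (`* XXX cost-effective metods?`) and says nothing about what forcing bypasses, so a caller reading the prototype cannot tell when to pass nonzero. I would add to that comment: `/* force: nonzero means the caller's reachability evidence is trusted unconditionally and the nd6_maxnudhint cap is not applied. */`. nd6_nud_hint's body continues past the end of this hunk.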
@@ -888,11 +888,10 @@ nd6_nud_hint(rt, dst6)
return;
}
- if ((rt->rt_flags & RTF_GATEWAY)
- || (rt->rt_flags & RTF_LLINFO) == 0
- || !rt->rt_llinfo
- || !rt->rt_gateway
- || rt->rt_gateway->sa_family != AF_LINK) {
+ if ((rt->rt_flags & RTF_GATEWAY) != 0 ||
+ (rt->rt_flags & RTF_LLINFO) == 0 ||
+ !rt->rt_llinfo || !rt->rt_gateway ||
+ rt->rt_gateway->sa_family != AF_LINK) {
/* This is not a host route. */
return;
}
@@ -901,6 +900,16 @@ nd6_nud_hint(rt, dst6)
if (ln->ln_state < ND6_LLINFO_REACHABLE)
return;
+ /*
+ * if we get upper-layer reachability confirmation many times,
+ * it is possible we have false information.
+ */
+ if (!force) {
+ ln->ln_byhint++;
+ if (ln->ln_byhint > nd6_maxnudhint)
+ return;
+ }
+
ln->ln_state = ND6_LLINFO_REACHABLE;
if (ln->ln_expire)
ln->ln_expire = time_second +
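Review bot: `ln->ln_byhint++` runs on every non-forced call even after the cap has been exceeded, so the counter grows without bound and, if ln_byhint is a signed int (its declaration is not on this page), eventually overflows on a long-lived entry that keeps receiving hints. Checking before incrementing keeps the same accept/reject sequence while saturating at the limit: `if (ln->ln_byhint >= nd6_maxnudhint) return;` followed by `ln->ln_byhint++;`. With the default `nd6_maxnudhint = 0` every non-forced hint is rejected, which matches the commit's stated intent but deserves a comment at the tunable's declaration, e.g. `/* 0 disables upper-layer (non-forced) hints entirely */`. The success path here does not clear ln_byhint, and the only resets on this page are the three `ln->ln_byhint = 0;` in nd6_rtrequest, so whether an ND-level reachability confirmation elsewhere resets it would need checking in the code that sets ln_state outside this file. nd6_nud_hint begins outside this hunk.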
@@ -1122,6 +1131,7 @@ nd6_rtrequest(req, rt, sa)
* which is specified by ndp command.
*/
ln->ln_state = ND6_LLINFO_REACHABLE;
+ ln->ln_byhint = 0;
} else {
/*
* When req == RTM_RESOLVE, rt is created and
@@ -1146,6 +1156,7 @@ nd6_rtrequest(req, rt, sa)
caddr_t macp = nd6_ifptomac(ifp);
ln->ln_expire = 0;
ln->ln_state = ND6_LLINFO_REACHABLE;
+ ln->ln_byhint = 0;
if (macp) {
Bcopy(macp, LLADDR(SDL(gate)), ifp->if_addrlen);
SDL(gate)->sdl_alen = ifp->if_addrlen;
@@ -1169,6 +1180,7 @@ nd6_rtrequest(req, rt, sa)
} else if (rt->rt_flags & RTF_ANNOUNCE) {
ln->ln_expire = 0;
ln->ln_state = ND6_LLINFO_REACHABLE;
+ ln->ln_byhint = 0;
/* join solicited node multicast for proxy ND */
if (ifp->if_flags & IFF_MULTICAST) {
@@ -1308,8 +1320,7 @@ nd6_ioctl(cmd, data, ifp)
if (IN6_IS_ADDR_LINKLOCAL(&drl->defrouter[i].rtaddr)) {
/* XXX: need to this hack for KAME stack */
drl->defrouter[i].rtaddr.s6_addr16[1] = 0;
- }
- else
+ } else
log(LOG_ERR,
"default router list contains a "
"non-linklocal address(%s)\n",
@@ -1354,8 +1365,7 @@ nd6_ioctl(cmd, data, ifp)
if (IN6_IS_ADDR_LINKLOCAL(&RTRADDR)) {
/* XXX: hack for KAME */
RTRADDR.s6_addr16[1] = 0;
- }
- else
+ } else
log(LOG_ERR,
"a router(%s) advertises "
"a prefix with "