diff options
| author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-08-19 02:28:24 +0000 |
|---|---|---|
| committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-08-19 02:28:24 +0000 |
| commit | f6e962beaf1d59abff23fd9a45c1dfbc34ee924d (patch) | |
| tree | 4fefb2f57dc74cc2652c35054eb6f714e5ca2f17 /sys | |
| parent | 7a583044e75aa68143c9c410026c2424ec951e89 (diff) | |
merge in IPv6 deprecated address handling from KAME.
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet/tcp_input.c | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 25dacf38bc4..07ac26978cf 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.120 2002/08/08 19:18:12 provos Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.121 2002/08/19 02:28:23 itojun Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -730,6 +730,48 @@ findpcb: if (so->so_options & SO_ACCEPTCONN) { struct socket *so1; +#ifdef INET6 + /* + * If deprecated address is forbidden, + * we do not accept SYN to deprecated interface + * address to prevent any new inbound connection from + * getting established. So drop the SYN packet. + * When we do not accept SYN, we send a TCP RST, + * with deprecated source address (instead of dropping + * it). We compromise it as it is much better for peer + * to send a RST, and RST will be the final packet + * for the exchange. + * + * If we do not forbid deprecated addresses, we accept + * the SYN packet. RFC2462 does not suggest dropping + * SYN in this case. + * If we decipher RFC2462 5.5.4, it says like this: + * 1. use of deprecated addr with existing + * communication is okay - "SHOULD continue to be + * used" + * 2. use of it with new communication: + * (2a) "SHOULD NOT be used if alternate address + * with sufficient scope is available" + * (2b) nothing mentioned otherwise. + * Here we fall into (2b) case as we have no choice in + * our source address selection - we must obey the peer. + * + * The wording in RFC2462 is confusing, and there are + * multiple description text for deprecated address + * handling - worse, they are not exactly the same. + * I believe 5.5.4 is the best one, so we follow 5.5.4. + */ + if (ipv6 && !ip6_use_deprecated) { + struct in6_ifaddr *ia6; + + if ((ia6 = in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ipv6->ip6_dst)) && + (ia6->ia6_flags & IN6_IFF_DEPRECATED)) { + tp = NULL; + goto dropwithreset; + } + } +#endif + so1 = sonewconn(so, 0); if (so1 == NULL) { tcpdropoldhalfopen(tp, th->th_dport); |