diff options
author | Catalin\(ux\) M. BOIE <catab@embedromix.ro> | 2013-09-23 16:04:19 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-09-28 15:56:15 -0400 |
commit | 7df37ff33dc122f7bd0614d707939fe84322d264 (patch) | |
tree | caacc6c977eeb20bd408094c92a12c4bd8adfbed /include/net/addrconf.h | |
parent | 60e453a940ac678565b6641d65f8c18541bb9f28 (diff) |
IPv6 NAT: Do not drop DNATed 6to4/6rd packets
When a router is doing DNAT for 6to4/6rd packets the latest
anti-spoofing commit 218774dc ("ipv6: add anti-spoofing checks for
6to4 and 6rd") will drop them because the IPv6 address embedded does
not match the IPv4 destination. This patch will allow them to pass by
testing if we have an address that matches on 6to4/6rd interface. I
have been hit by this problem using Fedora and IPV6TO4_IPV4ADDR.
Also, log the dropped packets (with rate limit).
Signed-off-by: Catalin(ux) M. BOIE <catab@embedromix.ro>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/addrconf.h')
-rw-r--r-- | include/net/addrconf.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/net/addrconf.h b/include/net/addrconf.h index fb314de2b61b..86505bfa5d2c 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h | |||
@@ -67,6 +67,10 @@ int ipv6_chk_addr(struct net *net, const struct in6_addr *addr, | |||
67 | int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr); | 67 | int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr); |
68 | #endif | 68 | #endif |
69 | 69 | ||
70 | bool ipv6_chk_custom_prefix(const struct in6_addr *addr, | ||
71 | const unsigned int prefix_len, | ||
72 | struct net_device *dev); | ||
73 | |||
70 | int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev); | 74 | int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev); |
71 | 75 | ||
72 | struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, | 76 | struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, |