aboutsummaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorCatalin(ux) M. BOIE <catab@embedromix.ro>2013-09-23 16:04:19 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-10-13 19:08:30 -0400
commit6ea2edb3b6cbe72d2f943e205c463f6cb8bafe56 (patch)
tree6c3f79e392abd8f3b93881df70399e1c9a8b1998 /include/net
parentf7036a444e8a9eb1e41f4e157c8f19b8efbc2cb7 (diff)
IPv6 NAT: Do not drop DNATed 6to4/6rd packets
[ Upstream commit 7df37ff33dc122f7bd0614d707939fe84322d264 ] When a router is doing DNAT for 6to4/6rd packets the latest anti-spoofing commit 218774dc ("ipv6: add anti-spoofing checks for 6to4 and 6rd") will drop them because the IPv6 address embedded does not match the IPv4 destination. This patch will allow them to pass by testing if we have an address that matches on 6to4/6rd interface. I have been hit by this problem using Fedora and IPV6TO4_IPV4ADDR. Also, log the dropped packets (with rate limit). Signed-off-by: Catalin(ux) M. BOIE <catab@embedromix.ro> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/addrconf.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 01b1a1ad77d2..25100687babb 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -73,6 +73,10 @@ extern int ipv6_chk_home_addr(struct net *net,
73 const struct in6_addr *addr); 73 const struct in6_addr *addr);
74#endif 74#endif
75 75
76bool ipv6_chk_custom_prefix(const struct in6_addr *addr,
77 const unsigned int prefix_len,
78 struct net_device *dev);
79
76extern int ipv6_chk_prefix(const struct in6_addr *addr, 80extern int ipv6_chk_prefix(const struct in6_addr *addr,
77 struct net_device *dev); 81 struct net_device *dev);
78 82