On Tue, Jul 12, 2016 at 11:46:43AM +0200, Martin Pieuchot wrote:
> > Would you then remove the ::/96 reject route from the routing table?
> 
> I think this should be a second discussion.  We also have a route for
> IPv4-mapped IPv6 addresses & have a similar check enabled in ip6_input():
> 
> ::ffff:0.0.0.0/96    ::1                      UGRS    0   0 32768     8 lo0  
> 
> Now routes also prevent any user from sending packets to such destinations. 
> Note that we don't have similar checks in ip6_output().

I would leave the reject route as it is.

OK bluhm@

> > > Index: netinet6/ip6_input.c
> > > ===================================================================
> > > RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
> > > retrieving revision 1.162
> > > diff -u -p -r1.162 ip6_input.c
> > > --- netinet6/ip6_input.c  6 Jul 2016 15:50:00 -0000       1.162
> > > +++ netinet6/ip6_input.c  12 Jul 2016 09:17:04 -0000
> > > @@ -299,20 +299,17 @@ ip6_input(struct mbuf *m)
> > >           ip6stat.ip6s_badscope++;
> > >           goto bad;
> > >   }
> > > -#if 0
> > > +
> > >   /*
> > >    * Reject packets with IPv4 compatible addresses (auto tunnel).
> > >    *
> > > -  * The code forbids auto tunnel relay case in RFC1933 (the check is
> > > -  * stronger than RFC1933).  We may want to re-enable it if mech-xx
> > > -  * is revised to forbid relaying case.
> > > +  * The code forbids automatic tunneling as per RFC4213.
> > >    */
> > >   if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
> > >       IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
> > >           ip6stat.ip6s_badscope++;
> > >           goto bad;
> > >   }
> > > -#endif
> > >  
> > >   /*
> > >    * If the packet has been received on a loopback interface it
> > > 
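Review bot: The re-enabled IN6_IS_ADDR_V4COMPAT test increments ip6stat.ip6s_badscope, the same counter the preceding block in this hunk bumps before its own "goto bad", so drops of IPv4-compatible packets cannot be told apart from other scope failures in the statistics; consider noting that in the comment or counting them separately. The new comment line "The code forbids automatic tunneling as per RFC4213" could also state what is actually tested, namely that the packet is dropped when either ip6_src or ip6_dst is IPv4-compatible, and, as raised in the thread, that this applies to input only because ip6_output() has no matching check.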
> > 
> > -- 
> > :wq Claudio
> > 
