If the sysctl variable net.inet.ip.forwarding is enabled (value 1) but the variable net.inet.ip.sourceroute is disabled (value 0),
the kernel blocks source-routed packets from being forwarded through it, but will still
accept source-routed packets destined for itself. Our fix changes the
semantics of the net.inet.ip.sourceroute variable so that all source-routed
packets are blocked completely.
Apply the patch by running:
cd /sys
patch < sourceroute.patch
Index: netinet/ip_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- ip_input.c 1998/02/01 21:46:02 1.28
+++ ip_input.c 1998/02/03 21:11:08 1.29
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.26 1997/08/09 23:36:29 millert Exp $ */
+/* $OpenBSD: ip_input.c,v 1.29 1998/02/03 21:11:08 deraadt Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -744,6 +744,17 @@
*/
case IPOPT_LSRR:
case IPOPT_SSRR:
+ if (!ip_dosourceroute) {
+ char buf[4*sizeof "123"];
+
+ strcpy(buf, inet_ntoa(ip->ip_dst));
+ log(LOG_WARNING,
+ "attempted source route from %s to %s\n",
+ inet_ntoa(ip->ip_src), buf);
+ type = ICMP_UNREACH;
+ code = ICMP_UNREACH_SRCFAIL;
+ goto bad;
+ }
if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
code = &cp[IPOPT_OFFSET] - (u_char *)ip;
goto bad;
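Review bot: The temporary `buf` is sized `4*sizeof "123"` (16 bytes), which is exactly the longest dotted quad `"255.255.255.255"` plus its NUL, so the `strcpy` on the next line has no margin and the reason for the copy (inet_ntoa() returning a single static buffer that the second call would overwrite) is not stated; a comment such as `/* inet_ntoa() reuses one static buffer: save ip_dst before the second call; 16 bytes fits "255.255.255.255\0" */` would make both points explicit. The `log(LOG_WARNING, ...)` is emitted once per rejected packet with no rate limit, so a sustained stream of source-routed packets translates directly into log volume; a counter or rate-limited log would be the more robust choice. Moving the check ahead of the `IPOPT_OFFSET` validation also means a malformed option now draws ICMP_UNREACH_SRCFAIL rather than a parameter problem whenever source routing is disabled, which is presumably intended but worth noting in the commit message. The enclosing `ip_dooptions` switch starts and ends outside the hunk.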
@@ -771,18 +782,6 @@
break;
}
- if (!ip_dosourceroute) {
- char buf[4*sizeof "123"];
-
- strcpy(buf, inet_ntoa(ip->ip_dst));
- log(LOG_WARNING,
- "attempted source route from %s to %s\n",
- inet_ntoa(ip->ip_src), buf);
- type = ICMP_UNREACH;
- code = ICMP_UNREACH_SRCFAIL;
- goto bad;
- }
-
/*
* locate outgoing interface
*/
@@ -889,7 +888,7 @@
ipt->ipt_ptr += sizeof(n_time);
}
}
- if (forward) {
+ if (forward && ipforwarding) {
ip_forward(m, 1);
return (1);
}
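Review bot: When `forward` is set but `ipforwarding` is 0, the new condition simply skips `ip_forward` and the function continues past the hunk, so what happens to the packet is not visible here; presumably the caller drops it as not addressed to this host once the source-route rewrite has advanced `ip_dst`, but that should be confirmed. Unlike the sourceroute check added earlier in this patch, this path emits neither an ICMP error nor a log line, so a forwarding-disabled host silently discards source-routed traffic it was asked to relay; a comment at the `if` such as `/* source route asked us to relay, but forwarding is off: fall through, caller drops the non-local packet */` (once confirmed) or an explicit `ipstat` counter would document the behavior. The enclosing function begins outside the hunk.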