On Mon, Jun 27, 2016 at 08:46:12PM +0200, Jeremie Courreges-Anglas wrote:
>
> Renato would like to implement GTSM in ldpd(8), the first step would be
> to support IPV6_MINHOPCOUNT on SOCK_DGRAM sockets. The following diff
> seems to work fine for him.
>
> I did not go down all possible *_input() methods, only regular TCP and
> UDP sockets. Is that enough to deserve the associated manpage diff?
>
> Thoughts / oks? I'll admit that the code is getting a bit ugly...
The man page says IPV6_MINHOPCOUNT is only for unicast packets.
The ugly part of the code is dealing with multicast packets.
I don't know which is right. Is there a specification somewhere?
bluhm
> Index: sys/netinet/udp_usrreq.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/udp_usrreq.c,v
> retrieving revision 1.213
> diff -u -p -r1.213 udp_usrreq.c
> --- sys/netinet/udp_usrreq.c 18 Jun 2016 10:36:13 -0000 1.213
> +++ sys/netinet/udp_usrreq.c 27 Jun 2016 17:19:35 -0000
> @@ -425,15 +425,25 @@ udp_input(struct mbuf *m, ...)
> continue;
> #ifdef INET6
> if (ip6) {
> + if (inp->inp_ip6_minhlim &&
> + inp->inp_ip6_minhlim > ip6->ip6_hlim)
> + continue;
> if (!IN6_IS_ADDR_UNSPECIFIED(&inp->inp_laddr6))
> if
> (!IN6_ARE_ADDR_EQUAL(&inp->inp_laddr6,
> &ip6->ip6_dst))
> continue;
> } else
> #endif /* INET6 */
> - if (inp->inp_laddr.s_addr != INADDR_ANY) {
> - if (inp->inp_laddr.s_addr != ip->ip_dst.s_addr)
> + {
> + if (inp->inp_ip_minttl &&
> + inp->inp_ip_minttl > ip->ip_ttl)
> continue;
> +
> + if (inp->inp_laddr.s_addr != INADDR_ANY) {
> + if (inp->inp_laddr.s_addr !=
> + ip->ip_dst.s_addr)
> + continue;
> + }
> }
> #ifdef INET6
> if (ip6) {
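Review bot: this hunk adds the minimum TTL/hop limit test inside the loop that delivers one datagram to every matching socket, i.e. the multicast/broadcast path, while the accompanying ip6.4 text (and the original SOCK_STREAM wording it replaces) describes the option as applying to unicast datagrams only; either keep the check out of this loop or have the manual say the check applies to all incoming datagrams, otherwise the two disagree. Two smaller points: the `inp->inp_ip6_minhlim &&` and `inp->inp_ip_minttl &&` guards are redundant, since a zero minimum can never be greater than an unsigned hop limit or TTL, so they only buy a short circuit and could be dropped to simplify; and the `} else` / `#endif` / `{` construction that wraps the IPv4 branch in its own block is what makes the code hard to read, so a small comment on the `{` or a brief note above the `#ifdef` saying the braces are needed because the IPv4 path is the `else` of a conditionally compiled `if` would help the next reader.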
> @@ -580,6 +590,17 @@ udp_input(struct mbuf *m, ...)
> }
> KASSERT(sotoinpcb(inp->inp_socket) == inp);
>
> +#ifdef INET6
> + if (ip6 && inp->inp_ip6_minhlim &&
> + inp->inp_ip6_minhlim > ip6->ip6_hlim) {
> + goto bad;
> + } else
> +#endif
> + if (ip && inp->inp_ip_minttl &&
> + inp->inp_ip_minttl > ip->ip_ttl) {
> + goto bad;
> + }
> +
> #if NPF > 0
> if (inp->inp_socket->so_state & SS_ISCONNECTED)
> pf_inp_link(m, inp);
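Review bot: in the unicast delivery path the `goto bad` silently discards a datagram whose hop limit or TTL is below the socket's configured minimum, and nothing in the visible lines counts the drop; since the whole point of GTSM per RFC 5082 is to reject spoofed off-link packets, the rejection should be observable, so consider bumping a udpstat drop counter before `goto bad` (as the existing header-check failures in udp_input do) so an operator can see GTSM doing its job. The `#ifdef INET6` / `} else` / `#endif` / `if (ip && ...)` layout has the same readability problem as the first hunk; since `ip` and `ip6` are mutually exclusive here, two independent `if` statements, each guarded by its own pointer, would avoid the dangling `else` across a preprocessor boundary and read the same without INET6.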
> Index: share/man/man4/ip6.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/ip6.4,v
> retrieving revision 1.38
> diff -u -p -r1.38 ip6.4
> --- share/man/man4/ip6.4 27 Jun 2016 16:33:48 -0000 1.38
> +++ share/man/man4/ip6.4 27 Jun 2016 18:36:53 -0000
> @@ -146,9 +146,7 @@ datagrams sent on this socket.
> A value of \-1 resets to the default value.
> .It Dv IPV6_MINHOPCOUNT Fa "int *"
> Get or set the minimum hop limit header field for incoming unicast
> -datagrams received on this
> -.Dv SOCK_STREAM
> -socket.
> +datagrams received on this socket.
> This can be used to implement the
> .Em Generalized TTL Security Mechanism (GTSM)
> according to RFC 5082.
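Review bot: dropping the `.Dv SOCK_STREAM` restriction correctly reflects that the option now applies to UDP sockets too, but the sentence still says "incoming unicast datagrams" while the udp_usrreq.c part of this diff enforces the minimum in the multicast/broadcast delivery loop as well; either change this line to "incoming datagrams received on this socket" or leave the word "unicast" and restrict the kernel check accordingly, and in either case a short sentence that datagrams failing the check are silently dropped would tell the reader what to expect.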
>
>
> --
> jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE