Hello. In article <[EMAIL PROTECTED]> (at Thu, 10 Aug 2006 00:37:14 +0300), Ville Nuorvala <[EMAIL PROTECTED]> says:
> >> commit e0ad64d5b44179ea1296d737dec23279c72c9636 > >> Author: YOSHIFUJI Hideaki <[EMAIL PROTECTED]> > >> Date: Wed Aug 9 17:08:33 2006 +0900 > >> > >> [IPV6] NDISC: Allow redirects from other interfaces if it is not > >> strict. > >> > >> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]> > >> > >> diff --git a/net/ipv6/route.c b/net/ipv6/route.c > >> index 4650787..1698fec 100644 > >> --- a/net/ipv6/route.c > >> +++ b/net/ipv6/route.c > >> @@ -1322,7 +1322,7 @@ restart: > >> continue; > >> if (!(rt->rt6i_flags & RTF_GATEWAY)) > >> continue; > >> - if (fl->oif != rt->rt6i_dev->ifindex) > >> + if ((flags & RT6_F_STRICT) && fl->oif != rt->rt6i_dev->ifindex) > >> continue; > >> if (!ipv6_addr_equal(&rdfl->gateway, &rt->rt6i_gateway)) > >> continue; > >> > > > > Is this absolutely safe? Doesn't this enable a malicious node on another > > link to make a bogus redirect if it uses same link-local source address > > as the real router on the other link. Keep in mind that the RT6_F_STRICT > > flag is set based on the destination of the original redirected packet > > and doesn't in any way depend on the router or source address. : Ah, you're right. I'll drop this. As a result of original lookup (with possible ambiguous outout interface), one interface for original output is selected. Which means, we have a route for the (original) destination through that interface. Redirects shall come from that interface. So, it is enough to lookup routes on that interface. Thanks. --yoshfuji - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
