In article <[EMAIL PROTECTED]> (at Thu, 02 Nov 2006 15:16:23 +0200), Ville 
Nuorvala <[EMAIL PROTECTED]> says:

> On 11/02/06 14:59, YOSHIFUJI Hideaki wrote:
> > In article <[EMAIL PROTECTED]> (at Thu, 02 Nov 2006 13:39:19 +0200), Ville 
> > Nuorvala <[EMAIL PROTECTED]> says:
> > 
> >>    read_unlock(&ip6ip6_lock);
> >> -  return 1;
> >> -
> >> +  icmpv6_send(skb, ICMPV6_DEST_UNREACH,
> >> +              ICMPV6_ADDR_UNREACH, 0, skb->dev);
> >>  discard:
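
Review bot: the icmpv6_send() call added just before the discard: label is unconditional, so every packet that reaches this path triggers an ICMPv6 Destination Unreachable back toward the sender, and nothing in the hunk bounds or explains that reply. Removing `return 1;` on its own already lets this path fall through to discard:, so consider dropping the two added lines. If the error reply is intended, add a comment above the call stating why it is wanted here.
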
> > 
> > I'd argue this.  We probably should not send back any ICMPv6 packets 
> > to the original sender in this case to avoid DoS.
> 
> Sorry, I don't follow you. I don't see the DoS scenario here (after we
> apply the patch, that is ;-).

Well, leaving aside whether sending icmpv6 is a good thing (*),
the code for sending icmpv6 was moved from ip6_tunnel.c
to tunnel6.c by commit-id 50fba2aa7cefa6b0e1768cb350c9e69042320c03
by Herbert.

The ip6_tunnel.c change that Herbert made does not seem consistent
with the ipip.c change.  To fix your issue the appropriate change is just
to fall through to the discard section, as we're doing for ipip.c.

Please do not re-add sending icmpv6 logic here.
If you DO think it is appropriate, please fix other code
such as ipip.c, and your comment.

*: As far as I remember, *BSD*s do not send icmpv6
   in this case.
   Anyway, I'd talk to people at ietf next week.

--yoshfuji