tap: Disallow loopback addresses on tap interface
The "tap" interface, whether it's actually a tuntap device or a qemu socket, presents a virtual external link between different network hosts. Hence, loopback addresses make no sense there. However, nothing prevents the guest from putting bogus packets with loopback addresses onto the interface and it's not entirely clear what effect that will have on passt. Explicitly test for such packets and drop them. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
3b59b9748a
commit
f15be719b3
1 changed files with 19 additions and 0 deletions
19
tap.c
19
tap.c
|
@ -610,6 +610,16 @@ resume:
|
||||||
|
|
||||||
l4_len = htons(iph->tot_len) - hlen;
|
l4_len = htons(iph->tot_len) - hlen;
|
||||||
|
|
||||||
|
if (IN4_IS_ADDR_LOOPBACK(&iph->saddr) ||
|
||||||
|
IN4_IS_ADDR_LOOPBACK(&iph->daddr)) {
|
||||||
|
char sstr[INET_ADDRSTRLEN], dstr[INET_ADDRSTRLEN];
|
||||||
|
|
||||||
|
debug("Loopback address on tap interface: %s -> %s",
|
||||||
|
inet_ntop(AF_INET, &iph->saddr, sstr, sizeof(sstr)),
|
||||||
|
inet_ntop(AF_INET, &iph->daddr, dstr, sizeof(dstr)));
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr)
|
if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr)
|
||||||
c->ip4.addr_seen.s_addr = iph->saddr;
|
c->ip4.addr_seen.s_addr = iph->saddr;
|
||||||
|
|
||||||
|
@ -766,6 +776,15 @@ resume:
|
||||||
if (!(l4h = ipv6_l4hdr(in, i, sizeof(*eh), &proto, &l4_len)))
|
if (!(l4h = ipv6_l4hdr(in, i, sizeof(*eh), &proto, &l4_len)))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
if (IN6_IS_ADDR_LOOPBACK(saddr) || IN6_IS_ADDR_LOOPBACK(daddr)) {
|
||||||
|
char sstr[INET6_ADDRSTRLEN], dstr[INET6_ADDRSTRLEN];
|
||||||
|
|
||||||
|
debug("Loopback address on tap interface: %s -> %s",
|
||||||
|
inet_ntop(AF_INET6, saddr, sstr, sizeof(sstr)),
|
||||||
|
inet_ntop(AF_INET6, daddr, dstr, sizeof(dstr)));
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
if (IN6_IS_ADDR_LINKLOCAL(saddr)) {
|
if (IN6_IS_ADDR_LINKLOCAL(saddr)) {
|
||||||
c->ip6.addr_ll_seen = *saddr;
|
c->ip6.addr_ll_seen = *saddr;
|
||||||
|
|
||||||
|
|
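Review bot: Neither new block says why loopback addresses are rejected; the rationale lives only in the commit message, so a short comment above the `if (IN4_IS_ADDR_LOOPBACK(&iph->saddr) ||` test (and its IPv6 twin in the second hunk) would help the next reader: `/* Loopback addresses can't legitimately appear on the tap link: drop the packet rather than guess what the rest of passt would do with it */`. The IPv6 test matches only `::1`; an IPv4-mapped loopback address such as `::ffff:127.0.0.1` is not caught by `IN6_IS_ADDR_LOOPBACK()`, so if v4-mapped addresses are ever accepted from the tap side, that form should be covered too — worth confirming against the rest of tap.c, which is outside the hunk. The enclosing function starts and ends outside both hunks.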