authorGert Doering <gert@greenie.muc.de>2014-06-06 20:43:55 +0200
committerGert Doering <gert@greenie.muc.de>2014-06-08 12:48:54 +0200
commit70f1864188ad00451683cabf51e56b7730250c40 (patch)
tree9b349f29ce794a07bd1067aadc50e3c7eb27718c /src
parentbe46a2c083a6bd77754bc1674249eab583d25dac (diff)
Drop incoming fe80:: packets silently now.
IPv6 has the concept of "link local" addresses, fe80::<host id>, which normally are present on every link, and are used for stuff like DHCPv6, neighbor discovery, etc. OpenVPN point-to-multipoint mode currently neither configures them on tun interfaces, nor handles them in a meaningful way if a client OS always has them (like Windows or Solaris) - so the log fills with many lines of "MULTI: bad source address from client [fe80::...]", serving no useful purpose. This patch just recognizes IPv6 LL packets and silently drops them. Further patches can build on this and add full link-local support, which would require address learning (as the addresses are based on host IDs, not assigned by the server). Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
Diffstat (limited to 'src')
-rw-r--r--src/openvpn/multi.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index e451924..5910154 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2161,8 +2161,17 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins
/* make sure that source address is associated with this client */
else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending)
{
- msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
- mroute_addr_print (&src, &gc));
+ /* IPv6 link-local address (fe80::xxx)? */
+ if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6 &&
+ src.addr[0] == 0xfe && src.addr[1] == 0x80 )
+ {
+ /* do nothing, for now. TODO: add address learning */
+ }
+ else
+ {
+ msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
+ mroute_addr_print (&src, &gc));
+ }
c->c2.to_tun.len = 0;
}
/* client-to-client communication enabled? */
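Review bot: The new fe80 branch drops the packet with no message at any verbosity, so an operator debugging IPv6 or watching for clients sending unexpected source addresses can no longer see these drops at all. A message at a high debug level inside the currently empty block would keep the normal log quiet while preserving that visibility, for example `msg (D_MULTI_DEBUG, "MULTI: IPv6 link-local source [%s], packet dropped", mroute_addr_print (&src, &gc));` (assuming D_MULTI_DEBUG is the right level in this tree). Separately, `src.addr[0] == 0xfe && src.addr[1] == 0x80` matches only fe80::/16, while the link-local unicast prefix is fe80::/10; `(src.addr[1] & 0xc0) == 0x80` would cover the whole range, and a short comment should say which prefix is intended. The enclosing function multi_process_incoming_link starts and ends outside this hunk.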