From e93f7885dad16245a4f772d4305cfc00ba5d8a44 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Thu, 31 Mar 2016 23:53:10 +0200
Subject: 6in4: ingress filter multicast and link-local, but allow relay traffic
---
 sys/src/cmd/ip/6in4.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/sys/src/cmd/ip/6in4.c b/sys/src/cmd/ip/6in4.c
index ae591a607..7ef633fed 100644
--- a/sys/src/cmd/ip/6in4.c
+++ b/sys/src/cmd/ip/6in4.c
@@ -381,7 +381,6 @@ tunnel2ip(int in, int out)
 {
 int n, m;
 char buf[64*1024];
- uchar a[IPaddrlen];
 Ip6hdr *op;
 Iphdr *ip;
@@ -419,14 +418,10 @@ tunnel2ip(int in, int out)
 op = (Ip6hdr*)(buf + IPaddrlen + STFHDR);
 n -= STFHDR;
- /*
- * don't relay: just accept packets for local host/subnet
- * (this blocks link-local and multicast addresses as well)
- */
- maskip(op->dst, localmask, a);
- if (!equivip6(a, localnet)) {
- syslog(0, "6in4", "ingress filtered %I -> %I; "
- "dst not on local net", op->src, op->dst);
+ /* filter multicast and link-local, but allow relay traffic */
+ if (badipv6(op->src) || badipv6(op->dst)) {
+ syslog(0, "6in4", "ingress filtered %I -> %I; bad src/dst",
+ op->src, op->dst);
 continue;
 }
 if (debug > 1)
-- 
cgit v1.2.3
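Review bot: In the second hunk of tunnel2ip, dropping the `equivip6(a, localnet)` test leaves `badipv6()` as the only ingress check on decapsulated packets, and its definition is outside this diff, so the filter's strength cannot be judged from the hunk. Since any inner packet that passes it is now relayed, it is worth confirming that `badipv6()` also rejects unspecified, loopback and IPv4-mapped addresses, and that a 6to4 inner source is checked against the outer IPv4 source (the decapsulation checks discussed in RFC 3964); otherwise the endpoint can forward spoofed traffic. The new comment should record that dependency, for example `/* relay allowed: dst is no longer limited to localnet; badipv6() is the only ingress check here */`. The `syslog()` call still fires once per rejected packet, so a remote sender can flood the log; a rate limit or a `debug` guard would bound that. The body of tunnel2ip begins and continues outside both hunks.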