kernel - Adjustments for CERT VU#711516
author Matthew Dillon <dillon@apollo.backplane.com>
Sat, 28 Mar 2015 22:00:43 +0000 (15:00 -0700)
committer Matthew Dillon <dillon@apollo.backplane.com>
Sat, 28 Mar 2015 22:00:43 +0000 (15:00 -0700)
commit 74ceb998af302c8fb9fe0303aa736e3ab66780c8
tree 981dac647bde42cdffa0fc67eef4ee0cf6fbae73
parent 506bd6d145b6429947d572e34575b4a2a864193c
kernel - Adjustments for CERT VU#711516

Note that IPV6 route advertisements are disabled by default, so these
adjustments have no real security implications if you haven't enabled
it.  And, generally speaking, enabling IPV6 route advertisements is a
really bad idea anyway and these adjustments only address one small part
of the problem.

* Allowing RTR packets via net.inet6.ip6.accept_rtadv is not advised
  even with this adjustment.

* Add a sysctl to put a lower limit on the IPV6 hop limit received via
  RTR packets when allowed, default is 39. sysctl net.inet6.ip6.minhlim.
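The floor the commit message describes, worked through as an added example in user-space C. This is not DragonFly's nd6 code; it is an illustration of the policy: a host that accepts router advertisements copies the RA's Cur Hop Limit into its default hop limit, so an RA carrying a value like 1 makes every outgoing packet expire at the first router, and a minimum (default 39 per the commit) blunts that. The fixed RA header layout follows RFC 4861 section 4.2 (type 134, code 0, checksum, Cur Hop Limit, flags, router lifetime, reachable time, retrans timer; a Cur Hop Limit of 0 means "unspecified"). The two sysctl names come from the commit message; the variables standing in for them, the function names, and the sample packet are assumptions made for the example.

```c
/*
 * Added example: clamp the Cur Hop Limit taken from an IPv6 Router
 * Advertisement to a configurable floor. Illustrative only, not the
 * DragonFly nd6 implementation. Header layout per RFC 4861 s4.2.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134   /* ICMPv6 type for a Router Advertisement */
#define RA_HDR_LEN       16    /* fixed RA header, options follow */

/* Stand-ins for the two sysctls named in the commit message (assumed:
 * net.inet6.ip6.accept_rtadv off, net.inet6.ip6.minhlim 39). */
static int     ip6_accept_rtadv = 0;
static uint8_t ip6_minhlim      = 39;

struct ra_hdr {
    uint8_t  type;
    uint8_t  code;
    uint16_t cksum;            /* not verified in this example */
    uint8_t  cur_hoplimit;     /* 0 = router does not specify one */
    uint8_t  flags;            /* M and O bits */
    uint16_t router_lifetime;
    uint32_t reachable_time;
    uint32_t retrans_timer;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the fixed RA header. Returns 0 on success, -1 if the buffer is
 * too short or is not a Router Advertisement. */
int parse_ra(const uint8_t *buf, size_t len, struct ra_hdr *ra)
{
    if (buf == NULL || ra == NULL || len < RA_HDR_LEN)
        return -1;
    ra->type = buf[0];
    ra->code = buf[1];
    if (ra->type != ND_ROUTER_ADVERT || ra->code != 0)
        return -1;
    ra->cksum           = be16(buf + 2);
    ra->cur_hoplimit    = buf[4];
    ra->flags           = buf[5];
    ra->router_lifetime = be16(buf + 6);
    ra->reachable_time  = be32(buf + 8);
    ra->retrans_timer   = be32(buf + 12);
    return 0;
}

/*
 * New default hop limit after an RA.
 *  - advertised == 0: the router did not specify one, keep the current value.
 *  - minhlim == 0: no floor, the pre-fix behaviour. A forged RA carrying 1
 *    is accepted and outgoing packets die at the first router.
 *  - otherwise: never go below minhlim.
 */
uint8_t apply_ra_hoplimit(uint8_t current, uint8_t advertised, uint8_t minhlim)
{
    if (advertised == 0)
        return current;
    if (minhlim != 0 && advertised < minhlim)
        return minhlim;
    return advertised;
}

/* Full path: the RA is ignored entirely unless accept_rtadv is enabled. */
uint8_t process_ra(uint8_t current, const uint8_t *buf, size_t len)
{
    struct ra_hdr ra;

    if (!ip6_accept_rtadv || parse_ra(buf, len, &ra) != 0)
        return current;
    return apply_ra_hoplimit(current, ra.cur_hoplimit, ip6_minhlim);
}

/* Constructed sample RA with Cur Hop Limit = 1 (not a real capture). */
static const uint8_t forged_ra[RA_HDR_LEN] = {
    0x86, 0x00, 0x00, 0x00,  /* type 134, code 0, checksum (unverified) */
    0x01, 0x00,              /* Cur Hop Limit 1, flags 0 */
    0x07, 0x08,              /* router lifetime 1800 s */
    0x00, 0x00, 0x00, 0x00,  /* reachable time */
    0x00, 0x00, 0x00, 0x00,  /* retrans timer */
};

int main(void)
{
    uint8_t hlim = 64;

    printf("accept_rtadv=0: %u -> %u\n", hlim, process_ra(hlim, forged_ra, sizeof forged_ra));
    ip6_accept_rtadv = 1;
    ip6_minhlim = 0;
    printf("minhlim=0:      %u -> %u\n", hlim, process_ra(hlim, forged_ra, sizeof forged_ra));
    ip6_minhlim = 39;
    printf("minhlim=39:     %u -> %u\n", hlim, process_ra(hlim, forged_ra, sizeof forged_ra));
    return 0;
}
```

With accept_rtadv left at 0 the forged RA changes nothing, which is the point of the first bullet above; with it enabled and no floor the hop limit drops to 1, and with the default floor of 39 it is clamped to 39. Note that the floor only limits this one field: an RA can still install a bogus default router or prefix, which is why the commit message says the adjustment addresses only a small part of the problem.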
sys/netinet/ip6.h
sys/netinet6/icmp6.c
sys/netinet6/in6.h
sys/netinet6/in6_pcb.c
sys/netinet6/in6_proto.c
sys/netinet6/in6_src.c
sys/netinet6/ip6_var.h