From bd974032990670676c64feeaa301c19e4755d580 Mon Sep 17 00:00:00 2001
From: Alberto Leiva Popper
Date: Fri, 28 Aug 2020 10:58:55 -0500
Subject: [PATCH] siit: apply generic blacklist to dst address

So apparently, SIIT wasn't applying the generic blacklist to the destination address of incoming IPv4 packets. Strangest is that, even though this should cause untold mayhem immediately, I was somehow unable to reproduce it for the longest time.

From my reading of the history, this bug first appeared during the 2019-10-30 RFC7915 review. Before that, the generic blacklist behavior used to be

- Source address: Always enabled
- Destination address: Always enabled

RFC7915 wanted me to disable the generic blacklist for the source address for ICMP errors, but for some reason what I actually did was

- Source address: Disabled on ICMP errors
- Destination address: Disabled on ICMP errors

Then, during the 7915 graybox testing of 2020-02-14, I ran into some problem with this and nesciently reverted back to

- Source address: Always enabled
- Destination address: Always enabled

Then, during another graybox batch test on 2020-05-20, it became

- Source address: Disabled on ICMP errors
- Destination address: Always disabled

This commit changes into what I believe is the correct behavior (and which is consistent with RFC 7915):

- Source address: Disabled on ICMP errors
- Destination address: Always enabled

This commit fixes the translator-router ping of #338, and also probably the entirety of #339.
---
 src/mod/common/steps/compute_outgoing_tuple_siit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mod/common/steps/compute_outgoing_tuple_siit.c b/src/mod/common/steps/compute_outgoing_tuple_siit.c
index 37408ad72..c84e8b85b 100644
--- a/src/mod/common/steps/compute_outgoing_tuple_siit.c
+++ b/src/mod/common/steps/compute_outgoing_tuple_siit.c
@@ -112,7 +112,7 @@ verdict translate_addrs46_siit(struct xlation *state, struct in6_addr *src_out, /* Dst address. (SRC DEPENDS CON DST, SO WE NEED TO XLAT DST FIRST!) */ addr_result = addrxlat_siit46(&state->jool, hdr4->daddr, &addr6, - !disable_dst_eam(in, is_hairpin), false); + !disable_dst_eam(in, is_hairpin), true); if (addr_result.reason) log_debug(state, "%s.", addr_result.reason);
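Review bot: the last argument of the addrxlat_siit46() call for hdr4->daddr is a bare boolean literal, so nothing at the call site says that `true` is what turns the generic blacklist on for the destination address, and the commit message records this setting being changed to a wrong value three times already. Consider a short comment on that argument or a named constant in place of the literal, and add a graybox test that sends IPv4 packets (one ICMP error, one non-error) to a blacklisted destination address and checks that the blacklist is applied, so a later refactor cannot silently disable it again. The matching source-address call is not visible in this hunk, so the "Disabled on ICMP errors" behavior described for it cannot be confirmed from here. Minor: the context comment reads "SRC DEPENDS CON DST"; "CON" looks like it should be "ON".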