void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-04-16 12:06:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add ipauth handling of IPv6 NDP neighbor solicitations and advertisements. IPv6 works well now with ipauth.

Browse source
This commit is contained in:
Adam Ierymenko 2017-02-28 07:43:40 -08:00
parent 4436824faf
commit 31bece7fa0
1 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
node/Network.cpp
View file

@ -514,7 +514,22 @@ static _doZtFilterResult _doZtFilter(
if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) {
src.set((const void *)(frameData + 12),4,0);
} else if ((etherType == ZT_ETHERTYPE_IPV6)&&(frameLen >= 40)) {
src.set((const void *)(frameData + 8),16,0);
// IPv6 NDP requires special handling, since the src and dest IPs in the packet are empty or link-local.
unsigned int pos = 0,proto = 0;
if ( (frameLen >= (40 + 8 + 16)) && (frameData[6] == 0x3a) && ((frameData[40] == 0x87)||(frameData[40] == 0x88)) ) {
if (frameData[40] == 0x87) {
// Neighbor solicitations contain no reliable source address, so we implement a small
// hack by considering them authenticated. Otherwise you would pretty much have to do
// this manually in the rule set for IPv6 to work at all.
ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_IP_AUTHENTICATED;
} else {
// Neighbor advertisements on the other hand can absolutely be authenticated.
src.set((const void *)(frameData + 40 + 8),16,0);
}
} else {
// Other IPv6 packets can be handled normally
src.set((const void *)(frameData + 8),16,0);
}
} else if ((etherType == ZT_ETHERTYPE_ARP)&&(frameLen >= 28)) {
src.set((const void *)(frameData + 14),4,0);
}