map: Prevent IPv4 prefix spoofing during IPv6 -> IPv4 08/28308/1
author Jon Loeliger <jdl@netgate.com>
Tue, 28 Jan 2020 13:30:28 +0000 (07:30 -0600)
committer Andrew Yourtchenko <ayourtch@gmail.com>
Wed, 12 Aug 2020 15:59:46 +0000 (15:59 +0000)
commit b9536214058a3b736ef3e739fb070961104e8f07
tree 307ff7d50f6bc365c18a5a76b4fd742bf17becfd
parent 18b3c002bf606c0a9f85781887b73e748a46a6da
map: Prevent IPv4 prefix spoofing during IPv6 -> IPv4

Prevent malicious packets with spoofed embedded IPv4 addresses
by limiting the IPv6 ingress packets to known MAP-T domains.
Drop spoofed packets.

Add several tests that ensure spoofing isn't allowed.

Type: fix
Fixes: fc7344f9be

Change-Id: I80a5dd10d5fe7492e3a1b04de389d649a78065e2
Signed-off-by: Jon Loeliger <jdl@netgate.com>
(cherry picked from commit 65866f03d96bd41b99b1c823ea6f38cd77fac58c)
src/plugins/map/ip6_map_t.c
src/plugins/map/test/test_map_br.py [new file with mode: 0644]