upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-08 08:12:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pft_ping: improve IPv6 address comparison

Browse source 
Don't use string comparisons, use socket.inet_pton() instead. This avoids
confusion when there are different ways to spell the same IP addres.
e.g. 64:ff9b::c000:202 and 64:ff9b::192.0.2.2 are two representations of the same
address.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost 2024-10-28 14:54:50 +01:00
parent a4e64fcd68
commit 609fa228ba
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
tests/sys/netpfil/common/pft_ping.py
View file

@ -33,6 +33,7 @@ logging.getLogger("scapy").setLevel(logging.CRITICAL)
import math
import scapy.all as sp
import sys
import socket
from copy import copy
from sniffer import Sniffer
@ -227,10 +228,12 @@ def check_ipv6(expect_params, packet):
if not ip6:
LOGGER.debug('Packet is not IPv6!')
return False
if src_address and ip6.src != src_address:
if src_address and socket.inet_pton(socket.AF_INET6, ip6.src) != \
socket.inet_pton(socket.AF_INET6, src_address):
LOGGER.debug(f'Wrong IPv6 source {ip6.src}, expected {src_address}')
return False
if dst_address and ip6.dst != dst_address:
if dst_address and socket.inet_pton(socket.AF_INET6, ip6.dst) != \
socket.inet_pton(socket.AF_INET6, dst_address):
LOGGER.debug(f'Wrong IPv6 destination {ip6.dst}, expected {dst_address}')
return False
# IPv6 has no IP-level checksum.