ipv6: drop fragmented ndisc packets by default (RFC 6980)
This patch implements RFC 6980: drop fragmented NDISC packets by default. If a fragmented NDISC packet is received and discarded, a rate-limited kernel warning informs the administrator that the check can be disabled via the suppress_frag_ndisc sysctl. Cc: Fernando Gont <fernando@gont.com.ar> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
a3a975b1df
commit
b800c3b966
@ -1349,6 +1349,12 @@ mldv2_unsolicited_report_interval - INTEGER
|
|||||||
MLDv2 report retransmit will take place.
|
MLDv2 report retransmit will take place.
|
||||||
Default: 1000 (1 second)
|
Default: 1000 (1 second)
|
||||||
|
|
||||||
|
suppress_frag_ndisc - INTEGER
|
||||||
|
Control RFC 6980 (Security Implications of IPv6 Fragmentation
|
||||||
|
with IPv6 Neighbor Discovery) behavior:
|
||||||
|
1 - (default) discard fragmented neighbor discovery packets
|
||||||
|
0 - allow fragmented neighbor discovery packets
|
||||||
|
|
||||||
icmp/*:
|
icmp/*:
|
||||||
ratelimit - INTEGER
|
ratelimit - INTEGER
|
||||||
Limit the maximal rates for sending ICMPv6 packets.
|
Limit the maximal rates for sending ICMPv6 packets.
|
||||||
|
@ -50,6 +50,7 @@ struct ipv6_devconf {
|
|||||||
__s32 accept_dad;
|
__s32 accept_dad;
|
||||||
__s32 force_tllao;
|
__s32 force_tllao;
|
||||||
__s32 ndisc_notify;
|
__s32 ndisc_notify;
|
||||||
|
__s32 suppress_frag_ndisc;
|
||||||
void *sysctl;
|
void *sysctl;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -162,6 +162,7 @@ enum {
|
|||||||
DEVCONF_NDISC_NOTIFY,
|
DEVCONF_NDISC_NOTIFY,
|
||||||
DEVCONF_MLDV1_UNSOLICITED_REPORT_INTERVAL,
|
DEVCONF_MLDV1_UNSOLICITED_REPORT_INTERVAL,
|
||||||
DEVCONF_MLDV2_UNSOLICITED_REPORT_INTERVAL,
|
DEVCONF_MLDV2_UNSOLICITED_REPORT_INTERVAL,
|
||||||
|
DEVCONF_SUPPRESS_FRAG_NDISC,
|
||||||
DEVCONF_MAX
|
DEVCONF_MAX
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -204,6 +204,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
|
|||||||
.accept_source_route = 0, /* we do not accept RH0 by default. */
|
.accept_source_route = 0, /* we do not accept RH0 by default. */
|
||||||
.disable_ipv6 = 0,
|
.disable_ipv6 = 0,
|
||||||
.accept_dad = 1,
|
.accept_dad = 1,
|
||||||
|
.suppress_frag_ndisc = 1,
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
|
static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
|
||||||
@ -241,6 +242,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
|
|||||||
.accept_source_route = 0, /* we do not accept RH0 by default. */
|
.accept_source_route = 0, /* we do not accept RH0 by default. */
|
||||||
.disable_ipv6 = 0,
|
.disable_ipv6 = 0,
|
||||||
.accept_dad = 1,
|
.accept_dad = 1,
|
||||||
|
.suppress_frag_ndisc = 1,
|
||||||
};
|
};
|
||||||
|
|
||||||
/* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
|
/* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
|
||||||
@ -4188,6 +4190,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
|
|||||||
array[DEVCONF_ACCEPT_DAD] = cnf->accept_dad;
|
array[DEVCONF_ACCEPT_DAD] = cnf->accept_dad;
|
||||||
array[DEVCONF_FORCE_TLLAO] = cnf->force_tllao;
|
array[DEVCONF_FORCE_TLLAO] = cnf->force_tllao;
|
||||||
array[DEVCONF_NDISC_NOTIFY] = cnf->ndisc_notify;
|
array[DEVCONF_NDISC_NOTIFY] = cnf->ndisc_notify;
|
||||||
|
array[DEVCONF_SUPPRESS_FRAG_NDISC] = cnf->suppress_frag_ndisc;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline size_t inet6_ifla6_size(void)
|
static inline size_t inet6_ifla6_size(void)
|
||||||
@ -5001,6 +5004,13 @@ static struct addrconf_sysctl_table
|
|||||||
.mode = 0644,
|
.mode = 0644,
|
||||||
.proc_handler = proc_dointvec
|
.proc_handler = proc_dointvec
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.procname = "suppress_frag_ndisc",
|
||||||
|
.data = &ipv6_devconf.suppress_frag_ndisc,
|
||||||
|
.maxlen = sizeof(int),
|
||||||
|
.mode = 0644,
|
||||||
|
.proc_handler = proc_dointvec
|
||||||
|
},
|
||||||
{
|
{
|
||||||
/* sentinel */
|
/* sentinel */
|
||||||
}
|
}
|
||||||
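Review bot: The new "suppress_frag_ndisc" entry at the end of the sysctl table is registered with `proc_dointvec`, so it accepts any integer even though the documentation added by this commit defines only 0 and 1; since ndisc only tests the field for non-zero, a stray write of -1 or 2 silently behaves as "enabled" and an admin reading the value back cannot tell whether the knob is in a documented state. Clamping with `.proc_handler = proc_dointvec_minmax,` and `.extra1`/`.extra2` bounds of 0 and 1 would make the sysctl reject out-of-range writes; this presumes zero/one bound variables exist or are added in addrconf.c, which is outside the hunk. The default of 1 in both `ipv6_devconf` and `ipv6_devconf_dflt` is consistent with the documented secure default, so no change is needed there.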
|
@ -1519,10 +1519,27 @@ static void pndisc_redo(struct sk_buff *skb)
|
|||||||
kfree_skb(skb);
|
kfree_skb(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
struct inet6_dev *idev = __in6_dev_get(skb->dev);
|
||||||
|
|
||||||
|
if (!idev)
|
||||||
|
return true;
|
||||||
|
if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
|
||||||
|
idev->cnf.suppress_frag_ndisc) {
|
||||||
|
net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
int ndisc_rcv(struct sk_buff *skb)
|
int ndisc_rcv(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct nd_msg *msg;
|
struct nd_msg *msg;
|
||||||
|
|
||||||
|
if (ndisc_suppress_frag_ndisc(skb))
|
||||||
|
return 0;
|
||||||
|
|
||||||
if (skb_linearize(skb))
|
if (skb_linearize(skb))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
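Review bot: The drop path in ndisc_suppress_frag_ndisc logs nothing that identifies the interface the fragmented NDISC packet arrived on, and the message reads as advice to weaken the check rather than as a record of a discarded packet, which is what an operator doing triage needs. `skb->dev` is already known non-NULL at that point (it was just passed to `__in6_dev_get`), so `net_warn_ratelimited("%s: dropped fragmented ndisc packet (RFC 6980); set suppress_frag_ndisc=0 to accept them\n", skb->dev->name);` costs nothing extra. The `!idev` early return also discards silently, which is the safe default but deserves a comment such as `/* no IPv6 state for this device: nothing to deliver to, drop */`, and the condition reads more clearly as `if ((IP6CB(skb)->flags & IP6SKB_FRAGMENTED) && idev->cnf.suppress_frag_ndisc)` even though `&` already binds tighter than `&&`. Where the IP6SKB_FRAGMENTED flag is set is outside this hunk, and the body of ndisc_rcv continues past it.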
|