ipv6: add option to drop unicast encapsulated in L2 multicast (abbc3043) · Commits · 戴 / test

Documentation/networking/ip-sysctl.txt

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1674,6 +1674,12 @@ stable_secret - IPv6 address

	By default the stable secret is unset.		By default the stable secret is unset.

			drop_unicast_in_l2_multicast - BOOLEAN
			Drop any unicast IPv6 packets that are received in link-layer
			multicast (or broadcast) frames.

			By default this is turned off.

	icmp/*:		icmp/*:
	ratelimit - INTEGER		ratelimit - INTEGER
	Limit the maximal rates for sending ICMPv6 packets.		Limit the maximal rates for sending ICMPv6 packets.

+1 −0

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -174,6 +174,7 @@ enum {
	DEVCONF_USE_OIF_ADDRS_ONLY,		DEVCONF_USE_OIF_ADDRS_ONLY,
	DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,		DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
	DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,		DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
			DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
	DEVCONF_MAX		DEVCONF_MAX
	};		};

+8 −0

Original line number	Original line	Diff line number	Diff line
	@@ -4711,6 +4711,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
	array[DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN] = cnf->ignore_routes_with_linkdown;		array[DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN] = cnf->ignore_routes_with_linkdown;
	/* we omit DEVCONF_STABLE_SECRET for now */		/* we omit DEVCONF_STABLE_SECRET for now */
	array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf->use_oif_addrs_only;		array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf->use_oif_addrs_only;
			array[DEVCONF_DROP_UNICAST_IN_L2_MULTICAST] = cnf->drop_unicast_in_l2_multicast;
	}		}

	static inline size_t inet6_ifla6_size(void)		static inline size_t inet6_ifla6_size(void)
	@@ -5784,6 +5785,13 @@ static struct addrconf_sysctl_table
	.mode = 0644,		.mode = 0644,
	.proc_handler = addrconf_sysctl_ignore_routes_with_linkdown,		.proc_handler = addrconf_sysctl_ignore_routes_with_linkdown,
	},		},
			{
			.procname = "drop_unicast_in_l2_multicast",
			.data = &ipv6_devconf.drop_unicast_in_l2_multicast,
			.maxlen = sizeof(int),
			.mode = 0644,
			.proc_handler = proc_dointvec,
			},
	{		{
	/* sentinel */		/* sentinel */
	}		}

+10 −0

Original line number	Original line	Diff line number	Diff line
	@@ -134,6 +134,16 @@ int ipv6_rcv(struct sk_buff skb, struct net_device dev, struct packet_type *pt
	IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1)		IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1)
	goto err;		goto err;

			/* If enabled, drop unicast packets that were encapsulated in link-layer
			* multicast or broadcast to protected against the so-called "hole-196"
			* attack in 802.11 wireless.
			*/
			if (!ipv6_addr_is_multicast(&hdr->daddr) &&
			(skb->pkt_type == PACKET_BROADCAST \|\|
			skb->pkt_type == PACKET_MULTICAST) &&
			idev->cnf.drop_unicast_in_l2_multicast)
			goto err;

	/* RFC4291 2.7		/* RFC4291 2.7
	* Nodes must not originate a packet to a multicast address whose scope		* Nodes must not originate a packet to a multicast address whose scope
	* field contains the reserved value 0; if such a packet is received, it		* field contains the reserved value 0; if such a packet is received, it