Page MenuHomeFreeBSD
Differential D32915

Add net.inet6.ip6.source_address_validation
ClosedPublic
Actions

Authored by glebius on Nov 9 2021, 8:36 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, May 27, 7:56 PM
Unknown Object (File)
Fri, May 12, 3:34 PM
Unknown Object (File)
Thu, May 11, 6:14 AM
Unknown Object (File)
Tue, May 9, 11:55 PM
Unknown Object (File)
Tue, May 9, 1:07 AM
Unknown Object (File)
Mar 23 2023, 7:49 AM
Unknown Object (File)
Feb 17 2023, 12:18 AM
Unknown Object (File)
Feb 16 2023, 11:54 AM
View All 17 Files
Subscribers
ae
bz
imp
melifaro

Details

Reviewers
rrs
ae
donner
kp
melifaro
Group Reviewers
manpages
network
Commits
rG1817be481b87: Add net.inet6.ip6.source_address_validation
Summary

Drop packets arriving from the network that have our source IPv6
address. If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate. Enable the tunable
by default. Long time due for a modern Internet host.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

glebius created this revision.Nov 9 2021, 8:36 PM
Herald added a reviewer: manpages. · View Herald TranscriptNov 9 2021, 8:36 PM
Herald added subscribers: melifaro, bz, ae, imp. · View Herald Transcript
glebius requested review of this revision.Nov 9 2021, 8:36 PM
glebius added a parent revision: D32914: Add net.inet.ip.source_address_validation.
Harbormaster completed remote builds in B42684: Diff 98270.Nov 9 2021, 8:36 PM
glebius added a reviewer: network.Nov 9 2021, 8:37 PM
glebius added reviewers: rrs, ae.
donner accepted this revision as: donner.Nov 9 2021, 9:48 PM
This revision is now accepted and ready to land.Nov 9 2021, 9:48 PM
kp accepted this revision as: kp.Nov 10 2021, 9:50 AM
melifaro requested changes to this revision.Nov 10 2021, 9:59 AM
melifaro added inline comments.
sys/netinet6/ip6_input.c
826

How will it work with multiple fibs?

This revision now requires changes to proceed.Nov 10 2021, 9:59 AM
glebius added inline comments.Nov 11 2021, 12:12 AM
sys/netinet6/ip6_input.c
826

We chatted with Alexander on what kind of a setup could be broken by restriction that the change introduces. Here is an example that Alexander provided:

photo_2021-11-10_16-06-47.jpg (574×1 px, 61 KB)

glebius updated this revision to Diff 98339.Nov 11 2021, 12:31 AM

Use in6_localip_fib().

Harbormaster completed remote builds in B42713: Diff 98339.Nov 11 2021, 12:31 AM
melifaro accepted this revision.Nov 11 2021, 9:22 AM
This revision is now accepted and ready to land.Nov 11 2021, 9:22 AM
Closed by commit rG1817be481b87: Add net.inet6.ip6.source_address_validation (authored by glebius). · Explain WhyNov 12 2021, 5:07 PM
This revision was automatically updated to reflect the committed changes.
glebius added a commit: rG1817be481b87: Add net.inet6.ip6.source_address_validation.
melifaro mentioned this in D35117: netinet6: streamline scope6 checks for loopback traffic in ip6_output()..May 3 2022, 2:45 PM

Revision Contents
Changeset List

PathSize
share/
man/
man4/
10 lines
sys/
netinet6/
12 lines

Diff 98426

View Options

share/man/man4/inet6.4

Loading...
View Options

sys/netinet6/ip6_input.c

Loading...