Add net.inet6.ip6.source_address_validation
Closed, Public

Authored by glebius on Nov 9 2021, 8:36 PM.
Details

Summary

Drop packets arriving from the network that have our source IPv6
address. If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate. Enable the tunable
by default. Long time due for a modern Internet host.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

This revision is now accepted and ready to land. (Nov 9 2021, 9:48 PM)
melifaro added inline comments.
sys/netinet6/ip6_input.c:826

How will it work with multiple fibs?

This revision now requires changes to proceed. (Nov 10 2021, 9:59 AM)
sys/netinet6/ip6_input.c:826

We chatted with Alexander on what kind of a setup could be broken by the restriction that the change introduces. Here is an example that Alexander provided:

[Attached image: photo_2021-11-10_16-06-47.jpg]

This revision is now accepted and ready to land. (Nov 11 2021, 9:22 AM)
This revision was automatically updated to reflect the committed changes.
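
The check described in the summary, modelled in userland C as an added example; it is not the code from this revision. The address table, the function names, the loopback exemption and the per-FIB scoping of local addresses (one possible reading of the multiple-fibs question) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: our own addresses and the FIB each one lives in. */
struct local_addr { const char *text; int fib; };
static const struct local_addr local_addrs[] = {
    { "2001:db8::10",   0 },
    { "2001:db8:1::10", 1 },
};

/* Hypothetical helper: is this address one of ours in the given FIB? */
static bool is_local_in_fib(const struct in6_addr *a, int fib)
{
    for (size_t i = 0; i < sizeof(local_addrs) / sizeof(local_addrs[0]); i++) {
        struct in6_addr l;
        if (inet_pton(AF_INET6, local_addrs[i].text, &l) != 1)
            continue;
        if (local_addrs[i].fib == fib && memcmp(&l, a, sizeof(l)) == 0)
            return true;
    }
    return false;
}

/*
 * Returns true when an inbound packet should be dropped.
 * sav_enabled models net.inet6.ip6.source_address_validation.
 * Assumptions: loopback input is exempt (it did not arrive from the
 * network), and "our address" is judged within the receiving FIB only.
 */
bool sav_should_drop(int sav_enabled, const char *src, int rcv_fib,
    bool rcv_is_loopback)
{
    struct in6_addr s;
    if (inet_pton(AF_INET6, src, &s) != 1)
        return true;            /* unparseable source: drop in this model */
    if (!sav_enabled || rcv_is_loopback)
        return false;
    return is_local_in_fib(&s, rcv_fib);
}

int main(void)
{
    printf("own source from the wire, fib 0: %s\n",
        sav_should_drop(1, "2001:db8::10", 0, false) ? "drop" : "accept");
    return 0;
}
```

In this model a packet carrying one of our addresses is accepted when it arrives on an interface in a different FIB, which is the kind of multi-FIB setup the inline comments ask about.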