
Add net.inet6.ip6.source_address_validation
Closed, Public

Authored by glebius on Nov 9 2021, 8:36 PM.

Details

Summary

Drop packets arriving from the network that have our source IPv6
address. If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate. Enable the tunable
by default. Long time due for a modern Internet host.
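The check described in the summary, written out as an added, simplified model in C (not the FreeBSD ip6_input.c code itself): a packet arriving on a non-loopback interface whose source is one of the host's own IPv6 addresses fails validation and is dropped, while the same packet from loopback is exempt. The sysctl name, the local-address table and the 2001:db8::/32 sample addresses are assumptions constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

enum sav_verdict { SAV_ACCEPT = 0, SAV_DROP = 1 };

/* Hypothetical stand-in for net.inet6.ip6.source_address_validation. */
static int ip6_source_address_validation = 1;

/* Drop if the packet did not come from loopback but claims one of our
 * addresses as its source. Loopback traffic legitimately carries our
 * own address, so it is exempt. Non-IPv6 or truncated input is left
 * to the other input checks (assumption: not this function's job). */
enum sav_verdict
ip6_sav_check(const uint8_t *pkt, size_t len, int rcvif_is_loopback,
              const struct in6_addr *local, size_t nlocal)
{
    struct in6_addr src;

    if (!ip6_source_address_validation || rcvif_is_loopback)
        return SAV_ACCEPT;
    if (len < 40 || (pkt[0] >> 4) != 6)
        return SAV_ACCEPT;
    memcpy(&src, pkt + 8, sizeof src);   /* ip6_src: header bytes 8..23 */
    for (size_t i = 0; i < nlocal; i++)
        if (IN6_ARE_ADDR_EQUAL(&src, &local[i]))
            return SAV_DROP;
    return SAV_ACCEPT;
}

/* Constructed scenario: our address is 2001:db8::1; a packet with the
 * given source text arrives on an interface with the given loopback flag. */
int sav_scenario(const char *src_text, int rcvif_is_loopback)
{
    struct in6_addr ours, src;
    uint8_t pkt[40] = { 0x60 };          /* version 6, rest zeroed */

    inet_pton(AF_INET6, "2001:db8::1", &ours);
    inet_pton(AF_INET6, src_text, &src);
    memcpy(pkt + 8, &src, sizeof src);
    return ip6_sav_check(pkt, sizeof pkt, rcvif_is_loopback, &ours, 1);
}
```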

Diff Detail

Repository
rG FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

This revision is now accepted and ready to land. Nov 9 2021, 9:48 PM
melifaro added inline comments.
sys/netinet6/ip6_input.c:825

How will it work with multiple fibs?

This revision now requires changes to proceed. Nov 10 2021, 9:59 AM
sys/netinet6/ip6_input.c:825

We chatted with Alexander on what kind of a setup could be broken by restriction that the change introduces. Here is an example that Alexander provided:

This revision is now accepted and ready to land. Nov 11 2021, 9:22 AM
This revision was automatically updated to reflect the committed changes.