Add net.inet6.ip6.source_address_validation
ClosedPublic
Actions

Authored by glebius on Nov 9 2021, 8:36 PM.

Details

Reviewers

rrs
ae
donner
kp
melifaro

Group Reviewers

manpages
network

Commits

rG1817be481b87: Add net.inet6.ip6.source_address_validation

Summary

Drop packets arriving from the network that have our source IPv6
address. If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate. Enable the tunable
by default. Long time due for a modern Internet host.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

Event Timeline

glebius created this revision.Nov 9 2021, 8:36 PM

Herald added a reviewer: manpages. · View Herald TranscriptNov 9 2021, 8:36 PM

Herald added subscribers: melifaro, bz, ae, imp. · View Herald Transcript

glebius requested review of this revision.Nov 9 2021, 8:36 PM

glebius added a parent revision: D32914: Add net.inet.ip.source_address_validation.

Harbormaster completed remote builds in B42684: Diff 98270.Nov 9 2021, 8:36 PM

glebius added a reviewer: network.Nov 9 2021, 8:37 PM

glebius added reviewers: rrs, ae.

donner accepted this revision as: donner.Nov 9 2021, 9:48 PM

This revision is now accepted and ready to land.Nov 9 2021, 9:48 PM

kp accepted this revision as: kp.Nov 10 2021, 9:50 AM

melifaro requested changes to this revision.Nov 10 2021, 9:59 AM

melifaro added inline comments.

sys/netinet6/ip6_input.c
825	How will it work with multiple fibs?

This revision now requires changes to proceed.Nov 10 2021, 9:59 AM

glebius added inline comments.Nov 11 2021, 12:12 AM

sys/netinet6/ip6_input.c
825	We chatted with Alexander on what kind of a setup could be broken by restriction that the change introduces. Here is an example that Alexander provided: