
Add net.inet6.ip6.source_address_validation
ClosedPublic

Authored by glebius on Nov 9 2021, 8:36 PM.
Details

Summary

Drop packets arriving from the network that have our source IPv6
address. If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate. Enable the tunable
by default. Long time due for a modern Internet host.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 42684
Build 39572: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land. Nov 9 2021, 9:48 PM
melifaro added inline comments.
sys/netinet6/ip6_input.c:826

How will it work with multiple fibs?

This revision now requires changes to proceed. Nov 10 2021, 9:59 AM
sys/netinet6/ip6_input.c:826

We chatted with Alexander on what kind of a setup could be broken by the restriction that the change introduces. Here is an example that Alexander provided:

[Image: photo_2021-11-10_16-06-47.jpg]

This revision is now accepted and ready to land. Nov 11 2021, 9:22 AM
This revision was automatically updated to reflect the committed changes.