Add net.inet.ip.source_address_validation
Drop packets arriving from the network that have our source IP address. If maliciously crafted, they can create evil effects such as an RST exchange between two of our listening TCP ports. Such packets simply cannot be legitimate. Enable the tunable by default; this is long overdue for a modern Internet host. Reviewed by: donner, melifaro Differential revision: https://reviews.freebsd.org/D32914
This commit is contained in:
parent
9c89392f12
commit
2ce85919bb
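--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -219,6 +219,14 @@ or destination address rewriting
 .Xr pfil 4
 filters may override and bypass this check.
 Disabled by default.
+.It Va ip.source_address_validation
+Boolean: perform source address validation for packets destined for the local
+host.
+Consider this as following Section 3.2 of RFC3704/BCP84, where we treat local
+host as our own infrastructure.
+This has no effect on packets to be forwarded, so don't consider it as
+anti-spoof feature for a router.
+Enabled by default.
 .It Va ip.rfc6864
 Boolean: control IP IDs generation behaviour.
 True value enables RFC6864 support, which specifies that IP ID field of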
@ -124,6 +124,12 @@ SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es,
|
|||||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false,
|
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false,
|
||||||
"Packet's IP destination address must match address on arrival interface");
|
"Packet's IP destination address must match address on arrival interface");
|
||||||
|
|
||||||
|
VNET_DEFINE_STATIC(bool, ip_sav) = true;
|
||||||
|
#define V_ip_sav VNET(ip_sav)
|
||||||
|
SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation,
|
||||||
|
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true,
|
||||||
|
"Drop incoming packets with source address that is a local address");
|
||||||
|
|
||||||
VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */
|
VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */
|
||||||
|
|
||||||
static struct netisr_handler ip_nh = {
|
static struct netisr_handler ip_nh = {
|
||||||
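Review bot: The sysctl description `"Drop incoming packets with source address that is a local address"` is broader than the check this commit adds in ip_input, which exempts packets arriving on loopback interfaces and, judging by its placement on the locally-delivered path, does not touch forwarded packets. This string is what an operator sees from sysctl -d when deciding whether to keep the knob on, so it should describe the actual scope, e.g. `"Drop locally destined packets from non-loopback interfaces whose source address is a local address"`. The neighbouring rfc1122_strong_es description on the context lines uses the same one-line style, so the reworded string stays consistent.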
@ -683,6 +689,16 @@ ip_input(struct mbuf *m)
|
|||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* net.inet.ip.source_address_validation: drop incoming
|
||||||
|
* packets that pretend to be ours.
|
||||||
|
*/
|
||||||
|
if (V_ip_sav && !(ifp->if_flags & IFF_LOOPBACK) &&
|
||||||
|
__predict_false(in_localip_fib(ip->ip_src, ifp->if_fib))) {
|
||||||
|
IPSTAT_INC(ips_badaddr);
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
|
||||||
counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
|
counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
|
||||||
counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
|
counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
|
||||||
goto ours;
|
goto ours;
|
||||||
|
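Review bot: The drop accounts itself with `IPSTAT_INC(ips_badaddr)`, a counter that, as far as I can tell, is already incremented by the other source-address sanity checks in this function, so an operator reading netstat cannot distinguish packets spoofing a local source from ordinary bad-address drops; a dedicated ipstat counter (name to be chosen) would make the new check observable on its own, which matters for a default-on filter. The lookup `in_localip_fib(ip->ip_src, ifp->if_fib)` presumably only considers addresses local in the arrival interface's FIB, so an address that is local only in another FIB passes; if that scoping is intended it deserves a line in the comment, e.g. `* Only addresses local to the arrival interface's FIB are matched.`. The body of ip_input begins and ends outside this hunk.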