1
0
mirror of https://git.FreeBSD.org/src.git synced 2025-01-07 13:14:51 +00:00

Add net.inet.ip.source_address_validation

Drop packets arriving from the network that have our source IP
address.  If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate.  Enable the tunable
by default.  Long time due for a modern Internet host.

Reviewed by:		donner, melifaro
Differential revision:	https://reviews.freebsd.org/D32914
This commit is contained in:
Gleb Smirnoff 2021-11-12 09:00:33 -08:00
parent 9c89392f12
commit 2ce85919bb
2 changed files with 24 additions and 0 deletions

View File

@ -219,6 +219,14 @@ or destination address rewriting
.Xr pfil 4 .Xr pfil 4
filters may override and bypass this check. filters may override and bypass this check.
Disabled by default. Disabled by default.
.It Va ip.source_address_validation
Boolean: perform source address validation for packets destined for the local
host.
Consider this as following Section 3.2 of RFC3704/BCP84, where we treat local
host as our own infrastructure.
This has no effect on packets to be forwarded, so don't consider it as
anti-spoof feature for a router.
Enabled by default.
.It Va ip.rfc6864 .It Va ip.rfc6864
Boolean: control IP IDs generation behaviour. Boolean: control IP IDs generation behaviour.
True value enables RFC6864 support, which specifies that IP ID field of True value enables RFC6864 support, which specifies that IP ID field of

View File

@ -124,6 +124,12 @@ SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false,
"Packet's IP destination address must match address on arrival interface"); "Packet's IP destination address must match address on arrival interface");
VNET_DEFINE_STATIC(bool, ip_sav) = true;
#define V_ip_sav VNET(ip_sav)
SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true,
"Drop incoming packets with source address that is a local address");
VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */ VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */
static struct netisr_handler ip_nh = { static struct netisr_handler ip_nh = {
@ -683,6 +689,16 @@ ip_input(struct mbuf *m)
goto bad; goto bad;
} }
/*
* net.inet.ip.source_address_validation: drop incoming
* packets that pretend to be ours.
*/
if (V_ip_sav && !(ifp->if_flags & IFF_LOOPBACK) &&
__predict_false(in_localip_fib(ip->ip_src, ifp->if_fib))) {
IPSTAT_INC(ips_badaddr);
goto bad;
}
counter_u64_add(ia->ia_ifa.ifa_ipackets, 1); counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len); counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
goto ours; goto ours;