diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2016-02-04 13:31:20 +0100 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2017-11-18 19:27:10 +0100 |
| commit | a69a6d3b998143407295884c2dba110e3f7cceaf (patch) | |
| tree | 286005fd8b3d9948118de5aee7183700f2543e25 | |
| parent | 1212bd2498a4852c104f6cf7557f7c1ac4c2f75c (diff) | |
ipv6: add option to drop unsolicited neighbor advertisements
In certain 802.11 wireless deployments, there will be NA proxies
that use knowledge of the network to correctly answer requests.
To prevent unsolicitd advertisements on the shared medium from
being a problem, on such deployments wireless needs to drop them.
Enable this by providing an option called "drop_unsolicited_na".
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: danielhk <daniel_hk>
| -rw-r--r-- | include/linux/ipv6.h | 3 | ||||
| -rw-r--r-- | net/ipv6/addrconf.c | 8 | ||||
| -rw-r--r-- | net/ipv6/ndisc.c | 9 |
3 files changed, 19 insertions, 1 deletions
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 47854a133..14190cca9 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h @@ -49,7 +49,8 @@ struct ipv6_devconf { __s32 drop_unicast_in_l2_multicast; __s32 accept_dad; __s32 force_tllao; - __s32 ndisc_notify; + __s32 ndisc_notify; + __s32 drop_unsolicited_na; __s32 use_oif_addrs_only; void *sysctl; }; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 358218595..1e489c4ec 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4356,6 +4356,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf, array[DEVCONF_NDISC_NOTIFY] = cnf->ndisc_notify; array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf->use_oif_addrs_only; array[DEVCONF_DROP_UNICAST_IN_L2_MULTICAST] = cnf->drop_unicast_in_l2_multicast; + array[DEVCONF_DROP_UNSOLICITED_NA] = cnf->drop_unsolicited_na; } static inline size_t inet6_ifla6_size(void) @@ -5218,6 +5219,13 @@ static struct addrconf_sysctl_table .mode = 0644, .proc_handler = proc_dointvec, }, + { + .procname = "drop_unsolicited_na", + .data = &ipv6_devconf.drop_unsolicited_na, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, { /* sentinel */ } diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 4513f5935..d3690db1f 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -859,6 +859,7 @@ static void ndisc_recv_na(struct sk_buff *skb) offsetof(struct nd_msg, opt)); struct ndisc_options ndopts; struct net_device *dev = skb->dev; + struct inet6_dev *idev = __in6_dev_get(dev); struct inet6_ifaddr *ifp; struct neighbour *neigh; @@ -878,6 +879,14 @@ static void ndisc_recv_na(struct sk_buff *skb) return; } + /* For some 802.11 wireless deployments (and possibly other networks), + * there will be a NA proxy and unsolicitd packets are attacks + * and thus should not be accepted. + */ + if (!msg->icmph.icmp6_solicited && idev && + idev->cnf.drop_unsolicited_na) + return; + if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) { ND_PRINTK(2, warn, "NS: invalid ND option\n"); return; |