| -rw-r--r-- | include/linux/inetdevice.h | 1 | ||||
| -rw-r--r-- | net/ipv4/arp.c | 8 | ||||
| -rw-r--r-- | net/ipv4/devinet.c | 2 |
3 files changed, 11 insertions, 0 deletions
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index b5d64f1b4..95527f46c 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -40,6 +40,7 @@ enum
 	IPV4_DEVCONF_PROXY_ARP_PVLAN,
 	IPV4_DEVCONF_ROUTE_LOCALNET,
 	IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
+	IPV4_DEVCONF_DROP_GRATUITOUS_ARP,
 	__IPV4_DEVCONF_MAX
 };
 
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 5fe16a76d..d0ee14d6a 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -808,6 +808,14 @@ static int arp_process(struct sk_buff *skb)
 	    (!IN_DEV_ROUTE_LOCALNET(in_dev) && ipv4_is_loopback(tip)))
 		goto out;
 
+	/*
+	 * For some 802.11 wireless deployments (and possibly other networks),
+	 * there will be an ARP proxy and gratuitous ARP frames are attacks
+	 * and thus should not be accepted.
+	 */
+	if (sip == tip && IN_DEV_ORCONF(in_dev, DROP_GRATUITOUS_ARP))
+		goto out;
+
 	/*
 	 * Special case: We must set Frame Relay source Q.922 address
 	 */
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 08b0c1e42..ee3c309ef 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2109,6 +2109,8 @@ static struct devinet_sysctl_table {
 		DEVINET_SYSCTL_RW_ENTRY(ARP_ACCEPT, "arp_accept"),
 		DEVINET_SYSCTL_RW_ENTRY(ARP_NOTIFY, "arp_notify"),
 		DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP_PVLAN, "proxy_arp_pvlan"),
+		DEVINET_SYSCTL_RW_ENTRY(DROP_GRATUITOUS_ARP,
+					"drop_gratuitous_arp"),
 		DEVINET_SYSCTL_FLUSHING_ENTRY(NOXFRM, "disable_xfrm"),
 		DEVINET_SYSCTL_FLUSHING_ENTRY(NOPOLICY, "disable_policy"), |
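Review bot: The comment above the new `sip == tip` check in arp_process says gratuitous ARP frames "are attacks", which is broader than what the check does: the same sender-equals-target pattern is the ARP announcement that IP-failover setups and the kernel's own `arp_notify` path send after an address or MAC change, so a host with this option enabled keeps a stale neighbour entry for the old MAC until it expires. I would reword it to describe the policy rather than the traffic, e.g. `/* Where a trusted ARP proxy answers on this host's behalf (some 802.11 deployments), unsolicited sip == tip frames carry nothing the host needs, so optionally discard them. */`. The `goto out` discards the frame without touching any counter, so an operator cannot tell from statistics whether the option is dropping anything; a per-device drop count or a rate-limited debug message would make stale-neighbour problems diagnosable. If I read `IN_DEV_ORCONF` correctly, the setting is the OR of the `all` and per-interface values, so enabling it under `all` affects every interface. arp_process begins and ends outside the hunk.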
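Review bot: The new `drop_gratuitous_arp` sysctl entry in devinet_sysctl_table comes with no documentation change — the diffstat lists only the three code files, while the neighbouring `arp_accept`, `arp_notify` and `proxy_arp_pvlan` knobs are all described in Documentation/networking/ip-sysctl.txt. An entry there should state the default (presumably 0 and unchanged behaviour, since none of the hunks sets one), that a non-zero value discards ARP requests and replies whose sender and target IP addresses are equal, and that it is intended for networks where an ARP proxy answers on the host's behalf. The table initializer continues outside the hunk.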
