ipv6: add option to drop unsolicited neighbor advertisements
In certain 802.11 wireless deployments, there will be NA proxies that use knowledge of the network to correctly answer requests. To prevent unsolicited advertisements on the shared medium from being a problem, on such deployments wireless needs to drop them. Enable this by providing an option called "drop_unsolicited_na". Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit aec215e7aa380fe5f85eb6948766b58bf78cb6c3) Change-Id: Iad429a767a786087b0985632be44932b2e3fd1a8
parent
0dad032b69
commit
4c8c23684b
@ -1418,6 +1418,13 @@ drop_unicast_in_l2_multicast - BOOLEAN
|
|||
|
||||
By default this is turned off.
|
||||
|
||||
drop_unsolicited_na - BOOLEAN
|
||||
Drop all unsolicited neighbor advertisements, for example if there's
|
||||
a known good NA proxy on the network and such frames need not be used
|
||||
(or in the case of 802.11, must not be used to prevent attacks.)
|
||||
|
||||
By default this is turned off.
|
||||
|
||||
icmp/*:
|
||||
ratelimit - INTEGER
|
||||
Limit the maximal rates for sending ICMPv6 packets.
|
||||
|
|
|
@ -53,6 +53,7 @@ struct ipv6_devconf {
|
|||
__s32 accept_dad;
|
||||
__s32 force_tllao;
|
||||
__s32 ndisc_notify;
|
||||
__s32 drop_unsolicited_na;
|
||||
__s32 accept_ra_prefix_route;
|
||||
__s32 accept_ra_mtu;
|
||||
__s32 use_oif_addrs_only;
|
||||
|
|
|
@ -4431,6 +4431,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
|
|||
array[DEVCONF_ACCEPT_RA_MTU] = cnf->accept_ra_mtu;
|
||||
array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf->use_oif_addrs_only;
|
||||
array[DEVCONF_DROP_UNICAST_IN_L2_MULTICAST] = cnf->drop_unicast_in_l2_multicast;
|
||||
array[DEVCONF_DROP_UNSOLICITED_NA] = cnf->drop_unsolicited_na;
|
||||
}
|
||||
|
||||
static inline size_t inet6_ifla6_size(void)
|
||||
|
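Review bot: `DEVCONF_DROP_UNSOLICITED_NA` is used to index `array[]` in the new line, but the enum addition that defines it is not part of this page, and this array is the layout that ipv6_store_devconf hands to user space; as far as I can tell the constant lives in the uapi header, so it must be appended directly before `DEVCONF_MAX` rather than placed to mirror the field's position inside `struct ipv6_devconf`, otherwise existing readers of the exported array will misread every value after it. The default-configuration copy (`ipv6_devconf_dflt`) is also not shown, so the documented off-by-default behaviour appears to rely on the new field being zero-initialised — a sentence stating that in the commit message would save the next reader a lookup. ipv6_store_devconf begins outside the hunk; only its closing brace is visible here.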
@ -5265,6 +5266,13 @@ static struct addrconf_sysctl_table
|
|||
.mode = 0644,
|
||||
.proc_handler = proc_dointvec,
|
||||
},
|
||||
{
|
||||
.procname = "drop_unsolicited_na",
|
||||
.data = &ipv6_devconf.drop_unsolicited_na,
|
||||
.maxlen = sizeof(int),
|
||||
.mode = 0644,
|
||||
.proc_handler = proc_dointvec,
|
||||
},
|
||||
{
|
||||
/* sentinel */
|
||||
}
|
||||
|
|
|
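Review bot: The new entry for `"drop_unsolicited_na"` uses `proc_dointvec`, which accepts any integer, although the option is documented as BOOLEAN; the consumer tests it for non-zero so any value behaves as "on", but `.proc_handler = proc_dointvec_minmax` with `.extra1`/`.extra2` bounding the value to 0 and 1 would make the sysctl reject out-of-range input instead of silently treating it as true. This matches the neighbouring entry visible directly above, so it is a question of whether this file wants to start tightening its boolean knobs rather than a defect introduced here. The table this entry sits in begins outside the hunk.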
@ -859,6 +859,7 @@ static void ndisc_recv_na(struct sk_buff *skb)
|
|||
offsetof(struct nd_msg, opt));
|
||||
struct ndisc_options ndopts;
|
||||
struct net_device *dev = skb->dev;
|
||||
struct inet6_dev *idev = __in6_dev_get(dev);
|
||||
struct inet6_ifaddr *ifp;
|
||||
struct neighbour *neigh;
|
||||
|
||||
|
@ -878,6 +879,14 @@ static void ndisc_recv_na(struct sk_buff *skb)
|
|||
return;
|
||||
}
|
||||
|
||||
/* For some 802.11 wireless deployments (and possibly other networks),
|
||||
* there will be a NA proxy and unsolicitd packets are attacks
|
||||
* and thus should not be accepted.
|
||||
*/
|
||||
if (!msg->icmph.icmp6_solicited && idev &&
|
||||
idev->cnf.drop_unsolicited_na)
|
||||
return;
|
||||
|
||||
if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
|
||||
ND_PRINTK(2, warn, "NS: invalid ND option\n");
|
||||
return;
|
||||
|
|
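Review bot: In the second hunk, the new early return at `if (!msg->icmph.icmp6_solicited && idev && idev->cnf.drop_unsolicited_na)` discards the frame with no statistic or trace, so an operator cannot tell from the host whether the knob is actually dropping anything; a counter, or at least a rate-limited `ND_PRINTK(2, dbg, "NA: dropping unsolicited advertisement\n");` before the `return;` in the style of the existing ND_PRINTK calls in this function, would make it observable. The decision rests solely on the solicited flag as set by the sender, so this filters unsolicited advertisements only and is not a general defence against forged solicited ones; the new comment would be more accurate stating that a NA proxy answers on behalf of the network so unsolicited NAs are not expected and are dropped, rather than calling every such packet an attack. That comment also has a typo, `unsolicitd` should read `unsolicited`. ndisc_recv_na begins before the first hunk and continues past the end of this one.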