IPv6: Generic TTL Security Mechanism (final version)

This patch adds IPv6 support for RFC5082 Generalized TTL Security Mechanism. Not to users of mapped address; the IPV6 and IPV4 socket options are seperate. The server does have to deal with both IPv4 and IPv6 socket options and the client has to handle the different for each family. On client: int ttl = 255; getaddrinfo(argv[1], argv[2], &hint, &result); for (rp = result; rp != NULL; rp = rp->ai_next) { s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); if (s < 0) continue; if (rp->ai_family == AF_INET) { setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)); } else if (rp->ai_family == AF_INET6) { setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl))) } if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) { ... On server: int minttl = 255 - maxhops; getaddrinfo(NULL, port, &hints, &result); for (rp = result; rp != NULL; rp = rp->ai_next) { s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); if (s < 0) continue; if (rp->ai_family == AF_INET6) setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)); setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)); if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0) break ... Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Stephen Hemminger <shemminger@vyatta.com> 2010-04-22 18:24:53 -0400
committer: David S. Miller <davem@davemloft.net> 2010-04-22 18:24:53 -0400
commit: e802af9cabb011f09b9c19a82faef3dd315f27eb (patch)
tree: 9a8ef1163b9b40fef8860b08ea4dcb4ff3916098 /net/ipv6/tcp_ipv6.c
parent: 9ccb8975940c4ee51161152e37058e3d9e06c62f (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 1ababbb41131..6603511e3673 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -353,6 +353,11 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (sk->sk_state == TCP_CLOSE)
                goto out;
+        if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+                NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+                goto out;
+        }
        tp = tcp_sk(sk);
        seq = ntohl(th->seq);
        if (sk->sk_state != TCP_LISTEN &&
@@ -1678,6 +1683,7 @@ ipv6_pktoptions:
 static int tcp_v6_rcv(struct sk_buff *skb)
 {
        struct tcphdr *th;
+        struct ipv6hdr *hdr;
        struct sock *sk;
        int ret;
        struct net *net = dev_net(skb->dev);
@@ -1704,12 +1710,13 @@ static int tcp_v6_rcv(struct sk_buff *skb)
                goto bad_packet;
        th = tcp_hdr(skb);
+        hdr = ipv6_hdr(skb);
        TCP_SKB_CB(skb)->seq = ntohl(th->seq);
        TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
                                    skb->len - th->doff*4);
        TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
        TCP_SKB_CB(skb)->when = 0;
-        TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+        TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
        TCP_SKB_CB(skb)->sacked = 0;
        sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1720,6 +1727,11 @@ process:
        if (sk->sk_state == TCP_TIME_WAIT)
                goto do_time_wait;
+        if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+                NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+                goto discard_and_relse;
+        }
        if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
                goto discard_and_relse;
author	Stephen Hemminger <shemminger@vyatta.com>	2010-04-22 18:24:53 -0400
committer	David S. Miller <davem@davemloft.net>	2010-04-22 18:24:53 -0400
commit	e802af9cabb011f09b9c19a82faef3dd315f27eb (patch)
tree	9a8ef1163b9b40fef8860b08ea4dcb4ff3916098 /net/ipv6/tcp_ipv6.c
parent	9ccb8975940c4ee51161152e37058e3d9e06c62f (diff)