ipv6: drop fragmented ndisc packets by default (RFC 6980)

This patch implements RFC6980: Drop fragmented ndisc packets by default. If a fragmented ndisc packet is received the user is informed that it is possible to disable the check. Cc: Fernando Gont <fernando@gont.com.ar> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Hannes Frederic Sowa <hannes@stressinduktion.org> 2013-08-26 19:36:51 -0400
committer: David S. Miller <davem@davemloft.net> 2013-08-29 15:32:08 -0400
commit: b800c3b966bcf004bd8592293a49ed5cb7ea67a9 (patch)
tree: e10eef87a5dc18bc16745adde12dae6ff104240b /net/ipv6
parent: a3a975b1dfe999f3e5d38d38f2387894c4332d96 (diff)
2 files changed, 27 insertions, 0 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 2d6d1793bbfe..a7183fc9bbc2 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -204,6 +204,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
        .accept_source_route    = 0,    /* we do not accept RH0 by default. */
        .disable_ipv6           = 0,
        .accept_dad             = 1,
+        .suppress_frag_ndisc    = 1,
 };
 static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
@@ -241,6 +242,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
        .accept_source_route    = 0,    /* we do not accept RH0 by default. */
        .disable_ipv6           = 0,
        .accept_dad             = 1,
+        .suppress_frag_ndisc    = 1,
 };
 /* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
@@ -4188,6 +4190,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
        array[DEVCONF_ACCEPT_DAD] = cnf->accept_dad;
        array[DEVCONF_FORCE_TLLAO] = cnf->force_tllao;
        array[DEVCONF_NDISC_NOTIFY] = cnf->ndisc_notify;
+        array[DEVCONF_SUPPRESS_FRAG_NDISC] = cnf->suppress_frag_ndisc;
 }
 static inline size_t inet6_ifla6_size(void)
@@ -5002,6 +5005,13 @@ static struct addrconf_sysctl_table
                        .proc_handler   = proc_dointvec
                },
                {
+                        .procname       = "suppress_frag_ndisc",
+                        .data           = &ipv6_devconf.suppress_frag_ndisc,
+                        .maxlen         = sizeof(int),
+                        .mode           = 0644,
+                        .proc_handler   = proc_dointvec
+                },
+                {
                        /* sentinel */
                }
        },
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 04d31c2fbef1..41720feeaa64 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1519,10 +1519,27 @@ static void pndisc_redo(struct sk_buff *skb)
        kfree_skb(skb);
 }
+static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
+{
+        struct inet6_dev *idev = __in6_dev_get(skb->dev);
+        if (!idev)
+                return true;
+        if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
+            idev->cnf.suppress_frag_ndisc) {
+                net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
+                return true;
+        }
+        return false;
+}
 int ndisc_rcv(struct sk_buff *skb)
 {
        struct nd_msg *msg;
+        if (ndisc_suppress_frag_ndisc(skb))
+                return 0;
        if (skb_linearize(skb))
                return 0;
author	Hannes Frederic Sowa <hannes@stressinduktion.org>	2013-08-26 19:36:51 -0400
committer	David S. Miller <davem@davemloft.net>	2013-08-29 15:32:08 -0400
commit	b800c3b966bcf004bd8592293a49ed5cb7ea67a9 (patch)
tree	e10eef87a5dc18bc16745adde12dae6ff104240b /net/ipv6
parent	a3a975b1dfe999f3e5d38d38f2387894c4332d96 (diff)