| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2021-11-12 17:00:33 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2021-11-12 17:00:33 +0000 |
| commit | 2ce85919bbba9e29ee85508abb4ba0c662c2b080 (patch) | |
| tree | 57a6e98f448c3348483d78991b659222cf11802c /sys/netinet/ip_input.c | |
| parent | 9c89392f12d707db8992ff8017d397bd8b0cd69b (diff) | |
Diffstat (limited to 'sys/netinet/ip_input.c')
| -rw-r--r-- | sys/netinet/ip_input.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index a678c15caad5..9db1f8c6f2e7 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -124,6 +124,12 @@ SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es,
 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false,
 "Packet's IP destination address must match address on arrival interface");

+VNET_DEFINE_STATIC(bool, ip_sav) = true;
+#define V_ip_sav VNET(ip_sav)
+SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true,
+ "Drop incoming packets with source address that is a local address");
+
 VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */

 static struct netisr_handler ip_nh = {
@@ -683,6 +689,16 @@ passin:
 goto bad;
 }

+ /*
+ * net.inet.ip.source_address_validation: drop incoming
+ * packets that pretend to be ours.
+ */
+ if (V_ip_sav && !(ifp->if_flags & IFF_LOOPBACK) &&
+ __predict_false(in_localip_fib(ip->ip_src, ifp->if_fib))) {
+ IPSTAT_INC(ips_badaddr);
+ goto bad;
+ }
+
 counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
 counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
 goto ours; |
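Review bot: The new check sits on the local-delivery path only (after the `ia` lookup, just before `goto ours`), so a packet carrying a local source address that is destined elsewhere and forwarded is not subject to it; if that scope is intended, the comment should state it, e.g. `* Applied only to packets delivered locally; forwarded packets are not checked here.` The lookup is scoped by `ifp->if_fib`, so a local address configured in a different FIB presumably still passes, which is worth a line either in this comment or in the sysctl description added in the first hunk. The drop is accounted to `ips_badaddr`, which other bad-source cases in this file also increment, so an operator cannot distinguish this new default-on drop from those; a dedicated counter would make the behaviour observable and the default easier to justify. The `IFF_LOOPBACK` exemption is not explained; a short why-sentence in the comment would help the next reader. The enclosing `ip_input()` begins and ends outside the hunk.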
