* [PATCH net-next v2] ipv4: Add support to disable icmp timestamp
@ 2019-05-14  2:56 Weilong Chen
From: Weilong Chen @ 2019-05-14  2:56 UTC (permalink / raw)
  To: chenweilong, davem, kuznet, yoshfuji; +Cc: netdev

The remote host answers to an ICMP timestamp request.
This allows an attacker to know the time and date on your host.

This patch is another way to achieve this, in contrast to the iptables rules:
iptables -A input -p icmp --icmp-type timestamp-request -j DROP
iptables -A output -p icmp --icmp-type timestamp-reply -j DROP

Default is enabled.

enable:
	sysctl -w net.ipv4.icmp_timestamp_enable=1
disable
	sysctl -w net.ipv4.icmp_timestamp_enable=0
testing:
	hping3 --icmp --icmp-ts -V $IPADDR

Signed-off-by: Weilong Chen <chenweilong@huawei.com>
---
 include/net/ip.h           | 2 ++
 net/ipv4/icmp.c            | 5 +++++
 net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
 3 files changed, 15 insertions(+)

diff --git a/include/net/ip.h b/include/net/ip.h
index 2d3cce7..71840e4 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -718,6 +718,8 @@ bool icmp_global_allow(void);
 extern int sysctl_icmp_msgs_per_sec;
 extern int sysctl_icmp_msgs_burst;
 
+extern int sysctl_icmp_timestamp_enable;
+
 #ifdef CONFIG_PROC_FS
 int ip_misc_proc_init(void);
 #endif
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f3a5893..5010541 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
 
 int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
 int sysctl_icmp_msgs_burst __read_mostly = 50;
+int sysctl_icmp_timestamp_enable __read_mostly = 1;
 
 static struct {
 	spinlock_t	lock;
@@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
 static bool icmp_timestamp(struct sk_buff *skb)
 {
 	struct icmp_bxm icmp_param;
+
+	if (!sysctl_icmp_timestamp_enable)
+		goto out_err;
+
 	/*
 	 *	Too short.
 	 */
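Review bot: The new `goto out_err` at the top of icmp_timestamp() sends an administratively disabled request down the malformed-packet path; the `out_err` label is outside this hunk (the rest of the function is too), but in upstream icmp.c it bumps ICMP_MIB_INERRORS before returning false, so with the knob off every well-formed timestamp request would inflate the InErrors counter and look like input corruption to anyone monitoring it. Ignored echo requests in icmp_echo() are, as far as I recall, dropped without touching the error statistics, and this handler should do the same: `if (!sysctl_icmp_timestamp_enable) return true; /* disabled by policy: drop quietly, not an input error */`. The flag is also read as a plain global, whereas the echo equivalent is per-namespace (`net->ipv4.sysctl_icmp_echo_ignore_all`, with `net` taken from `dev_net(skb_dst(skb)->dev)`), so containers could not set this one independently; a per-netns knob would be the consistent choice. The identical hunk in the 2019-05-13 posting of this patch further down the thread has the same issues.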
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 875867b..1fe467e 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
 		.extra1		= &zero,
 	},
 	{
+		.procname	= "icmp_timestamp_enable",
+		.data		= &sysctl_icmp_timestamp_enable,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= &zero,
+	},
+	{
 		.procname	= "udp_mem",
 		.data		= &sysctl_udp_mem,
 		.maxlen		= sizeof(sysctl_udp_mem),
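Review bot: The new table entry bounds the value only from below (`.extra1 = &zero` with no `.extra2`), so `proc_dointvec_minmax` accepts any non-negative integer for what the description presents as an on/off switch; the boolean knobs elsewhere in this file clamp to 0..1, so add `.extra2 = &one,` (or whatever one-helper this file uses) after the `.extra1` line. The entry also goes into the global `ipv4_table` rather than the per-namespace ICMP table, which matches the global variable but not the other icmp_* policy knobs. No entry is added to Documentation/networking/ip-sysctl.txt for `icmp_timestamp_enable`, and the description says "Default is enabled" but not what a disabled host does with a request; a short entry there stating the default and that disabled requests are dropped would be expected with any new sysctl. The copy of this hunk in the 2019-05-13 posting below has the same gaps.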
-- 
2.7.4



* Re: [PATCH net-next v2] ipv4: Add support to disable icmp timestamp
From: Michal Kubecek @ 2019-05-14  6:38 UTC (permalink / raw)
  To: netdev; +Cc: Weilong Chen, davem, kuznet, yoshfuji

On Tue, May 14, 2019 at 10:56:54AM +0800, Weilong Chen wrote:
> The remote host answers to an ICMP timestamp request.
> This allows an attacker to know the time and date on your host.
> 
> This path is an another way contrast to iptables rules:
> iptables -A input -p icmp --icmp-type timestamp-request -j DROP
> iptables -A output -p icmp --icmp-type timestamp-reply -j DROP
> 
> Default is enabled.
> 
> enable:
> 	sysctl -w net.ipv4.icmp_timestamp_enable=1
> disable
> 	sysctl -w net.ipv4.icmp_timestamp_enable=0
> testing:
> 	hping3 --icmp --icmp-ts -V $IPADDR
> 
> Signed-off-by: Weilong Chen <chenweilong@huawei.com>
> ---

I'm not sure what you are trying to do but this looks like a process
violation:

  - it's exactly the same as the patch rejected yesterday
  - it's marked as "v2" again
  - net-next is closed until the end of merge window anyway

Michal Kubecek

>  include/net/ip.h           | 2 ++
>  net/ipv4/icmp.c            | 5 +++++
>  net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/include/net/ip.h b/include/net/ip.h
> index 2d3cce7..71840e4 100644
> --- a/include/net/ip.h
> +++ b/include/net/ip.h
> @@ -718,6 +718,8 @@ bool icmp_global_allow(void);
>  extern int sysctl_icmp_msgs_per_sec;
>  extern int sysctl_icmp_msgs_burst;
>  
> +extern int sysctl_icmp_timestamp_enable;
> +
>  #ifdef CONFIG_PROC_FS
>  int ip_misc_proc_init(void);
>  #endif
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index f3a5893..5010541 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
>  
>  int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
>  int sysctl_icmp_msgs_burst __read_mostly = 50;
> +int sysctl_icmp_timestamp_enable __read_mostly = 1;
>  
>  static struct {
>  	spinlock_t	lock;
> @@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
>  static bool icmp_timestamp(struct sk_buff *skb)
>  {
>  	struct icmp_bxm icmp_param;
> +
> +	if (!sysctl_icmp_timestamp_enable)
> +		goto out_err;
> +
>  	/*
>  	 *	Too short.
>  	 */
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 875867b..1fe467e 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
>  		.extra1		= &zero,
>  	},
>  	{
> +		.procname	= "icmp_timestamp_enable",
> +		.data		= &sysctl_icmp_timestamp_enable,
> +		.maxlen		= sizeof(int),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dointvec_minmax,
> +		.extra1		= &zero,
> +	},
> +	{
>  		.procname	= "udp_mem",
>  		.data		= &sysctl_udp_mem,
>  		.maxlen		= sizeof(sysctl_udp_mem),
> -- 
> 2.7.4
> 


* Re: [PATCH net-next v2] ipv4: Add support to disable icmp timestamp
From: David Miller @ 2019-05-13 16:16 UTC (permalink / raw)
  To: chenweilong; +Cc: kuznet, yoshfuji, netdev

From: Weilong Chen <chenweilong@huawei.com>
Date: Mon, 13 May 2019 21:28:57 +0800

> The remote host answers to an ICMP timestamp request.
> This allows an attacker to know the time and date on your host.
> 
> This path is an another way contrast to iptables rules:
> iptables -A input -p icmp --icmp-type timestamp-request -j DROP
> iptables -A output -p icmp --icmp-type timestamp-reply -j DROP
> 
> Default is enabled.
> 
> enable:
> 	sysctl -w net.ipv4.icmp_timestamp_enable=1
> disable
> 	sysctl -w net.ipv4.icmp_timestamp_enable=0
> testing:
> 	hping3 --icmp --icmp-ts -V $IPADDR
> 
> Signed-off-by: Weilong Chen <chenweilong@huawei.com>

Premise is wrong, understanding of what ICMP timestamp value actually
is is inaccurate, and the solution is wrong.

No way I am applying this, sorry.


* Re: [PATCH net-next v2] ipv4: Add support to disable icmp timestamp
From: Florian Westphal @ 2019-05-13 14:07 UTC (permalink / raw)
  To: Weilong Chen; +Cc: davem, kuznet, yoshfuji, netdev

Weilong Chen <chenweilong@huawei.com> wrote:
> The remote host answers to an ICMP timestamp request.
> This allows an attacker to know the time and date on your host.

No, it does not, I already told you so in V1 :-/

If you really think that its a problem that one can discover
milliseconds-since-midnight please just change inet_current_timestamp()
to add a random offset instead of adding yet another sysctl.


* [PATCH net-next v2] ipv4: Add support to disable icmp timestamp
@ 2019-05-13 13:28 Weilong Chen
From: Weilong Chen @ 2019-05-13 13:28 UTC (permalink / raw)
  To: chenweilong, davem, kuznet, yoshfuji; +Cc: netdev

The remote host answers to an ICMP timestamp request.
This allows an attacker to know the time and date on your host.

This patch is another way to achieve this, in contrast to the iptables rules:
iptables -A input -p icmp --icmp-type timestamp-request -j DROP
iptables -A output -p icmp --icmp-type timestamp-reply -j DROP

Default is enabled.

enable:
	sysctl -w net.ipv4.icmp_timestamp_enable=1
disable
	sysctl -w net.ipv4.icmp_timestamp_enable=0
testing:
	hping3 --icmp --icmp-ts -V $IPADDR

Signed-off-by: Weilong Chen <chenweilong@huawei.com>
---
 include/net/ip.h           | 2 ++
 net/ipv4/icmp.c            | 5 +++++
 net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
 3 files changed, 15 insertions(+)

diff --git a/include/net/ip.h b/include/net/ip.h
index 2d3cce7..71840e4 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -718,6 +718,8 @@ bool icmp_global_allow(void);
 extern int sysctl_icmp_msgs_per_sec;
 extern int sysctl_icmp_msgs_burst;
 
+extern int sysctl_icmp_timestamp_enable;
+
 #ifdef CONFIG_PROC_FS
 int ip_misc_proc_init(void);
 #endif
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f3a5893..5010541 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
 
 int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
 int sysctl_icmp_msgs_burst __read_mostly = 50;
+int sysctl_icmp_timestamp_enable __read_mostly = 1;
 
 static struct {
 	spinlock_t	lock;
@@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
 static bool icmp_timestamp(struct sk_buff *skb)
 {
 	struct icmp_bxm icmp_param;
+
+	if (!sysctl_icmp_timestamp_enable)
+		goto out_err;
+
 	/*
 	 *	Too short.
 	 */
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 875867b..1fe467e 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
 		.extra1		= &zero,
 	},
 	{
+		.procname	= "icmp_timestamp_enable",
+		.data		= &sysctl_icmp_timestamp_enable,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= &zero,
+	},
+	{
 		.procname	= "udp_mem",
 		.data		= &sysctl_udp_mem,
 		.maxlen		= sizeof(sysctl_udp_mem),
-- 
2.7.4


