* [PATCH 0/3] GTSM support for IPv6 three alternatives
@ 2010-04-03 23:21 Stephen Hemminger
2010-04-03 23:21 ` [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version) Stephen Hemminger
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Stephen Hemminger @ 2010-04-03 23:21 UTC (permalink / raw)
To: davem, Pekka Savola, YOSHIFUJI Hideaki, Nick Hilliard; +Cc: netdev
I have tested three alternative versions of this patch and can't
reach a diffinitive conclusion. I favor the unified version (simplest API),
but need more opinions. It would not be good if Linux implements
one option and BSD choose the other! That is why the original
BSD developer and the quagga patch author are receiving this.
In case it is not obvious, only one of these choices should be
applied!
--
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)
2010-04-03 23:21 [PATCH 0/3] GTSM support for IPv6 three alternatives Stephen Hemminger
@ 2010-04-03 23:21 ` Stephen Hemminger
2010-04-05 4:48 ` YOSHIFUJI Hideaki
2010-04-22 16:23 ` Stephen Hemminger
2010-04-03 23:21 ` [PATCH 2/3] IPv6: Generic TTL Security Mechanism (alternate version) Stephen Hemminger
2010-04-03 23:21 ` [PATCH 3/3] IPv6: Generic TTL Security Mechanism (unified version) Stephen Hemminger
2 siblings, 2 replies; 10+ messages in thread
From: Stephen Hemminger @ 2010-04-03 23:21 UTC (permalink / raw)
To: davem, Pekka Savola, YOSHIFUJI Hideaki, Nick Hilliard; +Cc: netdev
[-- Attachment #1: gtsm-ipv6-ipv4-1.diff --]
[-- Type: text/plain, Size: 4384 bytes --]
This patch adds IPv6 support for RFC5082 Generalized TTL
Security Mechanism.
The original proposed code; the IPV6 and IPV4 socket options are seperate.
With this method, the server does have to deal with both IPv4 and IPv6
socket options and the client has to handle the different for each
family.
On client:
int ttl = 255;
getaddrinfo(argv[1], argv[2], &hint, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET) {
setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
} else if (rp->ai_family == AF_INET6) {
setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
&ttl, sizeof(ttl)))
}
if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
...
On server:
int minttl = 255 - maxhops;
getaddrinfo(NULL, port, &hints, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET6)
setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT,
&minttl, sizeof(minttl));
setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
break
..
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
---
include/linux/in6.h | 3 +++
include/linux/ipv6.h | 1 +
net/ipv6/ipv6_sockglue.c | 12 ++++++++++++
net/ipv6/tcp_ipv6.c | 14 +++++++++++++-
4 files changed, 29 insertions(+), 1 deletion(-)
--- a/net/ipv6/tcp_ipv6.c 2010-04-03 16:04:01.159412921 -0700
+++ b/net/ipv6/tcp_ipv6.c 2010-04-03 16:05:15.749413056 -0700
@@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s
if (sk->sk_state == TCP_CLOSE)
goto out;
+ if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto out;
+ }
+
tp = tcp_sk(sk);
seq = ntohl(th->seq);
if (sk->sk_state != TCP_LISTEN &&
@@ -1675,6 +1680,7 @@ ipv6_pktoptions:
static int tcp_v6_rcv(struct sk_buff *skb)
{
struct tcphdr *th;
+ struct ipv6hdr *hdr;
struct sock *sk;
int ret;
struct net *net = dev_net(skb->dev);
@@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk
goto bad_packet;
th = tcp_hdr(skb);
+ hdr = ipv6_hdr(skb);
TCP_SKB_CB(skb)->seq = ntohl(th->seq);
TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
skb->len - th->doff*4);
TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
TCP_SKB_CB(skb)->when = 0;
- TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+ TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
TCP_SKB_CB(skb)->sacked = 0;
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1717,6 +1724,11 @@ process:
if (sk->sk_state == TCP_TIME_WAIT)
goto do_time_wait;
+ if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto discard_and_relse;
+ }
+
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
--- a/include/linux/in6.h 2010-04-02 21:16:07.461701802 -0700
+++ b/include/linux/in6.h 2010-04-03 16:05:15.749413056 -0700
@@ -265,6 +265,9 @@ struct in6_flowlabel_req {
#define IPV6_PREFER_SRC_CGA 0x0008
#define IPV6_PREFER_SRC_NONCGA 0x0800
+/* RFC5082: Generalized Ttl Security Mechanism */
+#define IPV6_MINHOPCOUNT 73
+
/*
* Multicast Routing:
* see include/linux/mroute6.h.
--- a/include/linux/ipv6.h 2010-04-02 21:16:04.122638936 -0700
+++ b/include/linux/ipv6.h 2010-04-03 16:05:15.769412669 -0700
@@ -348,6 +348,7 @@ struct ipv6_pinfo {
* 010: prefer public address
* 100: prefer care-of address
*/
+ __u8 min_hopcount;
__u8 tclass;
__u32 dst_cookie;
--- a/net/ipv6/ipv6_sockglue.c 2010-04-02 21:15:26.071389733 -0700
+++ b/net/ipv6/ipv6_sockglue.c 2010-04-03 16:05:15.789412706 -0700
@@ -766,6 +766,14 @@ pref_skip_coa:
break;
}
+ case IPV6_MINHOPCOUNT:
+ if (optlen < sizeof(int))
+ goto e_inval;
+ if (val < 0 || val > 255)
+ goto e_inval;
+ np->min_hopcount = val;
+ retv = 0;
+ break;
}
release_sock(sk);
@@ -1114,6 +1122,10 @@ static int do_ipv6_getsockopt(struct soc
val |= IPV6_PREFER_SRC_HOME;
break;
+ case IPV6_MINHOPCOUNT:
+ val = np->min_hopcount;
+ break;
+
default:
return -ENOPROTOOPT;
}
--
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 2/3] IPv6: Generic TTL Security Mechanism (alternate version)
2010-04-03 23:21 [PATCH 0/3] GTSM support for IPv6 three alternatives Stephen Hemminger
2010-04-03 23:21 ` [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version) Stephen Hemminger
@ 2010-04-03 23:21 ` Stephen Hemminger
2010-04-03 23:21 ` [PATCH 3/3] IPv6: Generic TTL Security Mechanism (unified version) Stephen Hemminger
2 siblings, 0 replies; 10+ messages in thread
From: Stephen Hemminger @ 2010-04-03 23:21 UTC (permalink / raw)
To: davem, Pekka Savola, YOSHIFUJI Hideaki, Nick Hilliard; +Cc: netdev
[-- Attachment #1: gtsm-ipv6-ipv4-1a.diff --]
[-- Type: text/plain, Size: 4615 bytes --]
This patch adds IPv6 support for RFC5082 Generalized TTL
Security Mechanism.
Very similar to original proposed code; the IPV6 and IPV4
socket options are seperate, but the setting the IPV6 min hopcount
also sets IPV4 min ttl. This makes for less possible errors by the
programmer when using IPV4 mapped addresses.
With this method, the server does have to deal with both IPv4 and IPv6
socket options and the client has to handle the different for each
family.
On client:
int ttl = 255;
getaddrinfo(argv[1], argv[2], &hint, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET) {
setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
} else if (rp->ai_family == AF_INET6) {
setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
&ttl, sizeof(ttl)))
}
if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
...
On server:
int minttl = 255 - maxhops;
getaddrinfo(NULL, port, &hints, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET6)
setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT,
&minttl, sizeof(minttl));
else
setsockopt(s, IPPROTO_IP, IP_MINTTL,
&minttl, sizeof(minttl));
if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
break
..
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
---
include/linux/in6.h | 3 +++
include/linux/ipv6.h | 1 +
net/ipv6/ipv6_sockglue.c | 13 +++++++++++++
net/ipv6/tcp_ipv6.c | 14 +++++++++++++-
4 files changed, 30 insertions(+), 1 deletion(-)
--- a/net/ipv6/tcp_ipv6.c 2010-04-03 16:13:50.450038495 -0700
+++ b/net/ipv6/tcp_ipv6.c 2010-04-03 16:14:58.579101059 -0700
@@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s
if (sk->sk_state == TCP_CLOSE)
goto out;
+ if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto out;
+ }
+
tp = tcp_sk(sk);
seq = ntohl(th->seq);
if (sk->sk_state != TCP_LISTEN &&
@@ -1675,6 +1680,7 @@ ipv6_pktoptions:
static int tcp_v6_rcv(struct sk_buff *skb)
{
struct tcphdr *th;
+ struct ipv6hdr *hdr;
struct sock *sk;
int ret;
struct net *net = dev_net(skb->dev);
@@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk
goto bad_packet;
th = tcp_hdr(skb);
+ hdr = ipv6_hdr(skb);
TCP_SKB_CB(skb)->seq = ntohl(th->seq);
TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
skb->len - th->doff*4);
TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
TCP_SKB_CB(skb)->when = 0;
- TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+ TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
TCP_SKB_CB(skb)->sacked = 0;
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1717,6 +1724,11 @@ process:
if (sk->sk_state == TCP_TIME_WAIT)
goto do_time_wait;
+ if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto discard_and_relse;
+ }
+
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
--- a/include/linux/in6.h 2010-04-03 16:13:50.460038505 -0700
+++ b/include/linux/in6.h 2010-04-03 16:14:58.579101059 -0700
@@ -265,6 +265,9 @@ struct in6_flowlabel_req {
#define IPV6_PREFER_SRC_CGA 0x0008
#define IPV6_PREFER_SRC_NONCGA 0x0800
+/* RFC5082: Generalized Ttl Security Mechanism */
+#define IPV6_MINHOPCOUNT 73
+
/*
* Multicast Routing:
* see include/linux/mroute6.h.
--- a/include/linux/ipv6.h 2010-04-03 16:13:50.470038394 -0700
+++ b/include/linux/ipv6.h 2010-04-03 16:14:58.579101059 -0700
@@ -348,6 +348,7 @@ struct ipv6_pinfo {
* 010: prefer public address
* 100: prefer care-of address
*/
+ __u8 min_hopcount;
__u8 tclass;
__u32 dst_cookie;
--- a/net/ipv6/ipv6_sockglue.c 2010-04-03 16:13:50.440037810 -0700
+++ b/net/ipv6/ipv6_sockglue.c 2010-04-03 16:16:45.973137844 -0700
@@ -766,6 +766,15 @@ pref_skip_coa:
break;
}
+ case IPV6_MINHOPCOUNT:
+ if (optlen < sizeof(int))
+ goto e_inval;
+ if (val < 0 || val > 255)
+ goto e_inval;
+ np->min_hopcount = val;
+ inet_sk(sk)->min_ttl = val;
+ retv = 0;
+ break;
}
release_sock(sk);
@@ -1114,6 +1123,10 @@ static int do_ipv6_getsockopt(struct soc
val |= IPV6_PREFER_SRC_HOME;
break;
+ case IPV6_MINHOPCOUNT:
+ val = np->min_hopcount;
+ break;
+
default:
return -ENOPROTOOPT;
}
--
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 3/3] IPv6: Generic TTL Security Mechanism (unified version)
2010-04-03 23:21 [PATCH 0/3] GTSM support for IPv6 three alternatives Stephen Hemminger
2010-04-03 23:21 ` [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version) Stephen Hemminger
2010-04-03 23:21 ` [PATCH 2/3] IPv6: Generic TTL Security Mechanism (alternate version) Stephen Hemminger
@ 2010-04-03 23:21 ` Stephen Hemminger
2 siblings, 0 replies; 10+ messages in thread
From: Stephen Hemminger @ 2010-04-03 23:21 UTC (permalink / raw)
To: davem, Pekka Savola, YOSHIFUJI Hideaki, Nick Hilliard; +Cc: netdev
[-- Attachment #1: gtsm-ipv6.diff --]
[-- Type: text/plain, Size: 3126 bytes --]
This patch is one alternative IPv6 support for RFC5082 Generalized TTL
Security Mechanism.
This version takes a simplest (but least pure) approach.
It uses the same socket option for IPv6 as IPv4 because
the TCP code has to deal with mapped addresses already.
With this method, the server doesn't have to deal with both IPv4 and IPv6
socket options. But the client still does have to handle the different
options.
On client:
int ttl = 255;
getaddrinfo(argv[1], argv[2], &hint, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET) {
setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
} else if (rp->ai_family == AF_INET6) {
setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
&ttl, sizeof(ttl)))
}
if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
...
On server:
unsigned char minttl = 255 - maxhops;
getaddrinfo(NULL, port, &hints, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
break
..
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
---
net/ipv4/tcp_ipv4.c | 15 +++++++++++----
net/ipv6/tcp_ipv6.c | 10 ++++++++++
2 files changed, 21 insertions(+), 4 deletions(-)
--- a/net/ipv6/tcp_ipv6.c 2010-04-02 21:19:39.692013672 -0700
+++ b/net/ipv6/tcp_ipv6.c 2010-04-03 15:55:43.778224848 -0700
@@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s
if (sk->sk_state == TCP_CLOSE)
goto out;
+ if (ipv6_hdr(skb)->hop_limit < inet_sk(sk)->min_ttl) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto out;
+ }
+
tp = tcp_sk(sk);
seq = ntohl(th->seq);
if (sk->sk_state != TCP_LISTEN &&
@@ -1717,6 +1722,11 @@ process:
if (sk->sk_state == TCP_TIME_WAIT)
goto do_time_wait;
+ if (ipv6_hdr(skb)->hop_limit < inet_sk(sk)->min_ttl) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto discard_and_relse;
+ }
+
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
--- a/net/ipv4/tcp_ipv4.c 2010-04-02 21:19:39.682014278 -0700
+++ b/net/ipv4/tcp_ipv4.c 2010-04-02 21:20:25.571077252 -0700
@@ -1660,10 +1660,14 @@ process:
if (sk->sk_state == TCP_TIME_WAIT)
goto do_time_wait;
- if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
- NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
- goto discard_and_relse;
- }
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+ if (ipv6_hdr(skb)->hop_limit < inet_sk(sk)->min_ttl)
+ goto min_ttl_discard;
+ } else
+#endif
+ if (iph->ttl < inet_sk(sk)->min_ttl)
+ goto min_ttl_discard;
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
@@ -1716,6 +1720,9 @@ discard_it:
kfree_skb(skb);
return 0;
+min_ttl_discard:
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+
discard_and_relse:
sock_put(sk);
goto discard_it;
--
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)
2010-04-03 23:21 ` [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version) Stephen Hemminger
@ 2010-04-05 4:48 ` YOSHIFUJI Hideaki
2010-04-05 19:06 ` Nick Hilliard
2010-04-22 16:23 ` Stephen Hemminger
1 sibling, 1 reply; 10+ messages in thread
From: YOSHIFUJI Hideaki @ 2010-04-05 4:48 UTC (permalink / raw)
To: Stephen Hemminger
Cc: davem, Pekka Savola, Nick Hilliard, netdev, YOSHIFUJI Hideaki
Hi,
(2010/04/04 8:21), Stephen Hemminger wrote:
> The original proposed code; the IPV6 and IPV4 socket options are seperate.
> With this method, the server does have to deal with both IPv4 and IPv6
> socket options and the client has to handle the different for each
> family.
I am for 1/3 (original), not for 2/3, 3/3.
Because we should allow users to set respective value
for IPv4 and IPv6, as we allow users to do so for TTL
and hoplimit itself.
--yoshfuji
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)
2010-04-05 4:48 ` YOSHIFUJI Hideaki
@ 2010-04-05 19:06 ` Nick Hilliard
0 siblings, 0 replies; 10+ messages in thread
From: Nick Hilliard @ 2010-04-05 19:06 UTC (permalink / raw)
To: YOSHIFUJI Hideaki; +Cc: Stephen Hemminger, davem, Pekka Savola, netdev
On 05/04/2010 05:48, YOSHIFUJI Hideaki wrote:
> I am for 1/3 (original), not for 2/3, 3/3.
>
> Because we should allow users to set respective value
> for IPv4 and IPv6, as we allow users to do so for TTL
> and hoplimit itself.
<non-linux-user>
I concur. ipv4 mapped addresses need special handling in lots of cases,
and I don't believe that patch 2/3 adds anything here - except possibly
confusion.
Regarding case 3/3, ipv4 and ipv6 are separate protocols. Treating them
as the same from the setsockopt() point of view is a clear case of the
Wrong Thing.
</non-linux-user>
Case 1/3 is IMO a better approach. It satisfies both KISS (keep it
simple...) and POLA (principle of least astonishment).
Nick
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)
2010-04-03 23:21 ` [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version) Stephen Hemminger
2010-04-05 4:48 ` YOSHIFUJI Hideaki
@ 2010-04-22 16:23 ` Stephen Hemminger
2010-04-22 21:38 ` David Miller
1 sibling, 1 reply; 10+ messages in thread
From: Stephen Hemminger @ 2010-04-22 16:23 UTC (permalink / raw)
To: davem; +Cc: Pekka Savola, YOSHIFUJI Hideaki, Nick Hilliard, netdev
On Sat, 03 Apr 2010 16:21:04 -0700
Stephen Hemminger <shemminger@vyatta.com> wrote:
> This patch adds IPv6 support for RFC5082 Generalized TTL
> Security Mechanism.
>
> The original proposed code; the IPV6 and IPV4 socket options are seperate.
> With this method, the server does have to deal with both IPv4 and IPv6
> socket options and the client has to handle the different for each
> family.
>
> On client:
> int ttl = 255;
> getaddrinfo(argv[1], argv[2], &hint, &result);
>
> for (rp = result; rp != NULL; rp = rp->ai_next) {
> s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
> if (s < 0) continue;
>
> if (rp->ai_family == AF_INET) {
> setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
> } else if (rp->ai_family == AF_INET6) {
> setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
> &ttl, sizeof(ttl)))
> }
>
> if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
> ...
>
> On server:
> int minttl = 255 - maxhops;
>
> getaddrinfo(NULL, port, &hints, &result);
> for (rp = result; rp != NULL; rp = rp->ai_next) {
> s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
> if (s < 0) continue;
>
> if (rp->ai_family == AF_INET6)
> setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT,
> &minttl, sizeof(minttl));
> setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
>
> if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
> break
> ..
>
>
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Dave: Yoshifuji and I agree this is the best solution, how come the patch
hasn't been applied?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)
2010-04-22 16:23 ` Stephen Hemminger
@ 2010-04-22 21:38 ` David Miller
2010-04-22 22:18 ` [PATCH] IPv6: Generic TTL Security Mechanism (final version) Stephen Hemminger
0 siblings, 1 reply; 10+ messages in thread
From: David Miller @ 2010-04-22 21:38 UTC (permalink / raw)
To: shemminger; +Cc: pekkas, yoshfuji, nick, netdev
From: Stephen Hemminger <shemminger@vyatta.com>
Date: Thu, 22 Apr 2010 09:23:05 -0700
> Dave: Yoshifuji and I agree this is the best solution, how come the patch
> hasn't been applied?
You supplied 3 different implementations, that puts all of them
into "RFC" state in patchwork.
When you figure out which one is best you make a new explicit
submission of the implementation you think should actually
go into the tree.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] IPv6: Generic TTL Security Mechanism (final version)
2010-04-22 21:38 ` David Miller
@ 2010-04-22 22:18 ` Stephen Hemminger
2010-04-22 22:27 ` David Miller
0 siblings, 1 reply; 10+ messages in thread
From: Stephen Hemminger @ 2010-04-22 22:18 UTC (permalink / raw)
To: David Miller; +Cc: pekkas, yoshfuji, nick, netdev
This patch adds IPv6 support for RFC5082 Generalized TTL Security Mechanism.
Not to users of mapped address; the IPV6 and IPV4 socket options are seperate.
The server does have to deal with both IPv4 and IPv6 socket options
and the client has to handle the different for each family.
On client:
int ttl = 255;
getaddrinfo(argv[1], argv[2], &hint, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET) {
setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
} else if (rp->ai_family == AF_INET6) {
setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
&ttl, sizeof(ttl)))
}
if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
...
On server:
int minttl = 255 - maxhops;
getaddrinfo(NULL, port, &hints, &result);
for (rp = result; rp != NULL; rp = rp->ai_next) {
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s < 0) continue;
if (rp->ai_family == AF_INET6)
setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT,
&minttl, sizeof(minttl));
setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
break
...
Same as v1 (except commit message)
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
---
include/linux/in6.h | 3 +++
include/linux/ipv6.h | 1 +
net/ipv6/ipv6_sockglue.c | 12 ++++++++++++
net/ipv6/tcp_ipv6.c | 14 +++++++++++++-
4 files changed, 29 insertions(+), 1 deletion(-)
--- a/net/ipv6/tcp_ipv6.c 2010-04-22 09:32:39.845447496 -0700
+++ b/net/ipv6/tcp_ipv6.c 2010-04-22 09:32:47.395758592 -0700
@@ -353,6 +353,11 @@ static void tcp_v6_err(struct sk_buff *s
if (sk->sk_state == TCP_CLOSE)
goto out;
+ if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto out;
+ }
+
tp = tcp_sk(sk);
seq = ntohl(th->seq);
if (sk->sk_state != TCP_LISTEN &&
@@ -1675,6 +1680,7 @@ ipv6_pktoptions:
static int tcp_v6_rcv(struct sk_buff *skb)
{
struct tcphdr *th;
+ struct ipv6hdr *hdr;
struct sock *sk;
int ret;
struct net *net = dev_net(skb->dev);
@@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk
goto bad_packet;
th = tcp_hdr(skb);
+ hdr = ipv6_hdr(skb);
TCP_SKB_CB(skb)->seq = ntohl(th->seq);
TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
skb->len - th->doff*4);
TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
TCP_SKB_CB(skb)->when = 0;
- TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+ TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
TCP_SKB_CB(skb)->sacked = 0;
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1717,6 +1724,11 @@ process:
if (sk->sk_state == TCP_TIME_WAIT)
goto do_time_wait;
+ if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto discard_and_relse;
+ }
+
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
--- a/include/linux/in6.h 2010-04-22 09:32:39.855445952 -0700
+++ b/include/linux/in6.h 2010-04-22 09:32:47.395758592 -0700
@@ -265,6 +265,9 @@ struct in6_flowlabel_req {
#define IPV6_PREFER_SRC_CGA 0x0008
#define IPV6_PREFER_SRC_NONCGA 0x0800
+/* RFC5082: Generalized Ttl Security Mechanism */
+#define IPV6_MINHOPCOUNT 73
+
/*
* Multicast Routing:
* see include/linux/mroute6.h.
--- a/include/linux/ipv6.h 2010-04-22 09:32:39.865447950 -0700
+++ b/include/linux/ipv6.h 2010-04-22 09:32:47.395758592 -0700
@@ -348,6 +348,7 @@ struct ipv6_pinfo {
* 010: prefer public address
* 100: prefer care-of address
*/
+ __u8 min_hopcount;
__u8 tclass;
__u32 dst_cookie;
--- a/net/ipv6/ipv6_sockglue.c 2010-04-22 09:32:39.835445583 -0700
+++ b/net/ipv6/ipv6_sockglue.c 2010-04-22 09:32:47.405760414 -0700
@@ -767,6 +767,14 @@ pref_skip_coa:
break;
}
+ case IPV6_MINHOPCOUNT:
+ if (optlen < sizeof(int))
+ goto e_inval;
+ if (val < 0 || val > 255)
+ goto e_inval;
+ np->min_hopcount = val;
+ retv = 0;
+ break;
}
release_sock(sk);
@@ -1116,6 +1124,10 @@ static int do_ipv6_getsockopt(struct soc
val |= IPV6_PREFER_SRC_HOME;
break;
+ case IPV6_MINHOPCOUNT:
+ val = np->min_hopcount;
+ break;
+
default:
return -ENOPROTOOPT;
}
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] IPv6: Generic TTL Security Mechanism (final version)
2010-04-22 22:18 ` [PATCH] IPv6: Generic TTL Security Mechanism (final version) Stephen Hemminger
@ 2010-04-22 22:27 ` David Miller
0 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2010-04-22 22:27 UTC (permalink / raw)
To: shemminger; +Cc: pekkas, yoshfuji, nick, netdev
From: Stephen Hemminger <shemminger@vyatta.com>
Date: Thu, 22 Apr 2010 15:18:46 -0700
> This patch adds IPv6 support for RFC5082 Generalized TTL Security Mechanism.
Applied, thanks.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2010-04-22 22:27 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-04-03 23:21 [PATCH 0/3] GTSM support for IPv6 three alternatives Stephen Hemminger
2010-04-03 23:21 ` [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version) Stephen Hemminger
2010-04-05 4:48 ` YOSHIFUJI Hideaki
2010-04-05 19:06 ` Nick Hilliard
2010-04-22 16:23 ` Stephen Hemminger
2010-04-22 21:38 ` David Miller
2010-04-22 22:18 ` [PATCH] IPv6: Generic TTL Security Mechanism (final version) Stephen Hemminger
2010-04-22 22:27 ` David Miller
2010-04-03 23:21 ` [PATCH 2/3] IPv6: Generic TTL Security Mechanism (alternate version) Stephen Hemminger
2010-04-03 23:21 ` [PATCH 3/3] IPv6: Generic TTL Security Mechanism (unified version) Stephen Hemminger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.