[PATCH 0/3] GTSM support for IPv6 three alternatives

[PATCH 0/3] GTSM support for IPv6 three alternatives

[Stephen Hemminger]

I have tested three alternative versions of this patch and can't
reach a diffinitive conclusion.  I favor the unified version (simplest API),
but need more opinions.  It would not be good if Linux implements
one option and BSD choose the other! That is why the original 
BSD developer and the quagga patch author are receiving this.

In case it is not obvious, only one of these choices should be
applied!

-- 

[PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)

[Stephen Hemminger]

[-- Attachment #1: gtsm-ipv6-ipv4-1.diff --]
[-- Type: text/plain, Size: 4384 bytes --]

This patch adds IPv6 support for RFC5082 Generalized TTL
Security Mechanism.  

The original proposed code; the IPV6 and IPV4 socket options are seperate.
With this method, the server does have to deal with both IPv4 and IPv6
socket options and the client has to handle the different for each
family.

On client:
	int ttl = 255;
	getaddrinfo(argv[1], argv[2], &hint, &result);

	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET) {
			setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
		} else if (rp->ai_family == AF_INET6) {
			setsockopt(s, IPPROTO_IPV6,  IPV6_UNICAST_HOPS, 
					&ttl, sizeof(ttl)))
		}
			
		if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
		   ...

On server:
	int minttl = 255 - maxhops;
   
	getaddrinfo(NULL, port, &hints, &result);
	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET6)
			setsockopt(s, IPPROTO_IPV6,  IPV6_MINHOPCOUNT,
					&minttl, sizeof(minttl));
		setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
			
		if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
			break
..


Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
 include/linux/in6.h      |    3 +++
 include/linux/ipv6.h     |    1 +
 net/ipv6/ipv6_sockglue.c |   12 ++++++++++++
 net/ipv6/tcp_ipv6.c      |   14 +++++++++++++-
 4 files changed, 29 insertions(+), 1 deletion(-)

--- a/net/ipv6/tcp_ipv6.c	2010-04-03 16:04:01.159412921 -0700
+++ b/net/ipv6/tcp_ipv6.c	2010-04-03 16:05:15.749413056 -0700
@@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s
 	if (sk->sk_state == TCP_CLOSE)
 		goto out;
 
+	if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto out;
+	}
+
 	tp = tcp_sk(sk);
 	seq = ntohl(th->seq);
 	if (sk->sk_state != TCP_LISTEN &&
@@ -1675,6 +1680,7 @@ ipv6_pktoptions:
 static int tcp_v6_rcv(struct sk_buff *skb)
 {
 	struct tcphdr *th;
+	struct ipv6hdr *hdr;
 	struct sock *sk;
 	int ret;
 	struct net *net = dev_net(skb->dev);
@@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk
 		goto bad_packet;
 
 	th = tcp_hdr(skb);
+	hdr = ipv6_hdr(skb);
 	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
 	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
 				    skb->len - th->doff*4);
 	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
 	TCP_SKB_CB(skb)->when = 0;
-	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
 	TCP_SKB_CB(skb)->sacked = 0;
 
 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1717,6 +1724,11 @@ process:
 	if (sk->sk_state == TCP_TIME_WAIT)
 		goto do_time_wait;
 
+	if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto discard_and_relse;
+	}
+
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
 
--- a/include/linux/in6.h	2010-04-02 21:16:07.461701802 -0700
+++ b/include/linux/in6.h	2010-04-03 16:05:15.749413056 -0700
@@ -265,6 +265,9 @@ struct in6_flowlabel_req {
 #define IPV6_PREFER_SRC_CGA		0x0008
 #define IPV6_PREFER_SRC_NONCGA		0x0800
 
+/* RFC5082: Generalized Ttl Security Mechanism */
+#define IPV6_MINHOPCOUNT		73
+
 /*
  * Multicast Routing:
  * see include/linux/mroute6.h.
--- a/include/linux/ipv6.h	2010-04-02 21:16:04.122638936 -0700
+++ b/include/linux/ipv6.h	2010-04-03 16:05:15.769412669 -0700
@@ -348,6 +348,7 @@ struct ipv6_pinfo {
 						 * 010: prefer public address
 						 * 100: prefer care-of address
 						 */
+	__u8			min_hopcount;
 	__u8			tclass;
 
 	__u32			dst_cookie;
--- a/net/ipv6/ipv6_sockglue.c	2010-04-02 21:15:26.071389733 -0700
+++ b/net/ipv6/ipv6_sockglue.c	2010-04-03 16:05:15.789412706 -0700
@@ -766,6 +766,14 @@ pref_skip_coa:
 
 		break;
 	    }
+	case IPV6_MINHOPCOUNT:
+		if (optlen < sizeof(int))
+			goto e_inval;
+		if (val < 0 || val > 255)
+			goto e_inval;
+		np->min_hopcount = val;
+		retv = 0;
+		break;
 	}
 
 	release_sock(sk);
@@ -1114,6 +1122,10 @@ static int do_ipv6_getsockopt(struct soc
 			val |= IPV6_PREFER_SRC_HOME;
 		break;
 
+	case IPV6_MINHOPCOUNT:
+		val = np->min_hopcount;
+		break;
+
 	default:
 		return -ENOPROTOOPT;
 	}

-- 

[PATCH 2/3] IPv6: Generic TTL Security Mechanism (alternate version)

[Stephen Hemminger]

[-- Attachment #1: gtsm-ipv6-ipv4-1a.diff --]
[-- Type: text/plain, Size: 4615 bytes --]

This patch adds IPv6 support for RFC5082 Generalized TTL
Security Mechanism.  

Very similar to original proposed code; the IPV6 and IPV4 
socket options are seperate, but the setting the IPV6 min hopcount
also sets IPV4 min ttl. This makes for less possible errors by the
programmer when using IPV4 mapped addresses.

With this method, the server does have to deal with both IPv4 and IPv6
socket options and the client has to handle the different for each
family.

On client:
	int ttl = 255;
	getaddrinfo(argv[1], argv[2], &hint, &result);

	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET) {
			setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
		} else if (rp->ai_family == AF_INET6) {
			setsockopt(s, IPPROTO_IPV6,  IPV6_UNICAST_HOPS, 
					&ttl, sizeof(ttl)))
		}
			
		if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
		   ...

On server:
	int minttl = 255 - maxhops;
   
	getaddrinfo(NULL, port, &hints, &result);
	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET6)
			setsockopt(s, IPPROTO_IPV6,  IPV6_MINHOPCOUNT,
					&minttl, sizeof(minttl));
		else
		        setsockopt(s, IPPROTO_IP, IP_MINTTL, 
			                &minttl, sizeof(minttl));
			
		if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
			break
..


Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
 include/linux/in6.h      |    3 +++
 include/linux/ipv6.h     |    1 +
 net/ipv6/ipv6_sockglue.c |   13 +++++++++++++
 net/ipv6/tcp_ipv6.c      |   14 +++++++++++++-
 4 files changed, 30 insertions(+), 1 deletion(-)

--- a/net/ipv6/tcp_ipv6.c	2010-04-03 16:13:50.450038495 -0700
+++ b/net/ipv6/tcp_ipv6.c	2010-04-03 16:14:58.579101059 -0700
@@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s
 	if (sk->sk_state == TCP_CLOSE)
 		goto out;
 
+	if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto out;
+	}
+
 	tp = tcp_sk(sk);
 	seq = ntohl(th->seq);
 	if (sk->sk_state != TCP_LISTEN &&
@@ -1675,6 +1680,7 @@ ipv6_pktoptions:
 static int tcp_v6_rcv(struct sk_buff *skb)
 {
 	struct tcphdr *th;
+	struct ipv6hdr *hdr;
 	struct sock *sk;
 	int ret;
 	struct net *net = dev_net(skb->dev);
@@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk
 		goto bad_packet;
 
 	th = tcp_hdr(skb);
+	hdr = ipv6_hdr(skb);
 	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
 	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
 				    skb->len - th->doff*4);
 	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
 	TCP_SKB_CB(skb)->when = 0;
-	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
 	TCP_SKB_CB(skb)->sacked = 0;
 
 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1717,6 +1724,11 @@ process:
 	if (sk->sk_state == TCP_TIME_WAIT)
 		goto do_time_wait;
 
+	if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto discard_and_relse;
+	}
+
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
 
--- a/include/linux/in6.h	2010-04-03 16:13:50.460038505 -0700
+++ b/include/linux/in6.h	2010-04-03 16:14:58.579101059 -0700
@@ -265,6 +265,9 @@ struct in6_flowlabel_req {
 #define IPV6_PREFER_SRC_CGA		0x0008
 #define IPV6_PREFER_SRC_NONCGA		0x0800
 
+/* RFC5082: Generalized Ttl Security Mechanism */
+#define IPV6_MINHOPCOUNT		73
+
 /*
  * Multicast Routing:
  * see include/linux/mroute6.h.
--- a/include/linux/ipv6.h	2010-04-03 16:13:50.470038394 -0700
+++ b/include/linux/ipv6.h	2010-04-03 16:14:58.579101059 -0700
@@ -348,6 +348,7 @@ struct ipv6_pinfo {
 						 * 010: prefer public address
 						 * 100: prefer care-of address
 						 */
+	__u8			min_hopcount;
 	__u8			tclass;
 
 	__u32			dst_cookie;
--- a/net/ipv6/ipv6_sockglue.c	2010-04-03 16:13:50.440037810 -0700
+++ b/net/ipv6/ipv6_sockglue.c	2010-04-03 16:16:45.973137844 -0700
@@ -766,6 +766,15 @@ pref_skip_coa:
 
 		break;
 	    }
+	case IPV6_MINHOPCOUNT:
+		if (optlen < sizeof(int))
+			goto e_inval;
+		if (val < 0 || val > 255)
+			goto e_inval;
+		np->min_hopcount = val;
+		inet_sk(sk)->min_ttl = val;
+		retv = 0;
+		break;
 	}
 
 	release_sock(sk);
@@ -1114,6 +1123,10 @@ static int do_ipv6_getsockopt(struct soc
 			val |= IPV6_PREFER_SRC_HOME;
 		break;
 
+	case IPV6_MINHOPCOUNT:
+		val = np->min_hopcount;
+		break;
+
 	default:
 		return -ENOPROTOOPT;
 	}

-- 

[PATCH 3/3] IPv6: Generic TTL Security Mechanism (unified version)

[Stephen Hemminger]

[-- Attachment #1: gtsm-ipv6.diff --]
[-- Type: text/plain, Size: 3126 bytes --]

This patch is one alternative IPv6 support for RFC5082 Generalized TTL
Security Mechanism. 

This version takes a simplest (but least pure) approach.
It uses the same socket option for IPv6 as IPv4 because
the TCP code has to deal with mapped addresses already.

With this method, the server doesn't have to deal with both IPv4 and IPv6
socket options. But the client still does have to handle the different
options.

On client:
	int ttl = 255;
	getaddrinfo(argv[1], argv[2], &hint, &result);

	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET) {
			setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
		} else if (rp->ai_family == AF_INET6) {
			setsockopt(s, IPPROTO_IPV6,  IPV6_UNICAST_HOPS, 
					&ttl, sizeof(ttl)))
		}
			
		if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
		   ...

On server:
	unsigned char minttl = 255 - maxhops;
   
	getaddrinfo(NULL, port, &hints, &result);
	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
			
		if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
			break
..


Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
 net/ipv4/tcp_ipv4.c |   15 +++++++++++----
 net/ipv6/tcp_ipv6.c |   10 ++++++++++
 2 files changed, 21 insertions(+), 4 deletions(-)

--- a/net/ipv6/tcp_ipv6.c	2010-04-02 21:19:39.692013672 -0700
+++ b/net/ipv6/tcp_ipv6.c	2010-04-03 15:55:43.778224848 -0700
@@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s
 	if (sk->sk_state == TCP_CLOSE)
 		goto out;
 
+	if (ipv6_hdr(skb)->hop_limit < inet_sk(sk)->min_ttl) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto out;
+	}
+
 	tp = tcp_sk(sk);
 	seq = ntohl(th->seq);
 	if (sk->sk_state != TCP_LISTEN &&
@@ -1717,6 +1722,11 @@ process:
 	if (sk->sk_state == TCP_TIME_WAIT)
 		goto do_time_wait;
 
+	if (ipv6_hdr(skb)->hop_limit < inet_sk(sk)->min_ttl) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto discard_and_relse;
+	}
+
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
 
--- a/net/ipv4/tcp_ipv4.c	2010-04-02 21:19:39.682014278 -0700
+++ b/net/ipv4/tcp_ipv4.c	2010-04-02 21:20:25.571077252 -0700
@@ -1660,10 +1660,14 @@ process:
 	if (sk->sk_state == TCP_TIME_WAIT)
 		goto do_time_wait;
 
-	if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
-		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-		goto discard_and_relse;
-	}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+	if (skb->protocol == htons(ETH_P_IPV6)) {
+		if (ipv6_hdr(skb)->hop_limit < inet_sk(sk)->min_ttl)
+			goto min_ttl_discard;
+	} else
+#endif
+	if (iph->ttl < inet_sk(sk)->min_ttl)
+		goto min_ttl_discard;
 
 	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
@@ -1716,6 +1720,9 @@ discard_it:
 	kfree_skb(skb);
 	return 0;
 
+min_ttl_discard:
+	NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+
 discard_and_relse:
 	sock_put(sk);
 	goto discard_it;

-- 

Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)

[YOSHIFUJI Hideaki]

Hi,

(2010/04/04 8:21), Stephen Hemminger wrote:
> The original proposed code; the IPV6 and IPV4 socket options are seperate.
> With this method, the server does have to deal with both IPv4 and IPv6
> socket options and the client has to handle the different for each
> family.

I am for 1/3 (original), not for 2/3, 3/3.

Because we should allow users to set respective value
for IPv4 and IPv6, as we allow users to do so for TTL
and hoplimit itself.

--yoshfuji

Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)

[Nick Hilliard]

On 05/04/2010 05:48, YOSHIFUJI Hideaki wrote:
> I am for 1/3 (original), not for 2/3, 3/3.
>
> Because we should allow users to set respective value
> for IPv4 and IPv6, as we allow users to do so for TTL
> and hoplimit itself.

<non-linux-user>

I concur.  ipv4 mapped addresses need special handling in lots of cases, 
and I don't believe that patch 2/3 adds anything here - except possibly 
confusion.

Regarding case 3/3, ipv4 and ipv6 are separate protocols.  Treating them 
as the same from the setsockopt() point of view is a clear case of the 
Wrong Thing.

</non-linux-user>

Case 1/3 is IMO a better approach.  It satisfies both KISS (keep it 
simple...) and POLA (principle of least astonishment).

Nick

Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)

[Stephen Hemminger]

On Sat, 03 Apr 2010 16:21:04 -0700
Stephen Hemminger <shemminger@vyatta.com> wrote:

> This patch adds IPv6 support for RFC5082 Generalized TTL
> Security Mechanism.  
> 
> The original proposed code; the IPV6 and IPV4 socket options are seperate.
> With this method, the server does have to deal with both IPv4 and IPv6
> socket options and the client has to handle the different for each
> family.
> 
> On client:
> 	int ttl = 255;
> 	getaddrinfo(argv[1], argv[2], &hint, &result);
> 
> 	for (rp = result; rp != NULL; rp = rp->ai_next) {
> 		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
> 		if (s < 0) continue;
> 
> 		if (rp->ai_family == AF_INET) {
> 			setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
> 		} else if (rp->ai_family == AF_INET6) {
> 			setsockopt(s, IPPROTO_IPV6,  IPV6_UNICAST_HOPS, 
> 					&ttl, sizeof(ttl)))
> 		}
> 			
> 		if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
> 		   ...
> 
> On server:
> 	int minttl = 255 - maxhops;
>    
> 	getaddrinfo(NULL, port, &hints, &result);
> 	for (rp = result; rp != NULL; rp = rp->ai_next) {
> 		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
> 		if (s < 0) continue;
> 
> 		if (rp->ai_family == AF_INET6)
> 			setsockopt(s, IPPROTO_IPV6,  IPV6_MINHOPCOUNT,
> 					&minttl, sizeof(minttl));
> 		setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
> 			
> 		if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
> 			break
> ..
> 
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

Dave: Yoshifuji and I agree this is the best solution, how come the patch
hasn't been applied?

Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)

[David Miller]

From: Stephen Hemminger <shemminger@vyatta.com>
Date: Thu, 22 Apr 2010 09:23:05 -0700

> Dave: Yoshifuji and I agree this is the best solution, how come the patch
> hasn't been applied?

You supplied 3 different implementations, that puts all of them
into "RFC" state in patchwork.

When you figure out which one is best you make a new explicit
submission of the implementation you think should actually
go into the tree.

[PATCH] IPv6: Generic TTL Security Mechanism (final version)

[Stephen Hemminger]

This patch adds IPv6 support for RFC5082 Generalized TTL Security Mechanism.  

Not to users of mapped address; the IPV6 and IPV4 socket options are seperate.
The server does have to deal with both IPv4 and IPv6 socket options
and the client has to handle the different for each family.

On client:
	int ttl = 255;
	getaddrinfo(argv[1], argv[2], &hint, &result);

	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET) {
			setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
		} else if (rp->ai_family == AF_INET6) {
			setsockopt(s, IPPROTO_IPV6,  IPV6_UNICAST_HOPS, 
					&ttl, sizeof(ttl)))
		}
			
		if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
		   ...

On server:
	int minttl = 255 - maxhops;
   
	getaddrinfo(NULL, port, &hints, &result);
	for (rp = result; rp != NULL; rp = rp->ai_next) {
		s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (s < 0) continue;

		if (rp->ai_family == AF_INET6)
			setsockopt(s, IPPROTO_IPV6,  IPV6_MINHOPCOUNT,
					&minttl, sizeof(minttl));
		setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
			
		if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
			break
...
Same as v1 (except commit message)

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
 include/linux/in6.h      |    3 +++
 include/linux/ipv6.h     |    1 +
 net/ipv6/ipv6_sockglue.c |   12 ++++++++++++
 net/ipv6/tcp_ipv6.c      |   14 +++++++++++++-
 4 files changed, 29 insertions(+), 1 deletion(-)

--- a/net/ipv6/tcp_ipv6.c	2010-04-22 09:32:39.845447496 -0700
+++ b/net/ipv6/tcp_ipv6.c	2010-04-22 09:32:47.395758592 -0700
@@ -353,6 +353,11 @@ static void tcp_v6_err(struct sk_buff *s
 	if (sk->sk_state == TCP_CLOSE)
 		goto out;
 
+	if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto out;
+	}
+
 	tp = tcp_sk(sk);
 	seq = ntohl(th->seq);
 	if (sk->sk_state != TCP_LISTEN &&
@@ -1675,6 +1680,7 @@ ipv6_pktoptions:
 static int tcp_v6_rcv(struct sk_buff *skb)
 {
 	struct tcphdr *th;
+	struct ipv6hdr *hdr;
 	struct sock *sk;
 	int ret;
 	struct net *net = dev_net(skb->dev);
@@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk
 		goto bad_packet;
 
 	th = tcp_hdr(skb);
+	hdr = ipv6_hdr(skb);
 	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
 	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
 				    skb->len - th->doff*4);
 	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
 	TCP_SKB_CB(skb)->when = 0;
-	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
+	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
 	TCP_SKB_CB(skb)->sacked = 0;
 
 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -1717,6 +1724,11 @@ process:
 	if (sk->sk_state == TCP_TIME_WAIT)
 		goto do_time_wait;
 
+	if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
+		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+		goto discard_and_relse;
+	}
+
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
 
--- a/include/linux/in6.h	2010-04-22 09:32:39.855445952 -0700
+++ b/include/linux/in6.h	2010-04-22 09:32:47.395758592 -0700
@@ -265,6 +265,9 @@ struct in6_flowlabel_req {
 #define IPV6_PREFER_SRC_CGA		0x0008
 #define IPV6_PREFER_SRC_NONCGA		0x0800
 
+/* RFC5082: Generalized Ttl Security Mechanism */
+#define IPV6_MINHOPCOUNT		73
+
 /*
  * Multicast Routing:
  * see include/linux/mroute6.h.
--- a/include/linux/ipv6.h	2010-04-22 09:32:39.865447950 -0700
+++ b/include/linux/ipv6.h	2010-04-22 09:32:47.395758592 -0700
@@ -348,6 +348,7 @@ struct ipv6_pinfo {
 						 * 010: prefer public address
 						 * 100: prefer care-of address
 						 */
+	__u8			min_hopcount;
 	__u8			tclass;
 
 	__u32			dst_cookie;
--- a/net/ipv6/ipv6_sockglue.c	2010-04-22 09:32:39.835445583 -0700
+++ b/net/ipv6/ipv6_sockglue.c	2010-04-22 09:32:47.405760414 -0700
@@ -767,6 +767,14 @@ pref_skip_coa:
 
 		break;
 	    }
+	case IPV6_MINHOPCOUNT:
+		if (optlen < sizeof(int))
+			goto e_inval;
+		if (val < 0 || val > 255)
+			goto e_inval;
+		np->min_hopcount = val;
+		retv = 0;
+		break;
 	}
 
 	release_sock(sk);
@@ -1116,6 +1124,10 @@ static int do_ipv6_getsockopt(struct soc
 			val |= IPV6_PREFER_SRC_HOME;
 		break;
 
+	case IPV6_MINHOPCOUNT:
+		val = np->min_hopcount;
+		break;
+
 	default:
 		return -ENOPROTOOPT;
 	}

Re: [PATCH] IPv6: Generic TTL Security Mechanism (final version)

[David Miller]

From: Stephen Hemminger <shemminger@vyatta.com>
Date: Thu, 22 Apr 2010 15:18:46 -0700

> This patch adds IPv6 support for RFC5082 Generalized TTL Security Mechanism.  

Applied, thanks.