From: Stephen Suryaputra
To: netdev@vger.kernel.org
Cc: Stephen Suryaputra
Subject: [PATCH net-next] ipv6: Add icmp_echo_ignore_anycast for ICMPv6
Date: Wed, 20 Mar 2019 10:29:27 -0400
Message-Id: <20190320142927.4271-1-ssuryaextr@gmail.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: netdev@vger.kernel.org

In addition to icmp_echo_ignore_multicast, there is a need to also
prevent responding to pings to anycast addresses for security.

Signed-off-by: Stephen Suryaputra
---
 Documentation/networking/ip-sysctl.txt |  5 +++++
 include/net/netns/ipv6.h               |  1 +
 net/ipv6/af_inet6.c                    |  1 +
 net/ipv6/icmp.c                        | 16 ++++++++++++++--
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 55ea7def46be..bd029fc55ccb 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1923,6 +1923,11 @@ echo_ignore_multicast - BOOLEAN requests sent to it over the IPv6 protocol via multicast. Default: 0 +echo_ignore_anycast - BOOLEAN + If set non-zero, then the kernel will ignore all ICMP ECHO + requests sent to it over the IPv6 protocol destined to anycast address. + Default: 0 + xfrm6_gc_thresh - INTEGER The threshold at which we will start garbage collecting for IPv6 destination cache entries. At twice this value the system will diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h index e29aff15acc9..64e29b58bb5e 100644 --- a/include/net/netns/ipv6.h +++ b/include/net/netns/ipv6.h @@ -34,6 +34,7 @@ struct netns_sysctl_ipv6 { int icmpv6_time; int icmpv6_echo_ignore_all; int icmpv6_echo_ignore_multicast; + int icmpv6_echo_ignore_anycast; int anycast_src_echo_reply; int ip_nonlocal_bind; int fwmark_reflect; diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index fdc117de849c..fa6b404cbd10 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -848,6 +848,7 @@ static int __net_init inet6_net_init(struct net *net) net->ipv6.sysctl.icmpv6_time = 1*HZ; net->ipv6.sysctl.icmpv6_echo_ignore_all = 0; net->ipv6.sysctl.icmpv6_echo_ignore_multicast = 0; + net->ipv6.sysctl.icmpv6_echo_ignore_anycast = 0; net->ipv6.sysctl.flowlabel_consistency = 1; net->ipv6.sysctl.auto_flowlabels = IP6_DEFAULT_AUTO_FLOW_LABELS; net->ipv6.sysctl.idgen_retries = 3; diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 0907bcede5e5..cc14b9998941 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -683,6 +683,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb) struct dst_entry *dst; struct ipcm6_cookie ipc6; u32 mark = IP6_REPLY_MARK(net, skb->mark); + bool acast; if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) && net->ipv6.sysctl.icmpv6_echo_ignore_multicast) 
@@ -690,9 +691,12 @@ static void icmpv6_echo_reply(struct sk_buff *skb) saddr = &ipv6_hdr(skb)->daddr; + acast = ipv6_anycast_destination(skb_dst(skb), saddr); + if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast) + return; + if (!ipv6_unicast_destination(skb) && - !(net->ipv6.sysctl.anycast_src_echo_reply && - ipv6_anycast_destination(skb_dst(skb), saddr))) + !(net->ipv6.sysctl.anycast_src_echo_reply && acast)) saddr = NULL; memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr)); @@ -1126,6 +1130,13 @@ static struct ctl_table ipv6_icmp_table_template[] = { .mode = 0644, .proc_handler = proc_dointvec, }, + { + .procname = "echo_ignore_anycast", + .data = &init_net.ipv6.sysctl.icmpv6_echo_ignore_anycast, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, { }, }; @@ -1141,6 +1152,7 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net) table[0].data = &net->ipv6.sysctl.icmpv6_time; table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all; table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast; + table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast; } return table; } -- 2.17.1
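Review bot: in the Documentation hunk the new echo_ignore_anycast entry reads "requests sent to it over the IPv6 protocol destined to anycast address"; it should read "destined to an anycast address", and it should state how this knob relates to the existing anycast_src_echo_reply setting: as the icmp.c hunk shows, when echo_ignore_anycast is set the request is dropped before anycast_src_echo_reply is consulted, so an administrator reading ip-sysctl.txt should be told which of the two wins rather than having to infer it from the code.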
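Review bot: in the icmp.c hunk at @@ -690 the new early `return;` discards the request silently, exactly like the icmpv6_echo_ignore_multicast check above it, so an administrator who enables the sysctl gets no counter showing that echo requests are being dropped; that matches existing behaviour, but the commit message, which currently only says "for security", should say so and give the actual rationale. The same hunk also changes when ipv6_anycast_destination() runs: before, it was evaluated only when !ipv6_unicast_destination(skb) and anycast_src_echo_reply were both true, and now `acast = ipv6_anycast_destination(skb_dst(skb), saddr);` runs for every echo request, unicast included. Hoisting it into `acast` keeps the second condition readable, but the reorder is a behavioural change and deserves a sentence in the commit message, including a note on its cost.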
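Review bot: in the ipv6_icmp_sysctl_init hunk at @@ -1141 the hard-coded index in `table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;` is only correct because the template hunk at @@ -1126 inserts the new entry immediately before the `{ }` terminator, i.e. as the fourth entry after the ones already fixed up at table[0], table[1] and table[2]. The existing entries rely on the same positional coupling, so this follows the file's convention, but a comment on ipv6_icmp_table_template[] stating that entry order must match the indices used in ipv6_icmp_sysctl_init() would stop the next addition from silently pointing a per-netns sysctl at the wrong field.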