Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 97daf331 authored Feb 04, 2016 by Johannes Berg Committed by David S. Miller Feb 11, 2016

ipv4: add option to drop gratuitous ARP packets



In certain 802.11 wireless deployments, there will be ARP proxies
that use knowledge of the network to correctly answer requests.
To prevent gratuitous ARP frames on the shared medium from being
a problem, on such deployments wireless needs to drop them.

Enable this by providing an option called "drop_gratuitous_arp".

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 12b74dfa

Documentation/networking/ip-sysctl.txt

+6 −0

Original line number	Diff line number	Diff line
		@@ -1223,6 +1223,12 @@ drop_unicast_in_l2_multicast - BOOLEAN
		1122, but is disabled by default for compatibility reasons.
		Default: off (0)

		drop_gratuitous_arp - BOOLEAN
		Drop all gratuitous ARP frames, for example if there's a known
		good ARP proxy on the network and such frames need not be used
		(or in the case of 802.11, must not be used to prevent attacks.)
		Default: off (0)


		tag - INTEGER
		Allows you to write a number, which can be used as required.

include/uapi/linux/ip.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -166,6 +166,7 @@ enum
		IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
		IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
		IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
		IPV4_DEVCONF_DROP_GRATUITOUS_ARP,
		__IPV4_DEVCONF_MAX
		};

net/ipv4/arp.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -735,6 +735,14 @@ static int arp_process(struct net net, struct sock sk, struct sk_buff *skb)
		(!IN_DEV_ROUTE_LOCALNET(in_dev) && ipv4_is_loopback(tip)))
		goto out;

		/*
		* For some 802.11 wireless deployments (and possibly other networks),
		* there will be an ARP proxy and gratuitous ARP frames are attacks
		* and thus should not be accepted.
		*/
		if (sip == tip && IN_DEV_ORCONF(in_dev, DROP_GRATUITOUS_ARP))
		goto out;

		/*
		* Special case: We must set Frame Relay source Q.922 address
		*/

net/ipv4/devinet.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2185,6 +2185,8 @@ static struct devinet_sysctl_table {
		"igmpv3_unsolicited_report_interval"),
		DEVINET_SYSCTL_RW_ENTRY(IGNORE_ROUTES_WITH_LINKDOWN,
		"ignore_routes_with_linkdown"),
		DEVINET_SYSCTL_RW_ENTRY(DROP_GRATUITOUS_ARP,
		"drop_gratuitous_arp"),

		DEVINET_SYSCTL_FLUSHING_ENTRY(NOXFRM, "disable_xfrm"),
		DEVINET_SYSCTL_FLUSHING_ENTRY(NOPOLICY, "disable_policy"),