Message ID | 1557754137-100816-1-git-send-email-chenweilong@huawei.com |
---|---|
State | Rejected |
Delegated to: | David Miller |
Headers | show |
Series | [net-next,v2] ipv4: Add support to disable icmp timestamp | expand |
Weilong Chen <chenweilong@huawei.com> wrote: > The remote host answers to an ICMP timestamp request. > This allows an attacker to know the time and date on your host. No, it does not, I already told you so in V1 :-/ If you really think that its a problem that one can discover milliseconds-since-midnight please just change inet_current_timestamp() to add a random offset instead of adding yet another sysctl.
From: Weilong Chen <chenweilong@huawei.com> Date: Mon, 13 May 2019 21:28:57 +0800 > The remote host answers to an ICMP timestamp request. > This allows an attacker to know the time and date on your host. > > This path is an another way contrast to iptables rules: > iptables -A input -p icmp --icmp-type timestamp-request -j DROP > iptables -A output -p icmp --icmp-type timestamp-reply -j DROP > > Default is enabled. > > enable: > sysctl -w net.ipv4.icmp_timestamp_enable=1 > disable > sysctl -w net.ipv4.icmp_timestamp_enable=0 > testing: > hping3 --icmp --icmp-ts -V $IPADDR > > Signed-off-by: Weilong Chen <chenweilong@huawei.com> Premise is wrong, understanding of what ICMP timestamp value actually is is inaccurate, and the solution is wrong. No way I am applying this, sorry.
diff --git a/include/net/ip.h b/include/net/ip.h index 2d3cce7..71840e4 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -718,6 +718,8 @@ bool icmp_global_allow(void); extern int sysctl_icmp_msgs_per_sec; extern int sysctl_icmp_msgs_burst; +extern int sysctl_icmp_timestamp_enable; + #ifdef CONFIG_PROC_FS int ip_misc_proc_init(void); #endif diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index f3a5893..5010541 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk) int sysctl_icmp_msgs_per_sec __read_mostly = 1000; int sysctl_icmp_msgs_burst __read_mostly = 50; +int sysctl_icmp_timestamp_enable __read_mostly = 1; static struct { spinlock_t lock; @@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb) static bool icmp_timestamp(struct sk_buff *skb) { struct icmp_bxm icmp_param; + + if (!sysctl_icmp_timestamp_enable) + goto out_err; + /* * Too short. */ diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 875867b..1fe467e 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = { .extra1 = &zero, }, { + .procname = "icmp_timestamp_enable", + .data = &sysctl_icmp_timestamp_enable, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + }, + { .procname = "udp_mem", .data = &sysctl_udp_mem, .maxlen = sizeof(sysctl_udp_mem),
The remote host answers to an ICMP timestamp request. This allows an attacker to know the time and date on your host. This path is an another way contrast to iptables rules: iptables -A input -p icmp --icmp-type timestamp-request -j DROP iptables -A output -p icmp --icmp-type timestamp-reply -j DROP Default is enabled. enable: sysctl -w net.ipv4.icmp_timestamp_enable=1 disable sysctl -w net.ipv4.icmp_timestamp_enable=0 testing: hping3 --icmp --icmp-ts -V $IPADDR Signed-off-by: Weilong Chen <chenweilong@huawei.com> --- include/net/ip.h | 2 ++ net/ipv4/icmp.c | 5 +++++ net/ipv4/sysctl_net_ipv4.c | 8 ++++++++ 3 files changed, 15 insertions(+)