Message ID | 53019823.20700@cn.fujitsu.com |
---|---|
State | Rejected, archived |
Delegated to: | David Miller |
From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Date: Mon, 17 Feb 2014 13:03:31 +0800

> otherwise the host may deal with the invalid packet.
>
> Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>

Locally bound packets are in fact the one case we do not want source address validation to occur for performance reasons, it's the whole reason this is coded the way that it is.

Turn on rpfilter if you have a machine directly exposed to the internet with no ingress firewalls/routers there to validate the source address.

I am not applying this patch.
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index c7539e2..4423a1a 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -321,6 +321,7 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); if (!r && !fib_num_tclassid_users(dev_net(dev)) && + oif != LOOPBACK_IFINDEX && (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))) { *itag = 0; return 0;
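Review bot: The added `oif != LOOPBACK_IFINDEX` test sits inside the `!r` shortcut of fib_validate_source(), so when rp_filter is off (r == 0) a call with the loopback index as oif no longer takes the `*itag = 0; return 0;` early exit and instead falls through to whatever validation follows this block. That changes behaviour for every such packet regardless of the administrator's rp_filter setting, and neither the hunk nor the one-line commit message says which "invalid packet" motivates it, how it reaches the host, or what the extra lookup costs. Please describe the concrete packet and topology in the commit message, add a comment on the new condition explaining why loopback is special here, and state why enabling rp_filter on the ingress device does not already cover the case.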
otherwise the host may deal with the invalid packet.

Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
---
 net/ipv4/fib_frontend.c | 1 +
 1 file changed, 1 insertion(+)