From: Tom Herbert <tom@herbertland.com>
To: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
justin.iurman@uliege.be
Cc: Tom Herbert <tom@herbertland.com>
Subject: [PATCH net-next v3 7/7] ipv6: Document enforce_ext_hdr_order sysctl
Date: Mon, 19 Jan 2026 13:12:12 -0800 [thread overview]
Message-ID: <20260119211212.55026-8-tom@herbertland.com> (raw)
In-Reply-To: <20260119211212.55026-1-tom@herbertland.com>
Document the enforce_ext_hdr_order sysctl that controls whether
Extension Header order is enforced on receive.
Signed-off-by: Tom Herbert <tom@herbertland.com>
---
Documentation/networking/ip-sysctl.rst | 31 +++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 5051fe653c96..4713adb002e3 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -2478,7 +2478,7 @@ max_dst_opts_number - INTEGER
options extension header. If this value is zero then receive
Destination Options processing is disabled in which case packets
with the Destination Options extension header are dropped. If
- this value is less than zero then unknown options are disallowed
+ this value is less than zero then unknown options is disallowed
and the number of known TLVs allowed is the absolute value of
this number.
@@ -2581,6 +2581,35 @@ ioam6_id_wide - LONG INTEGER
Default: 0xFFFFFFFFFFFFFF
+enforce_ext_hdr_order - BOOLEAN
+ Enforce recommended Extension Header ordering in RFC8200.
+ If the sysctl is set to 1 then the ordering the ordering is
+ enforced in received packets and each Extension Header
+ may be present at most once per packet. If the sysctl is
+ set to 0 then ordering is not enforced and Extension Headers
+ may be present in any order and have any number of
+ occurences per packet (except for Hop-by-Hop Options). Also,
+ if the sysctl is set then Destination Options before the
+ Routing header are disllowed.
+
+ The Extension Header order is:
+
+ IPv6 header
+ Hop-by-Hop Options header
+ Routing header
+ Fragment header
+ Authentication header
+ Encapsulating Security Payload header
+ Destination Options header
+ Upper-Layer header
+
+ Possible values:
+
+ - 0 (disabled)
+ - 1 (enabled)
+
+ Default: 1 (enabled)
+
IPv6 Fragmentation:
ip6frag_high_thresh - INTEGER
--
2.43.0
prev parent reply other threads:[~2026-01-19 21:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-19 21:12 [PATCH net-next v3 0/7] ipv6: Address ext hdr DoS vulnerabilities Tom Herbert
2026-01-19 21:12 ` [PATCH net-next v3 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is Tom Herbert
2026-01-19 21:12 ` [PATCH net-next v3 2/7] ipv6: Add case for IPV6_TLV_TNL_ENCAP_LIMIT in EH TLV switch Tom Herbert
2026-01-21 0:08 ` Jakub Kicinski
2026-01-19 21:12 ` [PATCH net-next v3 3/7] ipv6: Cleanup IPv6 TLV definitions Tom Herbert
2026-01-19 21:12 ` [PATCH net-next v3 4/7] ipv6: Set HBH and DestOpt limits to 2 Tom Herbert
2026-01-19 21:12 ` [PATCH net-next v3 5/7] ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls Tom Herbert
2026-01-19 21:12 ` [PATCH net-next v3 6/7] ipv6: Enforce Extension Header ordering Tom Herbert
2026-01-19 21:12 ` Tom Herbert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260119211212.55026-8-tom@herbertland.com \
--to=tom@herbertland.com \
--cc=davem@davemloft.net \
--cc=justin.iurman@uliege.be \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox