[PATCH] ipv4: validate source address if the packet is for us

[PATCH] ipv4: validate source address if the packet is for us

[Duan Jiong]

otherwise the host may deal with the invaild packet.

Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
---
 net/ipv4/fib_frontend.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index c7539e2..4423a1a 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -321,6 +321,7 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
 	int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev);
 
 	if (!r && !fib_num_tclassid_users(dev_net(dev)) &&
+	    oif != LOOPBACK_IFINDEX &&
 	    (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))) {
 		*itag = 0;
 		return 0;
-- 
1.8.3.1

Re: [PATCH] ipv4: validate source address if the packet is for us

[David Miller]

From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Date: Mon, 17 Feb 2014 13:03:31 +0800

> otherwise the host may deal with the invaild packet.
> 
> Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>

Locally bound packets are in fact the one case we do not
want source address validation to occur for performance
reasons, it's the whole reason this is coded the way that
it is.

Turn on rpfilter if you have a machine directly exposed
to the internet with no ingress firewalls/routers there
to validate the source address.

I am not applying this patch.