Message ID | 1333284791-5363-1-git-send-email-martin@lucina.net |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
I'm extremely disappointed with the april fools submissions this year to be honest... -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
davem@davemloft.net said: > > I'm extremely disappointed with the april fools submissions this > year to be honest... Well, with Anonymous making their own distro, and the advertised "takedown of the Internet" on Saturday, it seemed timeley. I guess I should have written a more convincing blurb in the commit message...
From: Martin Lucina <martin@lucina.net> Date: Mon, 2 Apr 2012 11:24:10 +0200 > davem@davemloft.net said: >> >> I'm extremely disappointed with the april fools submissions this >> year to be honest... > > Well, with Anonymous making their own distro, and the advertised "takedown > of the Internet" on Saturday, it seemed timeley. I guess I should have > written a more convincing blurb in the commit message... It wasn't the blurb it was simply that you're at least the third person to submit a patch like this over the years, here's one: http://www.version6.net/patches/linux-2.4.20-rfc3514.dif Someone did a netfilter iptables module too: http://www.gossamer-threads.com/lists/linux/kernel/431645 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
davem@davemloft.net said: > It wasn't the blurb it was simply that you're at least the third > person to submit a patch like this over the years, here's one: > > http://www.version6.net/patches/linux-2.4.20-rfc3514.dif > > Someone did a netfilter iptables module too: > > http://www.gossamer-threads.com/lists/linux/kernel/431645 I missed the former patch completely, sorry about that. Googling for "evil bit implementation" did turn up the ipt_evil patch but no corresponding patch to actually let an application *set* the bit.
* Martin Lucina: > This patch implements the IP_EVIL socket option, allowing user-space > applications to set the Security Flag in the IPv4 Header, aka "evil" bit, > as defined in RFC 3514. I need this to fix a security issue. Could this be merged for real, please? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Apr 04, 2012 at 09:17:00PM +0200, Florian Weimer wrote: > * Martin Lucina: > > > This patch implements the IP_EVIL socket option, allowing user-space > > applications to set the Security Flag in the IPv4 Header, aka "evil" bit, > > as defined in RFC 3514. > > I need this to fix a security issue. Could this be merged for real, > please? I would suggest switching away from your RFC1149 link - looks like your mail took 3 days on the way out... -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
* Al Viro: > On Wed, Apr 04, 2012 at 09:17:00PM +0200, Florian Weimer wrote: >> * Martin Lucina: >> >> > This patch implements the IP_EVIL socket option, allowing user-space >> > applications to set the Security Flag in the IPv4 Header, aka "evil" bit, >> > as defined in RFC 3514. >> >> I need this to fix a security issue. Could this be merged for real, >> please? > > I would suggest switching away from your RFC1149 link - looks like your mail > took 3 days on the way out... Sorry, I saw it just now. The idea is to change the JVM to set IP_EVIL when an applet creates a socket, so that this socket cannot be used to trick firewalls to open up access to totally unrelated services. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/linux/in.h b/include/linux/in.h index e0337f1..6814c0f 100644 --- a/include/linux/in.h +++ b/include/linux/in.h @@ -86,6 +86,7 @@ struct in_addr { #define IP_MINTTL 21 #define IP_NODEFRAG 22 +#define IP_EVIL 23 /* IP_MTU_DISCOVER values */ #define IP_PMTUDISC_DONT 0 /* Never send DF frames */ diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index ae17e13..37aaf9b 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h @@ -168,6 +168,7 @@ struct inet_sock { transparent:1, mc_all:1, nodefrag:1; + __u8 evil; __u8 rcv_tos; int uc_index; int mc_index; diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 10e3751..b165dfb 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -356,6 +356,7 @@ lookup_protocol: inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0; inet->nodefrag = 0; + inet->evil = 0; /* Don't be evil */ if (SOCK_RAW == sock->type) { inet->inet_num = protocol; diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 4910176..c1b4b15 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -157,6 +157,8 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk, iph->frag_off = htons(IP_DF); else iph->frag_off = 0; + if (inet->evil) + iph->frag_off |= 1<<15; iph->ttl = ip_select_ttl(inet, &rt->dst); iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); iph->saddr = saddr; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 2fd0fba..f26d45c 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -463,7 +463,8 @@ static int do_ip_setsockopt(struct sock *sk, int level, (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) | (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) | (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) | - (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) || + (1<<IP_MINTTL) | (1<<IP_NODEFRAG) | + (1<<IP_EVIL))) || optname == IP_UNICAST_IF || optname == IP_MULTICAST_TTL || optname == IP_MULTICAST_ALL || @@ -598,6 +599,9 @@ static int do_ip_setsockopt(struct sock *sk, int level, } inet->nodefrag = val ? 1 : 0; break; + case IP_EVIL: + inet->evil = val ? 1 : 0; + break; case IP_MTU_DISCOVER: if (val < IP_PMTUDISC_DONT || val > IP_PMTUDISC_PROBE) goto e_inval; @@ -1176,6 +1180,9 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, case IP_NODEFRAG: val = inet->nodefrag; break; + case IP_EVIL: + val = inet->evil; + break; case IP_MTU_DISCOVER: val = inet->pmtudisc; break;
This patch implements the IP_EVIL socket option, allowing user-space applications to set the Security Flag in the IPv4 Header, aka "evil" bit, as defined in RFC 3514. Signed-off-by: Martin Lucina <martin@lucina.net> --- include/linux/in.h | 1 + include/net/inet_sock.h | 1 + net/ipv4/af_inet.c | 1 + net/ipv4/ip_output.c | 2 ++ net/ipv4/ip_sockglue.c | 9 ++++++++- 5 files changed, 13 insertions(+), 1 deletions(-)