Message ID | 1268986871.3048.9.camel@edumazet-laptop |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
On Fri, 19 Mar 2010, Eric Dumazet wrote:

> This requires that any router in the path between the client and server
> also respects the MINTTL when sending ICMP. Not sure how practical it
> is...

You're correct that with multihop GTSM, ICMP becomes trickier. I'm not sure how applicable GTSM is really in multihop scenarios, though. I would not recommend using it to secure e.g. with minttl=250 or something that uncontrollable.

Your comment relates mainly to ICMP soft/hard errors which are not critical for correct operation. http://tools.ietf.org/html/draft-ietf-tcpm-icmp-attacks-11 discusses this.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 70df409..a9d3ba5 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -367,6 +367,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info) if (sock_owned_by_user(sk)) NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS); + if (iph->ttl < inet_sk(sk)->min_ttl) + goto out; + if (sk->sk_state == TCP_CLOSE) goto out;
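Review bot: The new `if (iph->ttl < inet_sk(sk)->min_ttl) goto out;` in tcp_v4_err() drops the ICMP silently, whereas the line just above it bumps LINUX_MIB_LOCKDROPPEDICMPS for the other drop path; a dedicated MIB counter for TTL-based drops would make GTSM misconfiguration (e.g. a min_ttl that no legitimate router can satisfy, as raised in the thread) observable instead of showing up only as unexplained ICMP loss. Please also confirm in the commit message which header `iph` refers to at this point in tcp_v4_err(): for a hop-count check the relevant TTL is that of the ICMP datagram as received, not the ttl field of the original TCP header echoed inside the ICMP payload, and the hunk alone does not show which one is being compared.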