diff mbox

[v4] add stealth mode

Message ID 1442397259-28894-1-git-send-email-matteo@openwrt.org
State RFC, archived
Delegated to: David Miller
Headers show

Commit Message

Matteo Croce Sept. 16, 2015, 9:54 a.m. UTC 
Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce <matteo@openwrt.org>
---
rebased on 4.3-rc1

 Documentation/networking/ip-sysctl.txt | 14 ++++++++++++++
 include/linux/inetdevice.h             |  1 +
 include/linux/ipv6.h                   |  1 +
 include/uapi/linux/ip.h                |  1 +
 net/ipv4/devinet.c                     |  1 +
 net/ipv4/icmp.c                        |  6 ++++++
 net/ipv4/ip_input.c                    |  5 +++--
 net/ipv4/tcp_ipv4.c                    |  3 ++-
 net/ipv4/udp.c                         |  4 +++-
 net/ipv6/addrconf.c                    |  7 +++++++
 net/ipv6/icmp.c                        |  3 ++-
 net/ipv6/ip6_input.c                   |  5 +++--
 net/ipv6/tcp_ipv6.c                    |  2 +-
 net/ipv6/udp.c                         |  3 ++-
 14 files changed, 47 insertions(+), 9 deletions(-)

Comments

Daniel Borkmann Sept. 16, 2015, 10:26 a.m. UTC | #1 
On 09/16/2015 11:54 AM, Matteo Croce wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.
>
> Signed-off-by: Matteo Croce <matteo@openwrt.org>
> ---
> rebased on 4.3-rc1
>
>   Documentation/networking/ip-sysctl.txt | 14 ++++++++++++++
>   include/linux/inetdevice.h             |  1 +
>   include/linux/ipv6.h                   |  1 +
>   include/uapi/linux/ip.h                |  1 +
>   net/ipv4/devinet.c                     |  1 +
>   net/ipv4/icmp.c                        |  6 ++++++
>   net/ipv4/ip_input.c                    |  5 +++--
>   net/ipv4/tcp_ipv4.c                    |  3 ++-
>   net/ipv4/udp.c                         |  4 +++-
>   net/ipv6/addrconf.c                    |  7 +++++++
>   net/ipv6/icmp.c                        |  3 ++-
>   net/ipv6/ip6_input.c                   |  5 +++--
>   net/ipv6/tcp_ipv6.c                    |  2 +-
>   net/ipv6/udp.c                         |  3 ++-
>   14 files changed, 47 insertions(+), 9 deletions(-)
>
> diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
> index ebe94f2..1d46adc 100644
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
>   	224.0.0.X range.
>   	Default TRUE
>
> +stealth - BOOLEAN
> +	Disable any reply not related to a listening socket,
> +	like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> +	Also disables ICMP replies to echo requests and timestamp
> +	and ICMP errors for unknown protocols.
> +	Default value is 0.
> +

Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP,
etc? It seems it gives false expectations in such cases when the user
enables being "stealth", but finds out it has no effect at all there ...
nmap f.e. has a couple of scanning options for SCTP, and at least SCTP
is still relevant in telco space.

I know this question has been asked before, but the only answer on this
was so far: "well, I've never played with SCTP before" ... :/
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Matteo Croce Sept. 16, 2015, 10:45 a.m. UTC | #2 
2015-09-16 12:26 GMT+02:00 Daniel Borkmann <daniel@iogearbox.net>:
> On 09/16/2015 11:54 AM, Matteo Croce wrote:
>>
>> Add option to disable any reply not related to a listening socket,
>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> Also disables ICMP replies to echo request and timestamp.
>> The stealth mode can be enabled selectively for a single interface.
>>
>> Signed-off-by: Matteo Croce <matteo@openwrt.org>
>> ---
>> rebased on 4.3-rc1
>>
>>   Documentation/networking/ip-sysctl.txt | 14 ++++++++++++++
>>   include/linux/inetdevice.h             |  1 +
>>   include/linux/ipv6.h                   |  1 +
>>   include/uapi/linux/ip.h                |  1 +
>>   net/ipv4/devinet.c                     |  1 +
>>   net/ipv4/icmp.c                        |  6 ++++++
>>   net/ipv4/ip_input.c                    |  5 +++--
>>   net/ipv4/tcp_ipv4.c                    |  3 ++-
>>   net/ipv4/udp.c                         |  4 +++-
>>   net/ipv6/addrconf.c                    |  7 +++++++
>>   net/ipv6/icmp.c                        |  3 ++-
>>   net/ipv6/ip6_input.c                   |  5 +++--
>>   net/ipv6/tcp_ipv6.c                    |  2 +-
>>   net/ipv6/udp.c                         |  3 ++-
>>   14 files changed, 47 insertions(+), 9 deletions(-)
>>
>> diff --git a/Documentation/networking/ip-sysctl.txt
>> b/Documentation/networking/ip-sysctl.txt
>> index ebe94f2..1d46adc 100644
>> --- a/Documentation/networking/ip-sysctl.txt
>> +++ b/Documentation/networking/ip-sysctl.txt
>> @@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
>>         224.0.0.X range.
>>         Default TRUE
>>
>> +stealth - BOOLEAN
>> +       Disable any reply not related to a listening socket,
>> +       like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> +       Also disables ICMP replies to echo requests and timestamp
>> +       and ICMP errors for unknown protocols.
>> +       Default value is 0.
>> +
>
>
> Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP,
> etc? It seems it gives false expectations in such cases when the user
> enables being "stealth", but finds out it has no effect at all there ...
> nmap f.e. has a couple of scanning options for SCTP, and at least SCTP
> is still relevant in telco space.
>
> I know this question has been asked before, but the only answer on this
> was so far: "well, I've never played with SCTP before" ... :/

Right, I was thinking to add them in a later version
Florian Westphal Sept. 16, 2015, 11:06 a.m. UTC | #3 
Matteo Croce <matteo@openwrt.org> wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.

I think it would make more sense to extend the socket match
in xtables if it can't be used to achive this already.

seems like
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT

Already does what you want for tcp, udp should work too.
I'd much rather see xtables and/or nftables to be extended
with whatever feature(s) are needed to configure such a policy
rather than pushing this into the core network stack.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Dumazet Sept. 16, 2015, 11:11 a.m. UTC | #4 
On Wed, 2015-09-16 at 11:54 +0200, Matteo Croce wrote:
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 93898e0..fe62ae0 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -77,6 +77,7 @@
>  #include <net/busy_poll.h>
>  
>  #include <linux/inet.h>
> +#include <linux/inetdevice.h>
>  #include <linux/ipv6.h>
>  #include <linux/stddef.h>
>  #include <linux/proc_fs.h>
> @@ -1652,7 +1653,7 @@ csum_error:
>  		TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
>  bad_packet:
>  		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
> -	} else {
> +	} else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
>  		tcp_v4_send_reset(NULL, skb);
>  	}


It is illegal to deref skb->dev->ip_ptr without proper accessor /
annotations.

Check 

struct in_device *in_dev = __in_dev_get_rcu(skb->dev); 

(Same remarks in other places of your patch)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Daniel Borkmann Sept. 16, 2015, 11:11 a.m. UTC | #5 
On 09/16/2015 12:45 PM, Matteo Croce wrote:
> 2015-09-16 12:26 GMT+02:00 Daniel Borkmann <daniel@iogearbox.net>:
>> On 09/16/2015 11:54 AM, Matteo Croce wrote:
>>>
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>>
>>> Signed-off-by: Matteo Croce <matteo@openwrt.org>
>>> ---
>>> rebased on 4.3-rc1
>>>
>>>    Documentation/networking/ip-sysctl.txt | 14 ++++++++++++++
>>>    include/linux/inetdevice.h             |  1 +
>>>    include/linux/ipv6.h                   |  1 +
>>>    include/uapi/linux/ip.h                |  1 +
>>>    net/ipv4/devinet.c                     |  1 +
>>>    net/ipv4/icmp.c                        |  6 ++++++
>>>    net/ipv4/ip_input.c                    |  5 +++--
>>>    net/ipv4/tcp_ipv4.c                    |  3 ++-
>>>    net/ipv4/udp.c                         |  4 +++-
>>>    net/ipv6/addrconf.c                    |  7 +++++++
>>>    net/ipv6/icmp.c                        |  3 ++-
>>>    net/ipv6/ip6_input.c                   |  5 +++--
>>>    net/ipv6/tcp_ipv6.c                    |  2 +-
>>>    net/ipv6/udp.c                         |  3 ++-
>>>    14 files changed, 47 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/Documentation/networking/ip-sysctl.txt
>>> b/Documentation/networking/ip-sysctl.txt
>>> index ebe94f2..1d46adc 100644
>>> --- a/Documentation/networking/ip-sysctl.txt
>>> +++ b/Documentation/networking/ip-sysctl.txt
>>> @@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
>>>          224.0.0.X range.
>>>          Default TRUE
>>>
>>> +stealth - BOOLEAN
>>> +       Disable any reply not related to a listening socket,
>>> +       like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> +       Also disables ICMP replies to echo requests and timestamp
>>> +       and ICMP errors for unknown protocols.
>>> +       Default value is 0.
>>> +
>>
>> Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP,
>> etc? It seems it gives false expectations in such cases when the user
>> enables being "stealth", but finds out it has no effect at all there ...
>> nmap f.e. has a couple of scanning options for SCTP, and at least SCTP
>> is still relevant in telco space.
>>
>> I know this question has been asked before, but the only answer on this
>> was so far: "well, I've never played with SCTP before" ... :/
>
> Right, I was thinking to add them in a later version

I feel, there would be many follow-ups. :/ Architecturally on the bigger
picture, nft and its connection tracker would be the much better place for
such policies, and it also provides matches for various protocols already.

What has been tried to address this more generically f.e. inside netfilter
subsystem, and why is it absolutely not possible to extend this functionality
over there?

Sorry if my question is stubborn, but from reading over the old threads
it still is not fully clear to me.

Thanks again,
Daniel
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Matteo Croce Sept. 23, 2015, 4:36 p.m. UTC | #6 
2015-09-16 13:06 GMT+02:00 Florian Westphal <fw@strlen.de>:
>
> Matteo Croce <matteo@openwrt.org> wrote:
> > Add option to disable any reply not related to a listening socket,
> > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > Also disables ICMP replies to echo request and timestamp.
> > The stealth mode can be enabled selectively for a single interface.
>
> I think it would make more sense to extend the socket match
> in xtables if it can't be used to achive this already.
>
> seems like
> *filter
> :INPUT ACCEPT [0:0]
> -A INPUT -p tcp -m socket --nowildcard -j ACCEPT
> -A INPUT -p tcp -j DROP
> COMMIT
>
> Already does what you want for tcp, udp should work too.
> I'd much rather see xtables and/or nftables to be extended
> with whatever feature(s) are needed to configure such a policy
> rather than pushing this into the core network stack.

The point is to do the filtering without *tables at all,
like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings
Eric Dumazet Sept. 23, 2015, 5:29 p.m. UTC | #7 
On Wed, 2015-09-23 at 18:36 +0200, Matteo Croce wrote:
> 2015-09-16 13:06 GMT+02:00 Florian Westphal <fw@strlen.de>:
> >
> > Matteo Croce <matteo@openwrt.org> wrote:
> > > Add option to disable any reply not related to a listening socket,
> > > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > > Also disables ICMP replies to echo request and timestamp.
> > > The stealth mode can be enabled selectively for a single interface.
> >
> > I think it would make more sense to extend the socket match
> > in xtables if it can't be used to achive this already.
> >
> > seems like
> > *filter
> > :INPUT ACCEPT [0:0]
> > -A INPUT -p tcp -m socket --nowildcard -j ACCEPT
> > -A INPUT -p tcp -j DROP
> > COMMIT
> >
> > Already does what you want for tcp, udp should work too.
> > I'd much rather see xtables and/or nftables to be extended
> > with whatever feature(s) are needed to configure such a policy
> > rather than pushing this into the core network stack.
> 
> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

Yes, but this adds code in many places, even for people not caring of
such protection.

The point is : people wanting firewall like protections should instead
use netfilter framework.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller Sept. 23, 2015, 6:15 p.m. UTC | #8 
From: Matteo Croce <matteo@openwrt.org>
Date: Wed, 23 Sep 2015 18:36:12 +0200

> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

That's not a good argument, sorry.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller Sept. 23, 2015, 6:16 p.m. UTC | #9 
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 23 Sep 2015 10:29:52 -0700

> Yes, but this adds code in many places, even for people not caring of
> such protection.
> 
> The point is : people wanting firewall like protections should instead
> use netfilter framework.

+1
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ebe94f2..1d46adc 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1206,6 +1206,13 @@  igmp_link_local_mcast_reports - BOOLEAN
 	224.0.0.X range.
 	Default TRUE
 
+stealth - BOOLEAN
+	Disable any reply not related to a listening socket,
+	like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+	Also disables ICMP replies to echo requests and timestamp
+	and ICMP errors for unknown protocols.
+	Default value is 0.
+
 Alexey Kuznetsov.
 kuznet@ms2.inr.ac.ru
 
@@ -1635,6 +1642,13 @@  stable_secret - IPv6 address
 
 	By default the stable secret is unset.
 
+stealth - BOOLEAN
+	Disable any reply not related to a listening socket,
+	like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+	Also disables ICMPv6 replies to echo requests
+	and ICMP errors for unknown protocols.
+	Default value is 0.
+
 icmp/*:
 ratelimit - INTEGER
 	Limit the maximal rates for sending ICMPv6 packets.
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index a4328ce..a64c01e 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -128,6 +128,7 @@  static inline void ipv4_devconf_setall(struct in_device *in_dev)
 #define IN_DEV_ARP_ANNOUNCE(in_dev)	IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
 #define IN_DEV_ARP_IGNORE(in_dev)	IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
 #define IN_DEV_ARP_NOTIFY(in_dev)	IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
+#define IN_DEV_STEALTH(in_dev)		IN_DEV_MAXCONF((in_dev), STEALTH)
 
 struct in_ifaddr {
 	struct hlist_node	hash;
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index f1f32af..a9d0172 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -55,6 +55,7 @@  struct ipv6_devconf {
 	__s32           ndisc_notify;
 	__s32		suppress_frag_ndisc;
 	__s32		accept_ra_mtu;
+	__s32		stealth;
 	struct ipv6_stable_secret {
 		bool initialized;
 		struct in6_addr secret;
diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
index 08f894d..4acbf99 100644
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -165,6 +165,7 @@  enum
 	IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
 	IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
 	IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
+	IPV4_DEVCONF_STEALTH,
 	__IPV4_DEVCONF_MAX
 };
 
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 2d9cb17..6d9c080 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2190,6 +2190,7 @@  static struct devinet_sysctl_table {
 					      "promote_secondaries"),
 		DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
 					      "route_localnet"),
+		DEVINET_SYSCTL_RW_ENTRY(STEALTH, "stealth"),
 	},
 };
 
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 79fe05b..4cd35b2 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -889,6 +889,9 @@  static bool icmp_echo(struct sk_buff *skb)
 {
 	struct net *net;
 
+	if (IN_DEV_STEALTH(skb->dev->ip_ptr))
+		return true;
+
 	net = dev_net(skb_dst(skb)->dev);
 	if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
 		struct icmp_bxm icmp_param;
@@ -922,6 +925,9 @@  static bool icmp_timestamp(struct sk_buff *skb)
 	if (skb->len < 4)
 		goto out_err;
 
+	if (IN_DEV_STEALTH(skb->dev->ip_ptr))
+		return true;
+
 	/*
 	 *	Fill in the current time as ms since midnight UT:
 	 */
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index f4fc8a7..e75f250 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -224,8 +224,9 @@  static int ip_local_deliver_finish(struct sock *sk, struct sk_buff *skb)
 			if (!raw) {
 				if (xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 					IP_INC_STATS_BH(net, IPSTATS_MIB_INUNKNOWNPROTOS);
-					icmp_send(skb, ICMP_DEST_UNREACH,
-						  ICMP_PROT_UNREACH, 0);
+					if (!IN_DEV_STEALTH(skb->dev->ip_ptr))
+						icmp_send(skb, ICMP_DEST_UNREACH,
+							  ICMP_PROT_UNREACH, 0);
 				}
 				kfree_skb(skb);
 			} else {
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 93898e0..fe62ae0 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -77,6 +77,7 @@ 
 #include <net/busy_poll.h>
 
 #include <linux/inet.h>
+#include <linux/inetdevice.h>
 #include <linux/ipv6.h>
 #include <linux/stddef.h>
 #include <linux/proc_fs.h>
@@ -1652,7 +1653,7 @@  csum_error:
 		TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
 bad_packet:
 		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
-	} else {
+	} else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
 		tcp_v4_send_reset(NULL, skb);
 	}
 
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index c0a15e7..033a051 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -96,6 +96,7 @@ 
 #include <linux/timer.h>
 #include <linux/mm.h>
 #include <linux/inet.h>
+#include <linux/inetdevice.h>
 #include <linux/netdevice.h>
 #include <linux/slab.h>
 #include <net/tcp_states.h>
@@ -1843,7 +1844,8 @@  int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 		goto csum_error;
 
 	UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
-	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+	if (!IN_DEV_STEALTH(skb->dev->ip_ptr))
+		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 
 	/*
 	 * Hmm.  We got an UDP packet to a port to which we
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 030fefd..09d6baa 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5713,6 +5713,13 @@  static struct addrconf_sysctl_table
 			.proc_handler	= addrconf_sysctl_ignore_routes_with_linkdown,
 		},
 		{
+			.procname	= "stealth",
+			.data		= &ipv6_devconf.stealth,
+			.maxlen		= sizeof(int),
+			.mode		= 0644,
+			.proc_handler	= proc_dointvec,
+		},
+		{
 			/* sentinel */
 		}
 	},
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 6c2b213..dbec4d76 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -723,7 +723,8 @@  static int icmpv6_rcv(struct sk_buff *skb)
 
 	switch (type) {
 	case ICMPV6_ECHO_REQUEST:
-		icmpv6_echo_reply(skb);
+		if (!idev->cnf.stealth)
+			icmpv6_echo_reply(skb);
 		break;
 
 	case ICMPV6_ECHO_REPLY:
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index adba03a..0955db4 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -256,8 +256,9 @@  resubmit:
 			if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 				IP6_INC_STATS_BH(net, idev,
 						 IPSTATS_MIB_INUNKNOWNPROTOS);
-				icmpv6_send(skb, ICMPV6_PARAMPROB,
-					    ICMPV6_UNK_NEXTHDR, nhoff);
+				if (!idev->cnf.stealth)
+					icmpv6_send(skb, ICMPV6_PARAMPROB,
+						    ICMPV6_UNK_NEXTHDR, nhoff);
 			}
 			kfree_skb(skb);
 		} else {
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 97d9314..50178ce 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1445,7 +1445,7 @@  csum_error:
 		TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
 bad_packet:
 		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
-	} else {
+	} else if (!__in6_dev_get(skb->dev)->cnf.stealth) {
 		tcp_v6_send_reset(NULL, skb);
 	}
 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 0aba654..f865aca 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -934,7 +934,8 @@  int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 		goto csum_error;
 
 	UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
-	icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
+	if (!__in6_dev_get(skb->dev)->cnf.stealth)
+		icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
 
 	kfree_skb(skb);
 	return 0;