Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ipv4: add option to drop gratuitous ARP packets

In certain 802.11 wireless deployments, there will be ARP proxies
that use knowledge of the network to correctly answer requests.
To prevent gratuitous ARP frames on the shared medium from being
a problem, on such deployments wireless needs to drop them.

Enable this by providing an option called "drop_gratuitous_arp".

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Johannes Berg and committed by David S. Miller
97daf331 12b74dfa

+17
+6
Documentation/networking/ip-sysctl.txt
··· 1223 1223 1122, but is disabled by default for compatibility reasons. 1224 1224 Default: off (0) 1225 1225 1226 + drop_gratuitous_arp - BOOLEAN 1227 + Drop all gratuitous ARP frames, for example if there's a known 1228 + good ARP proxy on the network and such frames need not be used 1229 + (or in the case of 802.11, must not be used to prevent attacks.) 1230 + Default: off (0) 1231 + 1226 1232 1227 1233 tag - INTEGER 1228 1234 Allows you to write a number, which can be used as required.
+1
include/uapi/linux/ip.h
··· 166 166 IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL, 167 167 IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN, 168 168 IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST, 169 + IPV4_DEVCONF_DROP_GRATUITOUS_ARP, 169 170 __IPV4_DEVCONF_MAX 170 171 }; 171 172
+8
net/ipv4/arp.c
··· 735 735 (!IN_DEV_ROUTE_LOCALNET(in_dev) && ipv4_is_loopback(tip))) 736 736 goto out; 737 737 738 + /* 739 + * For some 802.11 wireless deployments (and possibly other networks), 740 + * there will be an ARP proxy and gratuitous ARP frames are attacks 741 + * and thus should not be accepted. 742 + */ 743 + if (sip == tip && IN_DEV_ORCONF(in_dev, DROP_GRATUITOUS_ARP)) 744 + goto out; 745 + 738 746 /* 739 747 * Special case: We must set Frame Relay source Q.922 address 740 748 */
+2
net/ipv4/devinet.c
··· 2185 2185 "igmpv3_unsolicited_report_interval"), 2186 2186 DEVINET_SYSCTL_RW_ENTRY(IGNORE_ROUTES_WITH_LINKDOWN, 2187 2187 "ignore_routes_with_linkdown"), 2188 + DEVINET_SYSCTL_RW_ENTRY(DROP_GRATUITOUS_ARP, 2189 + "drop_gratuitous_arp"), 2188 2190 2189 2191 DEVINET_SYSCTL_FLUSHING_ENTRY(NOXFRM, "disable_xfrm"), 2190 2192 DEVINET_SYSCTL_FLUSHING_ENTRY(NOPOLICY, "disable_policy"),
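Review bot: In the Documentation/networking/ip-sysctl.txt hunk, the parenthetical "must not be used to prevent attacks" is ambiguous, since it can be read as saying the frames must not be used for preventing attacks; "must not be used, in order to prevent attacks" would remove the doubt. The entry also never says what counts as gratuitous. The check in net/ipv4/arp.c is sip == tip under IN_DEV_ORCONF, so the text could state that a frame whose sender and target IP addresses match is dropped when the option is set on either "all" or the receiving interface.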
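Review bot: In the net/ipv4/arp.c hunk, the new condition "sip == tip && IN_DEV_ORCONF(in_dev, DROP_GRATUITOUS_ARP)" does not look at the ARP opcode, so gratuitous requests and gratuitous replies are both dropped; if that is intended, the comment above it should say so. The comment's "gratuitous ARP frames are attacks" is also stronger than the documentation's wording, and "may be attacks" would match it better. The frame is discarded through "goto out" with no counter or log, so an operator who enables the option has no way to see how many frames it dropped; consider a statistic or at least a note in the documentation.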
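Review bot: The documentation should say that enabling drop_gratuitous_arp only affects frames received afterwards. In the net/ipv4/devinet.c hunk the option is registered with DEVINET_SYSCTL_RW_ENTRY, and nothing in this patch clears neighbour entries that were already learned from earlier gratuitous ARP frames, so those stay in place until they expire or are removed by the administrator.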