ipv4: add option to drop gratuitous ARP packets

In certain 802.11 wireless deployments, there will be ARP proxies
that use knowledge of the network to correctly answer requests.
To prevent gratuitous ARP frames on the shared medium from being
a problem, on such deployments wireless needs to drop them.

Enable this by providing an option called "drop_gratuitous_arp".

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index d5910d63214d8105838bc988e57222abbfc57122..a53bbfaff1c7488b0893d724965e8bc1a9a28fbf 100644 (file)
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1223,6 +1223,12 @@ drop_unicast_in_l2_multicast - BOOLEAN
        1122, but is disabled by default for compatibility reasons.
        Default: off (0)
 
+drop_gratuitous_arp - BOOLEAN
+       Drop all gratuitous ARP frames, for example if there's a known
+       good ARP proxy on the network and such frames need not be used
+       (or in the case of 802.11, must not be used to prevent attacks.)
+       Default: off (0)
+
 
 tag - INTEGER
        Allows you to write a number, which can be used as required.

diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
index 584834f7e95c9e369223bce87b55e8a1c6700c46..f291569768ddf22bd4d1b39cc30c8bc7dd8bf408 100644 (file)
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -166,6 +166,7 @@ enum
        IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
        IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
        IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
+       IPV4_DEVCONF_DROP_GRATUITOUS_ARP,
        __IPV4_DEVCONF_MAX
 };
 

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 59b3e0e8fd5110031eff0303b5f75622bdd7d22a..c102eb5ac55c8e3d496821886f874c769abf7cc8 100644 (file)
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -735,6 +735,14 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
            (!IN_DEV_ROUTE_LOCALNET(in_dev) && ipv4_is_loopback(tip)))
                goto out;
 
+ /*
+  *    For some 802.11 wireless deployments (and possibly other networks),
+  *    there will be an ARP proxy and gratuitous ARP frames are attacks
+  *    and thus should not be accepted.
+  */
+       if (sip == tip && IN_DEV_ORCONF(in_dev, DROP_GRATUITOUS_ARP))
+               goto out;
+
 /*
  *     Special case: We must set Frame Relay source Q.922 address
  */

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index dbbab28a52a4947a354e2d0de32532430d7eb6d5..3d835313575e07446cd39ce53f9e42bb16e1d0de 100644 (file)
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2185,6 +2185,8 @@ static struct devinet_sysctl_table {
                                        "igmpv3_unsolicited_report_interval"),
                DEVINET_SYSCTL_RW_ENTRY(IGNORE_ROUTES_WITH_LINKDOWN,
                                        "ignore_routes_with_linkdown"),
+               DEVINET_SYSCTL_RW_ENTRY(DROP_GRATUITOUS_ARP,
+                                       "drop_gratuitous_arp"),
 
                DEVINET_SYSCTL_FLUSHING_ENTRY(NOXFRM, "disable_xfrm"),
                DEVINET_SYSCTL_FLUSHING_ENTRY(NOPOLICY, "disable_policy"),