Hello,

On Fri, 10 Apr 2015, Johannes Berg wrote:

> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> In certain 802.11 wireless deployments, there will be ARP proxies
> that use knowledge of the network to correctly answer requests.
> To prevent gratuitous ARP frames on the shared medium from being
> a problem, on such deployments wireless needs to drop them.
>
> Enable this by providing an option called "drop_gratuitous_arp".
>
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
> diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
> index 5f5c674e130a..5487d5e5191e 100644
> --- a/net/ipv4/arp.c
> +++ b/net/ipv4/arp.c
> @@ -715,6 +715,14 @@ static int arp_process(struct sk_buff *skb)
> (!IN_DEV_ROUTE_LOCALNET(in_dev) && ipv4_is_loopback(tip)))
> goto out;
>
> + /*
> + * For some 802.11 wireless deployments (and possibly other networks),
> + * there will be an ARP proxy and gratuitous ARP frames are attacks
> + * and thus should not be accepted.
> + */
> + if (IN_DEV_CONF_GET(in_dev, DROP_GRATUITOUS_ARP) && sip == tip)
> + goto out;

Does it happen for any pkt_type? IN_DEV_ARP_ACCEPT is not ON by default, so new entries are not created but update can happen at any time, even with a simple request like who-has OURIP tell PROXYIP and sha=hacker_mac sent by attackers. Is that the only gap that needs to be protected with this patch? Maybe only arptable_filter can help here to protect ARP?

Regards

--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
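Review bot: the comment block added in the hunk states that "gratuitous ARP frames are attacks", which overstates what the commit message claims (that on ARP-proxy deployments they should be dropped); reword it to say such frames are untrusted or unwanted where an ARP proxy answers requests, rather than labelling them attacks. The comment should also say what the test actually covers: `sip == tip` is checked without looking at the ARP op code, so both the request and the reply form of gratuitous ARP are dropped, while a non-gratuitous request or reply whose sender hardware address is spoofed for an already-known IP is unaffected by this check, which is the gap the reply in this thread points at.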
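The check from the hunk and the gap Julian describes, as an added example that is not part of this thread or of the kernel source: it serialises an ARP packet in wire format, applies the patch's sip == tip drop (assuming the new option is enabled), and then applies a separate sender-consistency check against a constructed neighbour table, so that a "who-has OURIP tell PROXYIP" request with a wrong sender MAC can be seen passing the patch's test. All addresses, the table and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ARP_LEN 28      /* Ethernet/IPv4 ARP payload without the link-layer header */
#define ARP_REQUEST 1
/* Constructed addresses for this example: TEST-NET-1 and locally administered MACs. */
#define PROXY_IP 0xC0000201u   /* 192.0.2.1  (the ARP proxy) */
#define OUR_IP   0xC000020Au   /* 192.0.2.10 (this host)     */
static const uint8_t PROXY_MAC[6]    = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t ATTACKER_MAC[6] = {0x02, 0, 0, 0, 0, 0xff};
static const uint8_t BCAST_MAC[6]    = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
struct neigh { uint32_t ip; uint8_t mac[6]; };   /* one neighbour-table entry */
static const struct neigh KNOWN[] = { { PROXY_IP, {0x02, 0, 0, 0, 0, 0x01} } }; /* constructed */
static uint32_t get_be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Serialise one ARP packet in RFC 826 wire layout. */
void build_arp(uint8_t out[ARP_LEN], uint16_t oper, const uint8_t sha[6],
               uint32_t spa, const uint8_t tha[6], uint32_t tpa) {
    const uint8_t hdr[8] = {0, 1, 0x08, 0x00, 6, 4, (uint8_t)(oper >> 8), (uint8_t)oper};
    memcpy(out, hdr, 8);        /* htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper */
    memcpy(out + 8, sha, 6);
    memcpy(out + 18, tha, 6);
    for (int i = 0; i < 4; i++) {
        out[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
        out[24 + i] = (uint8_t)(tpa >> (24 - 8 * i));
    }
}

/* The patch's test: with the option enabled, sip == tip is discarded, request or reply alike. */
int drop_gratuitous_arp(const uint8_t *arp, size_t len) {
    if (len < ARP_LEN) return 1;                     /* truncated: drop */
    return get_be32(arp + 14) == get_be32(arp + 24);
}

/* The gap raised in the reply: a known sender IP with a different sender MAC passes sip == tip. */
int spoofed_sender(const uint8_t *arp, size_t len, const struct neigh *tbl, size_t n) {
    if (len < ARP_LEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].ip == get_be32(arp + 14) && memcmp(tbl[i].mac, arp + 8, 6) != 0)
            return 1;
    return 0;
}

/* 1 = dropped by the patch, 2 = passes it but spoofs a known IP's MAC, 0 = accepted. */
int classify(uint16_t oper, const uint8_t sha[6], uint32_t spa, uint32_t tpa) {
    uint8_t pkt[ARP_LEN];
    build_arp(pkt, oper, sha, spa, BCAST_MAC, tpa);
    if (drop_gratuitous_arp(pkt, ARP_LEN)) return 1;
    return spoofed_sender(pkt, ARP_LEN, KNOWN, sizeof KNOWN / sizeof KNOWN[0]) ? 2 : 0;
}
```

The second check is only a local consistency test for illustration; it is not what the kernel does, and a real ARP-proxy deployment would enforce it in arptables or at the access point.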